System configuration profiles are XML files that enable you to automate client configurations at first boot after an installation is completed.
You can assign any number of configuration profiles to a client. However, make sure that the client does not use a set of profiles with overlapping property definitions. Otherwise, even if the property setting is the same in those multiple profiles, the behavior of the SMF service being configured remains undefined.
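The overlap rule above can be checked before profiles are assigned to a client. The following is an added example, not part of the original documentation: it lists every property that more than one profile defines, including the case where the values are identical. The sample profiles and the file names a.xml and b.xml are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample profiles (not from the page). Both set config/nodename
# of system/identity:node, and to the same value.
HEAD = ('<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">'
        '<service_bundle type="profile" name="sysconfig">')
NODENAME = """<service name="system/identity" version="1" type="service">
  <instance name="node" enabled="true">
    <property_group name="config" type="application">
      <propval name="nodename" type="astring" value="client1"/>
    </property_group>
  </instance>
</service>"""
TIMEZONE = """<service name="system/timezone" version="1" type="service">
  <instance name="default" enabled="true">
    <property_group name="timezone" type="application">
      <propval name="localtime" type="astring" value="UTC"/>
    </property_group>
  </instance>
</service>"""
PROFILE_A = HEAD + NODENAME + "</service_bundle>"
PROFILE_B = HEAD + TIMEZONE + NODENAME + "</service_bundle>"

def defined_properties(xml_text):
    """Return the (service, instance, property group, property) keys a profile sets."""
    keys = set()
    for svc in ET.fromstring(xml_text).iter("service"):
        # Property groups sit directly under the service or under an instance.
        scopes = [("", svc)] + [(i.get("name"), i) for i in svc.findall("instance")]
        for inst, scope in scopes:
            for pg in scope.findall("property_group"):
                for prop in pg:
                    if prop.tag in ("propval", "property"):
                        keys.add((svc.get("name"), inst, pg.get("name"), prop.get("name")))
    return keys

def overlapping_properties(profiles):
    """Map each key defined by more than one profile to the profiles that define it."""
    owners = defaultdict(list)
    for name, text in profiles.items():
        for key in defined_properties(text):
            owners[key].append(name)
    return {key: sorted(names) for key, names in owners.items() if len(names) > 1}

if __name__ == "__main__":
    for key, names in overlapping_properties({"a.xml": PROFILE_A, "b.xml": PROFILE_B}).items():
        print("overlap:", key, "in", names)
```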
You create profiles by using one of the following tools:
System Configuration Interactive (SCI) tool
Any XML editor
Derived manifests script
Scripts are discussed in Using a Script to Customize an Installation.
Whichever tool you use, the best practice is to use templates so that you do not have to start from an empty profile. See Templates for System Configuration Profiles. In these files, you can either provide actual value settings, or use variables for a more dynamic process. See Using System Configuration Profile Templates.
The SCI tool creates an XML profile out of responses that you provide interactively. To launch the tool, issue the following command:
# sysconfig create-profile [-o directory][other-options]
For other options you can use, see the sysconfig(8) man page.
The command opens the SCI tool which prompts you for configuration information to be stored in sc_profile.xml. For an overview of the SCI tool's screens, see System Configuration Profiles.
By default, sc_profile.xml is created in the /system/volatile/profile/ directory. To store the file in a different existing directory, specify the -o directory option. The new profile overwrites any profile existing in that location.
Use any XML editor to create an XML file to contain the property specifications. If you start from an empty XML file, include the following required declarations at the top of the file:
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
Refer to Specifying Configuration in a System Configuration Profile for guidance on how to set SMF property definitions properly in the file.
In the derived manifests script method, you provide the specifications in the manifest script itself. This method assumes you are familiar with scripting languages and their commands. For an example of how to add a configuration profile in the script, see Adding a System Configuration Profile.
In Oracle Solaris 11.4, KMIP client configuration is stored in the Service Management Facility (SMF). You can use the kmipcfg command to create an SMF configuration profile based on existing KMIP configuration. You provide the parameters either interactively or directly on the command line.
The SMF configuration profile can be created regardless of whether the system is currently configured as a KMIP client. After it is created, the profile can be used in AI installations to apply its configuration to target clients.
This method assumes that a working KMIP server group already exists. For procedures, see Creating and Configuring a KMIP Server Group in Managing Encryption and Certificates in Oracle Solaris 11.4.
The procedure consists of the following steps:
Extract the configuration into an SMF configuration profile.
Assign the profile to an AI service to be used for installation.
The profile can also be used with the sysconfig command for configuring or unconfiguring the Oracle Solaris instance.
To create an SMF system configuration profile on a KMIP client based on an existing server-group, use the following command syntax:
$ kmipcfg extract -p filename [-s] [-t all|pkcs11|libkmip] server-group
-p filename
    Profile where the extracted configuration information is stored. The filename must include the .xml extension.
    If you do not use this option, the configuration is printed to standard output.
-s
    Extracts sensitive information such as encoded certificates.
-t all|pkcs11|libkmip
    Type of information that is extracted:
    pkcs11 creates the profile for the /system/pkcs11.kmip service instance.
    libkmip creates the profile for the /system/kmip/client:default service instance.
    all, the default setting, creates the profile for both services.
server-group
    Source of the configuration information.
For additional options, see the kmipcfg(8) man page.
Suppose that you have a KMIP server group cluster-1 as follows:
$ kmipcfg list
Server group: cluster1
    State: enabled
    Hosts: server1.example.com:5696
           server2.example.com:5696
           server3.example.com:5696
    Connection timeout: 5
    Cache object time to live: 300
    Encoding: TTLV
    Failover limit: 3
    Client keystore: /var/user/testuser/kmip/cluster1
    Client PKCS#12 bundle: cluster1_cred.p12
    Secondary authentication type: none
To store cluster-1's configuration in an SMF profile, issue the following command:
$ kmipcfg extract -p /var/tmp/kmip-client.xml cluster-1
To use the profile in an AI installation, you would associate kmip-client.xml with an install service. For example, assuming an existing sparc-install install service, you would issue the following command:
$ installadm create-profile -n sparc-install -f /var/tmp/kmip-client.xml -p kmip-prof
The next section describes associating install services and profiles more fully.
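Because the -s option writes sensitive information such as encoded certificates into the profile, it is worth inspecting the file before associating it with an install service. The following is an added example, not part of the original documentation: it reports a profile file that group or other users can access and flags property values that look like encoded key or certificate data. The detection pattern is a heuristic, and the property group and property names in the sample are hypothetical.

```python
import os
import re
import stat
import xml.etree.ElementTree as ET

# Heuristic (an assumption of this example): a PEM header or a long run of
# base64 characters in a property value is treated as encoded credentials.
ENCODED = re.compile(r"-----BEGIN [A-Z0-9 ]+-----|^[A-Za-z0-9+/=\s]{200,}$")

def audit_profile(path):
    """Return findings for a profile file that is about to be published."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants access to group or other")
    for prop in ET.parse(path).getroot().iter():
        if prop.tag not in ("propval", "property"):
            continue
        # A value is either the propval's own attribute or a nested value_node.
        values = [prop.get("value", "")]
        values += [node.get("value", "") for node in prop.iter("value_node")]
        if any(ENCODED.search(v) for v in values):
            findings.append(f"property '{prop.get('name')}' holds encoded key or certificate data")
    return findings

def write_sample(path, mode, with_secret):
    """Write a constructed profile; the group and property names are hypothetical."""
    blob = "QUJD" * 60 if with_secret else "none"
    with open(path, "w") as out:
        out.write(
            '<service_bundle type="profile" name="sysconfig">'
            '<service name="system/kmip/client" version="1" type="service">'
            '<instance name="default" enabled="true">'
            '<property_group name="example_group" type="application">'
            f'<propval name="example_cert" type="astring" value="{blob}"/>'
            '</property_group></instance></service></service_bundle>')
    os.chmod(path, mode)

if __name__ == "__main__":
    import tempfile
    sample = os.path.join(tempfile.mkdtemp(), "kmip-client.xml")
    write_sample(sample, 0o644, with_secret=True)
    print("\n".join(audit_profile(sample)))
```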