You can secure automated installations with the Transport Layer Security (TLS) protocol. To be authenticated with TLS, you must assign the AI server and each AI client a private certificate and key pair. In addition, you must provide the Certificate Authority (CA) certificate used to generate and sign certificates. To enable security for SPARC clients, you must generate an OBP HMAC key and encryption key for each client . These keys also secure the download of the initial network boot files.
You may enable security for x86 clients as well, but note that x86 clients use PXEBoot, so the initial network boot phase is not secured. To enable security for x86 clients, you must create the x86 install service from a custom AI image that includes the CA certificates and the client certificate and key files. See Chapter 3, Building an Image in Creating a Custom Oracle Solaris 11.3 Installation Image on how to build custom AI media which includes security certificates. After creating the install service from this image, security must be set on the install service using the same security certificates that were used during the construction of that AI image.
You can secure an automated installation in the following ways:
Server authentication: The identity of the AI server can be verified.
Client authentication: The identity of the AI client can be verified.
Controlling access to automated installations.
Controlling access to server data.
Protecting client data for all AI clients or separately for specified AI clients.
Encrypting data so that it cannot be read over the network.
Accessing secured IPS package repositories.
Having the web server securely publish a user-specified directory. Client authentication is required to access this directory.
In addition to securing the AI process, you can increase security within your network by using AI to provision Kerberos in the AI clients. For instructions, see How to Configure Kerberos Clients Using AI.