Go to main content

Installing Oracle® Solaris 11.3 Systems

Exit Print View

Updated: April 2019
 
 

Configuring Secure Install Services

Use the installadm create-service command to configure an install service when creating it. For more information, see How to Create an Install Service. Use the installadm set-service command to reconfigure an existing install service. This section describes how to set a security policy for your install service.

Each install service may have one security policy set. The available choices are:

require-client-auth

Confirms the identity of the AI client. Requires client and server authentication for all AI clients of the specified service. This option also requires encryption.

Requires all AI clients of the service to authenticate with client authentication. All AI clients of the specified service must be assigned credentials, and all SPARC clients of this service must have their OBP keys defined. Any AI clients of the service that are not configured for client authentication will not be able to use this install service.

require-server-auth

Confirms the identify of the AI server. Requires all AI clients of the specified service to perform server authentication. This option also requires encryption.

Requires at least AI server authentication for access to the specified install service. Client authentication is optional, but you must provide any assigned or attributed client credentials. You must also define OBP keys for all SPARC clients of this service.

optional

Allows both authenticated and unauthenticated AI clients to access the install service. The option also requires encryption if the AI server has credentials. This is the default behavior.

You must provide any assigned client credentials. AI clients without assigned or attributed credentials do not use OBP keys or server authentication. Server authentication is provided only for AI clients configured for client authentication.

encr-only

For x86 clients only: Enables SSL/TLS end-to-end encryption without requiring authentication. Without authentication, the identities of the AI client and AI server are not guaranteed. Data in transit is not readable over the network by third parties.

disable

Disables all security for all AI clients of the specified service.

Clients of this service are not authenticated. No credentials are issued. Clients of this service cannot access the webserver_secure_files_dir directory described in Configuring the Web Server User Files Directory. Use this setting with caution: Any install service files that were previously protected by authentication are no longer protected. Client data is not secured from unwanted access. To re-enable authentication, specify the set-service subcommand again with a different security policy value.

Example 31  Requiring AI Server Authentication During Installation

This example specifies a security setting that requires server authentication to use an install service. Use the require-server-auth install service security setting to require AI clients of the specified service to at least authenticate the AI server.

# installadm set-service -p require-server-auth -n install-service
Example 32  x86: Requiring Encryption During Installation

This example specifies a security setting that uses encryption but does not require authentication. On x86 clients, to protect data transfers for a specific install service but not require client or server authentication, use the encr-only security setting. You still need a server certificate. The data will be protected from snooping over the network, but the AI server will provide the data to any AI client that issues the proper request to the server.

# installadm set-service -p encr-only -n install-service