Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, February 9, 2022
 
 

identity(8s)

Name

identity - System Identity configuration

Synopsis

svc:/system/identity

Description

The SMF service svc:/system/identity configures the basic network identity (names) of the Oracle Solaris instance. This includes its nodename, RPC domainname and the default set of X.509 certificates used for the Remote Administration Daemon (RAD) and WebUI.

The service is composed of multiple instances:

  • svc:/system/identity:node

    Sets the hostname/nodename.

  • svc:/system/identity:domain

    Sets the RPC domainname.

  • svc:/system/identity:cert

    Deploys or creates the X.509 certificates for WebUI and RAD connections using the TLS transport.

  • svc:/system/identity:cert-expiry

    X.509 certificate expiry check.

  • svc:/system/identity:version

    Updates the value used for 'uname -v'.

Options

The following configuration properties apply to the cert instance:

certificate/generate

Generate a new local Certificate Authority and host certifiate issued by the host CA. This option is true by default and is automatically set to false after the certificates have been generated and loaded into the SMF service.

certificate/add_ip_subject_altname

Include IP address Subject Alternative Name entries in the CSR and local CA generated X.509 certificate. This option is set to true by default. Note that RFC 6125 generally advises against the use of IP addresses in X.509 certificates.

Examples

Example 1 Regenerating the local host CA and host keys and certificates
# svccfg -s system/identity:cert delcust
# svcadm refresh system/identity:cert
# svcadm restart -s system/identity:cert
Example 2 View the host X.509 certificate
# pktool list keystore=file dir=/etc/certs/localhost
Certificates:
1) X.509 certificate
    Filename: /etc/certs/localhost/host.crt
    Subject: CN=myhost.example.com
    Issuer: O=Host Root CA, CN=myhost
    Not Before: Feb 23 10:56:00 2021 GMT
    Not After: Feb 24 10:56:00 2022 GMT
    Serial: 0xF84CDC4E7326
    Signature Algorithm: sha256WithRSAEncryption
    X509v3 Subject Alternative Name:
        DNS:myhost.example.com
        DNS:myhost
        IP Address:10.1.208.223
        IP Address:192.168.0.1
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
    SHA1 Certificate Fingerprint:
        97:30:b0:7c:63:05:19:78:55:d4:12:81:5f:e3:2c:5d:00:d1:31:b6
Example 3 Specifying a certificate DN For the case where the host can not determine its own fully qualified domain name its self, maybe because it is behind NAT or uses a different DNS to the clients, the value of the DN can be provided:
# svccfg -s system/identity:cert delcust
# svccfg -s system/identity:cert setprop certificate/subject \
  = service.example.com
# svcadm refresh system/identity:cert
# svcadm restart -sr system/identity:cert
Example 4 Setting CA issued X.509 Certificates By default the system will generate a local Certificate Authority (CA) and issue a host certificate from it. This is used as the default TLS server certificate for svc:/system/webui/server and svc:/system/rad:remote services.

Deployments that can have a certificate issued from a Certificate Authority (CA) should use the following procedure to use that certificate instead, substituting appropriate filenames:

# SVC=svc:/system/identity:cert
# svccfg -s $SVC setprop certificate/cert/pem_value \
  = astring: "$(cat /path/to/signed/certificate.crt)"
# svccfg -s $SVC setprop certificate/cert/private_key/pem_value \
  = astring: "$(cat /path/to/signed/certificate.key)"
# svccfg -s $SVC setprop certificate/ca/pem_value \
  = astring: "$(cat /path/to/issuer/certificate.crt)"
# svcadm refresh $SVC
# svcadm restart -s $SVC

Restarting svc:/system/identity:cert results in svc:/system/webui/server, svc:/system/rad:remote, and svc:/system/ca-certificates:default also being restarted.

See Also

uname(1), hostname(1), webui-service(7), domainname(8)