Configuring Client Credentials

Client security provides the following benefits:

  • The AI server can verify the identity of the clients.

  • Data is encrypted over the network.

  • For clients with custom credentials, any published files specific to a client are not readable by any other client.

  • Only authenticated clients can access the user-specified secure directory described in Configuring the AI Server's Web Server Files Directory.

To configure security for a specific client, use the following command:

$ installadm set-client -e mac-address --hmac-type signature-type [-g| [-H]]

For an explanation of the other options, see Securing Automated Installations.

Note:

When you move a client from one install service to another, the client's custom credentials are unaffected. To associate clients with a service, see Creating Client-Service Associations.

Example 5-3 Assigning User-Supplied Credentials for Specific Clients

This example specifies user-supplied credentials. Firmware keys are generated if they do not already exist and are displayed on screen.

$ installadm set-client -e 02:00:00:00:00:00 -C client.crt -K client.key -A cacert.pem

For an explanation of the options, see Securing AI on the AI Server.
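
A pre-flight check for the three files passed in Example 5-3, as an added example that is not part of the original documentation. It assumes PEM-encoded files and an available openssl command; the function name check_client_creds is hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check user-supplied credentials before running
#   installadm set-client -e <mac> -C client.crt -K client.key -A cacert.pem
# check_client_creds is a hypothetical helper; files are assumed to be PEM.
# Returns 0 if usable, 2 unreadable or unparsable, 3 key/certificate
# mismatch, 4 certificate does not verify with the CA file, 5 expired.
check_client_creds() {
    crt=$1; key=$2; ca=$3

    for f in "$crt" "$key" "$ca"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
    done

    # The public key embedded in the certificate must equal the public
    # half of the private key, otherwise the client cannot authenticate.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $crt" >&2; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null) || {
        echo "cannot parse private key: $key" >&2; return 2; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 3
    fi

    # Reject a certificate that has already expired.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired" >&2
        return 5
    fi

    # The certificate must verify with the CA file that will be given to -A.
    if ! openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$'; then
        echo "certificate does not verify against $ca" >&2
        return 4
    fi
    return 0
}
```

Call it as check_client_creds client.crt client.key cacert.pem and run installadm set-client only when it returns 0.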

Example 5-4 Setting Credentials for Clients of a Specific Install Service

Non-custom clients use the credentials of their associated AI service. See the following example for the solaris11_4-sparc service.

$ installadm set-service -g -n solaris11_4-sparc
Generating credentials for service solaris11_4-sparc...
A new certificate key has been generated.
A new certificate has been generated.
Generated client encryption (AES) firmware key:
   34bc980ccc8dfee478f89b5acbdf51b4
Generated client hashing (HMAC SHA-1) firmware key:
   b8a9f0b3472e8c3b29443daf7c9d448faad14fee

Clients without credentials that are assigned to the service share the service's credentials. Consequently, these clients can view each other's installation data.

Example 5-5 Setting Default Client Credentials

To provide a default set of credentials for any client, you configure the credentials on the AI server and use the -D option.

$ installadm set-server -D -g
Generating default client credentials...
A new certificate key has been generated.
A new certificate has been generated.
Generated client encryption (AES) firmware key:
   7cdbda5b8fc4b10ffbd29fa19d13af77
Generated client hashing (HMAC SHA-1) firmware key:
   14effe2c515da4940ef1db165791e92790163004

After default client credentials are assigned, all clients perform client and server authentication, and firmware keys are required for all clients.

Because multiple clients share the same default credentials, they can view each other's installation data.