How to Secure WAN Boot on SPARC Clients

Ensure that your role has the appropriate rights profiles to perform this procedure. See Using Rights Profiles to Install Oracle Solaris.

  1. List the security information for clients.
    $ installadm list -v
    

    If you created separate credentials for a specific SPARC client, include the client's MAC address in the command to obtain that client's security information. For example:

    $ installadm list -ve aabbccddeeff
    
  2. Note down the AES key and active hash key for the client.

    In the following example, the active hash key is based on the HMAC-SHA256 algorithm.

    $ installadm list -vs
    ...
    Def Client FW Encr Key ........
       31c88df08c958972a4b0996910539a39
    Def Client FW HMAC-SHA1 Key ... (inactive)
       3789ec373712f89879c575643415b386564b0e51
    Def Client FW HMAC-SHA256 Key . (active)
       ae956c3a41d02083ca40f6125fce994d5df4a3e5077f9996d6118dce5ac74fad
    HMAC Policy ................... HMAC-SHA256
    
  3. On the client system, access the OpenBoot prompt.

    Several options exist to access the OpenBoot prompt, such as typing the command init 0.

    If the auto-boot? OpenBoot variable is set to false, rebooting the system also displays the ok prompt at the end of the boot process.

  4. At the OBP prompt, set the AES key and the active hash key.
    ok set-security-key wanboot-aes 31c88df08c958972a4b0996910539a39
    ok set-security-key wanboot-hmac-sha256 \
    ae956c3a41d02083ca40f6125fce994d5df4a3e5077f9996d6118dce5ac74fad
    

    If the active hash key is HMAC-SHA1, use the corresponding command argument instead:

    ok set-security-key wanboot-hmac-sha1 key
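
Steps 2 and 4 depend on copying the key marked (active), not the inactive one. The following added example (not part of the Oracle documentation) derives the OBP commands from `installadm list -vs` output. It assumes the layout shown in step 2, with each label line followed by its key. The function names `obp_key_commands` and `sample_listing` are hypothetical.

```sh
#!/bin/sh
# Added example: turn `installadm list -vs` output into the matching OBP commands.
# Assumes the layout shown in step 2 (label line, key on the following line).

obp_key_commands() {
    awk '
        # Label lines: remember which OBP key name the next line belongs to.
        /FW Encr Key/ { want = "wanboot-aes"; next }
        /FW HMAC-SHA[0-9]+ Key/ {
            # Only the hash key marked (active) is emitted; inactive keys are skipped.
            if ($0 ~ /\(active\)/) {
                match($0, /HMAC-SHA[0-9]+/)
                want = "wanboot-" tolower(substr($0, RSTART, RLENGTH))
            } else {
                want = ""
            }
            next
        }
        want != "" {
            key = $1
            # Reject anything that is not a plain lowercase hex string.
            if (key !~ /^[0-9a-f]+$/) { print "bad key for " want > "/dev/stderr"; bad = 1 }
            else { print "set-security-key " want " " key; n++ }
            want = ""
        }
        # Succeed only if exactly one AES key and one active hash key were found.
        END { exit (bad || n != 2) ? 1 : 0 }
    '
}

# Sample input: the listing from step 2 of this page.
sample_listing() {
    cat <<'EOF'
Def Client FW Encr Key ........
   31c88df08c958972a4b0996910539a39
Def Client FW HMAC-SHA1 Key ... (inactive)
   3789ec373712f89879c575643415b386564b0e51
Def Client FW HMAC-SHA256 Key . (active)
   ae956c3a41d02083ca40f6125fce994d5df4a3e5077f9996d6118dce5ac74fad
HMAC Policy ................... HMAC-SHA256
EOF
}

# On the install server this would be: installadm list -vs | obp_key_commands
sample_listing | obp_key_commands
```

A non-zero exit status means the listing did not yield exactly one AES key and one active hash key, so the output should not be used at the ok prompt.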