How to Upgrade a Client's HMAC Key Based on its Service (SPARC Only)

Ensure that your role has the appropriate rights profiles to perform this procedure. See Using Rights Profiles to Install Oracle Solaris.

This task shows you how to upgrade SPARC clients that use SHA1 keys so that they use their service's SHA256 keys. It assumes that no SHA256 keys have yet been set up on the install service.

  1. If necessary, check the clients that use the SPARC service.
    $ installadm list -c
    Service Name      Client Address    Arch  Secure Custom Args Custom Grub
    ------------      --------------    ----  ------ ----------- -----------
    solaris11_4-sparc A0:B1:C2:D3:E4:F5 sparc yes     no          no

    In this example, the system with the MAC address A0:B1:C2:D3:E4:F5 uses the solaris11_4-sparc service.

  2. Check the current HMAC key that the client uses.

    For example:

    $ installadm list -v -e A0:B1:C2:D3:E4:F5
    Service Name         Client Address    Arch  Secure Custom Args Custom Grub
    ------------         --------------    ----  ------ ----------- -----------
    solaris11_4-sparc    A0:B1:C2:D3:E4:F5 sparc yes    no          no
    
    ...
    
       FW Encr Key (AES) . 23780bc444636f124ba3ff61bdac32d1
       FW HMAC Key (SHA1) 1093562559ec45a5bb5235b27c1d0545ff259d63
       Boot Args ......... none
    
  3. On the AI server, create SHA256 keys.

    Perform one or both substeps depending on the security configuration you want to implement.

    1. Create SHA256 keys on the service.
      $ installadm set-service -n solaris11_4-sparc --hmac-type sha256
      Assigning credentials for service solaris11_4-sparc...
      Generating new hashing key (HMAC)...
      Generated service hashing (HMAC SHA-256) firmware key
         b8a9f0b3472e8c3b29443daf7c9d448faad14feeb795895dac7a36d4ba6e1084
      
    2. Create SHA256 keys on a client.
      $ installadm set-client -g -e aa:bb:cc:aa:bb:cc --hmac-type sha256
      Assigning credentials for client AA:BB:CC:AA:BB:CC...
      
      Generating new hashing key (HMAC)...
      Generated client hashing (HMAC SHA-256) firmware key:
         b795895dac7a36d4ba6e1084e906aa24fda9c973e7fb4ee1c55199ca50825d3f
      Changed Client A0:B1:C2:D3:E4:F5

    Both steps perform the following actions:

    • Create new SHA256 keys.

    • Set the new keys as the active keys.

  4. Access the client system and set the new key in its firmware.

    Based on the previous step, you would do one or both of the following steps:

    1. Based on Step 3.a, you would type the following on the client A0:B1:C2:D3:E4:F5:
      OK set-security-key wanboot-hmac-256 \
      b8a9f0b3472e8c3b29443daf7c9d448faad14feeb795895dac7a36d4ba6e1084
      
    2. Based on Step 3.b, you would type the following on the client AA:BB:CC:AA:BB:CC:
      OK set-security-key wanboot-hmac-256 \
      b795895dac7a36d4ba6e1084e906aa24fda9c973e7fb4ee1c55199ca50825d3f
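
When a service has many clients, the check in Step 2 can be scripted to find the ones that are still on SHA1. The following is an added example, not part of the Oracle procedure: the function names and the sample listing are constructed, and it assumes that an upgraded client is labelled "FW HMAC Key (SHA256)" in the same layout as the "(SHA1)" line shown in Step 2.

```shell
#!/bin/sh
# Added example: report which install clients still hold a SHA1 firmware HMAC key.
# Input on stdin: text in the layout of `installadm list -v -e <MAC>` (Step 2).
# Assumption: upgraded clients are labelled "FW HMAC Key (SHA256)".
# Key values are length-checked but never echoed.

hmac_audit() {
    awk '
    # Client row: field 2 is a MAC address (17 chars of hex digits and colons).
    length($2) == 17 && $2 ~ /^[0-9A-Fa-f:]+$/ { mac = toupper($2); next }
    /FW HMAC Key \(/ {
        type = $0
        sub(/^.*FW HMAC Key \(/, "", type)   # drop the text before the type
        sub(/\).*$/, "", type)               # drop the closing paren and key
        key = $NF
        # Expected hex length: SHA1 = 40, SHA256 = 64.
        want = (type == "SHA1") ? 40 : ((type == "SHA256") ? 64 : -1)
        if (key !~ /^[0-9A-Fa-f]+$/ || length(key) != want) status = "CHECK"
        else if (type == "SHA1") status = "UPGRADE"
        else status = "OK"
        print mac, type, status
    }'
}

# MAC addresses of clients that still need Steps 3 and 4.
needs_upgrade() { hmac_audit | awk '$3 == "UPGRADE" { print $1 }'; }

# Constructed sample listing (documentation MAC range, made-up keys).
# The third client has a 63-character key, as a truncated copy would.
sample_listing() {
cat <<'EOF'
Service Name         Client Address    Arch  Secure Custom Args Custom Grub
------------         --------------    ----  ------ ----------- -----------
solaris11_4-sparc    00:00:5E:00:53:01 sparc yes    no          no
   FW Encr Key (AES) . 00112233445566778899aabbccddeeff
   FW HMAC Key (SHA1) 0123456789abcdef0123456789abcdef01234567
solaris11_4-sparc    00:00:5E:00:53:02 sparc yes    no          no
   FW HMAC Key (SHA256) 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
solaris11_4-sparc    00:00:5E:00:53:03 sparc yes    no          no
   FW HMAC Key (SHA256) 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcde
EOF
}

sample_listing | hmac_audit
```

On the AI server, pipe the real listing into the function instead of the sample, for example `installadm list -v -e A0:B1:C2:D3:E4:F5 | hmac_audit`.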