Security-related AI Failures

If you have secured your AI server and clients as described in Overview of Securing Automated Installations, and you are experiencing problems booting or installing those clients, try the following steps to check for authentication errors:

  • Check the Apache access_log and error_log in /var/ai/image-server/logs/ on the client.

  • Log in to the console of the client. Examine the /tmp/install_log file and the SMF service logs in /system/volatile/.

  • If authentication fails after the boot archive loads in the client, when attempting to get image files, AI manifests, or system configuration profiles, you could have a transient networking interruption. Check that the AI server is functioning correctly, and restart the installation.

  • Try using the openssl s_client command to test the connection:

    $ openssl s_client -key client-key -cert client-certificate \
    -CAfile server-CA-certificate -connect AI-server-address:port
    
  • Use the installadm list -s -v command to show the enabled or disabled state of security on the AI server. See Displaying AI Server Security Information.

  • Check the client's service policy with the installadm list -v -n svcname command.

  • Check assigned credentials against the CA certificates. Use the -K and -C options with the installadm list subcommand to list the assigned keys and certificates. Compare those keys and certificates with the expected keys and certificates using a character comparison utility such as diff.

  • Make sure the passphrase was removed from /var/ai/ai-webserver/tls.key/server.key on the client. X.509 private key files must have any passphrase removed.

  • Try using the wget command to fetch a file from an AI image, using the appropriate key, certificate, and CA certificate, as shown in the following example:

    $ wget --private-key=client-key --certificate=client-certificate \
    --ca-certificate=server-CA-certificate \
    http://AI-server-address:5555/path-to-file-in-image
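
The credential checks in the list above can also be run offline before retrying the installation. The following script is an added example, not part of the original documentation: it detects a key that still has a passphrase, confirms that the certificate matches the key, and verifies the certificate against the CA certificate, which goes one step beyond a diff comparison. The function names are hypothetical and the three file arguments are placeholders you supply.

```shell
#!/bin/sh
# Added example: offline sanity checks on the PEM files used in the commands above.
# Function names are hypothetical; key, certificate and CA paths are placeholders.

# Succeeds if the PEM private key ($1) still has a passphrase. Traditional PEM keys
# carry "Proc-Type: 4,ENCRYPTED"; PKCS#8 keys use an "ENCRYPTED PRIVATE KEY" header.
key_has_passphrase() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeeds if the certificate ($1) carries the public half of the private key ($2).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # "-passin pass:" supplies an empty passphrase so openssl never prompts.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate ($1) verifies against the CA certificate file ($2).
# The output is matched rather than relying on the exit status alone.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Run all three checks: $1 = private key, $2 = certificate, $3 = CA certificate.
# Returns 0 only if every check passes.
check_ai_credentials() {
    rc=0
    if key_has_passphrase "$1"; then
        echo "FAIL: $1 is passphrase-protected"; rc=1
    fi
    cert_matches_key "$2" "$1" || { echo "FAIL: $2 does not match $1"; rc=1; }
    cert_chains_to_ca "$2" "$3" || { echo "FAIL: $2 does not verify against $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key, certificate and CA are consistent"
    return "$rc"
}

# When invoked as: script key-file certificate-file CA-certificate-file
if [ "$#" -eq 3 ]; then
    check_ai_credentials "$1" "$2" "$3"
fi
```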