Security-related AI Failures
If you have secured your AI server and clients as described in Overview of Securing Automated Installations, and you are experiencing problems booting or installing those clients, try the following steps to check for authentication errors:
- Check the Apache access_log and error_log in /var/ai/image-server/logs/ on the client.
- Log onto the console of the client. Examine the /tmp/install_log file and the SMF service logs in /system/volatile/.
- If authentication fails after the boot archive loads in the client, when attempting to get image files, AI manifests, or system configuration profiles, you could have a transient networking interruption. Check that the AI server is functioning correctly, and restart the installation.
- Try using the openssl s_client command to test the connection:

    $ openssl s_client -key client-key -cert client-certificate \
        -CAfile server-CA-certificate -connect AI-server-address:port

- Use the installadm list -s -v command to show the enabled or disabled state of security on the AI server. See Displaying AI Server Security Information.
- Check the client's service policy with the installadm list -v -n svcname command.
- Check assigned credentials against the CA certificates. Use the -K and -C options with the installadm list subcommand to list the assigned keys and certificates. Compare those keys and certificates with the expected keys and certificates using a character comparison utility such as diff.
- Make sure the passphrase was removed from /var/ai/ai-webserver/tls.key/server.key on the client. X.509 private key files must have any passphrase removed.
- Try using the wget command to fetch a file from an AI image, using the appropriate key, certificate, and CA certification, as shown in the following example:

    $ wget --private-key=client-key --certificate=client-certificate \
        --ca-certificate=server-CA-certificate \
        http://AI-server-address:5555/path-to-file-in-image
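
The passphrase and credential-comparison checks in the list above, as an added shell example that is not part of the original page: it detects a passphrase-protected PEM key and compares an assigned certificate with the expected one by base64 payload, which goes slightly beyond a plain diff by ignoring line endings, wrapping and text preambles. The function names and the three file arguments are hypothetical.

```shell
#!/bin/sh
# Added example: offline checks for a PEM key and certificate pair.
# Function names and arguments are hypothetical, not installadm output.

# key_is_encrypted FILE: exit 0 if the PEM private key is passphrase-protected.
# Covers PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and the traditional
# format, which marks encryption with a "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' -- "$1"
}

# pem_body FILE: print only the base64 payload of each PEM block, joined
# onto one line per block, dropping CRs, headers and any text preamble.
pem_body() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN / { inblk = 1; next }
        /^-----END /   { inblk = 0; print "--"; next }
        inblk && $0 ~ "^[A-Za-z0-9+/=]+$" { printf "%s", $0 }
    '
}

# same_credential A B: exit 0 only if both files hold identical PEM payloads.
# A file with no PEM block never matches, so two empty files are not "equal".
same_credential() {
    sc_a=$(pem_body "$1")
    [ -n "$sc_a" ] && [ "$sc_a" = "$(pem_body "$2")" ]
}

# audit_credentials KEY ASSIGNED EXPECTED: print one line per problem and
# return the number of problems found (0 means both checks passed).
audit_credentials() {
    problems=0
    if key_is_encrypted "$1"; then
        echo "FAIL: $1 still has a passphrase"
        problems=$((problems + 1))
    fi
    if ! same_credential "$2" "$3"; then
        echo "FAIL: $2 does not match $3"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run the audit when called with three file arguments.
if [ "$#" -eq 3 ]; then
    audit_credentials "$@"
fi
```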