Solaris 9 12/03 Installation Guide

Configuring the WAN Boot Server

The WAN boot server is a web server that provides the boot and configuration data during a WAN boot installation. For a list of the system requirements for the WAN boot server, see Table 39–1.

This section describes the following tasks required to configure the WAN boot server for a WAN boot installation.

Creating the Document Root Directory

To serve the configuration and installation files, you must make these files accessible to the web server software on the WAN boot server. One method to make these files accessible is to store them in the WAN boot server's document root directory.

If you want to use a document root directory to serve the configuration and installation files, you must create this directory. See your web server documentation for information about how to create the document root directory. For detailed information about how to design your document root directory, see Storing Installation and Configuration Files in the Document Root Directory.

Creating the WAN Boot Miniroot

WAN boot uses a special Solaris miniroot that has been modified to perform a WAN boot installation. The WAN boot miniroot contains a subset of the software in the Solaris miniroot. To perform a WAN boot installation, you must copy the miniroot from the Solaris DVD or the Solaris Software 1 of 2 CD to the WAN boot server. Use the -w option to the setup_install_server command to copy the WAN boot miniroot from the Solaris software media to your system's hard disk.

This procedure creates a SPARC WAN boot miniroot with SPARC media. If you want to serve a SPARC WAN boot miniroot from an x86–based server, you must create the miniroot on a SPARC machine. After you create the miniroot, copy the miniroot to the document root directory on the x86–based server.

For additional information about the setup_install_server command, see Chapter 12, Preparing to Install From the Network With CD Media (Tasks).

SPARC: To Create a WAN Boot Miniroot

This procedure assumes that the WAN boot server is running the Volume Manager. If you are not using the Volume Manager, see System Administration Guide: Basic Administration for information about managing removable media without the Volume Manager.

  1. Become superuser on the WAN boot server.

    The system must meet the following requirements.

    • Include a CD-ROM or DVD-ROM drive

    • Be part of the site's network and name service.

      If you use a name service, the system must already be in a name service, such as NIS, NIS+, DNS, or LDAP. If you do not use a name service, you must distribute information about this system by following your site's policies.

  2. Insert the Solaris Software 1 of 2 CD or the Solaris DVD in the install server's drive.

  3. Create a directory for the WAN boot miniroot and Solaris installation image.


    # mkdir -p wan-dir-path install-dir-path
    
    -p

    Instructs the mkdir command to create all the necessary parent directories for the directory you want to create.

    wan-dir-path

    Specifies the directory where the WAN boot miniroot is to be created on the install server. This directory needs to accommodate miniroots that are typically 250 Mbytes in size.

    install-dir-path

    Specifies the directory on the install server where the Solaris software image is to be copied. This directory can be removed later in this procedure.

  4. Change to the Tools directory on the mounted disc.


    # cd /cdrom/cdrom0/s0/Solaris_9/Tools
    

    In the previous example, cdrom0 is the path to the drive that contains the Solaris operating environment media.

  5. Copy the WAN boot miniroot and the Solaris software image to the WAN boot server's hard disk.


    # ./setup_install_server -w wan-dir-path install-dir-path
    
    wan-dir-path

    Specifies the directory where the WAN boot miniroot is to be copied

    install-dir-path

    Specifies the directory where the Solaris software image is to be copied


    Note –

    The setup_install_server command indicates whether you have enough disk space available for the Solaris Software disc images. To determine available disk space, use the df -kl command.


    The setup_install_server -w command creates the WAN boot miniroot and a network installation image of the Solaris software.

  6. (Optional) Remove the network installation image.

    You do not need the Solaris software image to perform a WAN installation with a Solaris Flash archive. You can free up disk space if you do not plan to use the network installation image for other network installations. Type the following command to remove the network installation image.


    # rm -rf install-dir-path
    
  7. Make the WAN boot miniroot available to the WAN boot server in one of the following ways.

    • Create a symbolic link to the WAN boot miniroot in the document root directory of the WAN boot server.


      # cd /document-root-directory/miniroot
      # ln -s /wan-dir-path/miniroot .
      
      document-root-directory/miniroot

      Specifies the directory in the WAN boot server's document root directory where you want to link to the WAN boot miniroot

      /wan-dir-path/miniroot

      Specifies the path to the WAN boot miniroot

    • Move the WAN boot miniroot to the document root directory on the WAN boot server.


      # mv /wan-dir-path/miniroot /document-root-directory/miniroot/miniroot-name
      
      wan-dir-path/miniroot

      Specifies the path to the WAN boot miniroot.

      /document-root-directory/miniroot/

      Specifies the path to the WAN boot miniroot directory in the WAN boot server's document root directory.

      miniroot-name

      Specifies the name of the WAN boot miniroot. Name the file descriptively, for example miniroot.s9_sparc.

Installing the wanboot Program on the WAN Boot Server

WAN boot uses a special second-level boot program (wanboot) to install the client. The wanboot program loads the WAN boot miniroot, client configuration files, and installation files that are required to perform a WAN boot installation.

To perform a WAN boot installation, you must provide the wanboot program to the client during the installation. You can provide this program to the client in the following ways.

SPARC: To Install the wanboot Program on the WAN Boot Server

This procedure assumes that the WAN boot server is running the Volume Manager. If you are not using the Volume Manager, see System Administration Guide: Basic Administration for information about managing removable media without the Volume Manager.

  1. Become superuser on the install server.

  2. Insert the Solaris Software 1 of 2 CD or the Solaris DVD in the install server's drive.

  3. Change to the sun4u platform directory on the Solaris Software 1 of 2 CD or the Solaris DVD.


    # cd /cdrom/cdrom0/s0/Solaris_9/Tools/Boot/platform/sun4u/
    
  4. Copy the wanboot program to the install server.


    # cp wanboot /document-root-directory/wanboot/wanboot-name
    
    document-root-directory

    Specifies the document root directory of the WAN boot server.

    wanboot-name

    Specifies the name of the wanboot program. Name this file descriptively, for example, wanboot.s9_sparc.

  5. Make the wanboot program available to the WAN boot server in one of the following ways.

    • Create a symbolic link to the wanboot program in the document root directory of the WAN boot server.


      # cd /document-root-directory/wanboot
      # ln -s /wan-dir-path/wanboot .
      
      document-root-directory/wanboot

      Specifies the directory in the WAN boot server's document root directory where you want to link to the wanboot program

      /wan-dir-path/wanboot

      Specifies the path to the wanboot program

    • Move the wanboot program to the document root directory on the WAN boot server.


      # mv /wan-dir-path/wanboot /document-root-directory/wanboot/wanboot-name
      
      wan-dir-path/wanboot

      Specifies the path to the wanboot program

      /document-root-directory/wanboot/

      Specifies the path to the wanboot program directory in the WAN boot server's document root directory.

      wanboot-name

      Specifies the name of the wanboot program. Name the file descriptively, for example wanboot.s9_sparc.

Creating the /etc/netboot Hierarchy on the WAN Boot Server

During the installation, WAN boot refers to the contents of the /etc/netboot hierarchy on the web server for instructions about how to perform the installation. This directory contains the configuration information, private key, digital certificate, and certificate authority required for a WAN boot installation. During the installation, the wanboot-cgi program converts this information into the WAN boot file system. The wanboot-cgi program then transmits the WAN boot file system to the client.

For planning information about how to design the /etc/netboot hierarchy, see Storing Configuration and Security Information in the /etc/netboot Hierarchy.

To Create the /etc/netboot Hierarchy
  1. Become superuser on the WAN boot server.

  2. Create the /etc/netboot directory.


    # mkdir /etc/netboot
    
  3. Change the permissions of the /etc/netboot directory to 700.


    # chmod 700 /etc/netboot
    
  4. Change the owner of the /etc/netboot directory to the web server owner.


    # chown web-server-user:web-server-group /etc/netboot/
    
    web-server-user

    Specifies the user owner of the web server process

    web-server-group

    Specifies the group owner of the web server process

  5. Exit the superuser role.


    # exit
    
  6. Assume the user role of the web server owner.

  7. Create the client subdirectory of the /etc/netboot directory.


    # mkdir -p /etc/netboot/net-ip/client-ID
    
    -p

    Instructs the mkdir command to create all the necessary parent directories for the directory you want to create

    (Optional) net-ip

    Specifies the network IP address of the client's subnet.

    (Optional) client-ID

    Specifies the client ID. The client ID can be a user-defined value or the DHCP client ID. The client-ID directory must be a subdirectory of the net-ip directory.

  8. For each directory in the /etc/netboot hierarchy, change the permissions to 700.


    # chmod 700 /etc/netboot/dir-name
    
    dir-name

    Specifies the name of a directory in the /etc/netboot hierarchy


Example 40–1 Creating the /etc/netboot Hierarchy on the WAN Boot Server

The following example shows how to create the /etc/netboot hierarchy for the client 010003BA152A42 on subnet 192.168.255.0. In this example, the user nobody and the group admin own the web server process.


# cd /
# mkdir /etc/netboot/
# chmod 700 /etc/netboot
# chown nobody:admin /etc/netboot
# exit
server# su nobody
Password:
nobody# mkdir -p /etc/netboot/192.168.255.0/010003BA152A42
nobody# chmod 700 /etc/netboot/192.168.255.0
nobody# chmod 700 /etc/netboot/192.168.255.0/010003BA152A42

Copying the WAN Boot CGI Program to the WAN Boot Server

The wanboot-cgi program creates the data streams that transmit the following files from the WAN boot server to the client.

The wanboot-cgi program is installed on the system when you install the Solaris 9 12/03 operating environment. To enable the WAN boot server to use this program, copy this program to the cgi-bin directory of the WAN boot server.

To Copy the wanboot-cgi Program to the WAN Boot Server
  1. Become superuser on the WAN boot server.

  2. Copy the wanboot-cgi program to the WAN boot server.


    # cp /usr/lib/inet/wanboot/wanboot-cgi /WAN-server-root/cgi-bin/wanboot-cgi
    
    /WAN-server-root

    Specifies the root directory of the web server software on the WAN boot server

  3. On the WAN boot server, change the permissions of the CGI program to 755.


    # chmod 755 /WAN-server-root/cgi-bin/wanboot-cgi
    

(Optional) Protecting Data by Using HTTPS

To protect your data during the transfer from the WAN boot server to the client, you can use HTTP over Secure Sockets Layer (HTTPS). To use the more secure installation configuration that is described in Secure WAN Boot Installation Configuration, you must enable your web server to use HTTPS.

To enable the web server software on the WAN boot server to use HTTPS, you must perform the following tasks.

Using Digital Certificates for Server and Client Authentication

The WAN boot installation method can use PKCS#12 files to perform an installation over HTTPS with server or both client and server authentication. For requirements and guidelines about using PKCS#12 files, see Digital Certificate Requirements.

To use a PKCS#12 file in a WAN boot installation, you perform the following tasks.

The wanbootutil command provides options to perform the tasks in the previous list.

Before you split a PKCS#12 file, create the appropriate subdirectories of the /etc/netboot hierarchy on the WAN boot server.

Creating a Trusted Certificate and Client Private Key
  1. Assume the same user role as the web server user on the WAN boot server.

  2. Extract the trusted certificate from the PKCS#12 file. Insert the certificate in the client's truststore file in the /etc/netboot hierarchy.


    # wanbootutil p12split -i p12cert \
      -t /etc/netboot/net-ip/client-ID/truststore
    
    p12split

    Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.

    -i p12cert

    Specifies the name of the PKCS#12 file to split.

    -t /etc/netboot/net-ip/client-ID/truststore

    Inserts the certificate in the client's truststore file. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.

  3. (Optional) Decide if you want to require client authentication.

    1. Insert the client certificate in the client's certstore.


      # wanbootutil p12split -i p12cert -c \
        /etc/netboot/net-ip/client-ID/certstore -k keyfile
      
      p12split

      Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.

      -i p12cert

      Specifies the name of the PKCS#12 file to split.

      -c /etc/netboot/net-ip/client-ID/certstore

      Inserts the client's certificate in the client's certstore. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.

      -k keyfile

      Specifies the name of the client's SSL private key file to create from the split PKCS#12 file.

    2. Insert the private key in the client's keystore.


      # wanbootutil keymgmt -i -k keyfile \
         -s /etc/netboot/net-ip/client-ID/keystore -o type=rsa
      
      keymgmt -i

      Inserts an SSL private key in the client's keystore

      -k keyfile

      Specifies the name of the client's private key file that was created in the previous step

      -s /etc/netboot/net-ip/client-ID/keystore

      Specifies the path to the client's keystore

      -o type=rsa

      Specifies the key type as RSA


Example 40–2 Creating a Trusted Certificate for Server Authentication

In the following example, you use a PKCS#12 file to install client 010003BA152A42 on subnet 192.168.255.0. This command sample extracts a certificate from a PKCS#12 file that is named client.p12. The command then places the contents of the trusted certificate in the client's truststore file.


# wanbootutil p12split -i client.p12 \
   -t /etc/netboot/192.168.255.0/010003BA152A42/truststore
# chmod 600 /etc/netboot/192.168.255.0/010003BA152A42/truststore
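The permission requirements from the /etc/netboot procedure (every directory mode 700, owned by the web server user) and the chmod 600 applied to the truststore in Example 40–2 are easy to get wrong when the hierarchy is maintained by hand. The following audit function is an added example, not part of the Solaris guide or of wanbootutil; it assumes the hierarchy root and the web server user are passed as arguments, and it treats keystore and certstore files the same way as the truststore (mode 600), which is an assumption extended from the example above.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): audit an /etc/netboot
# hierarchy for the ownership and permissions the WAN boot procedure
# requires. Prints one line per finding and returns 0 when clean,
# 1 when anything deviates.
#
# Assumptions: $1 is the hierarchy root (default /etc/netboot),
# $2 is the web server user (default nobody, as in Example 40-1).
# Paths in the hierarchy contain no whitespace, which holds for the
# net-ip/client-ID layout the guide describes.
check_netboot_hierarchy() {
    root=${1:-/etc/netboot}
    owner=${2:-nobody}
    findings=0

    # Step 8 of the procedure: every directory in the hierarchy is 700.
    for d in $(find "$root" -type d ! -perm 700 -print); do
        echo "directory not mode 700: $d"
        findings=$((findings + 1))
    done

    # Example 40-2 sets the truststore to 600; the same is assumed here
    # for the keystore and certstore, which also hold secret or
    # trust-defining material.
    for f in $(find "$root" -type f \
            \( -name keystore -o -name truststore -o -name certstore \) \
            ! -perm 600 -print); do
        echo "store file not mode 600: $f"
        findings=$((findings + 1))
    done

    # Step 4 of the procedure: the web server user owns the hierarchy.
    for p in $(find "$root" ! -user "$owner" -print); do
        echo "not owned by $owner: $p"
        findings=$((findings + 1))
    done

    [ "$findings" -eq 0 ]
}
```

Run it as the web server user after creating the hierarchy, for example `check_netboot_hierarchy /etc/netboot nobody`; a non-zero exit status means at least one directory or store file needs its mode or owner corrected before the client's keys and certificates are placed there.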

Creating a Hashing Key and an Encryption Key

If you want to use HTTPS to transmit your data, you must create an HMAC SHA1 hashing key and an encryption key. If you plan to install over a semi-private network, you might not want to encrypt the installation data. You can use an HMAC SHA1 hashing key to check the integrity of the wanboot program. For overview information on hashing keys and encryption keys, see Protecting Data During a WAN Boot Installation.

By using the wanbootutil keygen command, you can generate these keys and store them in the appropriate /etc/netboot directory.

To Create a Hashing Key and Encryption Key
  1. Assume the same user role as the web server user on the WAN boot server.

  2. Create the master HMAC SHA1 key.


    # wanbootutil keygen -m
    
    keygen -m

    Creates the master HMAC SHA1 key for the WAN boot server

  3. Create the HMAC SHA1 hashing key for the client from the master key.


    # wanbootutil keygen -c -o [net=net-ip,{cid=client-ID,}]type=sha1
    
    -c

    Creates the client's hashing key from the master key.

    -o

    Indicates that additional options are included for the wanbootutil keygen command.

    (Optional) net=net-ip

    Specifies the IP address for the client's subnet. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.

    (Optional) cid=client-ID

    Specifies the client ID. The client ID can be a user-defined ID or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.

    type=sha1

    Instructs the wanbootutil keygen utility to create an HMAC SHA1 hashing key for the client.

  4. Decide if you need to create an encryption key for the client.

    You need to create an encryption key to perform a WAN boot installation over HTTPS. Before the client establishes an HTTPS connection with the WAN boot server, the WAN boot server transmits encrypted data and information to the client. The encryption key enables the client to decrypt this information and use this information during the installation.

    • If you are performing a more secure WAN installation over HTTPS with server authentication, continue.

    • If you only want to check the integrity of the wanboot program, you do not need to create an encryption key. Go to Step 6.

  5. Create an encryption key for the client.


    # wanbootutil keygen -c -o [net=net-ip,{cid=client-ID,}]type=key-type
    
    -c

    Creates the client's encryption key.

    -o

    Indicates that additional options are included for the wanbootutil keygen command.

    (Optional) net=net-ip

    Specifies the network IP address for the client. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.

    (Optional) cid=client-ID

    Specifies the client ID. The client ID can be a user-defined ID, or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.

    type=key-type

    Instructs the wanbootutil keygen utility to create an encryption key for the client. key-type can have a value of 3des or aes.

  6. Install the keys on the client system.

    For instructions about how to install keys on the client, see Installing Keys on the Client.


Example 40–3 Creating Required Keys for WAN Boot Installation Over HTTPS

The following example creates a master HMAC SHA1 key for the WAN boot server. This example also creates an HMAC SHA1 hashing key and 3DES encryption key for client 01832AA440 on subnet 192.168.255.0.


# wanbootutil keygen -m
# wanbootutil keygen -c -o net=192.168.255.0,cid=010003BA152A42,type=sha1
# wanbootutil keygen -c -o net=192.168.255.0,cid=010003BA152A42,type=3des