Solaris Express Installation Guide: Network-Based Installations

Chapter 14 WAN Boot (Reference)

This chapter briefly describes the commands and files you use to perform a WAN installation.

WAN Boot Installation Commands

The following tables describe the commands you use to perform a WAN boot installation.

Table 14–1 Preparing the WAN Boot Installation and Configuration Files

Task and Description 

Command 

Copy the Solaris installation image to install-dir-path, and copy the WAN boot miniroot to wan-dir-path on the install server's local disk.

setup_install_server -w wan-dir-path install-dir-path

Create a Solaris Flash archive that is named name.flar.

  • name is the name of the archive

  • optional-parameters are optional parameters you can use to customize the archive

  • document-root is the path to the document root directory on the install server

  • filename is the name of the archive

flarcreate -n name [optional-parameters] document-root/flash/filename

Check the validity of the custom JumpStart rules file that is named rules.

./check -r rules

Check the validity of the wanboot.conf file.

  • net-ip is the IP address of the client's subnet.

  • client-ID can be a user-defined ID or the DHCP client ID.

bootconfchk /etc/netboot/net-ip/client-ID/wanboot.conf

Check for WAN boot installation support in the client OBP.

eeprom | grep network-boot-arguments

Table 14–2 Preparing the WAN Boot Security Files

Task and Description 

Command 

Create a master HMAC SHA1 key for the WAN boot server. 

wanbootutil keygen -m

Create an HMAC SHA1 hashing key for the client.

  • net-ip is the IP address of the client's subnet.

  • client-ID can be a user-defined ID or the DHCP client ID.

wanbootutil keygen -c -o net=net-ip,cid=client-ID,type=sha1

Create an encryption key for the client. 

  • net-ip is the IP address of the client's subnet.

  • client-ID can be a user-defined ID or the DHCP client ID.

  • key-type is either 3des or aes.

wanbootutil keygen -c -o net=net-ip,cid=client-ID,type=key-type

Split a PKCS#12 certificate file and insert the certificate in the client's truststore.

  • p12cert is the name of the PKCS#12 certificate file.

  • net-ip is the IP address of the client's subnet.

  • client-ID can be a user-defined ID or the DHCP client ID.

wanbootutil p12split -i p12cert -t /etc/netboot/net-ip/client-ID/truststore

Split a PKCS#12 certificate file and insert the client certificate in the client's certstore.

  • p12cert is the name of the PKCS#12 certificate file.

  • net-ip is the IP address of the client's subnet.

  • client-ID can be a user-defined ID or the DHCP client ID.

  • keyfile is the name of the client's private key.

wanbootutil p12split -i p12cert -c /etc/netboot/net-ip/client-ID/certstore -k keyfile

Insert the client private key from a split PKCS#12 file in the client's keystore.

  • keyfile is the name of the client's private key.

  • net-ip is the IP address of the client's subnet.

  • client-ID can be a user-defined ID or a DHCP client ID.

wanbootutil keymgmt -i -k keyfile -s /etc/netboot/net-ip/client-ID/keystore -o type=rsa

Display the value of an HMAC SHA1 hashing key.

  • net-ip is the IP address of the client's subnet.

  • client-ID can be a user-defined ID or the DHCP client ID.

wanbootutil keygen -d -c -o net=net-ip,cid=client-ID,type=sha1

Display the value of an encryption key. 

  • net-ip is the IP address of the client's subnet.

  • client-ID can be a user-defined ID or the DHCP client ID.

  • key-type is either 3des or aes.

wanbootutil keygen -d -c -o net=net-ip,cid=client-ID,type=key-type

Insert a hashing key or an encryption key on a running system.

  • key-type can have a value of sha1, 3des, or aes.

/usr/lib/inet/wanboot/ickey -o type=key-type

OBP Commands

The following table lists the OBP commands that you type at the client ok prompt to perform a WAN boot installation.

Table 14–3 OBP Commands for a WAN Boot Installation

Task and Description 

OBP Command 

Begin an unattended WAN boot installation. 

boot net - install

Begin an interactive WAN boot installation. 

boot net -o prompt - install

Begin a WAN boot installation from a local CD. 

boot cdrom -F wanboot - install

Install a hashing key before you begin a WAN boot installation.

  • key-value is the hexadecimal value of the hashing key.

set-security-key wanboot-hmac-sha1 key-value

Install an encryption key before you begin a WAN boot installation.

  • key-type is either wanboot-3des or wanboot-aes.

  • key-value is the hexadecimal value of the encryption key.

set-security-key key-type key-value

Verify that key values are set in OBP.

list-security-keys

Set client configuration variables before you begin your WAN boot installation.

  • client-IP is the IP address of the client.

  • router-ip is the IP address of the network router.

  • mask-value is the subnet mask value.

  • client-name is the host name of the client.

  • proxy-ip is the IP address of the network's proxy server.

  • wanbootCGI-path is the path to the wanbootCGI programs on the web server.

setenv network-boot-arguments host-ip=client-IP,router-ip=router-ip,subnet-mask=mask-value,hostname=client-name,http-proxy=proxy-ip,file=wanbootCGI-path

Check the network device alias.

devalias

Set the network device alias, where device-path is the path to the primary network device.

  • To set the alias for the current installation only, type devalias net device-path.

  • To permanently set the alias, type nvalias net device-path.

System Configuration File Settings and Syntax

The system configuration file enables you to direct the WAN boot installation programs to the following files.

The system configuration file is a plain text file, and must be formatted in the following pattern.

setting=value

The system.conf file must contain the following settings.

SsysidCF=sysidcfg-file-URL

This setting points to the directory on the install server that contains the sysidcfg file. For WAN installations that use HTTPS, set the value to a valid HTTPS URL.

SjumpsCF=jumpstart-files-URL

This setting points to the custom JumpStart directory that contains the rules.ok and profile files. For WAN installations that use HTTPS, set the value to a valid HTTPS URL.

You can store the system.conf in any directory that is accessible to the WAN boot server.

wanboot.conf File Parameters and Syntax

The wanboot.conf file is a plain-text configuration file that the WAN boot installation programs use to perform a WAN installation. The following programs and files use the information included in the wanboot.conf file to install the client machine.

Save the wanboot.conf file in the appropriate client subdirectory in the /etc/netboot hierarchy on the WAN boot server. For information on how to define the scope of your WAN boot installation with the /etc/netboot hierarchy, see Creating the /etc/netboot Hierarchy on the WAN Boot Server.

You specify information in the wanboot.conf file by listing parameters with associated values in the following format.

parameter=value

Parameter entries cannot span lines. You can include comments in the file by preceding the comments with the # character.

For detailed information about the wanboot.conf file, see the man page wanboot.conf(4).

You must set the following parameters in the wanboot.conf file.

boot_file=wanboot-path

This parameter specifies the path to the wanboot program. The value is a path relative to the document root directory on the WAN boot server.

boot_file=/wanboot/wanboot.s10_sparc

root_server=wanbootCGI-URL/wanboot-cgi

This parameter specifies the URL of the wanboot-cgi program on the WAN boot server.

  • Use an HTTP URL if you are performing a WAN boot installation without client or server authentication.

    root_server=http://www.example.com/cgi-bin/wanboot-cgi
  • Use an HTTPS URL if you are performing a WAN boot installation with server authentication, or server and client authentication.

    root_server=https://www.example.com/cgi-bin/wanboot-cgi

root_file=miniroot-path

This parameter specifies the path to the WAN boot miniroot on the WAN boot server. The value is a path relative to the document root directory on the WAN boot server.

root_file=/miniroot/miniroot.s10_sparc

signature_type=sha1 | empty

This parameter specifies the type of hashing key to use to check the integrity of the data and files that are transmitted.

  • For WAN boot installations that use a hashing key to protect the wanboot program, set this value to sha1.

    signature_type=sha1
  • For insecure WAN installations that do not use a hashing key, leave this value blank.

    signature_type=

encryption_type=3des | aes | empty

This parameter specifies the type of encryption to use to encrypt the wanboot program and WAN boot file system.

  • For WAN boot installations that use HTTPS, set this value to 3des or aes to match the key formats you use. You must also set the signature_type keyword value to sha1.

    encryption_type=3des

    or

    encryption_type=aes
  • For insecure WAN boot installations that do not use an encryption key, leave this value blank.

    encryption_type=

server_authentication=yes | no

This parameter specifies if the server should be authenticated during the WAN boot installation.

  • For WAN boot installations with server authentication or server and client authentication, set this value to yes. You must also set the value of signature_type to sha1, encryption_type to 3des or aes, and the URL of root_server to an HTTPS value.

    server_authentication=yes
  • For insecure WAN boot installations that do not use server authentication or server and client authentication, set this value to no. You can also leave the value blank.

    server_authentication=no

client_authentication=yes | no

This parameter specifies if the client should be authenticated during a WAN boot installation.

  • For WAN boot installations with server and client authentication, set this value to yes. You must also set the value of signature_type to sha1, encryption_type to 3des or aes, and the URL of root_server to an HTTPS value.

    client_authentication=yes
  • For WAN boot installations that do not use client authentication, set this value to no. You can also leave the value blank.

    client_authentication=no

resolve_hosts=hostname | empty

This parameter specifies additional hosts that need to be resolved for the wanboot-cgi program during the installation.

Set the value to the host names of systems that are not specified previously in the wanboot.conf file or in a client certificate.

  • If all the required hosts are listed in the wanboot.conf file or the client certificate, leave this value blank.

    resolve_hosts=
  • If specific hosts are not listed in the wanboot.conf file or the client certificate, set the value to these host names.

    resolve_hosts=seahag,matters

boot_logger=bootlog-cgi-path | empty

This parameter specifies the URL to the bootlog-cgi script on the logging server.

  • To record boot or installation log messages on a dedicated logging server, set the value to the URL of the bootlog-cgi script on the logging server.

    boot_logger=http://www.example.com/cgi-bin/bootlog-cgi
  • To display boot and installation messages on the client console, leave this value blank.

    boot_logger=

system_conf=system.conf | custom-system-conf

This parameter specifies the path to the system configuration file that includes the location of sysidcfg and custom JumpStart files.

Set the value to the path of the system configuration file on the web server; that file in turn points to the sysidcfg and custom JumpStart files.

system_conf=sys.conf
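As an added example that is not part of this reference and is not Sun's bootconfchk, the following Python script parses a wanboot.conf file in the parameter=value format described above and checks the cross-parameter rules the preceding parameter descriptions state (signature_type, encryption_type, server_authentication, client_authentication and the root_server URL scheme). The wanboot.conf embedded in it is a constructed sample.

```python
# Added example (not the page's or Sun's code): check a wanboot.conf against the rules above.
SAMPLE_CONF = """\
# constructed sample for a server- and client-authenticated installation
boot_file=/wanboot/wanboot.s10_sparc
root_server=https://www.example.com/cgi-bin/wanboot-cgi
root_file=/miniroot/miniroot.s10_sparc
signature_type=sha1
encryption_type=aes
server_authentication=yes
client_authentication=yes
resolve_hosts=
boot_logger=
system_conf=sys.conf
"""
REQUIRED = ("boot_file", "root_server", "root_file", "signature_type",
            "encryption_type", "server_authentication", "client_authentication",
            "resolve_hosts", "boot_logger", "system_conf")

def parse_wanboot_conf(text):
    """One parameter=value entry per line; text after '#' is a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError("not a parameter=value entry: %r" % raw)
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def check_wanboot_conf(params):
    """Return the list of rule violations; an empty list means the file is consistent."""
    problems = ["missing parameter: " + k for k in REQUIRED if k not in params]
    sig, enc = params.get("signature_type", ""), params.get("encryption_type", "")
    srv, cli = params.get("server_authentication", ""), params.get("client_authentication", "")
    if sig not in ("", "sha1"):
        problems.append("signature_type must be sha1 or empty")
    if enc not in ("", "3des", "aes"):
        problems.append("encryption_type must be 3des, aes or empty")
    if enc and sig != "sha1":  # an encryption key is always paired with the HMAC SHA1 key
        problems.append("encryption_type requires signature_type=sha1")
    if srv == "yes" or cli == "yes":  # authenticated installs need both keys and HTTPS
        if sig != "sha1" or enc not in ("3des", "aes"):
            problems.append("authentication requires signature_type=sha1 and encryption_type")
        if not params.get("root_server", "").startswith("https://"):
            problems.append("authentication requires an HTTPS root_server URL")
    if cli == "yes" and srv != "yes":  # client auth is defined only together with server auth
        problems.append("client_authentication=yes requires server_authentication=yes")
    return problems
```

Run check_wanboot_conf(parse_wanboot_conf(open(path).read())) on a real file; an empty list means every rule in this reference holds, otherwise each entry names the violated rule.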