Chapter 12 Installing With WAN Boot (Tasks)

This chapter describes the following tasks that are necessary to prepare your network for a WAN boot installation.

• Installing Over a Wide Area Network (Task Maps)

• Configuring the WAN Boot Server

• Creating the Custom JumpStart Installation Files

• Creating the Configuration Files

• (Optional) Providing Configuration Information With a DHCP Server

• (Optional) To Configure the WAN Boot Logging Server

Installing Over a Wide Area Network (Task Maps)

The following tables list the tasks you need to perform to prepare for a WAN boot installation.

• For a list of the tasks you need to perform to prepare for a secure WAN boot installation, see Table 12–1.

  For a description of a secure WAN boot installation over HTTPS, see Secure WAN Boot Installation Configuration.

• For a list of the tasks you need to perform to prepare for an insecure WAN boot installation, see Table 12–2.

  For a description of an insecure WAN boot installation, see Insecure WAN Boot Installation Configuration.

To use a DHCP server or a logging server, complete the optional tasks that are listed at the bottom of each table.

Configuring the WAN Boot Server

The WAN boot server is a web server that provides the boot and configuration data during a WAN boot installation. For a list of the system requirements for the WAN boot server, see Table 11–1.

This section describes the following tasks required to configure the WAN boot server for a WAN boot installation.

• Creating the Document Root Directory

• Creating the WAN Boot Miniroot

• Installing the wanboot Program on the WAN Boot Server

• Creating the /etc/netboot Hierarchy on the WAN Boot Server

• Copying the WAN Boot CGI Program to the WAN Boot Server

• (Optional) Protecting Data by Using HTTPS

Creating the Document Root Directory

To serve the configuration and installation files, you must make these files accessible to the web server software on the WAN boot server. One method to make these files accessible is to store them in the WAN boot server's document root directory.

If you want to use a document root directory to serve the configuration and installation files, you must create this directory. See your web server documentation for information about how to create the document root directory. For detailed information about how to design your document root directory, see Storing Installation and Configuration Files in the Document Root Directory.

For an example of how to set up this directory, see Create the Document Root Directory.

After you create the document root directory, create the WAN boot miniroot. For instructions, see Creating the WAN Boot Miniroot.

Creating the WAN Boot Miniroot

WAN boot uses a special Solaris miniroot that has been modified to perform a WAN boot installation. The WAN boot miniroot contains a subset of the software in the Solaris miniroot. To perform a WAN boot installation, you must copy the miniroot from the Solaris DVD or the Solaris Software - 1 CD to the WAN boot server. Use the -w option to the setup_install_server command to copy the WAN boot miniroot from the Solaris software media to your system's hard disk.

SPARC: To Create a WAN Boot Miniroot

This procedure creates a SPARC WAN boot miniroot with SPARC media. If you want to serve a SPARC WAN boot miniroot from an x86–based server, you must create the miniroot on a SPARC machine. After you create the miniroot, copy the miniroot to the document root directory on the x86–based server.

Before You Begin

This procedure assumes that the WAN boot server is running the Volume Manager. If you are not using the Volume Manager, see System Administration Guide: Devices and File Systems.

1. Become superuser or assume an equivalent role on the WAN boot server.

   The system must meet the following requirements.

   • Include a CD-ROM or DVD-ROM drive

   • Be part of the site's network and naming service

     If you use a naming service, the system must already be in a naming service, such as NIS, NIS+, DNS, or LDAP. If you do not use a naming service, you must distribute information about this system by following your site's policies.

2. Insert the Solaris Software - 1 CD or the Solaris DVD in the install server's drive.

3. Create a directory for the WAN boot miniroot and Solaris installation image.

   # mkdir -p wan-dir-path install-dir-path

   -p

   Instructs the mkdir command to create all the necessary parent directories for the directory you want to create.

   wan-dir-path

   Specifies the directory where the WAN boot miniroot is to be created on the install server. This directory needs to accommodate miniroots that are typically 250 Mbytes in size.

   install-dir-path

   Specifies the directory on the install server where the Solaris software image is to be copied. This directory can be removed later in this procedure.

4. Change to the Tools directory on the mounted disc.

   # cd /cdrom/cdrom0/Solaris_10/Tools

   In the previous example, cdrom0 is the path to the drive that contains the Solaris OS media.

5. Copy the WAN boot miniroot and the Solaris software image to the WAN boot server's hard disk.

   # ./setup_install_server -w wan-dir-path install-dir-path

   wan-dir-path

   Specifies the directory where the WAN boot miniroot is to be copied

   install-dir-path

   Specifies the directory where the Solaris software image is to be copied

   ---

   Note –

   The setup_install_server command indicates whether you have enough disk space available for the Solaris Software disc images. To determine available disk space, use the df -kl command.

   ---

   The setup_install_server -w command creates the WAN boot miniroot and a network installation image of the Solaris software.

6. (Optional) Remove the network installation image.

   You do not need the Solaris software image to perform a WAN installation with a Solaris Flash archive. You can free up disk space if you do not plan to use the network installation image for other network installations. Type the following command to remove the network installation image.

   # rm -rf install-dir-path

7. Make the WAN boot miniroot available to the WAN boot server in one of the following ways.

   • Create a symbolic link to the WAN boot miniroot in the document root directory of the WAN boot server.

     # cd /document-root-directory/miniroot # ln -s /wan-dir-path/miniroot .

     document-root-directory/miniroot

     Specifies the directory in the WAN boot server's document root directory where you want to link to the WAN boot miniroot

     /wan-dir-path/miniroot

     Specifies the path to the WAN boot miniroot

   • Move the WAN boot miniroot to the document root directory on the WAN boot server.

     # mv /wan-dir-path/miniroot /document-root-directory/miniroot/miniroot-name

     wan-dir-path/miniroot

     Specifies the path to the WAN boot miniroot.

     /document-root-directory/miniroot/

     Specifies the path to the WAN boot miniroot directory in the WAN boot server's document root directory.

     miniroot-name

     Specifies the name of the WAN boot miniroot. Name the file descriptively, for example miniroot.s10_sparc.

Example 12–1 Creating the WAN Boot Miniroot

Use the setup_install_server(1M) with the -w option to copy the WAN boot miniroot and the Solaris software image to the /export/install/Solaris_10 directory of wanserver-1.

Insert the Solaris Software media in the media drive that is attached to wanserver-1. Type the following commands.

wanserver-1# mkdir -p /export/install/cdrom0
wanserver-1# cd /cdrom/cdrom0/Solaris_10/Tools
wanserver-1# ./setup_install_server -w /export/install/cdrom0/miniroot \
/export/install/cdrom0

Move the WAN boot miniroot to the document root directory (/opt/apache/htdocs/) of the WAN boot server. In this example the name the WAN boot miniroot is set to miniroot.s10_sparc.

wanserver-1# mv /export/install/cdrom0/miniroot/miniroot \
/opt/apache/htdocs/miniroot/miniroot.s10_sparc

Continuing the WAN Boot Installation

After you create the WAN boot miniroot, verify that the client OpenBoot PROM (OBP) supports WAN boot. For instructions, see Verifying WAN Boot Support on the Client.

See Also

For additional information about the setup_install_server command, see install_scripts(1M).

Verifying WAN Boot Support on the Client

To perform an unattended WAN boot installation, the client system's OpenBoot PROM (OBP) must support WAN boot. If the client's OBP does not support WAN boot, you can perform a WAN boot installation by providing the necessary programs on a local CD.

You can determine if the client supports WAN boot by checking the client's OBP configuration variables. Perform the following procedure to check the client for WAN boot support.

To Check the Client OBP for WAN Boot Support

This procedure describes how to determine if the client OBP supports WAN boot.

1. Become superuser or assume an equivalent role.

   Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

2. Check the OBP configuration variables for WAN boot support.

   # eeprom | grep network-boot-arguments

   • If the variable network-boot-arguments is displayed, or if the previous command returns the output network-boot-arguments: data not available, the OBP supports WAN boot installations. You do not need to update the OBP before you perform your WAN boot installation.

   • If the previous command does not return any output, the OBP does not support WAN boot installations. You must perform one of the following tasks.

     • Update the client OBP. For those clients who do have an OBP that is capable of supporting WAN boot installations, see your system documentation for information about how to update the OBP.

       ---

       Note –

       Not all client OBPs support WAN Boot. For those clients use the next option.

       ---

     • After you complete the preparation tasks and are ready to install the client, perform the WAN boot installation from the Solaris Software CD1 or DVD. This option works in all cases when the current OBP does not provide WAN Boot support.

       For instructions about how to boot the client from CD1, see To Perform a WAN Boot Installation With Local CD Media. To continue preparing for the WAN boot installation, see Creating the /etc/netboot Hierarchy on the WAN Boot Server.

Example 12–2 Verifying OBP Support for WAN Boot on the Client

The following command shows how to check the client OBP for WAN boot support.

# eeprom | grep network-boot-arguments
network-boot-arguments: data not available

In this example, the output network-boot-arguments: data not available indicates that the client OBP supports WAN boot.

Continuing the WAN Boot Installation

After you verify that the client OBP supports WAN boot, you must copy the wanboot program to the WAN boot server. For instructions, see Installing the wanboot Program on the WAN Boot Server.

If the client OBP does not support WAN boot, you do not need to copy the wanboot program to the WAN boot server. You must provide the wanboot program to the client on a local CD. To continue the installation, see Creating the /etc/netboot Hierarchy on the WAN Boot Server.

See Also

For additional information about the setup_install_server command, see Chapter 4, Installing From the Network (Overview).

Installing the wanboot Program on the WAN Boot Server

WAN boot uses a special second-level boot program (wanboot) to install the client. The wanboot program loads the WAN boot miniroot, client configuration files, and installation files that are required to perform a WAN boot installation.

To perform a WAN boot installation, you must provide the wanboot program to the client during the installation. You can provide this program to the client in the following ways.

• If your client's PROM supports WAN boot, you can transmit the program from the WAN boot server to the client. You must install the wanboot program on the WAN boot server.

  To check if your client's PROM supports WAN boot, see To Check the Client OBP for WAN Boot Support.

• If your client's PROM does not support WAN boot, you must provide the program to the client on a local CD. If your client's PROM does not support WAN boot, go to Creating the /etc/netboot Hierarchy on the WAN Boot Server to continue preparing for your installation.

SPARC: To Install the wanboot Program on the WAN Boot Server

This procedure describes how to copy the wanboot program from Solaris media to the WAN boot server.

This procedure assumes that the WAN boot server is running the Volume Manager. If you are not using the Volume Manager, see System Administration Guide: Devices and File Systems.

Before You Begin

Verify that your client system supports WAN boot. See To Check the Client OBP for WAN Boot Support for more information.

1. Become superuser or assume an equivalent role on the install server.

2. Insert the Solaris Software - 1 CD or the Solaris DVD in the install server's drive.

3. Change to the sun4u platform directory on the Solaris Software - 1 CD or the Solaris DVD.

   # cd /cdrom/cdrom0/Solaris_10/Tools/Boot/platform/sun4u/

4. Copy the wanboot program to the install server.

   # cp wanboot /document-root-directory/wanboot/wanboot-name

   document-root-directory

   Specifies the document root directory of the WAN boot server.

   wanboot-name

   Specifies the name of the wanboot program. Name this file descriptively, for example, wanboot.s10_sparc.

5. Make the wanboot program available to the WAN boot server in one of the following ways.

   • Create a symbolic link to the wanboot program in the document root directory of the WAN boot server.

     # cd /document-root-directory/wanboot # ln -s /wan-dir-path/wanboot .

     document-root-directory/wanboot

     Specifies the directory in the WAN boot server's document root directory where you want to link to the wanboot program

     /wan-dir-path/wanboot

     Specifies the path to the wanboot program

   • Move the WAN boot miniroot to the document root directory on the WAN boot server.

     # mv /wan-dir-path/wanboot /document-root-directory/wanboot/wanboot-name

     wan-dir-path/wanboot

     Specifies the path to the wanboot program

     /document-root-directory/wanboot/

     Specifies the path to the wanboot program directory in the WAN boot server's document root directory.

     wanboot-name

     Specifies the name of the wanboot program. Name the file descriptively, for example wanboot.s10_sparc.

Example 12–3 Installing the wanboot Program on the WAN Boot Server

To install the wanboot program on the WAN boot server, copy the program from the Solaris Software media to the WAN boot server's document root directory.

Insert the Solaris DVD or the Solaris Software - 1 CD in the media drive that is attached to wanserver-1 and type the following commands.

wanserver-1# cd /cdrom/cdrom0/Solaris_10/Tools/Boot/platform/sun4u/
wanserver-1# cp wanboot /opt/apache/htdocs/wanboot/wanboot.s10_sparc

In this example, the name of the wanboot program is set to wanboot.s10_sparc.

Continuing the WAN Boot Installation

After you install the wanboot program on the WAN boot server, you must create the /etc/netboot hierarchy on the WAN boot server. For instructions, see Creating the /etc/netboot Hierarchy on the WAN Boot Server.

See Also

For overview information about the wanboot program, see What Is WAN Boot?.

Creating the /etc/netboot Hierarchy on the WAN Boot Server

During the installation, WAN boot refers to the contents of the /etc/netboot hierarchy on the web server for instructions about how to perform the installation. This directory contains the configuration information, private key, digital certificate, and certificate authority required for a WAN boot installation. During the installation, the wanboot-cgi program converts this information into the WAN boot file system. The wanboot-cgi program then transmits the WAN boot file system to the client.

You can create subdirectories within the /etc/netboot directory to customize the scope of the WAN installation. Use the following directory structures to define how configuration information is shared among the clients that you want to install.

• Global configuration – If you want all the clients on your network to share configuration information, store the files that you want to share in the /etc/netboot directory.

• Network-specific configuration – If you want only those machines on a specific subnet to share configuration information, store the configuration files that you want to share in a subdirectory of /etc/netboot. Have the subdirectory follow this naming convention.

  /etc/netboot/net-ip

  In this example, net-ip is the IP address of the client's subnet.

• Client-specific configuration – If you want only a specific client to use the boot file system, store the boot file system files in a subdirectory of /etc/netboot. Have the subdirectory follow this naming convention.

  /etc/netboot/net-ip/client-ID

  In this example, net-ip is the IP address of the subnet. client-ID is either the client ID that is assigned by the DHCP server, or a user-specified client ID.

For detailed planning information about these configurations, see Storing Configuration and Security Information in the /etc/netboot Hierarchy.

The following procedure describes how to create the /etc/netboot hierarchy.

To Create the /etc/netboot Hierarchy on the WAN Boot Server

Follow these steps to create the /etc/netboot hierarchy.

1. Become superuser or assume an equivalent role on the WAN boot server.

2. Create the /etc/netboot directory.

   # mkdir /etc/netboot

3. Change the permissions of the /etc/netboot directory to 700.

   # chmod 700 /etc/netboot

4. Change the owner of the /etc/netboot directory to the web server owner.

   # chown web-server-user:web-server-group /etc/netboot/

   web-server-user

   Specifies the user owner of the web server process

   web-server-group

   Specifies the group owner of the web server process

5. Exit the superuser role.

   # exit

6. Assume the user role of the web server owner.

7. Create the client subdirectory of the /etc/netboot directory.

   # mkdir -p /etc/netboot/net-ip/client-ID

   -p

   Instructs the mkdir command to create all the necessary parent directories for the directory you want to create.

   (Optional) net-ip

   Specifies the network IP address of the client's subnet.

   (Optional) client-ID

   Specifies the client ID. The client ID can be a user-defined value or the DHCP client ID. The client-ID directory must be a subdirectory of the net-ip directory.

8. For each directory in the /etc/netboot hierarchy, change the permissions to 700.

   # chmod 700 /etc/netboot/dir-name

   dir-name

   Specifies the name of a directory in the /etc/netboot hierarchy

Example 12–4 Creating the /etc/netboot Hierarchy on the WAN Boot Server

The following example shows how to create the /etc/netboot hierarchy for the client 010003BA152A42 on subnet 192.168.198.0. In this example, the user nobody and the group admin own the web server process.

The commands in this example perform the following tasks.

• Create the /etc/netboot directory.

• Change the permissions of the /etc/netboot directory to 700.

• Change the ownership of the /etc/netboot directory to the owner of the web server process.

• Assume the same user role as the web server user.

• Create a subdirectory of /etc/netboot that is named after the subnet (192.168.198.0).

• Create a subdirectory of the subnet directory that is named after the client ID.

• Change the permissions of the /etc/netboot subdirectories to 700.

# cd /
# mkdir /etc/netboot/
# chmod 700 /etc/netboot
# chown nobody:admin /etc/netboot
# exit
server# su nobody
Password:
nobody# mkdir -p /etc/netboot/192.168.198.0/010003BA152A42
nobody# chmod 700 /etc/netboot/192.168.198.0
nobody# chmod 700 /etc/netboot/192.168.198.0/010003BA152A42

Continuing the WAN Boot Installation

After you create the /etc/netboot hierarchy, you must copy the WAN Boot CGI program to the WAN boot server. For instructions, see Copying the WAN Boot CGI Program to the WAN Boot Server.

See Also

For detailed planning information about how to design the /etc/netboot hierarchy, see Storing Configuration and Security Information in the /etc/netboot Hierarchy.

Copying the WAN Boot CGI Program to the WAN Boot Server

The wanboot-cgi program creates the data streams that transmit the following files from the WAN boot server to the client.

• wanboot program

• WAN boot file system

• WAN boot miniroot

The wanboot-cgi program is installed on the system when you install the current Solaris release software. To enable the WAN boot server to use this program, copy this program to the cgi-bin directory of the WAN boot server.

To Copy the wanboot-cgi Program to the WAN Boot Server

1. Become superuser or assume an equivalent role on the WAN boot server.

2. Copy the wanboot-cgi program to the WAN boot server.

   # cp /usr/lib/inet/wanboot/wanboot-cgi /WAN-server-root/cgi-bin/wanboot-cgi

   /WAN-server-root

   Specifies the root directory of the web server software on the WAN boot server

3. On the WAN boot server, change the permissions of the CGI program to 755.

   # chmod 755 /WAN-server-root/cgi-bin/wanboot-cgi

Continuing the WAN Boot Installation

After you copy the WAN boot CGI program to the WAN boot server, you can optionally set up a logging server. For instructions, see (Optional) To Configure the WAN Boot Logging Server.

If you do not want to set up a separate logging server, see (Optional) Protecting Data by Using HTTPS for instructions about how to set up the security features of a WAN boot installation.

See Also

For overview information about the wanboot-cgi program, see What Is WAN Boot?.

(Optional) To Configure the WAN Boot Logging Server

By default, all WAN boot logging messages are displayed on the client system. This default behavior enables you to quickly debug any installation issues.

If you want to record boot and installation logging messages on a system other than the client, you must set up a logging server. If you want to use a logging server with HTTPS during the installation, you must configure the WAN boot server as the logging server.

To configure the logging server, follow these steps.

1. Copy the bootlog-cgi script to the logging server's CGI script directory.

   # cp /usr/lib/inet/wanboot/bootlog-cgi \ log-server-root/cgi-bin

   log-server-root/cgi-bin

   Specifies the cgi-bin directory in the logging server's web server directory

2. Change the permissions of the bootlog-cgi script to 755.

   # chmod 755 log-server-root/cgi-bin/bootlog-cgi

3. Set the value of the boot_logger parameter in the wanboot.conf file.

   In the wanboot.conf file, specify the URL of the bootlog-cgi script on the logging server.

   For more information about setting parameters in the wanboot.conf file, see To Create the wanboot.conf File.

   During the installation, boot and installation log messages are recorded in the /tmp directory of the logging server. The log file is named bootlog.hostname, where hostname is the host name of the client.

Example 12–5 Configuring a Logging Server for WAN Boot Installation Over HTTPS

The following example configures the WAN boot server as a logging server.

# cp /usr/lib/inet/wanboot/bootlog-cgi /opt/apache/cgi-bin/
# chmod 755 /opt/apache/cgi-bin/bootlog-cgi

Continuing the WAN Boot Installation

After you set up the logging server, you can optionally set up the WAN boot installation to use digital certificates and security keys. See (Optional) Protecting Data by Using HTTPS for instructions about how to set up the security features of a WAN boot installation.

(Optional) Protecting Data by Using HTTPS

To protect your data during the transfer from the WAN boot server to the client, you can use HTTP over Secure Sockets Layer (HTTPS). To use the more secure installation configuration that is described in Secure WAN Boot Installation Configuration, you must enable your web server to use HTTPS.

If you do not want to perform a secure WAN boot, skip the procedures in this section. To continue preparing for your less secure installation, see Creating the Custom JumpStart Installation Files.

To enable the web server software on the WAN boot server to use HTTPS, you must perform the following tasks.

• Activate Secure Sockets Layer (SSL) support in your web server software.

  The processes for enabling SSL support and client authentication vary by web server. This document does not describe how to enable these security features on your web server. For information about these features, see the following documentation.

  • For information about activating SSL on the SunONE and iPlanet web servers, see the SunONE and iPlanet documentation collections on http://docs.sun.com.

  • For information about activating SSL on the Apache web server, see the Apache Documentation Project at http://httpd.apache.org/docs-project/.

  • If you are using web server software that is not listed in the previous list, see your web server software documentation.

• Install digital certificates on the WAN boot server.

  For information about using digital certificates with WAN boot, see (Optional) To Use Digital Certificates for Server and Client Authentication.

• Provide a trusted certificate to the client.

  For instructions about how to create a trusted certificate, see (Optional) To Use Digital Certificates for Server and Client Authentication.

• Create a hashing key and an encryption key.

  For instructions about how to create keys, see (Optional) To Create a Hashing Key and an Encryption Key.

• (Optional) Configure the web server software to support client authentication.

  For information about how to configure your web server to support client authentication, see your web server documentation.

This section describes how to use digital certificates and keys in your WAN boot installation.

(Optional) To Use Digital Certificates for Server and Client Authentication

The WAN boot installation method can use PKCS#12 files to perform an installation over HTTPS with server or both client and server authentication. For requirements and guidelines about using PKCS#12 files, see Digital Certificate Requirements.

To use a PKCS#12 file in a WAN boot installation, you perform the following tasks.

• Split the PKCS#12 file into separate SSL private key and trusted certificate files.

• Insert the trusted certificate in the client's truststore file in the /etc/netboot hierarchy. The trusted certificate instructs the client to trust the server.

• (Optional) Insert the contents of the SSL private key file in the client's keystore file in the /etc/netboot hierarchy.

The wanbootutil command provides options to perform the tasks in the previous list.

If you do not want to perform a secure WAN boot, skip this procedure. To continue preparing for your less secure installation, see Creating the Custom JumpStart Installation Files.

Follow these steps to create a trusted certificate and a client private key.

Before You Begin

Before you split a PKCS#12 file, create the appropriate subdirectories of the /etc/netboot hierarchy on the WAN boot server.

• For overview information that describes the /etc/netboot hierarchy, see Storing Configuration and Security Information in the /etc/netboot Hierarchy.

• For instructions about how to create the /etc/netboot hierarchy, see Creating the /etc/netboot Hierarchy on the WAN Boot Server.

1. Assume the same user role as the web server user on the WAN boot server.

2. Extract the trusted certificate from the PKCS#12 file. Insert the certificate in the client's truststore file in the /etc/netboot hierarchy.

   # wanbootutil p12split -i p12cert \ -t /etc/netboot/net-ip/client-ID/truststore

   p12split

   Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.

   -i p12cert

   Specifies the name of the PKCS#12 file to split.

   -t /etc/netboot/net-ip/client-ID/truststore

   Inserts the certificate in the client's truststore file. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.

3. (Optional) Decide if you want to require client authentication.

   • If no, go to (Optional) To Create a Hashing Key and an Encryption Key.

   • If yes, continue with the following steps.

     1. Insert the client certificate in the client's certstore.

        # wanbootutil p12split -i p12cert -c \ /etc/netboot/net-ip/client-ID/certstore -k keyfile

        p12split

        Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.

        -i p12cert

        Specifies the name of the PKCS#12 file to split.

        -c /etc/netboot/net-ip/client-ID/certstore

        Inserts the client's certificate in the client's certstore. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.

        -k keyfile

        Specifies the name of the client's SSL private key file to create from the split PKCS#12 file.

     2. Insert the private key in the client's keystore.

        # wanbootutil keymgmt -i -k keyfile \ -s /etc/netboot/net-ip/client-ID/keystore -o type=rsa

        keymgmt -i

        Inserts an SSL private key in the client's keystore

        -k keyfile

        Specifies the name of the client's private key file that was created in the previous step

        -s /etc/netboot/net-ip/client-ID/keystore

        Specifies the path to the client's keystore

        -o type=rsa

        Specifies the key type as RSA

Example 12–6 Creating a Trusted Certificate for Server Authentication

In the following example, you use a PKCS#12 file to install client 010003BA152A42 on subnet 192.168.198.0. This command sample extracts a certificate from a PKCS#12 file that is named client.p12. The command then places the contents of the trusted certificate in the client's truststore file.

Before you execute these commands, you must first assume the same user role as the web server user. In this example, the web server user role is nobody.

server# su nobody
Password:
nobody# wanbootutil p12split -i client.p12 \
-t /etc/netboot/192.168.198.0/010003BA152A42/truststore
nobody# chmod 600 /etc/netboot/192.168.198.0/010003BA152A42/truststore

Continuing the WAN Boot Installation

After you create a digital certificate, create a hashing key and an encryption key. For instructions, see(Optional) To Create a Hashing Key and an Encryption Key.

See Also

For more information about how to create trusted certificates, see the man page wanbootutil(1M).

(Optional) To Create a Hashing Key and an Encryption Key

If you want to use HTTPS to transmit your data, you must create a HMAC SHA1 hashing key and an encryption key. If you plan to install over a semi-private network, you might not want to encrypt the installation data. You can use a HMAC SHA1 hashing key to check the integrity of the wanboot program.

By using the wanbootutil keygen command, you can generate these keys and store them in the appropriate /etc/netboot directory.

If you do not want to perform a secure WAN boot, skip this procedure. To continue preparing for your less secure installation, see Creating the Custom JumpStart Installation Files.

To create a hashing key and an encryption key, follow these steps.

1. Assume the same user role as the web server user on the WAN boot server.

2. Create the master HMAC SHA1 key.

   # wanbootutil keygen -m

   keygen -m

   Creates the master HMAC SHA1 key for the WAN boot server

3. Create the HMAC SHA1 hashing key for the client from the master key.

   # wanbootutil keygen -c -o [net=net-ip,{cid=client-ID,}]type=sha1

   -c

   Creates the client's hashing key from the master key.

   -o

   Indicates that additional options are included for the wanbootutil keygen command.

   (Optional) net=net-ip

   Specifies the IP address for the client's subnet. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.

   (Optional) cid=client-ID

   Specifies the client ID. The client ID can be a user-defined ID or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.

   type=sha1

   Instructs the wanbootutil keygen utility to create a HMAC SHA1 hashing key for the client.

4. Decide if you need to create an encryption key for the client.

   You need to create an encryption key to perform a WAN boot installation over HTTPS. Before the client establishes an HTTPS connection with the WAN boot server, the WAN boot server transmits encrypted data and information to the client. The encryption key enables the client to decrypt this information and use this information during the installation.

   • If you are performing a more secure WAN installation over HTTPS with server authentication, continue.

   • If you only want to check the integrity of the wanboot program, you do not need to create an encryption key. Go to Step 6.

5. Create an encryption key for the client.

   # wanbootutil keygen -c -o [net=net-ip,{cid=client-ID,}]type=key-type

   -c

   Creates the client's encryption key.

   -o

   Indicates that additional options are included for the wanbootutil keygen command.

   (Optional) net=net-ip

   Specifies the network IP address for the client. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.

   (Optional) cid=client-ID

   Specifies the client ID. The client ID can be a user-defined ID, or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.

   type=key-type

   Instructs the wanbootutil keygen utility to create an encryption key for the client. key-type can have a value of 3des or aes.

6. Install the keys on the client system.

   For instructions about how to install keys on the client, see Installing Keys on the Client.

Example 12–7 Creating Required Keys for WAN Boot Installation Over HTTPS

The following example creates a master HMAC SHA1 key for the WAN boot server. This example also creates a HMAC SHA1 hashing key and 3DES encryption key for client 010003BA152A42 on subnet 192.168.198.0.

Before you execute these commands, you must first assume the same user role as the web server user. In this example, the web server user role is nobody.

server# su nobody
Password:
nobody# wanbootutil keygen -m
nobody# wanbootutil keygen -c -o net=192.168.198.0,cid=010003BA152A42,type=sha1
nobody# wanbootutil keygen -c -o net=192.168.198.0,cid=010003BA152A42,type=3des

Continuing the WAN Boot Installation

After you create a hashing and an encryption key, you must create the installation files. For instructions, see Creating the Custom JumpStart Installation Files.

See Also

For overview information on hashing keys and encryption keys, see Protecting Data During a WAN Boot Installation.

For more information about how to create hashing and encryption keys, see the man page wanbootutil(1M).

Creating the Custom JumpStart Installation Files

WAN boot performs a custom JumpStart installation to install a Solaris Flash archive on the client. The custom JumpStart installation method is a command–line interface that enables you to automatically install several systems, based on profiles that you create. The profiles define specific software installation requirements. You can also incorporate shell scripts to include preinstallation and postinstallation tasks. You choose which profile and scripts to use for installation or upgrade. The custom JumpStart installation method installs or upgrades the system, based on the profile and scripts that you select. Also, you can use a sysidcfg file to specify configuration information so that the custom JumpStart installation is completely free of manual intervention.

To prepare the custom JumpStart files for a WAN boot installation, complete the following tasks.

• To Create the Solaris Flash Archive

• To Create the sysidcfg File

• To Create the rules File

• To Create the Profile

• (Optional) Creating Begin and Finish Scripts

For detailed information on the custom JumpStart installation method, see Chapter 2, Custom JumpStart (Overview), in Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations.

To Create the Solaris Flash Archive

The Solaris Flash installation feature enables you to use a single reference installation of the Solaris OS on a system, which is called the master system. You can then create a Solaris Flash archive, which is a replica image of the master system. You can install the Solaris Flash archive on other systems in the network, creating clone systems.

This section describes how to create a Solaris Flash archive.

Before You Begin

• Before you create a Solaris Flash archive, you must first install the master system.

  • For information about installing a master system, see Installing the Master System in Solaris 10 5/09 Installation Guide: Solaris Flash Archives (Creation and Installation).

  • For detailed information about Solaris Flash archives, see Chapter 1, Solaris Flash (Overview), in Solaris 10 5/09 Installation Guide: Solaris Flash Archives (Creation and Installation).

• File Size Issues:

  Check your web server software documentation to verify that the software can transmit files that are the size of a Solaris Flash archive.

  • Check your web server software documentation to verify that the software can transmit files that are the size of a Solaris Flash archive.

  • The flarcreate command no longer has size limitations on individual files. You can create a Solaris Flash archive that contains individual files over 4 Gbytes.

    For more information, see Creating an Archive That Contains Large Files in Solaris 10 5/09 Installation Guide: Solaris Flash Archives (Creation and Installation).

1. Boot the master system.

   Run the master system in as inactive a state as possible. When possible, run the system in single-user mode. If that is not possible, shut down any applications that you want to archive and any applications that require extensive operating system resources.

2. To create the archive, use the flarcreate command.

   # flarcreate -n name [optional-parameters] document-root/flash/filename

   name

   The name that you give the archive. The name you specify is the value of the content_name keyword.

   optional-parameters

   You can use several options to the flarcreate command to customize your Solaris Flash archive. For detailed descriptions of these options, see Chapter 5, Solaris Flash (Reference), in Solaris 10 5/09 Installation Guide: Solaris Flash Archives (Creation and Installation).

   document-root/flash

   The path to the Solaris Flash subdirectory of the install server's document root directory.

   filename

   The name of the archive file.

   To conserve disk space, you might want to use the -c option to the flarcreate command to compress the archive. However, a compressed archive can affect the performance of your WAN boot installation. For more information about creating a compressed archive, see the man page flarcreate(1M).

   • If the archive creation is successful, the flarcreate command returns an exit code of 0.

   • If the archive creation fails, the flarcreate command returns a nonzero exit code.

Example 12–8 Creating a Solaris Flash Archive for a WAN Boot Installation

In this example, you create your Solaris Flash archive by cloning the WAN boot server system with the host name wanserver. The archive is named sol_10_sparc, and is copied exactly from the master system. The archive is an exact duplicate of the master system. The archive is stored in sol_10_sparc.flar. You save the archive in the flash/archives subdirectory of the document root directory on the WAN boot server.

wanserver# flarcreate -n sol_10_sparc \
/opt/apache/htdocs/flash/archives/sol_10_sparc.flar

Continuing the WAN Boot Installation

After you create the Solaris Flash archive, preconfigure the client information in the sysidcfg file. For instructions, see To Create the sysidcfg File.

See Also

For detailed instructions about how to create a Solaris Flash archive, see Chapter 3, Creating Solaris Flash Archives (Tasks), in Solaris 10 5/09 Installation Guide: Solaris Flash Archives (Creation and Installation).

For more information about the flarcreate command, see the man page flarcreate(1M).

To Create the sysidcfg File

You can specify a set of keywords in the sysidcfg file to preconfigure a system.

To create the sysidcfg file, follow these steps.

Before You Begin

Create the Solaris Flash archive. See To Create the Solaris Flash Archive for detailed instructions.

1. Create a file called sysidcfg in a text editor on the install server.

2. Type the sysidcfg keywords you want.

   For detailed information about sysidcfg keywords, see sysidcfg File Keywords.

3. Save the sysidcfg file in a location that is accessible to the WAN boot server.

   Save the file to one of the following locations.

   • If the WAN boot server and install server are hosted on the same machine, save this file to the flash subdirectory of the document root directory on the WAN boot server.

   • If the WAN boot server and install server are not on the same machine, save this file to the flash subdirectory of the document root directory of the install server.

Example 12–9 sysidcfg File for WAN Boot Installation

The following is an example of a sysidcfg file for a SPARC based system. The host name, IP address, and netmask of this system have been preconfigured by editing the naming service.

network_interface=primary {hostname=wanclient
                           default_route=192.168.198.1
                           ip_address=192.168.198.210
                           netmask=255.255.255.0
                           protocol_ipv6=no}
timezone=US/Central
system_locale=C
terminal=xterm
timeserver=localhost
name_service=NIS {name_server=matter(192.168.255.255)
                  domain_name=mind.over.example.com
                  }
security_policy=none

Continuing the WAN Boot Installation

After you create the sysidcfg file, create a custom JumpStart profile for the client. For instructions, see To Create the Profile.

See Also

For more detailed information about sysidcfg keywords and values, see Preconfiguring With the sysidcfg File.

To Create the Profile

A profile is a text file that instructs the custom JumpStart program how to install the Solaris software on a system. A profile defines elements of the installation, for example, the software group to install.

For detailed information about how to create profiles, see Creating a Profile in Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations.

To create the profile, follow these steps.

Before You Begin

Create the sysidcfg file for the client. See To Create the sysidcfg File for detailed instructions.

1. Create a text file on the install server. Name the file descriptively.

   Ensure that the name of the profile reflects how you intend to use the profile to install the Solaris software on a system. For example, you might name the profiles basic_install, eng_profile, or user_profile.

2. Add profile keywords and values to the profile.

   For a list of profile keywords and values, see Profile Keywords and Values in Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations.

   Profile keywords and their values are case sensitive.

3. Save the profile in a location that is accessible to the WAN boot server.

   Save the profile in one of the following locations.

   • If the WAN boot server and install server are hosted on the same machine, save this file to the flash subdirectory of the document root directory on the WAN boot server.

   • If the WAN boot server and install server are not on the same machine, save this file to the flash subdirectory of the document root directory of the install server.

4. Ensure that root owns the profile and that the permissions are set to 644.

5. (Optional) Test the profile.

   Testing a Profile in Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations contains information about testing profiles.

Example 12–10 Retrieving a Solaris Flash Archive From a Secure HTTP Server

In the following example, the profile indicates that the custom JumpStart program retrieves the Solaris Flash archive from a secure HTTP server.

# profile keywords         profile values
# ----------------         -------------------
install_type               flash_install
archive_location           https://192.168.198.2/sol_10_sparc.flar
partitioning               explicit
filesys                    c0t1d0s0 4000 /
filesys                    c0t1d0s1 512 swap
filesys                    c0t1d0s7 free /export/home

The following list describes some of the keywords and values from this example.

install_type

The profile installs a Solaris Flash archive on the clone system. All files are overwritten as in an initial installation.

archive_location

The compressed Solaris Flash archive is retrieved from a secure HTTP server.

partitioning

The file system slices are determined by the filesys keywords, value explicit. The size of root (/) is based on the size of the Solaris Flash archive. The size of swap is set to the necessary size and is installed on c0t1d0s1. /export/home is based on the remaining disk space. /export/home is installed on c0t1d0s7.

Continuing the WAN Boot Installation

After you create a profile, you must create and validate the rules file. For instructions, see To Create the rules File.

See Also

For more information about how to create a profile, see Creating a Profile in Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations.

For more detailed information about profile keywords and values, see Profile Keywords and Values in Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations.

To Create the rules File

The rules file is a text file that contains a rule for each group of systems on which you want to install the Solaris OS. Each rule distinguishes a group of systems that are based on one or more system attributes. Each rule also links each group to a profile. A profile is a text file that defines how the Solaris software is to be installed on each system in the group. For example, the following rule specifies that the JumpStart program use the information in the basic_prof profile to install any system with the sun4u platform group.

karch sun4u - basic_prof -

The rules file is used to create the rules.ok file, which is required for custom JumpStart installations.

For detailed information about how to create a rules file, see Creating the rules File in Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations.

To create the rules file, follow these steps.

Before You Begin

Create the profile for the client. See To Create the Profile for detailed instructions.

1. On the install server, create a text file that is named rules.

2. Add a rule in the rules file for each group of systems you want to install.

   For detailed information about how to create a rules file, see Creating the rules File in Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations.

3. Save the rules file on the install server.

4. Validate the rules file.

   $ ./check -p path -r file-name

   -p path

   Validates the rules by using the check script from the current Solaris release software image instead of the check script from the system you are using. path is the image on a local disk or a mounted Solaris DVD or a Solaris Software - 1 CD.

   Use this option to run the most recent version of check if your system is running a previous version of the Solaris OS.

   -r file_name

   Specifies a rules file other than the file that is named rules. By using this option, you can test the validity of a rule before you integrate the rule into the rules file.

   As the check script runs, the script reports the checking of the validity of the rules file and each profile. If no errors are encountered, the script reports: The custom JumpStart configuration is ok. The check script creates the rules.ok file.

5. Save the rules.ok file in a location that is accessible to the WAN boot server.

   Save the file to one of the following locations.

   • If the WAN boot server and install server are hosted on the same machine, save this file to the flash subdirectory of the document root directory on the WAN boot server.

   • If the WAN boot server and install server are not on the same machine, save this file to the flash subdirectory of the document root directory of the install server.

6. Ensure that root owns the rules.ok file and that the permissions are set to 644.

Example 12–11 Creating and Validating the rules File

The custom JumpStart programs use the rules file to select the correct installation profile for the wanclient-1 system. Create a text file that is named rules. Then, add keywords and values to this file.

The IP address of the client system is 192.168.198.210, and the netmask is 255.255.255.0. Use the network rule keyword to specify the profile that the custom JumpStart programs should use to install the client.

network 192.168.198.0 - wanclient_prof - 

This rules file instructs the custom JumpStart programs to use the wanclient_prof to install the current Solaris release software on the client.

Name this rule file wanclient_rule.

After you create the profile and the rules file, you run the check script to verify that the files are valid.

wanserver# ./check -r wanclient_rule

If the check script does not find any errors, the script creates the rules.ok file.

Save the rules.ok file in the /opt/apache/htdocs/flash/ directory.

Continuing the WAN Boot Installation

After you create the rules.ok file, you can optionally set up begin and finish scripts for your installation. For instructions, see (Optional) Creating Begin and Finish Scripts.

If you do not want to set up begin and finish scripts, see Creating the Configuration Files to continue the WAN boot installation.

See Also

For more information about how to create a rules file, see Creating the rules File in Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations.

For more detailed information about rules file keywords and values, see Rule Keywords and Values in Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations.

(Optional) Creating Begin and Finish Scripts

Begin and finish scripts are user-defined Bourne shell scripts that you specify in the rules file. A begin script performs tasks before the Solaris software is installed on a system. A finish script performs tasks after the Solaris software is installed on a system, but before the system reboots. You can use these scripts only when using custom JumpStart to install Solaris.

You can use begin scripts to create derived profiles. Finish scripts enable you to perform various postinstallation tasks, such as adding files, packages, patches, or additional software.

You must store the begin and finish scripts in the same directory as the sysidcfg, rules.ok, and profile files on the install server.

• For more information about creating begin scripts, see Creating Begin Scripts in Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations.

• For more information about creating finish scripts, see Creating Finish Scripts in Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations.

To continue preparing for your WAN boot installation, see Creating the Configuration Files.

Creating the Configuration Files

WAN boot uses the following files to specify the location of the data and files that are required for a WAN boot installation.

• System configuration file (system.conf)

• wanboot.conf file

This section describes how to create and store these two files.

To Create the System Configuration File

In the system configuration file, you can direct the WAN boot installation programs to the following files.

• sysidcfg file

• rules.ok file

• Custom JumpStart profile

WAN boot follows the pointers in the system configuration file to install and configure the client.

The system configuration file is a plain text file, and must be formatted in the following pattern.

setting=value

To use a system configuration file to direct the WAN installation programs to the sysidcfg, rules.ok, and profile files, follow these steps.

Before You Begin

Before you create the system configuration file, you must create the installation files for you WAN boot installation. See Creating the Custom JumpStart Installation Files for detailed instructions.

1. Assume the same user role as the web server user on the WAN boot server.

2. Create a text file. Name the file descriptively, for example, sys-conf.s10–sparc.

3. Add the following entries to the system configuration file.

   SsysidCF=sysidcfg-file-URL

   This setting points to the flash directory on the install server that contains the sysidcfg file. Make sure that this URL matches the path to the sysidcfg file that you created in To Create the sysidcfg File.

   For WAN installations that use HTTPS, set the value to a valid HTTPS URL.

   SjumpsCF=jumpstart-files-URL

   This setting points to the Solaris Flash directory on the install server that contains the rules.ok file, profile file, and begin and finish scripts. Make sure that this URL matches the path to the custom JumpStart files that you created in To Create the Profile and To Create the rules File.

   For WAN installations that use HTTPS, set the value to a valid HTTPS URL.

4. Save the file to a directory that is accessible to the WAN boot server.

   For administration purposes, you might want to save the file to the appropriate client directory in the /etc/netboot directory on the WAN boot server.

5. Change the permissions on the system configuration file to 600.

   # chmod 600 /path/system-conf-file

   path

   Specifies the path to the directory that contains the system configuration file.

   system-conf-file

   Specifies the name of the system configuration file.

Example 12–12 System Configuration File for WAN Boot Installation Over HTTPS

In the following example, the WAN boot programs check for the sysidcfg and custom JumpStart files on the web server https://www.example.com on port 1234. The web server uses secure HTTP to encrypt data and files during the installation.

The sysidcfg and custom JumpStart files are located in the flash subdirectory of the document root directory /opt/apache/htdocs.

SsysidCF=https://www.example.com:1234/flash
SjumpsCF=https://www.example.com:1234/flash

Example 12–13 System Configuration File for Insecure WAN Boot Installation

In the following example, the WAN boot programs check for the sysidcfg and custom JumpStart files on the web server http://www.example.com. The web server uses HTTP, so the data and files are not protected during the installation.

The sysidcfg and custom JumpStart files are located in the flash subdirectory of the document root directory /opt/apache/htdocs.

SsysidCF=http://www.example.com/flash
SjumpsCF=http://www.example.com/flash

Continuing the WAN Boot Installation

After you create the system configuration file, create the wanboot.conf file. For instructions, see To Create the wanboot.conf File.

To Create the wanboot.conf File

The wanboot.conf file is a plain text configuration file that the WAN boot programs use to perform a WAN installation. The wanboot-cgi program, the boot file system, and the WAN boot miniroot all use the information included in the wanboot.conf file to install the client machine.

Save the wanboot.conf file in the appropriate client subdirectory in the /etc/netboot hierarchy on the WAN boot server. For information about how to define the scope of your WAN boot installation with the /etc/netboot hierarchy, see Creating the /etc/netboot Hierarchy on the WAN Boot Server.

If the WAN boot server is running the current Solaris release, a sample wanboot.conf file is located in /etc/netboot/wanboot.conf.sample. You can use this sample as a template for your WAN boot installation.

You must include the following information in the wanboot.conf file.

You specify this information by listing parameters with associated values in the following format.

parameter=value

For detailed information about wanboot.conf file parameters and syntax, see wanboot.conf File Parameters and Syntax.

To create the wanboot.conf file, follow these steps.

1. Assume the same user role as the web server user on the WAN boot server.

2. Create the wanboot.conf text file.

   You can create a new text file that is named wanboot.conf, or use the sample file that is located in /etc/netboot/wanboot.conf.sample. If you use the sample file, rename the file wanboot.conf after you add parameters.

3. Type the wanboot.conf parameters and values for your installation.

   For detailed descriptions of wanboot.conf parameters and values, see wanboot.conf File Parameters and Syntax.

4. Save the wanboot.conf file to the appropriate subdirectory of the /etc/netboot hierarchy.

   For information about how to create the /etc/netboot hierarchy, see Creating the /etc/netboot Hierarchy on the WAN Boot Server.

5. Validate the wanboot.conf file.

   # bootconfchk /etc/netboot/path-to-wanboot.conf/wanboot.conf

   path-to-wanboot.conf

   Specifies the path to the client's wanboot.conf file on the WAN boot server

   • If the wanboot.conf file is structurally valid, the bootconfchk command returns an exit code of 0.

   • If the wanboot.conf file is invalid, the bootconfchk command returns a nonzero exit code.

6. Change the permissions on the wanboot.conf file to 600.

   # chmod 600 /etc/netboot/path-to-wanboot.conf/wanboot.conf

Example 12–14 wanboot.conf File for WAN Boot Installation Over HTTPS

The following wanboot.conf file example includes configuration information for a WAN installation that uses secure HTTP. The wanboot.conf file also indicates that a 3DES encryption key is used in this installation.

boot_file=/wanboot/wanboot.s10_sparc
root_server=https://www.example.com:1234/cgi-bin/wanboot-cgi
root_file=/miniroot/miniroot.s10_sparc
signature_type=sha1
encryption_type=3des
server_authentication=yes
client_authentication=no
resolve_hosts=
boot_logger=https://www.example.com:1234/cgi-bin/bootlog-cgi
system_conf=sys-conf.s10–sparc

This wanboot.conf file specifies the following configuration.

boot_file=/wanboot/wanboot.s10_sparc

The second level boot program is named wanboot.s10_sparc. This program is located in the /wanboot directory in the WAN boot server's document root directory.

root_server=https://www.example.com:1234/cgi-bin/wanboot-cgi

The location of the wanboot-cgi program on the WAN boot server is https://www.example.com:1234/cgi-bin/wanboot-cgi. The https portion of the URL indicates that this WAN boot installation uses secure HTTP.

root_file=/miniroot/miniroot.s10_sparc

The WAN boot miniroot is named miniroot.s10_sparc. This miniroot is located in the /miniroot directory in the WAN boot server's document root directory.

signature_type=sha1

The wanboot.s10_sparc program and the WAN boot file system are signed with a HMAC SHA1 hashing key.

encryption_type=3des

The wanboot.s10_sparc program and the boot file system are encrypted with a 3DES key.

server_authentication=yes

The server is authenticated during the installation.

client_authentication=no

The client is not authenticated during the installation.

resolve_hosts=

No additional host names are needed to perform the WAN installation. All required files and information are located in the document root directory on the WAN boot server.

boot_logger=https://www.example.com:1234/cgi-bin/bootlog-cgi

(Optional) Booting and installation log messages are recorded on the WAN boot server by using secure HTTP.

For instructions on how to set up a logging server for your WAN boot installation, see (Optional) To Configure the WAN Boot Logging Server.

system_conf=sys-conf.s10–sparc

The system configuration file that contains the locations of the sysidcfg and JumpStart files is located in a subdirectory of the /etc/netboot hierarchy. The system configuration file is named sys-conf.s10–sparc.

Example 12–15 wanboot.conf File for Insecure WAN Boot Installation

The following wanboot.conf file example includes configuration information for a less secure WAN boot installation that uses HTTP. This wanboot.conf file also indicates that the installation does not use an encryption key or a hashing key.

boot_file=/wanboot/wanboot.s10_sparc
root_server=http://www.example.com/cgi-bin/wanboot-cgi
root_file=/miniroot/miniroot.s10_sparc
signature_type=
encryption_type=
server_authentication=no
client_authentication=no
resolve_hosts=
boot_logger=http://www.example.com/cgi-bin/bootlog-cgi
system_conf=sys-conf.s10–sparc

This wanboot.conf file specifies the following configuration.

boot_file=/wanboot/wanboot.s10_sparc

The second level boot program is named wanboot.s10_sparc. This program is located in the /wanboot directory in the WAN boot server's document root directory.

root_server=http://www.example.com/cgi-bin/wanboot-cgi

The location of the wanboot-cgi program on the WAN boot server is http://www.example.com/cgi-bin/wanboot-cgi. This installation does not use secure HTTP.

root_file=/miniroot/miniroot.s10_sparc

The WAN boot miniroot is named miniroot.s10_sparc. This miniroot is located in the /miniroot subdirectory in the WAN boot server's document root directory.

signature_type=

The wanboot.s10_sparc program and the WAN boot file system are not signed with a hashing key.

encryption_type=

The wanboot.s10_sparc program and the boot file system are not encrypted.

server_authentication=no

The server is not authenticated with keys or certificates during the installation.

client_authentication=no

The client is not authenticated with keys or certificates during the installation.

resolve_hosts=

No additional host names are needed to perform the installation. All required files and information are located in the document root directory on the WAN boot server.

boot_logger=http://www.example.com/cgi-bin/bootlog-cgi

(Optional) Booting and installation log messages are recorded on the WAN boot server.

For instructions on how to set up a logging server for your WAN boot installation, see (Optional) To Configure the WAN Boot Logging Server.

system_conf=sys-conf.s10–sparc

The system configuration file that contains the locations of the sysidcfg and JumpStart files is named sys-conf.s10–sparc. This file is located in the appropriate client subdirectory of the /etc/netboot hierarchy.

Continuing the WAN Boot Installation

After you create the wanboot.conf file, you can optionally configure a DHCP server to support WAN boot. For instructions, see (Optional) Providing Configuration Information With a DHCP Server.

If you do not want to use a DHCP server in your WAN boot installation, see To Check the net Device Alias in the Client OBP to continue the WAN boot installation.

See Also

For detailed descriptions of wanboot.conf parameters and values, see wanboot.conf File Parameters and Syntax and the man page wanboot.conf(4).

(Optional) Providing Configuration Information With a DHCP Server

If you use a DHCP server on your network, you can configure the DHCP server to supply the following information.

• Proxy server's IP address

• Location of the wanboot-cgi program

You can use the following DHCP vendor options in your WAN boot installation.

SHTTPproxy

Specifies the IP address of the network's proxy server

SbootURI

Specifies the URL of the wanboot-cgi program on the WAN boot server

For information about setting these vendor options on a Solaris DHCP server, see Preconfiguring System Configuration Information With the DHCP Service (Tasks).

For detailed information about setting up a Solaris DHCP server, see Chapter 14, Configuring the DHCP Service (Tasks), in System Administration Guide: IP Services.

To continue with your WAN boot installation, see Chapter 13, SPARC: Installing With WAN Boot (Tasks).