Solaris 9 12/03 Installation Guide

Chapter 40 Preparing to Install With WAN Boot (Tasks)

This chapter describes the following tasks that are necessary to prepare your network for a WAN boot installation.

Task Map: Preparing to Install Over a Wide Area Network

The following table lists the tasks you need to perform to prepare for a WAN boot installation. Review the task description to determine if the task is required for your WAN boot installation configuration.

To use a DHCP server or a logging server, complete the optional tasks that are listed at the bottom of the table.

Table 40–1 Task Map: Preparing to Perform a WAN Boot Installation

Task: Decide what security features you want to use in your installation.
Description: Review the security features and configurations to decide what level of security you want to use in your WAN boot installation.
For Instructions: Protecting Data During a WAN Boot Installation; Security Configurations Supported by WAN Boot (Overview)

Task: Collect WAN boot installation information.
Description: Complete the worksheet to record all the information you need to perform a WAN boot installation.
For Instructions: Gathering Information for WAN Boot Installations

Task: Create the document root directory on the WAN boot server.
Description: Create the document root directory and any subdirectories to serve the configuration and installation files. This task is required for both secure and insecure installation configurations.
For Instructions: Creating the Document Root Directory

Task: Create the WAN boot miniroot.
Description: Use the setup_install_server command to create the WAN boot miniroot. This task is required for both secure and insecure installation configurations.
For Instructions: SPARC: To Create a WAN Boot Miniroot

Task: Install the wanboot program on the WAN boot server.
Description: Copy the wanboot program to the document root directory of the WAN boot server. This task is required for both secure and insecure installation configurations.
For Instructions: Installing the wanboot Program on the WAN Boot Server

Task: Install the wanboot-cgi program on the WAN boot server.
Description: Copy the wanboot-cgi program to the WAN boot server's CGI directory. This task is required for both secure and insecure installation configurations.
For Instructions: To Copy the wanboot-cgi Program to the WAN Boot Server

Task: Set up the /etc/netboot hierarchy.
Description: Populate the /etc/netboot hierarchy with the configuration and security files that are required for a WAN boot installation. This task is required for both secure and insecure installation configurations.
For Instructions: Creating the /etc/netboot Hierarchy on the WAN Boot Server

Task: Configure the web server to use secure HTTP for a more secure WAN boot installation.
Description: Identify the web server requirements that are necessary to perform a WAN installation with HTTPS. This task is required for the secure installation configuration.
For Instructions: (Optional) Protecting Data by Using HTTPS

Task: Format digital certificates for a more secure WAN boot installation.
Description: Split a PKCS#12 file into a private key and a certificate to use with the WAN installation. This task is required for the secure installation configuration.
For Instructions: Creating a Trusted Certificate and Client Private Key

Task: Create a hashing key and an encryption key for a more secure WAN boot installation.
Description: Use the wanbootutil keygen command to create HMAC SHA1, 3DES, or AES keys. This task is required for the secure installation configuration. For insecure installations that check data integrity, complete this task to create an HMAC SHA1 hashing key.
For Instructions: To Create a Hashing Key and Encryption Key

Task: Create the Solaris Flash archive.
Description: Use the flar create command to create an archive of the software that you want to install on the client. This task is required for both secure and insecure installation configurations.
For Instructions: To Create a Solaris Flash Archive

Task: Create the installation files for the custom JumpStart installation.
Description: Use a text editor to create the sysidcfg file, the profile, the rules.ok file, and any begin and finish scripts. This task is required for both secure and insecure installation configurations.
For Instructions: Creating the sysidcfg File; Creating the Profile; Creating the rules File; (Optional) Creating Begin and Finish Scripts

Task: Create the system configuration file.
Description: Set the configuration information in the system.conf file. This task is required for both secure and insecure installation configurations.
For Instructions: To Create a System Configuration File

Task: Create the WAN boot configuration file.
Description: Set the configuration information in the wanboot.conf file. This task is required for both secure and insecure installation configurations.
For Instructions: To Create a wanboot.conf File

Task: (Optional) Configure the DHCP server to support a WAN boot installation.
Description: Set Sun vendor options and macros in the DHCP server.
For Instructions: Preconfiguring System Configuration Information With the DHCP Service (Tasks)

Task: (Optional) Set up the logging server.
Description: Configure a dedicated system for displaying boot and installation log messages.
For Instructions: (Optional) Configuring the WAN Boot Logging Server

Configuring the WAN Boot Server

The WAN boot server is a web server that provides the boot and configuration data during a WAN boot installation. For a list of the system requirements for the WAN boot server, see Table 39–1.

This section describes the following tasks required to configure the WAN boot server for a WAN boot installation.

Creating the Document Root Directory

To serve the configuration and installation files, you must make these files accessible to the web server software on the WAN boot server. One method to make these files accessible is to store them in the WAN boot server's document root directory.

If you want to use a document root directory to serve the configuration and installation files, you must create this directory. See your web server documentation for information about how to create the document root directory. For detailed information about how to design your document root directory, see Storing Installation and Configuration Files in the Document Root Directory.

Creating the WAN Boot Miniroot

WAN boot uses a special Solaris miniroot that has been modified to perform a WAN boot installation. The WAN boot miniroot contains a subset of the software in the Solaris miniroot. To perform a WAN boot installation, you must copy the miniroot from the Solaris DVD or the Solaris Software 1 of 2 CD to the WAN boot server. Use the -w option to the setup_install_server command to copy the WAN boot miniroot from the Solaris software media to your system's hard disk.

This procedure creates a SPARC WAN boot miniroot with SPARC media. If you want to serve a SPARC WAN boot miniroot from an x86–based server, you must create the miniroot on a SPARC machine. After you create the miniroot, copy the miniroot to the document root directory on the x86–based server.

For additional information about the setup_install_server command, see Chapter 12, Preparing to Install From the Network With CD Media (Tasks).

SPARC: To Create a WAN Boot Miniroot

This procedure assumes that the WAN boot server is running the Volume Manager. If you are not using the Volume Manager, see System Administration Guide: Basic Administration for information about managing removable media without the Volume Manager.

  1. Become superuser on the WAN boot server.

    The system must meet the following requirements.

    • Include a CD-ROM or DVD-ROM drive

    • Be part of the site's network and name service.

      If you use a name service, the system must already be in a name service, such as NIS, NIS+, DNS, or LDAP. If you do not use a name service, you must distribute information about this system by following your site's policies.

  2. Insert the Solaris Software 1 of 2 CD or the Solaris DVD in the install server's drive.

  3. Create a directory for the WAN boot miniroot and Solaris installation image.


    # mkdir -p wan-dir-path install-dir-path
    
    -p

    Instructs the mkdir command to create all the necessary parent directories for the directory you want to create.

    wan-dir-path

    Specifies the directory where the WAN boot miniroot is to be created on the install server. This directory needs to accommodate miniroots that are typically 250 Mbytes in size.

    install-dir-path

    Specifies the directory on the install server where the Solaris software image is to be copied. This directory can be removed later in this procedure.

  4. Change to the Tools directory on the mounted disc.


    # cd /cdrom/cdrom0/s0/Solaris_9/Tools
    

    In the previous example, cdrom0 is the path to the drive that contains the Solaris operating environment media.

  5. Copy the WAN boot miniroot and the Solaris software image to the WAN boot server's hard disk.


    # ./setup_install_server -w wan-dir-path install-dir-path
    
    wan-dir-path

    Specifies the directory where the WAN boot miniroot is to be copied

    install-dir-path

    Specifies the directory where the Solaris software image is to be copied


    Note –

    The setup_install_server command indicates whether you have enough disk space available for the Solaris Software disc images. To determine available disk space, use the df -kl command.


    The setup_install_server -w command creates the WAN boot miniroot and a network installation image of the Solaris software.

  6. (Optional) Remove the network installation image.

    You do not need the Solaris software image to perform a WAN installation with a Solaris Flash archive. You can free up disk space if you do not plan to use the network installation image for other network installations. Type the following command to remove the network installation image.


    # rm -rf install-dir-path
    
  7. Make the WAN boot miniroot available to the WAN boot server in one of the following ways.

    • Create a symbolic link to the WAN boot miniroot in the document root directory of the WAN boot server.


      # cd /document-root-directory/miniroot
      # ln -s /wan-dir-path/miniroot .
      
      document-root-directory/miniroot

      Specifies the directory in the WAN boot server's document root directory where you want to link to the WAN boot miniroot

      /wan-dir-path/miniroot

      Specifies the path to the WAN boot miniroot

    • Move the WAN boot miniroot to the document root directory on the WAN boot server.


      # mv /wan-dir-path/miniroot /document-root-directory/miniroot/miniroot-name
      
      wan-dir-path/miniroot

      Specifies the path to the WAN boot miniroot.

      /document-root-directory/miniroot/

      Specifies the path to the WAN boot miniroot directory in the WAN boot server's document root directory.

      miniroot-name

      Specifies the name of the WAN boot miniroot. Name the file descriptively, for example miniroot.s9_sparc.

Installing the wanboot Program on the WAN Boot Server

WAN boot uses a special second-level boot program (wanboot) to install the client. The wanboot program loads the WAN boot miniroot, client configuration files, and installation files that are required to perform a WAN boot installation.

To perform a WAN boot installation, you must provide the wanboot program to the client during the installation. You can provide this program to the client in the following ways.

SPARC: To Install the wanboot Program on the WAN Boot Server

This procedure assumes that the WAN boot server is running the Volume Manager. If you are not using the Volume Manager, see System Administration Guide: Basic Administration for information about managing removable media without the Volume Manager.

  1. Become superuser on the install server.

  2. Insert the Solaris Software 1 of 2 CD or the Solaris DVD in the install server's drive.

  3. Change to the sun4u platform directory on the Solaris Software 1 of 2 CD or the Solaris DVD.


    # cd /cdrom/cdrom0/s0/Solaris_9/Tools/Boot/platform/sun4u/
    
  4. Copy the wanboot program to the install server.


    # cp wanboot /document-root-directory/wanboot/wanboot-name
    
    document-root-directory

    Specifies the document root directory of the WAN boot server.

    wanboot-name

    Specifies the name of the wanboot program. Name this file descriptively, for example, wanboot.s9_sparc.

  5. Make the wanboot program available to the WAN boot server in one of the following ways.

    • Create a symbolic link to the wanboot program in the document root directory of the WAN boot server.


      # cd /document-root-directory/wanboot
      # ln -s /wan-dir-path/wanboot .
      
      document-root-directory/wanboot

      Specifies the directory in the WAN boot server's document root directory where you want to link to the wanboot program

      /wan-dir-path/wanboot

      Specifies the path to the wanboot program

    • Move the wanboot program to the document root directory on the WAN boot server.


      # mv /wan-dir-path/wanboot /document-root-directory/wanboot/wanboot-name
      
      wan-dir-path/wanboot

      Specifies the path to the wanboot program

      /document-root-directory/wanboot/

      Specifies the path to the wanboot program directory in the WAN boot server's document root directory.

      wanboot-name

      Specifies the name of the wanboot program. Name the file descriptively, for example wanboot.s9_sparc.

Creating the /etc/netboot Hierarchy on the WAN Boot Server

During the installation, WAN boot refers to the contents of the /etc/netboot hierarchy on the web server for instructions about how to perform the installation. This directory contains the configuration information, the client's private key and digital certificate, and the trusted certificate authority certificate that are required for a WAN boot installation, as well as the hashing and encryption keys that wanbootutil keygen stores there. During the installation, the wanboot-cgi program converts this information into the WAN boot file system and transmits that file system to the client. Because the hierarchy holds private keys and the keys that protect the boot data, the procedure that follows restricts it to the web server user with mode 700.

For planning information about how to design the /etc/netboot hierarchy, see Storing Configuration and Security Information in the /etc/netboot Hierarchy.

To Create the /etc/netboot Hierarchy
  1. Become superuser on the WAN boot server.

  2. Create the /etc/netboot directory.


    # mkdir /etc/netboot
    
  3. Change the permissions of the /etc/netboot directory to 700.


    # chmod 700 /etc/netboot
    
  4. Change the owner of the /etc/netboot directory to the web server owner.


    # chown web-server-user:web-server-group /etc/netboot/
    
    web-server-user

    Specifies the user owner of the web server process

    web-server-group

    Specifies the group owner of the web server process

  5. Exit the superuser role.


    # exit
    
  6. Assume the user role of the web server owner.

  7. Create the client subdirectory of the /etc/netboot directory.


    # mkdir -p /etc/netboot/net-ip/client-ID
    
    -p

    Instructs the mkdir command to create all the necessary parent directories for the directory you want to create

    (Optional) net-ip

    Specifies the network IP address of the client's subnet.

    (Optional) client-ID

    Specifies the client ID. The client ID can be a user-defined value or the DHCP client ID. The client-ID directory must be a subdirectory of the net-ip directory.

  8. For each directory in the /etc/netboot hierarchy, change the permissions to 700.


    # chmod 700 /etc/netboot/dir-name
    
    dir-name

    Specifies the name of a directory in the /etc/netboot hierarchy


Example 40–1 Creating the /etc/netboot Hierarchy on the WAN Boot Server

The following example shows how to create the /etc/netboot hierarchy for the client 010003BA152A42 on subnet 192.168.255.0. In this example, the user nobody and the group admin own the web server process.


# cd /
# mkdir /etc/netboot/
# chmod 700 /etc/netboot
# chown nobody:admin /etc/netboot
# exit
server# su nobody
Password:
nobody# mkdir -p /etc/netboot/192.168.255.0/010003BA152A42
nobody# chmod 700 /etc/netboot/192.168.255.0
nobody# chmod 700 /etc/netboot/192.168.255.0/010003BA152A42
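The procedure above sets the ownership and mode of each directory by hand, and nothing later re-checks them. The following script is an added example (not part of the Solaris guide) that creates the same hierarchy under an arbitrary root and then audits it: every entry must belong to the web server user and carry no group or other permission bits, which is what chmod 700 on directories and chmod 600 on truststore and keystore files amount to. Function names and the throwaway root are assumptions; on a real WAN boot server the root is /etc/netboot and the owner is the web server user.

```sh
# Added example, not from the Solaris guide. Builds and audits an /etc/netboot-style
# hierarchy. Names (netboot_setup, netboot_audit) are assumptions.

# Create root/net-ip/client-ID with mode 700 on every level, as the procedure does.
netboot_setup() {
    root=$1 net=$2 cid=$3
    mkdir -p "$root/$net/$cid" || return 1
    chmod 700 "$root" "$root/$net" "$root/$net/$cid"
}

# Audit: every file and directory under root must be owned by $2 (the web
# server user) and must not be readable, writable or searchable by group or
# other. Offenders are printed one per line; returns 1 if any, 0 if clean.
netboot_audit() {
    root=$1 want_owner=$2
    find "$root" -print | while read -r path; do
        entry=$(ls -ld "$path")
        mode=$(printf '%s\n' "$entry" | cut -c1-10)
        owner=$(printf '%s\n' "$entry" | awk '{print $3}')
        case $mode in
            ?rwx------|?rw-------) ;;   # 700 directory or 600 file: acceptable
            *) printf 'bad mode  %s %s\n' "$mode" "$path" ;;
        esac
        [ "$owner" = "$want_owner" ] || printf 'bad owner %s %s\n' "$owner" "$path"
    done | grep . && return 1
    return 0
}

# Constructed demonstration: a temporary root, one client directory, a keystore
# with the right mode, then the same keystore made world-readable.
demo() {
    root=$(mktemp -d)
    me=$(id -un)
    netboot_setup "$root" 192.168.255.0 010003BA152A42
    : > "$root/192.168.255.0/010003BA152A42/keystore"
    chmod 600 "$root/192.168.255.0/010003BA152A42/keystore"
    netboot_audit "$root" "$me" && echo "hierarchy clean"
    chmod 644 "$root/192.168.255.0/010003BA152A42/keystore"
    netboot_audit "$root" "$me" || echo "audit failed, as it should"
    rm -rf "$root"
}
demo
```

Run the audit as the web server user after every change to the hierarchy, including after wanbootutil writes new key or certificate files, since a single readable keystore exposes the HMAC and encryption keys for every client that shares it.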

Copying the WAN Boot CGI Program to the WAN Boot Server

The wanboot-cgi program creates the data streams that transmit the following files from the WAN boot server to the client.

The wanboot-cgi program is installed on the system when you install the Solaris 9 12/03 operating environment. To enable the WAN boot server to use this program, copy this program to the cgi-bin directory of the WAN boot server.

To Copy the wanboot-cgi Program to the WAN Boot Server
  1. Become superuser on the WAN boot server.

  2. Copy the wanboot-cgi program to the WAN boot server.


    # cp /usr/lib/inet/wanboot/wanboot-cgi /WAN-server-root/cgi-bin/wanboot-cgi
    
    /WAN-server-root

    Specifies the root directory of the web server software on the WAN boot server

  3. On the WAN boot server, change the permissions of the CGI program to 755.


    # chmod 755 /WAN-server-root/cgi-bin/wanboot-cgi
    

(Optional) Protecting Data by Using HTTPS

To protect your data during the transfer from the WAN boot server to the client, you can use HTTP over Secure Sockets Layer (HTTPS). To use the more secure installation configuration that is described in Secure WAN Boot Installation Configuration, you must enable your web server to use HTTPS.

To enable the web server software on the WAN boot server to use HTTPS, you must perform the following tasks.

Using Digital Certificates for Server and Client Authentication

The WAN boot installation method can use PKCS#12 files to perform an installation over HTTPS with server or both client and server authentication. For requirements and guidelines about using PKCS#12 files, see Digital Certificate Requirements.

To use a PKCS#12 file in a WAN boot installation, you perform the following tasks.

The wanbootutil command provides options to perform the tasks in the previous list.

Before you split a PKCS#12 file, create the appropriate subdirectories of the /etc/netboot hierarchy on the WAN boot server.

Creating a Trusted Certificate and Client Private Key
  1. Assume the same user role as the web server user on the WAN boot server.

  2. Extract the trusted certificate from the PKCS#12 file. Insert the certificate in the client's truststore file in the /etc/netboot hierarchy.


    # wanbootutil p12split -i p12cert \
      -t /etc/netboot/net-ip/client-ID/truststore
    
    p12split

    Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.

    -i p12cert

    Specifies the name of the PKCS#12 file to split.

    -t /etc/netboot/net-ip/client-ID/truststore

    Inserts the certificate in the client's truststore file. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.

  3. (Optional) Decide if you want to require client authentication.

    1. Insert the client certificate in the client's certstore.


      # wanbootutil p12split -i p12cert -c \
        /etc/netboot/net-ip/client-ID/certstore -k keyfile
      
      p12split

      Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.

      -i p12cert

      Specifies the name of the PKCS#12 file to split.

      -c /etc/netboot/net-ip/client-ID/certstore

      Inserts the client's certificate in the client's certstore. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.

      -k keyfile

      Specifies the name of the client's SSL private key file to create from the split PKCS#12 file.

    2. Insert the private key in the client's keystore.


      # wanbootutil keymgmt -i -k keyfile \
         -s /etc/netboot/net-ip/client-ID/keystore -o type=rsa
      
      keymgmt -i

      Inserts an SSL private key in the client's keystore

      -k keyfile

      Specifies the name of the client's private key file that was created in the previous step

      -s /etc/netboot/net-ip/client-ID/keystore

      Specifies the path to the client's keystore

      -o type=rsa

      Specifies the key type as RSA


Example 40–2 Creating a Trusted Certificate for Server Authentication

In the following example, you use a PKCS#12 file to install client 010003BA152A42 on subnet 192.168.255.0. This command sample extracts a certificate from a PKCS#12 file that is named client.p12. The command then places the contents of the trusted certificate in the client's truststore file.


# wanbootutil p12split -i client.p12 \
   -t /etc/netboot/192.168.255.0/010003BA152A42/truststore
# chmod 600 /etc/netboot/192.168.255.0/010003BA152A42/truststore

Creating a Hashing Key and an Encryption Key

If you want to use HTTPS to transmit your data, you must create an HMAC SHA1 hashing key and an encryption key. If you plan to install over a semi-private network, you might not want to encrypt the installation data. In that case you can still use an HMAC SHA1 hashing key to check the integrity of the wanboot program. For overview information on hashing keys and encryption keys, see Protecting Data During a WAN Boot Installation.

By using the wanbootutil keygen command, you can generate these keys and store them in the appropriate /etc/netboot directory.

To Create a Hashing Key and Encryption Key
  1. Assume the same user role as the web server user on the WAN boot server.

  2. Create the master HMAC SHA1 key.


    # wanbootutil keygen -m
    
    keygen -m

    Creates the master HMAC SHA1 key for the WAN boot server

  3. Create the HMAC SHA1 hashing key for the client from the master key.


    # wanbootutil keygen -c -o [net=net-ip,{cid=client-ID,}]type=sha1
    
    -c

    Creates the client's hashing key from the master key.

    -o

    Indicates that additional options are included for the wanbootutil keygen command.

    (Optional) net=net-ip

    Specifies the IP address for the client's subnet. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.

    (Optional) cid=client-ID

    Specifies the client ID. The client ID can be a user-defined ID or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.

    type=sha1

    Instructs the wanbootutil keygen utility to create an HMAC SHA1 hashing key for the client.

  4. Decide if you need to create an encryption key for the client.

    You need to create an encryption key to perform a WAN boot installation over HTTPS. Before the client establishes an HTTPS connection with the WAN boot server, the WAN boot server transmits encrypted data and information to the client. The encryption key enables the client to decrypt this information and use this information during the installation.

    • If you are performing a more secure WAN installation over HTTPS with server authentication, continue.

    • If you only want to check the integrity of the wanboot program, you do not need to create an encryption key. Go to Step 6.

  5. Create an encryption key for the client.


    # wanbootutil keygen -c -o [net=net-ip,{cid=client-ID,}]type=key-type
    
    -c

    Creates the client's encryption key.

    -o

    Indicates that additional options are included for the wanbootutil keygen command.

    (Optional) net=net-ip

    Specifies the network IP address for the client. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.

    (Optional) cid=client-ID

    Specifies the client ID. The client ID can be a user-defined ID, or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.

    type=key-type

    Instructs the wanbootutil keygen utility to create an encryption key for the client. key-type can have a value of 3des or aes.

  6. Install the keys on the client system.

    For instructions about how to install keys on the client, see Installing Keys on the Client.


Example 40–3 Creating Required Keys for WAN Boot Installation Over HTTPS

The following example creates a master HMAC SHA1 key for the WAN boot server. This example also creates an HMAC SHA1 hashing key and a 3DES encryption key for client 010003BA152A42 on subnet 192.168.255.0.


# wanbootutil keygen -m
# wanbootutil keygen -c -o net=192.168.255.0,cid=010003BA152A42,type=sha1
# wanbootutil keygen -c -o net=192.168.255.0,cid=010003BA152A42,type=3des
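Two things the keygen procedure leaves implicit are which keystore file a client key lands in for a given combination of net= and cid=, and what the HMAC SHA1 hashing key actually provides. The script below is an added example, not from the Solaris guide: the first function encodes the scoping rule stated in the option descriptions above, and the rest use openssl(1) instead of wanbootutil, with a made-up 20-byte key, to show the integrity check in principle. It does not reproduce the exact format wanboot-cgi puts on the wire. Function names are assumptions.

```sh
# Added example, not from the Solaris guide. Key scoping rule plus an HMAC SHA1
# integrity check of the kind the client hashing key enables. Uses openssl(1).

# Keystore that `wanbootutil keygen -c -o [net=..,][cid=..,]type=..` writes to:
#   neither net nor cid -> root/keystore                   (every WAN boot client)
#   net only            -> root/net-ip/keystore            (all clients on that subnet)
#   net and cid         -> root/net-ip/client-ID/keystore  (that one client)
# cid without net is rejected, as the guide requires.
keystore_for() {
    root=$1 net=$2 cid=$3
    if [ -n "$cid" ] && [ -z "$net" ]; then
        echo "cid= requires net=" >&2
        return 1
    fi
    p=$root
    [ -n "$net" ] && p="$p/$net"
    [ -n "$cid" ] && p="$p/$cid"
    printf '%s\n' "$p/keystore"
}

# HMAC SHA1 of a file under a hex-encoded key, printed as hex.
hmac_sha1_file() {
    openssl dgst -sha1 -mac HMAC -macopt "hexkey:$2" "$1" | awk '{print $NF}'
}

# 0 if the file still matches the MAC computed when it was published, 1 otherwise.
verify_hmac() {
    [ "$(hmac_sha1_file "$1" "$2")" = "$3" ]
}

# Constructed demonstration with a stand-in for the wanboot binary.
demo() {
    tmp=$(mktemp -d)
    key=000102030405060708090a0b0c0d0e0f10111213   # assumed key; real keys come from keygen
    wb=$tmp/wanboot.s9_sparc
    printf 'constructed stand-in for the wanboot program\n' > "$wb"
    mac=$(hmac_sha1_file "$wb" "$key")
    echo "published MAC: $mac"
    verify_hmac "$wb" "$key" "$mac" && echo "untouched wanboot: accepted"
    printf 'x' >> "$wb"                               # one byte changed in transit
    verify_hmac "$wb" "$key" "$mac" || echo "modified wanboot: rejected"
    echo "per-client keystore: $(keystore_for /etc/netboot 192.168.255.0 010003BA152A42)"
    rm -rf "$tmp"
}
demo
```

The check only means something if the hashing key stays secret and reaches the client out of band, which is why the guide has you install keys on the client separately. A hashing key gives integrity, not confidentiality: without the encryption key from Step 5 the boot data is still readable on the wire, and between the two encryption choices AES is the one to prefer where the client supports it, 3DES being a legacy 64-bit block cipher. The narrower the keystore scope (per client rather than per subnet or global), the less a single leaked key exposes.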

Creating the Custom JumpStart Installation Files

WAN boot performs a custom JumpStart installation to install a Solaris Flash archive on the client. The custom JumpStart installation method is a command–line interface that enables you to automatically install several systems, based on profiles that you create. The profiles define specific software installation requirements. You can also incorporate shell scripts to include preinstallation and postinstallation tasks. You choose which profile and scripts to use for installation or upgrade. The custom JumpStart installation method installs or upgrades the system, based on the profile and scripts that you select. Also, you can use a sysidcfg file to specify configuration information so that the custom JumpStart installation is completely free of manual intervention.

To prepare the custom JumpStart files for a WAN boot installation, complete the following tasks.

For detailed information on the custom JumpStart installation method, see Chapter 22, Custom JumpStart (Overview).

Creating the Solaris Flash Archive

The Solaris Flash installation feature enables you to use a single reference installation of the Solaris operating environment on a system, which is called the master system. You can then create a Solaris Flash archive, which is a replica image of the master system. You can install the Solaris Flash archive on other systems in the network, creating clone systems.

This section describes how to create a Solaris Flash archive to use in your WAN boot installation. Before you create a Solaris Flash archive, you must first install the master system.

To Create a Solaris Flash Archive

For detailed instructions about how to create a Solaris Flash archive, see Creating a Solaris Flash Archive.

  1. Boot the master system.

    Run the master system in as inactive a state as possible. When possible, run the system in single-user mode. If that is not possible, shut down any applications that you want to archive and any applications that require extensive operating system resources.

  2. To create the archive, use the flar create command.


    # flar create -n name [optional-parameters]  document-root/flash/filename
    
    name

    The name that you give the archive. The name you specify is the value of the content_name keyword.

    optional-parameters

    You can use several options to the flar create command to customize your Solaris Flash archive. For detailed descriptions of these options, see Chapter 20, Solaris Flash (Reference).

    document-root/flash

    The path to the Solaris Flash subdirectory of the install server's document root directory.

    filename

    The name of the archive file.

    To conserve disk space, you might want to use the -c option to the flar create command to compress the archive. However, a compressed archive can affect the performance of your WAN boot installation. For more information about creating a compressed archive, see the man page flar create(1M).

    • If the archive creation is successful, the flar create command returns an exit code of 0.

    • If the archive creation fails, the flar create command returns a nonzero exit code.

For examples of how to create a Solaris Flash archive, see Examples—Creating an Archive for an Initial Install.

Creating the sysidcfg File

You can specify a set of keywords in the sysidcfg file to preconfigure a system. For more detailed information about sysidcfg keywords and values, see Preconfiguring With the sysidcfg File.

To Create the sysidcfg File
  1. Create a file called sysidcfg in a text editor on the install server.

  2. Type the sysidcfg keywords you want.

    For detailed information about sysidcfg keywords, see sysidcfg File Keywords.

  3. Save the sysidcfg file in a location that is accessible to the WAN boot server.

    Save the file to one of the following locations.

    • If the WAN boot server and install server are hosted on the same machine, save this file to the flash subdirectory of the document root directory on the WAN boot server.

    • If the WAN boot server and install server are not on the same machine, save this file to the flash subdirectory of the document root directory of the install server.


Example 40–4 sysidcfg File for WAN Boot Installation

The following is an example of a sysidcfg file for a SPARC based system. The host name, IP address, and netmask of this system have been preconfigured by editing the name service.

network_interface=primary {hostname=seahag
                           default_route=192.168.88.1
                           ip_address=192.168.88.210
                           netmask=255.255.0.0
                           protocol_ipv6=no}
timezone=US/Central
system_locale=C
terminal=xterm
timeserver=localhost
name_service=NIS {name_server=matter(192.168.255.255)
                  domain_name=mind.over.example.com
                  }
security_policy=none

Creating the Profile

A profile is a text file that instructs the custom JumpStart program how to install the Solaris software on a system. A profile defines elements of the installation, for example, the software group to install.

For detailed information about how to create profiles, see Creating a Profile.

To Create a Profile
  1. Create a text file on the install server. Name the file descriptively.

    Ensure that the name of the profile reflects how you intend to use the profile to install the Solaris software on a system. For example, you might name the profiles basic_install, eng_profile, or user_profile.

  2. Add profile keywords and values to the profile.

    For a list of profile keywords and values, see Profile Keywords and Values.

    Profile keywords and their values are case sensitive.

  3. Save the profile in a location that is accessible to the WAN boot server.

    Save the profile in one of the following locations.

    • If the WAN boot server and install server are hosted on the same machine, save this file to the flash subdirectory of the document root directory on the WAN boot server.

    • If the WAN boot server and install server are not on the same machine, save this file to the flash subdirectory of the document root directory of the install server.

  4. Ensure that root owns the profile and that the permissions are set to 644.

  5. (Optional) Test the profile.

    Testing a Profile contains information about testing profiles.


Example 40–5 Retrieving a Solaris Flash Archive From a Secure HTTP Server

In the following example, the profile indicates that the custom JumpStart program retrieves the Solaris Flash archive from a secure HTTP server.

# profile keywords         profile values
# ----------------         -------------------
install_type               flash_install
archive_location           https://192.168.255.255/solarisupdate.flar
partitioning               explicit
filesys                    c0t1d0s0 4000 /
filesys                    c0t1d0s1 512 swap
filesys                    c0t1d0s7 free /export/home

The following list describes some of the keywords and values from this example.

install_type

The profile installs a Solaris Flash archive on the clone system. All files are overwritten as in an initial installation.

archive_location

The compressed Solaris Flash archive is retrieved from a secure HTTP server.

partitioning

Because the partitioning value is explicit, the file system slices are determined by the filesys keywords. The size of root (/) is based on the size of the Solaris Flash archive. The size of swap is set to the necessary size and is installed on c0t1d0s1. /export/home is based on the remaining disk space. /export/home is installed on c0t1d0s7.


Creating the rules File

The rules file is a text file that contains a rule for each group of systems on which you want to install the Solaris operating environment. Each rule distinguishes a group of systems that are based on one or more system attributes. Each rule also links each group to a profile. A profile is a text file that defines how the Solaris software is to be installed on each system in the group. For example, the following rule specifies that the JumpStart program use the information in the basic_prof profile to install any system with the sun4u platform group.

karch sun4u - basic_prof -

The rules file is used to create the rules.ok file, which is required for custom JumpStart installations.

For detailed information about how to create a rules file, see Creating the rules File.

To Create a rules File
  1. On the install server, create a text file that is named rules.

  2. Add a rule in the rules file for each group of systems you want to install.

    For detailed information about how to create a rules file, see Creating the rules File.

  3. Save the rules file on the install server.

  4. Validate the rules file.


    $ ./check [-p path -r file_name]

    -p path

    Validates the rules by using the check script from the Solaris 9 software image instead of the check script from the system you are using. path is the image on a local disk or a mounted Solaris DVD or a Solaris Software 1 of 2 CD.

    Use this option to run the most recent version of check if your system is running a previous version of Solaris.

    -r file_name

    Specifies a rules file other than the file that is named rules. By using this option, you can test the validity of a rule before you integrate the rule into the rules file.

    As the check script runs, the script reports the checking of the validity of the rules file and each profile. If no errors are encountered, the script reports: The custom JumpStart configuration is ok. The check script creates the rules.ok file.

  5. Save the rules.ok file in a location that is accessible to the WAN boot server.

    Save the file to one of the following locations.

    • If the WAN boot server and install server are hosted on the same machine, save this file to the flash subdirectory of the document root directory on the WAN boot server.

    • If the WAN boot server and install server are not on the same machine, save this file to the flash subdirectory of the document root directory of the install server.

  6. Ensure that root owns the rules.ok file and that the permissions are set to 644.

For examples of rules files, see rules File Example.

(Optional) Creating Begin and Finish Scripts

Begin and finish scripts are user-defined Bourne shell scripts that you specify in the rules file. A begin script performs tasks before the Solaris software is installed on a system. A finish script performs tasks after the Solaris software is installed on a system, but before the system reboots. You can use these scripts only when using custom JumpStart to install Solaris.

You can use begin scripts to create derived profiles. Finish scripts enable you to perform various postinstallation tasks, such as adding files, packages, patches, or additional software.

You must store the begin and finish scripts in the same directory as the sysidcfg, rules.ok, and profile files on the install server.

Creating the Configuration Files

WAN boot uses the following two files to specify the location of the data and files that are required for a WAN boot installation.

  • System configuration file, which points to the sysidcfg, rules.ok, and profile files

  • wanboot.conf file, which points to the wanboot program, the WAN boot miniroot, the system configuration file, and the security settings for the installation

This section describes how to create and store these two files.

Creating the System Configuration File

In the system configuration file, you can direct the WAN boot installation programs to the following files.

  • sysidcfg file

  • rules.ok file

  • Custom JumpStart profile

WAN boot follows the pointers in the system configuration file to install and configure the client.

The system configuration file is a plain text file, and must be formatted in the following pattern.

setting=value

To use a system configuration file to direct the WAN installation programs to the sysidcfg, rules.ok, and profile files, follow these steps.

To Create a System Configuration File
  1. Assume the same user role as the web server user on the WAN boot server.

  2. Create a text file. Name the file descriptively, for example, sys-conf.s9-sparc.

  3. Add the following entries to the system configuration file.

    SsysidCF=sysidcfg-file-URL

    This setting points to the flash directory on the install server that contains the sysidcfg file. Make sure that this URL matches the path to the sysidcfg file that you created in Creating the sysidcfg File.

    For WAN installations that use HTTPS, set the value to a valid HTTPS URL.

    SjumpsCF=jumpstart-files-URL

    This setting points to the Solaris Flash directory on the install server that contains the rules.ok file, profile file, and begin and finish scripts. Make sure that this URL matches the path to the custom JumpStart files that you created in Creating the Profile and Creating the rules File.

    For WAN installations that use HTTPS, set the value to a valid HTTPS URL.

  4. Save the file to a directory that is accessible to the WAN boot server.

    For administration purposes, you might want to save the file to the appropriate client directory in the /etc/netboot directory on the WAN boot server.

  5. Change the permissions on the system configuration file to 600.


    # chmod 600 /path/system-conf-file
    
    path

    Specifies the path to the directory that contains the system configuration file.

    system-conf-file

    Specifies the name of the system configuration file.


Example 40–6 System Configuration File for WAN Boot Installation Over HTTPS

In the following example, the WAN boot programs check for the sysidcfg and custom JumpStart files on the web server https://www.example.com on port 1234. The web server uses secure HTTP to encrypt data and files during the installation.

The sysidcfg and custom JumpStart files are located in the flash subdirectory of the document root directory htdocs.

SsysidCF=https://www.example.com:1234/htdocs/flash
SjumpsCF=https://www.example.com:1234/htdocs/flash


Example 40–7 System Configuration File for Insecure WAN Boot Installation

In the following example, the WAN boot programs check for the sysidcfg and custom JumpStart files on the web server http://www.example.com. The web server uses HTTP, so the data and files are not protected during the installation.

The sysidcfg and custom JumpStart files are located in the flash subdirectory of the document root directory htdocs.

SsysidCF=http://www.example.com/htdocs/flash
SjumpsCF=http://www.example.com/htdocs/flash

Creating the wanboot.conf File

The wanboot.conf file is a plain text configuration file that the WAN boot programs use to perform a WAN installation. The wanboot-cgi program, the boot file system, and the WAN boot miniroot all use the information included in the wanboot.conf file to install the client machine.

Save the wanboot.conf file in the appropriate client subdirectory in the /etc/netboot hierarchy on the WAN boot server. For information about how to define the scope of your WAN boot installation with the /etc/netboot hierarchy, see Creating the /etc/netboot Hierarchy on the WAN Boot Server.

If the WAN boot server is running the Solaris 9 12/03 operating environment, a sample wanboot.conf file is located in /etc/inet/wanboot.conf.sample. You can use this sample as a template for your WAN boot installation.

You must include the following information in the wanboot.conf file.

Table 40–2 Information for the wanboot.conf File

Type of Information 

Description 

WAN boot server information 

  • Path to wanboot program on the WAN boot server

  • URL of wanboot-cgi program on WAN boot server

Install server information 

  • Path to WAN boot miniroot on the install server

  • Path to system configuration file on the WAN boot server that specifies location of sysidcfg and custom JumpStart files

Security information 

  • Signature type for the WAN boot file system or WAN boot miniroot

  • Encryption type for the WAN boot file system

  • Whether the server should be authenticated during the WAN boot installation

  • Whether the client should be authenticated during the WAN boot installation

Optional information 

  • Additional hosts that might need to be resolved for the client during a WAN boot installation

  • URL to the bootlog-cgi script on the logging server

You specify this information by listing parameters with associated values in the following format.

parameter=value

For detailed information about wanboot.conf file parameters and syntax, see wanboot.conf File Parameters and Syntax.

To Create a wanboot.conf File
  1. Assume the same user role as the web server user on the WAN boot server.

  2. Create the wanboot.conf text file.

    You can create a new text file that is named wanboot.conf, or use the sample file that is located in /etc/inet/wanboot.conf.sample. If you use the sample file, rename the file wanboot.conf after you add parameters.

  3. Type the wanboot.conf parameters and values for your installation.

    For detailed descriptions of wanboot.conf parameters and values, see wanboot.conf File Parameters and Syntax.

  4. Save the wanboot.conf file to the appropriate subdirectory of the /etc/netboot hierarchy.

    For information about how to create the /etc/netboot hierarchy, see Creating the /etc/netboot Hierarchy on the WAN Boot Server.

  5. Validate the wanboot.conf file.


    # bootconfchk /etc/netboot/path-to-wanboot.conf/wanboot.conf
    
    path-to-wanboot.conf

    Specifies the path to the client's wanboot.conf file on the WAN boot server.

    • If the wanboot.conf file is structurally valid, the bootconfchk command returns an exit code of 0.

    • If the wanboot.conf file is invalid, the bootconfchk command returns a nonzero exit code.

  6. Change the permissions on the wanboot.conf file to 600.


    # chmod 600 /etc/netboot/path-to-wanboot.conf/wanboot.conf
    

Example 40–8 wanboot.conf File for WAN Boot Installation Over HTTPS

The following wanboot.conf file example includes configuration information for a WAN installation that uses secure HTTP. The wanboot.conf file also indicates that a 3DES encryption key is used in this installation.

boot_file=/wanboot/wanboot.s9_sparc
root_server=https://www.example.com:1234/cgi-bin/wanboot-cgi
root_file=/miniroot/miniroot.s9_sparc
signature_type=sha1
encryption_type=3des
server_authentication=yes
client_authentication=no
resolve_hosts=
boot_logger=https://www.example.com:1234/cgi-bin/bootlog-cgi
system_conf=system.conf

This wanboot.conf file specifies the following configuration.

boot_file=/wanboot/wanboot.s9_sparc

The second level boot program is named wanboot.s9_sparc. This program is located in the /wanboot directory in the WAN boot server's document root directory.

root_server=https://www.example.com:1234/cgi-bin/wanboot-cgi

The location of the wanboot-cgi program on the WAN boot server is https://www.example.com:1234/cgi-bin/wanboot-cgi. The https portion of the URL indicates that this WAN boot installation uses secure HTTP.

root_file=/miniroot/miniroot.s9_sparc

The WAN boot miniroot is named miniroot.s9_sparc. This miniroot is located in the /miniroot directory in the WAN boot server's document root directory.

signature_type=sha1

The wanboot.s9_sparc program and the WAN boot file system are signed with an HMAC SHA1 hashing key.

encryption_type=3des

The wanboot.s9_sparc program and the boot file system are encrypted with a 3DES key.

server_authentication=yes

The server is authenticated during the installation.

client_authentication=no

The client is not authenticated during the installation.

resolve_hosts=

No additional host names are needed to perform the WAN installation. All required files and information are located in the document root directory on the WAN boot server.

boot_logger=https://www.example.com:1234/cgi-bin/bootlog-cgi

Booting and installation log messages are recorded on the WAN boot server by using secure HTTP.

system_conf=system.conf

The system configuration file that contains the locations of the sysidcfg and JumpStart files is located in a subdirectory of the /etc/netboot hierarchy. The system configuration file is named system.conf.



Example 40–9 wanboot.conf File for Insecure WAN Boot Installation

The following wanboot.conf file example includes configuration information for a less secure WAN boot installation that uses HTTP. This wanboot.conf file also indicates that the installation does not use an encryption key or a hashing key.

boot_file=/wanboot/wanboot.s9_sparc
root_server=http://www.example.com/cgi-bin/wanboot-cgi
root_file=/miniroot/miniroot.s9_sparc
signature_type=
encryption_type=
server_authentication=no
client_authentication=no
resolve_hosts=
boot_logger=http://www.example.com/cgi-bin/bootlog-cgi
system_conf=system.conf

This wanboot.conf file specifies the following configuration.

boot_file=/wanboot/wanboot.s9_sparc

The second level boot program is named wanboot.s9_sparc. This program is located in the /wanboot directory in the WAN boot server's document root directory.

root_server=http://www.example.com/cgi-bin/wanboot-cgi

The location of the wanboot-cgi program on the WAN boot server is http://www.example.com/cgi-bin/wanboot-cgi. This installation does not use secure HTTP.

root_file=/miniroot/miniroot.s9_sparc

The WAN boot miniroot is named miniroot.s9_sparc. This miniroot is located in the /miniroot subdirectory in the WAN boot server's document root directory.

signature_type=

The wanboot.s9_sparc program and the WAN boot file system are not signed with a hashing key.

encryption_type=

The wanboot.s9_sparc program and the boot file system are not encrypted.

server_authentication=no

The server is not authenticated with keys or certificates during the installation.

client_authentication=no

The client is not authenticated with keys or certificates during the installation.

resolve_hosts=

No additional host names are needed to perform the installation. All required files and information are located in the document root directory on the WAN boot server.

boot_logger=http://www.example.com/cgi-bin/bootlog-cgi

Booting and installation log messages are recorded on the WAN boot server.

system_conf=system.conf

The system configuration file that contains the locations of the sysidcfg and JumpStart files is named system.conf. This file is located in the appropriate client subdirectory of the /etc/netboot hierarchy.
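The following checker is an added example and is not part of the Solaris documentation or the WAN boot software. It parses a system configuration file and a wanboot.conf file in the setting=value format of Examples 40–6 through 40–9 and reports the settings that weaken an HTTPS installation: a non-HTTPS SsysidCF or SjumpsCF URL, an HTTPS root_server with server_authentication not set to yes, an empty signature_type or encryption_type, and a boot_logger that is not HTTPS or is not on the WAN boot server itself. The sample file contents are constructed for the example; the "same host and port as root_server" test is an assumption used to approximate the rule that an HTTPS logging server must be the WAN boot server.

```python
# Added example (not Sun's code): audit the setting=value files described
# above for the security settings this chapter explains. Assumes the file
# format of Examples 40-6 to 40-9; an empty signature_type or
# encryption_type means the boot file system is unsigned or unencrypted.
from urllib.parse import urlsplit

# Constructed samples modelled on Examples 40-6 and 40-8, each weakened on purpose.
SYSTEM_CONF = """SsysidCF=https://www.example.com:1234/htdocs/flash
SjumpsCF=http://www.example.com/htdocs/flash
"""
WANBOOT_CONF = """boot_file=/wanboot/wanboot.s9_sparc
root_server=https://www.example.com:1234/cgi-bin/wanboot-cgi
root_file=/miniroot/miniroot.s9_sparc
signature_type=sha1
encryption_type=
server_authentication=no
client_authentication=no
resolve_hosts=
boot_logger=http://www.example.com/cgi-bin/bootlog-cgi
system_conf=system.conf
"""


def parse_conf(text):
    """Parse setting=value lines; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        conf[key.strip()] = value.strip()
    return conf


def audit_system_conf(conf):
    """For an HTTPS install both SsysidCF and SjumpsCF must be HTTPS URLs."""
    findings = []
    for key in ("SsysidCF", "SjumpsCF"):
        url = conf.get(key, "")
        if urlsplit(url).scheme != "https":
            findings.append("%s is not an HTTPS URL: %s" % (key, url or "<missing>"))
    return findings


def audit_wanboot_conf(conf):
    """Report settings that fall short of the HTTPS configuration of Example 40-8."""
    findings = []
    root = urlsplit(conf.get("root_server", ""))
    if root.scheme == "https" and conf.get("server_authentication") != "yes":
        findings.append("root_server is HTTPS but server_authentication is not yes")
    for key, effect in (("signature_type", "unsigned"), ("encryption_type", "unencrypted")):
        if not conf.get(key):
            findings.append("%s is empty: boot file system is %s" % (key, effect))
    logger = urlsplit(conf.get("boot_logger", ""))
    if logger.scheme != "https":
        findings.append("boot_logger is not HTTPS: log messages are unprotected")
    elif logger.netloc != root.netloc:  # assumption: same host:port as root_server
        findings.append("HTTPS boot_logger must be on the WAN boot server")
    return findings
```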


(Optional) Providing Configuration Information With a DHCP Server

If you use a DHCP server on your network, you can configure the DHCP server to supply the following information.

  • IP address of the proxy server for the network

  • URL of the wanboot-cgi program on the WAN boot server

You can use the following DHCP vendor options in your WAN boot installation.

SHTTPproxy

Specifies the IP address of the network's proxy server

SbootURI

Specifies the URL of the wanboot-cgi program on the WAN boot server

For information about setting these vendor options on a Solaris DHCP server, see Preconfiguring System Configuration Information With the DHCP Service (Tasks).

For detailed information about setting up a Solaris DHCP server, see “Configuring DHCP Service (Task)” in System Administration Guide: IP Services.

(Optional) Configuring the WAN Boot Logging Server

If you want to record boot and installation logging messages on a system other than the client, you must set up a logging server. If you want to use a logging server with HTTPS during the installation, you must configure the WAN boot server as the logging server.

To configure the logging server, follow these steps.

To Configure the Logging Server
  1. Copy the bootlog-cgi script to the logging server's CGI script directory.


    # cp /usr/lib/inet/wanboot/bootlog-cgi \
      log-server-root/cgi-bin
    
    log-server-root/cgi-bin

    Specifies the cgi-bin directory in the logging server's web server directory

  2. Change the permissions of the bootlog-cgi script to 755.


    # chmod 755 log-server-root/cgi-bin/bootlog-cgi
    
  3. Set the value of the boot_logger parameter in the wanboot.conf file.

    In the wanboot.conf file, specify the URL of the bootlog-cgi script on the logging server.

    For more information about setting parameters in the wanboot.conf file, see Creating the wanboot.conf File.

    During the installation, boot and installation log messages are recorded in the /tmp directory of the logging server. The log file is named bootlog.hostname, where hostname is the host name of the client.


Example 40–10 Configuring a Logging Server for WAN Boot Installation Over HTTPS

The following example configures the WAN boot server as a logging server.


# cp /usr/lib/inet/wanboot/bootlog-cgi /opt/apache/cgi-bin/
# chmod 755 /opt/apache/cgi-bin/bootlog-cgi