Solaris 9 12/03 Installation Guide

Preparing the Client for a WAN Boot Installation

Before you install the client system, prepare the client by performing the following tasks.

Checking the Client OBP for WAN Boot Support

To perform a hands-off WAN boot installation, the client OpenBoot PROM (OBP) must support WAN boot. The following procedure describes how to determine if the client OBP supports WAN boot.

To Check the Client OBP for WAN Boot Support
  1. Become superuser on the client.

  2. Bring the system to run level 0 (PROM monitor level).


    # init 0
    

    The ok prompt is displayed.

  3. At the ok prompt, check the OBP configuration variables for WAN boot support.


    ok printenv network-boot-arguments
    
    • If the variable network-boot-arguments is displayed in the output of the previous command, the OBP supports WAN boot installations. You do not need to update the OBP before you perform your WAN boot installation.

    • If the message Unknown option: network-boot-arguments is displayed in the output of the previous command, the OBP does not support WAN boot installations. You must perform one of the following tasks.

      • Update the client OBP. See your system documentation for information about how to update the OBP.

      • Perform the WAN boot installation from the Solaris 9 Software CD in a local CD-ROM drive. For instructions about how to boot the client from a local CD-ROM drive, see Installing With Local CD Media.


Example 41–1 Verifying OBP Support for WAN Boot on the Client

The following command shows how to check the client OBP for WAN boot support.


ok printenv network-boot-arguments
network-boot-arguments= 

In this example, the output network-boot-arguments= indicates that the client OBP supports WAN boot.


Checking the net Device Alias in the Client OBP

To boot the client from the WAN with the boot net command, the net device alias must be set to the client's primary network device. On most systems, this alias is already set correctly. However, if the alias is not set to the network device you want to use, you must change the alias.

Follow these steps to check the net device alias on the client.

To Check the net Device Alias
  1. Become superuser on the client.

  2. Bring the system to run level 0.


    # init 0
    

    The ok prompt is displayed.

  3. At the ok prompt, check device aliases that are set in the OBP.


    ok devalias
    

    The devalias command outputs information that is similar to the following example.


    screen                   /pci@1f,0/pci@1,1/SUNW,m64B@2
    net                      /pci@1f,0/pci@1,1/network@c,1
    net2                     /pci@1f,0/pci@1,1/network@5,1
    disk                     /pci@1f,0/pci@1/scsi@8/disk@0,0
    cdrom                    /pci@1f,0/pci@1,1/ide@d/cdrom@0,0:f
    keyboard                 /pci@1f,0/pci@1,1/ebus@1/su@14,3083f8
    mouse                    /pci@1f,0/pci@1,1/ebus@1/su@14,3062f8

    • If the net alias is set to the network device you want to use during the installation, you do not need to reset the alias. Go to Installing Keys on the Client to continue your installation.

    • If the net alias is not set to the network device you want to use, you must reset the alias. Continue.

  4. Set the net device alias.

    Choose one of the following commands to set the net device alias.

    • To set the net device alias for this installation only, use the devalias command.


      ok devalias net device-path
      
      net device-path

      Assigns the device device-path to the net alias

    • To permanently set the net device alias, use the nvalias command.


      ok nvalias net device-path
      
      net device-path

      Assigns the device device-path to the net alias


Example 41–2 Checking and Resetting the net Device Alias

The following commands show how to check and reset the net device alias.

Check the device aliases.


ok devalias
screen                   /pci@1f,0/pci@1,1/SUNW,m64B@2
net                      /pci@1f,0/pci@1,1/network@c,1
net2                     /pci@1f,0/pci@1,1/network@5,1
disk                     /pci@1f,0/pci@1/scsi@8/disk@0,0
cdrom                    /pci@1f,0/pci@1,1/ide@d/cdrom@0,0:f
keyboard                 /pci@1f,0/pci@1,1/ebus@1/su@14,3083f8
mouse                    /pci@1f,0/pci@1,1/ebus@1/su@14,3062f8

If you want to use the /pci@1f,0/pci@1,1/network@5,1 network device, type the following command.


ok devalias net /pci@1f,0/pci@1,1/network@5,1

For more information about setting device aliases, see “The Device Tree” in OpenBoot 3.x Command Reference Manual.

Installing Keys on the Client

For a more secure WAN boot installation or an insecure installation with data integrity checking, you must install keys on the client. By using a hashing key and an encryption key, you can protect the data that is transmitted to the client. You can install these keys in the following ways.

You can also install keys in the OBP of a running client. If you want to install keys on a running client, the system must be running the Solaris 9 12/03 operating environment, or a compatible version.

When you install keys on your client, ensure that the key values are not transmitted over an insecure connection. Follow your site's security policies to ensure the privacy of the key values.

To Install Keys in the Client OBP

If you want to assign key values to OBP network boot argument variables, follow these steps.

  1. Assume the same user role as the web server user on the WAN boot server.

  2. Display the key value for each client key.


    # wanbootutil keygen -d -c -o net=net-ip,cid=client-ID,type=key-type
    
    net-ip

    The IP address of the client's subnet.

    client-ID

    The ID of the client you want to install. The client ID can be a user-defined ID or the DHCP client ID.

    key-type

    The key type you want to install on the client. Valid key types are 3des, aes, or sha1.

    The hexadecimal value for the key is displayed.

  3. Repeat the previous step for each type of client key you want to install.

  4. Bring the client system to run level 0.


    # init 0
    

    The ok prompt is displayed.

  5. At the client ok prompt, set the value for the hashing key.


    ok set-security-key wanboot-hmac-sha1 key-value
    
    set-security-key

    Installs the key on the client

    wanboot-hmac-sha1

    Instructs OBP to install an HMAC SHA1 hashing key

    key-value

    Specifies the hexadecimal string that is displayed in Step 2.

    The HMAC SHA1 hashing key is installed in the client OBP.

  6. At the client ok prompt, install the encryption key.


    ok set-security-key wanboot-3des key-value
    
    set-security-key

    Installs the key on the client

    wanboot-3des

    Instructs OBP to install a 3DES encryption key. If you want to use an AES encryption key, set this value to wanboot-aes.

    key-value

    Specifies the hexadecimal string that represents the encryption key.

    The 3DES encryption key is installed in the client OBP.

    After you install the keys, you are ready to install the client. See Installing the Client for instructions about how to install the client system.

  7. (Optional) Verify that the keys are set in the client OBP.


    ok list-security-keys
    Security Keys:
             wanboot-hmac-sha1
             wanboot-3des

  8. (Optional) If you need to delete a key, type the following command.


    ok set-security-key key-type
    
    key-type

    Specifies the type of key you need to delete. Use the value wanboot-hmac-sha1, wanboot-3des, or wanboot-aes.
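
The key values in Steps 5 and 6 are long hexadecimal strings that are retyped at the ok prompt, where a dropped or mistyped character is easy to miss. The following script is an added example, not part of the original guide: it checks a value copied from the keygen output and prints the matching set-security-key command. The function names are hypothetical, and the expected lengths for sha1 and 3des are assumptions taken from the sample values in this guide's examples; no length is assumed for aes.

```shell
#!/bin/sh
# Added example, not from the Solaris guide. Checks a key value copied from
# `wanbootutil keygen -d` output and prints the matching ok-prompt command.
# The printed line contains the key: handle it like the keygen output itself.

# Map a wanbootutil key type to the OBP key name used by set-security-key.
obp_key_name() {
    case "$1" in
        sha1) echo wanboot-hmac-sha1 ;;
        3des) echo wanboot-3des ;;
        aes)  echo wanboot-aes ;;
        *)    return 1 ;;
    esac
}

# Expected number of hex digits, taken from the guide's sample output.
# The guide shows no AES value, so 0 here means "length not checked".
expected_hex_len() {
    case "$1" in
        sha1) echo 40 ;;
        3des) echo 48 ;;
        *)    echo 0 ;;
    esac
}

# obp_install_command TYPE VALUE
# Prints "set-security-key NAME VALUE" for a well-formed key.
# Returns 2 for an unknown type, 3 for non-hex input, 4 for a wrong length.
obp_install_command() {
    ktype=$1
    kvalue=$2
    kname=$(obp_key_name "$ktype") || {
        echo "unknown key type: $ktype" >&2
        return 2
    }
    case "$kvalue" in
        '' | *[!0-9a-fA-F]*)
            echo "$kname: value is not a hexadecimal string" >&2
            return 3 ;;
    esac
    want=$(expected_hex_len "$ktype")
    if [ "$want" -gt 0 ] && [ "${#kvalue}" -ne "$want" ]; then
        echo "$kname: expected $want hex digits, got ${#kvalue}" >&2
        return 4
    fi
    echo "set-security-key $kname $kvalue"
}

# Sample values are the ones printed in this guide's own examples.
obp_install_command sha1 b482aaab82cb8d5631e16d51478c90079cc1d463
```

Run the check on a host where the key value is already visible, so that the value is not exposed anywhere new.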


Example 41–3 Installing Keys in the Client OBP

The following example shows how to install a hashing key and an encryption key in the client OBP.

Display the key values on the WAN boot server.


# wanbootutil keygen -d -c -o net=192.168.198.0,cid=010003BA152A42,type=sha1
b482aaab82cb8d5631e16d51478c90079cc1d463
# wanbootutil keygen -d -c -o net=192.168.198.0,cid=010003BA152A42,type=3des
9ebc7a57f240e97c9b9401e9d3ae9b292943d3c143d07f04

The previous example uses the following information.

net=192.168.198.0

Specifies the IP address of the client's subnet

cid=010003BA152A42

Specifies the client's ID

b482aaab82cb8d5631e16d51478c90079cc1d463

Specifies the value of the client's HMAC SHA1 hashing key

9ebc7a57f240e97c9b9401e9d3ae9b292943d3c143d07f04

Specifies the value of the client's 3DES encryption key

If you use an AES encryption key in your installation, change wanboot-3des to wanboot-aes to display the encryption key value.

Install the keys on the client system.


ok set-security-key wanboot-hmac-sha1 b482aaab82cb8d5631e16d51478c90079cc1d463
ok set-security-key wanboot-3des 9ebc7a57f240e97c9b9401e9d3ae9b292943d3c143d07f04

The previous commands perform the following tasks.


To Install a Hashing Key and an Encryption Key on a Running Client

If you want to install a hashing key and an encryption key in the OBP of a running client, follow these steps.


Note –

This procedure makes the following assumptions.


  1. Assume the same user role as the web server user on the WAN boot server.

  2. Display the key value for the client keys.


    # wanbootutil keygen -d -c -o net=net-ip,cid=client-ID,type=key-type
    
    net-ip

    The IP address of the client's subnet.

    client-ID

    The ID of the client you want to install. The client ID can be a user-defined ID or the DHCP client ID.

    key-type

    The key type you want to install on the client. Valid key types are 3des, aes, or sha1.

    The hexadecimal value for the key is displayed.

  3. Repeat the previous step for each type of client key you want to install.

  4. Become superuser on the client machine.

  5. Install the necessary keys on the running client machine.


    # /usr/lib/inet/wanboot/ickey -o type=key-type
    > key-value
    
    key-type

    Specifies the key type you want to install on the client. Valid key types are 3des, aes, or sha1.

    key-value

    Specifies the hexadecimal string that is displayed in Step 2.

  6. Repeat the previous step for each type of client key you want to install.

    After you install the keys, you are ready to install the client. See Installing the Client for instructions about how to install the client system.


Example 41–4 Installing Keys in the OBP of a Running Client System

The following example shows how to install keys in the OBP of a running client.

Display the key values on the WAN boot server.


# wanbootutil keygen -d -c -o net=192.168.198.0,cid=010003BA152A42,type=sha1
b482aaab82cb8d5631e16d51478c90079cc1d463
# wanbootutil keygen -d -c -o net=192.168.198.0,cid=010003BA152A42,type=3des
9ebc7a57f240e97c9b9401e9d3ae9b292943d3c143d07f04

The previous example uses the following information.

net=192.168.198.0

Specifies the IP address of the client's subnet

cid=010003BA152A42

Specifies the client's ID

b482aaab82cb8d5631e16d51478c90079cc1d463

Specifies the value of the client's HMAC SHA1 hashing key

9ebc7a57f240e97c9b9401e9d3ae9b292943d3c143d07f04

Specifies the value of the client's 3DES encryption key

If you use an AES encryption key in your installation, change type=3des to type=aes to display the encryption key value.

Install the keys in the OBP of the running client.


# /usr/lib/inet/wanboot/ickey -o type=sha1 b482aaab82cb8d5631e16d51478c90079cc1d463
# /usr/lib/inet/wanboot/ickey -o type=3des 9ebc7a57f240e97c9b9401e9d3ae9b292943d3c143d07f04

The previous commands perform the following tasks.