Creating a Hashing Key and an Encryption Key
If you want to use HTTPS to transmit your data, you must create a HMAC SHA1 hashing key and an encryption key. If you plan to install over a semi-private network, you might not want to encrypt the installation data. You can use a HMAC SHA1 hashing key to check the integrity of the wanboot program. For overview information on hashing keys and encryption keys, see Protecting Data During a WAN Boot Installation.
By using the wanbootutil keygen command, you can generate these keys and store them in the appropriate /etc/netboot directory.
To Create a Hashing Key and Encryption Key
-
Assume the same user role as the web server user on the WAN boot server.
-
Create the master HMAC SHA1 key.
# wanbootutil keygen -m
- keygen -m
-
Creates the master HMAC SHA1 key for the WAN boot server
-
Create the HMAC SHA1 hashing key for the client from the master key.
# wanbootutil keygen -c -o [net=net-ip,{cid=client-ID,}]type=sha1- -c
-
Creates the client's hashing key from the master key.
- -o
-
Indicates that additional options are included for the wanbootutil keygen command.
- (Optional) net=net-ip
-
Specifies the IP address for the client's subnet. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.
- (Optional) cid=client-ID
-
Specifies the client ID. The client ID can be a user-defined ID or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.
- type=sha1
-
Instructs the wanbootutil keygen utility to create a HMAC SHA1 hashing key for the client.
-
Decide if you need to create an encryption key for the client.
You need to create an encryption key to perform a WAN boot installation over HTTPS. Before the client establishes an HTTPS connection with the WAN boot server, the WAN boot server transmits encrypted data and information to the client. The encryption key enables the client to decrypt this information and use this information during the installation.
-
If you are performing a more secure WAN installation over HTTPS with server authentication, continue.
-
If you only want to check the integrity of the wanboot program, you do not need to create an encryption key. Go to Step 6.
-
-
Create an encryption key for the client.
# wanbootutil keygen —c -o [net=net-ip,{cid=client-ID,}]type=key-type- -c
-
Creates the client's encryption key.
- -o
-
Indicates that additional options are included for the wanbootutil keygen command.
- (Optional) net=net-ip
-
Specifies the network IP address for the client. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.
- (Optional) cid=client-ID
-
Specifies the client ID. The client ID can be a user-defined ID, or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.
- type=key-type
-
Instructs the wanbootutil keygen utility to create an encryption key for the client. key-type can have a value of 3des or aes.
-
Install the keys on the client system.
For instructions about how to install keys on the client, see Installing Keys on the Client.
Example 40–3 Creating Required Keys for WAN Boot Installation Over HTTPS
The following example creates a master HMAC SHA1 key for the WAN boot server. This example also creates a HMAC SHA1 hashing key and 3DES encryption key for client 01832AA440 on subnet 192.168.255.0.
# wanbootutil keygen -m # wanbootutil keygen -c -o net=192.168.255.0,cid=010003BA152A42,type=sha1 # wanbootutil keygen -c -o net=192.168.255.0,cid=010003BA152A42,type=3des |
- © 2010, Oracle Corporation and/or its affiliates