The WAN boot server is a web server that provides the boot and configuration data during a WAN boot installation. For a list of the system requirements for the WAN boot server, see Table 42–1.
This section describes the following tasks required to configure the WAN boot server for a WAN boot installation.
To serve the configuration and installation files, you must make these files accessible to the web server software on the WAN boot server. One method to make these files accessible is to store them in the WAN boot server's document root directory.
If you want to use a document root directory to serve the configuration and installation files, you must create this directory. See your web server documentation for information about how to create the document root directory. For detailed information about how to design your document root directory, see Storing Installation and Configuration Files in the Document Root Directory.
WAN boot uses a special Solaris miniroot that has been modified to perform a WAN boot installation. The WAN boot miniroot contains a subset of the software in the Solaris miniroot. To perform a WAN boot installation, you must copy the miniroot from the Solaris DVD or the Solaris Software 1 of 2 CD to the WAN boot server. Use the -w option to the setup_install_server command to copy the WAN boot miniroot from the Solaris software media to your system's hard disk.
This procedure creates a SPARC WAN boot miniroot with SPARC media. If you want to serve a SPARC WAN boot miniroot from an x86–based server, you must create the miniroot on a SPARC machine. After you create the miniroot, copy the miniroot to the document root directory on the x86–based server.
For additional information about the setup_install_server command, see Chapter 15, Preparing to Install From the Network With CD Media (Tasks).
This procedure assumes that the WAN boot server is running the Volume Manager. If you are not using the Volume Manager, see System Administration Guide: Basic Administration for information about managing removable media without the Volume Manager.
Become superuser on the WAN boot server.
The system must meet the following requirements.
Include a CD-ROM or DVD-ROM drive
Be part of the site's network and name service.
If you use a name service, the system must already be in a name service, such as NIS, NIS+, DNS, or LDAP. If you do not use a name service, you must distribute information about this system by following your site's policies.
Insert the Solaris Software 1 of 2 CD or the Solaris DVD in the install server's drive.
Create a directory for the WAN boot miniroot and Solaris installation image.
# mkdir -p wan-dir-path install-dir-path |
Instructs the mkdir command to create all the necessary parent directories for the directory you want to create.
Specifies the directory where the WAN boot miniroot is to be created on the install server. This directory needs to accommodate miniroots that are typically 250 Mbytes in size.
Specifies the directory on the install server where the Solaris software image is to be copied. This directory can be removed later in this procedure.
Change to the Tools directory on the mounted disc.
# cd /cdrom/cdrom0/s0/Solaris_9/Tools |
In the previous example, cdrom0 is the path to the drive that contains the Solaris operating environment media.
Copy the WAN boot miniroot and the Solaris software image to the WAN boot server's hard disk.
# ./setup_install_server -w wan-dir-path install-dir-path |
Specifies the directory where the WAN boot miniroot is to be copied
Specifies the directory where the Solaris software image is to be copied
The setup_install_server command indicates whether you have enough disk space available for the Solaris Software disc images. To determine available disk space, use the df -kl command.
The setup_install_server -w command creates the WAN boot miniroot and a network installation image of the Solaris software.
(Optional) Remove the network installation image.
You do not need the Solaris software image to perform a WAN installation with a Solaris Flash archive. You can free up disk space if you do not plan to use the network installation image for other network installations. Type the following command to remove the network installation image.
# rm -rf install-dir-path |
Make the WAN boot miniroot available to the WAN boot server in one of the following ways.
Create a symbolic link to the WAN boot miniroot in the document root directory of the WAN boot server.
# cd /document-root-directory/miniroot # ln -s /wan-dir-path/miniroot . |
Specifies the directory in the WAN boot server's document root directory where you want to link to the WAN boot miniroot
Specifies the path to the WAN boot miniroot
Move the WAN boot miniroot to the document root directory on the WAN boot server.
# mv /wan-dir-path/miniroot /document-root-directory/miniroot/miniroot-name |
Specifies the path to the WAN boot miniroot.
Specifies the path to the WAN boot miniroot directory in the WAN boot server's document root directory.
Specifies the name of the WAN boot miniroot. Name the file descriptively, for example miniroot.s9_sparc.
WAN boot uses a special second-level boot program (wanboot) to install the client. The wanboot program loads the WAN boot miniroot, client configuration files, and installation files that are required to perform a WAN boot installation.
To perform a WAN boot installation, you must provide the wanboot program to the client during the installation. You can provide this program to the client in the following ways.
If your client's PROM supports WAN boot, you can transmit the program from the WAN boot server to the client. To check if your client's PROM supports WAN boot, see Checking the Client OBP for WAN Boot Support.
If your client's PROM does not support WAN boot, you must provide the program to the client on a local CD. If your client's PROM does not support WAN boot, go to Creating the /etc/netboot Hierarchy on the WAN Boot Server to continue preparing for your installation.
This procedure assumes that the WAN boot server is running the Volume Manager. If you are not using the Volume Manager, see System Administration Guide: Basic Administration for information about managing removable media without the Volume Manager.
Become superuser on the install server.
Insert the Solaris Software 1 of 2 CD or the Solaris DVD in the install server's drive.
Change to the sun4u platform directory on the Solaris Software 1 of 2 CD or the Solaris DVD.
# cd /cdrom/cdrom0/s0/Solaris_9/Tools/Boot/platform/sun4u/ |
Copy the wanboot program to the install server.
# cp wanboot /document-root-directory/wanboot/wanboot-name |
Specifies the document root directory of the WAN boot server.
Specifies the name of the wanboot program. Name this file descriptively, for example, wanboot.s9_sparc.
Make the wanboot program available to the WAN boot server in one of the following ways.
Create a symbolic link to the wanboot program in the document root directory of the WAN boot server.
# cd /document-root-directory/wanboot # ln -s /wan-dir-path/wanboot . |
Specifies the directory in the WAN boot server's document root directory where you want to link to the wanboot program
Specifies the path to the wanboot program
Move the WAN boot miniroot to the document root directory on the WAN boot server.
# mv /wan-dir-path/wanboot /document-root-directory/wanboot/wanboot-name |
Specifies the path to the wanboot program
Specifies the path to the wanboot program directory in the WAN boot server's document root directory.
Specifies the name of the wanboot program. Name the file descriptively, for example wanboot.s9_sparc.
During the installation, WAN boot refers to the contents of the /etc/netboot hierarchy on the web server for instructions about how to perform the installation. This directory contains the configuration information, private key, digital certificate, and certificate authority required for a WAN boot installation. During the installation, the wanboot-cgi program converts this information into the WAN boot file system. The wanboot-cgi program then transmits the WAN boot file system to the client.
You can create subdirectories within the /etc/netboot directory to customize the scope of the WAN installation. Use the following directory structures to define how configuration information is shared among the clients that you want to install.
Global configuration – If you want all the clients on your network to share configuration information, store the files that you want to share in the /etc/netboot directory.
Network-specific configuration – If you want only those machines on a specific subnet to share configuration information, store the configuration files that you want to share in a subdirectory of /etc/netboot. Have the subdirectory follow this naming convention.
/etc/netboot/net-ip |
In this example, net-ip is the IP address of the client's subnet.
Client-specific configuration – If you want only a specific client to use the boot file system, store the boot file system files in a subdirectory of /etc/netboot. Have the subdirectory follow this naming convention.
/etc/netboot/net-ip/client-ID |
In this example, net-ip is the IP address of the subnet. client-ID is either the client ID that is assigned by the DHCP server, or a user-specified client ID.
For detailed planning information about how to design the /etc/netboot hierarchy, see Storing Configuration and Security Information in the /etc/netboot Hierarchy.
Become superuser on the WAN boot server.
Create the /etc/netboot directory.
# mkdir /etc/netboot |
Change the permissions of the /etc/netboot directory to 700.
# chmod 700 /etc/netboot |
Change the owner of the /etc/netboot directory to the web server owner.
# chown web-server-user:web-server-group /etc/netboot/ |
Specifies the user owner of the web server process
Specifies the group owner of the web server process
Exit the superuser role.
# exit |
Assume the user role of the web server owner.
Create the client subdirectory of the /etc/netboot directory.
# mkdir -p /etc/netboot/net-ip/client-ID |
Instructs the mkdir command to create all the necessary parent directories for the directory you want to create
Specifies the network IP address of the client's subnet.
Specifies the client ID. The client ID can be a user-defined value or the DHCP client ID. The client-ID directory must be a subdirectory of the net-ip directory.
For each directory in the /etc/netboot hierarchy, change the permissions to 700.
# chmod 700 /etc/netboot/dir-name |
Specifies the name of a directory in the /etc/netboot hierarchy
The following example shows how to create the /etc/netboot hierarchy for the client 010003BA152A42 on subnet 192.168.255.0. In this example, the user nobody and the group admin own the web server process.
The commands in this example perform the following tasks.
Create the /etc/netboot directory.
Change the permissions of the /etc/netboot directory to 700.
Change the ownership of the /etc/netboot directory to the owner of the web server process.
Assume the same user role as the web server user.
Create a subdirectory of /etc/netboot that is named after the subnet (192.168.255.0).
Create a subdirectory of the subnet directory that is named after the client ID.
Change the permissions of the /etc/netboot subdirectories to 700.
# cd / # mkdir /etc/netboot/ # chmod 700 /etc/netboot # chown nobody:admin /etc/netboot # exit server# su nobody Password: nobody# mkdir -p /etc/netboot/192.168.255.0/010003BA152A42 nobody# chmod 700 /etc/netboot/192.168.255.0 nobody# chmod 700 /etc/netboot/192.168.255.0/010003BA152A42 |
The wanboot-cgi program creates the data streams that transmit the the following files from the WAN boot server to the client.
wanboot program
WAN boot file system
WAN boot miniroot
The wanboot-cgi program is installed on the system when you install the Solaris 9 12/03 operating environment. To enable the WAN boot server to use this program, copy this program to the cgi-bin directory of the WAN boot server.
Become superuser on the WAN boot server.
Copy the wanboot-cgi program to the WAN boot server.
# cp /usr/lib/inet/wanboot/wanboot-cgi /WAN-server-root/cgi-bin/wanboot-cgi |
Specifies the root directory of the web server software on the WAN boot server
On the WAN boot server, change the permissions of the CGI program to 755.
# chmod 755 /WAN-server-root/cgi-bin/wanboot-cgi |
If you want to record boot and installation logging messages on a system other than the client, you must set up a logging server. If you want to use a logging server with HTTPS during the installation, you must configure the WAN boot server as the logging server.
To configure the logging server, follow these steps.
Copy the bootlog-cgi script to the logging server's CGI script directory.
# cp /usr/lib/inet/wanboot/bootlog-cgi \ log-server-root/cgi-bin |
Specifies the cgi-bin directory in the logging server's web server directory
Change the permissions of the bootlog-cgi script to 755.
# chmod 755 log-server-root/cgi-bin/bootlog-cgi |
Set the value of the boot_logger parameter in the wanboot.conf file.
In the wanboot.conf file, specify the URL of the bootlog-cgi script on the logging server.
For more information about setting parameters in the wanboot.conf file, see Creating the wanboot.conf File.
During the installation, boot and installation log messages are recorded in the /tmp directory of the logging server. The log file is named bootlog.hostname, where hostname is the host name of the client.
The following example configures the WAN boot server as a logging server.
# cp /usr/lib/inet/wanboot/bootlog-cgi /opt/apache/cgi-bin/ # chmod 755 /opt/apache/cgi-bin/bootlog-cgi |
To protect your data during the transfer from the WAN boot server to the client, you can use HTTP over Secure Sockets Layer (HTTPS). To use the more secure installation configuration that is described in Secure WAN Boot Installation Configuration, you must enable your web server to use HTTPS.
To enable the web server software on the WAN boot server to use HTTPS, you must perform the following tasks.
Activate Secure Sockets Layer (SSL) support in your web server software.
The processes for enabling SSL support and client authentication vary by web server. This document does not describe how to enable these security features on your web server. For information about these features, see the following documentation.
For information about activating SSL on the SunONE and iPlanet web servers, see the Sun ONE and iPlanet documentation collections on http://docs.sun.com.
For information about activating SSL on the Apache web server, see the Apache Documentation Project at http://httpd.apache.org/docs-project/.
If you are using web server software that is not listed in the previous list, see your web server software documentation.
Install digital certificates on the WAN boot server.
For information about using digital certificates with WAN boot, see Using Digital Certificates for Server and Client Authentication.
Provide a trusted certificate to the client.
For instructions about how to create a trusted certificate, see Using Digital Certificates for Server and Client Authentication.
Create a hashing key and an encryption key.
For instructions about how to create keys, see Creating a Hashing Key and an Encryption Key.
(Optional) Configure the web server software to support client authentication.
For information about how to configure your web server to support client authentication, see your web server documentation.
The WAN boot installation method can use PKCS#12 files to perform an installation over HTTPS with server or both client and server authentication. For requirements and guidelines about using PKCS#12 files, see Digital Certificate Requirements.
To use a PKCS#12 file in a WAN boot installation, you perform the following tasks.
Split the PKCS#12 file into separate SSL private key and trusted certificate files.
Insert the trusted certificate in the client's truststore file in the /etc/netboot hierarchy. The trusted certificate instructs the client to trust the server.
(Optional) Insert the contents of the SSL private key file in the client's keystore file in the /etc/netboot hierarchy.
The wanbootutil command provides options to perform the tasks in the previous list.
Before you split a PKCS#12 file, create the appropriate subdirectories of the /etc/netboot hierarchy on the WAN boot server.
For overview information that describes the /etc/netboot hierarchy, see Storing Configuration and Security Information in the /etc/netboot Hierarchy.
For instructions about how to create the /etc/netboot hierarchy, see Creating the /etc/netboot Hierarchy on the WAN Boot Server.
Assume the same user role as the web server user on the WAN boot server.
Extract the trusted certificate from the PKCS#12 file. Insert the certificate in the client's truststore file in the /etc/netboot hierarchy.
# wanbootutil p12split -i p12cert \ -t /etc/netboot/net-ip/client-ID/truststore |
Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.
Specifies the name of the PKCS#12 file to split.
Inserts the certificate in the client's truststore file. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.
(Optional) Decide if you want to require client authentication.
If yes, continue with the following steps.
If no, go to Creating a Hashing Key and an Encryption Key.
Insert the client certificate in the client's certstore.
# wanbootutil p12split -i p12cert -c \ /etc/netboot/net-ip/client-ID/certstore -k keyfile |
Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.
Specifies the name of the PKCS#12 file to split.
Inserts the client's certificate in the client's certstore. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.
Specifies the name of the client's SSL private key file to create from the split PKCS#12 file.
Insert the private key in the client's keystore.
# wanbootutil keymgmt -i -k keyfile \ -s /etc/netboot/net-ip/client-ID/keystore -o type=rsa |
Inserts an SSL private key in the client's keystore
Specifies the name of the client's private key file that was created in the previous step
Specifies the path to the client's keystore
Specifies the key type as RSA
In the following example, you use a PKCS#12 file to install client 010003BA152A42 on subnet 192.168.255.0. This command sample extracts a certificate from a PKCS#12 file that is named client.p12. The command then places the contents of the trusted certificate in the client's truststore file.
Before you execute these commands, you must first assume the same user role as the web server user. In this example, the web server user role is nobody.
server# su nobody Password: nobody# wanbootutil p12split -i client.p12 \ -t /etc/netboot/192.168.255.0/010003BA152A42/truststore nobody# chmod 600 /etc/netboot/192.168.255.0/010003BA152A42/truststore |
If you want to use HTTPS to transmit your data, you must create a HMAC SHA1 hashing key and an encryption key. If you plan to install over a semi-private network, you might not want to encrypt the installation data. You can use a HMAC SHA1 hashing key to check the integrity of the wanboot program. For overview information on hashing keys and encryption keys, see Protecting Data During a WAN Boot Installation.
By using the wanbootutil keygen command, you can generate these keys and store them in the appropriate /etc/netboot directory.
Assume the same user role as the web server user on the WAN boot server.
Create the master HMAC SHA1 key.
# wanbootutil keygen -m |
Creates the master HMAC SHA1 key for the WAN boot server
Create the HMAC SHA1 hashing key for the client from the master key.
# wanbootutil keygen -c -o [net=net-ip,{cid=client-ID,}]type=sha1 |
Creates the client's hashing key from the master key.
Indicates that additional options are included for the wanbootutil keygen command.
Specifies the IP address for the client's subnet. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.
Specifies the client ID. The client ID can be a user-defined ID or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.
Instructs the wanbootutil keygen utility to create a HMAC SHA1 hashing key for the client.
Decide if you need to create an encryption key for the client.
You need to create an encryption key to perform a WAN boot installation over HTTPS. Before the client establishes an HTTPS connection with the WAN boot server, the WAN boot server transmits encrypted data and information to the client. The encryption key enables the client to decrypt this information and use this information during the installation.
If you are performing a more secure WAN installation over HTTPS with server authentication, continue.
If you only want to check the integrity of the wanboot program, you do not need to create an encryption key. Go to Step 6.
Create an encryption key for the client.
# wanbootutil keygen -c -o [net=net-ip,{cid=client-ID,}]type=key-type |
Creates the client's encryption key.
Indicates that additional options are included for the wanbootutil keygen command.
Specifies the network IP address for the client. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.
Specifies the client ID. The client ID can be a user-defined ID, or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.
Instructs the wanbootutil keygen utility to create an encryption key for the client. key-type can have a value of 3des or aes.
Install the keys on the client system.
For instructions about how to install keys on the client, see Installing Keys on the Client.
The following example creates a master HMAC SHA1 key for the WAN boot server. This example also creates a HMAC SHA1 hashing key and 3DES encryption key for client 010003BA152A42 on subnet 192.168.255.0.
Before you execute these commands, you must first assume the same user role as the web server user. In this example, the web server user role is nobody.
server# su nobody Password: nobody# wanbootutil keygen -m nobody# wanbootutil keygen -c -o net=192.168.255.0,cid=010003BA152A42,type=sha1 nobody# wanbootutil keygen -c -o net=192.168.255.0,cid=010003BA152A42,type=3des |