Skip Navigation Links | |
Exit Print View | |
Oracle Solaris 10 1/13 Installation Guide: Network-Based Installations Oracle Solaris 10 1/13 Information Library |
Part I Planning to Install Over the Network
1. Where to Find Oracle Solaris Installation Planning Information
2. Preconfiguring System Configuration Information (Tasks)
3. Preconfiguring With a Naming Service or DHCP
Part II Installing Over a Local Area Network
4. Installing From the Network (Overview)
5. Installing From the Network With DVD Media (Tasks)
6. Installing From the Network With CD Media (Tasks)
7. Patching the Miniroot Image (Tasks)
8. Installing Over the Network (Examples)
9. Installing From the Network (Command Reference)
Part III Installing Over a Wide Area Network
11. Preparing to Install With WAN Boot (Planning)
12. Installing With WAN Boot (Tasks)
Installing Over a Wide Area Network (Task Maps)
Configuring the WAN Boot Server
Creating the Document Root Directory
Creating the WAN Boot Miniroot
SPARC: How to Create a WAN Boot Miniroot
Verifying WAN Boot Support on the Client
How to Check the Client OBP for WAN Boot Support
Installing the wanboot Program on the WAN Boot Server
SPARC: How to Install the wanboot Program on the WAN Boot Server
Creating the /etc/netboot Hierarchy on the WAN Boot Server
How to Create the /etc/netboot Hierarchy on the WAN Boot Server
Copying the WAN Boot CGI Program to the WAN Boot Server
How to Copy the wanboot-cgi Program to the WAN Boot Server
How to Configure the WAN Boot Logging Server
Creating the JumpStart Installation Files
How to Create the Flash Archive
How to Create the sysidcfg File
How to Create the JumpStart Profile
How to Create the JumpStart rules File
Creating Begin and Finish Scripts
Creating the Configuration Files
How to Create the System Configuration File
How to Create the wanboot.conf File
Providing Configuration Information With a DHCP Server
13. SPARC: Installing With WAN Boot (Tasks)
14. SPARC: Installing With WAN Boot (Examples)
To protect your data during the transfer from the WAN boot server to the client, you can use HTTP over Secure Sockets Layer (HTTPS). To use the more secure installation configuration that is described in Secure WAN Boot Installation Configuration, you must enable your web server to use HTTPS.
If you do not want to perform a secure WAN boot, skip the procedures in this section. To continue preparing for your less secure installation, see Creating the JumpStart Installation Files.
To enable the web server software on the WAN boot server to use HTTPS, you must perform the following tasks.
Activate Secure Sockets Layer (SSL) support in your web server software.
The processes for enabling SSL support and client authentication vary by web server. This document does not describe how to enable these security features on your web server. For information about these features, see your web server documentation. For information about activating SSL on the Apache web server, see the Apache Documentation Project at http://httpd.apache.org/docs-project/.
Install digital certificates on the WAN boot server.
For information about using digital certificates with WAN boot, see How to Use Digital Certificates for Server and Client Authentication.
Provide a trusted certificate to the client.
For instructions about how to create a trusted certificate, see How to Use Digital Certificates for Server and Client Authentication.
Create a hashing key and an encryption key.
For instructions about how to create keys, see How to Create a Hashing Key and an Encryption Key.
(Optional) Configure the web server software to support client authentication.
For information about how to configure your web server to support client authentication, see your web server documentation.
This section describes how to use digital certificates and keys in your WAN boot installation.
The WAN boot installation method can use PKCS#12 files to perform an installation over HTTPS with server or both client and server authentication. For requirements and guidelines about using PKCS#12 files, see Digital Certificate Requirements.
If you do not want to perform a secure WAN boot, skip to Creating the JumpStart Installation Files.
Before You Begin
Before you split a PKCS#12 file, create the appropriate subdirectories of the /etc/netboot hierarchy on the WAN boot server.
For overview information that describes the /etc/netboot hierarchy, see Storing Configuration and Security Information in the /etc/netboot Hierarchy.
For instructions about how to create the /etc/netboot hierarchy, see Creating the /etc/netboot Hierarchy on the WAN Boot Server.
# wanbootutil p12split -i p12cert \ -t /etc/netboot/net-IP/client-ID/truststore
Splits a PKCS#12 file into separate private key and certificate files.
Specifies the name of the PKCS#12 file to split.
Inserts the certificate in the client's truststore file. net-IP is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.
Insert the client certificate in the client's certstore.
# wanbootutil p12split -i p12cert -c \ /etc/netboot/net-IP/client-ID/certstore -k keyfile
Specifies the name of the PKCS#12 file to split.
Inserts the client's certificate in the client's certstore. net-IP is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.
Specifies the name of the client's SSL private key file to create from the split PKCS#12 file.
Insert the private key in the client's keystore.
# wanbootutil keymgmt -i -k keyfile \ -s /etc/netboot/net-IP/client-ID/keystore -o type=rsa
Example 12-4 Creating a Trusted Certificate for Server Authentication
In the following example, you use a PKCS#12 file to install client 010003BA152A42 on subnet 192.168.198.0. This command sample extracts a certificate from a PKCS#12 file that is named client.p12. The command then places the contents of the trusted certificate in the client's truststore file.
Before you execute these commands, you must first assume the same user role as the web server user. In this example, the web server user role is nobody.
server# su nobody Password: nobody# wanbootutil p12split -i client.p12 \ -t /etc/netboot/192.168.198.0/010003BA152A42/truststore nobody# chmod 600 /etc/netboot/192.168.198.0/010003BA152A42/truststore
Next Steps
After you create a digital certificate, create a hashing key and an encryption key. For instructions, seeHow to Create a Hashing Key and an Encryption Key.
See Also
For more information about how to create trusted certificates, see the wanbootutil(1M) man page.
If you want to use HTTPS to transmit your data, you must create a HMAC SHA1 hashing key and an encryption key. If you plan to install over a semi—private network, you might not want to encrypt the installation data. You can use a HMAC SHA1 hashing key to check the integrity of the wanboot program.
If you do not want to perform a secure WAN boot, skip to Creating the JumpStart Installation Files.
# wanbootutil keygen -m
# wanbootutil keygen -c -o [net=net-IP,{cid=client-ID,}]type=sha1
Creates the client's hashing key from the master key.
Indicates that additional options are included for the wanbootutil keygen command.
Specifies the IP address for the client's subnet. If you do not use the net option, the key is stored in the /etc/netboot/keystore file and can be used by all WAN boot clients.
Specifies the client ID. The client ID can be a user-defined ID or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-IP/keystore file. This key can be used by all WAN boot clients on the net-IP subnet.
Instructs the wanbootutil keygen utility to create a HMAC SHA1 hashing key for the client.
You need to create an encryption key to perform a WAN boot installation over HTTPS. Before the client establishes an HTTPS connection with the WAN boot server, the WAN boot server transmits encrypted data and information to the client. The encryption key enables the client to decrypt this information and use this information during the installation.
If you only want to check the integrity of the wanboot program, you do not need to create an encryption key. SeeInstalling Keys on the Client.
# wanbootutil keygen -c -o [net=net-IP,{cid=client-ID,}]type=key-type
Creates the client's encryption key.
Indicates that additional options are included for the wanbootutil keygen command.
Specifies the network IP address for the client. If you do not use the net option, the key is stored in the /etc/netboot/keystore file and can be used by all WAN boot clients.
Specifies the client ID. The client ID can be a user-defined ID, or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.
Instructs the wanbootutil keygen utility to create an encryption key for the client. key-type can have a value of 3des or aes.
Example 12-5 Creating Required Keys for WAN Boot Installation Over HTTPS
The following example creates a master HMAC SHA1 key for the WAN boot server. This example also creates a HMAC SHA1 hashing key and 3DES encryption key for client 010003BA152A42 on subnet 192.168.198.0.
Before you execute these commands, you must first assume the same user role as the web server user. In this example, the web server user role is nobody.
server# su nobody Password: nobody# wanbootutil keygen -m nobody# wanbootutil keygen -c -o net=192.168.198.0,cid=010003BA152A42,type=sha1 nobody# wanbootutil keygen -c -o net=192.168.198.0,cid=010003BA152A42,type=3des
Next Steps
After you create a hashing and an encryption key, you must create the installation files. For instructions, see Creating the JumpStart Installation Files
For instructions about how to install keys on the client, see Installing Keys on the Client.
See Also
For overview information about hashing keys and encryption keys, see Protecting Data During a WAN Boot Installation.
For more information about how to create hashing and encryption keys, see the wanbootutil(1M) man page.