
Example 43-3 Creating a Trusted Certificate for Server Authentication

In the following example, you use a PKCS#12 file to install client 010003BA152A42 on subnet 192.168.255.0. This command sample extracts a certificate from a PKCS#12 file that is named client.p12. The command then places the contents of the trusted certificate in the client's truststore file.

Before you execute these commands, you must first assume the same user role as the web server user. In this example, the web server user role is nobody.

server# su nobody
Password:
nobody# wanbootutil p12split -i client.p12 \
   -t /etc/netboot/192.168.255.0/010003BA152A42/truststore
nobody# chmod 600 /etc/netboot/192.168.255.0/010003BA152A42/truststore

Creating a Hashing Key and an Encryption Key

If you want to use HTTPS to transmit your data, you must create an HMAC SHA1 hashing key and an encryption key. If you plan to install over a semi-private network, you might not want to encrypt the installation data. You can use an HMAC SHA1 hashing key to check the integrity of the wanboot program. For overview information on hashing keys and encryption keys, see Protecting Data During a WAN Boot Installation.

By using the wanbootutil keygen command, you can generate these keys and store them in the appropriate /etc/netboot directory.

Procedure: To Create a Hashing Key and Encryption Key

  1. Assume the same user role as the web server user on the WAN boot server.

  2. Create the master HMAC SHA1 key.

    # wanbootutil keygen -m

    keygen -m

    Creates the master HMAC SHA1 key for the WAN boot server

  3. Create the HMAC SHA1 hashing key for the client from the master key.

    # wanbootutil keygen -c -o [net=net-ip,{cid=client-ID,}]type=sha1

    -c

    Creates the client's hashing key from the master key.

    -o

    Indicates that additional options are included for the wanbootutil keygen command.

    (Optional) net=net-ip

    Specifies the IP address for the client's subnet. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.

    (Optional) cid=client-ID

    Specifies the client ID. The client ID can be a user-defined ID or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.

    type=sha1

    Instructs the wanbootutil keygen utility to create an HMAC SHA1 hashing key for the client.

  4. Decide if you need to create an encryption key for the client.

    You need to create an encryption key to perform a WAN boot installation over HTTPS. Before the client establishes an HTTPS connection with the WAN boot server, the WAN boot server transmits encrypted data and information to the client. The encryption key enables the client to decrypt this information and use this information during the installation.

    • If you are performing a more secure WAN installation over HTTPS with server authentication, continue.

    • If you only want to check the integrity of the wanboot program, you do not need to create an encryption key. Go to Step 6.

  5. Create an encryption key for the client.

    # wanbootutil keygen -c -o [net=net-ip,{cid=client-ID,}]type=key-type

    -c

    Creates the client's encryption key.

    -o

    Indicates that additional options are included for the wanbootutil keygen command.

    (Optional) net=net-ip

    Specifies the network IP address for the client. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.

    (Optional) cid=client-ID

    Specifies the client ID. The client ID can be a user-defined ID, or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.

    type=key-type

    Instructs the wanbootutil keygen utility to create an encryption key for the client. key-type can have a value of 3des or aes.

  6. Install the keys on the client system.

    For instructions about how to install keys on the client, see Installing Keys on the Client.

Example 43-4 Creating Required Keys for WAN Boot Installation Over HTTPS

The following example creates a master HMAC SHA1 key for the WAN boot server. This example also creates an HMAC SHA1 hashing key and a 3DES encryption key for client 010003BA152A42 on subnet 192.168.255.0.

Before you execute these commands, you must first assume the same user role as the web server user. In this example, the web server user role is nobody.

server# su nobody
Password:
nobody# wanbootutil keygen -m
nobody# wanbootutil keygen -c -o net=192.168.255.0,cid=010003BA152A42,type=sha1
nobody# wanbootutil keygen -c -o net=192.168.255.0,cid=010003BA152A42,type=3des
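The key-placement rules in the procedure above (no net= means a server-wide key, net= alone means a subnet key, cid= requires net=) are easy to get wrong on a busy WAN boot server. The following added example, which is not part of the Solaris documentation or the wanbootutil utility, resolves where a given -o option string will place the key and checks that a key or trust store has the 0600 mode the truststore example sets. It assumes that a net= plus cid= key lands in /etc/netboot/net-ip/client-ID/keystore, following the same directory layout the truststore example uses.

```shell
# Added example (not Sun's code): apply the wanbootutil keygen -o placement
# rules from the procedure above. NETBOOT_ROOT is assumed to be /etc/netboot.
NETBOOT_ROOT="${NETBOOT_ROOT:-/etc/netboot}"

# wanboot_keystore_path "net=192.168.255.0,cid=010003BA152A42,type=sha1"
# Prints the keystore path the options select; returns 1 on an invalid string.
wanboot_keystore_path() {
    opts=$1
    net=""; cid=""; type=""
    old_ifs=$IFS; IFS=','          # split the comma-separated key=value list
    for kv in $opts; do
        case $kv in
            net=*)  net=${kv#net=} ;;
            cid=*)  cid=${kv#cid=} ;;
            type=*) type=${kv#type=} ;;
            *) IFS=$old_ifs; echo "unknown option: $kv" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    # type= is required and must be one of the key types the page lists.
    case $type in
        sha1|3des|aes) ;;
        *) echo "type must be sha1, 3des or aes" >&2; return 1 ;;
    esac
    # The cid option must be preceded by a valid net= value.
    if [ -n "$cid" ] && [ -z "$net" ]; then
        echo "cid= requires net=" >&2; return 1
    fi
    if [ -z "$net" ]; then
        printf '%s/keystore\n' "$NETBOOT_ROOT"             # all WAN boot clients
    elif [ -z "$cid" ]; then
        printf '%s/%s/keystore\n' "$NETBOOT_ROOT" "$net"   # all clients on the subnet
    else
        printf '%s/%s/%s/keystore\n' "$NETBOOT_ROOT" "$net" "$cid"  # assumed layout
    fi
}

# check_store_mode /path/to/keystore
# Succeeds only if the store is readable and writable by its owner alone (0600),
# the mode the truststore example above sets with chmod 600.
check_store_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    [ "$mode" = "600" ]
}
```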

Creating the Custom JumpStart Installation Files

WAN boot performs a custom JumpStart installation to install a Solaris Flash archive on the client. The custom JumpStart installation method is a command-line interface that enables you to automatically install several systems, based on profiles that you create. The profiles define specific software installation requirements. You can also incorporate shell scripts to include preinstallation and postinstallation tasks. You choose which profile and scripts to use for installation or upgrade. The custom JumpStart installation method installs or upgrades the system, based on the profile and scripts that you select. Also, you can use a sysidcfg file to specify configuration information so that the custom JumpStart installation is completely free of manual intervention.

To prepare the custom JumpStart files for a WAN boot installation, complete the following tasks.

For detailed information on the custom JumpStart installation method, see Chapter 25, Custom JumpStart (Overview).

Creating the Solaris Flash Archive

The Solaris Flash installation feature enables you to use a single reference installation of the Solaris operating environment on a system, which is called the master system. You can then create a Solaris Flash archive, which is a replica image of the master system. You can install the Solaris Flash archive on other systems in the network, creating clone systems.

This section describes how to create a Solaris Flash archive to use in your WAN boot installation. Before you create a Solaris Flash archive, you must first install the master system.

Procedure: To Create a Solaris Flash Archive

For detailed instructions about how to create a Solaris Flash archive, see Creating a Solaris Flash Archive.

  1. Boot the master system.

    Run the master system in as inactive a state as possible. When possible, run the system in single-user mode. If that is not possible, shut down any applications that you want to archive and any applications that require extensive operating system resources.

  2. To create the archive, use the flar create command.

    # flar create -n name [optional-parameters] document-root/flash/filename

    name

    The name that you give the archive. The name you specify is the value of the content_name keyword.

    optional-parameters

    You can use several options to the flar create command to customize your Solaris Flash archive. For detailed descriptions of these options, see Chapter 23, Solaris Flash (Reference).

    document-root/flash

    The path to the Solaris Flash subdirectory of the install server's document root directory.

    filename

    The name of the archive file.

    To conserve disk space, you might want to use the -c option to the flar create command to compress the archive. However, a compressed archive can affect the performance of your WAN boot installation. For more information about creating a compressed archive, see the man page flar create(1M).

    • If the archive creation is successful, the flar create command returns an exit code of 0.

    • If the archive creation fails, the flar create command returns a nonzero exit code.
