(Optional) Protecting Data by Using HTTPS
To protect your data during the transfer from the WAN boot server
to the client, you can use HTTP over Secure Sockets Layer (HTTPS). To
use the more secure installation configuration that is described in Secure WAN Boot Installation Configuration, you must enable
your web server to use HTTPS.
If you do not want to perform a secure WAN boot, skip
the procedures in this section. To continue preparing for your less secure installation, see
Creating the Custom JumpStart Installation Files.
To enable the web server software on the WAN boot server to
use HTTPS, you must perform the following tasks.
Activate Secure Sockets Layer (SSL) support in your web server software.
The processes for enabling SSL support and client authentication vary by web server. This document does not describe how to enable these security features on your web server. For information about these features, see the following documentation.
For information about activating SSL on the SunONE and iPlanet web servers, see the SunONE and iPlanet documentation collections on https://docs.sun.com.
For information about activating SSL on the Apache web server, see the Apache Documentation Project at https://httpd.apache.org/docs-project/.
If you are using web server software that is not listed in the previous list, see your web server software documentation.
Install digital certificates on the WAN boot server.
For information about using digital certificates with WAN boot, see (Optional) To Use Digital Certificates for Server and Client Authentication.
Provide a trusted certificate to the client.
For instructions about how to create a trusted certificate, see (Optional) To Use Digital Certificates for Server and Client Authentication.
Create a hashing key and an encryption key.
For instructions about how to create keys, see (Optional) To Create a Hashing Key and an Encryption Key.
(Optional) Configure the web server software to support client authentication.
For information about how to configure your web server to support client authentication, see your web server documentation.
This section describes how to use digital certificates and keys in your WAN
boot installation.
(Optional) To Use Digital Certificates for Server and Client Authentication
The WAN boot installation method can use PKCS#12 files to perform an installation
over HTTPS with server or both client and server authentication. For requirements and
guidelines about using PKCS#12 files, see Digital Certificate Requirements.
To use a PKCS#12 file in a WAN boot installation, you perform
the following tasks.
Split the PKCS#12 file into separate SSL private key and trusted certificate files.
Insert the trusted certificate in the client's truststore file in the /etc/netboot hierarchy. The trusted certificate instructs the client to trust the server.
(Optional) Insert the contents of the SSL private key file in the client's keystore file in the /etc/netboot hierarchy.
The wanbootutil command provides options to perform the tasks in the previous list.
If you do not want to perform a secure WAN boot, skip
this procedure. To continue preparing for your less secure installation, see Creating the Custom JumpStart Installation Files.
Follow these steps to create a trusted certificate and a client private key.
Before You Begin
Before you split a PKCS#12 file, create the appropriate subdirectories of the /etc/netboot
hierarchy on the WAN boot server.
- Assume the same user role as the web server user on the
WAN boot server.
- Extract the trusted certificate from the PKCS#12 file. Insert the certificate in the
client's truststore file in the /etc/netboot hierarchy.
# wanbootutil p12split -i p12cert \
-t /etc/netboot/net-ip/client-ID/truststore
- p12split
Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.
- -i p12cert
Specifies the name of the PKCS#12 file to split.
- -t /etc/netboot/net-ip/client-ID/truststore
Inserts the certificate in the client's truststore file. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.
- (Optional) Decide if you want to require client authentication.
- If no, go to (Optional) To Create a Hashing Key and an Encryption Key.
- If yes, continue with the following steps.
- Insert the client certificate in the client's certstore.
# wanbootutil p12split -i p12cert -c \
/etc/netboot/net-ip/client-ID/certstore -k keyfile
- p12split
Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.
- -i p12cert
Specifies the name of the PKCS#12 file to split.
- -c /etc/netboot/net-ip/client-ID/certstore
Inserts the client's certificate in the client's certstore. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.
- -k keyfile
Specifies the name of the client's SSL private key file to create from the split PKCS#12 file.
- Insert the private key in the client's keystore.
# wanbootutil keymgmt -i -k keyfile \
-s /etc/netboot/net-ip/client-ID/keystore -o type=rsa
- keymgmt -i
Inserts an SSL private key in the client's keystore
- -k keyfile
Specifies the name of the client's private key file that was created in the previous step
- -s /etc/netboot/net-ip/client-ID/keystore
Specifies the path to the client's keystore
- -o type=rsa
Specifies the key type as RSA
Example 11-6 Creating a Trusted Certificate for Server Authentication
In the following example, you use a PKCS#12 file to install client
010003BA152A42 on subnet 192.168.198.0. This command sample extracts a certificate from a PKCS#12 file
that is named client.p12. The command then places the contents of the trusted
certificate in the client's truststore file.
Before you execute these commands, you must first assume the same user role
as the web server user. In this example, the web server user
role is nobody.
server# su nobody
Password:
nobody# wanbootutil p12split -i client.p12 \
-t /etc/netboot/192.168.198.0/010003BA152A42/truststore
nobody# chmod 600 /etc/netboot/192.168.198.0/010003BA152A42/truststore
More Information
Continuing the WAN Boot Installation
After you create a digital certificate, create a hashing key and an encryption
key. For instructions, see(Optional) To Create a Hashing Key and an Encryption Key.
See Also
For more information about how to create trusted certificates, see the man page
wanbootutil(1M).
(Optional) To Create a Hashing Key and an Encryption Key
If you want to use HTTPS to transmit your data, you must
create a HMAC SHA1 hashing key and an encryption key. If you plan
to install over a semi-private network, you might not want to encrypt the
installation data. You can use a HMAC SHA1 hashing key to check the
integrity of the wanboot program.
By using the wanbootutil keygen command, you can generate these keys and store them
in the appropriate /etc/netboot directory.
If you do not want to perform a secure WAN boot, skip
this procedure. To continue preparing for your less secure installation, see Creating the Custom JumpStart Installation Files.
To create a hashing key and an encryption key, follow these steps.
- Assume the same user role as the web server user on the
WAN boot server.
- Create the master HMAC SHA1 key.
# wanbootutil keygen -m
- keygen -m
Creates the master HMAC SHA1 key for the WAN boot server
- Create the HMAC SHA1 hashing key for the client from the master key.
# wanbootutil keygen -c -o [net=net-ip,{cid=client-ID,}]type=sha1
- -c
Creates the client's hashing key from the master key.
- -o
Indicates that additional options are included for the wanbootutil keygen command.
- (Optional) net=net-ip
Specifies the IP address for the client's subnet. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.
- (Optional) cid=client-ID
Specifies the client ID. The client ID can be a user-defined ID or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.
- type=sha1
Instructs the wanbootutil keygen utility to create a HMAC SHA1 hashing key for the client.
- Decide if you need to create an encryption key for the client.
You need to create an encryption key to perform a WAN boot
installation over HTTPS. Before the client establishes an HTTPS connection with the WAN boot
server, the WAN boot server transmits encrypted data and information to the client.
The encryption key enables the client to decrypt this information and use this
information during the installation.
If you are performing a more secure WAN installation over HTTPS with server authentication, continue.
If you only want to check the integrity of the wanboot program, you do not need to create an encryption key. Go to Step 6.
- Create an encryption key for the client.
# wanbootutil keygen -c -o [net=net-ip,{cid=client-ID,}]type=key-type
- -c
Creates the client's encryption key.
- -o
Indicates that additional options are included for the wanbootutil keygen command.
- (Optional) net=net-ip
Specifies the network IP address for the client. If you do not use the net option, the key is stored in the /etc/netboot/keystore file, and can be used by all WAN boot clients.
- (Optional) cid=client-ID
Specifies the client ID. The client ID can be a user-defined ID, or the DHCP client ID. The cid option must be preceded by a valid net= value. If you do not specify the cid option with the net option, the key is stored in the /etc/netboot/net-ip/keystore file. This key can be used by all WAN boot clients on the net-ip subnet.
- type=key-type
Instructs the wanbootutil keygen utility to create an encryption key for the client. key-type can have a value of 3des or aes.
- Install the keys on the client system.
For instructions about how to install keys on the client, see Installing Keys on the Client.
Example 11-7 Creating Required Keys for WAN Boot Installation Over HTTPS
The following example creates a master HMAC SHA1 key for the WAN
boot server. This example also creates a HMAC SHA1 hashing key and 3DES
encryption key for client 010003BA152A42 on subnet 192.168.198.0.
Before you execute these commands, you must first assume the same user role
as the web server user. In this example, the web server user
role is nobody.
server# su nobody
Password:
nobody# wanbootutil keygen -m
nobody# wanbootutil keygen -c -o net=192.168.198.0,cid=010003BA152A42,type=sha1
nobody# wanbootutil keygen -c -o net=192.168.198.0,cid=010003BA152A42,type=3des
More Information
Continuing the WAN Boot Installation
After you create a hashing and an encryption key, you must create
the installation files. For instructions, see Creating the Custom JumpStart Installation Files.
See Also
For overview information on hashing keys and encryption keys, see Protecting Data During a WAN Boot Installation.
For more information about how to create hashing and encryption keys, see the
man page wanbootutil(1M).