(Optional) To Use Digital Certificates for Server and Client Authentication (Solaris 10 6/06 Installation Guide: Network-Based Installations)

Skip to ContentSun and Oracle Channel Sun How to Buy Log In

Solaris 10 6/06 Installation Guide: Network-Based Installations

Visa den här boken i:

Inom

Solaris 10 6/06 Release and Installation Collection

Hitta mer dokumentation

Supportresurser som ingår

Ladda ner denna bok i PDF (1569 KB)

(Optional) To Use Digital Certificates for Server and Client Authentication

The WAN boot installation method can use PKCS#12 files to perform an installation over HTTPS with server or both client and server authentication. For requirements and guidelines about using PKCS#12 files, see Digital Certificate Requirements.

To use a PKCS#12 file in a WAN boot installation, you perform the following tasks.

Split the PKCS#12 file into separate SSL private key and trusted certificate files.
Insert the trusted certificate in the client's truststore file in the /etc/netboot hierarchy. The trusted certificate instructs the client to trust the server.
(Optional) Insert the contents of the SSL private key file in the client's keystore file in the /etc/netboot hierarchy.

The wanbootutil command provides options to perform the tasks in the previous list.

If you do not want to perform a secure WAN boot, skip this procedure. To continue preparing for your less secure installation, see Creating the Custom JumpStart Installation Files.

Follow these steps to create a trusted certificate and a client private key.

Before You Begin

Before you split a PKCS#12 file, create the appropriate subdirectories of the /etc/netboot hierarchy on the WAN boot server.

For overview information that describes the /etc/netboot hierarchy, see Storing Configuration and Security Information in the /etc/netboot Hierarchy.
For instructions about how to create the /etc/netboot hierarchy, see Creating the /etc/netboot Hierarchy on the WAN Boot Server.

Steps

Assume the same user role as the web server user on the WAN boot server.

Extract the trusted certificate from the PKCS#12 file. Insert the certificate in the client's truststore file in the /etc/netboot hierarchy.
# wanbootutil p12split -i p12cert \ -t /etc/netboot/net-ip/client-ID/truststore
p12split

Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.

-i p12cert

Specifies the name of the PKCS#12 file to split.

-t /etc/netboot/net-ip/client-ID/truststore

Inserts the certificate in the client's truststore file. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.

(Optional) Decide if you want to require client authentication.
- If no, go to (Optional) To Create a Hashing Key and an Encryption Key.
- If yes, continue with the following steps.
  1. Insert the client certificate in the client's certstore.
    # wanbootutil p12split -i p12cert -c \ /etc/netboot/net-ip/client-ID/certstore -k keyfile
    p12split
    
    Option to wanbootutil command that splits a PKCS#12 file into separate private key and certificate files.
    
    -i p12cert
    
    Specifies the name of the PKCS#12 file to split.
    
    -c /etc/netboot/net-ip/client-ID/certstore
    
    Inserts the client's certificate in the client's certstore. net-ip is the IP address of the client's subnet. client-ID can be a user-defined ID or the DHCP client ID.
    
    -k keyfile
    
    Specifies the name of the client's SSL private key file to create from the split PKCS#12 file.
  2. Insert the private key in the client's keystore.
    # wanbootutil keymgmt -i -k keyfile \ -s /etc/netboot/net-ip/client-ID/keystore -o type=rsa
    keymgmt -i
    
    Inserts an SSL private key in the client's keystore
    
    -k keyfile
    
    Specifies the name of the client's private key file that was created in the previous step
    
    -s /etc/netboot/net-ip/client-ID/keystore
    
    Specifies the path to the client's keystore
    
    -o type=rsa
    
    Specifies the key type as RSA

Example 13–6 Creating a Trusted Certificate for Server Authentication

In the following example, you use a PKCS#12 file to install client 010003BA152A42 on subnet 192.168.198.0. This command sample extracts a certificate from a PKCS#12 file that is named client.p12. The command then places the contents of the trusted certificate in the client's truststore file.

Before you execute these commands, you must first assume the same user role as the web server user. In this example, the web server user role is nobody.

server# su nobody
Password:
nobody# wanbootutil p12split -i client.p12 \
-t /etc/netboot/192.168.198.0/010003BA152A42/truststore
nobody# chmod 600 /etc/netboot/192.168.198.0/010003BA152A42/truststore

Continuing the WAN Boot Installation

After you create a digital certificate, create a hashing key and an encryption key. For instructions, see(Optional) To Create a Hashing Key and an Encryption Key.