xref: /titanic_50/usr/src/man/man4/wanboot.conf.4 (revision 1886f67eb9de99edbcda88765f2c603a30c87fc2)
te
Copyright (c) 2003, Sun Microsystems, Inc. All Rights Reserved.
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
WANBOOT.CONF 4 "Nov 15, 2003"
NAME
wanboot.conf - repository for WANboot configuration data
SYNOPSIS

/etc/netboot/wanboot.conf
DESCRIPTION

The wanboot.conf file is set up by a system administrator for one or more WANboot clients. The file contains information used to drive the WANboot process. The CGI program that serves up the bootstrap (wanboot) and the boot and root filesystems use information contained in the file to determine file paths, encryption and signing policies, and other characteristics of the operating environment.

A copy of wanboot.conf is incorporated in the boot filesystem that is transmitted to the client. This is used by the bootstrap (wanboot) to determine SSL authentication policy, and other security conditions.

You should use the bootconfchk(1M) utility to check the format and content of a wanboot.conf file prior to deployment.

FILE FORMAT

Entries in wanboot.conf are written one per line; an entry cannot be continued onto another line. Blank lines are ignored, as is anything following a hash mark character (#), which allows you to insert comments.

Each non-blank, non-comment line must take the form:

parameter=value

where value is terminated by the end-of-line, a space, or the hash mark character. The value can be quoted if it contains a space or a hash mark, using single or double quotes.

The parameters currently supported and their meanings are as follows: boot_file

Specifies the path of the bootstrap file relative to the directory from which the web server serves files. This parameter must be given if the bootstrap file (wanboot) is to be served via HTTP, and must be specified with a leading slash (/).

root_server

Specifies the location of the CGI program that will serve up the information about the root filesystem that will be transmitted to the client. If present, the value must be a URL in one of the following forms:

http://host:port/some_path/wanboot-cgi
https://host:port/some_path/wanboot-cgi
where http specifies insecure download of the root filesystem; https specifies secure download of the root filesystem; host is the name of the system which will serve the root filesystem; port is the port through which the web server will serve the root filesystem image; some-path is the directory which contains the wanboot-cgi CGI program which will serve information about the root filesystem. For example:
http://webserver:8080/cgi-bin/wanboot-cgi
root_file

Specifies the path of the root filesystem image relative to the directory from which the web server serves files. This parameter must be given if the root filesystem is to be served by means of HTTP, and must be specified with a leading /.

signature_type

Specifies the signing algorithm to be used when signing the bootstrap (that is, wanboot), the boot filesystem, and the root filesystem (assuming the last is not being sent using secure HTTP), prior to transmission to the client. If absent, or the value is empty, no signing will be performed. If present, its value must be: sha1. If signature_type is set, the client system being booted must also be setup with a client key for that algorithm.

encryption_type

Specifies the encryption algorithm to be used when encrypting the boot filesystem prior to transmission to the client. If absent, or the value is empty, no encryption of the boot filesystem will be performed. If present, its value must be one of: 3des or aes. If encryption_type is set to one of the above algorithms, then the client system being booted must also be setup with a client key for that algorithm and a non-empty encryption_type must also be specified.

server_authentication

Specifies whether server authentication should be requested during SSL connection setup. If absent, or the value is empty, server authentication will not be requested. If present, its value must be one of: yes or no.

client_authentication

Specifies whether client authentication should be requested during SSL coonection setup. If absent, or the value is empty, client authentication will not be requested. If present, its value must be one of: yes or no. If client_authentication is yes, then encryption and signing algorithms must also be specified, the URL scheme in root_server must be https, and server_authentication must also be yes.

resolve_hosts

Used to specify any host names that might need to be resolved for the client system. Host names appearing in URLs in wanboot.conf and any discovered in certificates associated with the client will automatically be resolved and do not need to be specified here. The value should be a comma-separated list of host names. A typical use of this parameter would be to name hosts used by the installer that differ from any of those used by the bootstrap.

boot_logger

Specifies the URL of a system to which logging messages will be sent. If absent, or the value is empty, then logging will be to the system console only. If present it must specify a URL in one of the following forms:

http://host:port/some_path/bootlog-cgi
https://host:port/some_path/bootlog-cgi
where the constituent parts are as defined for root_server, above. Logging can be insecure or secure.
system_conf

Specifies the name of a file in the /etc/netboot hierarchy that will be incorporated in the boot filesystem named system.conf and which is intended for use by the system startup scripts only.

EXAMPLES

Example 1 Sample File

The following is a sample wanboot.conf file:

####################################################################
#
# Copyright 2003 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "@(#)wanboot.conf 1.12 03/01/30 SMI"
#
####################################################################
# wanboot.conf(4): boot configuration file.
#
# Please consult wanboot.conf(4) for further information. Note that
# this interface is "Evolving" as defined by attributes(5).
#
# Anything after a '#' is comment. Values may be quoted (e.g. "val").
#
# <empty> means there is no value, i.e. null. The absence of any
# parameter implies that it takes a default value (<empty> unless
# otherwise specified).
#
# <url> is of the form http://... or https://...
####################################################################

# The path of the bootstrap file (within htdocs) which is served up
# by wanboot-cgi(bootfile).
#
boot_file=/bootfiles/wanboot # <absolute pathname>

# These are used by wanboot-cgi(bootfile|bootfs|rootfs) to determine
# whether boot_file or the bootfs is to be sent encrypted/signed, or
# root_file is to be sent signed; the client must be setup with the
# corresponding encryption/signature key(s) (which cannot be auto-
# matically verified).
#
# If an encryption_type is specified then a signature_type must also
# be specified.
#
encryption_type=3des # 3des | aes | <empty>
signature_type=sha1 # sha1 | <empty>

# This is used by wanboot-cgi(bootfs) and WANboot to determine whether
# server authentication should be requested during SSL connection
# setup.
#
server_authentication=yes # yes | no

# This is used by wanboot-cgi(bootfs) and wanboot to determine whether
# client authentication should be requested during SSL connection
# setup. If client_authentication is "yes", then server_authentication
# must also be "yes".
#
client_authentication=yes # yes | no


# wanboot-cgi(bootfs) will construct a hosts file which resolves any
# hostnames specified in any of the URLs in the wanboot.conf file,
# plus those found in certificates, etc. The following parameter
# may be used to add additional mappings to the hosts file.
#
resolve_hosts= # <hostname>[,<hostname>*] | <empty>

# This is used to specify the URL of wanboot-cgi on the server on which
# the root_file exists, and used by wanboot to obtain the root server's
# URL; wanboot substitutes root_file for the pathname part of the URL.
# If the schema is http://... then the root_file will be signed if there
# is a non-empty signature_type. If server_authentication is "yes", the
# schema must be https://...; otherwise it must be http://...
#
root_server=https://www.example.com:1234/cgi-bin/wanboot-cgi # <url> \e
 | <empty>

# This is used by wanboot-cgi(rootfs) to locate the path of the
# rootfs image (within htdocs) on the root_server.
#
root_file=/rootimages/miniroot # <absolute pathname> | <empty>

# This is used by wanboot to determine the URL of the boot_logger
# (and whether logging traffic should be sent using http or https),
# or whether it should simply be sent to the console.
#
boot_logger=http://www.example.com:1234/cgi-bin/bootlog-cgi # <url> \e
 | <empty>

# This is used by the system startup scripts.
#
system_conf=system.conf
ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability Evolving
SEE ALSO

bootconfchk(1M), attributes(5)