_____________________________________________________________________
724-746-5500 | blackbox.com Page 305
1. Generate an X.509 certificate for the client. Place it and its private key file onto a USB flash drive (concatenated as a single file, client.pem).
2. Set up an HTTPS server that restricts access to the .opg or .xml file to HTTPS connections providing the client certificate.
3. Put a copy of the CA cert (that signed the HTTP server's certificate) onto the USB flash drive as well (ca-bundle.crt).
4. Insert the USB flash drive into the Console server device before attaching power or network.
5. Continue with the steps above, but using only an https URL.
6. A detailed step-by-step document for preparing a USB flash drive and using OpenSSL to create keys is at Howto: set up a USB key for authenticated restore
15.16.3 How it works
This section explains in detail how the Console server device uses DHCP to obtain its initial configuration.
First, a console manager is either configured or unconfigured. ZTP needs it to be in an unconfigured state, which is only obtained in the following ways:
• Firmware programming at factory
• Pressing the Config Erase button twice during operation
• Selecting Config Erase under System: Administration in the web UI, and rebooting
• Creating the file /etc/config/.init and then rebooting (command-line)
When an unconfigured Console server boots, it performs these steps to find a configuration:
• The Console server device transmits a DHCP DISCOVER request onto its primary Network Interface (wan). This DHCP request will carry a Vendor Class Identifier.
• On receipt of a DHCP OFFER, the device will use the information in the offer to assign an IPv4 address to its primary Network Interface, add a default route, and prepare its DNS resolver.
• If the offer also contained an option 43 with sub-option 1, the device interprets the sub-option as a whitespace-separated list of URLs to configuration files to try to restore.
• If an NTP server option was provided in the DHCP offer, the system clock is (quickly) synchronized with the NTP server.
• The system now searches all attached USB storage devices for two optional certificate files. The first file is named ca-bundle.crt and the second one is whichever one of the following filenames is found first:
o client-AABBCCDDEEFF.pem (where AABBCCDDEEFF is the MAC address of the primary network interface); or
o client-MODEL.pem (where MODEL is the (vendor class) model name in lowercase, truncated to before the first hyphen); or
o client.pem
• If both files are found (ca-bundle.crt and a client.pem), then secure mode is enabled for the next section.
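The option 43 decoding and the client-certificate precedence described above, as an added worked example (not code from the manual or the product). It assumes standard TLV encoding of option 43 sub-options (1-byte code, 1-byte length, value, code 255 as end marker); the URLs, MAC address, model name and USB file names are constructed sample values.

```python
from __future__ import annotations

def parse_option43(data: bytes) -> dict[int, bytes]:
    """Split DHCP option 43 (vendor-specific information) into {sub-option code: value}.
    Assumes TLV sub-options: code, length, value; 0 is a pad byte, 255 ends the list."""
    subopts: dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 255:          # end marker
            break
        if code == 0:            # pad byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated sub-option header")
        length = data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subopts[code] = subopts.get(code, b"") + value   # repeated codes are concatenated
        i += 2 + length
    return subopts

def config_urls(option43: bytes) -> list[str]:
    """Sub-option 1 is a whitespace-separated list of configuration URLs, tried in order."""
    return parse_option43(option43).get(1, b"").decode("ascii").split()

def pick_client_cert(usb_files: set[str], mac: str, vendor_model: str) -> str | None:
    """Precedence from the manual: MAC-specific file, then model-specific file, then client.pem."""
    mac_hex = mac.replace(":", "").replace("-", "").upper()
    model = vendor_model.lower().split("-", 1)[0]   # lowercase, truncated before the first hyphen
    for name in (f"client-{mac_hex}.pem", f"client-{model}.pem", "client.pem"):
        if name in usb_files:
            return name
    return None

def secure_mode(usb_files: set[str], mac: str, vendor_model: str) -> bool:
    """Secure mode is enabled only when ca-bundle.crt and one client cert file are both present."""
    return "ca-bundle.crt" in usb_files and pick_client_cert(usb_files, mac, vendor_model) is not None

# Constructed sample: sub-option 1 carrying two URLs, followed by the end marker.
SAMPLE_URLS = b"https://ztp.example.net/cfg.opg https://ztp.example.net/cfg.xml"
SAMPLE_OPT43 = bytes([1, len(SAMPLE_URLS)]) + SAMPLE_URLS + bytes([255])
SAMPLE_USB = {"ca-bundle.crt", "client.pem", "client-examplemodel.pem"}

if __name__ == "__main__":
    print(config_urls(SAMPLE_OPT43))
    print(pick_client_cert(SAMPLE_USB, "aa:bb:cc:dd:ee:ff", "ExampleModel-2"))
    print(secure_mode(SAMPLE_USB, "aa:bb:cc:dd:ee:ff", "ExampleModel-2"))
```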
• Each URL in the list obtained from option 43 sub-option 1 is tried in sequence until one succeeds:
o The URL undergoes substring replacement from the following table: