Tripp Lite B093-004-2E4U-V 4-Port Console Server with 4G LTE Cellular Gateway, Dual GbE NIC, 4Gb Flash and Dual SIM

Owner's Manual - Page 266

For B093-004-2E4U-V. This document also applies to other Tripp Lite models: B093-00X-2E4U-X, B097-016/048, B098-016/048, B098-016-V


15. Advanced Configuration
15.15.3 Set Up an Untrusted LAN
If network security is a concern, you can have remote hands insert a trusted USB flash drive into the Tripp Lite device during
provisioning. A summary of the steps required for deploying configuration in an untrusted network is outlined below:
1. Generate an X.509 certificate for the client. Place it and its private key file onto a USB flash drive (concatenated as a single
file, client.pem).
2. Set up an HTTPS server that restricts access to the .opg or .xml file to HTTPS connections that present the client certificate.
3. Save a copy of the CA cert (that signed the HTTP server’s certificate) onto the USB flash drive as well (ca-bundle.crt).
4. Insert the USB flash drive into the Tripp Lite device before connecting to power or the network.
5. Continue with the steps above, but using only an HTTPS URL.
6. A detailed step-by-step document for preparing a USB flash drive and using OpenSSL to create keys is at Howto: set up a
USB key for authenticated restore.
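As an added example (not from this manual or from Tripp Lite), the following Python program does what step 2 asks of the HTTPS server: it presents its own server certificate, refuses the TLS handshake unless the client offers a certificate signed by a CA we choose, and serves nothing but .opg/.xml files from a single directory. The file names server.crt, server.key, client-ca.crt and the configs/ directory are assumptions.

```python
"""Minimal client-authenticated HTTPS server for the untrusted-LAN procedure.

Added example, not part of the manual or the device firmware.  It serves
only .opg/.xml configuration files and only to clients that present a
certificate chaining to CLIENT_CA.  All file names are assumptions.
"""
import http.server
import posixpath
import ssl
import urllib.parse

SERVER_CERT = "server.crt"    # assumed: this server's certificate
SERVER_KEY = "server.key"     # assumed: its private key
CLIENT_CA = "client-ca.crt"   # assumed: CA that signed the device's client.pem
CONFIG_DIR = "configs"        # assumed: holds the .opg / .xml files


def is_allowed_config_path(path: str) -> bool:
    """Accept only /name.opg or /name.xml (optional ?query string allowed).

    The manual says a configuration URL must end in .opg or .xml before
    an optional query string; everything else is refused so the server
    never exposes other files in CONFIG_DIR or walks out of it.
    """
    clean = posixpath.normpath(urllib.parse.urlsplit(path).path)
    if clean in ("/", ".") or "/" in clean.lstrip("/"):
        return False  # no directory listing, no subdirectories, no ../
    return clean.endswith((".opg", ".xml"))


class ConfigHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler restricted to configuration files."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, directory=CONFIG_DIR, **kwargs)

    def do_GET(self):
        if not is_allowed_config_path(self.path):
            self.send_error(404, "only .opg/.xml configuration files are served")
            return
        super().do_GET()


def make_server_context() -> ssl.SSLContext:
    """TLS context that presents SERVER_CERT and *requires* a client certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=CLIENT_CA)
    ctx.verify_mode = ssl.CERT_REQUIRED  # no valid client cert -> handshake fails
    ctx.load_cert_chain(SERVER_CERT, SERVER_KEY)
    return ctx


def serve(host: str = "0.0.0.0", port: int = 443) -> None:
    httpd = http.server.HTTPServer((host, port), ConfigHandler)
    httpd.socket = make_server_context().wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

The device's ca-bundle.crt (step 3) must contain the CA that signed server.crt, and the client.pem it carries (step 1) must chain to client-ca.crt. Because verify_mode is CERT_REQUIRED, a connection without an acceptable client certificate is dropped during the handshake, before any request line is read, so the path filter is a second layer rather than the only control.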
15.15.4 How it Works
This section explains in detail how the Tripp Lite device uses DHCP to obtain its initial configuration.
A Tripp Lite console manager is either configured or unconfigured. ZTP needs it to be in an unconfigured state, which is only
obtained in the following ways:
• Firmware programming at factory.
• Pressing the Config Erase button twice during operation.
• Selecting Config Erase under System: Administration in the web UI, and rebooting.
• Creating the file /etc/config/.init and then rebooting (command-line).
When an unconfigured Tripp Lite boots, it performs these steps to find a configuration:
• The Tripp Lite device transmits a DHCP DISCOVER request onto its primary network interface (WAN). This DHCP request will
carry a vendor class identifier of the form Tripp Lite/model-name (for example, Tripp Lite/B098) and its parameter request list
will include option 43 (vendor-specific information).
• On receipt of a DHCP OFFER, the device will use the information in the offer to assign an IPv4 address to its primary network
interface, add a default route, and prepare its DNS resolver.
• If the offer also contained an option 43 with sub-option 1, the device interprets the sub-option as a whitespace-separated
list of URLs to configuration files to try to restore.
• If an NTP server option was provided in the DHCP offer, the system clock is (quickly) synchronized with the NTP server.
• The system now searches all attached USB storage devices for two optional certificate files. The first file is named ca-bundle.crt, and the second one is whichever one of the following filenames is found first:
o client-AABBCCDDEEFF.pem (where AABBCCDDEEFF is the MAC address of the primary network interface); or
o client-MODEL.pem (where MODEL is the (vendor class) model name in lowercase, truncated to before the first hyphen); or
o client.pem
• If both files are found (ca-bundle.crt and one of the client certificate files above), then secure mode is enabled for the next section.
• Each URL in the list obtained from option 43 sub-option 1 is tried in sequence until one succeeds:
o The URL undergoes substring replacement from the following table:
Substring    Replaced by
${mac}       The 12-digit MAC address of the device, in lowercase
${model}     The full model name, in lowercase
${class}     The firmware hardware class
${version}   The firmware version number
o The resulting URL must end in .opg or .xml (an optional ?query-string is permitted). If it does not, it is skipped and the next
URL is tried.
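The USB certificate search and the option 43 URL handling described above, carried out in Python as an added example. This is not the device firmware: it assumes option 43 is encoded as RFC 2132 encapsulated vendor sub-options (code, length, data), and the DHCP payload, MAC address, vendor class and version strings are constructed for illustration.

```python
"""How an unconfigured device turns a DHCP OFFER into a list of config URLs.

Added example, not the device firmware.  Assumes option 43 uses the
RFC 2132 encapsulated sub-option layout (code, length, data ...; 0 = pad,
255 = end).  Sample values are constructed.
"""
import urllib.parse
from typing import Dict, Iterable, List, Optional


def parse_vendor_suboptions(option43: bytes) -> Dict[int, bytes]:
    """Split option 43 into {sub-option code: data}; repeats are concatenated."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(option43):
        code = option43[i]
        if code == 255:          # end marker
            break
        if code == 0:            # pad byte
            i += 1
            continue
        if i + 1 >= len(option43):
            raise ValueError("truncated sub-option header")
        length = option43[i + 1]
        data = option43[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option payload")
        out[code] = out.get(code, b"") + data
        i += 2 + length
    return out


def config_urls_from_option43(option43: bytes) -> List[str]:
    """Sub-option 1 is a whitespace-separated list of URLs to try in order."""
    return parse_vendor_suboptions(option43).get(1, b"").decode("ascii", "replace").split()


def client_cert_candidates(mac: str, vendor_class: str) -> List[str]:
    """USB file names searched for the client certificate, in the manual's order."""
    mac12 = mac.replace(":", "").replace("-", "").upper()
    # vendor class is "Tripp Lite/<model>"; MODEL is lowercased and cut at the first hyphen
    model = vendor_class.split("/", 1)[1].lower().split("-", 1)[0]
    return [f"client-{mac12}.pem", f"client-{model}.pem", "client.pem"]


def select_client_cert(usb_files: Iterable[str], mac: str, vendor_class: str) -> Optional[str]:
    present = set(usb_files)
    for name in client_cert_candidates(mac, vendor_class):
        if name in present:
            return name
    return None


def secure_mode(usb_files: Iterable[str], mac: str, vendor_class: str) -> bool:
    """Secure mode needs both ca-bundle.crt and one client certificate file."""
    present = set(usb_files)
    return "ca-bundle.crt" in present and select_client_cert(present, mac, vendor_class) is not None


def expand_url(url: str, mac: str, model: str, hw_class: str, version: str) -> str:
    """Apply the substring replacement table."""
    repl = {
        "${mac}": mac.replace(":", "").replace("-", "").lower(),
        "${model}": model.lower(),
        "${class}": hw_class,
        "${version}": version,
    }
    for key, value in repl.items():
        url = url.replace(key, value)
    return url


def is_usable_config_url(url: str) -> bool:
    """Path must end in .opg or .xml; a ?query-string after it is permitted."""
    return urllib.parse.urlsplit(url).path.endswith((".opg", ".xml"))


def plan_restore(option43: bytes, mac: str, vendor_class: str, hw_class: str, version: str) -> List[str]:
    """URLs the device would try, in sequence, after substitution and filtering."""
    model = vendor_class.split("/", 1)[1]
    urls = []
    for raw in config_urls_from_option43(option43):
        url = expand_url(raw, mac, model, hw_class, version)
        if is_usable_config_url(url):   # otherwise skipped, next URL tried
            urls.append(url)
    return urls


# Constructed sample DHCP data (not from the manual).
SAMPLE_URLS = ("https://ztp.example/${model}-${mac}.opg "
               "https://ztp.example/fallback.xml?v=${version} "
               "http://ztp.example/readme.txt")
SAMPLE_OPTION43 = bytes([1, len(SAMPLE_URLS)]) + SAMPLE_URLS.encode("ascii") + b"\xff"
SAMPLE_MAC = "00:11:22:AA:BB:CC"
SAMPLE_VENDOR_CLASS = "Tripp Lite/B093-004-2E4U-V"

if __name__ == "__main__":
    usb = {"ca-bundle.crt", "client-b093.pem", "client.pem"}
    print("secure mode:", secure_mode(usb, SAMPLE_MAC, SAMPLE_VENDOR_CLASS))
    print("client cert:", select_client_cert(usb, SAMPLE_MAC, SAMPLE_VENDOR_CLASS))
    for url in plan_restore(SAMPLE_OPTION43, SAMPLE_MAC, SAMPLE_VENDOR_CLASS, "hwclass-x", "4.0.1"):
        print("try:", url)
```

With the constructed sample, the third URL (readme.txt) is dropped because it does not end in .opg or .xml, and client-b093.pem wins over client.pem because the MODEL-specific name is searched first.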