15: Maintenance
EMG™ Edge Management Gateway User Guide
332
b. Option
TFTP Server IP/150
and
Boot Filename/67
- if both of these are received, they
will be used, and all other DHCP options will be ignored.
c. Option
TFTP Server IP or Name/66
and
Boot Filename/67
- if both of these are received,
they will be used.
Any configuration file specified by VSI/43 or Boot Filename/67 must be a valid console
manager configuration filename ending in "-slccfg.tgz" (for SLC8000 console managers) or
"-emgcfg.tgz" (for EMG console managers). For TFTP Server IP/150, the first IP address in
the IP address list will be used; all other IP addresses will be ignored.
VSI/43 suboption 1 format
: the format of this suboption is a string consisting of tokens
separated by spaces. Two tokens are supported: a URL indicating where to download the ZTP
configuration file from, and the optional
validatecert
token. The URL can use the HTTPS,
HTTP, FTP or TFTP protocol. The
validatecert
token indicates that the HTTPS protocol will
be used and that a client side X.509 certificate and certificate authority files will be provided on
an external USB drive or SD card; if the certificate files cannot be located, ZTP will terminate
and not attempt to location a ZTP file with any other methods. Examples of suboption 1 strings
are "ftp://ftpuser:[email protected]/ztp2-slccfg.tgz" and "https://10.0.1.131/
config/ztp2-emgcfg.tgz validatecert".
For
validatecert
, 3 certificate files are required to be in the top level directory of an external
storage device:
cacert.pem
(certificate authority file for validating the HTTPS server),
cert.pem
(client side certificate file), and
key.pem
(client side key file). The console manager
will search external storage devices in this order: upper USB port, lower USB port (if present)
and SD card. The first external storage device that is found and successfully mounted is
expected to be the source for the certificate files; if they are not located in the top level
directory, ZTP will terminate and not attempt to locate a ZTP file with any other methods. See
Creating a Certificate on page 332
for instructions to create a self-signed certificate with
OpenSSL.
If the console manager is able to download the configuration file, it will restore the
configuration onto the console manager, and begin the normal startup process.
If any of these steps fail for the Eth1 network port, it will repeat the process of trying to acquire
a configuration over the Eth2 network port.
After attempting to acquire a configuration over the Eth2 network port, the unit will begin the
normal startup process.
Any results of attempting to acquire and restore a configuration file will be output to the console
port and the system log. Configurations for firmware versions that are newer than the firmware
version running on the unit will not be restored. Spaces are not supported in either the directory or
filename portion of the Boot Filename path.
Creating a Certificate
To use OpenSSL to create a self signed root certificate authority, and use it to sign a client
certificate that is used on the console manager and a server certificate that is installed in a web
server responding to ZTP requests:
1. Setup OpenSSL environment: create a directory to store the OpenSSL configuration and
certificate files. This step can be omitted if an existing OpenSSL configuration and directory
will be used.
a. Create a new directory and copy existing openssl.cnf file (or create openssl.cnf):
cd /root
mkdir ztp-cert
Summary of Contents for EMG Series
Page 100: ...7 Networking EMG Edge Management Gateway User Guide 100 Figure 7 5 Network Wireless Settings...
Page 353: ...15 Maintenance EMG Edge Management Gateway User Guide 353 Figure 15 12 About EMG...
Page 474: ...EMG Edge Management Gateway User Guide 474 Figure E 3 EU Declaration of Conformity...
Page 475: ...EMG Edge Management Gateway User Guide 475 Figure E 4 EU Declaration of Conformity continued...