Lantronix EMG 8500 EMG User Guide - Page 337

15: Maintenance b. Option TFTP Server IP/150 and Boot Filename/67 - if both of these are received, they will be used, and all other DHCP options will be ignored. c. Option TFTP Server IP or Name/66 and Boot Filename/67 - if both of these are received, they will be used. Any configuration file specified by VSI/43 or Boot Filename/67 must be a valid console manager configuration filename ending in "-slccfg.tgz" (for SLC8000 console managers) or "-emgcfg.tgz" (for EMG console managers). For TFTP Server IP/150, the first IP address in the IP address list will be used; all other IP addresses will be ignored.  VSI/43 suboption 1 format: the format of this suboption is a string consisting of tokens separated by spaces. Two tokens are supported: a URL indicating where to download the ZTP configuration file from, and the optional validatecert token. The URL can use the HTTPS, HTTP, FTP or TFTP protocol. The validatecert token indicates that the HTTPS protocol will be used and that a client side X.509 certificate and certificate authority files will be provided on an external USB drive or SD card; if the certificate files cannot be located, ZTP will terminate and not attempt to location a ZTP file with any other methods. The preserve_ethname token indicates that the current Eth1, Eth2, and hostname settings on EMG should be preserved and not over-written with the Eth1, Eth2 and hostname settings from the configuration being restored. Examples of suboption 1 strings are "ftp:// ftpuser:[email protected]/ztp2-slccfg.tgz" and "https://10.0.1.131/config/ ztp2-emgcfg.tgz validatecert". For validatecert, 3 certificate files are required to be in the top level directory of an external storage device: cacert.pem (certificate authority file for validating the HTTPS server), cert.pem (client side certificate file), and key.pem (client side key file). The console manager will search external storage devices in this order: upper USB port, lower USB port (if present) and SD card. The first external storage device that is found and successfully mounted is expected to be the source for the certificate files; if they are not located in the top level directory, ZTP will terminate and not attempt to locate a ZTP file with any other methods. See Creating a Certificate on page 337 for instructions to create a self-signed certificate with OpenSSL.  If the console manager is able to download the configuration file, it will restore the configuration onto the console manager, and begin the normal startup process.  If any of these steps fail for the Eth1 network port, it will repeat the process of trying to acquire a configuration over the Eth2 network port.  After attempting to acquire a configuration over the Eth2 network port, the unit will begin the normal startup process. Any results of attempting to acquire and restore a configuration file will be output to the console port and the system log. Configurations for firmware versions that are newer than the firmware version running on the unit will not be restored. Spaces are not supported in either the directory or filename portion of the Boot Filename path. Creating a Certificate To use OpenSSL to create a self signed root certificate authority, and use it to sign a client certificate that is used on the console manager and a server certificate that is installed in a web server responding to ZTP requests: 1. Setup OpenSSL environment: create a directory to store the OpenSSL configuration and certificate files. This step can be omitted if an existing OpenSSL configuration and directory will be used. a. Create a new directory and copy existing openssl.cnf file (or create openssl.cnf): EMG™ Edge Management Gateway User Guide 337