Tripp Lite B097016 Owners Manual for B093- B097- and B098-Series Console Serve - Page 269

15. Advanced Configuration 15.15.3 Set Up an Untrusted LAN If network security is a concern, you can have remote hands insert a trusted USB flash drive into the Tripp Lite device during provisioning. A summary of the steps required for deploying configuration in an untrusted network is outlined below: 1. Generate an X.509 certificate for the client. Place it and its private key file onto a USB flash drive (concatenated as a single file, client.pem). 2. Set up an HTTPS server that restricts access to the .opg or .xml file for HTTPS connections, providing the client certificate. 3. Save a copy of the CA cert (that signed the HTTP server's certificate) onto the USB flash drive as well (ca-bundle.crt). 4. Insert the USB flash drive into the Tripp Lite device before connecting to power or the network. 5. Continue with the steps above, but using only a https URL. 6. A detailed step-by-step document for preparing a USB flash drive and using OpenSSL to create keys is at Howto: set up a USB key for authenticated restore. 15.15.4 How it Works This section explains in detail how the Tripp Lite device uses DHCP to obtain its initial configuration. A Tripp Lite console manager is either configured or unconfigured. ZTP needs it to be in an unconfigured state, which is only obtained in the following ways: • Firmware programming at factory. • Pressing the Config Erase button twice during operation. • Selecting Config Erase under System: Administration in the web UI, and rebooting. • Creating the file /etc/config/.init and then rebooting (command-line). When an unconfigured Tripp Lite boots, it performs these steps to find a configuration: • The Tripp Lite device transmits a DHCP DISCOVER request onto its primary network interface (WAN). This DHCP request will carry a vendor class identifier of the form Tripp Lite/model-name (for example, Tripp Lite/B098) and its parameter request list will include option 43 (vendor-specific information). • On receipt of a DHCP OFFER, the device will use the information in the offer to assign an IPv4 address to its primary network interface, add a default route, and prepare its DNS resolver. • If the offer also contained an option 43 with sub-option 1, the device interprets the sub-option as a whitespace-separated list of URLs to configuration files to try to restore. • If an NTP server option was provided in the DHCP offer, the system clock is (quickly) synchronized with the NTP server. • The system now searches all attached USB storage devices for two optional certificate files. The first file is named ca-bundle. crt, and the second one is whichever one of the following filenames is found first: o client-AABBCCDDEEFF.pem (where AABBCCDDEEFF is the MAC address of the primary network interace); or o client-MODEL.pem (where MODEL is the (vendor class) model name in lowercase, truncated to before the first hyphen); or o client.pem • If both files are found (ca-bundle.crt and a client.pem), then secure mode is enabled for the next section. • Each URL in the list obtained from option 43 sub-option 1 is tried in sequence until one succeeds: o The URL undergoes substring replacement from the following table: Substring Replaced by ${mac} The 12-digit MAC address of the device, in lowercase ${model} The full model name, in lowercase ${class} The firmware hardware class ${version} The firmware version number o The resulting URL must end in .opg or .xml (an optional ?query-string is permitted). If it does not, it is skipped and the next URL is tried. 269