Chapter 15: Advanced Configuration
15.14 Zero Touch Provisioning
Zero Touch Provisioning (ZTP) was introduced with firmware release 3.15 to allow appliances to be provisioned from a DHCP
server during their initial boot.
15.14.1 Preparation
These are typical steps for configuration over a trusted network:
1. Configure a same-model appliance.
2. Save the configuration as a backup (.opg) file under System: Configuration Backup in the web UI, or via config -e in the
CLI. Alternatively, you can save the XML configuration as a file ending in .xml.
3. Publish the .opg or .xml file on a fileserver that understands one of the HTTPS, HTTP, FTP or TFTP protocols.
4. Configure your DHCP server to include a “vendor specific” option for Tripp Lite appliances. The option text should be a URL
to the location of the .opg or .xml file. The option text should not exceed 250 characters in length. It must end in either
.opg or .xml.
5. Connect a new appliance (either at defaults from the factory, or config erased) to the network and apply power.
6. It may take up to 5 minutes for the device to find the .opg or .xml file via DHCP, download, install the file and reboot itself.
15.14.2 Example ISC DHCP server configuration
The following is an example of an ISC DHCP server configuration fragment for serving an .opg configuration image:
option space tripplite code width 1 length width 1;
option tripplite.config-url code 1 = text;
class "tripplite-ztp" {
    match if option vendor-class-identifier ~~ "^TrippLite/";
    vendor-option-space tripplite;
    option tripplite.config-url "https://example.com/opg/${class}.opg";
}
For other DHCP servers, please consult their documentation on specifying “Vendor Specific” option fields. We use sub-option 1
to hold the URL text.
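The following added example (not part of the vendor documentation) checks a URL against the rules in 15.14.1 and the https-only rule in 15.14.3, then builds the vendor-specific option payload for DHCP servers that take it as raw bytes. The byte layout (1-byte sub-option code, 1-byte length, then the text) is taken from the "code width 1 length width 1" declaration above; the function and constant names and the sample URL are assumptions made for illustration.

```python
# Added example: names below are illustrative, not vendor-defined.
from urllib.parse import urlsplit

SUBOPT_CONFIG_URL = 1          # sub-option number stated in the manual
MAX_URL_LEN = 250              # limit stated in the manual
ALLOWED_SCHEMES = {"https", "http", "ftp", "tftp"}


def check_url(url: str, https_only: bool = False) -> bytes:
    """Validate a ZTP URL against the manual's rules; return it as ASCII bytes."""
    raw = url.encode("ascii")  # raises on non-ASCII, e.g. pasted curly quotes
    if len(raw) > MAX_URL_LEN:
        raise ValueError(f"URL is {len(raw)} chars, limit is {MAX_URL_LEN}")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    if https_only and parts.scheme != "https":
        raise ValueError("untrusted-LAN setup requires an https URL")
    if not url.endswith((".opg", ".xml")):
        raise ValueError("URL must end in .opg or .xml")
    return raw


def encode_option43(url: str, https_only: bool = False) -> bytes:
    """Encode as sub-option code (1 byte) + length (1 byte) + URL text."""
    raw = check_url(url, https_only)
    return bytes([SUBOPT_CONFIG_URL, len(raw)]) + raw


def decode_option43(payload: bytes) -> dict:
    """Walk the sub-options of a vendor-specific payload; reject truncated ones."""
    out, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past end of payload")
        out[code] = value
        i += 2 + length
    return out


if __name__ == "__main__":
    url = "https://example.com/opg/site-a.opg"   # constructed sample URL
    payload = encode_option43(url, https_only=True)
    print(payload.hex(":"))                      # colon-separated hex bytes
```

Running decode_option43 over the bytes actually configured on the DHCP server confirms that sub-option 1 carries the intended URL before a factory-default appliance is attached.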
15.14.3 Setup for an untrusted LAN
If network security is a concern, and you can have remote hands insert a trusted USB flash drive into the appliance during
provisioning, then follow the steps below to configure in an untrusted network:
1. Generate an X.509 certificate for the client. Place it and its private key file onto a USB flash drive (concatenated as a
single file, client.pem).
2. Set up an HTTPS server that restricts access to the .opg or .xml file to HTTPS connections that present the client certificate.
3. Put a copy of the CA certificate (the one that signed the HTTPS server's certificate) onto the USB flash drive as well (ca-bundle.crt).
4. Insert the USB flash drive into the appliance before attaching power or network.
5. Continue with the steps above, but using only an https URL.
6. Detailed step-by-step instructions for preparing a USB flash drive and using OpenSSL to create keys can be found later in
this section.