Chapter 15: Advanced Configuration
• The system checks to see if it is still in an unconfigured state. If it is, then the network interface mode is set to DHCP. This effectively forces the system into a configured state, preventing a future reboot loop.
• The system reboots.
Note: If all the URLs were skipped or failed, the system waits 30 seconds before retrying. It retries all the URLs up to 10 times. After the 10th retry, the system reboots. If the system has been manually configured in the meantime, the retries stop and ZTP is disabled.
Note: If no option 43 is received over DHCP, no URLs are downloaded and no reboots occur: the system must be manually configured. Once configured (manually or by ZTP), the appliance no longer requests option 43 from the DHCP server, and it ignores any option 43 configuration URLs presented to it.
15.14.5 Set up a USB key for authenticated restore
The ZTP feature has a secure mode that requires a USB flash drive to be present in the appliance when it boots unconfigured. This section explains how to set up the USB key and how to configure an HTTPS server to serve the .opg file you want to use for configuration.
The demonstration uses openssl to generate the certificates, together with the lighttpd web server and isc-dhcp-server on Ubuntu 14.10.
A. Generate certificates
First, let's generate a CA certificate so we can sign the client and server CSRs with it later. We've called it DavesCA but you can choose your own name. (In a real, enterprise deployment, the enterprise's secure CA process would be used instead of the openssl ca commands below).
# working files expected by "openssl ca"
cp /etc/ssl/openssl.cnf .
mkdir -p demoCA/newcerts
echo 00 > demoCA/serial
echo 00 > demoCA/crlnumber
touch demoCA/index.txt
# CA private key and self-signed CA certificate
openssl genrsa -out ca.key 8192
openssl req -new -x509 -days 3650 -key ca.key -out demoCA/cacert.pem -subj /CN=DavesCA
# the CA certificate is what the USB key carries as ca-bundle.crt
cp demoCA/cacert.pem ca-bundle.crt
Now generate the server certificate. Make sure the hostname or IP address used is what you will use in the URL later (here it is demo.example.com).
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -subj /CN=demo.example.com
openssl ca -days 365 -in server.csr -out server.crt -keyfile ca.key -policy policy_anything -batch -notext
And the client certificate. The name ExampleClient should be chosen to identify the USB flash drive.
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr -subj /CN=ExampleClient
openssl ca -days 365 -in client.csr -out client.crt -keyfile ca.key -policy policy_anything -batch -notext
# key and certificate concatenated into the single PEM file placed on the USB key
cat client.key client.crt > client.pem
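An added, runnable version of the three certificate steps above (example code, not from the manual) that also checks the result the way the appliance and the HTTPS server will rely on it: both leaf certificates must chain to ca-bundle.crt, and a certificate issued by a different key pair under the same CA name must be rejected. It assumes openssl is on PATH and, as labelled in the comments, deviates from the manual by using 2048-bit keys, openssl x509 -req in place of openssl ca, and a subjectAltName on the server certificate.

```shell
#!/bin/sh
# Added example, not from the Tripp Lite manual: builds the same CA / HTTPS server /
# USB client material in a scratch directory, then checks that both leaf certs verify
# against ca-bundle.crt and that a cert signed by an unrelated key pair does not.
# Assumed deviations from the manual: 2048-bit keys (speed), "openssl x509 -req" in
# place of "openssl ca" (no demoCA/ bookkeeping), and a SAN on the server cert.
set -eu

# sign_csr DIR NAME EXT: sign DIR/NAME.csr with DIR/ca.key, adding the extension EXT
sign_csr() {
    printf '%s\n' "$3" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca-bundle.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# build_ztp_pki DIR HOST CLIENT: CA, server and client certificates under DIR
build_ztp_pki() {
    dir=$1; host=$2; client=$3
    mkdir -p "$dir"
    # CA (the manual names it DavesCA); its cert goes on the USB key as ca-bundle.crt
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" \
        -out "$dir/ca-bundle.crt" -subj "/CN=DavesCA"
    # HTTPS server cert: CN and SAN must match the host used in the option 43 URL
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$host"
    sign_csr "$dir" server "subjectAltName=DNS:$host"
    # client cert identifying the USB flash drive; key and cert concatenated as client.pem
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" -subj "/CN=$client"
    sign_csr "$dir" client "extendedKeyUsage=clientAuth"
    cat "$dir/client.key" "$dir/client.crt" > "$dir/client.pem"
}

# verify_chain DIR: succeeds only if server.crt and client.crt both chain to ca-bundle.crt
verify_chain() {
    openssl verify -CAfile "$1/ca-bundle.crt" "$1/server.crt" "$1/client.crt" >/dev/null 2>&1
}

# rejects_foreign_cert DIR OTHER: succeeds only if OTHER/server.crt fails against DIR's CA
rejects_foreign_cert() {
    ! openssl verify -CAfile "$1/ca-bundle.crt" "$2/server.crt" >/dev/null 2>&1
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    build_ztp_pki "$d/good" demo.example.com ExampleClient
    verify_chain "$d/good" && echo "both certificates verify against $d/good/ca-bundle.crt"
fi
```

Run it as `sh script.sh demo` to build and verify a throwaway set; the "rogue" CA in the test shares the DavesCA name but not the key, which is exactly the case the bundle on the USB key must reject.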