The ZTP feature has a secure mode that requires a USB flash drive to be present in the Opengear appliance when it boots unconfigured.
This article explains how to set up the USB key and configure an HTTPS server to serve the .opg file you want to use for configuration.
The example uses openssl to generate the certificates, with the lighttpd web server and isc-dhcp-server on Ubuntu 14.10 to demonstrate.
Generate certificates
First, let's generate a CA certificate so we can sign the client and server CSRs with it later. I've called it DavesCA but you can choose your own name. (In a real, enterprise deployment, the enterprise's secure CA process would be used instead of the openssl ca commands below).
```sh
cp /etc/ssl/openssl.cnf .
mkdir -p demoCA/newcerts
echo 00 > demoCA/serial
echo 00 > demoCA/crlnumber
touch demoCA/index.txt
openssl genrsa -out ca.key 8192
openssl req -new -x509 -days 3650 -key ca.key -out demoCA/cacert.pem -subj /CN=DavesCA
cp demoCA/cacert.pem ca-bundle.crt
```
Now generate the server certificate. Make sure the hostname or IP address used is the one you will use in the URL later (here it is demo.example.com):

```sh
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -subj /CN=demo.example.com
openssl ca -days 365 -in server.csr -out server.crt \
    -keyfile ca.key -policy policy_anything -batch -notext
```
Then generate the client certificate and combine its private key and certificate into the single client.pem file that will go onto the USB key:

```sh
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr -subj /CN=ExampleClient
openssl ca -days 365 -in client.csr -out client.crt \
    -keyfile ca.key -policy policy_anything -batch -notext
cat client.key client.crt > client.pem
```
Create the secure USB key
- Format a USB flash drive as a single FAT32 volume.
- Move the client.pem and ca-bundle.crt files onto the flash drive's root directory.
Configure lighttpd
This is an example web server on Ubuntu 14.10. We will be putting the protected demo.opg file into /var/www/opg/.
Due to a limitation in lighttpd, SSL connections to the server have to be either rejected or accepted before the URL is known, because the client certificate is verified during the TLS handshake. lighttpd has no syntax for testing the certificate subject name per URL; other web servers may offer such a check.
As root, edit /etc/lighttpd/conf-available/99-opg.conf and add this to turn on SSL client authentication:

```
$HTTP["scheme"] == "https" {
    ssl.ca-file = "/etc/ssl/certs/DavesCA.pem"
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce = "enable"
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"
}
$HTTP["url"] =~ "^/opg/" {
    $HTTP["scheme"] != "https" {
        url.access-deny = ( "" )
    }
}
```
Now run these commands to enable SSL and copy the certificates into the right directories:
```sh
mkdir /var/www/opg
cp demoCA/cacert.pem /usr/local/share/ca-certificates/DavesCA.crt
update-ca-certificates
(umask 77; cat server.key server.crt > /etc/lighttpd/server.pem)
lighttpd-enable-mod ssl opg
/etc/init.d/lighttpd force-reload
```
Obtain the .opg file to serve
- Configure the Opengear appliance manually until it is how you want it to be.
- Visit its System:Configuration Backup screen.
- Click Save Backup.
- Save, rename and copy the resulting .opg file to the web server directory /var/www/opg/demo.opg.
Testing:
- Try downloading the URL https://demo.example.com/opg/demo.opg from a web browser; the request should be refused, since the browser presents no client certificate.
- Try fetching the URL metadata (i.e. HEAD) using curl with the client.pem (if curl runs on a machine that does not already trust DavesCA, add `--cacert ca-bundle.crt`):

```sh
curl -I -E client.pem https://demo.example.com/opg/demo.opg
HTTP/1.1 200 OK
...
```
Set up the DHCP server
This is on Ubuntu with the isc-dhcp-server package installed. We assume you have already set this server up to serve DHCP leases.
- Add this entry to /etc/dhcp/dhcpd.conf:

```
option space opengear code width 1 length width 1;
option opengear.config-url code 1 = text;
class "opengear-demo-config" {
    match if option vendor-class-identifier ~~ "^Opengear/";
    vendor-option-space opengear;
    option opengear.config-url "https://demo.example.com/opg/demo.opg";
}
```

- Restart the DHCP server with

```sh
/etc/init.d/isc-dhcp-server restart
```

Opengear appliances booting in unconfigured mode will now be sent a config-url list from the server.
The config-url string is a space-separated list of URLs that will be tried in order. In secure mode, only the https URLs will be tried. The following macro expansions are available in the config-url string and will be expanded by the device before being fetched.
Substring | Expands to | Example
---|---|---
${mac} | The 12-digit MAC address of the device, lowercase | 0013b600b669
${model} | The full model name, in lowercase | acm5504-5-g-w-i
${class} | The firmware hardware class | ACM550x
${version} | The firmware version number | 3.15.1
Demonstration
If you've followed all the instructions above, you should be able to demonstrate it by resetting a test unit.
If you have console access to the Opengear appliance, reset it in this way:

```sh
config -s config.console.debug=on -r console
flatfsd -i
```

This will allow you to watch the console for error messages when backup-url runs.
How to set up Wireshark for decrypting HTTPS connections
Wireshark can also be used to debug the situation. Since we have the server.key file, we can give that to Wireshark and inspect the packets decrypted. Note that this only works for cipher suites that use RSA key exchange; sessions negotiated with (EC)DHE key exchange cannot be decrypted from the server's private key alone.
- Start wireshark
- Go to Edit > Preferences
- Scroll down to SSL
- Click Edit... next to RSA keys list
- Click New
- Enter the server's IP address, port 443, protocol http, and select the server.key file
- Close all those dialogs to get back to the main panel.