Secure Provisioning for NetOps Automation is an optional, licensed module. Licence installation and module activation are controlled by your central Lighthouse instance.
The Secure Provisioning licence is installed on Lighthouse and contains a preset number of available node activations. Each supported node that is activated for Secure Provisioning consumes an available activation; Lighthouse itself does not consume an activation.
Installing the Secure Provisioning licence automatically activates Secure Provisioning on Lighthouse, at which point the NetOps Automation platform deploys the central Secure Provisioning software components to Lighthouse.
The process of automatically or manually activating Secure Provisioning on a node deploys the remote Secure Provisioning components to that node, securely over Lighthouse VPN.
At a high level, the steps to install the NetOps Automation platform and Secure Provisioning module are:
Activate Secure Provisioning on Lighthouse
- If you're not already running Lighthouse:
- Install the Lighthouse VM
- Log in to the Lighthouse web UI as root or a Lighthouse Administrator
- Install the Lighthouse node licence (SKU OGLH) under SETTINGS > System > Licensing
- Purchase a Secure Provisioning licence (SKU nom-prov) and install under SETTINGS > System > Licensing
- It will take a few minutes for Secure Provisioning to activate on Lighthouse; view progress under CONFIGURE NODES > NetOps Modules > Manage Modules
- Refresh your browser and note that new menu items are now available under CONFIGURE NODES > Device Provisioning
- Nodes may now be automatically activated for Secure Provisioning as they enroll, or manually activated after enrollment
Automatically activate Secure Provisioning on all nodes
In this mode, when a licence is present and activations are available, all nodes are activated for Secure Provisioning as they enroll.
- Check and apply CONFIGURE NODES > NetOps Modules > Manage Modules > Secure Provisioning > Always Activate
- To activate a new node, enroll it into Lighthouse
Automatically activate Secure Provisioning on selected nodes
You may selectively activate Secure Provisioning on a subset of nodes using Enrollment Bundles. Only nodes enrolling using one of these bundles will be automatically activated.
- Uncheck CONFIGURE NODES > NetOps Modules > Manage Modules > Secure Provisioning > Always Activate and click Apply
- Select CONFIGURE NODES > Node Enrollment > Enrollment Bundles and add a new bundle (you may also edit an existing bundle)
- Enter a bundle Name and Token, and choose whether or not to Auto-Approve enrollment
- Scroll down to NetOps Modules and add Secure Provisioning
- Enroll the node to Lighthouse, specifying the Enrollment Bundle Name and Token
- Lighthouse-initiated manual enrollment (e.g. clicking the Add Node button in the Lighthouse web UI) does not support bundles; you must use a node-initiated enrollment method
Manually activating Secure Provisioning on nodes
To activate nodes manually after enrollment, use the following steps:
- Ensure CONFIGURE NODES > NetOps Modules > Manage Modules > Secure Provisioning > Always Activate is unchecked and applied
- Select CONFIGURE NODES > Configuration Templating > Apply Templates
- Under NetOps Module Activation choose Secure Provisioning and click Next
- Select the nodes to activate and click Next
- Refresh to ensure preflight checking is successful, then click Next
- Refresh to ensure activation is successful
Note: Once a node is activated for Secure Provisioning, the activation is consumed by and locked to that node. Unenrolling or factory resetting the node will not automatically return the activation to the available pool. Returning an activation to the available pool, e.g. after accidental activation or node RMA swap out, requires support intervention.