Activate the Secure Provisioning Module on Lighthouse

The Secure Provisioning license is installed on Lighthouse and contains a preset number of available node activations. Each node activated for Secure Provisioning consumes an available activation; Lighthouse itself does not consume an activation.

Installing the Secure Provisioning license automatically activates Secure Provisioning on Lighthouse, at which point the NetOps Automation platform installs the central Secure Provisioning software components on Lighthouse.

  1. Install the Enterprise Automation Edition license under SETTINGS > System > Subscriptions.

  2. Install an applicable legacy license, or apply an Automation Edition subscription, to enable Secure Provisioning under SETTINGS > System > Subscriptions.

    • It takes a few minutes for Secure Provisioning to activate on Lighthouse; view progress under CONFIGURE > NetOps Modules > Manage Modules.

  3. Click the Update icon and note that new menu items are now available under CONFIGURE > Secure Provisioning.

Secure Provisioning may now be selectively activated on nodes automatically as they enroll, or activated on nodes manually after enrollment.

Install the Node

  1. Connect the NET1 Ethernet to a network port via which the node can reach the Lighthouse VM. Connect power to the node.

  2. By default, the node requests a DHCP address and has a static address of 192.168.0.1/24.

  3. Test that you can reach the node address via ping, SSH and HTTPS, and note this address for the following step.

Configure a Per-node Module Activation Policy

Automatically or manually activating Secure Provisioning on a node prepares it, securely over Lighthouse VPN, to become a Secure Provisioning server.

Activating a node for Secure Provisioning consumes an activation from the license. Deactivation returns the activation to the available pool. To deactivate and remove a NetOps Module from a given node, see Deactivate (remove) a NetOps Module.

Note: Operations Manager activation deploys the Secure Provisioning container to the node, which may take several minutes.

Option A. Automatically Activate All Nodes Upon Enrollment

This is the default policy. When a license is present and activations are available, all nodes are activated for Secure Provisioning as they enroll. Nodes that have been previously enrolled must be manually activated.

  1. Ensure CONFIGURE > NetOps Modules > Manage Modules > Secure Provisioning > Always Activate is checked and applied.

  2. To activate a node, enroll it into Lighthouse.

Option B. Automatically Activate Select Nodes Upon Enrollment

You may selectively activate Secure Provisioning on a subset of nodes using Enrollment Bundles. Only nodes enrolling using one of these bundles will be automatically activated.

  1. Uncheck CONFIGURE > NetOps Modules > Manage Modules > Secure Provisioning > Always Activate and click Apply.

  2. Select CONFIGURE > Node Enrollment > Enrollment Bundles and add a new bundle (you may also edit an existing bundle). Enter a bundle Name and Token, and choose whether or not to Auto-Approve enrollment.

  3. Scroll down to NetOps Modules and add Secure Provisioning, then click Apply.

  4. When enrolling the node to Lighthouse, specify the Enrollment Bundle Name and Token.

Note: Lighthouse-initiated manual enrollment (i.e. clicking the Add Node button in the Lighthouse web UI) does not support bundles; you must use a node-initiated enrollment method.

Option C. Manually Activate Nodes After Enrollment

  1. Select CONFIGURE > Configuration Templating > Apply Templates.

  2. Under NetOps Module Activation, select Secure Provisioning and click Next. Select the nodes to activate and click Next.

  3. To ensure the preflight check has succeeded, click the Update icon above the table, then click Next.

  4. Click the Update icon to ensure activation is successful.

Enroll the Node Into Lighthouse

  1. Launch an HTTPS browser session to Lighthouse.

  2. Log in using root and the secure password set earlier.

    Tip: You may also log in as a Lighthouse Administrator user, if you have configured one.

  3. At the top of the UI, click Add Node.

  4. Select An Opengear appliance, the second option in the Product dropdown list.

  5. Enter the Operations Manager's Network Address, Username (root) and Password (default). Check Auto-approve node, then click Apply.

  6. From the menu, select CONFIGURE > Node Enrollment > Enrolled Nodes, then click the Update icon to check that enrollment has completed.

  7. If you are using the Automatically activate select nodes upon enrollment policy, you must manually activate the node after enrollment.

The node now has a secure Lighthouse VPN (OpenVPN) tunnel back to Lighthouse, over which all communications are now secured.

Connect Target Device

Secure Provisioning currently supports provisioning devices from these vendors:

  • Cisco

  • Juniper

  • Arista

  • HPE/Aruba

  • Huawei

  • Cumulus

  • Pica8

  • Opengear

Note: Additional devices may be supported using custom DHCP configuration. To request built-in support for additional devices, contact customer support.

PROCEDURE

  1. Connect a supported managed device's management NIC directly to the node.

  2. If the node has a built-in Ethernet switch, connect the device to any switch port.

  3. Otherwise, connect the device directly to the node's NET2 Ethernet, or via an intermediary management switch.

  4. Power on the managed device.

  5. Ensure the managed device is in ZTP mode; this typically requires the device to have its configuration erased/reset to factory defaults.