Lighthouse Enrollment

Opengear appliances can be enrolled into a Lighthouse instance, providing centralized access to console ports, automation, and central configuration of Opengear devices.

Lighthouse central management uses persistent, public-key-authenticated SSH tunnels to maintain connectivity to managed console servers.

All network communications between Lighthouse and each console server (e.g. access to the web UI), and the console server's managed devices (e.g. the serial consoles of network equipment), are tunneled through this SSH management tunnel.

The following articles and Lighthouse user guide contain further information about Lighthouse Enrollment:

Manual enrollment using UI or CLI

How do I add Nodes to Lighthouse

Lighthouse User Guide

Manual Enrollment Using UI

Note: To enroll your Operations Manager to a Lighthouse instance, you must have Lighthouse installed and have an enrollment token set in Lighthouse.

  1. In Lighthouse, set an OM enrollment token: click CONFIGURE > NODE ENROLLMENT > Enrollment Settings and enter an Enrollment Token.

    Tip: The same token is entered in the NEW LIGHTHOUSE ENROLLMENT page of the Operations Manager.

  2. Enroll your Operations Manager in this Lighthouse instance:
    Click CONFIGURE > Lighthouse Enrollment

  3. Click on the Add Lighthouse Enrollment button on the top-right of the page.
    The New Lighthouse Enrollment page opens.

  4. Enter the IP address or fully qualified domain name of the Lighthouse instance and the Enrollment Token you created in Lighthouse.
    Optionally enter a Port and an Enrollment Bundle (see the Lighthouse User Guide for more information about Bundling).

  5. Click the Apply button.
    A flag confirms the enrollment.

Note: Enrollment can also be done directly via Lighthouse using the Add Node function. See the Lighthouse User Guide for more instructions on enrolling Opengear devices into Lighthouse.

Manual Enrollment Using the CLI

For complete instructions on Lighthouse Enrollment via the CLI, please refer to this link: Manual enrollment using UI or CLI.

Automatic Enrollment By Lighthouse Service Portal (LSP)

Lighthouse Service Portal (LSP) is an Opengear solution that enables Operations Manager nodes (OM1200 and OM2200) to perform a zero touch call home and automatic enrollment into a customer's Lighthouse instance of choice.

Note: LSP is not configurable and cannot be added in-field.

No user setup is required for LSP. LSP should begin working on boot or factory reset.

LSP Service Initialization

When the node is initially powered up or rebooted, ZTP begins to run, sees that the device is LSP enabled, and exits before applying any configuration. Systemd triggers the LSP.

The node connects to the Internet and adds an NTP server to ensure crypto is working. It then pulls an updated docker container which it runs, and waits while the docker container writes out the appropriate Lighthouse bundle associated with the serial number, then exits.

Identity is verified using a TPM attestation key: the serial number is encoded and signed by the attestation key and a CA running in AWS. An accompanying certificate is stored in the secure Trusted Platform Module (TPM).

If there are no connectivity issues, the LSP status LED (cloud on OM2200) changes progressively from amber flashing (LSP is running) to green flashing (Lighthouse is connecting) to green solid (Lighthouse connected successfully). See Device Status LEDs.

Cloud / Internet LED states on OM devices:

  • Off: LSP is disabled and there are no existing Lighthouse enrollments.

  • Amber Flashing: LSP is currently running on the device.

  • Amber Solid: An error occurred while running LSP.

  • Green Flashing: The device can reach the lighthouse instance and is attempting to enroll. If a lighthouse is unreachable the LED will not start.

  • Green Solid: The device is enrolled and connected to a lighthouse. There will be a short delay between the UI status reported and the LED changing to solid green.

Note: OM1200 series devices do not have a cloud LED, therefore, no LED indication is available for LSP or Lighthouse.

LSP Commands

LSP is run by a systemd service and can be controlled by systemctl commands which are self-explanatory:

systemctl start lsp
systemctl stop lsp
systemctl enable lsp
systemctl disable lsp

The systemd service also checks for the absence of a file /var/lib/lsp/.lsp-disabled before it will actually run the service.

Restarting The Service

If LSP has been disabled due to an error or a successful completion, remove the file /var/lib/lsp/.lsp-disabled to re-enable the service. After that, LSP can be controlled via standard systemctl commands.

LSP Errors and Exit Codes

LSP initiation can sometimes encounter errors, for example, failure to communicate with the REST-API. In these situations, LSP attempts recovery by running from the start again after waiting for a short period.

Before LSP exits with one of these failures, it sets the cloud Status LED to solid amber, and the LED remains solid amber until the process starts running again to try to recover. If a process error is repeated for an extended time, it's likely that something is preventing LSP from completing properly.

LSP Logging & Errors

LSP logs from the systemd service and docker container are all stored in the system journal. The LSP service logs can be accessed with journalctl -u lsp, and the container logs can be viewed with journalctl -b CONTAINER_NAME=LSP_AGENT.

When the docker container runs, it will display the docker registry and digest hash of the running container.

Each entry gives the Log Message/Error Code, with its Event/Definition on the indented line below:

  • Device is LSP enabled.
    The device supports LSP.

  • No logs, the LSP service should be disabled without performing any operations. Disabling the LSP systemd service.
    The device does not support LSP. No logs, the LSP service should be disabled without performing any operations.

  • Key detected in the TPM without a certificate. Due to the missing certificate this device is unable to perform LSP. Opengear Support Required!
    The device contains a key but no certificate. This should not happen in the field, and the device will require that the customer contact Opengear Support. It may require an RMA.

  • No existing Lighthouse enrollment found, proceeding with LSP.
    No existing Lighthouse is configured, LSP is able to proceed.

  • Running LSP Docker container.
    The docker container has started.

  • LSP Docker container has finished executing.
    The docker container has finished.

  • Configuring Lighthouse enrollment.
    Lighthouse enrollment configuration has started.

  • Lighthouse enrollment configuration applied successfully.
    Lighthouse enrollment configuration has completed.

  • No Internet connectivity.
    The device has no Internet connectivity and does not have a cellular modem, LSP will retry in 60s.

  • Could not confirm Internet connectivity. Enabling failover.
    The device could not reach the Internet with the ethernet interfaces, failover will be enabled on the cellular interface.

Exit Codes

The LSP process returns an exit code depending on the status of the process:

Each entry gives the Code and Name, with the Definition on the indented lines below:

  • 0 EXIT_SUCCESS
    LSP completed successfully without error.
    Lighthouse is now enrolling, or
    Lighthouse is already configured and LSP doesn’t have to run, or
    The device is not an LSP node.

  • 151 EXIT_RETRY
    LSP failed, but will retry.

  • 152 EXIT_UNRECOVERABLE_ERROR
    LSP failed but will not succeed, support is required.

  • 153 EXIT_STOP
    LSP has stopped during execution. It can be started manually.
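
Exit code 0 covers three different outcomes, so it does not by itself show that LSP enrolled the node; the log messages are needed to tell them apart. The script below is an added example, not Opengear code: it combines the documented exit codes, log messages and marker file into one triage verdict. The function names and the sample journal lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Opengear code. Log messages, exit codes and the marker path
# are the ones documented above; function names and sample lines are constructed.
LSP_MARKER="${LSP_MARKER:-/var/lib/lsp/.lsp-disabled}"

# Constructed journal excerpt: one failed connectivity check, then a full run.
sample_journal() {
    cat <<'EOF'
lsp: Device is LSP enabled.
lsp: No Internet connectivity.
lsp: Device is LSP enabled.
lsp: No existing Lighthouse enrollment found, proceeding with LSP.
lsp: Running LSP Docker container.
lsp: LSP Docker container has finished executing.
lsp: Configuring Lighthouse enrollment.
lsp: Lighthouse enrollment configuration applied successfully.
EOF
}

# Most recent documented stage in journal text read from stdin.
lsp_stage() {
    awk '/Device is LSP enabled/ { s = "lsp-enabled" }
         /No existing Lighthouse enrollment found/ { s = "proceeding" }
         /Running LSP Docker container/ { s = "container-running" }
         /LSP Docker container has finished executing/ { s = "container-finished" }
         /Configuring Lighthouse enrollment/ { s = "configuring" }
         /Lighthouse enrollment configuration applied successfully/ { s = "configured" }
         /Key detected in the TPM without a certificate/ { s = "tpm-cert-missing" }
         END { print (s == "" ? "no-lsp-messages" : s) }'
}

# Number of logged connectivity failures (either documented message).
lsp_net_failures() {
    grep -c -e 'No Internet connectivity' -e 'Could not confirm Internet connectivity' || true
}

# The service only runs while the marker file is absent.
lsp_can_run() { [ ! -e "$LSP_MARKER" ]; }

# Verdict from exit code $1 and journal file $2. Exit 0 alone is ambiguous
# (enrolling, already configured, or not an LSP node), so the log decides.
lsp_triage() {
    stage=$(lsp_stage < "$2")
    case "$1" in
        0)   [ "$stage" = configured ] && echo "EXIT_SUCCESS: enrolling via LSP" \
                 || echo "EXIT_SUCCESS: LSP did not configure an enrollment" ;;
        151) echo "EXIT_RETRY: stage=$stage net_failures=$(lsp_net_failures < "$2")" ;;
        152) echo "EXIT_UNRECOVERABLE_ERROR: stage=$stage, contact support" ;;
        153) echo "EXIT_STOP: start manually" ;;
        *)   echo "unknown exit code $1" ;;
    esac
}
```

On a device, the journal text would come from journalctl -u lsp saved to a file; how the exit code is collected is left to the caller.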

Accessing Lighthouse Service Portal

Register an account / log in to Lighthouse Service Portal

Visit portal.opengear.com.

If not already registered, click the user icon and select Register to initiate the process.

Log in to the portal with your credentials.

Dashboard

The LSP Dashboard shows any assets with recent activities such as enrollment, call homes, enrollment package assignments, and more.

Permissions

Initially, only the user who originally received the Lighthouse License Key has access to the full LSP menu. Other users can be promoted in two ways:

  1. Navigate to the Access Request page and send a request to an LSP admin inside your organization.

  2. Open a Support Case or reach out to your Sales Rep directly to request access.

There are three different roles inside LSP:

  1. Account Admin
    Account Admins have full administrative control. They can create and manage groups, invite new users, and assign roles. With the ability to adjust access and oversee packages, they have comprehensive visibility to steer team success.

  2. LSP Admin
    LSP Admins can create and distribute packages. The ability to set enrollment triggers helps automate workflows, keeping operations running smoothly and efficiently.

  3. LSP View Only User
    LSP View Only Users have a streamlined view of LSP. They can explore the platform, familiarize themselves with the landscape, and request elevated access when needed.

ENROLLMENT SETTINGS

This is where you create a new Enrollment Package and configure Enrollment preferences.

First, an admin should create at least one Enrollment Package. This package includes the Lighthouse IP, Bundle/Token, and API Port, so that your node can use this information to enroll to the desired Lighthouse instance.

There are four possible enrollment preference scenarios:

  1. Both Automatic Enrollment Triggering and Default Enrollment Packages are Disabled
    Nodes must be manually assigned enrollment packages and approved before the system sends the enrollment package. Approval is only possible after nodes have performed a "call home" action.

  2. Both Automatic Enrollment Triggering and Default Enrollment Package are Enabled
    Nodes automatically receive a default enrollment package immediately upon calling home; no manual intervention is required.

  3. Automatic Enrollment Triggering is Enabled and the Default Enrollment Package is Disabled
    Nodes must have an enrollment package manually assigned after calling home, but do not require manual approval.

  4. Automatic Enrollment Triggering is Disabled and Default Enrollment Package is Enabled
    Nodes automatically inherit the default package upon calling home but require manual approval before the package details are sent.

ASSETS

The assets tab shows all available assets (LSP enabled or not). You can assign enrollment packages to specific assets.

Possible Actions for each asset:

1. Approve: You can approve a call home action (if using manual enrollment).

2. Clear: You can clear a node of previous enrollment package information.

USER MANAGEMENT

The User Management tab allows you to invite new users to the Opengear Customer Portal, create new custom groups for permissions, and more.

Understanding the Roles inside LSP

Account Admin

  Permission:
  • Create Groups
  • Invite/Create Users
  • Promote Users
  • Revoke Account/LSP Admin
  • Set Enrollment Triggering
  • Create Package
  • Assign Packages
  • Set Enrollment Triggering preferences

  Visibility:
  • See Current Account and Child
  • Note: When Creating a Group, Can see the Entire Account Structure Including Parent/Child/Sibling

  Creation: License Key Owner

LSP Admin

  Permission:
  • Create Package
  • Assign Packages
  • Set Enrollment Triggering preferences

  Visibility: See Current Account and Child

  Creation:
  • Promoted by Account Admin
  • Promoted by Opengear Support or Sales team

LSP View Only User

  Permission:
  • View Only of LSP
  • Request Account/LSP Admin permission

  Visibility: See Current Account and Child

  Creation: All Portal Users

LSP Admins can promote or demote users inside your organization.