Digi Cellular Family User's Guide



Chapter 4: Digi device administration

This chapter discusses the administration tasks that need to be performed on Digi devices periodically, such as file management, changing the password used for logging onto the device, backing up and restoring device configurations, updating firmware and Boot/POST code, restoring the device configuration to factory defaults, and rebooting the device. As with device configuration and monitoring, it covers performing administrative tasks through a variety of device interfaces, including web and command-line interfaces.

Administration from the web interface

The Administration section of the web interface main menu provides the following choices:

File Management: For uploading and managing files, such as custom web pages, applet files, and initialization files. See "File management" on page 184.

Python Program File Management: For uploading custom programs in the Python programming language to Digi devices and configuring the programs to execute automatically at startup. See "Python® program management" on page 149.

X.509 Certificate/Key Management: For loading and managing X.509 certificates and public/private host key pairs that are part of public key infrastructure (PKI) based security. See page 185.

Backup/Restore: For backing up or restoring a device’s configuration settings. See "Backup/restore device configurations" on page 188.

Update Firmware: For updating firmware, including Boot and POST code. See "Update firmware and Boot/POST Code" on page 189.

Factory Default Settings: For restoring a device to factory default settings. See "Restore a device configuration to factory defaults" on page 190.

System Information: For displaying general system information for the device and device statistics. See "Display system information" on page 192.

Reboot: For rebooting the device. See "Reboot the Digi device" on page 192.

These administrative tasks are organized elsewhere in the web interface:

Enable and disable network services. See "Network services settings" on page 63.

Enable password authentication for the Digi device. See "Security settings" on page 144.


File management

The File Management page of the web interface uploads custom files to a Digi device, such as the files for a custom applet, or a custom image file of your company logo. Custom applets allow the flexibility to alter the interface either by adding a different company logo, changing colors, or moving information to different locations. If custom applets or the sample Java applet is not used, using this feature is not necessary.

Uploading files

To upload files to a Digi device, enter the file path and name for the file, or click Browse to locate and select the file, and click Upload.

Delete files

To delete files from a Digi device, select the file from the list under Manage Files and click Delete.

Custom files are not deleted by device reset

Any files uploaded to the file system of a Digi device from the File Management page are not deleted by restoring the device configuration to factory defaults, or by pressing the Reset button on the device (see "Restore a device configuration to factory defaults" on page 190). This deletion is prevented so that customers with custom applets and custom factory defaults can retain them on the device and not have them deleted by a reset. Such files can only be deleted by the Delete operation, described above.


X.509 Certificate/Key Management

The X.509 Certificate/Key Management pages are for loading and managing X.509 certificates and public/private host key pairs that are part of public key infrastructure (PKI) based security. There are separate pages of settings for the certificate databases and key management.

Certificate Authorities (CAs) / Certificate Revocation Lists (CRLs)

The Certificate Authority (CA) database is used to load certificate authority digital certificates.

A certificate authority (CA) is a trusted third party which issues digital certificates for use by other parties. Digital certificates issued by the CA contain a public key. The certificate also contains information about the individual or organization to which the public key belongs. A CA verifies digital certificate applicants' credentials. The CA certificate allows verification of digital certificates, and the information contained therein, issued by that CA.

The Certificate Revocation List (CRL) database is used to load certificate revocation lists for loaded CAs. A certificate revocation list (CRL) is a file that contains the serial numbers of digital certificates issued by a CA which have been revoked, and should no longer be trusted. Like CAs, CRLs are a vital part of a public key infrastructure (PKI). The digital certificate of the corresponding CA must be installed before the CRL can be loaded.

Upload Certificate Authority Certificates and Certificate Revocation Lists: Use this section to upload certificate authority (CA) certificates, or certificate revocation list (CRL) files. Files may be in ASN.1 DER or PEM Base64 encoded formats.

Installed Certificate Authority Certificates: Lists any certificate authority certificates that are loaded in the Certificate Authority database.

Installed Certificate Authority Certificate Revocation Lists: Lists any certificate authority certificate revocation lists that are loaded in the Certificate Revocation List database.

Obtain CA certificates from a SCEP Server: Use this section to specify the SCEP server from which CA certificates should be obtained. Note: Certificates must be accepted by the operator to be used for any purpose.

Installed SCEP Certificate Authority Certificates: Lists any Simple Certificate Enrollment Protocol (SCEP) certificate authority certificates that are installed.


Virtual Private Network (VPN) Identities

The Virtual Private Networking (VPN) Identities database is used to load host certificates and keys. Identity certificates and keys allow for IPSec authentication and secure key exchange with ISAKMP/IKE using RSA or DSA signatures. The VPN identity certificate must be issued by a CA trusted by the peer.

Upload VPN Identity Keys and Certificates: Use this section to upload VPN RSA or DSA identity keys and certificates. Identity certificate and key files may be in ASN.1 DER or PEM Base64 encoded formats. If the host key file is encrypted, a password is required.

Installed VPN Identity Certificates: Lists any identity certificates that are loaded in the VPN Identities database.

Installed VPN Identity Keys: Lists any identity keys that are in the VPN Identities database.

Key Generation / Enrollment: Sets parameters for handling enrollment requests.

Pending SCEP Enrollment Requests: Lists Simple Certificate Enrollment Protocol (SCEP) requests that are pending approval.


Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Certificates

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) databases are used to load host certificates and keys, as well as peer certificates and revocations.

Identity Certificates and Keys

Upload SSL/TLS Identity Keys and Certificates: Use this section to upload SSL/TLS RSA or DSA identity keys and certificates. Identity certificate and key files may be in ASN.1 DER or PEM Base64 encoded formats. If the host key file is encrypted, a password is required.

Installed SSL and TLS Identity Certificates: Lists the identity certificates that are installed in the SSL and TLS databases.

Installed SSL/TLS Identity Keys: Lists the identity keys that are installed in the SSL and TLS databases.

Trusted Peer Certificates

Upload SSL/TLS Trusted Peer Certificates: Use this section to upload SSL/TLS trusted peer certificate files. Files may be in ASN.1 DER or PEM Base64 encoded formats.

Installed SSL/TLS Trusted Peer Certificates: Lists the trusted peer certificates that have been loaded into the SSL and TLS databases.

Untrusted Revoked Certificates

Upload SSL/TLS Untrusted Revoked Certificates: Use this section to upload SSL/TLS untrusted revoked certificates to the database. Files may be in ASN.1 DER or PEM Base64 encoded formats.

Installed SSL/TLS Untrusted Revoked Certificates: Lists the untrusted revoked certificates that have been loaded into the SSL and TLS databases.

Secure Shell (SSH) Hostkeys

The Secure Shell (SSHv2) Hostkeys database is used to load host private keys. SSHv2 host keys are used for authentication with SSHv2 clients and secure key exchange. A default 1024-bit DSA key is generated automatically if none exists when the device boots.
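The automatically generated default described above is a 1024-bit DSA key, a type that current OpenSSH clients no longer accept by default. As an added example (not part of the Digi guide or Digi software), this Python code reads an OpenSSH-format public host key line and reports its type and size, so a device still presenting the default key can be identified and given an uploaded host key. The sample keys are constructed and non-functional, and MIN_RSA_BITS is an assumed policy value.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy threshold, not taken from the manual


def read_fields(blob):
    """Split an SSH wire-format public key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def audit_host_key(line):
    """Return (key_type, bits, verdict) for a 'type base64 [comment]' public key line."""
    key_type, b64 = line.split()[:2]
    fields = read_fields(base64.b64decode(b64, validate=True))
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type label does not match the encoded blob")
    if key_type == "ssh-dss" and len(fields) == 5:      # type, p, q, g, y
        bits = int.from_bytes(fields[1], "big").bit_length()
        return key_type, bits, "weak: DSA host key"
    if key_type == "ssh-rsa" and len(fields) == 3:      # type, e, n
        bits = int.from_bytes(fields[2], "big").bit_length()
        return key_type, bits, "ok" if bits >= MIN_RSA_BITS else "weak: short RSA modulus"
    raise ValueError("unsupported or malformed key: " + key_type)


def sample_line(key_type, *ints):
    """Build a constructed (non-functional) key line from integers of chosen sizes."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    for n in ints:
        # mpint encoding: the extra byte becomes a leading 0x00 when the top bit is set
        raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
        blob += struct.pack(">I", len(raw)) + raw
    return key_type + " " + base64.b64encode(blob).decode() + " constructed-sample"


SAMPLE_DSA = sample_line("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3)
SAMPLE_RSA = sample_line("ssh-rsa", 65537, (1 << 2047) | 1)

if __name__ == "__main__":
    for sample in (SAMPLE_DSA, SAMPLE_RSA):
        print(audit_host_key(sample))
```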

Upload SSH Host Keys: Use this section to upload SSH RSA or DSA hostkeys. Key files may be in ASN.1 DER or PEM Base64 encoded formats. If the host key file is encrypted, a password is required.

Installed SSH Host Keys: Lists the host keys that have been loaded into the SSH Hostkeys database.
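The upload sections above accept ASN.1 DER or PEM Base64 files and require a password when a host key file is encrypted. As an added example (not part of the Digi guide or Digi software), this Python code checks a file before upload: which encoding it uses, what its PEM label says it contains, and whether it is an encrypted key. The sample input is constructed filler rather than a real certificate, and raw DER files are only checked for a well-formed outer SEQUENCE.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY = "private key"
KINDS = {"CERTIFICATE": "certificate", "X509 CRL": "certificate revocation list",
         "RSA PRIVATE KEY": KEY, "DSA PRIVATE KEY": KEY,
         "PRIVATE KEY": KEY, "ENCRYPTED PRIVATE KEY": KEY}


def is_single_der_sequence(data):
    """True if data is exactly one ASN.1 SEQUENCE (tag 0x30) whose length matches."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                       # short-form length
        return len(data) == 2 + data[1]
    n = data[1] & 0x7F                       # long form: n length octets follow
    if not 1 <= n <= 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_upload(data):
    """Describe a file before upload: encoding, kind, and whether a password is needed."""
    m = PEM_RE.search(data)
    if m is None:
        if not is_single_der_sequence(data):
            raise ValueError("neither PEM nor a single DER SEQUENCE")
        return {"encoding": "DER", "kind": "undetermined", "needs_password": None}
    label, body = m.group(1).decode(), m.group(2)
    kind = KINDS.get(label)
    if kind is None:
        raise ValueError("unexpected PEM label: " + label)
    # Legacy OpenSSL encrypted keys put RFC 1421 headers ahead of the Base64 body.
    legacy_encrypted = b"Proc-Type: 4,ENCRYPTED" in body
    if not legacy_encrypted and not is_single_der_sequence(base64.b64decode(body)):
        raise ValueError("PEM body is not a single DER SEQUENCE (truncated file?)")
    encrypted = legacy_encrypted or label == "ENCRYPTED PRIVATE KEY"
    return {"encoding": "PEM", "kind": kind, "needs_password": encrypted}


# Constructed sample: a 4-byte DER header plus 256 filler bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(classify_upload(SAMPLE_PEM))
    print(classify_upload(SAMPLE_DER))
```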


Backup/restore device configurations

Once a Digi device is configured, backing up the configuration settings is recommended in case problems occur later, firmware is upgraded, or hardware is added. If multiple devices need to be configured, the backup/restore feature can be used as a convenience, where the first device’s configuration settings are backed up to a file, then the file is loaded onto the other devices.

This procedure shows how to back up or restore the configuration to a server and download a configuration from a server to a file or TFTP.

If using TFTP, ensure that the TFTP program is running on a server.

In the web interface:

1. From the Main menu, click Administration > Backup/Restore. The Backup/Restore page is displayed.

2. Choose the appropriate option (Backup or Restore) and select the file.


Update firmware and Boot/POST Code

The firmware and/or boot/POST code for a Digi device can be updated from a file on a PC or through TFTP. The recommended method is to download the firmware to a local hard drive. TFTP is supported for those using UNIX systems. Both the firmware and the boot/POST code are updated using the same set of steps. The Digi device automatically determines the type of image being uploaded. Before uploading the firmware or the boot/POST code, it is very important to read the Release Notes supplied with the firmware to check if the boot/POST code must be updated before updating the firmware.

Prerequisites

These procedures assume that:

A firmware file has already been downloaded from digi.com.

If using TFTP, that the TFTP server is running.

Update firmware from a file on a PC

1. From the Main menu, click Administration > Update Firmware. The Update Firmware page is displayed.

2. Enter the name of the firmware or POST file in the Select Firmware edit box, or click Browse to locate and select the firmware or POST file.

3. Click Update.

Important: DO NOT close the browser until the update is complete and a reboot prompt has been displayed.

Update Firmware from a TFTP Server

Updating firmware from a TFTP server is done from the command-line interface using the boot command. It cannot be done from the web interface. For details, see "Administration from the command-line interface" on page 193.


Restore a device configuration to factory defaults

Restoring a Digi device to its factory default settings clears all current configuration settings except the IP address settings and host key settings. In addition, any files that were loaded into the device through the File Management page, such as custom-interface files and applet files, are retained. See "File management" on page 184 for information on loading and deleting files.

There are two ways to reset the device configuration of a Digi device to the factory default settings: from the web interface and using the reset button or, in some cases, the reset signal, on the Digi device.

Settings cleared and retained during factory reset

The Restore Factory Defaults operation clears all current settings except the IP address settings and host key settings. This is the best way to reset the configuration, because the settings can also be backed up using the Backup/Restore operation, which provides a means for restoring it after the configuration issues have been resolved.

Using the web interface

1. Make a backup copy of the configuration using the Backup/Restore operation, described on page 188.

2. From the Main menu, click Administration > Factory Default Settings. The Factory Default Settings page is displayed.

3. Choose whether to keep the network settings for the device, such as the IP address, and click Restore.


Using the Reset button

If the Digi device cannot be accessed from the web interface, the configuration can be restored to factory defaults by using the Reset button.

1. Power off the Digi device.

2. Locate the Reset button or pin on your device.

3. Hold the Reset button down gently with a non-conductive, small diameter tool (such as wood or plastic) with a blunt end (NOT SHARP or the button could be damaged). Power on the device while holding the Reset button down.

4. After a few seconds you may see a 1-1-1 blink once on some devices.

5. Wait until you see the Status LED blink a 1-5-1 pattern, then release the reset button.

6. Wait for the device to boot up. At this time, the configuration is returned to factory defaults.

7. Now, if desired, power off the device, though this is not necessary. Powering off the device before releasing the button guarantees the configuration will NOT be reverted. Powering off the device just after releasing the button will result in an unknown configuration, possibly having some or all settings reverted to defaults.


Display system information

System information displays the model, MAC address, firmware version, boot version, and POST version of the Digi device. It also displays memory available: total, used, and free, and tracks CPU percent utilization and the uptime.

From the web interface menu, select Administration > System Information. Select General, Serial, Network, or Diagnostics for the appropriate information. For descriptions of the information displayed on these screens, see page 160.

Reboot the Digi device

Changes to some device settings require saving the changes and rebooting the Digi device. To reboot a Digi device:

1. From the web interface menu, select Administration > Reboot.

2. On the Reboot page, click the Reboot button. Wait approximately 1 minute for the reboot to complete.

Enable/disable access to network services

As needed, enable and disable access to various network services, such as ADDP, RealPort, SNMP, and Telnet. For example, for performance and security reasons, it may be desirable to disable access to all network services not necessary for running or interfacing with the Digi device. In the web interface, enabling and disabling network services is done on the Network Services settings page for a Digi device. See "Network services settings" on page 63.


Administration from the command-line interface

Administrative tasks for Digi devices can also be performed from the command line. Here are several device-administration tasks and the commands used to perform them. See the Digi Connect Family Command Reference for more complete command descriptions.

Administrative task: Command

Backup/restore a configuration from a TFTP server on the network: backup

Update firmware: boot

    Telnet to the Digi device's command line interface using a telnet application or hyperterm.

    If security is enabled for the Digi device, a login prompt is displayed. The default username is “root” and the default password is “dbps”. If these defaults do not work, contact the system administrator who set up the device.

    Issue the command:

    #> boot load=tftp-server-ip:filename

    where tftp-server-ip is the IP address of the TFTP server that contains the firmware, and filename is the name of the file to upload.

Reset configuration to factory defaults: revert or boot action=factory

Display system information and statistics: info

Reboot the device: boot

Enable/disable network services: set service
