Dell Prerequisites#

  • A Linux* PC or Windows* PC on the same network as the edge node, to run the RACADM command line tool that loads the HTTPS certificates into iDRAC on the edge node. Only RACADM can be used for this task; it is not currently possible to load certificates through the Web based iDRAC interface.

Edge Node Requirements#

Hardware Requirements#

Dell PowerEdge* XR12 Rack Server

  • Intel® Xeon® processor 4314 (single socket)

  • BIOS version 1.12.1 or higher

  • iDRAC firmware version 7.00.60.00 or higher

  • 128GB RAM

  • 1/2/3 SSDs (Minimum 1 SSD with 500GB)

  • Intel® Ethernet Network Adapter X710-T2L Dual Port 10GbE BASE-T

  • USB drive (minimum 4GB)

Prepare Dell iDRAC#

Enable UEFI Secure Boot (Optional)#

Secure Boot (SB) is disabled by default. To enable it, follow the steps below to configure SB in the BIOS. After that, refer to the instructions in Secure Boot opt in feature for enabling SB in Edge Orchestrator.

Enabling Secure Boot is optional, but recommended.

  1. Navigate to Configuration > BIOS Settings > System Security.

  2. Set Secure Boot to Enabled.

  3. Set Secure Boot Policy to Custom.

  4. Set Secure Boot Mode to User Mode.

  5. Go to TPM Security and set the value to On.

  6. Go to TPM Advanced Settings and set TPM2 Algorithm Selection to SHA256.

Reset or Clear TPM#

Clear the TPM hierarchy, then re-enable it. Clearing discards every key and authorization value the TPM currently holds, so do this on a node that is about to be provisioned, not on one whose TPM-held keys are still needed.

  1. Navigate to Configuration > BIOS Settings > System Security.

  2. Select TPM Hierarchy and select Clear from the drop-down menu.

  3. Click Apply and then Reboot.

  4. Go back to the Configuration > BIOS Settings > System Security.

  5. Select TPM Hierarchy and choose Enable from the drop-down menu.

  6. Click Apply and then Reboot.
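The BIOS menu steps above leave nothing that can be re-checked from a script. As an added example (not part of this documentation or of the Edge Orchestrator project), the POSIX shell snippet below verifies over RACADM that the System Security settings from both procedures are in effect before provisioning starts, and optionally stages the same settings over RACADM instead of the BIOS menu. Assumptions, all to be checked against your own iDRAC with `racadm get BIOS.SysSecurity` and the RACADM reference for your firmware: the attribute names and value spellings in EXPECTED_SYSSECURITY, the one-Name=Value-per-line output format of `racadm get`, the `racadm set BIOS.SysSecurity.<Name> <Value>` form, and the BIOS.Setup.1-1 job that applies staged BIOS attributes. LOGIN is the connection string defined later in Install RACADM on Linux PC.

```shell
#!/bin/sh
# Added example, not from the Edge Orchestrator documentation: confirm over
# RACADM that the System Security settings from the Secure Boot and TPM
# procedures are in effect, so provisioning never starts on a node whose
# Secure Boot is still off or whose TPM hierarchy is still cleared.
#
# Assumptions (verify with 'racadm get BIOS.SysSecurity' on your iDRAC):
# the attribute names and value spellings below, and that racadm prints
# one Name=Value per line. LOGIN is set in 'Install RACADM on Linux PC'.

# What the two procedures ask for, as Name=Value lines.
EXPECTED_SYSSECURITY='SecureBoot=Enabled
SecureBootPolicy=Custom
SecureBootMode=UserMode
TpmSecurity=On
Tpm2Hierarchy=Enabled
Tpm2Algorithm=SHA256'

# check_syssecurity OUTPUT: OUTPUT is the text printed by
# 'racadm get BIOS.SysSecurity'. Prints one line per attribute that is
# missing or differs and returns 1; prints nothing and returns 0 on a match.
check_syssecurity() {
    out=$1
    mismatches=$(printf '%s\n' "$EXPECTED_SYSSECURITY" | while IFS='=' read -r name want; do
        # anchored exact-name match: "^SecureBoot=" does not hit SecureBootPolicy
        got=$(printf '%s\n' "$out" | sed -n "s/^${name}=//p" | head -n 1)
        [ "$got" = "$want" ] || echo "$name: got '${got:-<missing>}', want '$want'"
    done)
    [ -z "$mismatches" ] || { printf '%s\n' "$mismatches"; return 1; }
}

# verify_node: query the real iDRAC (not run by the test).
verify_node() {
    check_syssecurity "$(racadm ${LOGIN} get BIOS.SysSecurity)"
}

# apply_syssecurity: stage the same settings over RACADM instead of the BIOS
# menu, then schedule the BIOS job that applies them at the next power cycle.
# Assumption: the 'racadm set' and 'jobqueue create BIOS.Setup.1-1' forms
# below; check both against the RACADM reference for your iDRAC firmware.
# The TPM clear/enable cycle is deliberately not automated here.
apply_syssecurity() {
    printf '%s\n' "$EXPECTED_SYSSECURITY" | while IFS='=' read -r name value; do
        racadm ${LOGIN} set "BIOS.SysSecurity.${name}" "$value" || exit 1
    done || return 1
    racadm ${LOGIN} jobqueue create BIOS.Setup.1-1 -r pwrcycle -s TIME_NOW
}

# Usage after the node has rebooted with the new settings:
#   verify_node && echo "System Security settings verified"
```

Run verify_node after the second reboot of the TPM procedure; a non-zero exit with the printed mismatch list is the signal to go back to the BIOS menu rather than continue with certificate enrollment.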

RACADM on Linux* PC#

Note

Because of limitations in Integrated Dell* Remote Access Controller (iDRAC), it is not possible to load certificates through the iDRAC Web UI, so it must be done through the RACADM tool. This section describes how this can be done on the Linux PC. See the alternative approach using a Windows* PC at RACADM on Windows PC.

Install RACADM on Linux PC#

  1. On a local Linux machine, download and install iDRAC tools.

  2. Use the readme.txt file in the iDRAC installation folder to install RACADM.

  3. Run the following commands in a terminal.

    # Install wget if not already installed
    sudo apt-get update
    sudo apt-get install -y wget
    # Install the libssl-dev package if not already installed on the host machine.
    sudo apt-get install -y libssl-dev
    
    NODE_BMC_IP="Your iDRAC IP"
    NODE_BMC_USER="Your iDRAC username"
    NODE_BMC_PWD="Your iDRAC password"
    
    CLUSTER_FQDN="Your cluster FQDN established when deploying Edge Orchestrator"
    TINK_FQDN=tinkerbell-nginx.${CLUSTER_FQDN}
    
    # RACADM login options, reused by every racadm command below.
    # --nocertwarn only suppresses the warning about the iDRAC's untrusted
    # HTTPS certificate; racadm still does not verify it. The password is
    # passed on the command line, so it is visible in the process list and
    # in the shell history while this session lasts.
    LOGIN="-r ${NODE_BMC_IP} -u ${NODE_BMC_USER} -p ${NODE_BMC_PWD} --nocertwarn"
    

Import Certificates with Linux PC#

First, download all the certificates to be uploaded.

For iPXE and HookOS, independent of the final operating system:

Note

Ensure that you understand the proxy settings in your network. If the curl or wget operation fails, verify the network proxy settings.

wget https://"${TINK_FQDN}"/tink-stack/keys/db.der  --no-check-certificate -O "db.der"

db.der is the DER-encoded certificate whose public key the firmware uses to trust ipxe.efi and HookOS under Secure Boot. Because the download above skips TLS verification of the orchestrator, compare the certificate's SHA-256 fingerprint (openssl x509 -inform DER -in db.der -noout -fingerprint -sha256) with a value obtained out of band from the orchestrator administrator before enrolling it: whatever is enrolled becomes a trusted signer for everything the node boots.

For Edge Microvisor Toolkit, if Secure Boot (SB) is enabled (not required for Ubuntu):

  1. Download the db-emt.der file from the Release Service.

    The Repository URL path of the Edge Microvisor Toolkit can be found by looking at the OS Profile you are trying to install and copying the Repository URL value manually, without the .raw.gz suffix. The microvisor image version (osImageVersion) can be taken from the microvisor profile defined in the OS profile. Alternatively, both can be acquired using the Edge Orchestrator API; see the section Acquiring the Edge Microvisor Toolkit repository URL path from Edge Orchestrator API.

    Set the variables below to the correct values, as in the example, and run the resulting command. Make sure that the resulting HTTP status is 200 and that the file is saved as db-emt.der, the name the racadm import command below expects.

    export FILES_RS_URL=<Files Release Service URL>
    export MICROVISOR_REPO_URL=<Repository URL path to OS Image without .raw.gz extension>
    export OS_IMAGE_VERSION=<Microvisor Image Version>
    
    # Example values for the variables:
    # export FILES_RS_URL=files-rs.edgeorchestration.intel.com
    # export OS_IMAGE_VERSION=3.0.20250324.1008
    # export MICROVISOR_REPO_URL=files-edge-orch/repository/microvisor/non_rt/edge-readonly-$OS_IMAGE_VERSION-signed
    
    # Download the microvisor .der file as db-emt.der and print the HTTP status.
    # -f makes curl exit with an error on an HTTP 4xx/5xx instead of saving the error page as db-emt.der.
    curl -fsS -o db-emt.der --write-out "HTTP Status: %{http_code}\n" "https://${FILES_RS_URL}/${MICROVISOR_REPO_URL}.der"
    
    # With the example values above, the URL expands to:
    # https://files-rs.edgeorchestration.intel.com/files-edge-orch/repository/microvisor/non_rt/edge-readonly-3.0.20250324.1008-signed.der
    

Finally, upload the certificates to the server with the racadm commands below and reboot the device.

Note

The racadm commands print the following warning:

Security Alert: Certificate is invalid - Certificate is not signed by Trusted Third Party Continuing execution. Use -S option for racadm to stop execution on certificate-related err

This is expected: racadm reports that it cannot verify the iDRAC's HTTPS certificate against a trusted CA and continues anyway. The commands complete normally. Since the iDRAC's identity is not verified, the credentials in LOGIN are sent to whatever answers at NODE_BMC_IP, so run these commands only from a management network you trust.

# Import BIOS Certificate for iPXE and HookOS
racadm ${LOGIN} bioscert import -t 2 -k 0 -f db.der

# Import BIOS Certificate (Only required for Edge Microvisor Toolkit in case Secure Boot is enabled)
racadm ${LOGIN} bioscert import -t 2 -k 0 -f db-emt.der

# Reboot or Power Cycle in this step only if USB assisted boot is used
racadm ${LOGIN} serveraction powercycle

Full_server.crt is the provisioning certificate used during HTTPS boot.

Note

Skip the following part for “USB assisted boot” as there is no need to enroll the httpsbootcert.

wget https://"${TINK_FQDN}"/tink-stack/keys/Full_server.crt  --no-check-certificate -O "full_server.crt"

# Import HTTPS Boot Certificate:
racadm ${LOGIN} httpsbootcert import -i 1 -f full_server.crt

# Reboot or Power Cycle
racadm ${LOGIN} serveraction powercycle
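Both download commands above disable TLS verification, and wget -O / curl -O save whatever the server returns, so an HTML error page, a PEM file or a truncated transfer can end up in db.der and be handed to bioscert import. As an added example (not part of this documentation or of the Edge Orchestrator project), the POSIX shell gate below rejects such files and checks the certificate's SHA-256 against a fingerprint obtained out of band before enrolling it; the same checks apply to the Windows procedure in the next section. It uses only od, wc and sha256sum (or shasum), assumes LOGIN is defined as in Install RACADM on Linux PC, and the EXPECTED_*_SHA256 values in the usage comment are placeholders you must obtain from the orchestrator administrator.

```shell
#!/bin/sh
# Added example, not from the Edge Orchestrator documentation: sanity-check a
# certificate downloaded with --no-check-certificate / --insecure before
# handing it to 'racadm bioscert import'. Whatever is enrolled becomes a
# trusted signer for everything the node boots.
#
# Check 1: the file is one complete DER SEQUENCE (the outer structure of an
#          X.509 certificate) whose encoded length equals the file size.
# Check 2: its SHA-256 equals a fingerprint obtained out of band from the
#          orchestrator administrator. That is the value
#          'openssl x509 -inform DER -in FILE -noout -fingerprint -sha256'
#          prints, without the colons. The EXPECTED_* values are placeholders.

# der_sequence_len FILE: print the byte count the outer DER SEQUENCE claims
# (header plus content). Fail if FILE does not start with a SEQUENCE header.
der_sequence_len() {
    f=$1
    # first six bytes as unsigned decimals: tag, length byte, up to two more
    set -- $(od -An -tu1 -N6 "$f")
    [ "${1:-0}" -eq 48 ] || return 1               # 0x30 = SEQUENCE
    len=${2:-0}
    if [ "$len" -lt 128 ]; then                    # short form: length in this byte
        echo $((len + 2))
    elif [ "$len" -eq 129 ]; then                  # 0x81: length in the next byte
        echo $((${3:-0} + 3))
    elif [ "$len" -eq 130 ]; then                  # 0x82: length in the next two bytes
        echo $((${3:-0} * 256 + ${4:-0} + 4))
    else
        return 1                                   # longer forms are not expected for a certificate
    fi
}

# der_file_ok FILE: succeed only if the claimed length equals the real size,
# which rejects PEM text, HTML error pages and truncated downloads.
der_file_ok() {
    claimed=$(der_sequence_len "$1") || return 1
    actual=$(wc -c < "$1" | tr -d ' ')
    [ "$claimed" -eq "$actual" ]
}

# sha256_of FILE: lowercase hex digest via sha256sum or shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# cert_ok FILE EXPECTED_SHA256: both checks; explains the failure on stderr.
cert_ok() {
    der_file_ok "$1" || { echo "$1: not a complete DER certificate" >&2; return 1; }
    got=$(sha256_of "$1")
    [ "$got" = "$2" ] || { echo "$1: sha256 $got, expected $2" >&2; return 1; }
}

# enroll_db_cert FILE EXPECTED_SHA256: gate, then import into the BIOS db with
# the same racadm command as the procedure, and list what is now enrolled.
# LOGIN is the variable set in the install section. Not run by the test.
enroll_db_cert() {
    cert_ok "$1" "$2" || return 1
    racadm ${LOGIN} bioscert import -t 2 -k 0 -f "$1" || return 1
    racadm ${LOGIN} bioscert view --all
}

# Usage after the wget/curl commands above (fingerprints are placeholders):
#   EXPECTED_DB_SHA256="<sha256 hex obtained out of band>"
#   enroll_db_cert db.der "$EXPECTED_DB_SHA256"
#   enroll_db_cert db-emt.der "$EXPECTED_EMT_SHA256"   # only for EMT with Secure Boot
```

The structural check is deliberately shallow: it proves the bytes are a single well-formed DER object of the right size, not that they are a valid certificate. The fingerprint comparison is what actually binds the file to the key you intended to trust; the DER check just turns the most common download failures into a clear error instead of a confusing racadm import failure.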

RACADM on Windows PC#

Note

Because of limitations in Dell iDRAC it is not possible to load certificates through the iDRAC Web UI, so it must be done through the RACADM tool. This section describes how this can be done on a Windows PC. The Linux based alternative is given in the section RACADM on Linux* PC.

Install RACADM on Windows PC#

  1. On the local PC, download and install Dell Remote Access Controller Admin (RACADM).

  2. Launch the command prompt as Administrator.

  3. Go to the RACADM CLI installation directory.

Download and import Certificates with Windows PC#

Importing certificates requires the iDRAC IP address and credentials.

  1. On the Windows PC, launch the command prompt as an administrator.

  2. View the certificates currently enrolled in the BIOS. Run the same command again after the imports below to confirm they were accepted.

    # View certificates
    racadm.exe -r {iDRAC IP address} -u {iDRAC username} -p {iDRAC password} bioscert view --all
    

    Note

    Ensure that you understand the proxy settings in your network. If the curl or wget operation fails, verify the network proxy settings.

  3. Download the certificates to the local PC.

    Note

    Download all certificates necessary to configure the edge node and establish communication with Edge Orchestrator. Edit the curl commands to replace CLUSTER_FQDN with the value established when deploying Edge Orchestrator.

    Navigate to a directory on the PC where the certificates will be stored, for example a certificates\ directory. Go to that directory and run the curl commands below.

For iPXE and HookOS, independent of the final operating system:

# Replace **CLUSTER_FQDN** with the name of the domain of the orchestrator
curl "https://tinkerbell-nginx.${CLUSTER_FQDN}/tink-stack/keys/db.der" -O --insecure

db.der is the DER-encoded certificate whose public key the firmware uses to trust ipxe.efi and HookOS under Secure Boot. Because --insecure skips TLS verification of the orchestrator, compare the certificate's SHA-256 fingerprint with a value obtained out of band from the orchestrator administrator before enrolling it: whatever is enrolled becomes a trusted signer for everything the node boots.

For Edge Microvisor Toolkit, if Secure Boot (SB) is enabled (not required for Ubuntu):

  1. Download the db-emt.der file from the Release Service.

    The Edge Microvisor Toolkit repository URL path can be found by looking at the OS Profile you are trying to install and copying the Repository URL value manually, without the .raw.gz suffix. Alternatively, it can be acquired using the Edge Orchestrator API; see the section Acquiring the Edge Microvisor Toolkit repository URL path from Edge Orchestrator API.

    Set the variables below to the correct values, as in the example, and run the resulting command. Make sure that the resulting HTTP status is 200 and that the file is saved as db-emt.der, the name the racadm import command below expects.

    export FILES_RS_URL=<Files Release Service URL>
    export MICROVISOR_REPO_URL=<Repository URL path to OS Image without .raw.gz extension>
    export OS_IMAGE_VERSION=<Microvisor Image Version>
    
    # Example values for the variables:
    # export FILES_RS_URL=files-rs.edgeorchestration.intel.com
    # export OS_IMAGE_VERSION=3.0.20250324.1008
    # export MICROVISOR_REPO_URL=files-edge-orch/repository/microvisor/non_rt/edge-readonly-$OS_IMAGE_VERSION-signed
    
    # Download the microvisor .der file as db-emt.der and print the HTTP status.
    # -f makes curl exit with an error on an HTTP 4xx/5xx instead of saving the error page as db-emt.der.
    curl -fsS -o db-emt.der --write-out "HTTP Status: %{http_code}\n" "https://${FILES_RS_URL}/${MICROVISOR_REPO_URL}.der"
    
    # With the example values above, the URL expands to:
    # https://files-rs.edgeorchestration.intel.com/files-edge-orch/repository/microvisor/non_rt/edge-readonly-3.0.20250324.1008-signed.der
    
    

Finally, upload the certificates to the server with the racadm commands below and reboot the device.

Note

The racadm commands below print the following warning:

Security Alert: Certificate is invalid - Certificate is not signed by Trusted Third Party Continuing execution. Use -S option for racadm to stop execution on certificate-related err

This is expected: racadm reports that it cannot verify the iDRAC's HTTPS certificate against a trusted CA and continues anyway. The commands complete normally. Since the iDRAC's identity is not verified, the credentials on the command line are sent to whatever answers at that IP address, so run these commands only from a management network you trust.

# Import BIOS Certificate for iPXE and HookOS
racadm.exe -r {iDRAC IP address} -u {iDRAC username} -p {iDRAC password} bioscert import -t 2 -k 0 -f C:\<path_to_certificates>\db.der

# Import BIOS Certificate (only required for Edge Microvisor Toolkit in case Secure Boot is enabled)
racadm.exe -r {iDRAC IP address} -u {iDRAC username} -p {iDRAC password} bioscert import -t 2 -k 0 -f C:\<path_to_certificates>\db-emt.der

# Reboot or Power Cycle in this step only if USB assisted boot is used
racadm.exe -r {iDRAC IP address} -u {iDRAC username} -p {iDRAC password} serveraction powercycle

Note

Skip this part for “USB-assisted boot” as there is no need to enroll the httpsbootcert.

Full_server.crt is the provisioning certificate used during HTTPS boot.

# Replace **CLUSTER_FQDN** with the name of the domain of the orchestrator
curl "https://tinkerbell-nginx.${CLUSTER_FQDN}/tink-stack/keys/Full_server.crt" -O --insecure

# Full_server.crt - TLS authorization with the cluster for HTTPS boot
racadm.exe -r {iDRAC IP address} -u {iDRAC username} -p {iDRAC password} httpsbootcert import -i 1 -f C:\<path_to_certificates>\Full_server.crt

# Reboot or Power Cycle
racadm.exe -r {iDRAC IP address} -u {iDRAC username} -p {iDRAC password} serveraction powercycle