Dell Prerequisites#
A Linux* PC or Windows* PC on the same network as the edge node, to run the RACADM command line tool that loads the HTTPS certificates into iDRAC on the edge node. Only RACADM can be used for this task, as it is not currently possible to load certificates through the web-based iDRAC interface.
Edge Node Requirements#
The Integrated Dell* Remote Access Controller (iDRAC) service configured on the edge node
iDRAC IP address for the edge node (shown on the XR12 LCD)
iDRAC user name and password for the edge node
Two LAN ports: one port for edge node Internet access, one port to connect to the iDRAC PC
The Fully Qualified Domain Name for the Edge Orchestrator (CLUSTER_FQDN).
Hardware Requirements#
Dell PowerEdge* XR12 Rack Server
Intel® Xeon® processor 4314 (single socket)
BIOS version 1.12.1 or higher
iDRAC firmware version 7.00.60.00 or higher
128GB RAM
1/2/3 SSDs (Minimum 1 SSD with 500GB)
Intel® Ethernet Network Adapter X710-T2L Dual Port 10GbE BASE-T
USB drive (minimum 4GB)
Prepare Dell iDRAC#
Enable UEFI Secure Boot (Optional)#
Secure Boot (SB) is disabled by default. To enable it, follow the steps below to configure SB in the BIOS. After that, refer to the instructions in Secure Boot opt in feature for enabling SB in Edge Orchestrator.
Enabling Secure Boot is optional, but recommended.
Navigate to Configuration > BIOS Settings > System Security.
Set Secure Boot to Enabled if needed.
Set Secure Boot Policy to Custom.
Set Secure Boot Mode to User Mode.
Go to TPM Security and set the value to On.
Go to TPM Advanced Settings and set TPM2 Algorithm Selection to SHA256.
Reset or Clear TPM#
Reset the TPM hierarchy and clear TPM.
Navigate to Configuration > BIOS Settings > System Security.
Select TPM Hierarchy and select Clear from the drop-down menu.
Click Apply and then Reboot.
Go back to Configuration > BIOS Settings > System Security.
Select TPM Hierarchy and choose Enable from the drop-down menu.
Click Apply and then Reboot.
RACADM on Linux* PC#
Note
Because of limitations in the Integrated Dell* Remote Access Controller (iDRAC), it is not possible to load certificates through the iDRAC Web UI, so it must be done through the RACADM tool. This section describes how to do this on a Linux PC. See the alternative approach using a Windows* PC at RACADM on Windows PC.
Install RACADM on Linux PC#
On a local Linux machine, download and install iDRAC tools.
Use the readme.txt file in the iDRAC installation folder to install RACADM.
Run the following commands in a terminal.
# Install wget if not already installed
sudo apt-get update
sudo apt-get install wget
# Install the libssl-dev package if not already installed on the host machine.
sudo apt-get install libssl-dev
NODE_BMC_IP="Your iDRAC IP"
NODE_BMC_USER="Your iDRAC username"
NODE_BMC_PWD="Your iDRAC password"
CLUSTER_FQDN="Your cluster FQDN established when deploying Edge Orchestrator"
TINK_FQDN=tinkerbell-nginx.${CLUSTER_FQDN}
# RACADM login
LOGIN="-r ${NODE_BMC_IP} -u ${NODE_BMC_USER} -p ${NODE_BMC_PWD} --nocertwarn"
Import Certificates with Linux PC#
First, download all the certificates to be uploaded.
For iPXE and Hook Os, independent of final operating system:
Note
Ensure that you understand the proxy settings in your network. If the curl or wget operation fails, verify the network proxy settings.
wget https://"${TINK_FQDN}"/tink-stack/keys/db.der --no-check-certificate -O "db.der"
db.der is the public key used to trust ipxe.efi and Hook Os during Secure Boot.
For Edge Microvisor Toolkit, if Secure Boot (SB) is enabled (Not required for Ubuntu):
Then, you must download the db-emt.der file from the Release Service.
The Edge Microvisor Toolkit repository URL path can be found by looking at the OS Profile you are trying to install and manually copying the Repository URL value without the .raw.gz suffix. The Microvisor image version (osImageVersion) can be fetched from the Microvisor profile defined in the OS Profile. Alternatively, it can be acquired using the Edge Orchestrator API; see the Acquiring the Edge Microvisor Toolkit repository URL path from Edge Orchestrator API section.
Choose the correct values for the command and replace them in the variables as per the example and resulting command below. Make sure that the resulting HTTP status is successful.
export FILES_RS_URL=<Files Release Service URL>
export OS_IMAGE_VERSION=<Microvisor Image Version>
export MICROVISOR_REPO_URL=<Repository URL path to OS Image without .raw.gz extension>
# Following is an example of the variables and the expanded resulting command:
# export FILES_RS_URL=files-rs.edgeorchestration.intel.com
# export OS_IMAGE_VERSION=<Microvisor Image Version>
# export MICROVISOR_REPO_URL=files-edge-orch/repository/microvisor/non_rt/edge-readonly-$OS_IMAGE_VERSION-signed
# Command to download the microvisor der file as db-emt.der;
# -S prints the server response headers, including the HTTP status line
wget -S "https://${FILES_RS_URL}/${MICROVISOR_REPO_URL}.der" -O db-emt.der
# A real example with no variables
# wget -S https://files-edge-orch/repository/microvisor/non_rt/edge-readonly-3.0.20250324.1008.der -O db-emt.der
Finally, upload the certificates to the server with the racadm command and reboot the device.
Note
The racadm commands issue a warning error as follows:
Security Alert: Certificate is invalid - Certificate is not signed by Trusted Third Party Continuing execution. Use -S option for racadm to stop execution on certificate-related err
This is expected and the commands proceed with no issue.
# Import BIOS Certificate for iPXE and HookOS
racadm ${LOGIN} bioscert import -t 2 -k 0 -f db.der
# Import BIOS Certificate (Only required for Edge Microvisor Toolkit in case Secure Boot is enabled)
racadm ${LOGIN} bioscert import -t 2 -k 0 -f db-emt.der
# Reboot or Power Cycle in this step only if USB assisted boot is used
racadm ${LOGIN} serveraction powercycle
Full_server.crt is the provisioning certificate used during the HTTPS boot.
Note
Skip the following part for “USB assisted boot” as there is no need to enroll the httpsbootcert.
wget https://"${TINK_FQDN}"/tink-stack/keys/Full_server.crt --no-check-certificate -O "full_server.crt"
# Import HTTPS Boot Certificate:
racadm ${LOGIN} httpsbootcert import -i 1 -f full_server.crt
# Reboot or Power Cycle
racadm ${LOGIN} serveraction powercycle
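Added defender-side example for the Linux procedure above; it is not part of the Intel or Dell documentation. db.der and Full_server.crt are fetched with TLS verification disabled and then enrolled as Secure Boot and HTTPS boot trust anchors, so the helper below checks each file's SHA-256 against a fingerprint obtained out of band (for example from the Edge Orchestrator operator) before running the racadm import. RACADM_CMD is an assumed variable holding the racadm prefix (e.g. "racadm ${LOGIN}"); when it is unset the import command is only echoed.

```shell
#!/bin/sh
# Gate racadm certificate imports on a DER sanity check and an out-of-band
# SHA-256 fingerprint. Example code, not from the Intel/Dell docs.

# Return 0 if FILE is DER at the outer level: byte 0 is 0x30 (ASN.1 SEQUENCE)
# and the encoded length covers the rest of the file.
der_sanity() {
    file="$1"
    size=$(wc -c < "$file" | tr -d ' ')
    tag=$(od -An -tx1 -N1 "$file" | tr -d ' ')
    [ "$tag" = "30" ] || return 1
    lenbyte=$(od -An -tu1 -j1 -N1 "$file" | tr -d ' ')
    if [ "$lenbyte" -lt 128 ]; then            # short-form length
        [ $((lenbyte + 2)) -eq "$size" ]
    else                                       # long form: 0x80|N, then N bytes
        n=$((lenbyte - 128)); len=0
        for b in $(od -An -tu1 -j2 -N"$n" "$file"); do len=$((len * 256 + b)); done
        [ $((len + 2 + n)) -eq "$size" ]
    fi
}

# SHA-256 of the raw file; for a DER certificate this equals the value that
# `openssl x509 -inform DER -noout -fingerprint -sha256` prints, minus colons.
fingerprint() { sha256sum "$1" | cut -d' ' -f1; }

# safe_import FILE EXPECTED_SHA256 <racadm import args...>
#   safe_import db.der "$DB_SHA256" bioscert import -t 2 -k 0
#   safe_import full_server.crt "$HTTPS_SHA256" httpsbootcert import -i 1
# Only *.der files get the DER check; Full_server.crt may be PEM.
safe_import() {
    file="$1"; expected="$2"; shift 2
    case "$file" in
        *.der) der_sanity "$file" || { echo "not DER: $file" >&2; return 2; } ;;
    esac
    actual=$(fingerprint "$file")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $file: got $actual" >&2
        return 3
    fi
    # RACADM_CMD is assumed; default to a dry run that prints the command.
    ${RACADM_CMD:-echo racadm} "$@" -f "$file"
}
```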
RACADM on Windows PC#
Note
Because of limitations in Dell iDRAC, it is not possible to load certificates through the iDRAC Web UI, so it must be done through the RACADM tool. This section describes how to do this on a Windows PC. The Linux-based alternative is given in RACADM on Linux* PC.
Install RACADM on Windows PC#
On the local PC machine, download and install Dell Remote Access Control Admin (RACADM).
Launch the command prompt as Administrator.
Go to the RACADM CLI installation directory.
Download and import Certificates with Windows PC#
Importing certificates requires the iDRAC IP address.
On the Windows PC, launch the command prompt as an administrator.
View the previously downloaded certificates.
# View certificates
racadm.exe -r {iDRAC IP address} -u [iDRAC username] -p [iDRAC password] bioscert view --all
Note
Ensure that you understand the proxy settings in your network. If the curl or wget operation fails, verify the network proxy settings.
Import the certificates to the local PC. The certificates are in the directory created previously.
Note
Download all certificates necessary to configure the edge node and establish communication with Edge Orchestrator. Edit the curl commands to add the CLUSTER_FQDN established when deploying Edge Orchestrator.
Navigate to a directory on the PC where the certificates will be stored. For example, you may want to store certificates in a /certificates/ directory. Go to that directory and run the curl commands below.
For iPXE and Hook Os, independent of final operating system:
# Replace CLUSTER_FQDN with the name of the domain of the orchestrator
curl "https://tinkerbell-nginx.${CLUSTER_FQDN}/tink-stack/keys/db.der" -O --insecure
db.der is the public key used to trust ipxe.efi and Hook Os during Secure Boot.
For Edge Microvisor Toolkit, if Secure Boot (SB) is enabled (Not required for Ubuntu):
Then, you must download the db-emt.der file from the Release Service.
The Edge Microvisor Toolkit repository URL path can be found by looking at the OS Profile you are trying to install and manually copying the Repository URL value without the .raw.gz suffix. Alternatively, it can be acquired using the Edge Orchestrator API; see the Acquiring the Edge Microvisor Toolkit repository URL path from Edge Orchestrator API section.
Choose the correct values for the command and replace them in the variables as per the example and resulting command below. Make sure that the resulting HTTP status is successful.
export FILES_RS_URL=<Files Release Service URL>
export OS_IMAGE_VERSION=<Microvisor Image Version>
export MICROVISOR_REPO_URL=<Repository URL path to OS Image without .raw.gz extension>
# Following is an example of the variables and the expanded resulting command:
# export FILES_RS_URL=files-rs.edgeorchestration.intel.com
# export OS_IMAGE_VERSION=<Microvisor Image Version>
# export MICROVISOR_REPO_URL=files-edge-orch/repository/microvisor/non_rt/edge-readonly-$OS_IMAGE_VERSION-signed
# Command to download the microvisor der file as db-emt.der;
# -S prints the server response headers, including the HTTP status line
wget -S "https://${FILES_RS_URL}/${MICROVISOR_REPO_URL}.der" -O db-emt.der
# A real example with no variables
# wget -S https://files-edge-orch/repository/microvisor/non_rt/edge-readonly-3.0.20250324.1008.der -O db-emt.der
Finally, upload the certificates to the server with the racadm command and reboot the device.
Note
The racadm commands below issue a warning error:
Security Alert: Certificate is invalid - Certificate is not signed by Trusted Third Party Continuing execution. Use -S option for racadm to stop execution on certificate-related err
This is expected and the commands proceed with no issue.
# Upload the BIOS Certificate for iPXE and HookOS
racadm.exe -r {iDRAC IP address} -u [iDRAC username] -p [iDRAC password] bioscert import -t 2 -k 0 -f C:\<path_to_certificates>\db.der
# Import BIOS Certificate (Only required for Edge Microvisor Toolkit in case Secure Boot is enabled)
racadm.exe -r {iDRAC IP address} -u [iDRAC username] -p [iDRAC password] bioscert import -t 2 -k 0 -f C:\<path_to_certificates>\db-emt.der
# Reboot or Power Cycle in this step only if USB assisted boot is used
racadm.exe -r {iDRAC IP address} -u [iDRAC username] -p [iDRAC password] serveraction powercycle
Note
Skip this part for “USB-assisted boot” as there is no need to enroll the httpsbootcert.
Full_server.crt is the provisioning certificate used during the HTTPS boot.
# Replace CLUSTER_FQDN with the name of the domain of the orchestrator
curl "https://tinkerbell-nginx.${CLUSTER_FQDN}/tink-stack/keys/Full_server.crt" -O --insecure
# Full_server.crt - TLS authorization with cluster for HTTPS boot.
racadm.exe -r {iDRAC IP address} -u [iDRAC username] -p [iDRAC password] httpsbootcert import -i 1 -f C:\<path_to_certificates>\Full_server.crt
# Reboot or Power Cycle
racadm.exe -r {iDRAC IP address} -u [iDRAC username] -p [iDRAC password] serveraction powercycle