Auto-Provisioning Mediatrix Units with Configuration Scripts
Overview of the Server Configuration
Preparing Windows Server IIS
- Create a subdirectory for the firmware under the Web Server root directory.
- Create a subdirectory for the configuration files under the Web Server root directory.
Preparing the Pumpkin TFTP Server
- Create a subdirectory for the firmware under C:\PumpKIN\
- Create a subdirectory for configuration files under C:\PumpKIN\
Configuration Scripts
Configuration scripts are files containing textual commands that are sent from the ACS over the network to a Mediatrix unit.
Configuration scripts support all configuration parameters and can be created for a group of units or for a specific unit of the Network.
The automated importation of configuration scripts can be performed with the use of a Customer Profile or using a DHCP server indicating the location of the file server with options 66 or 67. The automated importation to a unit is what is referred to as zero-touch, as the unit is automatically updated with the latest configuration without manual intervention.
When the configuration scripts are received, the unit executes each command line in sequence. Script commands can assign values to configuration parameters, or execute configuration commands. Scripts are written by the system administrator and can be used to accomplish various tasks, such as automating recurrent configuration tasks or batch-applying configuration settings to multiple devices. They can also be scheduled to be executed when the Mediatrix unit restarts.
- When the unit is restarted
- According to a pre-determined schedule
- Initiated by a DHCP server indicating where the script files are located using options 66 and 67
- FTP
- TFTP
- HTTP
- HTTPS
The configuration script download feature allows updating the Mediatrix unit configuration by transferring a configuration script from a remote server or from the local file system. The Mediatrix unit is the session initiator, which allows NAT traversal. You can also configure the Mediatrix unit to automatically update its configuration or you can generate a configuration script from the running configuration of the Mediatrix unit.
Configuring the FTP Server
Perform this procedure if you plan to use the FTP transport protocol.
Configuring the TFTP Server
Configuring the HTTP Server
Configuring the HTTPS Server
Make sure the unit is set to the proper date (refer to Configuring the Mediatrix Unit to Use an SNTP Server).
Parameters
- using a MIB browser, such as the Mediatrix Unit Manager Network (UMN);
- using the CLI;
- creating a configuration script containing the configuration parameters.
Exporting a Configuration Script Using a File Server
- Executing Configuration Scripts from a File Server Periodically
- Executing Configuration Scripts from the Unit File Management System Periodically
- Executing Configuration Scripts from a File Server Each Time the Unit is Started
- Executing Configuration Scripts from the Unit File Management System Each Time the Unit is Started
Encryption
Securing Configuration Scripts
Media5 provides an encryption tool (MxCryptFile) to secure the configuration scripts on the server.
There are two encryption algorithms available:
- AES-256 GCM (recommended, available since DGW 47.0)
- Blowfish ECB (legacy).
Once the file is encrypted, its contents are protected while they are transferred over the network. The encryption key must be configured on the Mediatrix units in order to decipher the information. The unit automatically detects the encryption algorithm from the file.
Ensure that the Mediatrix unit is configured with the correct Privacy key in order to decipher the information. Without the proper key, the parameters in the encrypted script would not be applied to the Mediatrix unit.
In any case, the same key is used to decrypt both the generic and specific configuration scripts. When a key is defined, unencrypted configuration scripts are not allowed to be executed.
Securing the configuration scripts using AES-256 GCM
- For macOS, python3 is pre-installed on recent macOS versions.
- For Linux, some distributions pre-install python3. Otherwise, use the appropriate package manager to install python3 and pip3.
- For Windows, use an installation package from https://www.python.org/downloads/windows/ or install from the Windows Store on a clean install of Windows 10. Make sure to add the application to PATH to facilitate usage.
pip3 install cryptography
To secure the configuration scripts using AES-256, the python script MxCryptFileAes.py is available. The key is a password of variable-length ASCII characters. For optimal security, it is recommended to use a password of at least 42 characters. The maximum length is 256 characters.
This is an example of the python script:
Usage:
MxCryptFileAes.py -in <input file> -out <output file> -k <key> [-enc|-dec]
where:
  -in <input file>     Specifies the file to read from
  -out <output file>   Specifies the file to write to
  -k <key>             The key in variable size.
  -enc                 Perform encryption (default).
  -dec                 Perform decryption.
MxCryptFileAes.py -in mediatrix.cfg -out mediatrix_encrypted.cfg.bin -k MyPassword -enc
MxCryptFileAes.py -in mediatrix_encrypted.cfg.bin -out mediatrix.cfg -k MyPassword -dec
Securing the configuration scripts using Blowfish
To secure the configuration scripts using Blowfish, the perl and exe scripts (MxCryptFile.pl and MxCryptFile.exe) are available. The key is encoded in hexadecimal notation, meaning only characters in the range 0-9 and A-F can be used. The maximum key length is 64 hex characters, which gives a binary key of 256 bits. It is the maximum key size accepted by the MxCryptFile external tool. For example, a 32-bit key could look like: A36CB299.
This is an example of the tool running on Windows:
MxCryptFile version 1.0.3.5
Copyright(c) 2009 Media5 Corporation
Usage:
MxCryptFile -h Display online help
or
MxCryptFile -in <input file name>
-out <output file name>
-k <key string>
[-s]
[-enc|-dec]
where:
<input file name>: name of the file to read
<output file name>: name of the file to write
<key string>: key string (allowed characters are 0-9, a-f, A-F)
-s: run in silent mode (no display)
-enc: encrypt (default)
-dec: decrypt
MxCryptFile.exe -in Mediatrix_4102_unencrypted.cfg -out Mediatrix4102.cfg.bin -k 12345678
MxCryptFile.exe -in 0090F8XXXXXX_unencrypted.cfg -out 0090F8XXXXXX.cfg.bin -k 89bb6758ac895f56
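The key limits stated for MxCryptFileAes.py and for MxCryptFile can be checked before a key is deployed. The following is an added example, not Media5 code: it generates random keys within those limits and reports keys that fall short. The function names, the alphanumeric alphabet and the 128-bit warning threshold for Blowfish keys are assumptions of this example.

```python
import secrets
import string

AES_RECOMMENDED_MIN = 42  # page: recommended minimum password length
AES_MAX = 256             # page: maximum password length
BLOWFISH_MAX_HEX = 64     # page: 64 hex characters = 256-bit key
WEAK_BITS = 128           # assumption: flag Blowfish keys below 128 bits
ALPHABET = string.ascii_letters + string.digits  # assumption: shell-safe ASCII subset


def new_aes_password(length=AES_RECOMMENDED_MIN):
    """Random password for MxCryptFileAes.py within the documented limits."""
    if not AES_RECOMMENDED_MIN <= length <= AES_MAX:
        raise ValueError("length must be between 42 and 256")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def new_blowfish_key(hex_chars=BLOWFISH_MAX_HEX):
    """Random hexadecimal key for MxCryptFile (legacy Blowfish)."""
    if hex_chars % 2 or not 2 <= hex_chars <= BLOWFISH_MAX_HEX:
        raise ValueError("need an even number of hex characters, at most 64")
    return secrets.token_hex(hex_chars // 2).upper()


def check_key(algorithm, key):
    """Return the list of problems found; an empty list means the key passes."""
    problems = []
    if algorithm == "aes":
        if not key or not key.isascii():
            problems.append("must be non-empty ASCII")
        if len(key) > AES_MAX:
            problems.append("longer than 256 characters")
        if len(key) < AES_RECOMMENDED_MIN:
            problems.append("shorter than the recommended 42 characters")
    elif algorithm == "blowfish":
        if not key or any(c not in string.hexdigits for c in key):
            problems.append("must be non-empty hexadecimal (0-9, A-F)")
        if len(key) > BLOWFISH_MAX_HEX:
            problems.append("longer than 64 hex characters")
        if len(key) * 4 < WEAK_BITS:
            problems.append("only %d key bits" % (len(key) * 4))
    else:
        raise ValueError("algorithm must be 'aes' or 'blowfish'")
    return problems


if __name__ == "__main__":
    print(check_key("aes", "MyPassword"), check_key("blowfish", "12345678"))
    print(new_aes_password(), new_blowfish_key())
```

Both tools take the key with -k on the command line, so it ends up in shell history and in the process list of the machine where the encryption is run.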
Preparation of the Configuration Files and Firmware
Executing Configuration Scripts from a File Server Periodically
- Configuring the FTP Server
- Configuring the TFTP Server
- Configuring the HTTP Server
- Configuring the HTTPS Server
Mediatrix units do not all include a real-time clock allowing them to maintain accurate time when they are shut down. You must have an SNTP time server that is accessible and properly configured, or the automatic configuration update feature may not work properly. Refer to Configuring the Mediatrix Unit to Use an SNTP Server.
Executing Configuration Scripts from the Unit File Management System Periodically
You must have an SNTP time server that is accessible and properly configured, or the automatic configuration update feature may not work properly. Refer to Configuring the Mediatrix Unit to Use an SNTP Server. Configuration script files must be available in the unit's file management system. Refer to Importing a Configuration Script to the Unit File Management System.
A configuration script must have been imported to the unit's file management system. Refer to Importing a Configuration Script to the Unit File Management System.
Executing Configuration Scripts from a File Server Each Time the Unit is Started
Executing Configuration Scripts from the Unit File Management System Each Time the Unit is Started
Configuring the Mediatrix Unit to Use an SNTP Server
Configuration of the Mediatrix Unit
Importing a Configuration Script Using a File Server
Importing a Configuration Script to the Unit File Management System
Configuring the DHCP to Trigger Configuration Script Execution
The Mediatrix unit can be configured to automatically import new configuration scripts upon receiving options 66 (tftp-server) or 67 (bootfile), or vendor-specific option 43 using sub-options 66 and 67 in a DHCPv4 answer. A DHCP answer includes both Bound and Renew.
- Configuring the FTP Server
- Configuring the TFTP Server
- Configuring the HTTP Server
- Configuring the HTTPS Server
Mediatrix units do not all include a real-time clock allowing them to maintain accurate time when they are shut down. If you are using HTTPS, you must have an SNTP server that is accessible and properly configured, or the automatic configuration update feature may not work properly. Refer to Configuring the Mediatrix Unit to Use an SNTP Server.
For more details on DHCPv4 Auto-Provisioning, refer to DHCPv4 Auto-Provisioning.
- Go to Management/Configuration Scripts/Execute.
- In the Automatic Script Execution section, from the Allow DHCP to Trigger Scripts Execution selection list, choose Enable.
- Click Apply.
The instructions sent from the DHCP server can be in different formats and will be understood by the Mediatrix unit according to what was chosen for the ScriptsDhcpOptionsFormat MIB parameter (not accessible via Web page). Possible values with their respective formats are:
- Fully Qualified: Script=[protocol]://[username]:[password]@[server]/[path]/[file]
- Url: [protocol]://[username]:[password]@[server]/[path]/[file]
- ServerHost: Allows one DHCP option to specify the IP address or FQDN of a file server. The unit uses the path and file name specified in the ScriptLocation and ScriptGenericFileName parameters, and the transfer protocol, username and password specified in the ScriptTransferProtocol, ScriptTransferUsername and ScriptTransferPassword parameters.
- AutoDetect (default value): A value beginning with "Script=" is considered as "FullyQualified". A value beginning with "[protocol]://" is considered as a "Url". A value that looks like an IPv4/IPv6 address or domain name is considered as a "ServerHost".
When the unit starts, it will receive the location of the config script from the DHCP response, as per the format defined by the ScriptsDhcpOptionsFormat parameter. The unit will then import and execute the configuration scripts from the specified location. Any changes to the script will be applied to the running configuration. The unit configuration is only updated if at least one parameter value defined in the imported configuration scripts is different from the actual unit configuration.
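DHCP option values are sent in cleartext, so a value in the Fully Qualified or Url format can expose the file server password and can point the unit at an unencrypted transfer protocol. The following is an added example, not Media5 code: it approximates the AutoDetect rules described above to audit the values configured on a DHCP server. The function names, regular expressions and sample values are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample option 66/67 values (documentation addresses, made-up names).
SAMPLES = [
    "Script=ftp://provision:s3cret@192.0.2.10/cfg/%mac%.cfg",
    "https://fs.example.net/cfg/generic.cfg",
    "tftp://192.0.2.10/generic.cfg",
    "2001:db8::10",
]
URL_RE = re.compile(r"^(ftp|tftp|http|https)://", re.IGNORECASE)
HOST_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}$")


def classify(value):
    """Approximate the AutoDetect rules listed above (not the firmware's parser)."""
    value = value.strip()
    if value.startswith("Script="):
        return "FullyQualified"
    if URL_RE.match(value):
        return "Url"
    try:
        ipaddress.ip_address(value.strip("[]"))
        return "ServerHost"
    except ValueError:
        return "ServerHost" if HOST_RE.match(value) else "Unrecognized"


def audit(value):
    """Return (format, findings) for one DHCP option value."""
    fmt = classify(value)
    findings = []
    if fmt in ("FullyQualified", "Url"):
        text = value.strip()
        if text.startswith("Script="):
            text = text[len("Script="):]
        url = urlsplit(text)
        if url.password is not None:
            findings.append("password exposed in DHCP option")
        if url.scheme.lower() != "https":
            findings.append("cleartext transport: " + url.scheme.lower())
    # ServerHost carries no protocol or credentials: those come from the
    # ScriptTransferProtocol/Username/Password parameters on the unit.
    return fmt, findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample))
```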
DHCPv4 Auto-Provisioning
The Mediatrix unit can be configured to automatically download new configuration scripts upon receiving options 66 (tftp-server) or 67 (bootfile), or vendor-specific option 43 using sub-options 66 and 67 in a DHCPv4 answer.
A DHCP server answer includes both Bound and Renew. The contents of option 66, 67 or 43 define which script to download. The unit's configuration is not used to download the script. This allows the unit, for instance, to download a script from a server after a factory reset and to reconfigure itself without a specific profile. If the imported configuration script is identical to the last executed script, it will not be run again. The script retry mechanism is not enabled for the DHCPv4 triggered scripts. If options 66, 67 and 43 are received, all scripts are executed independently. The script defined by the tftp-server (option 66) option is executed first. If you are using HTTPS to transfer scripts, you must have an SNTP time server that is accessible and properly configured.
Unit Macros
Macro | Description |
---|---|
%mac% | the MAC address of the unit |
%version% | the MFP version of the unit (firmware version) |
%product% | the Product name of the unit |
%productseries% | the Product series name of the unit. |
Online Help
If you are not familiar with the meaning of the fields and buttons, click Show Help, located at the upper right corner of the Web page. When activated, the fields and buttons that offer online help will change to green and if you hover over them, the description will be displayed.
Available Documentation
Copyright Notice
Copyright © 2023 Media5 Corporation.
This document contains information that is proprietary to Media5 Corporation.
Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.
This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.
Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.