SZTP components

Onboarding device

The Nokia router that you want to provision and connect to your network.

DHCP server

The DHCP server supplies the node with the SZTP bootstrap-server location through DHCPv4 option 143 or DHCPv6 option 136, which contains a list of bootstrap-server URIs.

Bootstrap server

The bootstrap server hosts the bootstrapping data, including the OS version and the initial device configuration. The SZTP bootstrap server is a RESTCONF server that communicates with the device over TLS.

The device obtains its bootstrapping information by invoking the get-bootstrapping-data RESTCONF RPC, which is defined in the IETF YANG module ietf-sztp-bootstrap-server (see RFC 8572). The GetBootstrapDataResponse structure contains the bootstrapping data. The SZTP uses the get-bootstrapping-data. It returns the necessary bootstrapping data, the Conveyed information, and, when signed, the Ownership Voucher and Ownership Certificate. The onboarding information contains the boot image (os-name, os-version, download-uri, image-verification hash), an initial configuration, and optional pre-/post-configuration scripts.

The onboarding device uses RPC report-progress to report progress only when the bootstrap server is trusted.

SZTP artifacts

SZTP artifacts are as follows:
  • TPM keys: The IDevID is used for TLS client authentication to the bootstrap server (and to decrypt the OV if encrypted).
  • Redirect information: Data provided to an onboarding device that directs it to an alternative server or endpoint to obtain further configuration or bootstrapping data.
  • Onboarding information: Provides the data required for a device to bootstrap and establish secure connections with other systems.
  • Bootstrapping data: Bootstrapping data enables the CPM to carry out the following tasks:
    • redirect the CPM to a new source of bootstrapping data, such as an optional new bootstrap server
    • transfer device ownership and trust to the customer
    • specify which software image, configuration, and arbitrary scripts to run on the CPM
    The Conveyed Information, Ownership Voucher, and Ownership Certificate are used to achieve the above and make up the bootstrapping data artifacts.
  • Conveyed Information: The DHCP server only returns unsigned redirect information, whereas a bootstrap server can return redirection information (optional), onboarding information, and the ownership voucher and ownership certificate. Conveyed information is returned to the CPM as a Cryptographic Message Syntax (CMS) structure, as described in [RFC5652], signed by the customer's CA.
  • Onboarding information: Provides data necessary for a device to bootstrap and establish secure connections with other systems. It includes details about the boot image the device needs to run, an initial configuration it must commit, and the scripts it must execute successfully. Onboarding information is valid only when the CMS structure used to transmit the onboarding information is signed and verified against the customer's CA chain of trust.
  • Ownership Voucher: To support secure bootstrapping, an Ownership Voucher (OV) must be obtained by submitting a request to Nokia Support. The request must include the Pinned Domain Certificate (PDC), a trusted digital certificate issued by the customer and provided to Nokia during the OV request, and the order details containing the router serial numbers.
  • Ownership certificate: Represents an X.509 certificate that binds an owner's identity to a public key, allowing a device to validate a signature on the conveyed information artifact. It is provided to the device through a bootstrap server. The digital signature is validated against the PDC, which is contained in the Ownership Voucher.