Using USB autorun

USB autorun helps ease the configuration of HP Switch switches by providing a way to auto-execute CLI commands from a USB flash drive. Using this solution, you can create a command file (also known as an AutoRun file), write it to a USB storage device, and then execute the file simply by inserting the USB device into the switch's 'Auxiliary Port.' The AutoRun file is executed automatically when autorun is enabled on the switch and can be designed for various purposes, such as to configure the switch, to update software, or to retrieve diagnostic logs for troubleshooting purposes.

The overall USB autorun solution requires the following components:

  • An HP Switch switch that can securely use USB autorun to load authorized configurations and write reporting information. This requires software versions xx.13.01 or greater.

  • The network management application HP Switch Manager Plus (PCM+). PCM+ is required to create a valid AutoRun file and to view the results after the file has been executed on the switch.

  • A non-proprietary USB flash drive.



NOTE: The ability to create a valid AutoRun file will be incorporated into an upcoming HP Switch Manager update; see the HP Switch Manager documentation for details. For guidelines on using the USB port for basic file copy capabilities, see Using USB to transfer files to and from the switch.

The general process for using USB autorun is as follows (steps 1, 2, and 7 require an upcoming update to PCM+, as described above):

  1. Create an AutoRun file using PCM+.

    See the HP Switch Manager documentation for details.



    NOTE: Creating the AutoRun file in PCM+ includes the following steps:

      1. Specify the target device or devices.

      2. Create the CLI script to be executed on the target devices.

      3. Determine if the file will be signed and/or encrypted.

      4. Determine if the file will be 'run once' (moved to a 'processed' directory on execution) or 'run many' (kept in the root directory of the flash drive from where it can be executed again).


  2. Deploy the AutoRun file to a USB flash drive.

  3. (If required) Enable the autorun feature on the switch (autorun is enabled by default unless an operator or manager password has been set; see Autorun and configuring passwords).

  4. (If the AutoRun file has been signed or encrypted) Enable secure-mode on the switch:

    1. Configure an encryption key and a valid trusted certificate.

    2. Enable secure-mode via the CLI.

      See Downloading switch software.

  5. Insert the USB flash drive into the switch's USB auxiliary port.

    The switch processes the AutoRun file automatically and writes a result (.txt) file and report (.xml) file back to the USB flash drive, reporting on the command operations that were executed.

  6. Remove the USB device from the USB port.

    The switch executes any post-commands, such as rebooting the switch to apply any configuration updates.

  7. (Optional) Transfer the 'result file' and 'report file' to a PCM+-enabled computer for report checking.

    See Troubleshooting autorun operations.


Security considerations

By default, the switch is unsecured when shipped (that is, USB autorun is enabled by default). However, as soon as an operator or manager password is configured, autorun is disabled and must be re-enabled at the configuration level of the CLI before it can be used. The requirement to use PCM+ to create a valid AutoRun file helps prevent an unauthorized command file from being created and processed by the switch.

In terms of physical security, access to the switch's USB port is equivalent to access to its console port. Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you have the following configuration options via the CLI (see Configuring autorun on the switch (CLI)):

  • Disable autorun by setting an operator or manager password.

  • Disable or re-enable the USB autorun function via the CLI.

  • Enable autorun in secure mode to verify signatures in autorun command files and to decrypt encrypted command files.

Troubleshooting autorun operations

You can verify autorun operations by checking the following items:

USB auxiliary port LEDs

The following table shows LED indications on the Auxiliary Port that allow you to identify the different USB operation states.

Color   State           Meaning
Green   Slow blinking   Switch is processing the USB AutoRun file.
Green   Solid           Switch has finished processing the USB AutoRun file. This LED state indicates that the AutoRun file was executed successfully and the report files were generated. You can review the report files on a USB-enabled computer for more details. Upon removal of the USB device, the LED turns OFF.
N/A     Off             Indicates one or more of the following:
                          • No USB device has been inserted.
                          • A USB device that cannot be recognized as a USB storage device has been inserted.
                          • No AutoRun file can be found on the inserted USB device.
                        If the USB device has just been removed from the port, the switch executes any post commands.
Amber   Fast blinking   Processing error. The AutoRun file stops processing when an error is encountered (for example, no more disk space is available on the USB device to write the result and report files). For more information on the error, remove the USB device and inspect its contents on a USB-enabled computer.

AutoRun status files

The following files are generated during autorun operations and written to the USB flash drive:

  • Report files (.xml file)—show which CLI commands have been run. The file name includes a serial number and a date/time stamp to indicate when, and on which device, the AutoRun file was executed.

  • Result files (.txt file)—contain the CLI output for each command that was run on the switch, allowing you to verify whether each command executed successfully.



NOTE: IMC provides a mechanism to read these status files and capture the results of the commands executed. It also allows you to verify the report files for their authenticity and reject files that have not been signed (for details, see the IMC documentation).

The status files do not include any records of post commands that may have been executed after the USB flash drive was removed from the switch.


Event log or syslog

For details on how to use the switch's Event Log or syslog for help in isolating autorun-related problems, see Using the Event Log for troubleshooting switch problems.

Configuring autorun on the switch (CLI)

To enable or disable the autorun feature on the switch, execute the following command from configuration mode in the CLI.

Syntax:

[no] autorun [ encryption-key <key-string> | secure-mode ]

Executed from configuration mode, this command enables or disables USB autorun on the switch.

Use the encryption-key keyword to configure or remove an encryption key (a base-64 encoded string). The encryption key is a prerequisite for enabling autorun in secure-mode. Encryption is honored only when the AutoRun file is also signed by an authentic source.

Use the secure-mode keyword to enable or disable secure mode for autorun.

(Default: Enabled—or disabled if a password has been set)

For information about enabling secure mode on autorun, see Autorun secure mode.

Autorun secure mode

You can use autorun secure mode to verify the authenticity of autorun command files. Secure-mode is configured using the autorun secure-mode command and can be enabled under both of the following conditions:

  • An encryption-key has already been configured using the autorun encryption-key command.

  • A trusted certificate for verifying autorun command files has been copied to the switch using the copy <tftp|usb> autorun-cert-file command.

There is an additional security option to install a valid key-pair for signing the result files that are generated during autorun operations. You can generate the key-pair on the switch using the crypto key generate autorun [rsa] command.



NOTE: You can also install the key-pair from a tftp server or via the USB port using the copy <tftp|usb> autorun-key-file <ipaddr filename> command. The file must contain the private key and the matching public key in an X509 certificate structure. Both the private key and the X509 certificate must be in PEM format.
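Before copying a key file to the switch, it is worth confirming offline that it meets the format rule just stated. The following Python script is an added example (not HP code) that checks a candidate autorun-key-file for exactly one PEM private key block and one PEM X509 certificate block, each decoding to DER; the function names are mine and the sample bodies are constructed placeholders, not real key material.

```python
import base64
import re

# One PEM block: label in the BEGIN/END lines, base64 body in between.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block; bad base64 raises ValueError."""
    blocks = []
    for m in PEM_BLOCK_RE.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        blocks.append((label, base64.b64decode(body, validate=True)))
    return blocks

def check_autorun_key_file(text):
    """Return problems found; an empty list means the file carries what the
    note above requires: one PEM private key and one PEM X509 certificate."""
    try:
        blocks = pem_blocks(text)
    except ValueError:
        return ["a PEM body is not valid base64"]
    problems = []
    labels = [label for label, _ in blocks]
    if sum(label in PRIVATE_KEY_LABELS for label in labels) != 1:
        problems.append("expected exactly one PEM private key block")
    if labels.count("CERTIFICATE") != 1:
        problems.append("expected exactly one PEM CERTIFICATE block")
    for label, der in blocks:
        # DER for a key or a certificate is an ASN.1 SEQUENCE (tag 0x30).
        if not der or der[0] != 0x30:
            problems.append(f"{label} block does not decode to a DER SEQUENCE")
    return problems

# Constructed placeholder body: a minimal DER SEQUENCE, not real key material.
_PLACEHOLDER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()

def pem(label, body=_PLACEHOLDER_B64):
    """Build one PEM block for the constructed samples below."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

GOOD_FILE = pem("RSA PRIVATE KEY") + pem("CERTIFICATE")  # what the switch expects
CERT_ONLY = pem("CERTIFICATE")                           # private key missing

if __name__ == "__main__":
    for name, sample in (("good", GOOD_FILE), ("cert-only", CERT_ONLY)):
        print(name, check_autorun_key_file(sample) or "OK")
```

The check is structural only; it does not verify that the certificate's public key actually matches the private key.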


Operating notes and restrictions

  • Autorun is enabled by default until passwords are set on the device.

  • Secure-mode and encryption-key are disabled by default.

  • To enable secure mode, both an encryption key and trusted certificate must be set.

  • If secure-mode is enabled, the following conditions apply:

    • The encryption-key cannot be removed or unconfigured.

    • The key-pair cannot be removed.

  • If secure mode is disabled, the key-pair can be removed using the crypto key zeroize autorun command.

  • When installing the autorun certificate file and/or the other key files, the files must be in PEM format.

Autorun and configuring passwords

When an operator or manager password is configured on a switch, autorun is disabled automatically and a message is displayed on the screen, as shown in the following example:

HP Switch# password manager
New password for manager: *****
Please retype new password for manager: *****
Autorun is disabled as operator/manager is configured.

After passwords are set, you can re-enable autorun as needed using the autorun command.

For more information on configuring passwords, see chapter "Username and Password Security" in the Access Security Guide for your switch.

Viewing autorun configuration information

The show autorun command displays autorun configuration status information, as shown in the following example:

The show autorun command

HP Switch(config)# show autorun

   Autorun configuration status
 
    Enabled        : Yes
    Secure-mode    : Disabled
    Encryption-key :
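To turn the show autorun output and the Security considerations above into a repeatable check, here is an added Python example (not HP code) that parses the output format shown and reports the insecure states this page describes. The sample output is constructed from the format above, the function names are mine, and whether an operator or manager password is set is passed in separately because it does not appear in the output shown.

```python
import re

# Constructed sample modelled on the show autorun output format on this page
# (not captured from a real switch).
SAMPLE_SHOW_AUTORUN = """\
HP Switch(config)# show autorun

   Autorun configuration status

    Enabled        : Yes
    Secure-mode    : Disabled
    Encryption-key :
"""

# "Name : value" lines; the value may be empty (no encryption-key configured).
FIELD_RE = re.compile(r"^\s*([A-Za-z-]+)\s*:\s*(.*?)\s*$")

def parse_show_autorun(text):
    """Return {field name lowercased: value} for the status lines."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def assess_autorun(fields, passwords_configured):
    """Apply the page's guidance and return a list of findings (empty = OK).

    passwords_configured is supplied by the caller: whether an operator or
    manager password is set is not shown in the show autorun output above.
    """
    findings = []
    enabled = fields.get("enabled", "").lower() == "yes"
    secure = fields.get("secure-mode", "").lower() == "enabled"
    has_key = bool(fields.get("encryption-key"))
    if enabled and not secure:
        findings.append("autorun enabled without secure-mode: unsigned, "
                        "unencrypted AutoRun files on any USB drive will run")
    if enabled and not passwords_configured:
        findings.append("no operator/manager password set: switch is still "
                        "in its shipped, unsecured state")
    if not has_key:
        findings.append("no encryption-key configured: secure-mode needs one "
                        "plus a trusted certificate before it can be enabled")
    return findings

if __name__ == "__main__":
    for finding in assess_autorun(parse_show_autorun(SAMPLE_SHOW_AUTORUN), False):
        print("FINDING:", finding)
```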