When you start using a new internal ECDSA certificate authority, 256-bit encryption is automatically enabled for Engines. If an Engine cannot communicate with the Management Server, manually enable 256-bit encryption on the Engine, then make initial contact between the Engine and the Management Server.
Before you begin
Create a new internal ECDSA certificate authority.
Steps
- On the command line of the Engine, enter one of the following commands to start the Engine Configuration Wizard:
  - sg-reconfigure --no-shutdown
    The Engine Configuration Wizard starts without shutting down the Engine. Network interface settings cannot be changed in this mode.
  - sg-reconfigure
    The Engine shuts down, then the Engine Configuration Wizard starts. All options are available if you have a local connection. If you have a remote SSH connection, you cannot change network interface settings because the Engine always uses the no-shutdown mode for SSH connections.
- Select Next on each page until the Prepare for Management Contact page opens.
- Select Contact or Contact at Reboot, then press the spacebar.
- Enter the Management Server IP address and the one-time password.
  Note: The one-time password is specific to each Engine and can be used only for one initial connection to the Management Server. After initial contact has been made, the Engine receives a certificate from the Secure SD-WAN Manager for identification. If the certificate is deleted or expires, repeat the initial contact using a new one-time password.
- Select 256-bit Security Strength, then press the spacebar to use 256-bit encryption for the connection to the Management Server.
- (Optional) Enter the fingerprint for the Management Server.
  - Select Edit Fingerprint, then press Enter.
  - Enter the Management Server’s certificate fingerprint.
    The fingerprint is shown in the Management Client when you save the initial configuration.
- Select Finish, then press Enter.
Result
The Engine tries to make initial Management Server contact. The progress is shown on the command line.