SDO agent installation and registration

SDO (Secure Device Onboard), created by Intel, makes it easy and secure to configure edge devices and associate them with an edge management hub. IBM Edge Application Manager (IEAM) supports SDO-enabled devices so that the agent will be installed on the devices and registered to the IEAM management hub with zero touch (by simply powering on the devices).

SDO overview

SDO consists of these components:

• The SDO module on the edge device (usually installed there by the device manufacturer)
• An ownership voucher (a file that is given to the device purchaser along with the physical device)
• The SDO rendezvous server (the well-known server that an SDO-enabled device first contacts when it starts the first time)
• SDO owner services (services run on the IEAM management hub that configure the device to use this specific instance of IEAM)

Note: SDO only supports edge devices, not edge clusters.

SDO flow

Before you begin

SDO requires that the agent files are stored in the IEAM Cloud Sync Service (CSS). If this has not been done, ask your administrator to run one of the following commands as described in Gather edge node files:

edgeNodeFiles.sh ALL -c ...

Trying SDO

Before you purchase SDO-enabled edge devices, you can test SDO support in IEAM with a VM that simulates an SDO-enabled device:

1. You need an API key. See Creating your API key for instructions to create an API key, if you do not already have one.

2. Contact your IEAM administrator to get the values of these environment variables. (You need them in the next step.)

   export HZN_ORG_ID=<exchange-org>
   export HZN_EXCHANGE_USER_AUTH=iamapikey:<api-key>
   export HZN_SDO_SVC_URL=https://<mgmt-hub-ingress>/edge-sdo-ocs/api
   export HZN_MGMT_HUB_CERT_PATH=<path-to-mgmt-hub-self-signed-cert>
   export CURL_CA_BUNDLE=$HZN_MGMT_HUB_CERT_PATH
   

3. Follow the steps in the Open Horizon SDO 1.11 to observe SDO automatically install the IEAM agent on a device and registers it with your IEAM management hub.

Adding SDO-enabled devices to your IEAM domain

If you have purchased SDO-enabled devices and want to incorporate them into your IEAM domain:

1. If you did not create SDO owner key pairs when trying out SDO in the previous section, perform these steps:

   1. You need an API key. See Prepare for setting up edge nodes for instructions to create an API key, if you do not already have one.

   2. Contact your IEAM administrator to get the values of these environment variables. (You need them in the next step.)

      export HZN_ORG_ID=<exchange-org>
      export HZN_EXCHANGE_USER_AUTH=iamapikey:<api-key>
      export HZN_SDO_SVC_URL=https://<mgmt-hub-ingress>/edge-sdo-ocs/api
      export HZN_MGMT_HUB_CERT_PATH=<path-to-mgmt-hub-self-signed-cert>
      export CURL_CA_BUNDLE=$HZN_MGMT_HUB_CERT_PATH
      

   3. Perform the steps in just this one section: Generate Owner Key Pairs .

2. Log in to the IEAM management console.

3. On the Nodes tab, click Add node.

   Enter the information necessary to create a private ownership key in the SDO service and download the corresponding public key.

4. Fill in the necessary information to import the ownership vouchers you received when you purchased the devices.

5. Connect the devices to the network and power them on.

6. Back in the management console, watch the progress of the devices as they come online by viewing the Node overview page and filtering on the installation name.