Management and Configuration Guide K/KA/KB.15.15
Autorun secure mode
You can use autorun secure mode to verify the authenticity of autorun command files. Secure mode
is configured using the autorun secure-mode command and can be enabled only when both of
the following conditions are met:
• An encryption-key has already been configured using the autorun encryption key
command.
• A trusted certificate for verifying autorun command files has been copied to the switch using
the copy [ tftp | usb ] autorun-cert-file command.
There is an additional security option to install a valid key-pair for signing the result files that are
generated during autorun operations. You can generate the key-pair on the switch using the crypto
key generate autorun [rsa] command.
NOTE: You can also install the key-pair from a tftp server or via the USB port using the
copy [ tftp | usb ] autorun-key-file ipaddr filename command. The file named by filename must
contain the private key and the matching public key in an X509 certificate structure. Both the
private key and the X509 certificate must be in PEM format.
Operating notes and restrictions
• Autorun is enabled by default, until passwords are set on the device.
• Secure-mode and encryption-key are disabled by default.
• To enable secure mode, both an encryption key and trusted certificate must be set.
• If secure-mode is enabled, the following conditions apply:
  • The encryption-key cannot be removed or unconfigured.
  • The key-pair cannot be removed.
• If secure mode is disabled, the key-pair can be removed using the crypto key zeroize
autorun command.
• When installing the autorun certificate file and/or the other key files, the files must be in PEM
format.
Autorun and configuring passwords
When an operator or manager password is configured on a switch, autorun is disabled
automatically, and a message is displayed on the screen, as shown in the following example:
HP Switch# password manager
New password for manager: *****
Please retype new password for manager: *****
Autorun is disabled as operator/manager is configured.
After passwords are set, you can re-enable autorun as needed using the autorun command.