The following describes the different states that the SEE operates within. For details on switching between operational states and on configuring the required user authorizations, refer to Changing Operational States and to Managing User Authorizations.
The SEE operates within 4 defined states (or levels) according to the principle that the higher the operating state, the more access controls and restrictions are placed on the SEE.
- Direct access to the TA is only available in the operational state Production (0).
- SSH access to the SFP is only available in the operational state OEM (1).
State 0 - Production
This is the operational state in which the SEE is produced. This state provides complete access to the three hardware components: the Secure Foundation Platform (SFP), Trust Anchor (TA), and the PiLO (PrimeKey’s Integrated Lights Out). This state is used for installing firmware and testing the product. It can never be used for the deployment of applications.
The SEE cannot be reverted to the Production State (0) by a user. Reinstating the SEE to the Production State can only be performed if the device is returned to PrimeKey as an RMA.
State 1 - OEM
This is the operational state in which the SEE is delivered to the user. In this state, you have complete access to the PiLO and SFP via SSH and you can install and configure one or more virtual machines.
User-installed VMs will not be started automatically. The VMs must be manually started via the built-in virtual machine wizard vmadmin, or by using the WebConf. VMs can also be started directly using the command-line application virsh by issuing the command virsh start <vm name>. For more information, refer to Install Virtual Machines and WebConf User Interface.
State 2 - Administration
This operational state allows an authenticated user to perform administrative tasks on the VMs deployed within the SEE. This includes, for example, updating an application within a VM, performing a full backup of VMs, or performing network configurations. You can start and stop VMs in this operational state, but you cannot create or delete them.
State 3 - End User
In this operational state, installed VMs are automatically started and monitored. The End User state provides the highest level of user access restriction to the SEE. The SFP provides access to executing VMs via their configured network ports only. There is no access to the SFP. Only limited and authorized administrative tasks can be performed on the SFP and on any of the installed VMs, such as powering on/off a VM.
By default, the web-based configuration WebConf is not available in this state. However, in the operational state OEM, you can configure the SFP to grant WebConf access with limited VM functions in the End User state.