# Step 6: Configure connection and authorize your Outposts server
To authorize the server, you must connect your laptop to the server with a USB cable, then use a command-based serial protocol to test the connection and authorize the server. In addition to IAM credentials, you need a USB cable, a laptop, and serial terminal software, such as PuTTY or **screen**, to complete these steps.
Consider the following information about authorizing the server:
+ To authorize the server, you or the party installing the server needs IAM credentials in the AWS account that contains the Outpost. For more information, see [Step 1: Grant permissions to install the Outposts server](install-grant.md).
+ You do not need to authenticate with the IAM credentials to test your connection.
+ Consider testing the connection before you use the export command to set IAM credentials as environment variables.
+ To protect your account, Outpost Configuration Tool never saves your IAM credentials.
+ To connect your laptop to the server, always plug the USB cable into your laptop first and then into the server.
**Topics**
+ [Connect your laptop](authorize-1.md)
+ [Create a serial connection](authorize-2.md)
+ [Configure and test the connection](authorize-3.md)
+ [Authorize the server](authorize-4.md)
+ [Verify the NSK LEDs](authorize-5.md)
# Connect your laptop to the Outposts server
Connect the USB cable to your laptop first and then to the server. The server includes a USB chip that creates a virtual serial port available to you on the laptop. You can use this virtual serial port to connect to the server with serial terminal emulation software. You can only use this virtual serial port to run Outpost Configuration Tool commands.
**To connect the laptop to the server**
Plug the USB cable into your laptop first, then into the server.
**Note**
The USB chip requires drivers to create the virtual serial port. Your operating system should automatically install the required drivers if they are not already present. To download and install the drivers, see [Installation Guides](https://ftdichip.com/document/installation-guides/) from FTDI.
# Create a serial connection to the Outposts server
The following are instructions to create a serial connection from your laptop to the Outposts server. They use popular serial terminal programs. You are not required to use these programs. You can use the serial terminal program that you prefer, if it supports a connection speed of `115200` baud.
**Topics**
+ [Windows serial connection](#windows-serial)
+ [Mac serial connection](#mac-serial)
## Windows serial connection
The following instructions are for PuTTY on Windows. PuTTY is free, but you may have to download it.
**Download PuTTY**
Download and install PuTTY from the [PuTTY download page](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html).
**To create a serial terminal on Windows using PuTTY**
1. Plug the USB cable into your Windows laptop first, then into the server.
1. From the Desktop, right-click **Start**, and choose **Device Manager**.
1. In **Device Manager**, expand **Ports (COM & LPT)** to determine the COM port for the USB serial connection. You will see a node named **USB Serial Port (COM*\$1*)**. The value for the COM port depends on your hardware.
![\[An image of a Device Manager on Windows set to COM port 3.\]](http://docs.aws.amazon.com/outposts/latest/install-server/images/PuTTY-serial01.png)
1. In PuTTY, from **Session**, choose **Serial** for **Connection type**, and then enter the following information:
+ Under **Serial line**, enter the COM*\$1* port from Device Manager.
+ Under **Speed**, enter: `115200`
The following image shows an example on the **PuTTY Configuration** page:
![\[An image of a screen in PuTTY.\]](http://docs.aws.amazon.com/outposts/latest/install-server/images/PuTTY-serial.png)
1. Choose **Open**.
An empty console window appears. It can take between 1 to 2 minutes for one of the following to appear:
+ `Please wait for the system to stabilize. This can take up to 900 seconds, so far x seconds have elapsed on this boot.`
+ The `Outpost>` prompt.
## Mac serial connection
The following instructions are for **screen** on macOS. You can find **screen** included with the operating system.
**To create a serial terminal on macOS using **screen****
1. Plug the USB cable into your Mac laptop first, then into the server.
1. In Terminal, list `/dev` with a `*usb*` filter for output to find the virtual serial port.
```
ls -ltr /dev/*usb*
```
The serial device appears as `tty`. For example, consider the following sample output from the previous list command:
```
ls -ltr /dev/*usb*
crw-rw-rw- 1 root wheel 21, 3 Feb 8 15:48 /dev/cu.usbserial-EXAMPLE1
crw-rw-rw- 1 root wheel 21, 2 Feb 9 08:56 /dev/tty.usbserial-EXAMPLE1
```
1. In Terminal, use **screen** with the serial device and a baud rate of the serial connection to set up the serial connection. In the following command, replace *EXAMPLE1* with the value from your laptop.
```
screen /dev/tty.usbserial-EXAMPLE1 115200
```
An empty console window appears. It can take between 1 to 2 minutes for one of the following to appear:
+ `Please wait for the system to stabilize. This can take up to 900 seconds, so far x seconds have elapsed on this boot.`
+ The `Outpost>` prompt.
# Configure and test the Outposts server connection to AWS
Use the following procedures to configure and test the connection between your server and AWS using the Outpost Configuration Tool. You don't need IAM credentials to test the connection. Your connection must resolve DNS to access the AWS Region.
Before you begin, ensure the following prerequisites:
1. Your laptop is connected to the Outposts server through the USB cable as described in [Connect your laptop](authorize-1.md).
1. You created a serial connection to the server as described in [Create a serial connection](authorize-2.md).
1. You see the `Outpost` prompt.
**Topics**
+ [Configure static networking](#w2aac17c15c11)
+ [Test the links](#w2aac17c15c13)
+ [Test for DNS resolution](#w2aac17c15c15)
+ [Test for access to the AWS Region](#w2aac17c15c17)
## Configure static networking
**Note**
If you are using Dynamic Host Configuration Protocol (DHCP) for IP address configuration, skip this step.
Configure your Outposts server's service link and DNS (Domain Name Server) IP addresses statically.
**To configure static IP and DNS addresses**
1. From the `Outpost` prompt, you can run **help** to see the possible commands.
1. Set the static IP using **set-service-link-static-ip**. You will need the following arguments to run this command: the IP, subnet mask, and gateway.
Run: **set-service-link-static-ip *ip* *netmask* *gateway***
**Example**
For example, **set-service-link-static-ip** `192.168.1.2 255.255.255.0 192.168.1.1` sets the static IP to `192.168.1.2`, the netmask to `255.255.255.0`, and the gateway to `192.168.1.1`.
1. Set the DNS address using **set-dns**. This command requires one argument, the DNS address.
Run: **set-dns** `dns`
**Example**
For example, **set-dns** *8.8.8.8* sets the DNS address to `8.8.8.8`.
1. Optional. To verify that all values are correct, use **get-service-link-static-ip** and **get-dns** to display the values set in the previous two steps.
1. Reboot the server for the static IP to take effect.
Run: **reboot**
1. When the server comes back online it should be using the static IP. To verify:
1. Create the serial connection to the server as described in [Create a serial connection](authorize-2.md). The `Outpost>` prompt appears.
1. From the `Outpost>` prompt, run **describe-ip**.
In the information that appears, you should see `mode: static` along with the statically configured values for IP, netmask, gateway, and DNS.
**Example**
```
Outpost>describe-ip
---
links:
-
name: service_link
configured: True
mode: static
ip: 192.168.1.2
netmask: 255.255.255.0
gateway: 192.168.1.1
dns: [ "8.8.8.8" ]
ntp: [ ]
checksum: 0xDB88E57A
...
```
## Test the links
**To test the links**
1. Plug the USB cable into your laptop first and then into the server.
1. Use a serial terminal program, such as PuTTY or **screen**, to connect to the server. For more information, see [Create a serial connection to the Outposts server](authorize-2.md).
1. Press **Enter** to access the Outpost Configuration Tool command prompt.
```
Outpost>
```
**Note**
If you see a persistent red light inside the chassis of the server on the left-hand side after you power on and you can't connect to Outpost Configuration Tool, you might need to power down and drain the server to proceed. To drain the server, disconnect all network and power cables, wait five minutes, then power up and connect to the network again.
1. Use **describe-links** to return information about the network links on the server. Outposts servers must have one service link and one local network interface (LNI) link.
```
Outpost>describe-links
---
service_link_connected: True
local_link_connected: False
links:
-
name: local_link
connected: False
mac: 00:00:00:00:00:00
-
name: service_link
connected: True
mac: 0A:DC:FE:D7:8E:1F
checksum: 0x46FDC542
```
If you get `connected: False` for either link, troubleshoot the network connection on the hardware.
1. Use **describe-ip** to return the IP assignment status and configuration of the service link.
```
Outpost>describe-ip
---
links:
-
name: service_link
configured: True
ip: 192.168.0.0
netmask: 255.255.0.0
gateway: 192.168.1.1
dns: [ "192.168.1.1" ]
ntp: [ ]
checksum: 0x8411B47C
```
The NTP value might be missing as NTP is optional in a DHCP option set. You should have no other missing values.
## Test for DNS resolution
**To test for DNS**
1. Plug the USB cable into your laptop first and then into the server.
1. Use a serial terminal program, such as PuTTY or **screen**, to connect to the server. For more information, see [Create a serial connection to the Outposts server](authorize-2.md).
1. Press **Enter** to access the Outpost Configuration Tool command prompt.
```
Outpost>
```
**Note**
If you see a persistent red light inside the chassis of the server on the left-hand side after you power on and you can't connect to Outpost Configuration Tool, you might need to power down and drain the server to proceed. To drain the server, disconnect all network and power cables, wait five minutes, then power up and connect to the network again.
1. Use **export** to enter the parent Region of the Outposts server as the value for `AWS_DEFAULT_REGION`.
`AWS_DEFAULT_REGION=`*Region*
```
Outpost>export AWS_DEFAULT_REGION=us-west-2
result: OK
checksum: 0xB2A945RE
```
+ Do not include a space before or after the equal (=) sign.
+ No environment values are saved. You must export AWS Region each time you run Outpost Configuration Tool.
+ If you are using a third party to install the server, you must provide them with the parent Region.
1. Use **describe-resolve** to determine if the Outposts server can reach a DNS resolver and resolve the IP address of the Outpost configuration endpoint in the Region. Requires at least one link with an IP configuration.
```
Outpost>describe-resolve
---
dns_responding: True
dns_resolving: True
dns: [ "198.xx.xxx.xx", "198.xx.xxx.xx" ]
query: outposts.us-west-2.amazonaws.com
records: [ "18.xxx.xx.xxx", "44.xxx.xxx.xxx", "44.xxx.xxx.xxx" ]
checksum: 0xB6A961CE
```
## Test for access to the AWS Region
**To test access to AWS Regions**
1. Plug the USB cable into your laptop first and then into the server.
1. Use a serial terminal program, such as PuTTY or **screen**, to connect to the server. For more information, see [Create a serial connection to the Outposts server](authorize-2.md).
1. Press **Enter** to access the Outpost Configuration Tool command prompt.
```
Outpost>
```
**Note**
If you see a persistent red light inside the chassis of the server on the left-hand side after you power on and you can't connect to Outpost Configuration Tool, you might need to power down and drain the server to proceed. To drain the server, disconnect all network and power cables, wait five minutes, then power up and connect to the network again.
1. Use **export** to enter the parent Region of the Outposts server as the value for `AWS_DEFAULT_REGION`.
`AWS_DEFAULT_REGION=`*Region*
```
Outpost>export AWS_DEFAULT_REGION=us-west-2
result: OK
checksum: 0xB2A945RE
```
+ Do not include a space before or after the equal (=) sign.
+ No environment values are saved. You must export AWS Region each time you run Outpost Configuration Tool.
+ If you are using a third party to install the server, you must provide the them with the parent Region.
1. Use **describe-reachability** to determine if the Outposts server can reach the Outpost configuration endpoint in the Region. Requires a working DNS configuration, which you can determine by using **describe-resolve**.
```
Outpost>describe-reachability
---
is_reachable: True
src_ip: 10.0.0.0
dst_ip: 54.xx.x.xx
dst_port: xxx
checksum: 0xCB506615
```
+ `is_reachable` indicates the outcome of the test
+ `src_ip` is the IP address of the server
+ `dst_ip` is the IP address of the Outpost configuration endpoint in the Region
+ `dst_port` is the port the server used to connect to `dst_ip`
# Authorize the Outposts server using the Outpost Configuration Tool
Use the following procedure to authorize the server. You need the Outpost Configuration Tool and the IAM credentials from the AWS account that owns the Outpost.
**To authorize the server**
1. Plug the USB cable into your laptop first and then into the server.
1. Use a serial terminal program, such as PuTTY or **screen**, to connect to the server. For more information, see [Create a serial connection to the Outposts server](authorize-2.md).
1. Press **Enter** to access the Outpost Configuration Tool command prompt.
```
Outpost>
```
**Note**
If you see a persistent red light inside the chassis of the server on the left-hand side after you power on and you can't connect to Outpost Configuration Tool, you might need to power down and drain the server to proceed. To drain the server, disconnect all network and power cables, wait five minutes, then power up and connect to the network again.
1. Use **export** to enter your IAM credentials into Outpost Configuration Tool. If you are using a third party to install the server, you must provide them with the IAM credentials.
To authenticate, you must export the following four variables. Export one variable at a time. Do not include a space before or after the equal (=) sign.
+ `AWS_ACCESS_KEY_ID=`*access-key-id*
+ `AWS_SECRET_ACCESS_KEY=`*secret-access-key*
+ `AWS_SESSION_TOKEN=`*session-token*
+ Use the AWS CLI `GetSessionToken` command to get the `AWS_SESSION_TOKEN`. For more information, see [get-session-token](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-session-token.html) in the *AWS CLI Command Reference*.
**Note**
You must have the [AWSOutpostsAuthorizeServerPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSOutpostsAuthorizeServerPolicy.html) attached to your IAM role to get the `AWS_SESSION_TOKEN`.
+ To install the AWS CLI, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS CLI User Guide for Verrsion 2*.
+ `AWS_DEFAULT_REGION=`*Region*
Use the parent Region of the Outposts server as the value for `AWS_DEFAULT_REGION`. If you are using a third party to install the server, you must provide them with the parent Region.
The output in the following examples show successful exports.
```
Outpost>export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
result: OK
checksum: example-checksum
```
```
Outpost>export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
result: OK
checksum: example-checksum
```
```
Outpost>export AWS_SESSION_TOKEN=MIICiTCCAfICCQD6m7oRw0uXOjANBgk
VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6
b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd
BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN
MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z
b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt
YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ
21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T
rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE
Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4
nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb
FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb
NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE=
result: OK
checksum: example-checksum
```
```
Outpost>export AWS_DEFAULT_REGION=us-west-2
result: OK
checksum: example-checksum
```
1. Use **start-connection** to create a secure connection to the Region.
The output in the following example shows a connection successfully started.
```
Outpost>start-connection
is_started: True
asset_id: example-asset-id
connection_id: example-connection-id
timestamp: 2021-10-01T23:30:26Z
checksum: example-checksum
```
1. Wait for about 5 minutes.
1. Use **get-connection** to check if the connection to the Region has been established.
The output in the following example shows a successful connection.
```
Outpost>get-connection
---
keys_exchanged: True
connection_established: True
exchange_active: False
primary_peer: xx.xx.xx.xx:xxx
primary_status: success
primary_connection_id: a1b2c3d4567890abcdefEXAMPLE11111
primary_handshake_age: 1111111111
primary_server_public_key: AKIAIOSFODNN7EXAMPLE
primary_client_public_key: AKIAI44QH8DHBEXAMPLE
primary_server_endpoint: xx.xx.xx.xx:xxx
secondary_peer: xx.xxx.xx.xxx:xxx
secondary_status: success
secondary_connection_id: a1b2c3d4567890abcdefEXAMPLE22222
secondary_handshake_age: 1111111111
secondary_server_public_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
secondary_client_public_key: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
secondary_server_endpoint: xx.xxx.xx.xxx:xxx
timestamp: 2023-02-22T22:19:28Z
checksum: 0x83FA0123
```
After `keys_exchanged` and `connection_established` changes to `True`, the Outposts server is automatically provisioned and updated to the latest software and configuration.
**Note**
Note the following about the provisioning process:
After activation completes, it can take up to 10 hours until your Outposts server is usable.
You must keep the power and network for the Outposts server connected and stable during this process.
It is normal for the service link to fluctuate during this process.
If `exchange_active` is `True`, the connection is still establishing. Retry in 5 minutes.
If `keys_exchanged` or `connection_established` is `False`, and if `exchange_active` is `True`, the connection is still establishing. Retry in 5 minutes.
If `keys_exchanged` or `connection_established` is `False` even after 1 hour, contact [AWS Support Center](https://console.aws.amazon.com/support/home#/).
If the message `primary_status: No such asset id found.` appears, confirm the following:
You specified the correct Region.
You are using the same account as the one used to order the Outposts server.
If the Region is correct and you are using the same account as the one used to order the Outposts server, contact [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The `LifeCycleStatus` attribute of the Outpost will transition from `Provisioning` to `Active`. You will then receive an email letting you know that your Outposts server is provisioned and activated.
You don’t need to re-authorize the Outposts server after it is activated.
1. After you make a successful connection, you can disconnect your laptop from the server.
# Verify the NSK LEDs for your Outposts server
After the provisioning process completes, check the NSK LEDs.
AWS Outposts supports two versions of NSK: Atlas 2.0 and Atlas 3.0. Both NSK versions have a RGB **Status** LED. In addition, the Atlas 3.0 has a green **Power** LED.
The following image shows the location of the LEDs on the Atlas 2.0 and Atlas 3.0:
![\[An image of the Atlas 2.0 and 3.0 NSKs with the RGB Status LED on each NSK and the green Power LED on the Atlas 3.0.\]](http://docs.aws.amazon.com/outposts/latest/install-server/images/nsk-led-status.png)
**To verify the Status and Power LEDs on the NSK**
1. Check the color of the RGB Status LED. If the color is green, the NSK is healthy. If the color is not green, contact Support.
1. If you have an Atlas 3.0 NSK, check the green Power LED. If the green light is on, the NSK is correctly connected to the host and has power. If the green light is not on, contact Support.