Skip to main content

Enroll nodes

When you enroll a node into a node cohort, Chef 360 Platform installs the Chef skills and skill settings that are defined for all nodes in that cohort. These skills allow Chef 360 Platform to manage the node, execute Chef Courier jobs, and report back to Chef 360 Platform.

Chef 360 Platform installs the following skills in the default skill assembly:

  • Chef Infra Client interpreter skill: Executes Chef Infra Client runs.
  • Courier Runner skill: Interprets and executes Chef Courier jobs.
  • Gohai skill: Reports node attribute data to Chef 360 Platform.
  • Inspec interpreter skill: Executes Chef InSpec audits.
  • Node Management agent: Manages and installs other skills on the node.
  • Restart interpreter skill: Restarts nodes.
  • Shell interpreter skill: Executes shell scripts.

For more information, see the Chef 360 skills documentation.

Node enrollment methods

This document demonstrates the following methods of node enrollment:

  • cookbook-based enrollment
  • self enrollment
  • single-node enrollment

For more information, see the node enrollment documentation.

Note

Chef 360 Platform doesn’t support node re-enrollment.

Role requirements

To enroll nodes, use a profile with the node-manager role.

Before you begin

Single-node enrollment

Single-node enrollment allows you to enroll nodes directly from the server side. With this method, you specify the connection and configuration details for each node and upload them to Chef 360 Platform. Chef 360 Platform then connects to each node, installs Chef Habitat, Chef Node Management, and any skills or agents associated with the node’s cohort.

Enroll Linux nodes

Before you begin, you will need the following node connection details:

  • the public DNS or IP address
  • the RSA key or password
  • the username
  • the SSH port number

To enroll a Linux node, follow these steps:

  1. Get the ID of the cohort that you want to add the node to using the find-all-cohorts command:

    chef-node-management-cli management cohort find-all-cohorts --profile <PROFILE_NAME>

    Replace <PROFILE_NAME> with the name of a profile that has the node-manager role.

    This returns a list of cohorts and their IDs.

  2. Create a JSON file that defines the node connection settings. You can authenticate with a password or RSA key.

    Use the following JSON to authenticate with an RSA key:

    {
    "cohortId": "<COHORT_ID>",
    "url": "<NODE_DNS_OR_PUBLIC_IP>",
    "sshCredentials": {
        "username": "<SSH_USER_NAME>",
        "key": "<SSH_KEY>",
        "port": <SSH_PORT>
    }
}

    Replace the following:

    • <COHORT_ID> with the ID of the cohort that the node will be enrolled with.
    • <NODE_DNS_OR_PUBLIC_IP> with a public domain name or IP address.
    • <SSH_USERNAME> with the SSH username to authenticate with the node.
    • <SSH_KEY> with the SSH key used to authenticate with the node.
    • <SSH_PORT> with the SSH port. Default is 22.

    Note

    Format SSH keys as a single-line string. To add a multiline key, replace new lines with the newline character \n.

    Use the following command to replace new lines in a PEM file:

    awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' <PEM_FILENAME>

    Use the following JSON to authenticate with a password:

    {
    "cohortId": "<COHORT_ID>",
    "url": "<NODE_DNS_OR_PUBLIC_IP>",
    "sshCredentials": {
        "username": "<SSH_USER_NAME>",
        "password": "<SSH_PASSWORD>",
        "port": <SSH_PORT>
    }
}

    Replace the following:

    • <COHORT_ID> with the ID of the cohort that the node will be enrolled with.
    • <NODE_DNS_OR_PUBLIC_IP> with a public domain name or IP address.
    • <SSH_USERNAME> with the SSH username to authenticate with the node.
    • <SSH_PASSWORD> with the SSH password used to authenticate with the node.
    • <SSH_PORT> with the SSH port. Default is 22.

  3. Enroll the node using the enrollment enroll-node command:

    chef-node-management-cli enrollment enroll-node --body-file <JSON_SETTINGS_FILE> --profile <PROFILE_NAME>

    The response is similar to the following:

    {
    "item": {
        "id": "36c570b1-798a-4530-ada5-2661dfeb3fac",
        "nodeId": "e4b1b524-4e77-4448-b1a9-01b80288c898"
    }
}

Enroll Windows nodes

Before you begin, you will need the following node connection details:

  • the public DNS or IP address
  • the username and password

To enroll a Windows node, follow these steps:

  1. Get the ID of the cohort that you want to add the node to using the find-all-cohorts command:

    chef-node-management-cli management cohort find-all-cohorts --profile <PROFILE_NAME>

    Replace <PROFILE_NAME> with the name of a profile that has the node-manager role.

    This returns a list of cohorts and their IDs.

  2. Create a JSON file that defines the node connection settings:

    {
    "cohortId": "<COHORT_ID>",
    "url": "<NODE_DNS_OR_PUBLIC_IP>",
    "winRMCredentials": {
        "username": "<WINDOWS_USERNAME>",
        "password": "<WINDOWS_PASSWORD>"
    }
}

    Replace the following:

    • <COHORT_ID> with the ID of the cohort that the node will be enrolled with.
    • <NODE_DNS_OR_PUBLIC_IP> with the node’s public domain name or IP address.
    • <WINDOWS_USERNAME> with the Windows username to authenticate with the node.
    • <WINDOWS_PASSWORD> with the Windows password used to authenticate with the node.

  3. Enroll the node using the enrollment enroll-node command:

    chef-node-management-cli enrollment enroll-node --body-file <JSON_SETTINGS_FILE> --profile <PROFILE_NAME>

    The response is similar to the following:

    {
    "item": {
        "id": "36c570b1-798a-4530-ada5-2661dfeb3fac",
        "nodeId": "e4b1b524-4e77-4448-b1a9-01b80288c898"
    }
}

Cookbook-based enrollment

Cookbook-based enrollment allows you to enroll nodes from the client side. In this method, you upload a cookbook with the enrollment settings to the Chef Infra Server, and then use Chef Infra Client to enroll the node with Chef 360 Platform.

Enroll nodes with a cookbook

The chef-cookbook-enroll cookbook uses the node_management_enroll custom resource and a wrapper cookbook to define enrollment settings.

Before you begin, you will need the following node and Chef 360 Platform details:

  • Your Chef 360 Platform FQDN.

  • Your Chef 360 Platform API port number.

  • An access key and secret key for secure communication with Chef 360 Platform.

  • The Habitat Builder URL, either your private URL or https://bldr.habitat.sh.

  • If TLS is enabled on Chef 360 Platform, get the root CA certificate for the machine that Chef 360 Platform Server is installed on. You can retrieve this certificate using the following command:

    curl -k <TENANT_URL>/platform/system/v1/tenant/root-ca \
  | jq -r '.item.rootCa' \
  | sed 's/\\n/$'\''\n'\''/g' \
  > root-ca.crt

    Replace <TENANT_URL> with your Chef 360 Platform server hostname or IP address.

To configure the cookbooks and define enrollment settings, follow these steps:

  1. Get the ID of the cohort that you want to add the node to using the find-all-cohorts command:

    chef-node-management-cli management cohort find-all-cohorts \
  --profile <PROFILE_NAME>

    Replace <PROFILE_NAME> with the name of a profile that has the node-manager role.

    This returns a list of cohorts and their IDs.

  2. Download the chef360-node-enroll cookbook.

  3. Upload the chef360-node-enroll cookbook, which includes the node_management_enroll resource, to your Chef Infra Server:

    knife cookbook upload chef360-node-enroll \
  --cookbook-path <COOKBOOK_DIR_PATH>

    Replace COOKBOOK_DIR_PATH with the path to your cookbook directory.

  4. Create a wrapper cookbook and add the chef360-node-enroll cookbook as a dependency:

    chef generate cookbook <COOKBOOK_NAME>

    In the metadata.rb file of your wrapper cookbook, add the following dependency to include the chef-cookbook-enroll cookbook:

    depends 'chef360-node-enroll', '~> 1.0.8'

  5. On a computer registered with Chef 360 Platform Server, generate an access key and secret key:

    chef-platform-auth-cli user-account self create-token \
  --body '{"expiration": "<EXPIRATION_DATE>", "name": "<TOKEN_NAME>"}' \
  --profile <PROFILE_NAME>

    Replace:

    • <EXPIRATION_DATE> with a date and time in ISO 8601 format. For example, 2027-12-31T11:42:23-05:00.
    • <TOKEN_NAME> with a meaningful token name for easy identification.
    • <PROFILE_NAME> with a profile that has the node-manager role assigned to it.

    The response includes an access key and secret key and looks like the following:

    {
  "item": {
    "accessKey": "6QIUKP4WIXD4RVAF0BQ3",
    "expiration": "2027-12-31T11:42:23-05:00",
    "id": "bcba5b7a-fb0b-4a62-b442-7ba7bda5e05a",
    "name": "CI-CD Token",
    "role": {
      "id": "5fcb0235-1e56-4ece-8857-404a5d39a290",
      "name": "tenant-admin"
    },
    "secretKey": "x6aCg1NckQoLsQnere26fmGgD0RiWOrf4RNXBhlg"
  }
}

  6. Define the node_management_enroll resource in your wrapper cookbook’s recipe:

    node_management_enroll 'Enroll Node' do
  chef_platform_url '<CHEF_360_FQDN>'
  enroll_type '<ENROLLMENT_TYPE>'
  api_port '<API_PORT>'
  access_key '<ACCESS_KEY>'
  secret_key '<SECRET_KEY>'
  cohort_id '<COHORT_ID>'
  hab_builder_url '<HABITAT_BUILDER_URL>'
  root_ca <CHEF_360_ROOT_CA>
  working_dir_path '<VALID_DIR_PATH>'
  upgrade_skills <UPGRADE_SKILLS>
end

    Replace:

    • <CHEF_360_FQDN> with the fully qualified domain name (FQDN) for your Chef 360 Platform deployment.

    • <ENROLLMENT_TYPE> with either full or partial depending on the form of enrollment. Use full unless you must partial. See the node enrollment documentation for details on the difference between these types.

    • <API_PORT> with the API port configured in Chef 360 Platform. The default value is 31000.

      For Chef 360 SaaS, use 443.

    • <ACCESS_KEY> with an access key for secure communication with Chef 360 Platform. Store securely using an encrypted Chef data bag or a secrets manager.

    • <SECRET_KEY> with a secret key for secure communication with Chef 360 Platform. Store securely using an encrypted Chef data bag or a secrets manager.

    • <COHORT_ID> with a valid cohort ID. The cohort defines all skills and settings installed on the node.

    • <HABITAT_BUILDER_URL> with the URL of the Chef Habitat Builder used by your organization.

      Default value: https://bldr.habitat.sh

    • <CHEF_360_ROOT_CA> if TLS is enabled, with the root CA public key.

      For Chef 360 SaaS, use the following public key.

      • Chef 360 SaaS public key

        For Chef 360 SaaS, replace <CHEF_360_ROOT_CA> with the following public key. This key expires on March 18, 2029.

        -----BEGIN CERTIFICATE-----
MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4
GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbF
NpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwM
zE4MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzET
MBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQY
JKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2Ec
WtiHL8RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUh
hB5uzsTgHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL
0gRgykmmKPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65
TpjoWc4zdQQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rU
AVSNECMWEZXriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCA
wEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFI/wS3+oLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNv
AUKr+yAzv95ZURUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8
dEe3jgr25sbwMpjjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw
8lo/s7awlOqzJCK6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0
095MJ6RMG3NzdvQXmcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVE
TI53O9zJrlAGomecsMx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02
JQZR7rkpeDMdmztcpHWD9f
-----END CERTIFICATE-----

    • <VALID_DIR_PATH> with a temporary working directory where all required builds are downloaded. Specify a valid path based on the OS.

      Default value: /tmp.

    • <UPGRADE_SKILLS> with true or false. If true, Chef 360 Platform checks for the latest skill versions and installs them if found.

      Default value: false.

  7. Push the wrapper cookbook or policy to Chef Infra Server.

    If you’re using a role, upload the wrapper cookbook to the Chef Infra Server:

    knife cookbook upload <WRAPPER_COOKBOOK_NAME> \
  --cookbook-path <WRAPPER_COOKBOOK_DIR_PATH>

    If you’re using a Policyfile, create Policyfile.lock.json file and push the Policyfile to Chef Infra Server:

    chef install
chef push <POLICY_GROUP> <POLICYFILE>

  8. Include the wrapper cookbook in your node’s run-list by adding it to a role or Policyfile. See the run-list and role documentation for more information.

    The next time Chef Infra Client runs, it executes the node_management_enroll resource and the node is enrolled with Chef 360 Platform. The access key and secret key are included with the wrapper cookbook and passed to all nodes that run the cookbook so they can authenticate with Chef 360 Platform.

Self enrollment

Node self enrollment is a client-side enrollment method that allows nodes to register themselves with Chef 360 Platform. This method works well for environments that follow zero trust principles or manage dynamic infrastructure like autoscaling cloud nodes. Self enrollment doesn’t require open ports or pre-established connections, making it both secure and flexible.

Self enrollment fully enrolls nodes.

You can integrate the self-enrollment scripts into your provisioning workflow for large-scale deployments. Use the script as part of a startup routine, golden image, or configuration management process. Each node can securely identify itself and register with Chef 360 Platform automatically without manual steps. This approach works well for dynamic or large-scale environments where automation, consistency, and scalability are essential.

Node self enrollment steps

To enroll nodes with self enrollment, follow these steps:

  1. If you don’t already have one, create an application key and signed config file. They allow the node to enroll with Chef 360 Platform.
  2. Enroll the node.
  3. If the cohort requires it, approve nodes after enrollment.

Enroll nodes with self enrollment

Enroll nodes with Chef 360 SaaS

The enrollment scripts below enroll Linux or Windows nodes into a cohort that’s defined:

  • by the application key stored on Chef 360 SaaS
  • in the PowerShell or Shell script executed on the node

To enroll your Linux nodes with Chef 360 SaaS, use one of the scripts below and execute it on the node as a root user.

  • Cohort defined in shell script

    This script enrolls Linux nodes into a cohort that’s defined in the script by its UUID and the node authenticates with Chef 360 SaaS with a public certificate.

    ######
# Script enrolls nodes in cohort defined in script and authenticates with Chef 360 Platform or SaaS using public certs or http
#
# Replace:
# - `<SERVER_FQDN>` with the fully qualified domain name of your Chef 360 Platform Server with protocol.
#                   For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
# - `<SIGNED_CONFIG_FILE_CONTENTS>` with the contents of your signed config file.
# - `<COHORT_ID>` with the Cohort ID for your self node enrollment.
######

export SERVER="<SERVER_FQDN>"
curl -sk "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
export COHORT_ID="<COHORT_ID>"
echo "Running: node enrollment"
chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt

    Replace the following:

    • <SERVER_FQDN>: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, https://chef360.example.com or https://chef360.example.com:31000.
    • <COHORT_ID>: with the Cohort ID for your self node enrollment.
    • <SIGNED_CONFIG_FILE_CONTENTS>: with the contents of your signed config file.
  • Cohort defined by application key

    This script enrolls Linux nodes into a cohort that’s defined by the application key and node authenticates with Chef 360 SaaS with a public certificate.

    ######
# Script enrolls nodes in cohort defined by application key and authenticates with Chef 360 Platform or SaaS using public certs or http
#
# Replace:
# - `<SERVER_FQDN>` with the fully qualified domain name of your Chef 360 Platform Server with protocol.
#                   For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
# - `<SIGNED_CONFIG_FILE_CONTENTS>` with the contents of your signed config file.
######

export SERVER="<SERVER_FQDN>"
curl -sk "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
echo "Running: node enrollment"
chef-node-enrollment-cli enroll-node --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt

    Replace the following:

    • <SERVER_FQDN>: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, https://chef360.example.com or https://chef360.example.com:31000.
    • <SIGNED_CONFIG_FILE_CONTENTS>: with the contents of your signed config file.

To enroll your Windows nodes with Chef 360 SaaS, use one of the scripts below and execute it on the node in Powershell with administrator privileges.

  • Cohort defined in PowerShell script

    This script enrolls Windows nodes into a cohort that’s defined in the PowerShell script by its UUID and the node authenticates with Chef 360 SaaS with a public certificate.

    <#
.SYNOPSIS
    Enrolls a Windows node into a Chef 360 Platform or SaaS cohort using UUID-based enrollment with public certificates.

.NOTES
    Before running this script, replace the following placeholders:
    - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server with protocol
      Examples: https://chef360.example.com or https://chef360.example.com:31000
    - <COHORT_ID>: The UUID of the cohort for self node enrollment
    - <SIGNED_CONFIG_FILE_CONTENTS>: The complete contents of your signed configuration file

#>

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13
$SERVER="<SERVER_FQDN>"
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression
$ConfigFilePath = "$env:USERPROFILE\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath $ConfigFilePath -Encoding ascii
# Set CohortId
$COHORT_ID="<COHORT_ID>"
Write-Host "Running: node enrollment"
chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file $ConfigFilePath

    Replace the following:

    • <SERVER_FQDN>: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, https://chef360.example.com or https://chef360.example.com:31000.
    • <COHORT_ID>: with the Cohort ID for your self node enrollment.
    • <SIGNED_CONFIG_FILE_CONTENTS>: with the contents of your signed config file.
  • Cohort defined in application key

    This script enrolls Windows nodes into a cohort that’s defined by the application key and it authenticates with Chef 360 SaaS using a public certificate.

    <#
.SYNOPSIS
    Enrolls a Windows node into a Chef 360 Platform or SaaS cohort using application key authentication with public certificates.

.NOTES
    Before running this script, replace the following placeholders:
    - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server with protocol
      Examples: https://chef360.example.com or https://chef360.example.com:31000
    - <SIGNED_CONFIG_FILE_CONTENTS>: The complete contents of your signed configuration file

#>

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13
$SERVER="<SERVER_FQDN>"
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression
$ConfigFilePath = "$env:USERPROFILE\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath $ConfigFilePath -Encoding ascii
Write-Host "Running: node enrollment"
chef-node-enrollment-cli enroll-node --sign-config-file $ConfigFilePath

    Replace the following:

    • <SERVER_FQDN>: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, https://chef360.example.com or https://chef360.example.com:31000.
    • <SIGNED_CONFIG_FILE_CONTENTS>: with the contents of your signed config file.

Enroll nodes with Chef 360 Platform

The enrollment scripts below enroll nodes in the following scenarios:

  • The cohort that the node is enrolled into is defined:

    • by the application key stored on Chef 360 Platform
    • in the PowerShell or Shell script executed on the node

  • Chef 360 Platform is configured with the following gateway certificate methods:

    • Disabled (http)
    • System generated (self-signed certificate)
    • Custom certificate (self-signed or public certificate)

To enroll your Linux nodes with Chef 360 Platform, select the script below that matches where the cohort is defined and the gateway certificate method. Execute the script on the node as a root user.

  • Cohort defined in shell script, 360 Platform authenticates with self-signed certificate

    This script enrolls Linux nodes into a cohort that’s defined in the script by its UUID and with Chef 360 Platform configured to authenticate with a self-signed certificate.

    ######
# Script enrolls nodes in cohort defined in script and authenticates with Chef 360 Platform using self-signed certs
#
# Replace:
# - `<SERVER_FQDN>` with the fully qualified domain name of your Chef 360 Platform Server with protocol.
#                   For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
# - `<SIGNED_CONFIG_FILE_CONTENTS>` with the contents of your signed config file.
# - `<COHORT_ID>` with the Cohort ID for your self node enrollment.
######

export SERVER="<SERVER_FQDN>"
curl -sk "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
export COHORT_ID="<COHORT_ID>"
echo "Running: node enrollment"
chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt --insecure

    Replace the following:

    • <SERVER_FQDN>: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, https://chef360.example.com or https://chef360.example.com:31000.
    • <COHORT_ID>: with the Cohort ID for your self node enrollment.
    • <SIGNED_CONFIG_FILE_CONTENTS>: with the contents of your signed config file.
  • Cohort defined in shell script, 360 Platform uses http or authenticates with public certificate

    This script enrolls Linux nodes into a cohort that’s defined in the script by its UUID and with Chef 360 Platform configured to authenticate with a public certificate or with authentication disabled.

    ######
# Script enrolls nodes in cohort defined in script and authenticates with Chef 360 Platform or SaaS using public certs or http
#
# Replace:
# - `<SERVER_FQDN>` with the fully qualified domain name of your Chef 360 Platform Server with protocol.
#                   For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
# - `<SIGNED_CONFIG_FILE_CONTENTS>` with the contents of your signed config file.
# - `<COHORT_ID>` with the Cohort ID for your self node enrollment.
######

export SERVER="<SERVER_FQDN>"
curl -sk "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
export COHORT_ID="<COHORT_ID>"
echo "Running: node enrollment"
chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt

    Replace the following:

    • <SERVER_FQDN>: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, https://chef360.example.com or https://chef360.example.com:31000.
    • <COHORT_ID>: with the Cohort ID for your self node enrollment.
    • <SIGNED_CONFIG_FILE_CONTENTS>: with the contents of your signed config file.
  • Cohort defined by application key, 360 Platform authenticates with self-signed certificate

    This script enrolls Linux nodes into a cohort that’s defined by the application key and with Chef 360 Platform configured to authenticate with a self-signed certificate.

    ######
# Script enrolls nodes in cohort defined by application key and authenticates with Chef 360 Platform using self-signed certs
#
# Replace:
# - `<SERVER_FQDN>` with the fully qualified domain name of your Chef 360 Platform Server with protocol.
#                   For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
# - `<SIGNED_CONFIG_FILE_CONTENTS>` with the contents of your signed config file.
######

export SERVER="<SERVER_FQDN>"
curl -sk "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
echo "Running: node enrollment"
chef-node-enrollment-cli enroll-node --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt --insecure

    Replace the following:

    • <SERVER_FQDN>: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, https://chef360.example.com or https://chef360.example.com:31000.
    • <SIGNED_CONFIG_FILE_CONTENTS>: with the contents of your signed config file.
  • Cohort defined by application key, 360 Platform uses http or authenticates with public certificate

    This script enrolls Linux nodes into a cohort that’s defined by the application key and with Chef 360 Platform configured to authenticate with a public certificate or with authentication disabled.

    ######
# Script enrolls nodes in cohort defined by application key and authenticates with Chef 360 Platform or SaaS using public certs or http
#
# Replace:
# - `<SERVER_FQDN>` with the fully qualified domain name of your Chef 360 Platform Server with protocol.
#                   For example, `https://chef360.example.com` or `https://chef360.example.com:31000`.
# - `<SIGNED_CONFIG_FILE_CONTENTS>` with the contents of your signed config file.
######

export SERVER="<SERVER_FQDN>"
curl -sk "$SERVER/platform/bundledtools/v1/static/install.sh" | TOOL="chef-node-enrollment-cli" SERVER="$SERVER" VERSION="latest" bash -
echo "<SIGNED_CONFIG_FILE_CONTENTS>" > /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
echo "Running: node enrollment"
chef-node-enrollment-cli enroll-node --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt

    Replace the following:

    • <SERVER_FQDN>: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, https://chef360.example.com or https://chef360.example.com:31000.
    • <SIGNED_CONFIG_FILE_CONTENTS>: with the contents of your signed config file.

To enroll your Windows nodes with Chef 360 Platform, select the script below that matches where the cohort is defined and gateway certificate method. Execute the script on the node in Powershell with administrator privileges.

  • Cohort defined in PowerShell script, 360 Platform authenticates with self-signed certificate

    This script enrolls Windows nodes into a cohort that’s defined in the PowerShell script by its UUID and with Chef 360 Platform configured to authenticate with a self-signed certificate.

    <#
.SYNOPSIS
    Enrolls a Windows node into a Chef 360 Platform cohort using self-signed certificate authentication.

.NOTES
    Before running this script, replace the following placeholders:
    - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server with protocol
      Examples: https://chef360.example.com or https://chef360.example.com:31000
    - <COHORT_ID>: The UUID of the cohort for self node enrollment
    - <SIGNED_CONFIG_FILE_CONTENTS>: The complete contents of your signed configuration file
#>

$code= @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
Add-Type -TypeDefinition $code -Language CSharp
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13
$SERVER="<SERVER_FQDN>"
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression
$ConfigFilePath = "$env:USERPROFILE\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath $ConfigFilePath -Encoding ascii
#Set CohortId
$COHORT_ID="<COHORT_ID>"
Write-Host "Running: node enrollment"
chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file $ConfigFilePath --insecure

    Replace the following:

    • <SERVER_FQDN>: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, https://chef360.example.com or https://chef360.example.com:31000.
    • <COHORT_ID>: with the Cohort ID for your self node enrollment.
    • <SIGNED_CONFIG_FILE_CONTENTS>: with the contents of your signed config file.
  • Cohort defined in PowerShell script, 360 Platform uses http or authenticates with public certificate

    This script enrolls Windows nodes into a cohort that’s defined in the PowerShell script by its UUID and with Chef 360 Platform configured to authenticate with a public certificate or with authentication disabled.

    <#
.SYNOPSIS
    Enrolls a Windows node into a Chef 360 Platform or SaaS cohort using UUID-based enrollment with public certificates.

.NOTES
    Before running this script, replace the following placeholders:
    - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server with protocol
      Examples: https://chef360.example.com or https://chef360.example.com:31000
    - <COHORT_ID>: The UUID of the cohort for self node enrollment
    - <SIGNED_CONFIG_FILE_CONTENTS>: The complete contents of your signed configuration file

#>

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13
$SERVER="<SERVER_FQDN>"
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression
$ConfigFilePath = "$env:USERPROFILE\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath $ConfigFilePath -Encoding ascii
# Set CohortId
$COHORT_ID="<COHORT_ID>"
Write-Host "Running: node enrollment"
chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file $ConfigFilePath

    Replace the following:

    • <SERVER_FQDN>: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, https://chef360.example.com or https://chef360.example.com:31000.
    • <COHORT_ID>: with the Cohort ID for your self node enrollment.
    • <SIGNED_CONFIG_FILE_CONTENTS>: with the contents of your signed config file.
  • Cohort defined in application key, 360 Platform authenticates with self-signed cert

    This script enrolls Windows nodes into a cohort that’s defined by the application key and with Chef 360 Platform configured to authenticate with a self-signed certificate.

    <#
.SYNOPSIS
    Enrolls a Windows node into a Chef 360 Platform cohort using application key authentication with self-signed certificate support.

.NOTES
    Before running this script, replace the following placeholders:
    - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server with protocol
      Examples: https://chef360.example.com or https://chef360.example.com:31000
    - <SIGNED_CONFIG_FILE_CONTENTS>: The complete contents of your signed configuration file

#>

$code= @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
Add-Type -TypeDefinition $code -Language CSharp
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13
$SERVER="<SERVER_FQDN>"
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression
$ConfigFilePath = "$env:USERPROFILE\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath $ConfigFilePath -Encoding ascii
Write-Host "Running: node enrollment"
chef-node-enrollment-cli enroll-node --sign-config-file $ConfigFilePath --insecure

    Replace the following:

    • <SERVER_FQDN>: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, https://chef360.example.com or https://chef360.example.com:31000.
    • <SIGNED_CONFIG_FILE_CONTENTS>: with the contents of your signed config file.
  • Cohort defined in application key, 360 Platform uses http or authenticates with public certificate

    This script enrolls Windows nodes into a cohort that’s defined by the application key and Chef 360 Platform is configured to authenticate with a public certificate or with authentication disabled.

    <#
.SYNOPSIS
    Enrolls a Windows node into a Chef 360 Platform or SaaS cohort using application key authentication with public certificates.

.NOTES
    Before running this script, replace the following placeholders:
    - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server with protocol
      Examples: https://chef360.example.com or https://chef360.example.com:31000
    - <SIGNED_CONFIG_FILE_CONTENTS>: The complete contents of your signed configuration file

#>

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13
$SERVER="<SERVER_FQDN>"
$env:TOOL="chef-node-enrollment-cli"; $env:SERVER="$SERVER"; Invoke-WebRequest -Uri "$SERVER/platform/bundledtools/v1/static/install.ps1" -UseBasicParsing | Invoke-Expression
$ConfigFilePath = "$env:USERPROFILE\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"
"<SIGNED_CONFIG_FILE_CONTENTS>" | Out-File -FilePath $ConfigFilePath -Encoding ascii
Write-Host "Running: node enrollment"
chef-node-enrollment-cli enroll-node --sign-config-file $ConfigFilePath

    Replace the following:

    • <SERVER_FQDN>: with the fully qualified domain name of your Chef 360 Platform Server with protocol. For example, https://chef360.example.com or https://chef360.example.com:31000.
    • <SIGNED_CONFIG_FILE_CONTENTS>: with the contents of your signed config file.

Manually approve nodes after enrollment

If you set the approvalNeeded flag to true in your cohort, enrolled nodes will have an enrollment level of waiting-for-approval. You must approve these nodes manually before they can complete enrollment.

To approve a node manually, run the chef-node-management-cli management node approve-node command:

  • chef-node-management-cli management node approve-node \
 --nodeId <NODE_ID> \
 --profile <NODE_MANAGER_PROFILE_NAME>

After you approve the node, its enrollment level changes to admitted. Within a few minutes, the agent will retry, assign the correct roles to the node, and complete the enrollment process.

Check the node enrollment status

You can check if a node is enrolled by getting its current enrollment status or by getting the status of each step in the node’s enrollment process.

To get the enrollment level of a node, use the node ID and the management node find-one-node subcommand:

  • chef-node-management-cli management node find-one-node --nodeId <NODE_ID> --profile <NODE_MANAGER_PROFILE_NAME>

    An enrolled node has an enrollment level of enrolled, otherwise it has a status of admitted. For example:

    "enrollmentLevel": "enrolled"

To get the status of each step in the node’s enrollment process, use the get-status subcommand. This command is only applicable for single-node enrollment.

  • chef-node-management-cli status get-status --nodeId <NODE_ID> --profile <NODE_MANAGER_PROFILE_NAME>

    An enrolled node has "status": "Success" at each step.

Verify that the skills are installed

  • To verify that the skills are installed, use the find-one-node command:

    chef-node-management-cli management node find-one-node --nodeId <NODE_ID> --profile <PROFILE_NAME>

    The response returns details about the node including a list of installed skills.

More information

Next step

Thank you for your feedback!

×