open-edge-platform · Ram-srini · Feb 20, 2026 · Feb 20, 2026 · Feb 23, 2026 · cjnolan
@@ -131,33 +131,113 @@ sequenceDiagram
   %%{wrap}%%
   autonumber
   participant US as User
-  participant TR as Traefik
-  participant MT as MT-GW
-  participant MPS as MPS
-  participant PS as psqlDB
+  participant CLI as UI/CLI
+  box rgba(10, 184, 242, 1) EMF Orchestrator
+    participant TR as Traefik
+    participant MT as MT-GW
+    participant RPS as RPS
+    participant PS as psqlDB
+  end
+  US ->> CLI: Create Domain Profile (profileName,domainSuffix,ProvsioningCert,ProvisioningPasswd) 
   US ->> TR: Create Domain Profile
   activate TR
   TR ->> TR: Verify JWT token
   TR ->> MT: Create Domain Profile
   activate MT
   MT ->> MT: Extract ProjectID
-  MT ->> MPS: Create Domain Profile
-  activate MPS
-  MPS ->> MPS: Verify JWT token
-  MPS ->> MPS: Extract ProjectID
-  MPS ->> PS: Store Domain Profile
-  MPS ->> MT: OK
-  deactivate MPS
+  MT ->> RPS: Create Domain Profile
+  activate RPS
+  RPS ->> RPS: Verify JWT token
+  RPS ->> RPS: Extract ProjectID
+  RPS ->> PS: Store Domain Profile
+  RPS ->> MT: OK
+  deactivate RPS
   MT ->> TR: OK
   deactivate MT
-  TR ->> US: OK
+  TR ->> CLI: OK
   deactivate TR
+  CLI ->> US: OK
 ```
 
-The configuration is per-tenant and we expect each tenant to have its own provisioning certificate. The user is capable
-to change the `Domain` configuration by removing the existing and uploading a new one. There will be multiple domain
-configurations depending on how the edge infrastructure is deployed (ideally in each site there will be multiple network
-segments).
+Activating EN in ACM mode.
+
+```mermaid
+sequenceDiagram
+  title: AMT activation in ACM mode
+  %%{wrap}%%
+  autonumber
+  participant US as User
+  participant CLI as Orch-Cli
+  box rgba(10, 184, 242, 1) EMF Orchestrator
+    participant TR as Traefik
+    participant MT as MT-GW
+    participant API as API
+    participant INV as Inventory
+    participant DM as DeviceMgr
+    participant RPS as RPS
+  end
+  box rgba(32, 194, 142, 1) Edge Node
+    participant PMA as PMA
+  end
+  activate DM
+  Note over DM: Subscribe and listen for tenant creation events.
+  DM ->> DM: TenantCreation event received
+  DM ->> RPS: Create CIRA configuration
+  DM ->> RPS: Create the CCM profile
+  DM ->> RPS: Create the ACM profile
+  deactivate DM
+  Note over PMA: User has update the EN BIOS with DNS suffix(ACM mode only) and MEBx Password
+
+  US ->> CLI: Register the EN(serialNo or hardwareUUID, activationMode)
+  Note over CLI: Default CCM mode will chosen if user doesn't specify the action mode
+  CLI ->> TR: Register the EN
+  activate TR
+  TR ->> TR: Verify JWT token
+  TR ->> MT: Register the device
+  MT ->> MT: Extract ProjectID
+  MT ->> API: RegisterHost with serialNo or hardwareUUID , activationMode
+  API ->> INV: CreateHost and persist the host details in the DB
+  INV ->> API: CreateHost Response
+  API ->> MT: RegisterHost Response
+  MT ->> TR: RegisterHost Response
+  TR ->> CLI: RegisterHost Response
+  deactivate TR
+  CLI ->> US: RegisterHost Response
+
+  Note over PMA: Periodically calls gRPC API to get activation requests.
+  activate PMA
+  US ->> CLI: ActivateAMT for the EN
+  CLI ->> TR: ActivateAMT for the EN
+  activate TR
+  TR ->> TR: Verify JWT token
+  TR ->> MT: ActivateAMT for the EN
+  MT ->> MT: Extract ProjectID
+  MT ->> API: ActivateAMT for the EN
+  API ->> INV: Set the AMTDesiredState to PROVISIONED
+  INV ->> API: ActivateAMT Response
+  API ->> MT: ActivateAMT Response
+  MT ->> TR: ActivateAMT Response
+  TR ->> CLI: ActivateAMT Response
+  deactivate TR
+  CLI ->> US: ActivateAMT Response
+  activate DM
+  PMA ->> DM: Get ActivationRequest
+  DM ->> INV: QueryHost to get the user intent to do activation
+  INV ->> DM: AMT activattion intent response 
+  DM ->> PMA: Response with profileName, AMTPassed
+  PMA ->> PMA: Trigger the action command using rpc-go(profileName, amtPasswd)
+  PMA ->> DM: Report the AMT activation status to DM
+  deactivate DM
+  deactivate PMA
+  Note over US: Once activation completed then user can invoke AMT out of band operations
+```
+
+The configuration is per-tenant and we expect each tenant to have its own provisioning certificate.
+User has to procure the provisioning certificate from
+[CA providers/vendors](https://device-management-toolkit.github.io/docs/2.29/Reference/Certificates/remoteProvisioning/#purchase).
+The user is capable to change the `Domain` configuration by removing the existing
+and uploading a new one. There will be multiple domain configurations depending on
+how the edge infrastructure is deployed (ideally in each site there will be multiple network segments).
 
 **Note:** it is important to control e2e the environment and it is not possible to transfer devices from a domain to another
 without disruptions.
@@ -219,7 +299,6 @@ Hereafter we present as steps the proposed plan in the release 3.1.
 - Move user creation to the installer script
 - Introduce new roles and possibly groups to have fine-grain tokens
 - Substitute Kong and Kuma respectively with Traefik and Istio
-- Vault root creation and refresh logic move to a job, side care container or in the DM RM
 - Integrate MT-GW with RPS/MPS and expose their services
 - Extend MPS to properly handle JWT tokens and ActiveProjectID
   - Requests from the north will have ActiveProjectID and the JWT token
@@ -238,16 +317,14 @@ Control Mode (ACM). The proposed plan for the release is:
   - Extend vPRO UI to allow User to specify whether ACM or Client Control Mode (CCM) is used.
   - Add option to UI to allow User to specify DNS Suffix for domain profiles.
   - Add option to UI to allow User to upload required provisioning cert (in PFX format) and password for domain profiles.
+- Device manager:
+  - Create AMT admin profile whenever a new tenant is created.
+  - GRPC service should read the activation from host resource and based on that return the right profile name to PMA.
 - CLI
   - Add option for CLI to be used to provide the device activation mode is ACM or CCM for an instance.
   - Extend CLI to add method to provide DNS Suffix for domain profiles.
   - Add option for CLI to be used for uploading provisioning cert and password for domain profiles.
-- Vault
-  - Add storage option for provisioning cert and password for domain profiles.
-  - API for adding cert and password to Vault for use by CLI and UI. This API and storage should be tenant aware
-  as different tenants may use different certs and passwords for ACM.
-  - Add option for Device Management Manager to extract required cert and password for each instance.
-- Onboarding
+- Edge Node
   - Update BIOS with DNS Suffix value when running in admin mode
 
 Device Management Manager updates are documented in the [Device Management documentation](./vpro-rm.md).