Cisco SPA2102-AU Provisioning Guide - Page 55

Secure Resync, Basic HTTPS Resync - authentication

Page 55 highlights

Chapter 3 Provisioning Tutorial
Secure Resync

http://192.168.1.200/basic.txt

Step 5
Observe the syslog messages sent by the SPA. The periodic resyncs should now be obtaining the profile from the HTTP server. Also, the server should be logging each request if connection logging is enabled in the server configuration.

Step 6
In the HTTP server logs, observe how information identifying the test SPA appears in the log of user agents. This should include the SPA manufacturer, product name, current firmware version, and serial number.

Secure Resync

This section demonstrates the preferred mechanisms available on the SPA for securing the provisioning process. It includes the following topics:
• Basic HTTPS Resync, page 3-7
• HTTPS With Client Certificate Authentication, page 3-9
• HTTPS Client Filtering and Dynamic Content, page 3-9

Basic HTTPS Resync

HTTPS adds SSL to HTTP for remote provisioning so that:
• The SPA can authenticate the provisioning server
• The provisioning server can authenticate the SPA
• The confidentiality of information exchanged between the SPA and the provisioning server is ensured through encryption

SSL generates and exchanges secret (symmetric) keys for each connection between the SPA and the server, using public/private key pairs preinstalled in the SPA and the provisioning server.

On the client side, using HTTPS (with the GET method) simply requires changing the definition of the URL in the Profile_Rule parameter from http to https. On the server side, the service provider must install and set up the HTTPS server.

In addition, an SSL server certificate signed by Linksys must be installed on the SPA provisioning server. The SPA devices cannot resync to a server using HTTPS unless the server supplies a Linksys-signed server certificate.

Exercise

Step 1
Install an HTTPS server on a host whose IP address is known to the network DNS server, through normal hostname translation.
The open source Apache server can be configured to operate as an HTTPS server, when installed with the open source mod_ssl package.

Step 2
Generate a server Certificate Signing Request for the server.

Version 3.0 Linksys SPA Provisioning Guide 3-7
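The user-agent logging from Step 6 can be used to check which devices have actually moved their Profile_Rule from http to https. The following is an added example, not part of the Linksys guide: it assumes the server writes Apache's Debian-style "vhost_combined" access log and that the User-Agent has the layout Vendor/Product-Firmware (Serial); both layouts, the sample lines, the serials and the firmware value are constructed for illustration.

```python
import re

# Assumed log layout: Apache "vhost_combined" (Debian/Ubuntu default), whose
# leading host:port shows whether the request arrived on port 80 or 443.
LINE = re.compile(
    r'^\S+:(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')
# Assumed User-Agent layout: Vendor/Product-Firmware (Serial).
UA = re.compile(r'^(?P<vendor>[^/\s]+)/(?P<product>.+)-(?P<fw>[\w.]+) '
                r'\((?P<serial>[^)]+)\)$')

# Constructed sample lines; client addresses, serials and versions are made up.
SAMPLE_LOG = '''\
192.168.1.200:80 192.168.1.50 - - [10/Jan/2024:10:00:00 +0000] "GET /basic.txt HTTP/1.1" 200 512 "-" "Linksys/SPA-2102-0.0.1 (SERIAL000001)"
192.168.1.200:443 192.168.1.50 - - [10/Jan/2024:11:00:00 +0000] "GET /basic.txt HTTP/1.1" 200 512 "-" "Linksys/SPA-2102-0.0.1 (SERIAL000001)"
192.168.1.200:80 192.168.1.51 - - [10/Jan/2024:11:05:00 +0000] "GET /basic.txt HTTP/1.1" 200 512 "-" "Linksys/SPA-2102-0.0.1 (SERIAL000002)"
192.168.1.200:80 192.168.1.77 - - [10/Jan/2024:11:06:00 +0000] "GET /basic.txt HTTP/1.1" 200 512 "-" "curl/8.0"
'''

def audit(log_text, tls_ports=(443,)):
    """Group profile requests by device serial and collect requests whose
    User-Agent does not identify a device."""
    devices, unidentified = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a vhost_combined line
        scheme = 'https' if int(m['port']) in tls_ports else 'http'
        ua = UA.match(m['ua'])
        if not ua:
            unidentified.append((m['ip'], scheme, m['path'], m['ua']))
            continue
        dev = devices.setdefault(ua['serial'], {
            'vendor': ua['vendor'], 'product': ua['product'], 'schemes': []})
        dev['firmware'] = ua['fw']      # keep the most recently seen value
        dev['schemes'].append(scheme)   # log order is time order
    return devices, unidentified

def last_resync_plaintext(devices):
    """Serials whose most recent resync still used plain HTTP."""
    return sorted(s for s, d in devices.items() if d['schemes'][-1] == 'http')

if __name__ == '__main__':
    devs, other = audit(SAMPLE_LOG)
    print('last resync over http:', last_resync_plaintext(devs))
    print('profile fetched by unidentified clients:', other)
```

The User-Agent is supplied by the client, so this report is an inventory aid rather than an authentication check; the later topic on HTTPS with client certificate authentication covers identifying the device to the server.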

