Linksys SPA921 Cisco Small Business IP Telephony Devices Provisioning Guide - Page 39


Creating Provisioning Scripts
Open Format Configuration File
If the file is encrypted, the profile expects the file to have the same format as
generated by the following command:
# example encryption key = SecretPhrase1234
openssl enc -e -aes-256-cbc -k SecretPhrase1234 -in profile.xml -out profile.cfg
# analogous invocation for a compressed xml file
openssl enc -e -aes-256-cbc -k SecretPhrase1234 -in profile.xml.gz -out profile.cfg
A lowercase -k precedes the secret key, which can be any plain text phrase. The
command generates a random 64-bit salt and then, in combination with the secret
specified with the -k argument, derives a random 128-bit initial vector and the
actual 256-bit encryption key.
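Added example, not part of the Cisco guide: a Python sketch of the file layout and passphrase key derivation described above, usable to check that a .cfg file really is in `openssl enc` passphrase format before it is published over HTTP. The function names are hypothetical and the digest is an assumption (`openssl enc` defaulted to MD5 before OpenSSL 1.1.0 and to SHA-256 from 1.1.0 on), so confirm which one the device firmware expects.

```python
import hashlib
import os

MAGIC = b"Salted__"   # header written by `openssl enc` when a passphrase (-k) is used
BLOCK = 16            # AES block size in bytes

def evp_bytes_to_key(passphrase: bytes, salt: bytes, digest: str = "md5",
                     key_len: int = 32, iv_len: int = 16):
    """OpenSSL's legacy passphrase KDF (EVP_BytesToKey, one iteration).

    D1 = H(pass || salt), Dn = H(Dn-1 || pass || salt); key and IV are cut
    from D1 || D2 || ...  The digest is an assumption: `openssl enc` defaulted
    to MD5 before OpenSSL 1.1.0 and to SHA-256 from 1.1.0 on (override: -md).
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def inspect_profile(data: bytes):
    """Return (salt, ciphertext) or raise ValueError if not in enc format."""
    if data[:8] != MAGIC:
        raise ValueError("no 'Salted__' header: file is not passphrase-encrypted")
    salt, ciphertext = data[8:16], data[16:]
    if len(salt) != 8 or not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("truncated file or ciphertext not a multiple of 16 bytes")
    return salt, ciphertext

if __name__ == "__main__":
    # Constructed sample: header + random salt + two blocks standing in for ciphertext.
    sample = MAGIC + os.urandom(8) + os.urandom(32)
    salt, ct = inspect_profile(sample)
    key, iv = evp_bytes_to_key(b"SecretPhrase1234", salt)
    print(f"salt={salt.hex()} ({len(salt) * 8} bits), ciphertext={len(ct)} bytes")
    print(f"key={len(key) * 8} bits, iv={len(iv) * 8} bits")
    try:
        inspect_profile(b"<flat-profile>...</flat-profile>")
    except ValueError as e:
        print("plaintext profile rejected:", e)
```

Because the key and IV depend only on the passphrase and the salt stored in the file header, anyone who learns the `--key` value can decrypt every profile encrypted with it.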
When this form of encryption is used to encrypt a configuration profile, the IP
Telephony Device needs to be informed of the secret key value to decrypt the file.
This value is specified as a qualifier in the pertinent profile URL. The syntax is as
follows, using an explicit URL:
[--key "SecretPhrase1234"] http://prov.telco.com/path/profile.cfg
This value is programmed using one of the Profile_Rule parameters. The key must
be preprovisioned into the unit at an earlier time. This bootstrap of the secret key
can be accomplished securely by using HTTPS.
Preencrypting configuration profiles offline with symmetric key encryption allows
the use of HTTP for resyncing profiles. The provisioning server uses HTTPS to
handle initial provisioning of IP Telephony Devices after deployment. This feature
reduces the load on the HTTPS server in large scale deployments.
The final file name does not need to follow a specific format, but it is conventional
to end the name with the .cfg extension to indicate that it is a configuration profile.