Linksys SPA921 Cisco Small Business IP Telephony Devices Provisioning Guide - Page 76



Provisioning Tutorial
Secure Resync
STEP 9
Inspect the server certificate supplied by the server.
The browser probably does not recognize it as valid unless the browser has been
preconfigured to accept Cisco as a root CA. However, the IP Telephony Devices
expect the certificate to be signed this way.
Modify the Profile_Rule of the test device to contain a reference to the HTTPS
server in place of the HTTP server, for example:
https://my.server.com/basic.txt
This example assumes the name of the HTTPS server is my.server.com.
STEP 10
Click Submit All Changes.
STEP 11
Observe the syslog trace sent by the IP Telephony Device.
The syslog message should indicate that the resync obtained the profile from the
HTTPS server.
STEP 12
(Optional) Use an Ethernet protocol analyzer on the IP Telephony Device subnet to
verify that the packets are encrypted.
STEP 13
Because client certificate verification is not yet enabled in this exercise, use a
browser to request the profile stored in basic.txt.
At this point, the connection between IP Telephony Device and server is
encrypted. However, the transfer is not secure because any client can connect to
the server and request the file, given knowledge of the file name and directory
location. For secure resync, the server must also authenticate the client, as
demonstrated in the next exercise.
HTTPS With Client Certificate Authentication
In the factory default configuration, the server does not request an SSL client
certificate from a client. After you edit the configuration to enable client
authentication, the server requires a client certificate to authenticate the IP
Telephony Device before accepting a connection request.
Because of this, the resync operation in this exercise cannot be independently
tested using a browser lacking the proper credentials. Nevertheless, the SSL key
exchange within the HTTPS connection between the test IP Telephony Device and
the server can be observed using the ssldump utility. The utility trace shows the
interaction between client and server.
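
The trust decision behind client certificate authentication, as an added example that is not part of the original guide: a server accepts a client certificate only if it chains to the CA the server is configured to trust. The CA, device names and file names are constructed for the demo, and only the chain check is shown; the TLS handshake additionally proves possession of the private key.

```shell
#!/bin/sh
# Constructed throwaway PKI: every subject and file name here is made up.

# make_pki DIR: create a test CA, a device certificate signed by it, and a
# self-signed "rogue" certificate that reuses the device's subject name.
make_pki() {
    d=$1
    # Trust anchor, standing in for the CA the server is configured to trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Device key and signing request, then the CA-signed device certificate.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=constructed-device-01" \
        -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/dev.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/dev.pem" 2>/dev/null || return 1
    # Same subject, but self-signed: claiming a name is not enough.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-device-01" \
        -keyout "$d/rogue.key" -out "$d/rogue.pem" 2>/dev/null || return 1
}

# server_accepts CA CERT: succeed only if CERT chains to the trusted CA,
# the check a server applies to the client certificate it requested.
server_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_pki "$dir" || { rm -rf "$dir"; return 1; }
    for c in dev rogue; do
        if server_accepts "$dir/ca.pem" "$dir/$c.pem"; then
            echo "$c.pem: accepted"
        else
            echo "$c.pem: rejected"
        fi
    done
    rm -rf "$dir"
}

demo
```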