Linksys SPA921 Cisco Small Business IP Telephony Devices Provisioning Guide - Page 77



Provisioning Tutorial
Secure Resync
Cisco Small Business IP Telephony Devices Provisioning Guide
75
3
Exercise

STEP 1 Enable client certificate authentication on the HTTPS server.

STEP 2 In Apache (v.2), set the following in the server configuration file:

SSLVerifyClient require

Also ensure that the spacroot.cert has been stored as shown in the previous exercise.

STEP 3 Restart the HTTPS server and observe the syslog trace from the IP Telephony Device.

Each resync to the server now performs symmetric authentication, so that both the server certificate and the client certificate are verified before the profile is transferred.

STEP 4 Using ssldump, capture a resync connection between the IP Telephony Device and the HTTPS server.

If client certificate verification is properly enabled on the server, the ssldump trace shows the symmetric exchange of certificates (first server-to-client, then client-to-server) before the encrypted packets containing the profile.

With client authentication enabled, only an IP Telephony Device with a MAC address matching a valid client certificate can request the profile from the provisioning server. A request from an ordinary browser or other unauthorized device is rejected by the server.

HTTPS Client Filtering and Dynamic Content

If the HTTPS server is configured to require a client certificate, then the information in the certificate identifies the resyncing IP Telephony Device and supplies it with the correct configuration information.

The HTTPS server makes the certificate information available to CGI scripts (or compiled CGI programs) invoked as part of the resync request. For the purpose of illustration, this exercise uses the open source Perl scripting language, and assumes that Apache (v.2) is used as the HTTPS server.
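The following is an added example, not the guide's own Perl script and not Cisco code. It is a small Python CGI handler showing what Steps 1 through 4 and the section above amount to on the server side: the profile is handed out only when mod_ssl reports that the client certificate was verified, and the device is identified from that certificate rather than from anything the client typed in the request. It assumes Apache 2 with mod_ssl configured as in Step 2 plus SSLOptions +StdEnvVars (so the SSL_CLIENT_* variables reach the CGI environment), that the device's MAC address is carried in the client certificate's subject CN, and a constructed in-memory profile store in place of real profile files; the spacroot.cert path in the comment is a placeholder.

```python
#!/usr/bin/env python3
"""CGI profile handler for a client-certificate-authenticated provisioning server.

Assumed Apache 2 (mod_ssl) configuration behind this script (the two lines
from Step 2 plus the option that exports certificate data to CGI):

    SSLVerifyClient require
    SSLCACertificateFile /path/to/spacroot.cert   # placeholder path
    SSLOptions +StdEnvVars

With that in place Apache sets SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN in
the CGI environment; the assumption here is that the CN holds the device MAC.
"""
import os
import re
import sys

# Constructed sample profile store (MAC address -> profile body). A real
# server would read profile files keyed by MAC from disk instead.
PROFILES = {
    "000E08AABBCC": "<flat-profile><Profile_Rule>https://prov.example/cgi-bin/profile</Profile_Rule></flat-profile>",
}

# Twelve upper-case hex digits, the normalised form of a MAC address.
MAC_RE = re.compile(r"^[0-9A-F]{12}$")


def mac_from_subject_cn(cn):
    """Normalise a CN such as '00:0e:08:aa:bb:cc' or '000E08AABBCC' to twelve
    upper-case hex digits; return None if the CN does not look like a MAC."""
    if cn is None:
        return None
    mac = re.sub(r"[^0-9A-Fa-f]", "", cn).upper()
    return mac if MAC_RE.match(mac) else None


def select_profile(env, profiles=PROFILES):
    """Return (http_status, body) for one resync request.

    The device identity is trusted only when mod_ssl itself reports that the
    client certificate chained to the configured CA (SSL_CLIENT_VERIFY ==
    'SUCCESS'); a browser or any client without a valid certificate never
    reaches the profile lookup, which is the rejection described in Step 4.
    """
    if env.get("HTTPS") != "on":
        return 403, "TLS required"
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return 403, "verified client certificate required"
    mac = mac_from_subject_cn(env.get("SSL_CLIENT_S_DN_CN"))
    if mac is None:
        return 403, "client certificate does not identify a device"
    body = profiles.get(mac)
    if body is None:
        return 404, "no profile for device " + mac
    return 200, body


def main():
    status, body = select_profile(os.environ)
    # stderr goes to the Apache error log, giving an audit trail of who resynced.
    sys.stderr.write("resync from %s -> %d\n" % (os.environ.get("SSL_CLIENT_S_DN_CN", "<no cert>"), status))
    content_type = "text/xml" if status == 200 else "text/plain"
    sys.stdout.write("Status: %d\r\nContent-Type: %s\r\n\r\n%s" % (status, content_type, body))


if __name__ == "__main__":
    main()
```

Apache only sets SSL_CLIENT_VERIFY to SUCCESS after the presented certificate has chained to spacroot.cert, so the script never trusts the CN on its own; the two 403 paths are what an ordinary browser sees, and a valid certificate for a MAC with no stored profile gets a 404 rather than someone else's configuration.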