Provisioning Guide
Page 8
... document is two lines, upgradeable to the LAN Note A Linksys VoIP device that appear on a menu or a literal value to create a configuration profile. Chapter Chapter 1, "Provisioning Linksys VoIP Devices" Chapter 2, "Creating Provisioning Scripts" Chapter 3, "Provisioning Tutorial" Chapter 4, "Provisioning Field Reference...Provisioning tab of the Linksys device administration web server. Typographic Element Boldface Meaning Indicates an option on the configuration pages of the administration web server. This chapter provides step-by-step procedures for connecting another device to...
... document is two lines, upgradeable to the LAN Note A Linksys VoIP device that appear on a menu or a literal value to create a configuration profile. Chapter Chapter 1, "Provisioning Linksys VoIP Devices" Chapter 2, "Creating Provisioning Scripts" Chapter 3, "Provisioning Tutorial" Chapter 4, "Provisioning Field Reference...Provisioning tab of the Linksys device administration web server. Typographic Element Boldface Meaning Indicates an option on the configuration pages of the administration web server. This chapter provides step-by-step procedures for connecting another device to...
Provisioning Guide
Page 11
... offering the consumer a telephone port analogous to extend the central office phone line termination into the customer premises. ATA configuration varies according to the individual customer and with a virtual connection, which relies on broadband Internet service to a traditional phone... as a SPA. It includes the following sections: • Residential Deployment Provisioning Requirements, page 1-1 • Provisioning Overview, page 1-2 • Configuration Access Control, page 1-5 • Using HTTPS, page 1-8 • Provisioning Setup, page 1-10 • Where to Go From Here, page...
... offering the consumer a telephone port analogous to extend the central office phone line termination into the customer premises. ATA configuration varies according to the individual customer and with a virtual connection, which relies on broadband Internet service to a traditional phone... as a SPA. It includes the following sections: • Residential Deployment Provisioning Requirements, page 1-1 • Provisioning Overview, page 1-2 • Configuration Access Control, page 1-5 • Using HTTPS, page 1-8 • Provisioning Setup, page 1-10 • Where to Go From Here, page...
Provisioning Guide
Page 12
...SPA typically resides in addition to restricting access to enter the protected network from the Internet. This customized, ongoing configuration is intended to supplement the product administration guides, which severely restricts the packets that device without requiring an explicit key... key encryption of the account by the customer. Provisioning Overview Linksys VoIP products support secure remote provisioning and firmware upgrades. Configuration profiles can be required to the customer premises. The SPA can receive an encrypted profile specifically targeted for a specific device...
...SPA typically resides in addition to restricting access to enter the protected network from the Internet. This customized, ongoing configuration is intended to supplement the product administration guides, which severely restricts the packets that device without requiring an explicit key... key encryption of the account by the customer. Provisioning Overview Linksys VoIP products support secure remote provisioning and firmware upgrades. Configuration profiles can be required to the customer premises. The SPA can receive an encrypted profile specifically targeted for a specific device...
Provisioning Guide
Page 13
...upgrades are provided to contact the Linksys provisioning server and download its customized profile. The service provider must then support secure remote configuration of RC units reduces the need to handle the units prior to shipping to service providers for use of the Info tab... 3.0 Linksys SPA Provisioning Guide 1-3 General purpose parameters are required to periodically contact a normal provisioning server (NPS). Each SPA can be configured to reach a future upgrade state from Linksys. If the unit is not an RC unit the web page displays Not Customized. It also...
...upgrades are provided to contact the Linksys provisioning server and download its customized profile. The service provider must then support secure remote configuration of RC units reduces the need to handle the units prior to shipping to service providers for use of the Info tab... 3.0 Linksys SPA Provisioning Guide 1-3 General purpose parameters are required to periodically contact a normal provisioning server (NPS). Each SPA can be configured to reach a future upgrade state from Linksys. If the unit is not an RC unit the web page displays Not Customized. It also...
Provisioning Guide
Page 14
...linksys For both initial and permanent access, the provisioning server relies on the SPA client certificate for authentication and supplies correct configuration parameter values based on to the service and establishes a VoIP account, possibly through a resync URL command. Linksys SPA ...the assigned service account. The use of a FQDN facilitates the deployment of redundant provisioning servers. DNS SRV address resolution is configured with a specific provisioning server through an online portal. Through this example, 1234abcd is a sample template for provisioning. The...
...linksys For both initial and permanent access, the provisioning server relies on the SPA client certificate for authentication and supplies correct configuration parameter values based on to the service and establishes a VoIP account, possibly through a resync URL command. Linksys SPA ...the assigned service account. The use of a FQDN facilitates the deployment of redundant provisioning servers. DNS SRV address resolution is configured with a specific provisioning server through an online portal. Through this example, 1234abcd is a sample template for provisioning. The...
Provisioning Guide
Page 15
... in the retail deployment model, but it is not as one of units. The SPA supports a more convenient mechanism for example, spa2102.cfg). On power-up for service, the preprovisioned SPA can also be independently password protected. The manufacturing reset control using the IVR... 3.0 Linksys SPA Provisioning Guide 1-5 By convention, the profile is provided for its periodic resync update. With the factory default configuration, a SPA automatically tries to resync to prevent unauthorized use standard tools to the broadband link, possibly through a router. Among other features...
... in the retail deployment model, but it is not as one of units. The SPA supports a more convenient mechanism for example, spa2102.cfg). On power-up for service, the preprovisioned SPA can also be independently password protected. The manufacturing reset control using the IVR... 3.0 Linksys SPA Provisioning Guide 1-5 By convention, the profile is provided for its periodic resync update. With the factory default configuration, a SPA automatically tries to resync to prevent unauthorized use standard tools to the broadband link, possibly through a router. Among other features...
Provisioning Guide
Page 17
... the target TFTP server, followed by DHCP on the SPA returns the device to a device specific configuration profile, using this unit: Profile_Rule tftp.callme.com/profile/$MA/spa2102.cfg; Manufacturing reset can be performed from any state through the IVR sequence ****RESET#1# Allowing the... particular service provider network. A TFTP server name or IPv4 address is the IP address of three ways: • Auto-configuration via local DHCP server. The spa2102.cfg file modifies the Profile_Rule to an accessible state. An end-user opens a browser onto the SPA web server, explicitly ...
... the target TFTP server, followed by DHCP on the SPA returns the device to a device specific configuration profile, using this unit: Profile_Rule tftp.callme.com/profile/$MA/spa2102.cfg; Manufacturing reset can be performed from any state through the IVR sequence ****RESET#1# Allowing the... particular service provider network. A TFTP server name or IPv4 address is the IP address of three ways: • Auto-configuration via local DHCP server. The spa2102.cfg file modifies the Profile_Rule to an accessible state. An end-user opens a browser onto the SPA web server, explicitly ...
Provisioning Guide
Page 18
... (CSR) and submit it to Linksys. Using HTTPS Chapter 1 Provisioning Linksys VoIP Devices Table 1-1 Provisioning States (continued) SEC-PRV-1 Secure Provisioning-Initial Configuration The initial device-unique CFG file should reconfigure the profile parameters to enable stronger encryption, by programming a 256-bit encryption key, and pointing to a ...secure transaction. Linksys generates a certificate for the body of keys. For example, the CFG file might contain: Profile_Rule [--key $A] tftp.callme.com/profile/$B/spa2102.cfg; The encryption method for installation on page 1-13.
... (CSR) and submit it to Linksys. Using HTTPS Chapter 1 Provisioning Linksys VoIP Devices Table 1-1 Provisioning States (continued) SEC-PRV-1 Secure Provisioning-Initial Configuration The initial device-unique CFG file should reconfigure the profile parameters to enable stronger encryption, by programming a 256-bit encryption key, and pointing to a ...secure transaction. Linksys generates a certificate for the body of keys. For example, the CFG file might contain: Profile_Rule [--key $A] tftp.callme.com/profile/$B/spa2102.cfg; The encryption method for installation on page 1-13.
Provisioning Guide
Page 19
... allowing the SPA endpoints to authenticate the server certificate when connecting via HTTPS, and reject any attempt to reject unauthorized requests for configuration profiles. A certificate authority lies at the root of attack, each SPA also carries a unique client certificate, also signed by ...Chain Structure The combination of authenticating the device client certificate is compiled into all other HTTPS client, to obtain the SPA configuration profile from unauthorized access to the SPA endpoint, or any server certificate not signed by Linksys. The corresponding root certificate is...
... allowing the SPA endpoints to authenticate the server certificate when connecting via HTTPS, and reject any attempt to reject unauthorized requests for configuration profiles. A certificate authority lies at the root of attack, each SPA also carries a unique client certificate, also signed by ...Chain Structure The combination of authenticating the device client certificate is compiled into all other HTTPS client, to obtain the SPA configuration profile from unauthorized access to the SPA endpoint, or any server certificate not signed by Linksys. The corresponding root certificate is...
Provisioning Guide
Page 20
Using HTTPS Chapter 1 Provisioning Linksys VoIP Devices Figure 1-2 SPA Configuration and Provisioning Certificate Chain SPA Configuration-Provisioning Certificate Chain Sipura Technology, Inc Provisioning Server Root Authority 1 CERT PKEY Compiled into SPA Firmware... Server in HTTPS Connection Authenticates Client in HTTPS Connection Provisioning Server CERT PKEY VoIP Service Provider Provisioning Server Entity HTTPS Server Configuration Files Root CA Certificate List Signs SPA Client Certificates Stored on Service Provider's Provisioning Server PKEY CERT Sipura Technology, Inc ...
Using HTTPS Chapter 1 Provisioning Linksys VoIP Devices Figure 1-2 SPA Configuration and Provisioning Certificate Chain SPA Configuration-Provisioning Certificate Chain Sipura Technology, Inc Provisioning Server Root Authority 1 CERT PKEY Compiled into SPA Firmware... Server in HTTPS Connection Authenticates Client in HTTPS Connection Provisioning Server CERT PKEY VoIP Service Provider Provisioning Server Entity HTTPS Server Configuration Files Root CA Certificate List Signs SPA Client Certificates Stored on Service Provider's Provisioning Server PKEY CERT Sipura Technology, Inc ...
Provisioning Guide
Page 21
...verify secure exchanges between provisioning servers and Linksys voice devices • The ssldump utility: for monitoring HTTPS transactions Server Configuration Provisioning requires the availability of server on a different host. Version 3.0 Linksys SPA Provisioning Guide 1-11 Once programmed, ... following software tools are useful for provisioning Linksys ATAs : • Open source gzip compression utility, used when generating configuration profiles • Open source OpenSSL software package: for profile encryption and HTTPS operations • Scripting language with CGI ...
...verify secure exchanges between provisioning servers and Linksys voice devices • The ssldump utility: for monitoring HTTPS transactions Server Configuration Provisioning requires the availability of server on a different host. Version 3.0 Linksys SPA Provisioning Guide 1-11 Once programmed, ... following software tools are useful for provisioning Linksys ATAs : • Open source gzip compression utility, used when generating configuration profiles • Open source OpenSSL software package: for profile encryption and HTTPS operations • Scripting language with CGI ...
Provisioning Guide
Page 22
...CGI handling resync requests, the SPA also supports the HTTP POST method as follows: /spa$PSN.cfg For example, on a SPA2102, this expands to /spa2102.cfg, which means that the unit resyncs to this information to the server within a single LAN environment, it simply returns ...environment. The Profile_Rule provided with the profile filepath on the local TFTP server, if that TFTP server. Note that a configuration file is relative to a configuration profile using HTTPS for each deployed SPA, and these files are connected behind residential firewalls or NAT-enabled routers. HTTP ...
...CGI handling resync requests, the SPA also supports the HTTP POST method as follows: /spa$PSN.cfg For example, on a SPA2102, this expands to /spa2102.cfg, which means that the unit resyncs to this information to the server within a single LAN environment, it simply returns ...environment. The Profile_Rule provided with the profile filepath on the local TFTP server, if that TFTP server. Note that a configuration file is relative to a configuration profile using HTTPS for each deployed SPA, and these files are connected behind residential firewalls or NAT-enabled routers. HTTP ...
Provisioning Guide
Page 24
... information to a CGI for storing the provisioning server signed certificate, its associated private key, and the Linksys CA client root certificate are likely to be configured to request SSL certificates from the HTTP request header, in the User-Agent field. It can verify the client certificate chain using HTTPS. Future release...
... information to a CGI for storing the provisioning server signed certificate, its associated private key, and the Linksys CA client root certificate are likely to be configured to request SSL certificates from the HTTP request header, in the User-Agent field. It can verify the client certificate chain using HTTPS. Future release...
Provisioning Guide
Page 25
...Linksys SPA Provisioning Guide 1-15 Where to work with either success or failure). To Do This ... Refer to create a configuration profile. The logged messages themselves are configured in this document for an acronyms use in this Appendix A, "Acronyms" document. Chapter 3, "Provisioning Tutorial" Refer to the...the actual syslog messages. Chapter 1 Provisioning Linksys VoIP Devices Where to Go From Here Syslog Server If a syslog server is configured on the Provisioning tab of the administration web server. Define a term used in this document. A message can be generated ...
...Linksys SPA Provisioning Guide 1-15 Where to work with either success or failure). To Do This ... Refer to create a configuration profile. The logged messages themselves are configured in this document for an acronyms use in this Appendix A, "Acronyms" document. Chapter 3, "Provisioning Tutorial" Refer to the...the actual syslog messages. Chapter 1 Provisioning Linksys VoIP Devices Where to Go From Here Syslog Server If a syslog server is configured on the Provisioning tab of the administration web server. Define a term used in this document. A message can be generated ...
Provisioning Guide
Page 27
...Provisioning Scripts This chapter describes the Linksys provisioning script and includes the following command: spc --sample-xml sample.txt The plain-text configuration file uses a proprietary format, which can be encrypted to prevent unauthorized use standard tools to compile the plain-text file containing parameter...specific SPA device. Version 3.0 Linksys SPA Provisioning Guide 2-1 The profile lets you use of the SPC tool for example, spa2102.cfg). By convention, the profile is available from the provisioning server to each parameter used to compile the parameters and values....
...Provisioning Scripts This chapter describes the Linksys provisioning script and includes the following command: spc --sample-xml sample.txt The plain-text configuration file uses a proprietary format, which can be encrypted to prevent unauthorized use standard tools to compile the plain-text file containing parameter...specific SPA device. Version 3.0 Linksys SPA Provisioning Guide 2-1 The profile lets you use of the SPC tool for example, spa2102.cfg). By convention, the profile is available from the provisioning server to each parameter used to compile the parameters and values....
Provisioning Guide
Page 28
...itself can be accepted by the SPA, except for a limited number of back-end provisioning server software to generate SPA configuration profiles from the provisioning server to spaces. Their value must have one profile. An XML header of the same parameter...Yes 7200 tftp://prov.telco.com:6900/Linksys/config/spa2102.cfg Linksys SPA Provisioning Guide 2-2 Version 3.0 Unrecognized element names are ignored by the SPA. Open Format Configuration File Chapter 2 Creating Provisioning Scripts Open Format Configuration File A configuration file in open format consists of a text file...
...itself can be accepted by the SPA, except for a limited number of back-end provisioning server software to generate SPA configuration profiles from the provisioning server to spaces. Their value must have one profile. An XML header of the same parameter...Yes 7200 tftp://prov.telco.com:6900/Linksys/config/spa2102.cfg Linksys SPA Provisioning Guide 2-2 Version 3.0 Unrecognized element names are ignored by the SPA. Open Format Configuration File Chapter 2 Creating Provisioning Scripts Open Format Configuration File A configuration file in open format consists of a text file...
Provisioning Guide
Page 29
... 2-2 XML Profile with Comments Telco Profile Compiler v.1.2 Yes 7200 tftp://prov.telco.com:6900/Linksys/config/spa2102.cfg The SPA recognizes and translates basic XML character escapes, including escapes for those shown in Example 2-...(less than) > (greater than) ' (apostrophe) " (double quote) XML Escape Sequence & < > ' " Chapter 2 Creating Provisioning Scripts Open Format Configuration File The profiles in Example 2-1 and Example 2-2 are also translated. Note The SPA firmware does not support the full Unicode character set, but only the...
... 2-2 XML Profile with Comments Telco Profile Compiler v.1.2 Yes 7200 tftp://prov.telco.com:6900/Linksys/config/spa2102.cfg The SPA recognizes and translates basic XML character escapes, including escapes for those shown in Example 2-...(less than) > (greater than) ' (apostrophe) " (double quote) XML Escape Sequence & < > ' " Chapter 2 Creating Provisioning Scripts Open Format Configuration File The profiles in Example 2-1 and Example 2-2 are also translated. Note The SPA firmware does not support the full Unicode character set, but only the...
Provisioning Guide
Page 30
... example Dial_Plan[1] and Dial_Plan[2]). • Replace spaces plus any of the corresponding parameter is left unchanged. Open Format Configuration File Chapter 2 Creating Provisioning Scripts The element names that are recognized by Example 2-4, which also illustrates setting user access... privileges, using the ua attribute. Example 2-6 Empty Elements Preserve User-Configured Values Linksys SPA Provisioning Guide 2-4 Version 3.0 Example 2-4 Using Numbers and Spaces in Example 2-5. Example 2-5 Empty Elements vs...
... example Dial_Plan[1] and Dial_Plan[2]). • Replace spaces plus any of the corresponding parameter is left unchanged. Open Format Configuration File Chapter 2 Creating Provisioning Scripts The element names that are recognized by Example 2-4, which also illustrates setting user access... privileges, using the ua attribute. Example 2-6 Empty Elements Preserve User-Configured Values Linksys SPA Provisioning Guide 2-4 Version 3.0 Example 2-4 Using Numbers and Spaces in Example 2-5. Example 2-5 Empty Elements vs...
Provisioning Guide
Page 31
... file header to determine the format of the tool (so as generated by the following commands: Example 2-7 Compressing the Configuration Profile # first invocation, replaces original file with gzip, and finally encrypt. Note that implements the same algorithm (zlib)...for the service provider can be used to perform the encryption. Chapter 2 Creating Provisioning Scripts Open Format Configuration File Configuration File Compression Optionally, the XML configuration profile can be used . To identify when compression is also accepted. The supported compression method is the...
... file header to determine the format of the tool (so as generated by the following commands: Example 2-7 Compressing the Configuration Profile # first invocation, replaces original file with gzip, and finally encrypt. Note that implements the same algorithm (zlib)...for the service provider can be used to perform the encryption. Chapter 2 Creating Provisioning Scripts Open Format Configuration File Configuration File Compression Optionally, the XML configuration profile can be used . To identify when compression is also accepted. The supported compression method is the...
Provisioning Guide
Page 32
...is retained by special request. Linksys SPA Provisioning Guide 2-6 Version 3.0 Preencrypting configuration profiles offline with symmetric key encryption allows the use HTTPS to handle initial provisioning of a typical SPA2102 configuration text file. This reduces the load on the HTTPS server in binary ...format. The SPA configuration profile compiler is available from Linksys upon request in binary executable format in...
...is retained by special request. Linksys SPA Provisioning Guide 2-6 Version 3.0 Preencrypting configuration profiles offline with symmetric key encryption allows the use HTTPS to handle initial provisioning of a typical SPA2102 configuration text file. This reduces the load on the HTTPS server in binary ...format. The SPA configuration profile compiler is available from Linksys upon request in binary executable format in...