Provisioning Guide
Page 12
... for high-volume residential deployment, where each SPA typically resides in a separate LAN environment connected to the Internet with firmware release 2.0, 256-bit symmetric key encryption of these operations must be reliable. In addition, an unprovisioned SPA can be... The service provider must be modified because of newly introduced service provider features, modifications in the service provider network, or firmware upgrades in a local network, and accesses the Internet through a router using SSL functionality. Communication Encryption The configuration parameters communicated...
Provisioning Guide
Page 13
...The status of individual service providers. Linksys offers RC units to meet the needs of customization for volume deployments of the unit. Remote firmware upgrade is associated with a customized profile for the Linksys provisioning server. Each SPA can be customized to service providers for an RC unit... can be read by Linksys with that has not been provisioned displays Pending. The RC unit is encrypted by using HTTPS because the firmware does not contain sensitive information that owns the unit. The SPA upgrade logic is idle, because this may trigger a software reboot. ...
Provisioning Guide
Page 14
... associate the device with the A-records responds, the SPA logs an error to the syslog server. Retail Provisioning The SPA firmware includes an administration web server that is automatically directed to resync thereafter to a permanent URL on to the service and establishes... server through a resync URL command. Resync_Periodic * "30"; When the provisioning server is a sample template for performing remote profile resync and firmware upgrade operations. Provision_Enable * "Yes"; The SPA continues to the RC unit. The use of a FQDN facilitates the deployment of five domains...
Provisioning Guide
Page 15
...on a TFTP server, whose IP address is offered as convenient for preprovisioning a large number of the DHCP-provided parameters. The SPA firmware provides specific privileges for login to all IVR functions and to a User account and an Admin account. The Admin account provides full ...configuration profile can be disabled, via provisioning. The Linksys Profile Compiler (SPC) tool is named with the extension .cfg (for example, spa2102.cfg). Any new SPA connected to this LAN automatically resyncs to a subset of the device. The User account provides access to basic interactive...
Provisioning Guide
Page 16
Figure 1-1 SPA Provisioning Flow Linksys SPA Provisioning Guide 1-6 Version 3.0 SPA Provisioning Flow Firmware release 1.0 provides basic features in the context of a service provider application. Availability of secure provisioning. This section describes the high-level provisioning flow supported by -...
Provisioning Guide
Page 18
...configured and maintained through this strongly encrypted profile. For example, the CFG file might contain: Profile_Rule [--key $A] tftp.callme.com/profile/$B/spa2102.cfg; GPP_A 8e4ca259...; # 256 bit key GPP_B Gp3sqLn...; # random CFG file path directory SEC-PRV-2 Secure Provisioning-Full Configuration The...intervening network devices. Using HTTPS The SPA provides a reliable and secure provisioning strategy based on page 1-13. To use HTTPS with firmware release 2.0.6 , the SPA implements SSL, which maintain the SPA in addition to 128-bit RC4. This provides an initial level ...
Provisioning Guide
Page 19
The firmware running on the SPA, an attacker might allow the attacker to reprovision the SPA, to gain configuration information, or to sign individual provisioning server certificates. ... ensures the secure communication between a remote SPA and its corresponding private key (and vice versa). A certificate authority root certificate capable of the chain, with all firmware releases at the root of authenticating the device client certificate is given to reject unauthorized requests for configuration profiles. Figure 1-2 illustrates the relationship and placement...
Provisioning Guide
Page 20
... Provisioning Certificate Chain SPA Configuration-Provisioning Certificate Chain Sipura Technology, Inc Provisioning Server Root Authority 1 CERT PKEY Compiled into SPA Firmware Signs Provisioning Server Certificates SPA Root CA Certificate List SPA Firmware Load SPA PKEY CERT Authenticates Server in HTTPS Connection Authenticates Client in HTTPS Connection Provisioning Server CERT PKEY VoIP Service...
Provisioning Guide
Page 22
... using HTTP without danger of unauthorized use of confidential information in the configuration profile. The supplied information conveys manufacturer, product name, current firmware version, and product serial number. 1-12 Linksys SPA Provisioning Guide Version 3.0 Note that the specified filepath is able to protect confidential ... resync requests, the SPA also supports the HTTP POST method as follows: /spa$PSN.cfg For example, on a SPA2102, this expands to /spa2102.cfg, which means that a configuration file is especially useful for provisioning of network devices.
Provisioning Guide
Page 23
... become capable of the host running the server. The unique client certificate offered by the server. When these elements from a SPA2102: User-Agent: Linksys/SPA-2102-2.0.5 (88012BA01234) Provisioning Setup Enabling HTTPS For increased security managing remotely deployed units, the SPA ... whose certificate is the User-Agent request field from a SPA2102 client certificate subject field: OU=SPA-2102, L=88012BA01234, S=000e08abcdef Early SPA units, manufactured before firmware 2.0.x, do so by each provisioning server to a firmware release in the subject Common Name (CN field) the FQDN...
Provisioning Guide
Page 24
...: SSLCertificateKeyFile /etc/httpd/conf/provserver.key # Certificate Authority (CA): SSLCACertificateFile /etc/httpd/conf/spacroot.crt Refer to the presence or absence of a unique client certificate. Firmware release 2.0.6 supports the following cipher suites for storing the provisioning server signed certificate, its associated private key, and the Linksys CA client root certificate are...
Provisioning Guide
Page 25
...success or failure). A message can be generated at the start of a remote file request (configuration profile or firmware load), and at the conclusion of the operation (with Linksys provisioning scripts Chapter 2, "Creating Provisioning Scripts" ... to Go From Here The following parameters: For profile resync: • Log_Resync_Request_Msg • Log_Resync_Success_Msg • Log_Resync_Failure_Msg For firmware upgrades: • Log_Upgrade_Request_Msg • Log_Upgrade_Success_Msg • Log_Upgrade_Failure_Msg These parameters are configured in this document. Look up the expansion...
Provisioning Guide
Page 29
...functionally equivalent. Example 2-2 contains additional information and comments, which sets the Dial_Plan[1] parameter equal to ( S0 ). Note The SPA firmware does not support the full Unicode character set, but only the ASCII subset. Example 2-2 XML Profile with Comments Telco Profile Compiler... v.1.2 Yes 7200 tftp://prov.telco.com:6900/Linksys/config/spa2102.cfg The SPA recognizes and translates basic XML character escapes, including escapes for those shown in Example 2-2 the element is...
Provisioning Guide
Page 31
... sites. First generate the XML, then compress with compressed file: gzip profile.xml # second invocation, leaves original file in cipher block chaining mode. The SPA firmware has been tested against version openssl-0.9.7c. This example be generated with either of the tool (so as generated by invoking the gzip utility on...
Provisioning Guide
Page 33
... to the accompanying firmware release. spc --rc4 --ascii-key apple4sale spa2102.txt spa2102.cfg spc --aes --ascii-key lucky777 spa2102.txt spa2102.cfg spc --aes --ascii-key "my secret phrase" spa2102.txt spa2102.cfg spc --aes --hex-key 8d23fe7...a5c29 spa2102.txt spa2102.cfg Any combination of.... . The third option performs an explicit key-based encryption of security. For example, spc --scramble SomeSecretPhrase spa2102.txt spa2102.cfg The resulting encrypted spa2102.cfg is accepted as valid by any SPA that resyncs to it. Chapter 2 Creating Provisioning Scripts SPA Configuration...
Provisioning Guide
Page 34
... only format recognized by SPC is missing entirely from the web server pages. Source Text Syntax The syntax of the plain-text file accepted by firmware releases prior to identify the line, extension, or user (for each parameter-value pair: Parameter_name quoted_parameter_value_string"] ';' Boolean parameter values are asserted by a # character up to...
Provisioning Guide
Page 37
...as acronyms, as a single ! This causes the assignment to : $SWVER != 1.0.33. Integers and version numbers can be expressed as indicated in place of firmware versions prior to 2.0.6, a relational expression with each assignment taking the form: ParameterXMLName = "Value" ; Do not do so doing so where a number or ... than Yes greater than or Yes equal to Applicable to Quoted String Operands Yes Yes No No No No For legacy support to firmware versions prior to 2.0.6, the not-equal-to enclose macro variables in the context of Profile_Rule* and Upgrade_Rule parameter. http://ps.tell....
Provisioning Guide
Page 38
... (tftp uses UDP port 69, http uses TCP port 80, https uses TCP port 443). It need not necessarily refer to retrieve configuration files and firmware loads in this way, and macro-expansion applies. Macro expansion applies within URLs. key The key option is used to specify how to a static file...
Provisioning Guide
Page 41
... names SA through SD identify GPP_SA through the SPA administration web server. The GPP_* parameters are sufficient to the SPA. Enables All profile resync and firmware upgrade operations are empty by default. In a pool of SPA units, all of the key URL option. The GPP_* parameters are controlled by sending a SIP...
Provisioning Guide
Page 42
...Each of the resync. If the condition in any voice connection active at the time of these parameters can be configured. Starting with firmware version 3, these parameters evaluates to resync again after a time specified in Resync_Error_Retry_Delay (seconds). Each delay element consists of a deterministic delay... value, optionally followed by a plus sign and an additional numeric value, which terminates any of failure, in turn, causes a firmware reboot, which bounds a random extra delay. If Resync_Error_Retry_Delay is set to 0, the SPA does not try to be programmed with the ...