Provisioning Guide
Page 8
... products. Document Conventions The following chapters and appendices. This chapter provides a systematic reference for each parameter, hyperlinked to create a configuration profile. This appendix defines the terms used in this document is referred to the LAN • SPA962-Six lines, hi-res...small, affordable, no display • SPA921-One-line business phone • SPA922-One-line business phone with Linksys provisioning scripts and configuration profiles. Power over Ethernet (PoE) support and an extra Ethernet port for using the scripting language to the appropriate table in a...
Provisioning Guide
Page 11
...SPA Provisioning Guide 1-1 It includes the following sections: • Residential Deployment Provisioning Requirements, page 1-1 • Provisioning Overview, page 1-2 • Configuration Access Control, page 1-5 • Using HTTPS, page 1-8 • Provisioning Setup, page 1-10 • Where to Go From Here, ...units may be widely distributed across the Internet, connected through routers and firewalls at the customer premises. Remote management and configuration is generically referred to efficiently ensure proper operation of time. CHAPTER 1 Provisioning Linksys VoIP ...
Provisioning Guide
Page 12
...definitions and usage guidelines for each parameter available for the individual customer. Communication Encryption The configuration parameters communicated to the endpoint may wish to encrypt the configuration profile communication between the provisioning server and the endpoint, in a local network, and ...security, the router may need to a remote profile periodically and on power up. The SPA can be configured to resync its internal configuration state to be generated using common, open source tools, facilitating integration into service provider provisioning systems. Supported ...
Provisioning Guide
Page 13
... to download its customized profile. The MAC address of the company that owns the unit. An RC unit that can be configured to service providers for the Linksys provisioning server. An RC unit that adapter. RC units are customized by viewing the Customization parameter ... secure protocol because the updated profile is idle, because this may trigger a software reboot. The service provider must then support secure remote configuration of the SPA with that has been provisioned displays the name of each unit on two deployment models: • Retail distribution, where the...
Provisioning Guide
Page 14
...Access Domain "domain.com, domain1.com, domain2.com"; The server also accepts a special URL command syntax for authentication and supplies correct configuration parameter values based on the server. In a retail distribution model, a customer purchases a Linksys voice endpoint device, and subsequently subscribes... command typically includes an account PIN number or alphanumeric code to associate the SPA that displays SPA internal configuration and accepts new configuration parameter values. In the following is performing the resync request with the new account. The remote provisioning ...
Provisioning Guide
Page 15
...Using the administration web server and issuing a resync URL is convenient for a customer in preparation for deployment. Configuration Access Control Besides configuration parameters that control resync and upgrade behavior, the SPA provides mechanisms for restricting end-user access to preprovision SPAs.... user of the SPA provisioning server. With the factory default configuration, a SPA automatically tries to resync to a User account and an Admin account. The SPA firmware provides specific privileges for example, spa2102.cfg). Subsequently, when a new customer signs up the SPA...
Provisioning Guide
Page 17
... state. Chapter 1 Provisioning Linksys VoIP Devices SPA Provisioning Flow At a high level, the provisioning process involves four provisioning states described in the CFG file /spa2102.cfg • Enter a resync URL. This can always be configured in one of the specific SPA and prvserv is specified by a profile path. • Edit Profile_Rule parameter.
Provisioning Guide
Page 18
...Guide 1-8 Version 3.0 Using HTTPS Chapter 1 Provisioning Linksys VoIP Devices Table 1-1 Provisioning States (continued) SEC-PRV-1 Secure Provisioning-Initial Configuration The initial device-unique CFG file should reconfigure the profile parameters to enable stronger encryption, by programming a 256-bit encryption key, and...to a randomly generated TFTP directory. For example, the CFG file might contain: Profile_Rule [--key $A] tftp.callme.com/profile/$B/spa2102.cfg; The encryption key and random directory location can only be targeted to each SPA by Public/Private key encryption. This...
Provisioning Guide
Page 19
.... Linksys Certificate Chain Structure The combination of attack, each individual endpoint. The clients try to reject unauthorized requests for configuration profiles. Version 3.0 Linksys SPA Provisioning Guide 1-9 This authentication path allows the provisioning server to authenticate the server certificate ...attack on the SPA, an attacker might allow the attacker to reprovision the SPA, to gain configuration information, or to obtain the SPA configuration profile from unauthorized access to the SPA endpoint, or any server certificate not signed by its provisioning...
Provisioning Guide
Page 20
...Linksys SPA Provisioning Guide Version 3.0 Using HTTPS Chapter 1 Provisioning Linksys VoIP Devices Figure 1-2 SPA Configuration and Provisioning Certificate Chain SPA Configuration-Provisioning Certificate Chain Sipura Technology, Inc Provisioning Server Root Authority 1 CERT PKEY Compiled into SPA ...Connection Authenticates Client in HTTPS Connection Provisioning Server CERT PKEY VoIP Service Provider Provisioning Server Entity HTTPS Server Configuration Files Root CA Certificate List Signs SPA Client Certificates Stored on Service Provider's Provisioning Server PKEY CERT ...
Provisioning Guide
Page 21
... the following software tools are useful for provisioning Linksys ATAs: • Open source gzip compression utility, used when generating configuration profiles • Open source OpenSSL software package: for profile encryption and HTTPS operations • Scripting language with CGI scripting ...): to verify secure exchanges between provisioning servers and Linksys voice devices • The ssldump utility: for monitoring HTTPS transactions Server Configuration Provisioning requires the availability of servers, which for testing purposes can be installed and run on a local PC: •...
Provisioning Guide
Page 22
... SPA also supports the HTTP POST method as follows: /spa$PSN.cfg For example, on a SPA2102, this expands to /spa2102.cfg, which means that the unit resyncs to rely on the HTTP GET method for retrieving configuration profiles. The supplied information conveys manufacturer, product name, current firmware version, and product serial number. 1-12...
Provisioning Guide
Page 24
..., the file paths for storing the provisioning server signed certificate, its associated private key, and the Linksys CA client root certificate are likely to be configured to the presence or absence of the unit from connecting clients. HTTPS servers can be as follows: # Server Certificate: SSLCertificateFile /etc/httpd/conf/provserver.crt...
Provisioning Guide
Page 25
...operation (with Linksys provisioning scripts Chapter 2, "Creating Provisioning Scripts" and configuration profiles. Learn to create a configuration profile. The logged messages themselves are macro expanded into the actual syslog... • Log_Resync_Success_Msg • Log_Resync_Failure_Msg For firmware upgrades: • Log_Upgrade_Request_Msg • Log_Upgrade_Success_Msg • Log_Upgrade_Failure_Msg These parameters are configured in this Appendix A, "Acronyms" document. To Do This ... Define a term used in this document. Chapter 3, "Provisioning...
Provisioning Guide
Page 27
...Linksys provisioning script and includes the following command: spc --sample-xml sample.txt The plain-text configuration file uses a proprietary format, which can be encrypted to compile the plain-text file containing ...Configuration File, page 2-1 • Open Format Configuration File, page 2-2 • SPA Configuration Profile Compiler, page 2-6 • Proprietary Plain-Text Configuration File, page 2-8 • Using Provisioning Parameters, page 2-15 • Data Types, page 2-20 SPA Configuration File The SPA configuration profile defines the parameter values for example, spa2102...
Provisioning Guide
Page 28
... XML Profile FormatBasic XML Profile Format Example 2-1 Basic XML Profile Format Yes 7200 tftp://prov.telco.com:6900/Linksys/config/spa2102.cfg Linksys SPA Provisioning Guide 2-2 Version 3.0 This eases development of a text file (with XML-like syntax), optionally ...Empty element tags are ignored by standard tools. Unrecognized element names are allowed. Open Format Configuration File Chapter 2 Creating Provisioning Scripts Open Format Configuration File A configuration file in the special element. It supplies the values of elements, with proper SPA parameter...
Provisioning Guide
Page 29
Chapter 2 Creating Provisioning Scripts Open Format Configuration File The profiles in Example 2-1 and Example 2-2 are still recognized. Note The SPA firmware does not support the full Unicode character set, but... dial plan, which are also translated. Example 2-2 XML Profile with Comments Telco Profile Compiler v.1.2 Yes 7200 tftp://prov.telco.com:6900/Linksys/config/spa2102.cfg The SPA recognizes and translates basic XML character escapes, including escapes for those shown in Example 2-3 illustrates character escapes. Such extra encapsulation is encapsulating...
Provisioning Guide
Page 30
... form, than the current value of the following special characters with empty values differently. Example 2-6 Empty Elements Preserve User-Configured Values Linksys SPA Provisioning Guide 2-4 Version 3.0 This is set and maintain specific values (such as follows: • Append...from overwriting the user-supplied values during a resync operation. Example 2-4 Using Numbers and Spaces in Example 2-5. Open Format Configuration File Chapter 2 Creating Provisioning Scripts The element names that are recognized by Example 2-4, which also illustrates setting user access privileges, ...
Provisioning Guide
Page 31
... The OpenSSL encryption tool, available for the SPA to recognize a compressed and encrypted XML profile. File Encryption An XML configuration profile can be compressed to reduce the network load on the original XML file. If encrypted, the profile expects the ... first invocation, replaces original file with gzip, and finally encrypt. Chapter 2 Creating Provisioning Scripts Open Format Configuration File Configuration File Compression Optionally, the XML configuration profile can be encrypted using 256-bit keys, applied in place, produces new compressed file: cat profile....
Provisioning Guide
Page 32
... Versions of the Profile_Rule parameters. However, the SPA3102 has a number of a typical SPA2102 configuration text file. SPA Configuration Profile Compiler Chapter 2 Creating Provisioning Scripts Example 2-8 Encrypting the Configuration Profile # example encryption key = SecretPhrase1234 openssl enc -e -aes-256-cbc -k SecretPhrase1234...secret key value to be preprovisioned into the required binary format. The profile compiler can generate different types of configuration files, using different types of encryption. • Generic, non-targeted CFG file, without an explicit key...