Cisco Broadband Access Center 3.8 Administrator Guide
OL-27172-01

Chapter 13
Configuring CWMP Service Security
This chapter describes security options for Cisco Broadband Access Center’s (BAC) CWMP services,
including authentication and encryption. It describes how to enable HTTP over SSL transport, called
SSL in this chapter, for the CWMP services and the HTTP file services on the DPE, and use the
certificate-management tool to create a certificate store on the DPE.
This chapter includes the following sections:
Overview, page 13-1
Key and Certificate Management in Cisco BAC, page 13-2
Configuring SSL Service, page 13-3
Configuring Security for DPE Services, page 13-11
Configuring Security for RDU Services, page 13-18
Signed Configuration for Devices, page 13-20
Overview
Cisco BAC supports secure provisioning of CWMP devices by using SSL, specifically SSL 3.0 and TLS
1.0, as defined in RFC 2246. It supports device authentication based on shared secrets with the DPE by
using Basic and Digest authentication as defined in RFC 2617.
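The shared-secret device authentication mentioned above is RFC 2617 Digest authentication. The following is an added example, not code from Cisco BAC or the DPE, showing how a server such as the DPE verifies a device's Digest credential: it recomputes the response from the stored shared secret, compares in constant time, and rejects a reused nonce/nc pair. The sample header and secret are the worked example from RFC 2617 section 3.5; the function and parameter names are this example's own.

```python
import hashlib
import re
import secrets


def md5_hex(text: str) -> str:
    """MD5 hex digest of a UTF-8 string (the hash RFC 2617 Digest uses)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' from an Authorization header into a dict."""
    assert header.startswith("Digest ")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):])
    return {key: quoted or bare for key, quoted, bare in pairs}


def digest_response(username, realm, secret, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha1 = md5_hex(f"{username}:{realm}:{secret}")   # A1 = username:realm:password
    ha2 = md5_hex(f"{method}:{uri}")                 # A2 = method:digest-uri
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_device_digest(header, method, shared_secrets, seen):
    """Server-side check of a device's Digest credential (hypothetical helper).
    shared_secrets maps device username -> shared secret; seen is the set of
    (nonce, nc) pairs already accepted, so a captured header cannot be replayed."""
    p = parse_digest_header(header)
    secret = shared_secrets.get(p.get("username"))
    if secret is None or p.get("qop", "auth") != "auth":
        return False
    replay_key = (p["nonce"], p["nc"])
    if replay_key in seen:
        return False
    expected = digest_response(p["username"], p["realm"], secret, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"])
    if not secrets.compare_digest(expected, p["response"]):
        return False
    seen.add(replay_key)
    return True


# Constructed sample: the RFC 2617 section 3.5 example exchange, with the
# device's shared secret "Circle Of Life" stored on the server side.
SAMPLE_HEADER = ('Digest username="Mufasa", realm="testrealm@host.com", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
                 'qop=auth, nc=00000001, cnonce="0a4f113b", '
                 'response="6629fae49393a05397450978507c4ef1"')
SECRETS = {"Mufasa": "Circle Of Life"}
```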
Cisco BAC provides multiple services at the DPE: two instances of the CWMP service and two instances
of the HTTP file service. You enable and configure each service independently, with different security
options, which gives you the flexibility to handle different kinds of devices on the same DPE.
Cisco BAC also provides secure device authentication by using unique or generic client certificates.
Generic—Enables device certificate authentication through SSL by using a generic certificate that
is common to all customer premises equipment (CPE) or to a large subset of CPE. For example, all
VoIP devices in a given deployment may share the same generic certificate issued by the service
provider.
The client certificate is validated against the signing authority's key, but this does not establish
the identity of a given device. The device identifier is instead formed from the credentials
provided through HTTP Basic or Digest authentication, or from the data in the CWMP Inform message.
Unique—Enables client certificate authentication through SSL by using the unique certificate that
each device provides. After the client certificate is validated by using the signing certificate
authority's public key, the device's unique identifier is formed from the CN field of the client
certificate.