Cisco Broadband Access Center 3.8 Administrator Guide
OL-27172-01
Chapter 13 Configuring CWMP Service Security
Cisco BAC supports a unique option of performing client-certificate authentication at a hardware load balancer and SSL accelerator such as Cisco ACE 4710.

In this scenario, the ACE performs certificate validation, extracts information about the SSL session, specifically the client certificate fields from the device certificate, and inserts that data into special HTTP headers. Cisco BAC then retrieves the CN field from the ACE header ClientCert-Subject-CN to form the unique device identifier.

Cisco BAC allows a mix of authentication options. For example, you can validate that the device has a generic certificate by using SSL and then perform additional HTTP Basic or Digest authentication once the SSL connection is established.

Cisco BAC also provides an option of no device authentication. This option is useful if the device is authenticated downstream from the DPE and the identity that the device presents can be trusted. If the Cisco BAC DPE is configured to perform no authentication, it extracts the device identity from the Inform message and trusts it.

You can encrypt traffic between the device and a DPE by using SSL. Cisco BAC supports a variety of cipher suites, which determine the encryption algorithms to be used with the device and the encryption key length. You can configure the acceptable cipher suites on the DPE by using the CLI. Another option is to terminate SSL at a hardware load balancer and accelerator for higher scalability.

Note: Use the DPE CLI to configure security options for the CWMP service and the HTTP file service. For configuration instructions, see the Cisco Broadband Access Center 3.8 DPE CLI Reference.
Key and Certificate Management in Cisco BAC
The DPE stores the certificates that the SSL protocol requires for authentication in a keystore. A keystore is a database in the form of a file that contains private keys and their associated public key X.509 certificates.

There are two keystores on the DPE server: the cacerts keystore and the server certificates keystore.

The cacerts keystore contains the public key certificates that the DPE trusts for authenticating devices' client certificates.

The server certificates keystore contains the private key and the associated certificate chain for the server-side certificate, which is used to authenticate the DPE to the devices.

All DPE SSL services share a single cacerts keystore. This keystore can contain any number of signing authority certificates. The name of the cacerts keystore is fixed, and it must always reside in the BPR_HOME/jre/lib/security directory. Cisco BAC ships with a default cacerts keystore, which can be manipulated by adding and removing signing authority certificates.

In contrast to the cacerts keystore, there can be multiple server certificate keystores, and you can configure each SSL service in the DPE to use a different server certificate keystore. Each server certificate keystore should contain only one certificate chain. The server certificate keystores must reside in the BPR_HOME/dpe/conf directory.

If SSL is being terminated on the DPEs and the provisioning group contains multiple DPEs, then all the DPEs must be configured with an identical keystore. An identical keystore is required because the same fully qualified domain name (FQDN) URL of the autoconfiguration server (ACS) resolves to all DPEs in the provisioning group.
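The two keystore rules stated above (one certificate chain per server certificate keystore, and identical keystores on every DPE of a provisioning group that terminates SSL) can be checked with a small script. This is an added example, not code from the Cisco guide; it assumes that keytool from the DPE's bundled JRE is on PATH, that the other DPEs' keystore files have already been copied into a local directory, and the file name dpe.keystore is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the Cisco guide. Checks the two keystore rules
# stated above: (a) a server certificate keystore under BPR_HOME/dpe/conf holds
# exactly one certificate chain, and (b) every DPE in a provisioning group that
# terminates SSL uses a byte-identical keystore.
# Assumptions: keytool from the DPE's bundled JRE is on PATH, and the keystore
# files of the other DPEs have been copied into a local directory beforehand.

# Print the SHA-256 digest of one file (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        cut -d' ' -f1
}

# Read `keytool -list` output on stdin and print the number of private-key
# entries; keytool reports each stored chain as one PrivateKeyEntry.
chain_count() {
    grep -c 'PrivateKeyEntry'
}

# Succeed only when the listing on stdin describes exactly one chain.
single_chain_ok() {
    [ "$(chain_count)" -eq 1 ]
}

# Succeed only when every file named as an argument exists and all of them
# carry the same digest, i.e. the DPEs share an identical keystore.
keystores_identical() {
    [ $# -gt 0 ] || return 1
    [ -f "$1" ] || return 1
    ref=$(hash_file "$1")
    for f in "$@"; do
        [ -f "$f" ] || return 1
        [ "$(hash_file "$f")" = "$ref" ] || return 1
    done
}

# Usage on a DPE (dpe.keystore is a placeholder file name; keytool prompts for
# the keystore password when -storepass is not given):
#   keytool -list -keystore "$BPR_HOME/dpe/conf/dpe.keystore" | single_chain_ok \
#       && echo "one chain: ok"
#   keystores_identical dpe1.keystore dpe2.keystore dpe3.keystore \
#       && echo "identical keystores: ok"
```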