Cisco Broadband Access Center 3.8 Administrator Guide
OL-27172-01
Chapter 13 Configuring CWMP Service Security
As defined in the TR-069 specification, the ACS URL must be identical to the Common Name (CN) value of the server certificate, which is imported into the keystore.

The DPE ships with a default sample server certificates keystore, called servercerts, which contains a self-signed server certificate.

However, because a CWMP device does not normally trust self-signed certificates, you cannot use the sample keystore to enable SSL for device provisioning. Instead, you must obtain a signed ACS certificate with private key and use it to create a new server certificate keystore (see Configuring DPE Keystore by Using the Keytool, page 13-3). You can use the default keystore to test the SSL service link before acquiring and configuring an ACS certificate.
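A pre-flight check for the TR-069 rule above, written as an added example for this page (not Cisco BAC code): it reads the Owner DN from a constructed sample of `keytool -list -v` output and compares the host part of the ACS URL with the certificate CN. The alias, hostnames and DN values are hypothetical.

```python
"""Check that the ACS URL host equals the CN of the DPE server certificate."""
import re
from urllib.parse import urlsplit

# Constructed sample of one entry as printed by `keytool -list -v -keystore servercerts`
# (alias, hostnames and organisation names are hypothetical).
SAMPLE_KEYTOOL_LISTING = """\
Alias name: acs-server
Creation date: Jan 5, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=acs.example.net, OU=Provisioning, O=Example Operator, C=US
Issuer: CN=Example Operator Issuing CA, O=Example Operator, C=US
Serial number: 1a2b3c
"""

def parse_dn(dn):
    """Split a keytool-style DN into {ATTRIBUTE: value}; commas escaped with
    a backslash are part of the value, not RDN separators."""
    out = {}
    for rdn in re.split(r'(?<!\\),\s*', dn):
        key, _, value = rdn.partition('=')
        if key.strip():
            out[key.strip().upper()] = value.strip().replace('\\,', ',')
    return out

def subject_cn(listing):
    """Return the CN from the first Owner: line (the end-entity certificate)."""
    match = re.search(r'^Owner:\s*(.+)$', listing, re.MULTILINE)
    if not match:
        raise ValueError('no Owner: line in keytool output')
    return parse_dn(match.group(1)).get('CN')

def check_acs_url(acs_url, listing):
    """Return (ok, reason). ok is True only for an https URL whose host name
    equals the server certificate CN (case-insensitive, port ignored)."""
    url = urlsplit(acs_url)
    cn = subject_cn(listing)
    if url.scheme.lower() != 'https':
        return False, f'ACS URL scheme is {url.scheme!r}, expected https'
    if not url.hostname:
        return False, 'ACS URL has no host'
    if url.hostname.lower() != (cn or '').lower():
        return False, f'ACS host {url.hostname!r} differs from certificate CN {cn!r}'
    return True, f'ACS host matches certificate CN {cn!r}'
```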
Configuring SSL Service
To enable SSL on Cisco BAC:

Step 1 Create a server certificate keystore, which contains the private key and the associated ACS public key certificate. This process also requires updating the cacerts keystore to load the public certificate of the signing authority for the server certificate.

Step 2 Optionally, if you would like to configure CPE authentication to use client certificates, update the cacerts keystore with the public key of the CPE certificate authority root certificate, which can validate CPE certificates. For details, see Configuring DPE Keystore by Using the Keytool, page 13-3.

Step 3 Configure the DPE to use the new server certificate keystore from the DPE CLI. For details, see Configuring Security for DPE Services, page 13-11.

Step 4 Enable SSL transport for the CWMP service or the HTTP file service by using the DPE CLI. For more details, see Configuring Security for DPE Services, page 13-11.
Note To ensure that the changes you make to the keystore take effect, you must restart the DPE by using the dpe reload command from the CLI, or the /etc/init.d/bprAgent restart dpe command from the watchdog agent command line (see Using Cisco BAC Process Watchdog from the Command Line, page 9-2).
Configuring DPE Keystore by Using the Keytool
In Cisco BAC, you configure the server certificate keystore and the cacerts keystore by using the keytool utility. The keytool is a key and certificate-management utility that you use to administer the certificates on the DPE server.
The keytool utility resides in the Cisco BAC default installation directory, at /opt/CSCObac/jre/bin/keytool. Run the keytool utility by using a secure connection to the DPE server.

Note You must execute the keytool utility bundled with this Cisco BAC version, because the keystore file format varies between keytool releases.