Cisco Systems OL-27172-01 Mobility Aid User Manual


 
Cisco Broadband Access Center 3.8 Administrator Guide
OL-27172-01
Chapter 13 Configuring CWMP Service Security
Configuring SSL Service
Importing Certificates for Client Authentication
This step is required only if you have configured client authentication by using client certificates on the
DPE. If you have enabled client authentication by using client certificates, the cacerts keystore must
contain the public certificate of the signing authority that signed the CPE client certificates. This
certificate must be present to enable the DPE to validate certificates presented to it.
Example 13-7 Keytool -import (Signing Authority Certificate)
# ./keytool -import -alias DeviceClientRoot -file rootCA3.crt -keystore /opt/CSCObac/jre/lib/security/cacerts
Enter keystore password: changeit
Owner: EMAILADDRESS=linksys-certadmin@cisco.com, CN=Acme Device Client Root Authority 1, OU=Acme Device Certificate Authority, O=Acme Device LLC., L=Irvine, ST=California, C=US
Issuer: EMAILADDRESS=linksys-certadmin@cisco.com, CN=Acme Device Client Root Authority 1, OU=Acme Device Certificate Authority, O=Acme Device LLC., L=Irvine, ST=California, C=US
Serial number: d07d8a7badba7cb6446998b1ea89879f
Valid from: Fri Jul 01 21:19:50 EDT 2005 until: Mon Jun 29 21:19:50 EDT 2015
Certificate fingerprints:
MD5: 40:B0:40:49:37:3A:51:1F:0D:78:B6:B3:E2:2C:1A:E8
SHA1: 96:F5:84:71:84:CC:0A:A2:1E:7B:44:A2:B6:F5:B7:3D:C4:9F:81:3B
Trust this certificate? [no]: yes
Certificate was added to keystore
Note: This procedure is exactly the same as the one described in Importing Signing Authority Certificate into
Cacerts Keystore, page 13-8. In both cases, you are loading the public certificate of the signing authority.
If the signing authority of the server certificates is the same as the signing authority for the device
certificates, you must add the certificate only once.
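The following is an added example, not part of the Cisco guide. It is a shell wrapper that compares the fingerprint keytool reports for the certificate file with one obtained from the signing authority out-of-band, and runs the import from Example 13-7 only if they match. The function names and the SAMPLE_OUTPUT variable are assumptions for illustration; the sample text is copied from Example 13-7.

```shell
#!/bin/sh
# Added example: gate the Example 13-7 import on a fingerprint check.
# Function names and argument order are illustrative, not BAC tooling.

# Normalize a fingerprint: strip colons and whitespace, upper-case the hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read keytool certificate output on stdin and print the fingerprint
# for the algorithm label in $1 (for example SHA1 or MD5).
extract_fp() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9A-Fa-f:]*\)[[:space:]]*\$/\1/p" | head -n 1
}

# fp_matches <keytool-output> <algorithm> <expected-fingerprint>
# Succeeds only if the output contains that fingerprint and it equals the expected one.
fp_matches() {
    actual=$(printf '%s\n' "$1" | extract_fp "$2")
    [ -n "$actual" ] && [ "$(normalize_fp "$actual")" = "$(normalize_fp "$3")" ]
}

# safe_import <cert-file> <alias> <keystore> <algorithm> <expected-fingerprint>
# Inspects the file with keytool -printcert, then imports only on a match.
# keytool still prompts for the keystore password and the trust confirmation.
safe_import() {
    out=$(keytool -printcert -file "$1") || return 2
    if ! fp_matches "$out" "$4" "$5"; then
        echo "fingerprint mismatch: not importing $1" >&2
        return 1
    fi
    keytool -import -alias "$2" -file "$1" -keystore "$3"
}

# Sample input: output lines copied from Example 13-7.
SAMPLE_OUTPUT='Serial number: d07d8a7badba7cb6446998b1ea89879f
Certificate fingerprints:
MD5: 40:B0:40:49:37:3A:51:1F:0D:78:B6:B3:E2:2C:1A:E8
SHA1: 96:F5:84:71:84:CC:0A:A2:1E:7B:44:A2:B6:F5:B7:3D:C4:9F:81:3B'

# Self-check against the sample; the expected value is given without colons, in lower case.
fp_matches "$SAMPLE_OUTPUT" SHA1 "96f5847184cc0aa21e7b44a2b6f5b73dc49f813b" \
    && echo "sample fingerprint matches"
```

On the DPE, the call matching Example 13-7 would be `safe_import rootCA3.crt DeviceClientRoot /opt/CSCObac/jre/lib/security/cacerts SHA1 <fingerprint from the signing authority>`.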
Providing the DPE with the service-provider keystore
Once you have a new service certificate keystore, which contains the signed public key certificate, you
must move the keystore file to the DPE. The file must be moved to the BPR_HOME/dpe/conf directory.
Example 13-8 Move Keystore to DPE Configuration Directory
# mv train-1.keystore /opt/CSCObac/dpe/conf
Once you complete this step, you can configure the DPE services to use the new keystore by using the
DPE CLI.
Note: You do not need to copy the cacerts keystore anywhere. The DPE will use the new keystore as soon as
it is restarted.
For more information, see Configuring Security for DPE Services, page 13-11. For additional
information on DPE configuration commands, see the Cisco Broadband Access Center 3.8 DPE CLI
Reference.