CWMP Technology Commands
This chapter contains information about the command line interface (CLI) commands that you can use to manage and monitor the CPE WAN Management Protocol (CWMP) technology on the Broadband Access Center (BAC) Device Provisioning Engine (DPE).
Using the commands described in this chapter, you can configure settings for the CWMP services and the HTTP file services on the DPE. Both services feature individual instances: service 1 and service 2, each of which you must configure separately.
BAC supports different instances so that you can configure different options for each service. For example, CWMP service 1 is, by default, configured to require HTTP digest authentication; but without supporting HTTP over SSL/TLS. This service is configured to run on port 7547 and is enabled by default. CWMP service 2 is configured on port 7547 with HTTP over SSL/TLS; but is disabled by default. You can reconfigure any of these defaults for each service to suit your requirements. See Table 4-1 for the default configuration for each service.
Note You cannot globally enable or disable CWMP-related services. You can enable or disable CWMP features only individually.
The commands described in this chapter are:
– service cwmp num allow-unknown-cpe
– service cwmp num client-auth mode
– service cwmp num enable {true | false}
– service cwmp session timeout value
– service cwmp num ssl client-auth mode
– service cwmp num ssl client-auth client-cert-css-ext
– service cwmp num ssl cipher {all-cipher-suites | value}
– service cwmp num ssl enable {true | false}
– service cwmp num ssl keystore keystore-filename keystore-password key-password
– service http num client-auth mode
– service http num enable {true | false}
– service http num ssl client-auth mode
– service http num ssl client-auth client-cert-css-ext
– service http num ssl cipher {all-cipher-suites | value}
– service http num ssl enable {true | false}
– service http num ssl keystore keystore-filename keystore-password key-password
service cwmp
This is the global syntax of the commands that you can use to configure various settings for the CWMP service running on the DPE. Using these commands, you can:
•Enable the CWMP service
•Specify the instance of the service
•Configure client authentication and client certificate authentication
•Set the port number for the service
•Configure the service to use HTTP over SSL/TLS.
Use service cwmp in conjunction with the commands listed in Table 4-2.
Note When using these commands, you must restart the DPE—unless specified otherwise—for the changes to take effect. To restart the DPE, run the dpe reload command (see dpe reload, page 3-5).
Table 4-2 List of service cwmp Commands
Command Usage Syntax / Description / Examples
service cwmp num allow-unknown-cpe
no service cwmp num allow-unknown-cpe
Enables or disables the DPE to request configuration from the RDU for devices unknown to the DPE.
Note Enabling this feature may allow a Denial of Service attack on the RDU.
You need not restart the DPE for this command to take effect.
num—Identifies the CWMP service, which could be 1 or 2.
dpe# service cwmp 1 allow-unknown-cpe
% OK
service cwmp num client-auth mode
Enables or disables client authentication by using HTTP for the CWMP service on the DPE.
For a list of authentication options in BAC, refer to the Cisco Broadband Access Center Administrator's Guide, Release 3.0.
•num—Identifies the CWMP service, which could be 1 or 2.
•mode—Identifies the client authentication mode for the CWMP service. The client authentication mode could be:
–basic—Enables Basic HTTP authentication.
–digest—Enables Digest HTTP authentication. This is the default configuration.
–none—Disables Basic and Digest authentication. In this mode, the CWMP service uses the Device ID in the Inform message to authenticate CPE.
Note To limit security risks during client authentication, Cisco recommends using the Digest mode (the default configuration). It is not advisable to allow client authentication in the Basic mode, or altogether disable Basic and Digest authentication.
dpe# service cwmp 1 client-auth digest
% OK (Digest authentication was enabled. Basic authentication was disabled. Requires DPE restart "# dpe reload")
service cwmp num enable {true | false}
Enables or disables the CWMP service running on the DPE.
•num—Identifies the CWMP service, which could be 1 or 2.
By default, the CWMP service is:
–Enabled on service 1.
–Disabled on service 2.
•true—Enables the CWMP service.
•false—Disables the CWMP service.
dpe# service cwmp 2 enable true
% OK (Requires DPE restart "# dpe reload")
service cwmp num port port
Identifies the port on which the CWMP service communicates with the CPE. By specifying a different port number, this command enables the DPE to prevent potential sharing violations among ports used by other applications.
•num—Identifies the CWMP service, which could be 1 or 2.
•port—Identifies the port number that the service is to use.
By default, the CWMP service is configured to listen on:
–Port 7547 for service 1.
–Port 7548 for service 2.
dpe# service cwmp 1 port 7547
% OK (Requires DPE restart "# dpe reload")
service cwmp session timeout value
Sets the duration for timing out a CWMP session.
Note You need not restart the DPE for this command to take effect.
value—Identifies the timeout period for the CWMP session, in milliseconds (ms). The timeout period can be any value between 1000 ms (1 second) and 3000000 ms (50 minutes).
By default, the duration for a timeout is set as 60000 ms or 60 seconds.
dpe# service cwmp session timeout 60000
% OK
service cwmp num ssl client-auth mode
Enables or disables client certificate authentication using HTTP over SSL/TLS for the CWMP service running on the DPE.
For a list of authentication options in BAC, refer to the Cisco Broadband Access Center Administrator's Guide, Release 3.0.
•num—Identifies the CWMP service, which could be 1 or 2.
By default, client certificate authentication with SSL/TLS is:
–Disabled for service 1.
–Disabled for service 2.
•mode—Identifies the mode of client certificate authentication for the CWMP service. BAC supports:
–client-cert-generic—Enables client certificate authentication through SSL/TLS by using a generic certificate common to all CPE or a large subset of CPE. The client certificate is validated by using the signing certificate authority's public key. This key is preconfigured in the DPE keystore. This certificate-validation process ensures that the certificate is valid, but does not establish the identity of a device. Therefore, the device identifier is not formed by using the data in the CN field of the client certificate. Instead, the device identifier is formed by using the data provided via Basic or Digest authentication, or by using the data in the CWMP Inform message.
–client-cert-unique—Enables client certificate authentication through SSL/TLS by using the unique certificate that each CPE provides. After the client certificate is validated by using the signing certificate authority's public key, the device's unique identifier is formed by using the CN field of the client certificate.
–none—Disables client certificate authentication by using HTTP over SSL/TLS for the CWMP service.
Example 1
dpe# service cwmp 1 ssl client-auth client-cert-generic
% OK (Requires DPE restart "# dpe reload")
Example 2
dpe# service cwmp 1 ssl client-auth client-cert-unique
% OK (Requires DPE restart "# dpe reload")
service cwmp num ssl client-auth client-cert-css-ext
Enables the authentication of CPE whose HTTP over SSL/TLS connection was terminated at a Cisco CSS 11500 Series Content Services Switch (CSS 11500). The downstream CSS extracts information about the SSL session, specifically the client certificate fields, from the CPE device and inserts that data into various HTTP headers. BAC then retrieves the CN field from the CSS header ClientCert-Subject-CN to form the unique device identifier.
Note Before enabling this command, ensure that you configure CSS to insert the client certificate fields into the HTTP header. For detailed information, see the Cisco Content Services Switch SSL Configuration Guide (Software Version 7.40).
For a list of authentication options in BAC, refer to the Cisco Broadband Access Center Administrator's Guide, Release 3.0.
num—Identifies the CWMP service, which could be 1 or 2.
By default, client certificate authentication by using HTTP over SSL/TLS for the CWMP service is:
•Disabled for service 1.
•Disabled for service 2.
dpe# service cwmp ssl 1 client-auth client-cert-css-ext
% OK (Requires DPE restart "# dpe reload")
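The three ssl client-auth modes above (client-cert-generic, client-cert-unique and client-cert-css-ext) differ in where the device identifier comes from. The following is an added example, not code from BAC or its documentation, that models that rule: the AuthContext fields, the function name and the sample identifiers are assumptions constructed for illustration.

```python
# Added example (not Cisco BAC code): how a DPE-style front end would derive
# the device identifier under each ssl client-auth mode described on this page.
# AuthContext, its field names and all sample values are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class AuthContext:
    ssl_client_auth: str                     # client-cert-generic | client-cert-unique | client-cert-css-ext | none
    cert_valid: bool = False                 # chain validated against the CA key held in the DPE keystore
    cert_subject_cn: Optional[str] = None    # CN of the presented client certificate, if any
    http_headers: Dict[str, str] = field(default_factory=dict)  # headers inserted by a CSS 11500
    http_auth_user: Optional[str] = None     # username from Basic or Digest HTTP authentication
    inform_device_id: Optional[str] = None   # DeviceId carried in the CWMP Inform message


def device_identifier(ctx: AuthContext) -> str:
    """Return the identifier the service would use for this CPE, or raise ValueError."""
    mode = ctx.ssl_client_auth
    if mode == "client-cert-unique":
        # Each CPE presents its own certificate; once validated, its CN is the identity.
        if not ctx.cert_valid:
            raise ValueError("client certificate failed validation")
        if not ctx.cert_subject_cn:
            raise ValueError("validated certificate carries no CN")
        return ctx.cert_subject_cn
    if mode == "client-cert-css-ext":
        # TLS was terminated at the CSS; identity comes only from the inserted header.
        cn = ctx.http_headers.get("ClientCert-Subject-CN")
        if not cn:
            raise ValueError("ClientCert-Subject-CN header missing: CSS not configured to insert certificate fields")
        return cn
    if mode == "client-cert-generic":
        # A certificate shared by the whole fleet proves membership, not which device
        # this is, so its CN is deliberately ignored; identity comes from HTTP auth
        # or from the Inform, exactly as in the 'none' mode.
        if not ctx.cert_valid:
            raise ValueError("client certificate failed validation")
    elif mode != "none":
        raise ValueError(f"unknown ssl client-auth mode: {mode}")
    if ctx.http_auth_user:
        return ctx.http_auth_user
    if ctx.inform_device_id:
        return ctx.inform_device_id
    raise ValueError("no credential available to identify the device")
```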
service cwmp num ssl cipher {all-cipher-suites | value}
no service cwmp num ssl cipher {all-cipher-suites | value}
Enables or disables authentication between the DPE server and CPE by using cryptographic algorithms, or ciphers, supported by HTTP over SSL/TLS for certificate management and session management. During an SSL handshake, the DPE server and a CPE device identify the strongest cipher suite enabled on both, and use that suite for the SSL session.
Note BAC supports a list of cipher suites that you can configure from the DPE command line interface. For a list of cipher suites supported in BAC, see Table 4-5.
•num—Identifies the CWMP service, which could be 1 or 2.
•all-cipher-suites—Enables all the cipher suites to authenticate a session by using HTTP over SSL/TLS for the CWMP service. This is the default configuration.
Note The service cwmp ssl cipher all-cipher-suites command works only if you have not configured any individual ciphers. To disable an individual cipher suite, use the no service cwmp ssl cipher value command. To disable all ciphers, use the no service cwmp ssl cipher all-cipher-suites command.
•value—Identifies the individual cipher to be enabled for authenticating a session by using HTTP over SSL/TLS for the CWMP service. You can enable or disable any cipher suite.
Each cipher suite specifies a set of algorithms that are associated with a specific cryptography function. For a list of cryptography algorithms supported in BAC, see Table 4-4.
Example 1
dpe# service cwmp 1 ssl cipher all-cipher-suites
% OK (Requires DPE restart "# dpe reload")
Example 2
dpe# service cwmp 1 ssl cipher ssl_dh_anon_with_des_cbc_sha
% OK (Requires DPE restart "# dpe reload")
service cwmp num ssl enable {true | false}
Enables or disables use of HTTP over SSL/TLS for the CWMP service on the DPE.
Note The CWMP service will fail to start up if you do not configure the keystore file and the keystore passwords before restarting the DPE. For information on how to configure a keystore file and keystore passwords, see the Cisco Broadband Access Center Administrator's Guide, Release 3.0.
•num—Identifies the CWMP service, which could be 1 or 2.
•true—Enables SSL/TLS transport. This is the default configuration for service 2.
•false—Disables SSL/TLS transport. This is the default configuration for service 1.
dpe# service cwmp 1 ssl enable true
% OK (Requires DPE restart "# dpe reload")
service cwmp num ssl keystore keystore-filename keystore-password key-password
Sets a keystore file, which contains the provisioning server certificate. This certificate is used to authenticate the provisioning server to the devices by using HTTP over SSL/TLS.
Note This setting is relevant only if the service instance is enabled (as in the case of service cwmp 2, which is by default disabled), and the SSL/TLS protocol is enabled for that service. To enable SSL/TLS transport, use the service cwmp num ssl enable true command.
•num—Identifies the CWMP service, which could be 1 or 2.
•keystore-filename—Identifies the keystore file that you created previously.
•keystore-password—Identifies the keystore password that you used when you created your keystore file. The keystore password must be between 6 and 30 characters.
•key-password—Identifies the private key password that you used when you created your keystore file. The private key password must be between 6 and 30 characters.
dpe# service cwmp 1 ssl keystore example.keystore changeme changeme
% OK (Requires DPE restart "# dpe reload")
The DPE ships with a default sample keystore, which contains a self-signed certificate. However, because a CWMP device does not trust a self-signed certificate, you cannot use this keystore to enable HTTP over SSL/TLS to provision a device; instead, you must obtain a signed service provider certificate and keystore. For detailed information, see the Cisco Broadband Access Center Administrator's Guide, Release 3.0.
keystore import-pkcs12
Use this command to import existing private key and certificates into a DPE-compatible file used in authenticating the DPE to SSL clients. The keystore import-pkcs12 command opens a PKCS#12 file, reads the contents, and writes a new keystore in the Sun-proprietary Java keystore format called JKS.
The PKCS#12 file format is a standard used for storing certificates and private keys; for example, an imported certificate from a Microsoft Windows 2000 IIS 5.0 server.
Note If your private key and certificate are stored in separate files, combine them into a single PKCS#12 file before running the keystore import-pkcs12 command.
You can use the syntax described in the following example, where the openssl command combines the key in example.key and the certificate in the example.crt file into the example.pkcs12 file:
# openssl pkcs12 -inkey example.key -in example.crt -export -out example.pkcs12
Syntax Description
keystore import-pkcs12 keystore-filename pkcs12-filename keystore-password key-password export-password export-key-password
•keystore-filename—Identifies the JKS keystore file that will be created. If it already exists, it will be overwritten.
Note Remember to specify the full path of the keystore file.
•pkcs12-filename—Identifies the PKCS#12 file from which you intend to import the key and certificate.
•keystore-password—Identifies the private key password and the keystore password that you used when you created your keystore file. This password must be between 6 and 30 characters.
•key-password—Identifies the password used to access keys within DPE keystore. This password must be between 6 and 30 characters.
•export-password—Identifies the password used to decrypt the key in the PKCS#12 file. The export password must be between 6 and 30 characters.
•export-key-password—Identifies the password used to access keys within the PKCS#12 keystore. This password must be between 6 and 30 characters.
Examples
dpe# keystore import-pkcs12 example.keystore example.pkcs12 changeme changeme changeme changeme
% Reading alias [1]
% Reading alias [1]: key with format [PKCS8] algorithm [RSA]
% Reading alias [1]: cert type [X.509]
% Created JKS keystore: example.keystore
% OK
service http
This is the global syntax of the commands that you use to configure various settings for the HTTP service running on the DPE. Using these commands, you can:
•Enable the service
•Specify the instance of the service
•Configure client authentication and client certificate authentication
•Set the port number for the service
•Configure the service to use HTTP over SSL/TLS
Use service http in conjunction with the list of commands described in Table 4-3.
Note When using these commands, you must restart the DPE—unless specified otherwise—for the changes to take effect. To restart the DPE, run the dpe reload command (see dpe reload, page 3-5).
Table 4-3 List of service http Commands
Command Usage Syntax / Description / Examples
service http num client-auth mode
Enables or disables client authentication for the HTTP file service on the DPE.
For a list of authentication options in BAC, refer to the Cisco Broadband Access Center Administrator's Guide, Release 3.0.
•num—Identifies the HTTP file service, which could be 1 or 2.
•mode—Identifies the client authentication mode for the HTTP file service. The client authentication mode could be:
–basic—Enables Basic HTTP file service authentication.
–digest—Enables Digest HTTP file service authentication. This is the default configuration.
–none—Disables Basic and Digest authentication. In this mode, the HTTP file service uses the Device ID in the Inform message to authenticate CPE.
Note To limit security risks during client authentication, Cisco recommends using the Digest mode (the default configuration). It is not advisable to allow client authentication in the Basic mode, or disable Basic and Digest authentication.
dpe# service http 1 client-auth digest
% OK (Digest authentication was enabled. Basic authentication was disabled. Requires DPE restart "# dpe reload")
service http num enable {true | false}
Enables or disables the HTTP file service running on the DPE.
•num—Identifies the HTTP file service, which could be 1 or 2.
By default the HTTP file service is:
–Enabled on service 1.
–Disabled on service 2.
•true—Enables the HTTP file service.
•false—Disables the HTTP file service.
dpe# service http 2 enable true
% OK (Requires DPE restart "# dpe reload")
service http num port port
Identifies the port on which the HTTP file service communicates with a CPE device. By specifying a different port number, this command enables the DPE to prevent potential sharing violations among ports used by other applications.
•num—Identifies the HTTP file service, which could be 1 or 2.
By default, the HTTP file service is configured to listen on:
–Port 7549 for service 1.
–Port 7550 for service 2.
•port—Identifies the port number that the service is to use.
Note The service http port command does not check if the port number specified is being used by other applications or system utilities.
dpe# service http 1 port 7549
% OK (Requires DPE restart "# dpe reload")
service http num ssl client-auth mode
Enables or disables client certificate authentication by using HTTP over SSL/TLS for the HTTP file service running on the DPE.
For a list of authentication options in BAC, refer to the Cisco Broadband Access Center Administrator's Guide, Release 3.0.
•num—Identifies the HTTP file service, which could be 1 or 2.
By default, client certificate authentication by using HTTP over SSL/TLS for the HTTP file service is:
–Disabled for service 1.
–Disabled for service 2.
•mode—Identifies the mode of client certificate authentication for the HTTP file service. BAC supports:
–client-cert-generic—Enables client certificate authentication through SSL/TLS by using a generic certificate common to all CPE or a large subset of CPE. The public key of the signing certificate authority is used to validate the client certificate. This key is preconfigured in the DPE keystore. This certificate validation process ensures that the certificate is valid, but does not establish identity of a given device. Therefore, the device identifier is not formed by using the data in the CN field of the client certificate. Instead, the device identifier is formed by using the data provided via Basic or Digest authentication, or by using the data in the CWMP Inform message.
–client-cert-unique—Enables client certificate authentication through SSL/TLS using the unique certificate provided by each CPE. After the client certificate is validated by using the signing certificate authority's public key, the device's unique identifier is formed by using the CN field of the client certificate.
–none—Disables client certificate authentication by using HTTP over SSL/TLS.
Example 1
dpe# service http 1 ssl client-auth client-cert-generic
% OK (Requires DPE restart "# dpe reload")
Example 2
dpe# service http 1 ssl client-auth client-cert-unique
% OK (Requires DPE restart "# dpe reload")
service http num ssl client-auth client-cert-css-ext
Enables the authentication of CPE whose HTTP over SSL/TLS connection was terminated at a Cisco CSS 11500 Series Content Services Switch (CSS 11500). The downstream CSS extracts information about the SSL session, specifically the client certificate fields, from the CPE device and inserts that data into various HTTP headers. BAC then retrieves the CN field from the CSS header ClientCert-Subject-CN to form the unique device identifier.
Note Before enabling this command, ensure that you configure CSS to insert the client certificate fields into the HTTP header. For detailed information, see the Cisco Content Services Switch SSL Configuration Guide (Software Version 7.40).
For a list of authentication options in BAC, refer to the Cisco Broadband Access Center Administrator's Guide, Release 3.0.
num—Identifies the HTTP file service, which could be 1 or 2.
By default, client certificate authentication by using HTTP over SSL/TLS for the HTTP file service is:
•Disabled for service 1.
•Disabled for service 2.
dpe# service http ssl 1 client-auth client-cert-css-ext
% OK (Requires DPE restart "# dpe reload")
service http num ssl cipher {all-cipher-suites | value}
no service http num ssl cipher {all-cipher-suites | value}
Enables or disables authentication between the DPE server and CPE by using cryptographic algorithms, or ciphers, that HTTP supports over SSL/TLS for certificate management and session management. During an SSL handshake, the DPE server and a CPE device identify the strongest cipher suite enabled on both, and use that suite for the SSL session.
Note BAC supports a list of cipher suites that you can configure from the DPE command line interface. For a list of cipher suites that BAC supports, see Table 4-5.
•num—Identifies the HTTP file service, which could be 1 or 2.
•all-cipher-suites—Enables all the cipher suites to authenticate a session by using HTTP over SSL/TLS for the HTTP file service. This is the default configuration.
Note The service http ssl cipher all-cipher-suites command works only if you have not configured any individual ciphers. To remove an individual cipher suite, use the no service http ssl cipher value command. To disable all ciphers, use the no service http ssl cipher all-cipher-suites command.
•value—Identifies the individual cipher to be enabled for authenticating a session using HTTP over SSL/TLS for the HTTP file service. You can enable or disable any cipher suite.
Each cipher suite specifies a set of algorithms that are associated with a specific cryptography function. For a list of cryptography algorithms that BAC supports, see Table 4-4.
Example 1
dpe# service http 1 ssl cipher all-cipher-suites
% OK (Requires DPE restart "# dpe reload")
Example 2
dpe# service http 1 ssl cipher ssl_dh_anon_with_des_cbc_sha
% OK (Requires DPE restart "# dpe reload")
service http num ssl enable {true | false}
Enables or disables use of HTTP over SSL/TLS for the HTTP file service on the DPE.
Note The HTTP file service will fail to start up if you do not configure the keystore file and the keystore passwords before restarting the DPE. For information on how to configure a keystore file and keystore passwords, see the Cisco Broadband Access Center Administrator's Guide, Release 3.0.
•num—Identifies the HTTP file service, which could be 1 or 2.
•true—Enables SSL/TLS transport. This is the default configuration for service 2.
•false—Disables SSL/TLS transport. This is the default configuration for service 1.
dpe# service http 1 ssl enable true
% OK (Requires DPE restart "# dpe reload")
service http num ssl keystore keystore-filename keystore-password key-password
Sets a keystore file, which contains the provisioning server certificate. This certificate is used to authenticate the provisioning server to the devices by using HTTP over SSL/TLS.
Note This setting is only relevant if the service instance is enabled (as in the case of service http 2, which is by default disabled) and HTTP over SSL/TLS is enabled for the service. To enable SSL/TLS transport, use the service http num ssl enable true command.
•num—Identifies the HTTP file service, which could be 1 or 2.
•keystore-filename—Identifies the keystore file that you created previously.
•keystore-password—Identifies the keystore password that you used when you created your keystore file. The keystore password must be between 6 and 30 characters.
•key-password—Identifies the private key password that you used when you created your keystore file. The private key password must be between 6 and 30 characters.
dpe# service http 1 ssl keystore example.keystore changeme changeme
% OK (Requires DPE restart "# dpe reload")
The DPE ships with a default sample keystore, which contains a self-signed certificate. However, because a CWMP device does not trust a self-signed certificate, you cannot use this keystore to enable HTTP over SSL/TLS to provision a device; instead, you must obtain a signed service provider certificate and keystore. For detailed information on how to obtain a signed service provider certificate and keystore, see the Cisco Broadband Access Center Administrator's Guide, Release 3.0.
Selecting Cipher Suites
A typical SSL session requires encryption ciphers to establish and maintain the secure connection. Cipher suites provide the cryptographic algorithms that the SSL/TLS protocol requires to authenticate client/server exchanges, and establish and maintain secure connections.
Table 4-4 defines the cryptography algorithms supported in this release of BAC:
Note For detailed information on cipher suites, see the Cisco Content Services Switch SSL Configuration Guide (Software Version 7.40).
Caution The dh-anon series of cipher suites are intended for completely anonymous Diffie-Hellman communications in which neither party is authenticated. Note that this cipher suite is vulnerable to attacks.
Cipher suites with "export" in the title indicate that they are intended for use outside the United States, and that they have encryption algorithms with limited key sizes; for example, 3DES or RC4 with 128-bit encryption.
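The service cwmp/http ssl cipher commands and the Caution above imply a simple audit: find the anonymous Diffie-Hellman and export-grade suites in a configured list and disable them individually with the no form of the command. The following is an added example, not BAC code; the suite list is a constructed sample in the page's naming style (like ssl_dh_anon_with_des_cbc_sha), not BAC's Table 4-5, and the function names are assumptions.

```python
# Added example (not Cisco BAC code): parse cipher-suite names in the lower-case
# style this page uses and emit the DPE CLI lines that disable the weak ones.
# SAMPLE_SUITES is a constructed sample, not the product's supported list.
import re
from typing import Dict, List

SAMPLE_SUITES = [  # constructed sample list
    "ssl_dh_anon_with_des_cbc_sha",
    "ssl_rsa_export_with_rc4_40_md5",
    "ssl_rsa_with_3des_ede_cbc_sha",
    "tls_rsa_with_aes_128_cbc_sha",
    "ssl_dhe_rsa_with_3des_ede_cbc_sha",
]

# <proto>_<key exchange/auth>_with_<bulk cipher>_<mac>
_SUITE_RE = re.compile(r"^(ssl|tls)_(?P<kx>.+?)_with_(?P<cipher>.+)_(?P<mac>md5|sha\d*)$")


def parse_suite(name: str) -> Dict[str, str]:
    """Split a suite name into its key-exchange, bulk-cipher and MAC parts."""
    m = _SUITE_RE.match(name.lower())
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    return {"kx": m.group("kx"), "cipher": m.group("cipher"), "mac": m.group("mac")}


def weak_reason(name: str) -> str:
    """Return why a suite should be disabled, or '' if no rule on this page flags it."""
    parts = parse_suite(name)
    if "anon" in parts["kx"]:
        # The page's Caution: neither party is authenticated.
        return "anonymous Diffie-Hellman: neither party is authenticated"
    if "export" in parts["kx"]:
        # Export suites carry limited key sizes.
        return "export-grade suite with a limited key size"
    if parts["cipher"] in ("des_cbc", "null") or parts["cipher"].startswith("rc4"):
        return "weak bulk cipher"
    return ""


def disable_commands(service: str, num: int, suites: List[str]) -> List[str]:
    """Build the 'no service <svc> <num> ssl cipher <suite>' lines for weak suites.
    service is 'cwmp' or 'http' and num is 1 or 2; the page notes that these
    changes take effect only after 'dpe reload'."""
    if service not in ("cwmp", "http") or num not in (1, 2):
        raise ValueError("service must be 'cwmp' or 'http' and num must be 1 or 2")
    return [f"no service {service} {num} ssl cipher {s}" for s in suites if weak_reason(s)]


if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(f"{suite:40} {weak_reason(suite) or 'ok'}")
    print("\n".join(disable_commands("cwmp", 1, SAMPLE_SUITES)))
```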
Posted: Thu Aug 31 21:41:11 PDT 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.