
Cisco SPA921 - Cisco - IP Phone - HTTPS Client Filtering and Dynamic Content

Provisioning Tutorial
Secure Resync
Cisco Small Business IP Telephony Devices Provisioning Guide 75
Exercise
STEP 1 Enable client certificate authentication on the HTTPS server.
STEP 2 In Apache (v.2), set the following in the server configuration file:
SSLVerifyClient require
Also ensure that the spacroot.cert has been stored as shown in the previous
exercise.
STEP 3 Restart the HTTPS server and observe the syslog trace from the IP Telephony
Device.
Each resync to the server now performs symmetric authentication, so that both the
server certificate and the client certificate are verified before the profile is
transferred.
STEP 4 Using ssldump, capture a resync connection between the IP Telephony Device
and the HTTPS server.
If client certificate verification is properly enabled on the server, the ssldump trace
shows the symmetric exchange of certificates (first server-to-client, then
client-to-server) before the encrypted packets containing the profile.
With client authentication enabled, only an IP Telephony Device with a MAC
address matching a valid client certificate can request the profile from the
provisioning server. A request from an ordinary browser or other unauthorized
device is rejected by the server.
HTTPS Client Filtering and Dynamic Content
If the HTTPS server is configured to require a client certificate, then the
information in the certificate can be used to identify the resyncing IP Telephony
Device and to supply it with the correct configuration information.
The HTTPS server makes the certificate information available to CGI scripts (or
compiled CGI programs) invoked as part of the resync request. For the purpose of
illustration, this exercise uses the open source Perl scripting language, and
assumes that Apache (v.2) is used as the HTTPS server.
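
The following Perl CGI script is an added example, not taken from the Cisco guide: it selects a per-device profile from the verified client certificate and fails closed when no verified identity is present. The profile directory, the <mac>.cfg file naming and the CN layout ("MAC:" followed by 12 hex digits) are assumptions; the SSL_CLIENT_* names are the variables Apache mod_ssl exports to CGI.

```perl
#!/usr/bin/perl
# Added example (not from the Cisco guide): per-device profile selection from
# the verified client certificate. Apache mod_ssl exports the SSL_* variables
# to CGI only when "SSLOptions +StdEnvVars" is set for the script's location.
use strict;
use warnings;

# Assumption: profiles live here, one XML file per device, named <mac>.cfg.
my $PROFILE_DIR = $ENV{PROFILE_DIR} || '/var/www/profiles';

# Constructed sample values so the script can be run from a shell for testing.
unless ($ENV{GATEWAY_INTERFACE}) {
    $ENV{SSL_CLIENT_VERIFY}  //= 'SUCCESS';
    $ENV{SSL_CLIENT_S_DN_CN} //= 'EXAMPLE-MODEL, MAC: 000e08aaa010, Serial: 0000';
}

# Return the lowercase MAC from a certificate CN, or undef if none is found.
# Assumption: the CN carries the MAC as 12 hex digits after "MAC:".
sub mac_from_cn {
    my ($cn) = @_;
    return undef unless defined $cn;
    return $cn =~ /\bMAC:\s*([0-9A-Fa-f]{12})\b/ ? lc $1 : undef;
}

# Emit a complete CGI response and stop.
sub respond {
    my ($status, $type, $body) = @_;
    print "Status: $status\r\nContent-Type: $type\r\n\r\n$body";
    exit 0;
}

# Fail closed: never fall back to a default profile for an unverified client.
respond('403 Forbidden', 'text/plain', "client certificate required\n")
    unless ($ENV{SSL_CLIENT_VERIFY} // '') eq 'SUCCESS';

my $mac = mac_from_cn($ENV{SSL_CLIENT_S_DN_CN})
    or respond('403 Forbidden', 'text/plain', "no device identity in certificate\n");

# $mac is exactly 12 hex digits, so it cannot contain "/" or ".." path parts.
my $path = "$PROFILE_DIR/$mac.cfg";
open(my $fh, '<', $path)
    or respond('404 Not Found', 'text/plain', "no profile for $mac\n");
local $/;                      # slurp the whole file
my $profile = <$fh>;
close $fh;
respond('200 OK', 'text/xml', $profile);
```

The device identity is taken only from the certificate fields the server has already verified, never from the request URL or headers, which the client controls.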
