Can SPC tool read XML?

Comlabs2007 · ‎02-09-2012

Just getting started with Provisioning SPA8000 and I am wondering if I am missing something obvious.

As I see it, the best way to set up and test a new config is to do so on the device using the gui and then retrieve it to 'copy' to other devices

But, since the device only outputs an XML config ( using <IP_address>/admin/spacfg.xml) I need to import this into the SPC tool so I can then create encrypted files etc

I can get the SPC tool to output xml but if I try to input an XML file it does not know what to do with it.

How do I get SPC tool to read XML?

Thanks

Bill

Daniele Giordano · ‎02-09-2012

For my experience, SPC can't import xml file, but I've found a note on Provisioning guide.

Extracted from Provisioning Guide:

The XML-style format lets you use standard tools to create the configuraqtion file.

A configuration file in open, XML-style format can be sent from the provisioning

server to the IP Telephony Device during a resync operation without compiling the

file as a binary object.

...

This open format consists of a text file with XML-like syntax. Optionally, the file can

be compressed by using the gzip deflate algorithm (RFC1951). In addition, the file

can be encrypted by using 256-bit AES symmetric key encryption.

...

Configuration File Compression

Optionally, the XML configuration profile can be compressed to reduce the

network load on the provisioning server. The supported compression method is

the gzip deflate algorithm (RFC1951). The gzip utility and a compression library

that implements the same algorithm (zlib) are readily available from Internet sites.

To identify when compression is applied, the IP Telephony Device expects the

compressed file to contain a gzip compatible header, as generated by invoking the

gzip utility on the original XML file.

For example, if profile.xml is a valid profile, the file profile.xml.gz is also accepted.

This example can be generated with either of the following commands:

# first invocation, replaces original file with compressed file:

gzip profile.xml

# second invocation, leaves original file in place, produces new compressed file:

cat profile.xml | gzip > profile.xml.gz

The IP Telephony Device inspects the downloaded file header to determine the

format of the file. The choice of file name is not significant and any convention that

is convenient for the service provider can be used.

...

File Encryption

An XML configuration profile can be encrypted using symmetric key encryption,

whether or not it is already compressed. The supported encryption algorithm is

the American Encryption Standard (AES), using 256-bit keys, applied in cipher

block chaining mode.

NOTE

Compression must precede encryption for the IP Telephony Device to recognize a

compressed and encrypted XML profile. First generate the XML, then compress

with gzip, and finally encrypt.

The OpenSSL encryption tool, available for download from various Internet sites,

can be used to perform the encryption. Note that support for 256-bit AES

encryption may require recompilation of the tool (so as to enable the AES code).

The firmware has been tested against version openssl-0.9.7c.

If the file is encrypted, the profile expects the file to have the same format as

generated by the following command:

# example encryption key = SecretPhrase1234

openssl enc –e –aes-256-cbc –k SecretPhrase1234 –in profile.xml –out

profile.cfg

# analogous invocation for a compressed xml file

openssl enc –e –aes-256-cbc –k SecretPhrase1234 –in profile.xml.gz –out

profile.cfg

A lower case –k precedes the secret key, which can be any plain text phrase and

is used to generate a random 64-bit salt. Then, in combination with the secret

specified with the –k argument, it derives a random 128-bit initial vector, and the

actual 256-bit encryption key.

When this form of encryption is used to encrypt a configuration profile, the IP

Telephony Device needs to be informed of the secret key value to decrypt the file.

This value is specified as a qualifier in the pertinent profile URL. The syntax is as

follows, using an explicit URL:

[--key “SecretPhrase1234”] http://prov.telco.com/path/profile.cfg

This value is programmed using one of the Profile_Rule parameters. The key must

be preprovisioned into the unit at an earlier time. This bootstrap of the secret key

can be accomplished securely by using HTTPS.

Preencrypting configuration profiles offline with symmetric key encryption allows

the use of HTTP for resyncing profiles. The provisioning server uses HTTPS to

handle initial provisioning of IP Telephony Devices after deployment. This feature

reduces the load on the HTTPS server in large scale deployments.

The final file name does not need to follow a specific format, but it is conventional

to end the name with the .cfg extension to indicate that it is a configuration profile.

Regards.

Comlabs2007 · ‎02-09-2012

I saw that too but what I want is a way to import that huge XML file that is generated when grabbing the config off my tested device

Bill

Patrick Born · ‎02-10-2012

Bill,

Don't send the device a huge config file, there's no need. You'll end up with a device that reboots when you don't expect/desire it and you'll have a huge file to troubleshoot if you inject any syntax errors.

The SPA devices use "sane defaults" so a factory defaulted device only needs changes specific to your deployment in order to work.

The device's config file only needs to be a handful of lines long.

Read this for some additional help:

https://supportforums.cisco.com/docs/DOC-13031

Note: SPA devices all behave in a very similar manner when it comes to provisioning. This means that if you read a SPA phone document, it's pretty-much valid for a SPA ATA too.

If you're worried about the xml config being transmitted in the clear, use HTTPS as the transport scheme. Here's how to perform a certificate signing request (CSR):

https://supportforums.cisco.com/docs/DOC-9852

Regards,

Patrick

----------