02-09-2012 06:48 AM - edited 03-21-2019 09:42 AM
Just getting started with Provisioning SPA8000 and I am wondering if I am missing something obvious.
As I see it, the best way to set up and test a new config is to do so on the device using the gui and then retrieve it to 'copy' to other devices
But, since the device only outputs an XML config ( using <IP_address>/admin/spacfg.xml) I need to import this into the SPC tool so I can then create encrypted files etc
I can get the SPC tool to output xml but if I try to input an XML file it does not know what to do with it.
How do I get SPC tool to read XML?
Thanks
Bill
02-09-2012 10:53 AM
For my experience, SPC can't import xml file, but I've found a note on Provisioning guide.
Extracted from Provisioning Guide:
The XML-style format lets you use standard tools to create the configuraqtion file.
A configuration file in open, XML-style format can be sent from the provisioning
server to the IP Telephony Device during a resync operation without compiling the
file as a binary object.
...
This open format consists of a text file with XML-like syntax. Optionally, the file can
be compressed by using the gzip deflate algorithm (RFC1951). In addition, the file
can be encrypted by using 256-bit AES symmetric key encryption.
...
Configuration File Compression
Optionally, the XML configuration profile can be compressed to reduce the
network load on the provisioning server. The supported compression method is
the gzip deflate algorithm (RFC1951). The gzip utility and a compression library
that implements the same algorithm (zlib) are readily available from Internet sites.
To identify when compression is applied, the IP Telephony Device expects the
compressed file to contain a gzip compatible header, as generated by invoking the
gzip utility on the original XML file.
For example, if profile.xml is a valid profile, the file profile.xml.gz is also accepted.
This example can be generated with either of the following commands:
# first invocation, replaces original file with compressed file:
gzip profile.xml
# second invocation, leaves original file in place, produces new compressed file:
cat profile.xml | gzip > profile.xml.gz
The IP Telephony Device inspects the downloaded file header to determine the
format of the file. The choice of file name is not significant and any convention that
is convenient for the service provider can be used.
...
File Encryption
An XML configuration profile can be encrypted using symmetric key encryption,
whether or not it is already compressed. The supported encryption algorithm is
the American Encryption Standard (AES), using 256-bit keys, applied in cipher
block chaining mode.
NOTE
Compression must precede encryption for the IP Telephony Device to recognize a
compressed and encrypted XML profile. First generate the XML, then compress
with gzip, and finally encrypt.
The OpenSSL encryption tool, available for download from various Internet sites,
can be used to perform the encryption. Note that support for 256-bit AES
encryption may require recompilation of the tool (so as to enable the AES code).
The firmware has been tested against version openssl-0.9.7c.
If the file is encrypted, the profile expects the file to have the same format as
generated by the following command:
# example encryption key = SecretPhrase1234
openssl enc –e –aes-256-cbc –k SecretPhrase1234 –in profile.xml –out
profile.cfg
# analogous invocation for a compressed xml file
openssl enc –e –aes-256-cbc –k SecretPhrase1234 –in profile.xml.gz –out
profile.cfg
A lower case –k precedes the secret key, which can be any plain text phrase and
is used to generate a random 64-bit salt. Then, in combination with the secret
specified with the –k argument, it derives a random 128-bit initial vector, and the
actual 256-bit encryption key.
When this form of encryption is used to encrypt a configuration profile, the IP
Telephony Device needs to be informed of the secret key value to decrypt the file.
This value is specified as a qualifier in the pertinent profile URL. The syntax is as
follows, using an explicit URL:
[--key “SecretPhrase1234”] http://prov.telco.com/path/profile.cfg
This value is programmed using one of the Profile_Rule parameters. The key must
be preprovisioned into the unit at an earlier time. This bootstrap of the secret key
can be accomplished securely by using HTTPS.
Preencrypting configuration profiles offline with symmetric key encryption allows
the use of HTTP for resyncing profiles. The provisioning server uses HTTPS to
handle initial provisioning of IP Telephony Devices after deployment. This feature
reduces the load on the HTTPS server in large scale deployments.
The final file name does not need to follow a specific format, but it is conventional
to end the name with the .cfg extension to indicate that it is a configuration profile.
Regards.
02-09-2012 11:26 AM
I saw that too but what I want is a way to import that huge XML file that is generated when grabbing the config off my tested device
Bill
02-10-2012 02:25 PM
Bill,
Don't send the device a huge config file, there's no need. You'll end up with a device that reboots when you don't expect/desire it and you'll have a huge file to troubleshoot if you inject any syntax errors.
The SPA devices use "sane defaults" so a factory defaulted device only needs changes specific to your deployment in order to work.
The device's config file only needs to be a handful of lines long.
Read this for some additional help:
https://supportforums.cisco.com/docs/DOC-13031
Note: SPA devices all behave in a very similar manner when it comes to provisioning. This means that if you read a SPA phone document, it's pretty-much valid for a SPA ATA too.
If you're worried about the xml config being transmitted in the clear, use HTTPS as the transport scheme. Here's how to perform a certificate signing request (CSR):
https://supportforums.cisco.com/docs/DOC-9852
Regards,
Patrick
----------
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide