
New Member

PAP2T provisioning

Currently we provision our customers' adaptors by providing each adaptor the address of a TFTP server as part of the DHCP response. The config files reside on the server but presently in unencrypted form. How can we encrypt these and still have the adaptor understand them? The documentation does give a couple of hints but is confusing and seems to assume an https solution, which isn't really appropriate given the TFTP solution we use (we could change, but it is an upheaval I would rather avoid - I'd rather simply provide encrypted files on the TFTP server).

23 REPLIES
Cisco Employee

Re: PAP2T provisioning

Dear Sir;

If you use tftp, you can encrypt them using e.g. the MAC address as the encryption key of the device. The provisioning guide (in the documentation section) provides information about how to accomplish it: basically you need to encrypt the file (using SPC) with the key (recommend MAC address as then you don't need to pass the key to the device), and then in the device profile rule, need to include the encryption key as a token. I recommend you have a look at the provisioning guide as it explains the mechanism.

Regards
Alberto

New Member

Re: PAP2T provisioning

Hi Alberto,

Thanks for your answer. By "SPC" you mean the Profile Compiler, right? We don't use that at present - can we use openssl as described in the provisioning guide and get the same behaviour/results?

I don't understand when you say at one point "basically you need to encrypt the file [...] with the key (recommend MAC address as then you dont need to pass the key to the device)" and then "in the device profile rule, need to include the encryption key as a token". So if I use something like:

openssl enc -e -aes-256-cbc -k -in profile.xml -out profile.cfg

to encrypt each config file which then get placed on the TFTP server, do the adaptors need to be separately informed of the keys/passphrases or not?

Cisco Employee

Re: PAP2T provisioning

Dear Sir;

If the passphrase is the MAC or serial number, it is not required as these are MACRO variables on the device. Check the provisioning guide for a full explanation about how to use MACROS.

Regards
Alberto

New Member

Re: PAP2T provisioning

I seem to have encrypted the file correctly (I can decrypt it using "openssl enc -d ..." as mentioned in the documentation), but the adaptor I am using to test this on is not showing the new values, so I'm not sure if it is not requesting the file from the TFTP server (that part is out of my hands, and there does not seem to be any log information anywhere) or if the adaptor cannot decrypt the file it fetches.

Is there any way to find out from the adaptor when it last tried to download a config file, why the fetch or decrypt might have failed, or anything like that? Or is there some way I can hand it the encrypted file "directly" so I know it gets it (that would at least tell me that if the changes still don't take then something in the encryption/decryption is incorrect)?

An additional point: how should the MAC address be formatted when used as the passphrase? For example if the MAC is 00:25:9C:6D:08:45 one could use that as the passphrase, or without the ":"s, or lowercase 00:25:9c:6d:08:45, or lower case without ":"s. Did I miss anything out?

New Member

Re: PAP2T provisioning

The error is in the encryption string. This is because the unit can download the file but can't read it.

That's because the guide mentioned here in the "string" is wrong.

If you are using XML as a configtemplate and unix you can do this:

To encrypt a file you need to do two things

1. zip the file using

gzip file.xml

2. encrypt the file using openssl

openssl enc -e -aes-256-cbc -k passkey -in file.xml.gz -out file.cfg

This works as long as you place the correct value in Profile rule (this downloads a lowercase macaddress file, ex. 0000aaaabbbb.cfg)

[--key passkey]tftp://address/$MA.cfg

This only works with xml!!!

For plaintext configs you might want to use the SPC tool created by Cisco.

Create the file and write this in a windows command window

spc --aes --ascii-key passkey file.txt file.cfg

If you want to be able to decrypt the files (if you are using a config generator that also encrypts the files) I would recommend the use of XML.

Only thing you then have to do to decrypt the files is:

1.

openssl enc -d -aes-256-cbc -k passkey -in file.cfg -out file.xml.gz

2.

uncompress file.xml.gz
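Pulling the steps from this reply together (lowercase MAC as the file name, gzip, then `openssl enc -aes-256-cbc -k`, and a Profile_Rule carrying a `[--key ...]` token) into one script that also decrypts the result server-side, so the round trip is proven before the file ever reaches the TFTP server. This is an added example, not a command set from the thread or from Cisco; the XML body, the `tftp.example.net` host name and the `OPENSSL_KDF_OPTS` hook are constructed for the demo, and the `Display_Name_1_` tag is only a stand-in for real profile parameters. Whether the MAC must also be named in the key token is exactly what the thread disputes, so `profile_rule` takes whatever key string you pass it. One caveat the thread predates: OpenSSL 1.1.0 changed the passphrase key derivation used by `enc` from MD5 to SHA-256, so a device that only knows the older derivation will reject files made with a newer openssl unless `-md md5` is added; that is what the hook is for (whether the PAP2T firmware needs it is not stated here).

```shell
#!/bin/sh
# Added example, not code from the thread: build a gzip + AES-256-CBC SPA
# profile as the replies describe, then decrypt it again server-side to
# prove the round trip before handing the file to the TFTP server.
# The XML body and the tftp host name are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Lowercase, separator-free MAC: the form the ATA substitutes for $MA
# when it requests <mac>.cfg (thread: "0000aaaabbbb.cfg").
mac_to_ma() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# gzip the XML, then encrypt with a passphrase (openssl derives key and IV
# from it). OPENSSL_KDF_OPTS is an assumed hook: set it to "-md md5" only
# if the receiving firmware expects the pre-OpenSSL-1.1.0 derivation.
build_profile() {
    xml=$1 key=$2 out=$3
    gzip -c "$xml" > "$WORK/stage.gz"
    openssl enc -e -aes-256-cbc ${OPENSSL_KDF_OPTS:-} -k "$key" \
        -in "$WORK/stage.gz" -out "$out"
}

# Reverse of build_profile: prints the plaintext XML to stdout.
decrypt_profile() {
    cfg=$1 key=$2
    openssl enc -d -aes-256-cbc ${OPENSSL_KDF_OPTS:-} -k "$key" -in "$cfg" | gunzip -c
}

# Profile_Rule value naming the key token and the per-device file
# (same shape as the thread's "[--key passkey]tftp://address/$MA.cfg").
profile_rule() {
    printf '[--key %s]tftp://%s/$MA.cfg' "$1" "$2"
}

# End-to-end check for one device: returns 0 only if the decrypted profile
# is byte-identical to the XML we started from, using the MA as passphrase.
roundtrip() {
    mac=$1
    ma=$(mac_to_ma "$mac")
    xml="$WORK/$ma.xml"
    # Constructed sample profile; the tag name is a stand-in, not a verified parameter.
    printf '<flat-profile>\n<Display_Name_1_>%s</Display_Name_1_>\n</flat-profile>\n' "$ma" > "$xml"
    build_profile "$xml" "$ma" "$WORK/$ma.cfg"
    decrypt_profile "$WORK/$ma.cfg" "$ma" | cmp -s - "$xml"
}

# Demo on the MAC quoted in the thread; prints the rule the ATA would need.
roundtrip '00:25:9C:6D:08:45' \
    && echo "round trip ok: $(profile_rule "$(mac_to_ma 00:25:9C:6D:08:45)" tftp.example.net)"
```

A wrong passphrase makes `decrypt_profile` emit bytes that `gunzip` rejects, which is the server-side equivalent of the adaptor silently ignoring a file it cannot decrypt; running the script with `OPENSSL_KDF_OPTS=-md md5` reproduces the older derivation if a device turns out to need it.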

New Member

Re: PAP2T provisioning

> That's because the guide mentioned here in the "string" is wrong.

What do you mean? What "string"?

> If you are using XML as a configtemplate

We are.

> 1. zip the file using

Why? Why on earth would I need to compress it? Please stop trying to complicate matters.

> This works as long as you place the correct value in Profile rule.(this downloads a lowercase macaddress file ex. 0000aaaabbbb.cfg)

That's exactly what I get - the file on the tftp server is named exactly as you said. Whether I should use this lower case value as the passphrase, uppercase, with or without the typical ":" separation characters seems to be completely unknown. I can confirm that 00259a6b01666 for example does not work, neither does 00259A6B01666. The config file is successfully retrieved from the tftp server, however.

> If you want to be able to decrypt the files (if you are using a config generator that also encrypts the files) I would recommend the use of XML.

> Only thing you then have to do to decrypt the files are:

I can do this on the command line. The problem occurs in "live" use when the adaptor itself tries to decrypt the config.

New Member

Re: PAP2T provisioning

Well.

When it comes to the "string" I just meant the string of replies.

If you wonder why on earth you need to compile, please ask Linksys/Cisco that question. That is what is written in the admin prov docs.

Yes. The unit recognizes the file when it decrypts the .cfg file. If it finds a txt file it opens it straight away.

But the xml files need to be compressed to an archive, don't know why. It's just how it is.

New Member

Re: PAP2T provisioning

Odd. The Provisioning Guide I have says "The SPA configuration profile open format consists of a text file (with XML-like syntax), optionally
compressed using the gzip deflate algorithm (RFC1951), and further optionally encrypted" (my emphasis) and the examples don't seem to indicate a compressed file:

Example 2-8     Encrypting the Configuration Profile
# example encryption key = SecretPhrase1234
openssl enc -e -aes-256-cbc -k SecretPhrase1234 -in profile.xml -out profile.cfg

Still, I will try it out...

New Member

Re: PAP2T provisioning

By the way.

Are you using @ or $ in your encryption key? That won't work. I've learned that the hard way when using xml.

I had the same problem as you when I tried to implement ata xml files on a https server.

New Member

Re: PAP2T provisioning

No, just the MAC as suggested by Alberto. So I encrypt an XML config with (for example):

openssl enc -e -aes-256-cbc -k 00259c6d0845 -in 00259c6d0845.cfg -out 00259c6d0845.cfg

and can happily decrypt the resulting file on the command line as well, using

openssl enc -d -aes-256-cbc -k 00259c6d0845 -in 00259c6d0845.cfg

I am trying your suggestion of gzipping the config first, now, and will let you know what happens.

New Member

Re: PAP2T provisioning

No, doesn't work.

Edit: Wait. It's still trying to get the .cfg file...

I don't suppose there is any way of configuring things so that /ata_linksys_pap2t/$MA.cfg could be something like /ata_linksys_pap2t/$MA.xml.gz for one specific adaptor (for testing purposes), is there?

New Member

Re: PAP2T provisioning

Are you using tftp or http(s)?

What is the server address? I'll create two config files so you can test.

Also need the MAC address for the unit you are testing on.

Btw. what firmware are the units running? And what version of spc are you using?

New Member

Re: PAP2T provisioning

We're using tftp, but we don't use spc, we create xml config files via our own software that fits in with the rest of our environment. Those files work fine, I'm now trying to add encryption to that to protect the customer information. Firmware version is 5.1.6(LS) apparently. You could try 00:25:9c:6d:08:45 if you want.

New Member

Re: PAP2T provisioning

Well I don't know what is wrong. I've tried using the MAC as the passphrase/encryption key as advised by Alberto, using both upper and lower case, with and without separating ":"s, and nothing seems to work.

New Member

Re: PAP2T provisioning

I've created the files. Those should work.

I've used these commands.

gzip 00259c6d0845.xml
openssl enc -e -aes-256-cbc -k 123456789 -in 00259c6d0845.xml.gz -out 00259c6d0845.cfg

in the specific ATA box set this as a profile rule:

[--key 123456789]tftp://addresstotftp/$MA.cfg

(change also these settings so the "download" goes faster

- 3600 <-- set it to 30
- 3600 <-- set it to 30

in the webgui)

Btw.

I see that one of the files got renamed from 00259c6d0845.cfg to 00259c6d0845.cfg.zip

Remember to rename the file back to .cfg

New Member

Re: PAP2T provisioning

Btw. the cfg file can be decompiled using these commands

openssl enc -d -aes-256-cbc -k 123456789 -in 00259c6d0845.cfg -out 00259c6d0845.xml.gz

uncompress 00259c6d0845.xml.gz

You should then be able to read the xml file. I've tested it here and it works on those files.

New Member

Re: PAP2T provisioning

I've created the files. Those should work.

I've used these commands.

gzip 00259c6d0845.xml
openssl enc -e -aes-256-cbc -k 123456789 -in 00259c6d0845.xml.gz -out 00259c6d0845.cfg

in the specific ATA box set this as a profile rule:

[--key 123456789]tftp://addresstotftp/$MA.cfg

Thanks, but if you read the rest of the thread, Alberto says you can use the MAC as the passphrase for en/decryption. I guess from your own experiences you found this wasn't true and that is why you are using the [--key 123456789]?

We basically have a number of config files, each "pointing" to the next. That is, init.cfg has a profile_rule_b entry that points to ata_linksys_$PN.cfg, which in turn contains a profile_rule_c entry pointing to $MA.cfg. Even if I can somehow add something to the profile_rule_c entry to indicate the passphrase, that does not seem any more secure than leaving the file unencrypted on the tftp server (since the previous files are unencrypted and would have the passphrase in cleartext in them).

This entire area seems rather shambolic on the part of Linksys.

Cisco Employee

Re: PAP2T provisioning

Dear Sirs;

In the case of using the MAC, can you please let me know the commands as well as the profile rule you are using?

This should work properly.

Regards;
Alberto

New Member

Re: PAP2T provisioning

openssl enc -e -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz -out 00259C010203.xml.gz

/ata_linksys_pap2t/$MA.xml.gz

The profile decrypts perfectly with

openssl enc -d -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz.openssl -out 00259C010203.xml.gz

The file is definitely being requested from the TFTP server.

New Member

Re: PAP2T provisioning

I can see one fault in your command and that is:

openssl enc -e -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz -out 00259C010203.xml.gz

Should be

openssl enc -e -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz -out 00259C010203.cfg

New Member

Re: PAP2T provisioning

marius.wehmer@get.no

I can see one fault in your command and that is:

openssl enc -e -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz -out 00259C010203.xml.gz

Should be

openssl enc -e -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz -out 00259C010203.cfg

I changed the filename ending but it didn't make any difference.

New Member

Re: PAP2T provisioning

Is this the command you are using as a profile rule on the unit?

/ata_linksys_pap2t/$MA.cfg

?


Remember to add [--key 00259C010203] in front of the URL.

[--key 00259C010203]/ata_linksys_pap2t/$MA.cfg

New Member

Re: PAP2T provisioning

marius.wehmer@get.no

Is this the command you are using as a profile rule on the unit?

/ata_linksys_pap2t/$MA.cfg

?

Yes. In another config file on the tftp server actually.

Remember to add [--key 00259C010203] in front of the URL.

[--key 00259C010203]/ata_linksys_pap2t/$MA.cfg

No, because:

amontill wrote:

you can encrypt them using e.g. the MAC address as the encryption key of the device. [...] basically you need to encrypt the file (using SPC) with the key (recommend MAC address as then you don't need to pass the key to the device), and then in the device profile rule, need to include the encryption key as a token.

(My emphasis)

Admittedly, that's not very clear, but it was clarified a couple of posts later:

amontill wrote:

If the passphrase is the MAC or serial number, it is not required as these are MACRO variables on the device.

3734 Views, 0 Helpful, 23 Replies