Secure provisioning

This page helps you set up secure remote provisioning of OBi100 / OBi110 / OBi202 / OBi302 devices. Once you complete the setup described on this page, you will be able to securely upload a configuration to a remote OBi device.

Before you start
What we will need/use
Tools

Secure remote provisioning setup requires the following tools:

Preparation

Preparation needs to be done only once.

  1. Configure and test your local OBi device. Make sure that:
  2. Create a backup file of the current configuration. Go to System Management | Device Update | Backup Configuration, check the box Use OBi Version, and make the backup file. This creates a file with this name:
    backup9CADEF100000.xml
    
  3. Make a copy of the backup file and rename it to 9CADEF100001.xml
    Note: we have changed the MAC here from that of the local device (MAC ending with '0') to that of the remote one (MAC ending with '1').

    Then edit the new, renamed file:

  4. Encrypt the configuration file using the openssl tool:
    openssl enc -aes-128-cbc -K 1234567890abcdef1234567890abcd01 -iv 1234567890abcdef1234567890abcd02 -in 9CADEF100001.xml -out 9CADEF100001.aes

    where 1234567890abcdef1234567890abcd01 is the AES key (-K) and 1234567890abcdef1234567890abcd02 is the initialization vector (-iv) used to encrypt the configuration file. Both are sample values: replace them with the actual values you want to use in your setup.

  5. Create a new file named 9CADEF100001-init.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    <ParameterList X_Reset="All">
      <O>
        <N>X_DeviceManagement.ITSPProvisioning.</N>
        <P>
          <N>ConfigURL</N>
          <V>SYNC -A=aes -K=$SPRM0 -IV=$SPRM1 http://storage.domain.tld/OBi/$MAC.aes</V>
        </P>
        <P>
          <N>SPRM0</N>
          <V>1234567890abcdef1234567890abcd01</V>
        </P>
        <P>
          <N>SPRM1</N>
          <V>1234567890abcdef1234567890abcd02</V>
        </P>
      </O>
    </ParameterList>
    
  6. Encode the file using the OBiCrypt tool:
    obcrypt -M=9CADEF100001 -O=9CADEF100001-init.obi 9CADEF100001-init.xml
    
  7. Copy the two files to the HTTP server (put them into the storage.gate2.net/OBi folder):
    9CADEF100001-init.obi        -- initialization file, encrypted by OBi
    9CADEF100001.aes             -- configuration file, encrypted by AES

    Important: make sure that the web server you use allows downloading files with the extensions .obi and .aes. In IIS, for example, go to Properties | HTTP Headers | MIME Types... and add those two new types there.

At this point preparation for secure remote provisioning is complete. You are ready to deploy the configuration to the remote OBi device.
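Steps 4 and 5 must use the same key and IV, and the sample values shown above should never reach a real device. The following script is an added example, not part of the original page or of any OBi tooling: it generates fresh random values per device and produces both the init XML and the matching openssl command. The function name `plan_device` and the uppercase-MAC check are assumptions made for this example.

```python
import re
import secrets
import xml.etree.ElementTree as ET


def plan_device(mac, base_url, key=None, iv=None):
    """Return (init_filename, init_xml_text, openssl_argv) for one device.

    key and iv default to fresh random 128-bit values, so no two devices
    share key material and the page's sample values are never deployed.
    """
    key = key or secrets.token_hex(16)
    iv = iv or secrets.token_hex(16)
    # Assumption: MAC written as on this page, 12 uppercase hex digits.
    if not re.fullmatch(r"[0-9A-F]{12}", mac):
        raise ValueError("MAC must be 12 uppercase hex digits, no separators")
    for label, value in (("key", key), ("iv", iv)):
        if not re.fullmatch(r"[0-9a-fA-F]{32}", value):
            raise ValueError(f"{label} must be exactly 32 hex digits")

    # Step 5: same structure as the page's <MAC>-init.xml.
    root = ET.Element("ParameterList", {"X_Reset": "All"})
    obj = ET.SubElement(root, "O")
    ET.SubElement(obj, "N").text = "X_DeviceManagement.ITSPProvisioning."
    config_url = f"SYNC -A=aes -K=$SPRM0 -IV=$SPRM1 {base_url}/$MAC.aes"
    for name, value in (("ConfigURL", config_url), ("SPRM0", key), ("SPRM1", iv)):
        param = ET.SubElement(obj, "P")
        ET.SubElement(param, "N").text = name
        ET.SubElement(param, "V").text = value
    xml_text = ('<?xml version="1.0" encoding="UTF-8"?>\n'
                + ET.tostring(root, encoding="unicode") + "\n")

    # Step 4: the page's openssl command, with the same key and IV.
    argv = ["openssl", "enc", "-aes-128-cbc", "-K", key, "-iv", iv,
            "-in", f"{mac}.xml", "-out", f"{mac}.aes"]
    return f"{mac}-init.xml", xml_text, argv


if __name__ == "__main__":
    # Constructed sample: the MAC and URL are the ones used on this page.
    name, xml_text, argv = plan_device("9CADEF100001",
                                       "http://storage.domain.tld/OBi")
    with open(name, "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    print(" ".join(argv))
```

The generated init file still has to be encoded with the OBiCrypt tool (step 6) before it is placed on the server, and it should be treated as a secret until then because it contains the key and IV in clear text.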

Initial setup

The steps below have to be performed only once. After this action the OBi device downloads the OBi-encrypted file (9CADEF100001-init.xml file, see above), which contains the proper URL for downloading the actual configuration file and the key and IV needed to AES-decrypt that configuration.

To perform the initial setup you have to ask the owner of the OBi device to (or do it yourself):

At this point the OBi device is ready to take its new configuration automatically.

Provisioning

After you have completed the preparation and initial setup phases described above, the remote OBi device should already be configured. If you need to change its configuration later on:

  1. Edit the configuration file (9CADEF100001.xml) to reflect the needed change
  2. Encrypt this file again using the openssl tool (see the command line mentioned above)
  3. Copy the new encrypted file 9CADEF100001.aes to the HTTP server

At this point you need to upload that new configuration to the remote OBi device. Generally there are two ways to do it:


Last modified: 2017-01-01 Copyright © 2000-2017 Gate2NET. All Rights Reserved.