RFC 8188-Based HTTP Content Encryption; Optional Resync Arguments - Cisco 8800 Series Manual

Cisco IP Phone Provisioning
If server is missing, the TFTP server specified through DHCP (option 66) is used.
Note
For upgrade rules, the server must be specified.
If port is missing, the standard port for the specified scheme is used. TFTP uses UDP port 69, HTTP uses TCP
port 80, and HTTPS uses TCP port 443.
A filepath must be present. It need not necessarily refer to a static file, but can indicate dynamic content
obtained through CGI.
Macro expansion applies within URLs. The following are examples of valid URLs:
/$MA.cfg
/cisco/cfg.xml
192.168.1.130/profiles/init.cfg
tftp://prov.call.com/cpe/cisco$MA.cfg
http://neptune.speak.net:8080/prov/$D/$E.cfg
https://secure.me.com/profile?Linksys
When using DHCP option 66, the empty syntax is not supported by upgrade rules. It is only applicable for
Profile Rule*.

RFC 8188-Based HTTP Content Encryption

The phone supports RFC 8188-based HTTP content encryption with AES-128-GCM ciphering for configuration
files. With this encryption method, any entity can read the HTTP message headers. However, only the entities
that know the Input Keying Material (IKM) can read the payload. When the phone is provisioned with the
IKM, the phone and the provisioning server can exchange configuration files securely, while allowing
third-party network elements to use the message headers for analytic and monitoring purposes.
The XML configuration parameter IKM_HTTP_Encrypt_Content holds the IKM on the phone. For
security reasons, this parameter is not accessible on the phone administration web page. It is also not visible
in the phone's configuration file, which you can access from the phone's IP address or from the phone's
configuration reports sent to the provisioning server.
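The following is an added example, not code from the Cisco guide: a provisioning-side check for the aes128gcm content encoding this section describes, using the header layout and HKDF labels defined in RFC 8188. The function names and the sample IKM and body are constructed for illustration; the AES-128-GCM step itself is left to an AEAD library keyed with the derived values.

```python
import hashlib
import hmac
import struct

def hkdf_sha256(salt, ikm, info, length):
    """HKDF (RFC 5869), SHA-256; a single expand block covers length <= 32."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

def parse_aes128gcm(body):
    """Split an RFC 8188 body into (salt, rs, keyid, list of ciphertext records)."""
    if len(body) < 21:
        raise ValueError("shorter than the fixed header: salt(16) rs(4) idlen(1)")
    salt = body[:16]
    rs, idlen = struct.unpack("!IB", body[16:21])
    if rs < 18:
        raise ValueError("record size %d is below the minimum of 18" % rs)
    if len(body) < 21 + idlen:
        raise ValueError("key id is truncated")
    keyid, data = body[21:21 + idlen], body[21 + idlen:]
    records = [data[i:i + rs] for i in range(0, len(data), rs)]
    if not records or len(records[-1]) < 17:
        raise ValueError("last record cannot hold a delimiter and a 16-byte tag")
    return salt, rs, keyid, records

def derive_keys(ikm, salt):
    """Content-encryption key (16 bytes) and base nonce (12 bytes) from the IKM."""
    cek = hkdf_sha256(salt, ikm, b"Content-Encoding: aes128gcm\x00", 16)
    base = hkdf_sha256(salt, ikm, b"Content-Encoding: nonce\x00", 12)
    return cek, base

def record_nonce(base, seq):
    """Per-record nonce: base nonce XOR the 96-bit record sequence number."""
    return (int.from_bytes(base, "big") ^ seq).to_bytes(12, "big")

def preflight(headers, body):
    """List the problems with a response that is meant to be served as aes128gcm."""
    problems = []
    encoding = {k.lower(): v.strip() for k, v in headers.items()}.get("content-encoding")
    if encoding != "aes128gcm":
        problems.append("Content-Encoding is %r, not 'aes128gcm'" % encoding)
    try:
        parse_aes128gcm(body)
    except ValueError as exc:
        problems.append("body: %s" % exc)
    return problems

SAMPLE_IKM = b"constructed-ikm!"  # constructed placeholder, not a real key
# Constructed body: all-zero salt, rs=4096, no key id, 33 placeholder bytes.
SAMPLE_BODY = bytes(16) + struct.pack("!IB", 4096, 0) + bytes(33)
```

An empty list from `preflight` means the header and body framing are consistent with aes128gcm; it does not prove that the payload decrypts under the phone's IKM.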
If you want to use the RFC 8188-based encryption, ensure the following:
• Provision the phone with the IKM by specifying the IKM with the XML parameter
IKM_HTTP_Encrypt_Content in the configuration file that is sent from the provisioning server to
the phone.
• If this encryption is applied to the configuration files sent from the provisioning server to the phone,
ensure that the Content-Encoding HTTP header in the configuration file has "aes128gcm".
In the absence of this header, the AES-256-CBC method is given precedence. The phone applies
AES-256-CBC decryption if an AES-256-CBC key is present in a profile rule, regardless of IKM.
• If you want the phone to apply this encryption to the configuration reports that it sends to the provisioning
server, ensure that there is no AES-256-CBC key specified in the report rule.

Optional Resync Arguments

Optional arguments, key, uid, and pwd, can precede the URLs entered in Profile_Rule* parameters,
collectively enclosed by square brackets.
Cisco IP Phone 8800 Series Multiplatform Phone Administration Guide for Release 11.3(1) and Later

This manual is also suitable for:

8851, 8861, 8865