Spa Configuration Profile Compiler - Linksys SPA2102-AU Provisioning Manual


Example 2-8
# example encryption key = SecretPhrase1234
openssl enc -e -aes-256-cbc -k SecretPhrase1234 -in profile.xml -out profile.cfg
# analogous invocation for a compressed xml file
openssl enc -e -aes-256-cbc -k SecretPhrase1234 -in profile.xml.gz -out profile.cfg
A lowercase -k precedes the secret key, which can be any plain text phrase and is used to generate a
random 64-bit salt. Then, in combination with the secret specified with the -k argument, it derives a
random 128-bit initial vector and the actual 256-bit encryption key.
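The salt, initial vector and key derivation described above can be reproduced offline to check that a profile.cfg carries the expected salted header and to see that the key and IV are fixed by the passphrase and salt alone. This is an added example, not code from the Linksys guide: it assumes the "Salted__" file layout and the single-iteration EVP_BytesToKey derivation that openssl enc -k uses when -pbkdf2 is not given. The digest is a parameter because OpenSSL defaulted to MD5 before 1.1.0 and to SHA-256 from 1.1.0 on, and the guide does not state which one the SPA firmware expects; the sample bytes are constructed.

```python
import hashlib

MAGIC = b"Salted__"  # 8-byte marker that openssl enc writes before the 64-bit salt


def parse_salted_header(blob: bytes):
    """Split an openssl enc output file into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not a salted openssl enc file")
    ciphertext = blob[16:]
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return blob[8:16], ciphertext


def evp_bytes_to_key(passphrase: bytes, salt: bytes, digest="md5",
                     key_len=32, iv_len=16):
    """Single-iteration EVP_BytesToKey: D_i = H(D_{i-1} || passphrase || salt)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + passphrase + salt).digest()
        material += block
    # First 256 bits are the AES key, the next 128 bits are the CBC IV.
    return material[:key_len], material[key_len:key_len + iv_len]


def describe_profile(blob: bytes, passphrase: bytes, digest="md5"):
    """Report what anyone holding the file and the passphrase can recompute."""
    salt, ciphertext = parse_salted_header(blob)
    key, iv = evp_bytes_to_key(passphrase, salt, digest)
    return {"salt": salt.hex(), "key": key.hex(), "iv": iv.hex(),
            "ciphertext_len": len(ciphertext)}


# Constructed sample: header, an arbitrary salt, two zeroed ciphertext blocks.
SAMPLE = MAGIC + bytes.fromhex("0011223344556677") + bytes(32)

if __name__ == "__main__":
    # The same file yields different key material under each digest, which is
    # why the encrypting tool and the decrypting device must agree on it.
    for md in ("md5", "sha256"):
        print(md, describe_profile(SAMPLE, b"SecretPhrase1234", md))
```
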
When this form of encryption is used to encrypt a configuration profile, the SPA needs to be informed
of the secret key value to decrypt the file. This value is specified as a qualifier in the pertinent profile
URL. The syntax is as follows, using an explicit URL:
[--key "SecretPhrase1234"] http://prov.telco.com/path/profile.cfg
This is programmed using one of the Profile_Rule parameters. The key must be preprovisioned into the
unit at an earlier time. This bootstrap of the secret key can be accomplished securely using HTTPS.
Preencrypting configuration profiles offline with symmetric key encryption allows the use of HTTP for
resyncing profiles. The provisioning server only needs to use HTTPS to handle initial provisioning of
SPAs after deployment. This reduces the load on the HTTPS server in large scale deployments.
The final file name does not need to follow a specific format, but it is conventional to end the name with
the .cfg extension to indicate that it is a configuration profile.
SPA Configuration Profile Compiler
The SPA also accepts configuration profiles in binary format. The SPA configuration profile compiler is
a translation tool (spc.exe) that translates a plain-text format into the required binary format.
Appendix C, "Example SPA Configuration Profile" provides an example of a typical SPA2102
configuration text file. Other ATAs are similar. However, the SPA3102 has a number of unique
parameters.
The SPC tool expects a semicolon, ";", to separate each parameter definition. If a parameter is not defined
in the configuration profile, the current value for that parameter is retained by the SPA.
The SPC tool is available from Linksys upon request in binary executable format in the following
versions:
spc.exe—Windows 32-bit PC environment
spc-linux-i386-static—Linux ELF environment
Versions of the SPC tool for other platforms may be available by special request.
The profile compiler can generate different types of configuration files, using different types of
encryption:
Generic, non-targeted CFG file, without an explicit key
Targeted (--target option), also encrypts the CFG file without an explicit key, but uses the MAC
address of the target SPA, and only that SPA can decode it
Explicit key-based encryption of the CFG file.

Linksys SPA Provisioning Guide, Version 3.0. Chapter 2, Creating Provisioning Scripts: Encrypting the Configuration Profile.
