KMS User Guide On-Ramp Wireless Confidential and Proprietary. Restricted Distribution. This document is not to be used, disclosed, or distributed to anyone without express written consent from On-Ramp Wireless. The recipient of this document shall respect the security of this document and maintain the confidentiality of the information it contains.
On-Ramp Wireless Incorporated 10920 Via Frontera, Suite 200 San Diego, CA 92127 U.S.A. Copyright © 2011 On-Ramp Wireless Incorporated. All Rights Reserved. The information disclosed in this document is proprietary to On-Ramp Wireless Inc., and is not to be used or disclosed to unauthorized persons without the written consent of On-Ramp Wireless. The recipient of this document shall respect the security of this document and maintain the confidentiality of the information it contains.
Contents

1 Introduction ... 1
2 ULP Key Management Overview ... 1
3 Key Management Server ... 3
4 Installing the Software ... 5
4.1 System Requirements
Figures

Figure 1. ULP Key Generation and Key Export ... 2
Figure 2. ULP Key Management in Operational Mode ... 4

Tables

Table 1. Stack-Specific Properties for the Diameter Configuration File ... 11

On-Ramp Wireless Confidential and Proprietary iv 010-0062-00 Rev.
Revision History

Revision  Release Date  Change Description
A         May 17, 2011  Initial release.
1 Introduction

This document describes the setup, configuration, and use of the Key Management Server (KMS), which is the main key server for the ULP network. The KMS maintains the Ultra-Link Processing™ (ULP) network's gateway key and code download key, as well as the root keys for all nodes provisioned and authorized to access the ULP network.
2 ULP Key Management Overview

This chapter provides a brief overview of how ULP network keys are generated and managed. This involves the following basic steps:

1. The Key Management Server (KMS) generates the Gateway keys and creates the Master Key File ‘keyring.csv’ using the Generate Gateway Keys Utility (generate_gw_keys.py). This utility also creates an encrypted and signed output file that contains the Gateway keys for delivery to one or more Local Key Server (LKS) sites.
2.
Master Key File is created by the Generate Gateway Keys Utility (generate_gw_keys.py). The shared symmetric key is generated on the LKS side from a user-entered passphrase when the node key database is created using the Import Gateway Keys Utility (import_gw_keys.py). The passphrase used by KMS must be the same as the passphrase used by the LKS.

NOTE: The Gateway key and the code download (CDLD) key are unique to the network operator.
3 Key Management Server

The Key Management Server (KMS) is a physically secured server that uses the standard Diameter Protocol (RFC3538) to communicate with one or more ULP Gateway servers. The Gateway server requests keys from the KMS, and the KMS's Diameter Protocol implementation services those Gateway node key requests. The KMS server maintains a Master Key File (keyring.
[Figure 2. ULP Key Management in Operational Mode: on the customer side, the KMS (server) holding the Master Key File (keyring.csv) talks to the ULP Gateway (server) over the Diameter Protocol through an IPsec tunnel, with import_keys.py feeding the KMS. Each manufacturer/integrator site runs an LKS (server, lks_server.py) with node_keys.db; NPT clients (provision_node_keys.py) provision eNodes over SSL, and export_keys.py produces the Encrypted Batch Key File (node_keys.csv.rsa) for delivery to the KMS.]
4 Installing the Software

4.1 System Requirements

The system requirements for the KMS/KMC are as follows:

- An enterprise-level server running CentOS 5.5 (or later) or Red Hat® Enterprise Linux® (RHEL) 5.5 (or later) operating system (OS)
  NOTE: The KMS has been tested by On-Ramp Wireless on a system running the CentOS/RHEL 5.5 operating system.
- Python 2.6 including the module for PyCrypto (version 2.0.1 or 2.1.0). For Python and PyCrypto software installation instructions, refer to sections 4.3 and 4.4.
4.3 Installing Python Software

To install Python 2.6 on a Linux-based computer (CentOS/RHEL 5.5 or later), follow the steps below.

NOTE 1: In the CentOS 5.5 (or later) operating system, Python 2.4 is used by default. Python 2.6 must be installed but must not replace the existing Python 2.4, as doing so prevents the OS from operating properly. Python 2.6 therefore has to co-exist with Python 2.4. The Python 2.
RPMs for 64-bit:
  libffi-3.0.5-1.el5.x86_64.rpm
  python26-devel-2.6.5-6.el5.x86_64.rpm
  python26-2.6.5-6.el5.x86_64.rpm
  python26-distribute-0.6.10-4.el5.noarch.rpm
  python26-libs-2.6.5-6.el5.x86_64.rpm

3. Verify:
   rpm -qa | grep python26

4. Examine /usr/bin for the presence of python26:
   ls -la /usr/bin/python*
   The result should include:
   /usr/bin/python
   /usr/bin/python2.4
   /usr/bin/python26
   /usr/bin/python2.6
   /usr/bin/python2.6-config

5.
4.5 Installing the KMS Software

The KMS software runs on a server with the CentOS 5.5 (or later) or RHEL 5.5 (or later) operating system. Install the KMS software using the following command as root:
   rpm -Uvh ulp-kms-1.0.0-17827M.i386.rpm

After installing the KMS software, the KMS binary file and the diameter_server.conf file are located in the /opt/onramp directory.

4.
4.7 Installing the KMC Software

The KMC software is part of the Gateway. For more information, see the ULP Gateway Software Installation Guide.
5 Configuring the Software

5.1 Configuring the KMS Files

The KMS must contain the Diameter Configuration File and the Master Key File. These files are described below.

5.1.1 Diameter Configuration File

The Diameter Configuration File (diameter_server.conf) contains the information used to configure the Diameter Protocol, such as the addresses of the peers and clients that are allowed to connect and the Diameter Protocol security options. Edit the ‘diameter_server.conf’ file to match your environment.
The following table lists and describes the stack-specific properties; their values determine whether the stack is configured as a client or as a server.

Table 1. Stack-Specific Properties for the Diameter Configuration File

Property Name  Description                                                                                       Example
URI            Defines the Universal Resource Identifier (URI) of a Diameter node for both the client and the server.
NOTE: Specify the following parameters for the KMS Diameter Configuration file.

- ApplicationID=2 for the SupportedApplicationIds property. The KMS uses Mobile IPv4 (RFC4004) as the application interface over the base Diameter Protocol to exchange the Gateway and the node keys.
- A Fully Qualified Domain Name (FQDN) in the URI property. The FQDN in the URI property must match your computer's Internet Protocol (IP) address or FQDN.

5.
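A pre-flight check for the two parameters the note above requires, written as an added example and not part of the On-Ramp Wireless KMS software. The page does not document the syntax of diameter_server.conf, so this example assumes plain Name=Value lines, that SupportedApplicationIds carries one or more ApplicationID=<n> tokens, and that URI uses the aaa://<host>[:port] Diameter URI form; the sample file and host names are constructed, and the code targets Python 3.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample configuration (assumed Name=Value syntax; not the real file).
SAMPLE_CONF = """# diameter_server.conf (constructed example)
URI=aaa://kms.example.internal:3868
SupportedApplicationIds=ApplicationID=2
"""


def parse_conf(text):
    """Parse Name=Value lines, ignoring blank lines and '#' comments.
    Only the first '=' splits, so a value such as 'ApplicationID=2' survives."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        props[name.strip()] = value.strip()
    return props


def check_conf(props, local_names):
    """Return a list of problems; an empty list means the KMS settings pass.
    local_names: this server's FQDN and IP addresses (collected by the caller)."""
    problems = []
    # The KMS must advertise Mobile IPv4 (ApplicationID=2) over base Diameter.
    ids = re.findall(r"ApplicationID=(\d+)", props.get("SupportedApplicationIds", ""))
    if "2" not in ids:
        problems.append("SupportedApplicationIds must include ApplicationID=2 (Mobile IPv4, RFC4004)")
    # The URI host must be this machine's FQDN or IP address.
    uri = props.get("URI", "")
    host = urlsplit(uri).hostname if uri.startswith("aaa://") else None
    if host is None:
        problems.append("URI must be a Diameter URI of the form aaa://<fqdn>[:port]")
    elif host not in local_names:
        problems.append("URI host %r does not match this server's FQDN or IP" % host)
    return problems


if __name__ == "__main__":
    names = [socket.getfqdn()] + socket.gethostbyname_ex(socket.gethostname())[2]
    for p in check_conf(parse_conf(SAMPLE_CONF), names) or ["OK"]:
        print(p)
```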
5.5 Using Secure Communication between the KMS and the Gateway Servers

The default installation and default Diameter Configuration do not set up secure communication between the KMS and the Gateway servers; however, secure communication can be set up using IPsec. IPsec is used for securing the server-to-server communication, in this case KMS to Gateway. Set up IPsec on the KMS and Gateway servers with a pre-shared key. To do this, follow the steps below.

1.
For the Gateway:
   /sbin/service ulp-gateway restart

2. The log file for the KMS is: /tmp/kms.log
3. The log file for the KMC (on the Gateway) is: /opt/onramp/logs/kmc.log
6 Uninstalling the KMS Software

WARNING: Uninstalling the KMS software deletes the /opt/onramp directory. Before you uninstall the software, be sure to back up the /opt/onramp directory to preserve keys and configuration.

To uninstall the KMS software on your computer, run the following command for CentOS/RHEL 5.5 (or later) as root:
   rpm -e ulp-kms
Appendix A Key Generation, Provisioning, and Backup This appendix provides instructions on how to generate and export gateway keys for distribution to one or more LKS sites as well as how to import and merge an incremental batch key file exported from the LKS into the Master Key File used by the KMS. The batch key files exported from the LKS contain the node root keys. The KMS Master Key File contains the keys for all nodes authorized to join the network. The KMS Master Key File must be named ‘keyring.csv’.
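The merge of an incremental LKS batch key file into the Master Key File, as an added example that is not one of the On-Ramp Wireless utilities. The page does not document the column layout of keyring.csv or of the decrypted batch file, so a two-column node_id,root_key CSV is assumed; the key values are constructed placeholders and the code targets Python 3. The point it adds is the conflict check: a node that already exists in the keyring with a different root key is reported, never overwritten silently.

```python
import csv
import io

# Constructed sample keyring and LKS batch (assumed layout, placeholder keys).
MASTER_KEYRING = """node_id,root_key
00000001,0011223344556677
00000002,8899aabbccddeeff
"""
BATCH_FROM_LKS = """node_id,root_key
00000002,8899aabbccddeeff
00000003,0123456789abcdef
00000004,fedcba9876543210
"""


def load_keyring(text):
    """Parse CSV text into a dict of node_id -> root_key (first row is the header)."""
    return {r["node_id"]: r["root_key"] for r in csv.DictReader(io.StringIO(text))}


def merge_batch(master, batch):
    """Merge an incremental batch into a copy of the master keyring.
    Returns (merged, added, conflicts): a node re-exported with the same key is
    ignored; the same node with a different key is a conflict for an operator."""
    merged = dict(master)
    added, conflicts = [], []
    for node_id, key in batch.items():
        if node_id not in merged:
            merged[node_id] = key
            added.append(node_id)
        elif merged[node_id] != key:
            conflicts.append(node_id)
    return merged, added, conflicts


def write_keyring(master):
    """Serialise the keyring back to CSV text, sorted by node_id."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["node_id", "root_key"])
    for node_id in sorted(master):
        w.writerow([node_id, master[node_id]])
    return out.getvalue()


if __name__ == "__main__":
    merged, added, conflicts = merge_batch(load_keyring(MASTER_KEYRING),
                                           load_keyring(BATCH_FROM_LKS))
    print("added:", added, "conflicts:", conflicts)
    print(write_keyring(merged))
```

After writing the merged file back as keyring.csv the KMS process must be restarted (see the note in A.3), otherwise the Gateway cannot obtain the new node keys.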
- Use both upper and lower case characters
- Use numbers and special characters (for example, #, $, ^, *, &, ~, !)

A.2 eNode Key Provisioning

Each eNode must be provisioned with three security keys:

- Gateway key
- Code download (CDLD) key
- Node-specific root key

The Gateway key and the code download (CDLD) key are used by all nodes on a network. However, each node has its own unique node root key.
NOTE: After merging the new batch keys into the existing ‘keyring.csv’ file, the KMS process must be restarted using the following command as root:
   /sbin/service ulp-kms restart

If the KMS process is not restarted after updating the ‘keyring.csv’ file, the KMS will not be able to provide the new keys to the Gateway.

A.4 Master Key File

A.4.
Appendix B Abbreviations and Terms

Abbreviation/Term  Definition
3DES               Triple Data Encryption Standard
AES                Advanced Encryption Standard
AH                 Authentication Header
AP                 Access Point. The ULP network component geographically deployed over a territory.