LKS User Guide On-Ramp Wireless Confidential and Proprietary. Restricted Distribution. This document is not to be used, disclosed, or distributed to anyone without express written consent from On-Ramp Wireless. The recipient of this document shall respect the security of this document and maintain the confidentiality of the information it contains.
On-Ramp Wireless Incorporated 10920 Via Frontera, Suite 200 San Diego, CA 92127 U.S.A. Copyright © 2011 On-Ramp Wireless Incorporated. All Rights Reserved. The information disclosed in this document is proprietary to On-Ramp Wireless Inc., and is not to be used or disclosed to unauthorized persons without the written consent of On-Ramp Wireless. The recipient of this document shall respect the security of this document and maintain the confidentiality of the information it contains.
Contents
1 Introduction .......... 1
2 ULP Key Management Overview .......... 2
3 Local Key Server .......... 5
4 Installing the Software .......... 6
4.1 System Requirements ........
Figures
Figure 1. ULP Key Generation and Key Export .......... 4
Figure 2. ULP Key Management in Operational Mode .......... 5
On-Ramp Wireless Confidential and Proprietary iv 010-0059-00 Rev.
Revision History
Revision  Release Date  Change Description
A         May 17, 2011  Initial release
1 Introduction This document describes the setup, configuration, and use of the Local Key Server (LKS) for provisioning eNodes (also referred to as nodes) with security keys during production. It also provides instructions on importing Gateway keys from the Key Management Server (KMS) and creating a node key database. NOTE: This guide is intended for system-administrator-level users with root privileges. General familiarity with security concepts is required.
2 ULP Key Management Overview This chapter provides a brief overview of how Ultra-Link Processing™ (ULP) network keys are generated and managed. This involves the following basic steps:
1. The Key Management Server (KMS) generates the Gateway keys and creates the Master Key File ‘keyring.csv’ using the Generate Gateway Keys Utility (generate_gw_keys.py). This utility also creates an encrypted and signed output file that contains the Gateway keys for delivery to one or more Local Key Server (LKS) sites.
2. The Gateway key file is then sent to all LKS machines that provision nodes for the system. The shared symmetric key that protects this file is generated on the KMS side from a user-entered passphrase when the Master Key File is created by generate_gw_keys.py, and on the LKS side from the same passphrase when the node key database is created using the Import Gateway Keys Utility (import_gw_keys.py). Because both sides derive the same key from the same passphrase, the passphrase must reach each LKS site by a channel separate from the key file itself; an LKS whose passphrase differs from the one entered on the KMS cannot decrypt or verify the file.
Figure: ULP key generation, export and node provisioning flow (labels recovered from the diagram). Customer side: the KMS (server) runs generate_gw_keys.py, producing the Master Key File (keyring.csv) and the encrypted Gateway key file gw_keys.csv.aes; the KMS and the ULP Gateway (server) are linked by the Diameter protocol over an IPsec tunnel. Each manufacturer/integrator site (Manufacturer 1 / Integrator 1, Manufacturer 2 / Integrator 2) runs an LKS (server) that imports the Gateway keys with import_gw_keys.py into node_keys.db, and one or more NPT (client) instances that run provision_node_keys.py against eNodes, talking to the LKS over SSL.
3 Local Key Server The Local Key Server (LKS) is an integral part of the key provisioning, management, and ULP network access control system. The LKS is a physically secured server that communicates over SSL-protected TCP connections with one or more Node Provisioning Tool (NPT) clients. The LKS maintains a database (for example, node_keys.db) containing the Gateway key, the code download (CDLD) key, and the node root key for a range of eNodes. The database file name is specified by the customer.
4 Installing the Software 4.1 System Requirements The system requirements for an LKS are as follows: An enterprise-level server running CentOS 5.5 (or later) or Red Hat® Enterprise Linux® (RHEL) 5.5 (or later) operating system (OS) NOTE: The LKS has been tested by On-Ramp Wireless on a system running CentOS/RHEL 5.5 operating system. Python 2.6 including the module for PyCrypto (version 2.0.1 or 2.1.0). For Python and PyCrypto software installation instructions, refer to sections 4.3 and 4.4. 4.
OS from operating properly. This requires Python 2.6 to co-exist with Python 2.4. The Python 2.6 executable cannot use the default ‘python’ name so it must be renamed (for example, ‘python26’). This affects the various Python scripts that follow. NOTE 2: The person performing this installation must have root privileges on the server.
1. If using Yum, follow the steps below and continue on to step 3. If not using Yum, skip to step 2. a.
3. Verify:
rpm -qa | grep python26
4. Examine /usr/bin for the presence of python26:
ls -la /usr/bin/python*
The result should include:
/usr/bin/python
/usr/bin/python2.4
/usr/bin/python26
/usr/bin/python2.6
/usr/bin/python2.6-config
5. Run Python using the following command:
python26
6. At the Python Interpreter prompt “>>>”, type the following:
import sys
dir(sys)
The result should be a few lines of comma-separated module functions that will look like this: ...
To install and configure the LKS server:
1. Identify a parent directory location on the LKS where a subdirectory is to be created containing the LKS scripts and utilities. The subdirectory is created when the LKS scripts are extracted. If the parent directory (for example, /opt/onramp) does not already exist, create it using the following command:
mkdir -p /opt/onramp
2. Go to the parent directory as follows:
cd /opt/onramp
3. Copy the ‘provisioning_lks.tar.
NOTE: When the new node key database is created with this command, it prompts the user for a passphrase from which a symmetric key is derived. This key is used both to digitally sign exported key files and to decrypt the KMS Gateway key file that is imported into the node key database, so it must be the same passphrase that was entered on the KMS when the Gateway key file was generated. You only need to enter this passphrase once for each database, when it is first created.
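The passphrase scheme described here and in the overview (a key derived from one passphrase on the KMS side to encrypt and sign the Gateway key file, and from the same passphrase on the LKS side to verify and decrypt it) is illustrated below with an added shell example. It is not generate_gw_keys.py or import_gw_keys.py; the real utilities' file layout, cipher mode and MAC are not shown in this guide. The example derives the encryption key from the passphrase with PBKDF2 and encrypts with AES-128-CBC via openssl enc, then tags the ciphertext with HMAC-SHA256 keyed by the passphrase (a stand-in for the AES-CMAC the guide lists). The receiving side checks the tag before attempting any decryption and produces no plaintext on a mismatch. File names, the passphrase and the sample key file contents are made up for the example.

```shell
#!/bin/sh
# Added illustration of passphrase-derived protection of a Gateway key file.
# Not the On-Ramp utilities: AES-128-CBC + PBKDF2 (openssl enc) for
# confidentiality, HMAC-SHA256 (openssl dgst) for integrity, encrypt-then-MAC.

# KMS role. $1 = plaintext key file, $2 = passphrase.
# Writes $1.aes (ciphertext) and $1.aes.tag (hex HMAC over the ciphertext).
kms_protect_file() {
    openssl enc -aes-128-cbc -pbkdf2 -salt -pass "pass:$2" \
        -in "$1" -out "$1.aes" || return 1
    # Tag the ciphertext, not the plaintext, so tampering is detected before decryption.
    openssl dgst -sha256 -hmac "$2" "$1.aes" | awk '{ print $NF }' > "$1.aes.tag"
}

# LKS role. $1 = ciphertext (.aes), $2 = passphrase, $3 = output plaintext path.
# Returns 1 and writes nothing if the tag does not match (wrong passphrase or
# a modified file); only then is the file decrypted.
lks_verify_and_decrypt() {
    expected=$(cat "$1.tag") || return 1
    actual=$(openssl dgst -sha256 -hmac "$2" "$1" | awk '{ print $NF }')
    if [ "$expected" != "$actual" ]; then
        echo "tag mismatch on $1: wrong passphrase or file altered" >&2
        return 1
    fi
    openssl enc -d -aes-128-cbc -pbkdf2 -pass "pass:$2" -in "$1" -out "$3"
}

# Self-contained round trip on a constructed sample (not real key material).
# Returns 0 when the file survives the round trip and a wrong passphrase is
# rejected without producing output.
demo_roundtrip() {
    work=$(mktemp -d) || return 1
    printf 'gateway_key,00112233445566778899aabbccddeeff\ncdld_key,ffeeddccbbaa99887766554433221100\n' \
        > "$work/gw_keys.csv"
    kms_protect_file "$work/gw_keys.csv" 'correct horse battery staple' || return 1
    lks_verify_and_decrypt "$work/gw_keys.csv.aes" 'wrong passphrase' "$work/bad.csv" 2>/dev/null && return 1
    [ ! -e "$work/bad.csv" ] || return 1
    lks_verify_and_decrypt "$work/gw_keys.csv.aes" 'correct horse battery staple' "$work/out.csv" || return 1
    cmp -s "$work/gw_keys.csv" "$work/out.csv" || return 1
    rm -rf "$work"
}
```

Two simplifications to be aware of before reusing the pattern: the passphrase is used directly as the HMAC key, whereas a production design derives separate encryption and MAC keys from it (for example through a KDF with distinct labels), and the shell string comparison of the tags is not constant-time. The behaviour worth copying is the ordering: verify the tag over the ciphertext first, and never write plaintext when it fails.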
user-defined intervals, the keys can be exported, encrypted, and signed, using the ‘export_keys.py’ utility. It may be necessary to modify the firewall settings to allow LKS protocol traffic through the specified TCP ports.
8. Starting one or more instances of the LKS automatically at system startup is platform and implementation specific. For additional information and support for this functionality, contact On-Ramp Wireless at support@onrampwireless.com.
5 Key Creation, Export, and Backup Each eNode must be provisioned with three security keys:
1. Gateway key
2. Code download (CDLD) key
3. Node-specific root key
5.1 Gateway Key and Code Download Key The KMS generates the Gateway key and the code download (CDLD) key. Both keys are imported when a new node key database is created. Because the Gateway key and the code download (CDLD) key are network-wide keys, they are tied to a particular customer or network deployment.
tracked together. If the sales order number is not a true integer but contains alphanumeric characters, then it must be mapped to and associated with an integer batch number. NOTE: Batch numbers should be assigned in monotonically increasing order. If they are not, then when keys are exported to the KMS based on the most recent batches (see section 5.3), it is difficult to distinguish the keys that were created at an earlier date from those that were created at a later date.
python26 export_keys.py -d -o -p -b 1 -B 33-37
where:
node_keys.db is the LKS key database containing all the node keys for a specific customer or product (filename is user-defined)
out_file.csv is the key output file which holds the Gateway, code download (CDLD), and node keys in CSV format (filename is user-defined)
kms_key.pub.
3. The 16-byte code download (CDLD) key
All subsequent lines in the exported key file contain the following four columns:
1. node ID
2. node root key
3. batch number
4.
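An added shell example (not an On-Ramp utility) of the two bookkeeping tasks this section implies: allocating batch numbers that only ever increase even when alphanumeric sales orders arrive out of sequence, and selecting a range of batches from an exported key file the way -B 33-37 does, while flagging records whose batch numbers run backwards. The layout of the leading key lines and the heading of the fourth record column are not fully visible in this copy of the guide, so the sample file uses stand-in values for those; node IDs, root keys (assumed 16 bytes here) and batch numbers are constructed.

```shell
#!/bin/sh
# Added example for batch bookkeeping around export_keys.py. The mapping file
# and export layout below are constructed for the example.

# $1 = mapping file (one "order,batch" line per sales order), $2 = sales order.
# Prints the batch already assigned to $2, or allocates max+1 so that batch
# numbers stay monotonically increasing regardless of order-number format.
batch_for_order() {
    map=$1; order=$2
    [ -f "$map" ] || : > "$map"
    existing=$(awk -F, -v o="$order" '$1 == o { print $2; exit }' "$map")
    if [ -n "$existing" ]; then
        printf '%s\n' "$existing"
        return 0
    fi
    next=$(awk -F, 'BEGIN { m = 0 } NF == 2 && $2 + 0 > m { m = $2 + 0 } END { print m + 1 }' "$map")
    printf '%s,%s\n' "$order" "$next" >> "$map"
    printf '%s\n' "$next"
}

# $1 = exported key file, $2 = lowest batch, $3 = highest batch (inclusive).
# Node records are lines with at least four comma-separated fields and an
# integer in column 3 (the batch number); everything else (the leading key
# lines) is passed through unchanged. Records outside the range are dropped.
# A warning goes to stderr when a batch number is lower than the one before it.
select_batches() {
    awk -F, -v lo="$2" -v hi="$3" '
        !(NF >= 4 && $3 ~ /^[0-9]+$/) { print; next }
        {
            b = $3 + 0
            if (seen && b < last)
                printf("warning: batch %d follows batch %d at line %d\n", b, last, NR) > "/dev/stderr"
            last = b; seen = 1
            if (b >= lo + 0 && b <= hi + 0) print
        }' "$1"
}

# Writes a constructed export file to $1. The three leading lines and the
# fourth record column ("x") are stand-ins; their real content is cut off in
# this copy of the guide. Batch 34 deliberately follows 35.
write_sample_export() {
    cat > "$1" <<'EOF'
stand-in for leading line 1
stand-in for leading line 2
stand-in for the 16-byte CDLD key line
1001,00000000000000000000000000001001,32,x
1002,00000000000000000000000000001002,33,x
1003,00000000000000000000000000001003,35,x
1004,00000000000000000000000000001004,34,x
1005,00000000000000000000000000001005,37,x
1006,00000000000000000000000000001006,38,x
EOF
}
```

Running select_batches on the sample with the range 33 37 returns the three leading lines plus the records for batches 33, 35, 34 and 37, and prints one warning for the 34-after-35 inversion; that warning is exactly the situation the NOTE above describes, and it is cheaper to catch it at export time than when sorting out which keys are the recent ones on the KMS.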
Appendix A Creating RSA Keys These instructions describe the steps necessary to create an RSA public/private key pair. RSA key pairs must be generated for secure communication between entities such as a Local Key Server or a Node Provisioning Tool client. Note that RSA key generation does not need to be performed on the computer that will be using the keys. NOTE 1: Creation of RSA keys can be performed on any computer and copied to another computer.
Appendix B Creating SSL Certificates This appendix describes the steps necessary to create signed SSL Authentication Certificates for the LKS server. It is necessary to create a signed certificate for the LKS server as well as for each client running the eNode Key Provisioning Utility. Note that certificate generation and signing does not need to be performed on the machine that will be using the signed certificate. NOTE: It is recommended that all certificate signing be performed on a secure server.
Unlike the LKS certificate, the Common Name for the CA certificate does not need to be an actual IP address or fully qualified domain name of a particular computer. An arbitrary common name can be used for the CA certificate, such as ‘cert_authority’.
Email Address []:support@onrampwireless.com
A challenge password []:
An optional company name []:
5. After the CSR file has been created, transfer the CSR file to a secure server acting as a certificate authority that has the CA private key and certificate.
6. On the secure server, sign the CSR using the CA’s certificate and private key to generate the LKS’s certificate file (lks_cert.crt).
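The following added shell example walks Appendix A and Appendix B end to end with OpenSSL and adds the check a practitioner wants before deploying: that lks_cert.crt actually chains to the CA and carries the host name clients will connect to as its Common Name. It is not an On-Ramp procedure; the CA name cert_authority matches the text, while the LKS host name lks.example.com, the 2048-bit key size and the validity periods are assumptions for the example.

```shell
#!/bin/sh
# Added example: CA key pair + self-signed CA certificate, LKS key pair + CSR,
# CA signing, and verification of the result. Not an On-Ramp script.

# Create the CA key pair and self-signed CA certificate in directory $1.
# As the text notes, the CA Common Name need not name a real host.
make_ca() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$1/ca.key" -days 3650 \
        -subj "/CN=cert_authority" -out "$1/ca.crt"
}

# Create the LKS RSA key pair and CSR in directory $1. $2 must be the LKS's
# actual FQDN or IP address, because that is what goes into the Common Name.
make_lks_csr() {
    openssl genrsa -out "$1/lks.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/lks.key" -subj "/CN=$2" -out "$1/lks.csr"
}

# Sign the CSR with the CA's certificate and private key (run this where
# ca.key lives, i.e. on the secure CA server); writes lks_cert.crt.
sign_lks_csr() {
    openssl x509 -req -in "$1/lks.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/lks_cert.crt" 2>/dev/null
}

# Pre-deployment check: returns 0 only if lks_cert.crt in $1 verifies against
# ca.crt in $1 AND its subject Common Name is exactly the host name $2.
check_lks_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/lks_cert.crt" >/dev/null 2>&1 || return 1
    # Subject line is "subject=CN = host" (OpenSSL 1.1+) or "subject= /CN=host" (1.0).
    openssl x509 -in "$1/lks_cert.crt" -noout -subject | grep -q "CN *= *$2\$"
}

# Usage on a fresh working directory:
#   d=$(mktemp -d)
#   make_ca "$d" && make_lks_csr "$d" lks.example.com && sign_lks_csr "$d"
#   check_lks_cert "$d" lks.example.com && echo "lks_cert.crt is ready to install"
```

Two practical notes. The check deliberately fails for a certificate signed by a different CA and for a Common Name that does not match the deployed host name, which are the two mistakes that otherwise surface only as opaque SSL handshake failures from the NPT clients. The guide keys the certificate on the Common Name; TLS stacks newer than the ones this guide targets generally require the host name in a subjectAltName extension as well, so if the NPT clients run on a modern platform, add one at signing time (for example via an extension file passed to openssl x509 -req).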
Appendix C Abbreviations and Terms
Abbreviation/Term  Definition
3DES   Triple Data Encryption Standard
AES    Advanced Encryption Standard
CA     Certificate Authority
CDLD   Code Download
CMAC   Cipher-based Message Authentication Code
CSR    Certificate Signing Request
CSV    Comma Separated Values
DNS    Domain Name System
EMS    Element Management System
eNode  Also referred to as Node.