CGE Configuration Writer

Document created by mathaker on May 29, 2014. Last modified by linyan on Nov 8, 2016.
Version 9

Cisco provides a utility called "cfgwriter" to generate the specific configuration file that must be programmed into each endpoint's Communications Module (CM) at the time of manufacture, or else at the time of staging prior to field installation. These configurations include, among other items, the endpoint's unique EUI64 ID, the SSID of the WPAN it must join, and the security certificates.

"cfgwriter" is a Java program that takes as input an XML file (see below) with the endpoint's configuration info and produces a binary memory image file that must be programmed into the CM's Flash memory (e.g. CGEREF1: 0x80e0000 for the TI design, but a different location for the Semtech board). The Java program may be executed on any host platform with the Java Runtime Environment installed. The resulting .bin file can be programmed into the CM using the JTAG interface or the tool provided by Semtech. See STM32 Firmware Load via JTAG.

Detailed information on the cfgwriter, its command line arguments, and a sample input XML file (see below) is bundled with the program package.  The config writer package (ZIP file) is now packaged with the PPP/NIC firmware package and may be downloaded from here: CG-Mesh


NAME
     cfgwriter -- Build or read a binary configuration for cg-mesh applications

USAGE
     java -jar cfgwriter-<ver>.jar [-iDv] [..options..] -w <config_file>  <binary_file>
     java -jar cfgwriter-<ver>.jar -r <binary_file>

OPTIONS

   -w <config_file>
      Write out a self contained binary config given an input configuration file.
   -r
      Read/validate a binary configuration and print the XML results to stdout.
   -e <EUI64>
      Overrides the EUI64 value specified in the config file with <EUI64>
   -s <SSID>
      Overrides the SSID value specified in the config file with <SSID>
   -x <pfxfile>
      Supplicant Cert & Key file in PKCS12(.pfx) format (overrides Ieee8021x_Supplicant_X509Cert
      and Ieee8021x_Supplicant_Key fields in config file)
   -p <password>
      Supplicant Cert & Key PFX password. Default 'Cisco123' (overrides)
   -c,-k <derfile>
      Supplicant Cert and Key files respectively in DER format (overrides Ieee8021x_Supplicant_X509Cert
      and Ieee8021x_Supplicant_Key fields in config file)
   -ca <derfile>
      AAA CA Cert (overrides Ieee8021x_CA_X509Cert in config file)
   -nc <derfile>
      NMS CSMP Certificate file (overrides NMS_X509Cert in config file)
   -l <lkey>
      Local link shared secret (AES Key) in BASE64 format.
   -i <class>
      Generate Itron OpenWay binary file of C1222 Class <class> (e.g. for optical upload).
   -D
      Use the DEVEL Abraxas image signature key (Default is RELEASE key)
   -v
      Verbose mode (default is terse).
   -ver
      Print version and exit
   -P
      Pad output to <arg>-byte boundary

Some of the most common configuration parameters are explained below.

EUI64

For unique identification of a Comm Module, we use an EUI64, an 8-octet unique identifier that the CM firmware creates from the STMicro chip's serial number and the vendor's OUI (IEEE-SA - Registration Authority MA-L). The OUI occupies the 3 most significant octets, while the 5 least significant octets come from the STM chip's SN.

For the OUI, the CM firmware uses the Cisco OUI (00-17-3B) by default.  But you can override this by using the config file (.xml) element Ieee_Cfg.EUI64 to supply the complete EUI64, including your own OUI.

If you have a registered OUI from IEEE, please use it to generate the EUIDs for the nodes you will be testing.  If you don't have it, the above link is a good place to start to get one.

SSID

The SSID of the PAN. This must match the SSID configured in the FAN router where the CGE is expected to be deployed.

Security Credentials

These credentials must be configured:

  • X.509 certificate for CGE authentication
  • CSMP POST message signature verification key
  • Utility CA Cert
  • FW image signature verification key

RF Notch List

In many parts of the world, some subsets of the 900 MHz frequency band where the RF-mesh CGE operates are reserved for other uses. The Cisco CGE can be configured with a "notch" list of frequency channels to avoid.

Configuration XML File

The schema of the configuration file is dynamic and may change with each release of the CGE firmware. The documentation packaged with each cfgwriter release ZIP file is the most accurate source of information for the config schema. However, here is a sample from release 5.4.25:

     NAME                                       TYPE              DEFAULT    DESCRIPTION
     Ieee_Cfg.EUI64                             Escaped Bytes     None       EUI64 for the device
     Ieee_Cfg.SSID                              String            None       SSID for the device
     Ieee_Cfg.SecurityMode                      Integer                      The 802.15.4 security mode. Acceptable values: 0 = None, 1 = 802.1x
     Ieee_Cfg.Ieee8021x_CA_X509Cert             Escaped Bytes     None       DER encoded form of the X509 CA for the 802.1x AAA
     Ieee_Cfg.Ieee8021x_Supplicant_X509Cert     Escaped Bytes     None       DER encoded form of the 802.1x supplicant (device) signed cert
     Ieee_Cfg.Ieee8021x_Supplicant_Key          Escaped Bytes     None       802.1x Supplicant's private key
     Ieee_Cfg.Ieee8021xAuthIntervalMax          Integer           3600       The Ieee 802.1x maximum authentication retry interval (in seconds)
     Ieee_Cfg.Ieee8021xAuthIntervalMin          Integer           300        The Ieee 802.1x minimum authentication retry interval (in seconds)
     Ieee_Cfg.Ieee802154Mode                    Integer                      Ieee 802.15.4 Mode
     Ieee_Cfg.Ieee802154NotchList.startChnl     Integer                      Ieee 802.15.4 Notch definition start channel
     Ieee_Cfg.Ieee802154NotchList.stopChnl      Integer                      Ieee 802.15.4 Notch definition stop channel
     Ieee_Cfg.Ieee802154Dwell.window            Integer           20000      Ieee 802.15.4 channel dwell time window (in ms)
     Ieee_Cfg.Ieee802154Dwell.maxdwell          Integer           400        Ieee 802.15.4 channel max dwell in window (in ms)
     Dhcpv6_Cfg.Dhcpv6SolicitIntervalMax        Integer           3600       The DHCPv6 maximum solicit retry interval (in seconds)
     Dhcpv6_Cfg.Dhcpv6SolicitIntervalMin        Integer           60         The DHCPv6 minimum solicit retry interval (in seconds)
     Csmp_Cfg.RegIntervalMax                    Integer           3600       The CSMP maximum registration retry interval (in seconds)
     Csmp_Cfg.RegIntervalMin                    Integer           600        The CSMP minimum registration retry interval (in seconds)
     Csmp_Cfg.NMS_X509Cert                      Escaped Bytes     None       DER encoded x509 certificate of the NMS
     Csmp_Cfg.ReqSignedPost                     Boolean           false      Require signed NMS POSTS to the device.
     Csmp_Cfg.ReqValidCheckPost                 Boolean           false      Require time period validity for signed NMS posts.
     Csmp_Cfg.ReqTimeSyncPost                   Boolean           false      If False and ReqValidCheckPost is True, then time period validity checks
                                                                             will not be enforced if the node does not have global time sync.
     Csmp_Cfg.ReqSecLocalPost                   Boolean           false      If True, CSMP Posts from locally attached clients (i.e. the register) will
                                                                             enforce signature checking from these devices. Should normally be set to 'false'.
     Csmp_Cfg.ReqSignedResp                     Boolean           false      Require signed NMS RESPONSES to the device.
     Csmp_Cfg.ReqValidCheckResp                 Boolean           false      Require time period validity for signed NMS responses.
     Csmp_Cfg.ReqTimeSyncResp                   Boolean           false      If False and ReqValidCheckPost is True, then time period validity checks
                                                                             will not be enforced if the node does not have global time sync.
     Csmp_Cfg.ReqSecLocalResp                   Boolean           false      If True, CSMP responses from locally attached clients (i.e. the register) will
                                                                             enforce signature checking from these devices. Should normally be set to 'false'.
     LocalSec_Cfg.ReqLocalPPPEncryption [1]     Boolean           false      Enables link encryption on locally attached devices
     LocalSec_Cfg.PPP_AESKey [1]                Escaped Bytes     None       Preshared AES key for local link encryption
     Abraxas_Cfg.PubKey [2]                     Escaped Bytes     [2]        Abraxas image signature public key
     CC1101_Cfg.PATABLE                         Escaped Bytes     [3]        CC1101 PATABLE Values.
     P19012_Cfg.TxPower                         Integer           [4]        IEEE P1901.2 PLC Transmit Power base value
     P19012_Cfg.BandPlan                        Integer           1          IEEE P1901.2 PLC Bandplan. Acceptable values:
                                                                             1 = CENELEC-A,  2 = ARIB 1,  3 = FCC LOW,
                                                                             4 = CENELEC-B,  5 = ARIB 2,  6 = FCC above CENELEC
     P19012_Cfg.ToneMask                        Integer           [5]        IEEE P1901.2 PLC ToneMask
     DemoMode_Cfg.DemoModeEnable                Boolean           false      If True, the demo mode is enabled for fast networking. Should normally be set to 'false'.

Notes:
  [1] - Currently not used/implemented on ITRON30 platform, but may be written to for future use.
  [2] - This value will automatically be populated by the 'cfgwriter' tool and need not be specified in the xml config.
  [3] - For the itron30 platform, if not specified, the stack will default to a low power value.
  [4] - Default is full power for the given platform.
  [5] - Default is full tonemask for the given bandplan

Here is a sample XML file that enables security:

<DevCfgSchema>

  <Ieee_Cfg>
    <SSID>cisco</SSID>
    <SecurityMode>1</SecurityMode>
    <Ieee8021x_Supplicant_X509Cert>\x30\x82\x03 ... </Ieee8021x_Supplicant_X509Cert>
    <Ieee8021x_Supplicant_Key>\x30\x81\x87 ... </Ieee8021x_Supplicant_Key>
    <Ieee8021xAuthIntervalMax>120</Ieee8021xAuthIntervalMax>
    <Ieee8021xAuthIntervalMin>60</Ieee8021xAuthIntervalMin>
    <Ieee802154Mode>1</Ieee802154Mode>
  </Ieee_Cfg>

  <Dhcpv6_Cfg>
    <Dhcpv6SolicitIntervalMax>180</Dhcpv6SolicitIntervalMax>
    <Dhcpv6SolicitIntervalMin>30</Dhcpv6SolicitIntervalMin>
  </Dhcpv6_Cfg>

  <Csmp_Cfg>
    <RegIntervalMax>900</RegIntervalMax>
    <RegIntervalMin>300</RegIntervalMin>
    <ReqSignedPost>true</ReqSignedPost>
    <ReqValidCheckPost>true</ReqValidCheckPost>
    <ReqTimeSyncPost>false</ReqTimeSyncPost>
    <ReqSecLocalPost>false</ReqSecLocalPost>
    <ReqSignedResp>true</ReqSignedResp>
    <ReqValidCheckResp>true</ReqValidCheckResp>
    <ReqTimeSyncResp>false</ReqTimeSyncResp>
    <ReqSecLocalResp>false</ReqSecLocalResp>
    <NMS_X509Cert>\60\202\1 ... </NMS_X509Cert>
  </Csmp_Cfg>

</DevCfgSchema>
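
The certificate fields in the sample above are written as escaped bytes, in two notations (\x30\x82\x03 and \60\202\1). The following is an added example, not part of cfgwriter or its package, that decodes both notations and sanity-checks a DER field and an EUI64 before the file is handed to cfgwriter. It assumes C-style escapes; the function names and sample values are constructed for illustration.

```python
import re

# Assumption: "Escaped Bytes" values use C-style escapes, \xHH (hex) or \NNN (octal),
# as this page's samples suggest; any other character stands for its own byte.
_TOKEN = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([0-7]{1,3})|([^\\])", re.S)
CISCO_OUI = bytes.fromhex("00173B")  # default OUI named on the page

def decode_escaped(text):
    """Decode one Escaped Bytes field value into raw bytes."""
    out, pos = bytearray(), 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"bad escape at offset {pos}")
        hexd, octd, lit = m.groups()
        value = int(hexd, 16) if hexd else int(octd, 8) if octd else ord(lit)
        if value > 0xFF:
            raise ValueError(f"value out of byte range at offset {pos}")
        out.append(value)
        pos = m.end()
    return bytes(out)

def der_sequence_complete(der):
    """True if der is one DER SEQUENCE whose declared length matches the bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long form: low 7 bits count the length octets
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length

def split_eui64(eui):
    """Return (oui, suffix, uses_cisco_default_oui) for an 8-octet EUI64."""
    if len(eui) != 8:
        raise ValueError(f"EUI64 must be 8 octets, got {len(eui)}")
    return eui[:3], eui[3:], eui[:3] == CISCO_OUI

# Constructed sample values (not real certificates or device IDs).
HEX_FORM = r"\x30\x03\x02\x01\x05"      # SEQUENCE { INTEGER 5 }
OCT_FORM = r"\60\3\2\1\5"                # the same five bytes in octal notation
TRUNCATED = r"\x30\x82\x03\x10\x02"      # header declares 0x0310 bytes, only 1 follows
EUI = r"\x00\x17\x3b\x01\x02\x03\x04\x05"
```

A field that fails `der_sequence_complete` is usually a truncated paste; a device whose EUI64 still carries the default OUI was not given an override in Ieee_Cfg.EUI64 or with -e.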

 

Here is another example that disables security and enables the Demo Mode for faster network joins for CGE:

<DevCfgSchema>

  <Ieee_Cfg>
    <SSID>cisco</SSID>
    <SecurityMode>0</SecurityMode>
    <Ieee8021xAuthIntervalMax>120</Ieee8021xAuthIntervalMax>
    <Ieee8021xAuthIntervalMin>60</Ieee8021xAuthIntervalMin>
    <Ieee802154Mode>1</Ieee802154Mode>
  </Ieee_Cfg>

  <Dhcpv6_Cfg>
    <Dhcpv6SolicitIntervalMax>180</Dhcpv6SolicitIntervalMax>
    <Dhcpv6SolicitIntervalMin>30</Dhcpv6SolicitIntervalMin>
  </Dhcpv6_Cfg>

  <Csmp_Cfg>
    <RegIntervalMax>3600</RegIntervalMax>
    <RegIntervalMin>300</RegIntervalMin>
    <ReqSignedPost>false</ReqSignedPost>
    <ReqValidCheckPost>false</ReqValidCheckPost>
    <ReqTimeSyncPost>false</ReqTimeSyncPost>
    <ReqSecLocalPost>false</ReqSecLocalPost>
    <ReqSignedResp>false</ReqSignedResp>
    <ReqValidCheckResp>false</ReqValidCheckResp>
    <ReqTimeSyncResp>false</ReqTimeSyncResp>
    <ReqSecLocalResp>false</ReqSecLocalResp>
  </Csmp_Cfg>

  <DemoMode_Cfg>
    <DemoModeEnable>true</DemoModeEnable>
  </DemoMode_Cfg>

</DevCfgSchema>
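
A pre-flash check that tells the two samples above apart, as an added example that is not part of cfgwriter or its package: it parses a cfgwriter input file and reports every setting that differs from the security-enabled sample, so a demo configuration is caught before it is written to production modules. The policy table, the function name and the embedded sample values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Policy modeled on this page's security-enabled sample (an assumption, not a Cisco rule):
# (section, element, default when absent per the parameter table, expected value)
EXPECTED = [
    ("Ieee_Cfg", "SecurityMode", "", "1"),
    ("Csmp_Cfg", "ReqSignedPost", "false", "true"),
    ("Csmp_Cfg", "ReqValidCheckPost", "false", "true"),
    ("Csmp_Cfg", "ReqSignedResp", "false", "true"),
    ("Csmp_Cfg", "ReqValidCheckResp", "false", "true"),
    ("DemoMode_Cfg", "DemoModeEnable", "false", "false"),
]

def audit(xml_text):
    """Return a list of findings for one cfgwriter input file."""
    root = ET.fromstring(xml_text)
    if root.tag != "DevCfgSchema":
        raise ValueError("not a DevCfgSchema document")
    def get(section, name, default=""):
        return (root.findtext(f"{section}/{name}") or default).strip().lower()
    findings = []
    for section, name, default, want in EXPECTED:
        have = get(section, name, default)
        if have != want:
            findings.append(f"{section}.{name} is {have or 'unset'}, expected {want}")
    # Assumption: signed-POST checks use the NMS certificate. Credentials may instead
    # come from cfgwriter options, so these findings say where to supply them.
    if get("Csmp_Cfg", "ReqSignedPost") == "true" and not get("Csmp_Cfg", "NMS_X509Cert"):
        findings.append("Csmp_Cfg.NMS_X509Cert absent: supply in XML or with -nc")
    if get("Ieee_Cfg", "SecurityMode") == "1":
        for name in ("Ieee8021x_Supplicant_X509Cert", "Ieee8021x_Supplicant_Key"):
            if not get("Ieee_Cfg", name):
                findings.append(f"Ieee_Cfg.{name} absent: supply in XML or with -x / -c, -k")
    return findings

# Constructed inputs mirroring the page's two samples; certificate bytes are placeholders.
SECURE = r"""<DevCfgSchema><Ieee_Cfg><SSID>cisco</SSID><SecurityMode>1</SecurityMode>
<Ieee8021x_Supplicant_X509Cert>\x30\x03\x02\x01\x05</Ieee8021x_Supplicant_X509Cert>
<Ieee8021x_Supplicant_Key>\x30\x03\x02\x01\x07</Ieee8021x_Supplicant_Key></Ieee_Cfg>
<Csmp_Cfg><ReqSignedPost>true</ReqSignedPost><ReqValidCheckPost>true</ReqValidCheckPost>
<ReqSignedResp>true</ReqSignedResp><ReqValidCheckResp>true</ReqValidCheckResp>
<NMS_X509Cert>\60\3\2\1\5</NMS_X509Cert></Csmp_Cfg></DevCfgSchema>"""
DEMO = """<DevCfgSchema><Ieee_Cfg><SSID>cisco</SSID><SecurityMode>0</SecurityMode></Ieee_Cfg>
<Csmp_Cfg><ReqSignedPost>false</ReqSignedPost><ReqSignedResp>false</ReqSignedResp></Csmp_Cfg>
<DemoMode_Cfg><DemoModeEnable>true</DemoModeEnable></DemoMode_Cfg></DevCfgSchema>"""

if __name__ == "__main__":
    for label, cfg in (("secure", SECURE), ("demo", DEMO)):
        print(label, audit(cfg) or "no findings")
```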
