CGE SDK Starter Kit: Configure Security

Document created by mathaker on Sep 4, 2014. Last modified by mathaker on Sep 18, 2014.
Version 2

Configure Security on CGR

Configure Security in the end-points

  • Contact us for the certificates: http://solutionpartner.cisco.com/documents/3952742/23075985/SecurityCerts.zip/faf9d1ef-bc7b-4765-b8d3-cbd19f6c1888
  • Find CG-REDI CA's public certificate as CA.cer in the zipped archive.
  • Find CG-REDI HSM's public certificate as certForCsmp.pem in the zipped archive.
  • Find a sample endpoint security configuration XML file in the zipped archive. Make sure to modify the SSID to match the SSID configured on the WPAN interface.
  • Provide us a list of EUI64s for the endpoints (up to 10 endpoints) that need to have security enabled. We will generate the private and public keys for the endpoints in .pfx format, e.g. 00173B0B003E001C.pfx
  • Create the configuration bin file using CGE Configuration Writer with the following syntax for each meter:

       java -jar cfgwriter-5.4.26.jar -x 00173B0B003E001C.pfx -ca CA.cer -p Cisco123 -nc certForCsmp.pem -w sec-nms.xml sec-nms-00173B0B003E001C.bin

       Use the corresponding pfx file for each meter. All other files will be the same (except the name of the .bin file in the CLI). The above CLI will create the bin file sec-nms-00173B0B003E001C.bin for the meter.

  • Embed the bin file generated above in the CM MCU of the meter at location 0x80E0000, using the procedure described here: STM32 Firmware Load via JTAG

 

Verify successful 802.1x authentication

On the CGR:

FAR-1240-CDN1-AS2#show dot1x all details
Sysauthcontrol              Enabled
Dot1x Protocol Version            3

Dot1x Info for Wpan5/1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_AUTH
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30

Dot1x Authenticator Client List
-------------------------------
EAP Method                = (13)
Supplicant                = 020b.0030.0039
Session ID                = 0000000000000000771E095A
    Auth SM State         = AUTHENTICATED
    Auth BEND SM State    = IDLE
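
When several endpoints are enrolled, the client list above can be checked mechanically. The following is an added example, not part of the original document or of any Cisco tool: it parses saved "show dot1x all details" output and lists supplicants whose Auth SM State is not AUTHENTICATED. The second client in the sample (MAC, session ID and HELD state) is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: the first client is the one shown in the output above;
# the second client (MAC, session ID, HELD state) is invented for illustration.
SAMPLE = """\
Dot1x Info for Wpan5/1
-----------------------------------
PAE                       = AUTHENTICATOR

Dot1x Authenticator Client List
-------------------------------
EAP Method                = (13)
Supplicant                = 020b.0030.0039
Session ID                = 0000000000000000771E095A
    Auth SM State         = AUTHENTICATED
    Auth BEND SM State    = IDLE

EAP Method                = (13)
Supplicant                = 020b.0030.0040
Session ID                = 0000000000000000771E095B
    Auth SM State         = HELD
    Auth BEND SM State    = IDLE
"""

FIELD = re.compile(r"^\s*([A-Za-z0-9 ]+?)\s*=\s*(.*?)\s*$")
IFACE = re.compile(r"^Dot1x Info for (\S+)")

def parse_clients(text):
    """Return one dict per supplicant, tagged with the interface it is on."""
    clients, iface, current = [], None, None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:  # new interface section: per-port settings follow, no client yet
            iface, current = m.group(1), None
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        # A client record opens at "EAP Method" (or at "Supplicant" if absent).
        if key in ("EAP Method", "Supplicant") and (current is None or "Supplicant" in current):
            current = {"Interface": iface}
            clients.append(current)
        if current is not None:
            current[key] = value
    return clients

def unauthenticated(clients):
    """Supplicants whose authenticator state machine is not AUTHENTICATED."""
    return [c for c in clients if c.get("Auth SM State") != "AUTHENTICATED"]

if __name__ == "__main__":
    for c in unauthenticated(parse_clients(SAMPLE)):
        print(c["Interface"], c.get("Supplicant"), c.get("Auth SM State"))
```
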

 

 

Query the CGE TLVs 34 and 35 to ensure that the PMK is downloaded and that the PTK/GTK are negotiated with the CGR.

 

Verify output similar to below for the TLVs:

 

TLV 33:

 

 

 

TLV 34:

 
