Provisioning Examples
Secure HTTPS Resync
Provisioning Guide for Cisco SPA100 and SPA200 Series Analog Telephone Adapters
57
4
HTTPS Client Filtering and Dynamic Content
If the HTTPS server is configured to require a client certificate, then the
information in the certificate identifies the resyncing ATA and supplies it with the
correct configuration information.
The HTTPS server makes the certificate information available to CGI scripts (or
compiled CGI programs) invoked as part of the resync request. For the purpose of
illustration, this exercise uses the open source Perl scripting language, and
assumes that Apache (v.2) is used as the HTTPS server.
Exercise
STEP 1
Install Perl on the host running the HTTPS server.
STEP 2
Generate the following Perl reflector script:
#!/usr/bin/perl -wT
use strict;
print “Content-Type: text/plain\n\n”;
print “<flat-profile><GPP_D>”;
print “OU=$ENV{‘SSL_CLIENT_I_DN_OU’},\n”;
print “L=$ENV{‘SSL_CLIENT_I_DN_L’},\n”;
print “S=$ENV{‘SSL_CLIENT_I_DN_S’}\n”;
print “</GPP_D></flat-profile>”;
STEP 3
Save this file with the file name reflect.pl, with executable permission (chmod 755
on Linux), in the CGI scripts directory of the HTTPS server.
STEP 4
Verify accessibility of CGI scripts on the server (as in /cgi-bin/…).
STEP 5
Modify the Profile_Rule on the test device to resync to the reflector script, as in the
following example:
https://prov.server.com/cgi-bin/reflect.pl?
STEP 6
Click
Submit All Changes
.
STEP 7
Observe the syslog trace to ensure a successful resync.
STEP 8
Open the admin/advanced page, Provisioning tab.
STEP 9
Verify that the GPP_D parameter contains the information captured by the script.
This information contains the product name, MAC address, and serial number if the
test device carries a unique certificate from the manufacturer, or else generic
strings if it is a unit manufactured before firmware release 2.0.
