Skip to content

GenieACS SSL

Jump to bottom Edit New page
akcoder edited this page Oct 10, 2014 · 7 revisions

In it's default-state GenieACS is accessed via an unencrypted HTTP connection. If you establish the TR-069 connection via a public network (e.g. "Internet"), this leads to the problem that confidential information are exchange as plain text (for example confidential SIP credential).

To establish an encrypted connection via CPE and GenieACS (and vice versa), you need the following:

  • a valid certificate (by a Certificate Authority or as self-signed certificate)
  • a CPE capable of storing (additional) certificates

In the /pathtogenieacs/config/ folder are two example files, httpscert.crt (the certificate) and httpscert.key (the private key to the certificate). It's a self-signed certifcate by Zaid (owner of GenieACS). WARNING!: Don't use those both, because the certificate is allready expired!

To use this certificate you have to push it onto your CPE. Most CPEs allow to upload a certificate, which to trust, via it's web interface. If your CPE doesn't support this, it might be neccessary to implement it into the filesystem.

What if I don't have a certificate from a CA?:

If you didn't bought/got a certificate from a CA, you can self-sign one. For this you need openssl installed (use the latest version). To generate them, use the following commands:

openssl genrsa 1024 > key.pem
openssl req -new -x509 -key key.pem > cert.pem

Attention1:Without "-days " paramter the certificate is valid for one month. If you like to have a higher validity, you have to append -days 3650, e.g. 10 years, after -x509.

Attention2: When the second command is issued, there are multiple prompts to enter data for that certificate. The most important one is the CN (common name) field. Don't give a name here! If you do, you likely run into "domain mismatch" errors. Enter either the IP or the URL of the server, where GenieACS is hosted on.

User@Host:~$ openssl req -x509 -new -key key.pem > cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Hamburg
Locality Name (eg, city) []:Hamburg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACS
Organizational Unit Name (eg, section) []:ACSTest
Common Name (e.g. server FQDN or YOUR name) []:mydomain.toacs.com
Email Address []:help@toacs.com
User@Host:~$

After generating both files (key.pem/cert.pem) copy both into the config/ folder as key.key (key.pem) and cert.crt (cert.pem). For each GenieACS service you wish to run in secure mode, you will need to set the corresponding config entry _SSL entry to true, and copy/link the key.key and cert.crt to servicename.key/crt. For example, if you want to run the CWMP in SSL mode, set the CWMP_SSL entry to true in config/config.json, and copy/link cert.crt to cwmp.crt and key.key to cwmp.key.

The next step is to include this self-signed certificate onto the CPE. There is no general tutorial for that, because it depends on the provided options of the CPE. In this tutorial case it was possible to upload a certificate via CPE's web interface.

After that, change the ManagementURL of the CPE to a "HTTPS URL" and start GenieACS. When the TR-069 client of the CPE tries to connect, it should do it via an encrypted connection.

After GenieACS is configured correctly, the certificate is loaded into the CPE, and the ManagementURL is updated, you will need to restart GenieACS.

tr69c:243.822:verify_callback:202:error_num = 0, err_msg = ok, depth = 0,
subject = /C=DE/ST=Hamburg/L=Hamburg/O=ACS/OU=ACSTesting/CN=192.168.1.3/emailAddress=Chr.Heyl@googlemail.com,
issuer = /C=DE/ST=Hamburg/L=Hamburg/O=ACS/OU=ACSTesting/CN=192.168.1.3/emailAddress=Chr.Heyl@googlemail.com

tr69c:243.823:verify_callback:216:return X509_V_OK, CN = 192.168.1.3, URL = https://192.168.1.3:7548

tr69c:243.837:stopListener:172:removed listener on fd=5
Add a custom footer
Add a custom sidebar
Clone this wiki locally