Securing OLAN with Certificates
Introduction
Document Number
ENG-010593
Purpose
This document will describe the usage of certificates within the Tellabs OLAN OLT and Tellabs Panorama PON EMS.
Applies To
- Panorama PON
- All Tellabs OLTs
A Primer on Certificates
PKI Certificates are used to secure nodes and limit access to resources to only trusted machines or individuals. Certificates work via a policy of implicit trust. It works based on the philosophy that if I trust a particular CA (Certificate Authority) then I trust all users/devices that present a certificate created by that Certificate Authority. There are several key concepts that need to be defined.
PKI - Public Key Infrastructure. PKI is a method where public keys and private keys can be created using software that implements PKI.
Certificates - Certificates are created for a given public/private key pair. Certificates give the identity of the party, the allowed operations the certificate is good for, and define a period of validity. The certificate can be tested using the anchor certificate and mathematically verify that the certificate was created by the CA listed as it’s issuer.
Device Certificates - A certificate that is placed on a device and acts as its primary certificate and offers it to peers to validate its identity. It also informs peers of what the certificate can be used for, who issued it and how long it is valid. The public key contained in a device certificate can be used to encrypt messages that can only be decrypted by the private key that corresponds to the public key.
Trust Anchor Certificates - A public certificate given out by CAs (Certificate Authority) which states its identity. It can be used to verify that a Device Certificate really was created by the CA whose name is contained in the Anchor Certificate. I will "trust" any certificate that validates using a Trust Anchor in my list.
Public Keys - When a public/private key pair is created, the public key is given to peers freely as it contains no information that needs to be kept hidden. The public key is used to encrypt data. That data can only be decrypted by the paired private key.
Private Keys - These keys, which are part of a public/private key pair, can be used to decrypt messages encrypted with the public key.
OLT and EMS Certificates
The OLT and EMS are secured by certificates that are placed on the device at create time. Each OLT and EMS Instance has its own unique certificate. In the default state, the system will only allow management of equipment with a Tellabs stock certificate.
The OLT and EMS can load new locally created certificates. Once the certificates are loaded, the OLT can only be managed by an EMS with a validated certificate and vice versa. It is recommended that any secure site always load certificates from the local certificate authority to ensure security of the management link. Once the certificates are loaded, the OLT/EMS connection will only work if the peer certificate can be validated.
Adding Device Certificates and Trust Anchor Certificates to the EMS
Tellabs provides a tool for managing EMS certificates. This tool can be invoked from the server directory of the EMS (C:TellabsPanoramaPonbbmgrservercertificateMgr.bat). This tool allows for importing and exporting certificates into the EMS.
Two types of EMS certificates can be managed:
Trust Anchor Certificates - These are public certificates of the CA (certificate authority). The system will trust any certificates that it receives that were created by certificate authorities in its trust anchor list.
Device Certificates - These are certificates that are presented by the ONT to the softswitches whenever they perform SIP registration.
The certificateMgr application allows the user to:
- Load an EMS device certificate
- Load trust anchors for the Peers (typically OLT, ONTs).
There is a batch file in Windows and a script in Solaris named certificateMgr in the server directory that performs this function.
Figure 1 Windows Certificate Manager Location
Figure 2 Solaris Certificate Manager
The user will be required to log in as a user with the certificate administrator role prior to making changes. The user must be created via the EMS User menus and have the certificate administrator role associated with it.
The user MUST perform a backup prior to modifying any certificates. This is to ensure that you can return the system to a known state prior to the addition of certificates. The Panorama PON Administration manual gives details on how to do this function. You can initiate the backup using the backupems.bat file in the server directory. You will be prevented from modifying certificates until this backup exists.
Adding EMS Trust Anchor(s)
The Trust Anchors for the EMS should first be updated using menu option 3 PON EMS device/anchor certificate menu from the main menu of certificateMgr.
Anchor certificates can be either appended to the existing trust anchor list or can replace the existing list. A pem file is used to import the certificate(s).
Updating the EMS certificate will require shutting down the EMS server. This is non-service affecting, but will prevent management of the OLTs via the EMS GUI for the duration of the certificate management activities.
After the certificate has been added, you will be prompted to restart the server.
Adding EMS Device Certificate
The EMS should also be loaded with a device certificate that is created by one of the CAs in the trust anchor list. Please note the OLTs will lose communication with the EMS until they are loaded with corresponding certificates created by a CA in the trust anchor list of the EMS. This is non-service affecting but the OLTs will not be manageable by the EMS until the OLT certificates have been loaded.
The user will be prompted to restart the EMS Server.
Adding OLT Certificates
This process only addresses certificates on the main controller card (ESU) of the OLT. For ONT 729GP certificate management, since there are typically large numbers of them, this is managed in a different way and is documented in the following document:
You must log into the OLT with a user account that has the Security Admin role. Certificates can only be managed by users with this role assigned.
When using the CLI to import the device certificate into the OLT, it must be in PEM format to be able to paste into the CLI terminal. If your certificate file is in a p12 form, it can be converted using standard openSSL as follows (substituting your file names):
The following command is used to add the device certificate to the OLT:
ne security key edit pem terminal
The device certificate import function requires that the pem file be password protected and will prompt for the file password. The password can also be added to the command line using the passphrase keyword. ONLY the PEM format can be used on the command line as PKCS12 is binary and cannot be pasted into the terminal screen.
|
ESU2C> ne security key edit ?
Parameters:
passphrase - passphrase for validating the certificates
+pem - Specifies PEM certificate storage format
+pkcs12 - Specifies PKCS12 certificate storage format
(+ select one parameter from set)
|
Highlight the certificate and then paste it into the terminal then press <Ctrl-D> to tell the CLI that the import is complete.
The certificate, if valid, will be imported by the OLT and the result of the import is shown:
The accompanying trust anchor(s) can be loaded in a similar fashion using the command:
ne security pki-ca-trustpoint edit certificate pem terminal
The trust anchors are all public certificates and do not need to be protected with a password. They must be loaded to the terminal in pem format. The trust anchors are used to validate the certificates of devices attempting to attach to the OLT. Specifically, this is the EMS CORBA interface used to configure the OLT and retrieve status.
The EMS and OLT should be now communicating using the newly installed certificates.
Displaying OLT Certificates
With the software versions SR31.4_604076 and above, the OLT can display the certificates in several formats from the CLI.
The format of the command to display the OLT device certificate is as follows:
|
ESU2C> ne security key show
Parameters:
+raw - show raw
+summary - show summary
+verbose - show verbose
(+ select one parameter from set).
|
The three formats are defined as follows:
- raw: Shows the exact contents of the device certificate file in raw format. This is sometimes useful for getting access to the public certificate of the OLT in its native format.
- summary: Will just display the subject line and issuer lines. This gives the most important information in the certificate about who I am and who signed my certificate.
- verbose: Shows the entire certificate printed out in x509 format.
Show Raw example:
|
ESU2C> ne security key show raw
Device Certificates:
Bag Attributes
localKeyID: B5 DC 43 94 51 25 A8 2D 6D 10 B1 D9 F6 80 A0 A9 C2 83 D7 3F
subject=/C=US/ST=Texas/L=Carrollton/O=Tellabs/OU=Systems/CN=esu1
issuer=/C=US/ST=Texas/L=Carrollton/O=Tellabs Inc/OU=Systems/CN=bogusCA
-----BEGIN CERTIFICATE-----
MIIDsjCCApqgAwIBAgIUZ/nHwthunK/hAHbF8A4E9sCGOFcwDQYJKoZIhvcNAQEL
BQAwbDELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMRMwEQYDVQQHDApDYXJy
b2xsdG9uMRQwEgYDVQQKDAtUZWxsYWJzIEluYzEQMA4GA1UECwwHU3lzdGVtczEQ
MA4GA1UEAwwHYm9ndXNDQTAeFw0yMzA5MjcxNjE3NTVaFw0yNDA5MjYxNjE3NTVa
MGUxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczETMBEGA1UEBwwKQ2Fycm9s
bHRvbjEQMA4GA1UECgwHVGVsbGFiczEQMA4GA1UECwwHU3lzdGVtczENMAsGA1UE
AwwEZXN1MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGrqiJBvl2X
GMSqjaMavaGvrLFdEuGMMlZwoqzD1EQIsSrMvGEMPbKVCxcMrP1DuD4EPn3xJ9B1
5JBezmxivNWVPGjegBpb87qUPp5gvNb/ohY9g3QwhOiV6/C4xn9mSghdQ6zW08YC
+PvvuTdqF4VObZojsqKtu2F6DS3JSpDy9B2CWx0CN9gExI9tXVK7xBE7uGWZs9EQ
m3IaHysy3Fc/3XxDCBj1OZjXjZQ4YggDWMc0QKSeMUECue/9NUx0Vu3/8KW9mzni
RhoWwE3RZ/cFamOr+IyYQ6R7+tbbiCC+hWkiR12oJabbDcMP2qclw5SFfIvUz31Z
MSvLtG3IZG8CAwEAAaNTMFEwDwYDVR0RBAgwBocErByKOjAdBgNVHQ4EFgQUcrl6
IjWhskP523ccWU/tEYPewT0wHwYDVR0jBBgwFoAUgvHvBxBOgcqIWXusL1+tnF4P
qQAwDQYJKoZIhvcNAQELBQADggEBABbyeXLo27DU9KBQE6VG7t7DcEKy7FP/cJOC
7pbh8WX2AMwjH9iUtb3Xm5nLirbaHi3LDUOaDuDpePtT+Tgq3q6gTNzGvFvbfRVW
4kTdN3rAd6fJC378jxYQOofWbSUX4dwnt299k7/GjPMyhaStWQDbUOPRaOfGT7AP
111WyfqcLIBxJcFfm08ko8fo/FMa5lyS+uPESgfq9Muo7ap2+J9io2VrDKqsUYcf
jGL+T8D3sBjyJSDZfS9tYw9p2tLFd1t56h2WsN4LkTRqh8IBqLvcYwTzHIF4UFML
WQZraHXGuJHVPRQWj/chI27m2ijZk/lBwzTTEahPBF5aNyfqD6A=
-----END CERTIFICATE-----
|
An example of the summary format:
|
ESU2C> ne security key show summary
Device Certificates:
subject=/C=US/ST=Texas/L=Carrollton/O=Tellabs/OU=Systems/CN=esu1
issuer=/C=US/ST=Texas/L=Carrollton/O=Tellabs Inc/OU=Systems/CN=bogusCA
|
To show the entire details of the certificate in x509:
|
ESU2C> ne security key show verbose
Device Certificates:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
67:f9:c7:c2:d8:6e:9c:af:e1:00:76:c5:f0:0e:04:f6:c0:86:38:57
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Texas, L=Carrollton, O=Tellabs Inc, OU=Systems, CN=bogusCA
Validity
Not Before: Sep 27 16:17:55 2023 GMT
Not After : Sep 26 16:17:55 2024 GMT
Subject: C=US, ST=Texas, L=Carrollton, O=Tellabs, OU=Systems, CN=esu1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b1:ab:aa:22:41:be:5d:97:18:c4:aa:8d:a3:1a:
bd:a1:af:ac:b1:5d:12:e1:8c:32:56:70:a2:ac:c3:
d4:44:08:b1:2a:cc:bc:61:0c:3d:b2:95:0b:17:0c:
ac:fd:43:b8:3e:04:3e:7d:f1:27:d0:75:e4:90:5e:
ce:6c:62:bc:d5:95:3c:68:de:80:1a:5b:f3:ba:94:
3e:9e:60:bc:d6:ff:a2:16:3d:83:74:30:84:e8:95:
eb:f0:b8:c6:7f:66:4a:08:5d:43:ac:d6:d3:c6:02:
f8:fb:ef:b9:37:6a:17:85:4e:6d:9a:23:b2:a2:ad:
bb:61:7a:0d:2d:c9:4a:90:f2:f4:1d:82:5b:1d:02:
37:d8:04:c4:8f:6d:5d:52:bb:c4:11:3b:b8:65:99:
b3:d1:10:9b:72:1a:1f:2b:32:dc:57:3f:dd:7c:43:
08:18:f5:39:98:d7:8d:94:38:62:08:03:58:c7:34:
40:a4:9e:31:41:02:b9:ef:fd:35:4c:74:56:ed:ff:
f0:a5:bd:9b:39:e2:46:1a:16:c0:4d:d1:67:f7:05:
6a:63:ab:f8:8c:98:43:a4:7b:fa:d6:db:88:20:be:
85:69:22:47:5d:a8:25:a6:db:0d:c3:0f:da:a7:25:
c3:94:85:7c:8b:d4:cf:7d:59:31:2b:cb:b4:6d:c8:
64:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:172.28.138.58
X509v3 Subject Key Identifier:
72:B9:7A:22:35:A1:B2:43:F9:DB:77:1C:59:4F:ED:11:83:DE:C1:3D
X509v3 Authority Key Identifier:
keyid:82:F1:EF:07:10:4E:81:CA:88:59:7B:AC:2F:5F:AD:9C:5E:0F:A9:00
Signature Algorithm: sha256WithRSAEncryption
16:f2:79:72:e8:db:b0:d4:f4:a0:50:13:a5:46:ee:de:c3:70:
42:b2:ec:53:ff:70:93:82:ee:96:e1:f1:65:f6:00:cc:23:1f:
d8:94:b5:bd:d7:9b:99:cb:8a:b6:da:1e:2d:cb:0d:43:9a:0e:
e0:e9:78:fb:53:f9:38:2a:de:ae:a0:4c:dc:c6:bc:5b:db:7d:
15:56:e2:44:dd:37:7a:c0:77:a7:c9:0b:7e:fc:8f:16:10:3a:
87:d6:6d:25:17:e1:dc:27:b7:6f:7d:93:bf:c6:8c:f3:32:85:
a4:ad:59:00:db:50:e3:d1:68:e7:c6:4f:b0:0f:d7:5d:56:c9:
fa:9c:2c:80:71:25:c1:5f:9b:4f:24:a3:c7:e8:fc:53:1a:e6:
5c:92:fa:e3:c4:4a:07:ea:f4:cb:a8:ed:aa:76:f8:9f:62:a3:
65:6b:0c:aa:ac:51:87:1f:8c:62:fe:4f:c0:f7:b0:18:f2:25:
20:d9:7d:2f:6d:63:0f:69:da:d2:c5:77:5b:79:ea:1d:96:b0:
de:0b:91:34:6a:87:c2:01:a8:bb:dc:63:04:f3:1c:81:78:50:
53:0b:59:06:6b:68:75:c6:b8:91:d5:3d:14:16:8f:f7:21:23:
6e:e6:da:28:d9:93:f9:41:c3:34:d3:11:a8:4f:04:5e:5a:37:
27:ea:0f:a0
|
The OLT trust anchors can be displayed using the following command. The options are similar to the device certificate commands in that it support raw, summary, and verbose options.
|
ESU2C> ne security pki-ca-trustpoint show
Commands:
certificate - SSL Certificate Utility
Online-Certificate-Status-Protocol
- manage OCSP-based (PKI) certificate validation configuration
ESU2C> ne security pki-ca-trustpoint certificate show
Parameters:
raw - Display the anchor certs as entered
summary - Displays the Subject and Issuer
verbose - Displays the full details
ESU2C> ne security pki-ca-trustpoint certificate show verbose
Anchor Certificates:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Texas, O=Tellabs, OU=Access, CN=TellabsCA
Validity
Not Before: Jan 1 00:00:00 1969 GMT
Not After : Dec 31 23:59:59 2049 GMT
Subject: C=US, ST=Texas, O=Tellabs, OU=Access, CN=TellabsCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:e2:60:0c:7d:37:d0:ab:d5:93:da:99:9a:71:f8:
5d:2c:d5:9b:d4:40:ea:64:53:ac:48:03:68:9f:1b:
fe:62:33:ab:af:c5:3e:a9:01:0f:13:3d:2e:74:e1:
48:54:8e:33:77:f7:55:72:da:47:6d:f0:af:a1:36:
90:a6:36:93:bc:cf:2c:c2:9c:a4:5c:bf:dc:0d:be:
9b:7c:1d:42:31:55:d5:78:55:f3:e8:c6:56:58:d1:
1c:a4:c6:a1:fb:f3:f0:8b:7c:1b:2d:69:51:01:5b:
1e:f5:77:58:c8:1b:64:9c:9d:79:63:69:b3:49:d3:
27:c3:f7:a7:62:ca:47:37:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
74:F9:6C:7D:FC:4D:30:AE:98:C5:F6:F7:77:BD:77:47:6C:3B:3D:CF
X509v3 Authority Key Identifier:
keyid:74:F9:6C:7D:FC:4D:30:AE:98:C5:F6:F7:77:BD:77:47:6C:3B:3D:CF
Signature Algorithm: sha1WithRSAEncryption
db:93:1f:96:4e:b1:c8:61:19:5c:ea:c3:f4:2c:1a:59:01:5f:
ee:f9:cf:7a:be:9f:eb:84:74:56:da:0b:97:28:06:20:04:f9:
90:1e:3c:d0:8a:18:c2:53:97:7f:36:3a:d3:cc:b6:eb:fb:d2:
7d:d1:7a:43:b4:b5:bf:fd:ed:72:68:19:48:5f:39:a9:21:9b:
6d:34:d8:b0:a3:6c:51:f6:ae:5f:00:2b:12:66:d1:44:f4:68:
35:ba:71:da:f3:85:af:ab:16:6e:b1:d3:7d:b5:4d:bd:7a:39:
30:c4:47:dc:6f:ae:38:89:69:bc:00:e1:89:8c:5c:17:d5:5e:
d8:fa
ESU2C>
|
Mutual Authentication
Description of Mutual Authentication
The default behavior of most SSL (Secure Sockets Layer) implementation is to do Server certificate authentication. The purpose of server certificate authentication is to verify the identity of the server and validate that the server has a certificate signed by someone that we trust.
With this default behavior, the client is not obligated to offer its certificate back to the server. The server is validated by the client, but the server does not validate the identity of the client.
When Mutual authentication is enabled, the server will also authenticate the identity of the client.
The server sets a bit in the SSL handshake messages that tells the client that it wants to perform mutual authentication and that the client should send back it's certificate. The client will send back its certificate and the server will validate the client's identity. If either end detects that the certificate is invalid, it will close the connection.
There are two EMS to OLT connections on which certificate exchange can occur.
- EMS to OLT CORBA connection - Used for all configuration of the OLT and for retrieving all status.
- EMS Event Service connection - Used for autonomous reporting of any off-normal conditions via the event channel.
For the EMS to OLT Corba connection, the EMS will connect out to the OLT which makes the EMS the client (for SSL) and the OLT will be the server.
Turning on mutual authentication will cause the OLT to also check the EMS certificate to ensure it is a valid EMS connection. For this connection, mutual authentication is enabled on the OLT as it is the server role in this connection.
In the case of the Event Service, the OLT is the client and the EMS is the server.
For this connection, Mutual Authentication is enabled on the EMS as it performs the server role for the SSL connection.
Configuring OLT Mutual Authentication
To configure the OLT to check the EMS certificate for the EMS server connection used for all configuration and status, Mutual Authentication needs to be enabled on the OLT. For proper operation the OLT must be running OLT load SR31.4_78, or higher. The minimum release for the EMS is SR31.4.0.Y or higher. You must be logged into the CLI with a user that has the security admin role to be able to see or modify this attribute.
The current status of Mutual Authentication at the OLT can be determined using the show command.
|
ESU2C> ne security mutual-auth show
Mutual Authentication Disabled
-SSLAuthenticate=NONE
ESU2C>
|
Ensure before enabling Mutual Authentication that all certificates and trust anchors are installed on both the OLT and EMS. Failure to do so will cause the OLT and EMS to lose all connectivity. Mutual Authentication can be enabled with the following command.
|
ESU2C> ne security mutual-auth
Actions:
disable - turn off mutual authentication
enable - turn on mutual authentication
show - show the mutual authentication state
ESU2C> ne security mutual-auth enable
Synchronization with the mate started.
ESU2C> ne security mutual-auth show
Mutual Authentication Enabled
-SSLAuthenticate=CLIENT
ESU2C>
|
Configuring EMS Mutual Authentication for the OLT Event Channel
Mutual Authentication is always on by default on the OLT Event Channel and no changes are necessary for this connection.
Configuring EMS Mutual Authentication of EMS Client Sessions
The EMS Server Application has the role of server in SSL connections with the Client GUI. Mutual Authentication can be enabled on client sessions by making the following change to the file:
C:TellabsPanoramaPONbbmgrserverdataAuthenticationControllerAuthenticationController.properties
The file should be edited to change the setting of ClientAuthentication=1
|
SecureRMI=1
VerifyCN=0
ClientAuthentication=1
|
Turning on Secure Client during the installation of the server software will set this attribute to enable Mutual Authentication on the EMS server. When installing the Server software, select Custom Installation:
Summary
Several points should be noted:
- Ensure the user has all the needed certificates ready prior to adding the certificates to the EMS or OLT. This minimizes the time when the OLT and EMS are out of communication. This does NOT affect traffic running through the OLT, only management of the OLT during that period.
- Ensure the user destroys or secures the certificate files after loading them on the EMS and / or OLT. The certificates are persistently stored on the OLT and EMS and are typically not needed after installation. Certificates will cross-copy between ESUs and are stored persistently in the flash of both ESUs in a secure key store. The EMS certificate is stored in the EMS backup.
- Keep an eye on certificate validity dates as when the certificates expire, communications will fail. Both the EMS and OLT will warn prior to certificate expiration and will alarm expired certificates.
- If the user does not have a certificate authority, EJBCA (Enterprise Java Beans Certificate Authority) is a good freeware opensource tool for generating certificates.