Redline Communications Inc. AN100UA User Manual
RedMAX™ Base Station
User Manual
Doc. #70-00058-01-01
Proprietary Redline Communications © 2007
July 13, 2007
Management messages between the AN-100U and the subscriber modem are protected with an
HMAC digest that ensures the data was not altered over the air in any way. The
authenticity of the CA's signature, and whether the CA can be trusted, can be determined
by examining its certificate in turn. This chain must, however, end somewhere, and it does
so at the root certificate, so called because it is at the root of a tree structure. Root
certificates are implicitly trusted. The Redline Root CA certificate is issued by Verisign.
It can be used to validate the certificates of the subscriber modem and cannot be used to
validate the certificates supplied by another vendor.
Authentication Using Digital Certificates
The entire authentication process is performed inside the AN-100U and does not
require external AAA servers (e.g. RADIUS, TACACS, LDAP, etc.). On the AN-100U,
64 Kbyte of memory is reserved for X509 Root CA certificates. A root
certificate allows the validation of subscriber modem certificates.
The validation process checks the certificates against the information stored on
the AN-100U. The result of this check is a truth value that determines whether the
AN-100U allows the subscriber to join the network. There are two scenarios:
1. The base station can skip the validation of the certificates sent from the subscriber
and perform only a basic test to ensure they are properly encoded.
2. The base station checks the digital signature against the information stored on the board.
To switch between the two scenarios, the operator modifies the TrustAll field under
the "privacy" group.
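The difference between the two scenarios can be reproduced offline with OpenSSL. This is an added example, not Redline code or device CLI: it builds throwaway certificates (the names trusted-root, other-root, modem-a and modem-b are constructed for illustration) and shows that an encoding-only check accepts a certificate that chain validation against the stored root rejects.

```shell
#!/bin/sh
# Added example: constructed throwaway CAs and certificates, not Redline's.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca NAME: self-signed root (stand-in for a root CA stored on the base station)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# make_leaf NAME CA: modem certificate NAME signed by CA
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
    openssl x509 -req -in "$work/$1.csr" -CA "$work/$2.pem" -CAkey "$work/$2.key" \
        -CAcreateserial -days 1 -out "$work/$1.pem" 2>/dev/null
}

# Scenario 1 (validation skipped): only check that the file parses as X.509
encoding_ok() { openssl x509 -in "$work/$1.pem" -noout 2>/dev/null; }

# Scenario 2 (validation on): verify the signature chain up to the stored root
chain_ok() { openssl verify -CAfile "$work/$2.pem" "$work/$1.pem" >/dev/null 2>&1; }

make_ca trusted-root                 # root loaded on the base station
make_ca other-root                   # a CA the base station does not hold
make_leaf modem-a trusted-root       # modem certified by the trusted root
make_leaf modem-b other-root         # modem certified by the unknown CA

for m in modem-a modem-b; do
    encoding_ok "$m" && enc=pass || enc=fail
    chain_ok "$m" trusted-root && chain=pass || chain=fail
    echo "$m: encoding-only check=$enc, chain check=$chain"
done
```

Both certificates pass the encoding-only check; only modem-a passes chain validation, which is why the encoding-only scenario provides no assurance about who issued a modem's certificate.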
6.2.2 Configuring Privacy
This section describes the CLI commands for Privacy sublayer functions. Settings for
privacy modules are defined under the "privacy" group. The values set by the user take
effect only after a system reset, even though the values are stored in NVRAM
immediately. The privacy module on the AN-100U is always running, while the
subscriber modem can be enabled or disabled.
X509 Root CA Certificates
Each subscriber modem shipped from the factory comes with two X509 certificates:
a subscriber modem certificate and a CA certificate. The subscriber modem certificate is
unique per subscriber modem. The subscriber modem sends the certificates to the AN-100U
during the network entry procedure in order to authenticate itself. The AN-100U verifies
that the certificates are valid and allows or denies the subscriber's request to join the network.
Privacy Sublayer Settings
This section is AN-100U specific and describes CLI support for manipulating X509
certificates. The commands are available under the "x509" group.
add
Download new certificates into the device. (FTP setup required)
delete
Delete one or all of the certificates from the device's non-volatile memory.
show
Display a list of certificates stored in non-volatile memory.
An FTP server is required to upload Redline Root CA certificates to an AN-100U.
If required, use the 'delete' command to initialize the certificate storage before loading a
new certificate. For example: