cmp > cmp-server

The cmp-server element provides access to the parameters you use to configure individual CMP servers.

Parameters

name
String to identify this object and reference it elsewhere.
cmp-server-address
The destination CMP server IP address or hostname to which the system sends CMP requests. If a hostname is configured, then the system performs DNS resolution to obtain the IP address. If DNS resolution returns multiple IP addresses, only the first one is used. If that fails, the SBC retries on the CMP processing timer, rather than iterating through all returned IPs.
  • Default: empty
  • Valid hostname, IPv4, or IPv6 address

    Note:

    If secure-certificate-mode is enabled, you cannot set this to an IP address (IPv4 or IPv6) for media interfaces, only a hostname. You can use a hostname or an IPv4 address (not IPv6) for management interfaces.
path
HTTP path at the CMP server (aka CMP alias) to use for POST requests.
  • Default: "/" (The forward slash character)
  • Valid path
port
The destination port on the CMP server to which the system sends CMP requests.
  • Default: 443
  • Range: 1 through 65535
cmp-client-address
The source IP address used to send out the CMP request.
  • Default: empty
  • Range: IPv4 or IPv6 address
realm-id
The realm used for sending out CMP requests to this CMP server. If not configured, the system uses the management (wancom0) interface.
tls-profile
Name of the tls-profile object used to establish a TLS/HTTPS connection with this CMP server.
auth-method
Authentication method used to protect and authenticate messages sent and received by the SBC.
  • Default: secret
secret
Shared secret value (also known as IAK) used to protect and authenticate PKI messages generated and received by the SBC. This includes the reference value used to identify the secret value.
reference
Reference number, string, or value to use as the fallback senderKID (sender Key Identifier) field in the PKI message header. This is required if no sender name can be determined from the certificate, and is typically used when authenticating with a pre-shared key (password-based MAC).
pop
Proof of Possession (POP) method used for the Initialization Request (IR) and Key Update Request (KUR).
  • Default: Signature
  • Signature means a signature is used to perform POP using signature keys.
  • None means no POP is used.
  • Keyenc means Key Encipherment is used to perform POP using encryption keys.
server-certificate
Allows the system to verify the signature-based protection of the CMP response message from the CMP server. You enter the name of the certificate-record that holds the CMP server certificate that issued the end-entity certificate.
cmp-msg-timeout
Number of seconds a CMP request-response message round trip is allowed to take before a timeout error is returned. Default is to use the total-timeout.
  • Default: 120 seconds
  • Values: Min: 1 / Max: 120 seconds
total-timeout
Maximum number of seconds a CMP transaction may take, including polling and so forth.
  • Default: 180
  • Range: 1 - 360 seconds
polling-retry-count
The count after which the SBC stops sending polling requests for an outstanding transaction. When this count expires, the outstanding transaction fails.
  • Default: 10
  • Range: 1 - 255

Path

cmp-server is an element of the security path. The full path from the topmost ACLI prompt is: configure terminal, and then security, and then cmp, and then cmp-server.

Note:

This is a multiple instance configuration element.
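
Example:

The following Python sketch is an added example, not Oracle code or SBC output. It reviews one cmp-server entry against the ranges and the secure-certificate-mode address restriction documented above. The dict layout, the interface argument, the function names, and the sample values are assumptions made for illustration.

```python
import ipaddress

# Ranges (min, max) and defaults as listed on this page.
RANGES = {"port": (1, 65535), "cmp-msg-timeout": (1, 120),
          "total-timeout": (1, 360), "polling-retry-count": (1, 255)}
DEFAULTS = {"port": 443, "cmp-msg-timeout": 120, "total-timeout": 180,
            "polling-retry-count": 10, "pop": "signature"}
# Address kinds permitted per interface type when secure-certificate-mode is on.
SECURE_MODE_ALLOWED = {"media": {"hostname"}, "management": {"hostname", "ipv4"}}


def address_kind(value):
    """Classify a cmp-server-address value as 'ipv4', 'ipv6' or 'hostname'."""
    try:
        return f"ipv{ipaddress.ip_address(value).version}"
    except ValueError:
        return "hostname"


def lint_cmp_server(cfg, secure_certificate_mode, interface):
    """Return a list of findings for one cmp-server entry.

    cfg is a plain dict keyed by parameter name; that layout and the
    `interface` argument ('media' or 'management') are assumptions.
    """
    cfg = {**DEFAULTS, **cfg}
    findings = [f"{key}={cfg[key]} outside {lo}-{hi}"
                for key, (lo, hi) in RANGES.items() if not lo <= int(cfg[key]) <= hi]
    addr = cfg.get("cmp-server-address", "")
    if not addr:
        findings.append("cmp-server-address is empty")
    elif secure_certificate_mode:
        kind = address_kind(addr)
        if kind not in SECURE_MODE_ALLOWED[interface]:
            findings.append(f"{kind} address not allowed on a {interface} "
                            "interface with secure-certificate-mode")
    # Consistency check added by this example: one round trip should not be
    # allowed longer than the whole transaction.
    if int(cfg["cmp-msg-timeout"]) > int(cfg["total-timeout"]):
        findings.append("cmp-msg-timeout exceeds total-timeout")
    if str(cfg["pop"]).lower() == "none":
        findings.append("pop=none: IR/KUR sent without proof of possession")
    return findings


# Constructed sample entry (documentation address range, not a real server).
SAMPLE = {"cmp-server-address": "2001:db8::10", "port": 443,
          "cmp-msg-timeout": 120, "total-timeout": 90, "pop": "none"}

if __name__ == "__main__":
    for finding in lint_cmp_server(SAMPLE, True, "management"):
        print(finding)
```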