Configure cmp-server

Certificate authorities provide you with the detail you need to interact with their CMP servers. You establish a cmp-server object for each of these servers.

This feature is most applicable for managing deployments that include large numbers of certificates. Follow the steps below to configure each cmp-server:
  1. Access the cmp-server configuration element.
    ORACLE(cmp)# cmp-server
  2. name: Enter the name for this CMP server with this required parameter. You use this name to assign this cmp-server to one or more cmp-server-group objects.
  3. cmp-server-address: Specify the destination CMP server IP address or hostname to which the system sends CMP requests. If you use a hostname, the system performs DNS resolution to obtain the IP address. If DNS resolution returns multiple IP addresses, only the first one is used. If that fails, the SBC retries on the CMP processing timer, rather than iterating through all returned IPs.
    • Default: empty
    • Valid hostname, IPv4, or IPv6 address

      Note:

      If secure-certificate-mode is enabled, you cannot set this to an IP address (IPv4 or IPv6) for media interfaces, only a hostname. You can use a hostname or an IPv4 address (not IPv6) for management interfaces.
  4. path: Enter the HTTP path at the CMP server (the CMP alias) to use for POST requests.
    • Default: "/" (The forward slash character)
    • Valid path
  5. port: Enter the destination port of the CMP server to which the system sends CMP requests.
    • Default: 443
    • Range: 1 to 65535
  6. cmp-client-address: Enter the IP address for the applicable SBC sip-interface. The CMP server sends requests to this address.
    • Default: empty
    • Valid IPv4 or IPv6 address
  7. realm-id: Enter the realm the system uses to send CMP requests to this CMP server. If not configured, the system uses the management interface (wancom0).
  8. tls-profile: Enter the name of the tls-profile object the system uses to establish a TLS/HTTPS connection with this CMP server.
  9. auth-method: Enter the authentication method the system uses to protect and authenticate messages sent and received.
    • Default: Secret
  10. secret: Enter the shared secret Initial Attestation Key value (IAK) the system uses to protect and authenticate PKI messages generated and received. This includes the reference value used to identify the secret value. The default is empty.
  11. reference: Enter the reference number/string/value the system uses as a fallback senderKID (sender Key Identifier) field in the PKI message header. This is required if no sender name can be determined from the certificate. It is typically used when authenticating with a pre-shared key (password-based MAC). The default is empty.
  12. server-certificate: Enter the name of the certificate-record that holds the CMP server certificate that issues the end-entity certificate.
    This parameter serves two key purposes:
    • Sender Authentication (PBE, signature-based protection): Specifically, it validates the authenticity of the response sender by comparing the actual sender’s name in the CMP response against the expected sender’s name, which is derived from the configured server certificate.
    • It enables the SBC to verify the signature-based protection of CMP response messages from the CMP server.
  13. pop: Enter the Proof of Possession (POP) method used for Initialization Requests (IRs) and Key Update Requests (KURs).
    • Default: Signature

      The system performs POP using signature keys, such as ECDSA.

    • None

      Leaving this parameter empty means the system does not use a POP.

    • Keyenc

      The system uses key encipherment to perform POP using encryption keys, such as RSA.

  14. cmp-msg-timeout: Enter the number of seconds a CMP request-response message round trip is allowed to take before a timeout error is returned. This should be less than or equal to the total-timeout setting.
    • Default: 120 seconds
    • Range: 1 to 120 seconds
  15. total-timeout: Enter the maximum number of seconds a CMP transaction may take, including polling.
    • Default: 180 seconds
    • Range: 1 to 360 seconds
  16. polling-retry-count: Enter the maximum number of polling cycles the system uses, after which it stops sending polling requests. When this count is exceeded, the system stops polling until the CMP processing timer is reached (at which point it resumes polling), the cmp-msg-timeout or total-timeout is reached, or the transaction from the CMP server completes.
    • Default: 10
    • Range: 1 to 255
  17. Type done to establish this cmp-server.
  18. Save and Activate your configuration.
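As an added example (not from the Oracle documentation or the SBC itself), a pre-flight check in Python that applies the constraints stated in the steps above to a cmp-server object before it is saved: the secure-certificate-mode address rule, the parameter ranges, and the requirement that cmp-msg-timeout not exceed total-timeout. The CmpServer class, its field names, and the treatment of a non-empty realm-id as a media interface are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class CmpServer:
    """One cmp-server object; field names mirror the ACLI parameters (assumed layout)."""
    name: str
    cmp_server_address: str = ""   # hostname, IPv4 or IPv6 (default: empty)
    port: int = 443
    realm_id: str = ""             # empty: requests leave via the management interface (wancom0)
    auth_method: str = "Secret"
    secret: str = ""               # shared secret (IAK), default empty
    cmp_msg_timeout: int = 120
    total_timeout: int = 180
    polling_retry_count: int = 10

def address_kind(value):
    """Classify cmp-server-address as 'ipv4', 'ipv6', 'hostname' or 'empty'."""
    if not value:
        return "empty"
    try:
        return "ipv%d" % ipaddress.ip_address(value).version
    except ValueError:
        return "hostname"

def check_cmp_server(cfg, secure_certificate_mode=False):
    """Return the list of constraint violations; an empty list means the object is consistent."""
    problems = []
    kind = address_kind(cfg.cmp_server_address)
    if kind == "empty":
        problems.append("cmp-server-address must be set")
    if secure_certificate_mode and kind in ("ipv4", "ipv6"):
        # Assumption: a non-empty realm-id means a media interface, empty means management (wancom0).
        if cfg.realm_id:
            problems.append("secure-certificate-mode: media interfaces need a hostname, not an IP address")
        elif kind == "ipv6":
            problems.append("secure-certificate-mode: management interface allows a hostname or IPv4 only")
    for label, value, lo, hi in (("port", cfg.port, 1, 65535),
                                 ("cmp-msg-timeout", cfg.cmp_msg_timeout, 1, 120),
                                 ("total-timeout", cfg.total_timeout, 1, 360),
                                 ("polling-retry-count", cfg.polling_retry_count, 1, 255)):
        if not lo <= value <= hi:
            problems.append("%s must be %d to %d" % (label, lo, hi))
    if cfg.cmp_msg_timeout > cfg.total_timeout:
        problems.append("cmp-msg-timeout must not exceed total-timeout")
    if cfg.auth_method == "Secret" and not cfg.secret:
        # Assumption: password-based MAC protection cannot work with an empty shared secret.
        problems.append("auth-method Secret requires a non-empty secret (IAK)")
    return problems
```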