appeartv ca proxy users manual
DESCRIPTION
appeaar tvTRANSCRIPT
-
Changing the way operators deliver TV
SW Version 3.18 9 February 2015
Product User Manual CA Proxy Solution
-
SW Version 3.18 9 February 2015 Page 2 of 20
Change log
Date Revision Who What
1.9.12 1.0 PMJ Initial revision
1.10.13 1.1 PMJ CA proxy system revised and improved. Improved client status
and management on server side. Improved redundancy
scheme in clients. To be supported in software 3.xx
Product User Manual DC1000/1100 SC2000/2100 MC3000/3100
-
SW Version 3.18 9 February 2015 Page 3 of 20
Table of Contents 1 INTRODUCTION ......................................................................................................................... 4
2 THE CA PROXY SOLUTION .................................................................................................... 5
2.1 RECOVERY WINDOW ..................................................................................................................... 6 2.1.1 Recovery window vs client redundancy switching ................................................................. 7
3 SYSTEM SECURITY AND VPN SETUP .................................................................................. 8
3.1 FIREWALL SETTINGS .................................................................................................................... 8 3.1.1 CA proxy server firewall ....................................................................................................... 8 3.1.2 CA proxy Client firewall ........................................................................................................ 8
3.2 CONFIGURING THE OPENVPN SYSTEM ......................................................................................... 8 3.2.1 Proxy server VPN configuration overview ............................................................................ 8 3.2.2 Proxy client VPN configuration overview ............................................................................. 8
3.3 VPN CERTIFICATE FILES CREATION............................................................................................. 9
4 CONFIGURING PROXY SERVER ......................................................................................... 10
4.1 INSTALLING THE VPN CERTIFICATES ......................................................................................... 10 4.2 CA PROXY SERVER IP ADDRESSES .............................................................................................. 10 4.3 DEFINING THE CLIENT LIST ......................................................................................................... 12
4.3.1 Client connection attributes................................................................................................. 12 4.3.2 Edit multiple client attributes .............................................................................................. 13
4.4 DEFINING THE ECMS (ACCESS CRITERIAS) .............................................................................. 13 4.5 DEFINING THE RECOVERY WINDOW ............................................................................................ 13
5 CONFIGURING THE PROXY CLIENT................................................................................. 15
5.1 INSTALLING THE CLIENT VPN CERTIFICATES ............................................................................. 15 5.2 CA PROXY CLIENT IP ADDRESSES ............................................................................................... 15 5.3 ESTABLISH CONNECTION TO THE CA PROXY SERVER ................................................................. 15 5.4 DEFINING A REDUNDANT CA PROXY SERVER ............................................................................. 16
5.4.1 Disable alarm triggers ........................................................................................................ 17 5.5 DEFINING ECMS ....................................................................................................................... 17
6 SYSTEM MONITORING .......................................................................................................... 19
6.1 CLIENT MONITORING ................................................................................................................. 19 6.2 ECM MONITORING ..................................................................................................................... 20
Product User Manual DC1000/1100 SC2000/2100 MC3000/3100
-
SW Version 3.18 9 February 2015 Page 4 of 20
1 Introduction
This users manual is intended as a supplement to the general users manual. It describes the ca proxy solution only.
This manual is divided into two sections. The first aims to explain the solution that has been
developed, while the second section explains how to configure the system using the WEB
interface.
The customer system today is multiple Cable networks being fed through a satellite
distribution channel. All Conditional access is handled centrally and all encryption/scrambling
is handled on the main head-end.
Now, the operator wants to expand the offering to the cable customers, but there is no more
capacity over the satellite link. The solution is to turnaround services from other satellite
distributors locally at the remote head-ends. This can be done in a traditional fashion, but
there will be a requirement for encryption of these added services into those cable networks.
This manual will describe a system that can distribute a Simulcrypt interface in a proxy
fashion from a centralized head-end to multiple remote located head-ends. The solution has
taken into account the security requirements with regard to media of distribution
-
SW Version 3.18 9 February 2015 Page 5 of 20
2 The CA Proxy solution
The CA Proxy solution provides a system for an efficient distribution of CW/ECM pairs to
multiple clients over a secure communication link.
The CA proxy Conditional Access solution will appear as shown in the figure below.
Figure 1 CA proxy Architecture
The solution based on three major components
o SCS_Master : This card does the communication to the CA system.
This card will generate the CW and collect the ECM from the CA system. In essence
this is similar to a standard scrambler card. It has some additional features regarding
communication to the CA proxy Server card.
o CA_PROXY server: This card will request CW/ECM pair from the SCS_Master card,
for each individual SCG_ID (Access Criteria). These pairs will then be transferred to
the connected clients.
o CA_PROXY_client. The scrambler card running in the regional head ends. This card requests CW/ECM pairs from the CA proxy server.
Regional network 1
SCS Slave/ Scrambler
CW/ECM
Regional network n
Internet
SCS Slave/ Scrambler
CW/ECM
CAS
SCS Proxy
Main headend
-
SW Version 3.18 9 February 2015 Page 6 of 20
The flow of the CW and ECMs are shown below.
CAS
SCSMaster
CAproxyserver
SCS
CW_Prov (1, 5)
CW_Prov (1, 12)
ECM(1,5)
CW + ECM(1,5)
CW + ECM(1, 5)
ECM_Req(1)
-
SW Version 3.18 9 February 2015 Page 7 of 20
2.1.1 Recovery window vs client redundancy switching
The CA proxy solution has two independent systems to tackle problems between the CA
proxy server and the client.
1. CA proxy server redundancy switching (Implemented on the CA proxy Client)
2. Recovery Window (implemented on the CA proxy server)
In order for the total system to work optimally it is vital that the switch delay is tuned
according to the recovery window. If a 2 hour Recovery Window is defined on the server,
then the switch delay on the client should be set to the same delay. If the switching
happens much earlier the Recovery Window functionality is obsolete.
-
SW Version 3.18 9 February 2015 Page 8 of 20
3 System security and VPN setup
The communication between the CA proxy server and CA proxy client is done through a VPN
tunnel. The VPN server runs on the CA_PROXY_server card, and the VPN clients run on the
CA_PROXY_client. The VPN system is based on OpenVPN (http://openvpn.net/), the server
is configured such that duplicated client certificates are not allowed.
Both the CA Proxy server and the CA proxy client is firewalled using Iptables.
3.1 Firewall Settings
3.1.1 CA proxy server firewall
The CA proxy server runs a firewall that allows external connection on port 1194 only. When
a connection is established the system opens the required ports within the VPN tunnel. Ports
not used by the simulcrypt communication are closed.
3.1.2 CA proxy Client firewall
The client firewall does not allow any connections outside the VPN tunnel.
Within the tunnel tcp port 22 (SSH) is open such that it is possible to access the remote
clients via the openVPN tunnel.
3.2 Configuring the OpenVPN system
3.2.1 Proxy server VPN configuration overview
This is an overview only, details are found in the following paragraphs.
o In the GUI, define the IP address and the corresponding net mask for the VPN tunnel.
This causes the system to generate a VPN configuration file on the CA_PROXY_server
card with the IP address and subnet defined.
o Generate and install the VPN certificate files.
o The generation of the certificate files must handled externally from the
AppearTV environment.
o Define each client to be allowed access. This access list will add an extra layer of
security, where the serial number of the CA_PROXY_client cards is the identifier.
o The VPN server must be accessed on port 1194.
3.2.2 Proxy client VPN configuration overview
This is an overview only, details are found in the following paragraphs.
o In the GUI define the Ethernet address of the CA_PROXY_server card.
o Install the client certificate (in the archive format explained below)
The client shall now be ready. In the case of a redundant CA_PROXY_server unit you will
need to define a redundant two CA_PROXY server IP addresses. Note that in a redundant
configuration the CA_PROXY_client will not open a tunnel to the backup CA_Proxy_server
until a redundancy switch is performed..
-
SW Version 3.18 9 February 2015 Page 9 of 20
3.3 VPN Certificate Files Creation
In order for the VPN connection can be established both the CA Proxy Server and the clients
must be configured with the correct certificate files.
The keys and certificates shall be created by the user using openvpn.
Follow these instructions to create files correctly.
http://openvpn.net/index.php/open-source/documentation/howto.html#pki to create the
necessary files.
For server(s):
o ca.crt,
o server.key,
o server.crt,
o dhXXXX.pem
For clientX:
o ca.crt,
o clientX.key,
o clientX.crt
Follow the instructions on
http://openvpn.net/index.php/open-source/documentation/howto.html#security
to create the necessary ta.key file.
When the above files has been created they need to be packed into tar-ball files for
installation into the CA proxy server and clients.
Create a tar-ball for the server(s) containing (ca.crt, server.key, server.crt, dhXXXX.pem,
ta.key)
Create a tar-ball for clientX containing (ca.crt, clientX.key, clientX.crt, ta.key)
NOTE: It is mandatory to follow these naming conventions (where XXX is selectable by the
user):
o Master certificate authority: "ca.crt"
o Shared secret tls-auth key: "ta.key"
o Diffie Hellman parameters: "XXX.pem"
o Server/client certificate: XXX.crt"
o Server/client key: "XXX.key"
-
SW Version 3.18 9 February 2015 Page 10 of 20
4 Configuring Proxy server
4.1 Installing the VPN certificates
How to generate the VPN certificates please refer to previous sections in this document.
To install the certificates, press install certificate on the admin page:
o Admin->ca_proxy_server->install certificate , or for the client
o Admin->ca_proxy_client->install certificate
The figure in the next paragraph shows this page.
The system will then prompt the user to browse for the file to install. Choose the appropriate
tar-ball generated earlier, and press Install.
Upon completion the system will list the files that successfully where installed.
NOTE: If the required files are not present this will generate an alarm indicating which files
are not installed.
NOTE: If more than one proxy server is defined for a client, make sure that those servers
have the same certificates installed.
4.2 CA proxy server IP addresses
The CA proxy server card defines two sets of IP addresses, the IP address of the control port
and the VPN network.
To set the network addresses got to the Admin setup page for the CA Proxy server card.
-
SW Version 3.18 9 February 2015 Page 11 of 20
Figure 2: IP address configuration of CA proxy server.
External Proxy Access
(Control Port)
This is the control port of the CA proxy card, to which all the
remote clients should do a VPN connection.
IP address The ip address of the control port
Gateway Address The GW address of the control port.
Subnet mask The subnet mask of the control port.
VPN Tunnel settings This defines the virtual network address space for the VPN tunnel.
VPN server Address This is the address to which the VPN clients will connect. Note
that this address will not be visible to the user in the client
configuration. The client configuration will configure the External Proxy Address only. This network address will be resolved locally by the remote clients via information available in the VPN environment.
This address is resolved from the VPN IP Network Address and the Max number of clients.
VPN Network mask This mask is resolved from the VPN IP Network Address and the Max number of clients
VPN IP Network Address This network address of the VPN network. The value accepted for
this address also depends on the number of clients parameter.
Max number of clients Defines the number of clients that the VPN network shall be able
to handle. The larger number the wider the network mask will be.
NOTE: Do not use network 192.168.0.x mask 255.255.255.0. This is a reserved network for
internal usage.
-
SW Version 3.18 9 February 2015 Page 12 of 20
4.3 Defining the client list
In order for clients to be allowed connection to a proxy server card the client must be added
to the client access list. This access list identifies a client via the serial number of the clients scrambler card
Go to Conditional Access->SCS Proxy Server->Clients
Figure 3 Adding clients
4.3.1 Client connection attributes
From the client connection view it is possible to change the connection attributes of a
client.
To edit a clients attributes, click the edit on the client row.
Client Attribute
Name Client connection name
Serial Number The serial number of the scrambler card in the proxy client.
Connection Allow/Deny Allow is the default value. Set the connection state to Deny to temporally block a user. This can be done to
force the client to switch to the other CA proxy server (if that
is installed)
Recovery Window Include/Exclude Default: Include
Include - This client is part of the recovery window logic.
-
SW Version 3.18 9 February 2015 Page 13 of 20
Exclude- The client is excluded from the RW logic, and hence will not affect the CryptoPeriod of the system upon
communication failures..
4.3.2 Edit multiple client attributes
When multiple clients are selected a new edit icon will appear on the top row
Click the edit icon (the pencil) and the multiple client edit dialog appears.
The edit action will be applied to all selected clients.
4.4 Defining the ECMS (Access criterias) The CA proxy server also hosts a scs card which shall communicate with the CA system.
To do this go to
o Conditional Access->SCS ->ECMG (define the location of the CA system)
o Conditional Access->SCS ->ECM (define the ecms.)
The ECMs is the ink between an access criteria and the SCG_ID. For further details on how to
configure the scs card please refer to the standard users manual.
Note: When the clients are configured later they do not relate to an access criteria, but to
the scg_id only.
4.5 Defining the recovery window
The recovery window is the maximum time a client can be disconnected without causing the
client to do a seamless re-connect.
A long recovery-window essentially accepts long crypto periods when client disconnects
happens. Please refer to the description section above for details.
-
SW Version 3.18 9 February 2015 Page 14 of 20
To set the recovery window go to
o Conditional Access->scs proxy server
Figure 4 Recover window settings
Recovery window
Slot The slot of the CA proxy server card.
Clients Number of connected clients.
Minimum CP The minimum crypto period. Normally this is dictated by the
CA system. Now the proxy server takes that function.
Maximum CP How long crypto period shall the system allow when remote
clients are failing to communicate.
Client recovery window A function of the Max crypto period.
-
SW Version 3.18 9 February 2015 Page 15 of 20
5 Configuring the Proxy client
The ca proxy clients are essentially scramblers which receive the ECMs and CWs from the CA proxy servers. This manual does not describe how to configure services and start scrambling,
but it describes all the operations required to get the CA proxy server communication to
work. For details on how to configure services please refer to the standard users manual.
5.1 Installing the client VPN certificates
How to generate the VPN certificates please refer to previous sections in this document.
For instruction details please refer to the Proxy server VPN certificate installation guide.
NOTE: If more than one proxy server is defined for a client, make sure that those servers
have the same certificates installed.
NOTE: If the client is configured with a redundant CA proxy server, then only the active
connection will be open at the time.
5.2 CA proxy client IP addresses
The ca proxy client card communicates to the ca proxy server via the control port of the
SCS/scrambler card. The IP address of the control port is configured on the admin page of
the caproxy-client card. Please refer to the general users manual for details.
NOTE: Do not use the following networks addresses for the control port.
o The network defined for the VPN network at the CA proxy server
o The internal subnet of the client card: 192.168.0.x mask 255.255.255.0
5.3 Establish connection to the CA proxy server
The ca proxy client supports connection to one ca proxy server, with an option to define a
redundant proxy server.
To add a ca proxy server go to
o Conditional Access->scs -> Connection
Figure 5 Add proxy server connection
-
SW Version 3.18 9 February 2015 Page 16 of 20
CA proxy connection
CA proxy External Access IP This is the IP address where the VPN server can be reached.
This could be the public IP address of a firewall. This firewall
must then redirect port 1194 to the ca proxy server unit. If
the CA proxy server card is connected to a public address
then this ip address shall be the IP address of the control port
of the CA proxy scrambler card.
CAS ID CA system id. This is used locally for generation of the CA
descriptor in the PMT.
Sub ID Simulcrypt sub id. (typical value = 1)
State Connection state to the server. Note that before a successful
connection can e established the server must define the serial
number of this scrambler card as a valid client in its client list.
Note: The VPN certificates must be installed to establish connection to the server.
5.4 Defining a redundant CA proxy server
As for standard ECMG connections it is possible to define a redundant CA proxy server. Note
however that if a client connection to the main ca proxy server is in a failure state it is not
possible to know if this is due to a connection problem or if it is due to a problem with the CA
proxy server on the central head end. Given the recovery window will survive long
connection failures it should be considered how to use this feature. Disabling all alarm
triggers for the CA redundancy module could be an alternative.
If the client attempt to connect to the redundant proxy then the recovery window is broken.
To define a redundant ca proxy server go to
o Redundancy->CA
Figure 6 Defining the redundant CA proxy server
Redundant CA proxy
IP The IP address of the redundant ca proxy server. Use the CA
proxy External Access IP of the proxy server.
Port N/A, 1194 will be used.
-
SW Version 3.18 9 February 2015 Page 17 of 20
Channel N/A for proxy systems, set to 1
CAS Sub id N/A for proxy systems, set to 1
5.4.1 Disable alarm triggers
As discussed above, due to the Recovery window feature, it should be considered to set
redundancy switching into manual mode. This can be achieved by disabling all the
redundancy triggers.
When a trigger is disabled it means it is not sent to the redundancy module, hence an
automatic switch will not occur.
To disable the trigger, go to
o Redundancy->Triggers , then disable alarms associated with the CA Redundancy
module. Currently one alarm only, the No Connection alarm
Figure 7 Redundancy Triggers
5.5 Defining ECMS As for standard scramblers this ca proxy client must define its ECMs.
To add ecms go to
o Conditional Access->SCS -> ECM
-
SW Version 3.18 9 February 2015 Page 18 of 20
Figure 8 Defining client ECMs
Define ECMs
Stream id Simulcrypt stream ID. Stream alarms will be linked to this
value.
Name Name for the ECM
ECM Generator The ca proxy server now represents the ECMG.
SCG_ID The SCG id must match an ID defined on the CA proxy server.
This is essentially the link to the access criteria.
Private data Optional parameter: Private data that can be added to the CA
descriptor in the PMT.
Preferred ECM PID. All services which use this ECM for the scrambling will try to
use the preferred ECM PID value if possible. It may clash with
other pids in the service, and then it will be remapped to
another value. See description of the component type
mapping feature on the output service configuration for more
options on how to control the output pid-line-up. This is
described in the standard users manual
-
SW Version 3.18 9 February 2015 Page 19 of 20
6 System monitoring
6.1 Client Monitoring
The client monitoring aims at giving the operator as much info about a connected client.
Client info Description
Name The name of the client as defined during configuration.
Serial Number The serial number of the client scrambler card.
Software Version Software version running on the remote clients scrambler
card, reported by the client.
Redundancy Mode The currently active redundancy mode configured in the client,
as reported by the client.
Connects Number of times the client has connected.
Connection State Open/ Closed
The state of the communication link.
CP State Crypto period State (MIN/MAX). This is dictated by the
Recovery Window state.
MIN: All ECMs are running fine.
MAX: One or more ECMs are buffered on the server for
recovery.
Recovery Time The recovery time is time it will take until a client is in sync,
given the connection is open. If everything is OK then this
value = 0 seconds. I.e. the client is in synch.
"0s" Everything OK "1h 23m 33s" Within Recovery Window (RW), offset
is as indicated.
Outside RW" the client is outside the RW. "No subscriptions" the client has not subscribed to
any ECMs "Excluded" the client is excluded from the RW logic.
-
SW Version 3.18 9 February 2015 Page 20 of 20
Subscribed ECMs Click the link to get details state overview of all ECMs used by
this client.
6.2 ECM Monitoring
The ECM monitoring provides an overview of the state of each ECM in the system with respect to crypto period and client
associations.
This view is best understood by understanding the recovery window explained elsewhere in this document. However each ECM
has an allocated recovery buffer that can be used to cache CW/ECM pairs that can be re-transmitted to clients that has
temporarily lost connection.
The ECM Usage window lists all ECMs and the state for it. Normally the recovery buffer is empty, if not one or more clients are
not in sync. To see which clients this applies to click the Subscribed clients list.
Client info Description
SCG ID The scrambling control group id.
Name A name for the ECM, defined when creating the ECM.
Client count The number of clients that has subscribed to this ECM.
CP State Crypto period State (MIN/MAX). This is dictated by the
Recovery Window state.
MIN: The ECM is updated correctly. I.e. all connected
clients using this ECM is doing fine.
MAX: One or more client that has subscribed to this
ECM has trouble.
Recovery Time See client monitoring description above
Subscribed clients The link will list all clients that has subscribed to this particular
ecm.