...
The credential of this interface is known by all ConnectWare modules. The public interface only provides access to the provisioning endpoint (provision.sitesage.net or provisiondev.sitesage.net) over port 443. This interface should be configured as a “hidden” network. Note that hiding the SSID only removes it from casual scans; it is not a substitute for restricting this interface to the provisioning endpoint, since its credential is shared by every module.
The second SSID is designated as the secure interface; its SSID and PSK are unique to each AP. This interface provides full internet access, including traffic to push.sitesage.net or pushdev.sitesage.net.
This interface can be configured as “hidden” or “broadcast”.
...
The MAC address of the network gateway on the secure SSID that ConnectWare Modules and Equipment connect to. All messages sent to Open Kitchen include a parameter labeled gwmac carrying this MAC address. If there are multiple gateways at one location, all gwmac values should be provided to Open Kitchen.
Open Kitchen maintains a mapping table of locations and gwmac values, which is used to automatically associate equipment with a specific location.
(TBD) Open Kitchen provides a set of APIs that can be used to configure/update the interface credentials (ssid/psk), the gateway MAC address, activate a license, etc.
...
Access to the API is via a RESTful call to https://provision.sitesage.net or
https://provisiondev.sitesage.net, authenticated with an X.509 client certificate and key pair (the manufacturer/customer client cert and key provided by PhD). The server will not accept a call made without this client certificate.
The API call follows the form:
GET or POST
/provision/vsap?devid=88665a4a92c3&mac=88665a4a92c3&location_id=6270
where devid is the unique identifier of the virtual SAP device (it can be a MAC address), mac is the MAC
address of the virtual SAP device (or equivalent), and location_id is the PhD location identifier for the
location the virtual SAP is being set up for. The MAC address should not include any delimiters (twelve hex digits, as in the example).
The location_id must be known prior to submitting the API call. For initial testing, we can provide
these identifiers. For production, there are multiple approaches to providing the information. The
easiest may be to provide spreadsheets/CSV files of any newly provisioned locations within Open
Kitchen. We also have APIs that can be used to query for this information on demand.
The devid should be treated as case sensitive by the PhD API server.
A sample curl request using the provided x509 files would look like:
curl --fail --cert ./dev_customer_mfg.crt --key ./dev_customer_mfg.key \
  -o bundle.tar.gz \
  'https://provisiondev.sitesage.net/provision/vsap?devid=88665a4a92c3&mac=88665a4a92c3&location_id=6270'
The response body is a binary tarball, so write it to a file with -o rather than letting curl print it; --fail makes curl exit non-zero on a non-200 status instead of saving the error body as if it were the tarball.
Upon receiving the GET request, the server determines whether to generate a new configuration for a new
AAP device or return the existing information for a previously configured AAP device. If
the API call is not successful, a non-200 status code shall be returned.
Otherwise, the API call will generate/report an OpenVPN configuration for the AAP, which will include
the files ca.crt, client.crt, client.key, and openvpn. Additionally, the secure SSID information will be
provided in the sap_info.json file. A status code of 200 will be returned along with response data. The
response data is a gzipped tarball of these five files. The files in the tarball shall not include any directory
path information (a client should still reject any member whose name carries a path component rather than trusting this). For example, if the tarball were untarred from the command line using the zxf options,
the output would be:
ca.crt
openvpn
client.crt
client.key
sap_info.json
Because the tarball is returned as response data, there is no filename associated with the tarball; the client chooses where to store it.
The ca.crt file is the Certificate Authority for the OpenVPN server and allows the client to authenticate
that it is connecting to the expected server. The format of the ca.crt file shall be a format supported by
the OpenVPN client, typically a PEM-encoded X.509 certificate.
The client.crt file is the client's certificate, used by the server to authenticate the client. The format of
the client.crt file shall be a format supported by the OpenVPN client, typically a PEM-encoded X.509 certificate.
The client.key file is the client's private key. The private key is used by the client to attest to its
authenticity. The key shall be in a format supported by the OpenVPN client. It should be stored readable only by the OpenVPN process (root) and never copied off the device.
The ca.crt, client.crt, and client.key files need to be copied to the AAP's /etc/openvpn/ovpn0
directory or equivalent. You may end up modifying the path provided in the openvpn file to support
your implementation.
The openvpn file is the configuration of the OpenVPN client in OpenWrt Unified Configuration Interface
(UCI) syntax; on OpenWrt it is installed as /etc/config/openvpn. This file directly replaces a client.conf file written in OpenVPN configuration syntax. A
minimal valid openvpn configuration file would be:
package openvpn
config openvpn phd_config
option enabled 1
option client 1
option dev tun0
option proto tcp
option remote "secure10.sitesage.net 443"
option ca "/etc/openvpn/ovpn0/ca.crt"
option cert "/etc/openvpn/ovpn0/client.crt"
option key "/etc/openvpn/ovpn0/client.key"
In the case of the configuration for the dev environment, option remote would be
“securedev10.sitesage.net 443”.
The configuration above is the minimum the server accepts. A production client should also set option remote_cert_tls server (the OpenWrt UCI spelling of OpenVPN's remote-cert-tls directive) so that the client only accepts a peer certificate issued for server use, which prevents another client certificate signed by the same CA from impersonating the server.
The sap_info.json file will contain information in a format similar to:
{
"psk": "I(F)g4@Sk+rv0LXHJY;49iVl",
"ssid": "SecureSAP88665a4a92c3",
"sap_id": "602",
"location_id": "6270",
"sap_device_id": "88665a4a92c3"
}
The sap_device_id and location_id should mirror what was provided in the call, and the client should verify that they do before using the bundle. The ssid and psk should
be used to set up the secure interface on the customer network.
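The provisioning flow described above (build the request, call the endpoint with the customer certificate, validate the returned tarball, check that sap_info.json mirrors the request, install the files) as an added Python example. This is not PhD's, Open Kitchen's or the AAP vendor's code; it assumes the response format described above and that provisioning runs on a host with Python (a staging machine or the AAP itself). The sample bundle, the placeholder PEM bodies and PSK, and the 64 KiB per-file size cap are constructed for the example; fetch_bundle is the only function that touches the network and is not exercised offline.

```python
"""Client side of the vsap provisioning call (added example, not PhD's or
Open Kitchen's code). Assumes the response format described above: a
gzipped tarball of five bare-named files, fetched over mutual TLS."""
import io
import json
import os
import re
import ssl
import tarfile
import urllib.parse
import urllib.request

EXPECTED_FILES = {"ca.crt", "client.crt", "client.key", "openvpn", "sap_info.json"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")  # twelve hex digits, no delimiters
MAX_MEMBER_SIZE = 64 * 1024                # assumed upper bound per file


def build_provision_url(base, devid, mac, location_id):
    """Build the vsap URL; devid is passed through unchanged (case sensitive)."""
    if not MAC_RE.match(mac):
        raise ValueError("mac must be 12 hex digits with no delimiters")
    if not str(location_id).isdigit():
        raise ValueError("location_id must be numeric")
    query = urllib.parse.urlencode(
        {"devid": devid, "mac": mac, "location_id": str(location_id)})
    return base.rstrip("/") + "/provision/vsap?" + query


def fetch_bundle(url, cert_path, key_path, timeout=30):
    """GET the tarball over mutual TLS (network; not exercised offline)."""
    ctx = ssl.create_default_context()        # verifies the server certificate
    ctx.load_cert_chain(cert_path, key_path)  # customer cert and key from PhD
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        if resp.status != 200:
            raise RuntimeError("provisioning failed: HTTP %d" % resp.status)
        return resp.read()


def unpack_bundle(data, devid, location_id):
    """Validate the tarball in memory and return (files, sap_info).

    Rejects any member that is not a regular file, carries a path
    component, exceeds MAX_MEMBER_SIZE or is duplicated; then checks the
    file set and that sap_info.json mirrors devid/location_id."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar:
            if not m.isfile() or "/" in m.name or m.name in ("", ".", ".."):
                raise ValueError("rejected member: %r" % m.name)
            if m.size > MAX_MEMBER_SIZE or m.name in files:
                raise ValueError("oversized or duplicate member: %r" % m.name)
            files[m.name] = tar.extractfile(m).read()
    if set(files) != EXPECTED_FILES:
        raise ValueError("unexpected file set: %r" % sorted(files))
    info = json.loads(files["sap_info.json"])
    if info.get("sap_device_id") != devid or str(info.get("location_id")) != str(location_id):
        raise ValueError("sap_info.json does not mirror the request")
    if not info.get("ssid") or not info.get("psk"):
        raise ValueError("sap_info.json lacks ssid/psk")
    return files, info


def install_bundle(files, ovpn_dir, uci_path):
    """Write the PEM files into ovpn_dir (client.key mode 0600) and the UCI
    file to uci_path (/etc/config/openvpn on OpenWrt). Returns the paths."""
    os.makedirs(ovpn_dir, mode=0o700, exist_ok=True)
    written = []
    for name in ("ca.crt", "client.crt", "client.key"):
        path = os.path.join(ovpn_dir, name)
        mode = 0o600 if name == "client.key" else 0o644
        with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode), "wb") as f:
            f.write(files[name])
        os.chmod(path, mode)  # os.open's mode is subject to umask; enforce it
        written.append(path)
    with open(uci_path, "wb") as f:
        f.write(files["openvpn"])
    written.append(uci_path)
    return written


def pack_bundle(contents):
    """Build a gzipped tarball from {name: bytes} (used for the sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in contents.items():
            ti = tarfile.TarInfo(name)
            ti.size = len(body)
            tar.addfile(ti, io.BytesIO(body))
    return buf.getvalue()


def sample_bundle(devid="88665a4a92c3", location_id="6270"):
    """Constructed sample response; PEM bodies and PSK are placeholders."""
    info = {"psk": "placeholder-psk", "ssid": "SecureSAP" + devid, "sap_id": "602",
            "location_id": location_id, "sap_device_id": devid}
    pem = b"-----BEGIN PLACEHOLDER-----\nnot a real credential\n-----END PLACEHOLDER-----\n"
    return pack_bundle({"ca.crt": pem, "openvpn": b"package openvpn\n", "client.crt": pem,
                        "client.key": pem, "sap_info.json": json.dumps(info).encode()})
```

In practice the sequence is url = build_provision_url(...), data = fetch_bundle(url, cert, key), files, info = unpack_bundle(data, devid, location_id), install_bundle(files, "/etc/openvpn/ovpn0", "/etc/config/openvpn"), after which info["ssid"] and info["psk"] configure the secure interface. The tarball is deliberately read member by member in memory rather than with extractall: the spec promises bare filenames, but a client that extracts whatever it receives into /etc would let a malformed or substituted bundle write outside the target directory, and the mirror check on sap_device_id/location_id catches a response that belongs to a different device.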
GET or POST
/provision/listLocation?
gwmac, ssid, and psk can be submitted via the HTTPS REST API as a JSON payload.