Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Confidential Information of Silver Spring Networks, Inc., provided under nondisclosure obligations.
Copyright 2013 Silver Spring Networks, Inc. All rights reserved.
The Silver Spring Networks logo, UtilityIQ, and UtilOS are registered trademarks of Silver Spring Networks, Inc.
GridScape, CustomerIQ, and Direct-to-Grid are trademarks of Silver Spring Networks, Inc.
All other company and product names are used for identification purposes only and may be registered trademarks,
trademarks, or service marks of their respective owners.
Customer Support
Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Whats New in This Release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Using FSU-SAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Logging Into FSU-SAM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Placing the FSU into Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Removing an FSU from Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Recovering from a Partial Smart Card Personalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Refreshing Credits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Changing a Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Reviewing Credits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4. Auditing FSU-SAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
1 Introduction
TheSilverSpringNetworksFieldServiceUnit(FSU)isapowerfultoolusedbyfield
technicianstoperforminstallations,testing,andtroubleshootingofremotecommunication
moduleproblemsinelectricmetersandotherendpoints.TheFSUallowstechniciansinthe
fieldtheabilitytoissuecommandswithoutconnectivitytothebackofficeandwhenanend
pointcannototherwisebecontacted.
TheFSUwithsmartcard(FSU2.1andabove)representsasignificantsecurityupgrade.
ActionsthattheFSUwithsmartcardcanperformincludethefollowing:
Operateinasecuremode,inwhichitexchangesappropriatecryptographiccertificates
forauthenticationandauthorization.
Establishsecuremaintenancelinkswiththeseendpoints.
Limitthenumberofsecuremaintenancelinksthatcanbemade.
Upgrademeterfirmware.
Performremediationtasks(withaprivilegemanagementcertificate).
Issuedeviceautomationcommands(withappropriatecertificate)
Issueloadcontrolswitch(LCS)commands.
SecureAccessManager,orFSUSAM,isawebserviceusedinconjunctionwiththeFSUthat
letsanadministratorlimitthenumberofencryptedsecuremaintenancelinkseachFSUcan
setupwiththeCommunicationsModule(alsocalledaNetworkInterfaceCardorNIC)of
anendpointwithinaconfiguredamountoftime.
Feature/Enhancement Description
Login and The instructions for logging in and for device personalization
Personalization have been enhanced for greater clarity. See Logging Into FSU-
instructions enhanced. SAM on page 12 and Placing the FSU into Service on page 14.
Audience
TheaudienceconsistsofFSUSAMadministratorsandFSUSAMusers.Theseusersarenot
typicallyFSUendusers,butmightinsteadconsistofatrustedfieldclerkorcrewlead,or
otherrolecapableofactingasabackupresourceforsupervisorsandwhocanrefreshFSU
credits.
Related Documentation
Forinformation,seethefollowingguides:
FSUSecureAccessManager(FSUSAM)4.9InstallationGuide
CentralAuthenticationandAuthorizationService(CAAS)1.6AdministratorsGuide
FieldToolsInstallationGuide
HANCommunicationsManager1.8UserGuide
RolesandPrivilegesforCAAS,UtilityIQ,FSUSAM,andHANCommunicationsManager
KeySafev4.6AdministrationGuideforOperators
FSU-SAM Cryptography
SecureAccessManager,orFSUSAM,isawebserviceusedinconjunctionwiththeFSUthat
letsanadministratorlimitthenumberofencryptedsecuremaintenancelinkseachFSUcan
setupwiththeCommunicationsModule(NetworkInterfaceCard)ofanendpointwithina
configuredamountoftime.Thesesecuremaintenancelinksallowcriticalcommands,for
example,remotedisconnects,tobeissuedfromtheFSUtotheendpointfirmware,providing
protectionagainstFSUmisuseandpotentialsabotageofthenetwork.
Securemaintenancelinksaredifferentfromsecureassociations(usedbyCriticalOperations
Protector,forexample)inthefollowingways:
Securemaintenancelinkscannotpropagatebetweennodesindistantlocations.Any
commandsissuedfromanFSUarelimitedtoanendpointthatisdirectlyreachable.
Securemaintenancelinksexpirefasterthansecureassociations,becauseitisassumed
thattheyareintendedforanimmediatetaskrequiringarelativelyshortduration.For
thisreason,ifanFSUwithanactivesecuremaintenancelinkisleftidlefor5minutes,the
linkexpiresbydefaulttopreventpotentialmisuseoftheFSU.Thelinklifespanforan
idleFSUmaybelengthened,ifdesired,bymeansofaconfigurationinCommunications
Tester.RefertotheCommunicationsTesterUserGuide.
SecuremaintenancelinksuseRSAkeysratherthanEllipticalCurve(EC)keys.
TherearethreekeypairsforeachsecureFSU(2.1andabove):
TwosecuremaintenancelinkkeypairsGeneratedduringpersonalization.Theprivate
keysofthesetwopairsresidewithintheFSUsmartcardandthepublickeysresidein
twocertificatechainsthatFSUSAMsignsduringpersonalization.
OnesecureoperationskeypairGeneratedbythewebserver.Thepublickeyremains
onthesmartcardoftheFSU,whiletheprivatekeyisinstalledinencryptedformina
tableoftheSAMdatabase.Thekeyrequiredforencryption/decryptionresidesinaslotof
theKeySafev4.6+HSMorisinafilebasedkeystore.
BecauseFSUSAMisaWebbasedservice,afteryousignin,aJavaappletbridgesthegap
betweenthebackofficeandthesmartcardwithintheFSU.Thisallowsthebackofficeto
communicatesecurelywiththeFSU.
IfyouareahostedcustomerofSilverSpringNetworks,thiscanbedonebylookingupthe
certificatesissuedforitintheoperationlogtable,andthencontactingSilverSpring
NetworksTechnicalSupportwiththisinformation.
IfyouarealicensedcustomerusingCertWebwithKeySafe,youcanuseCertWebtogenerate
aCRLandthensupplythistoSilverSpringNetworks.Formoreinformation,contactyour
SilverSpringNetworksrepresentative.
Required Certificates
SSL Certificates
Becauseitisawebservice,FSUSAMrequiresanSSLcertificatetomaintainsecuresocket
layersecurity.Theseareobtainedfromathirdpartycertificatevendor.Forinformation,see
theinstallationdocumentation.
PKI Certificates
TheFSUmustbeauthenticatedandauthorizedtoconnecttotheSilverSpringNetworksRF
meshnetwork.Todothis,acertificateundertheSilverSpringNetworksPKIhierarchythe
FSUCertificateAuthority(FSUCA)mustbeobtainedfromSilverSpringNetworks.This
certificateissignedbytheOperatorKey,whichestablishesasignaturechainbacktothe
SilverSpringNetworksroot.
UsingtheFSUSAMapplicationasavehicle,theFSUCAissuesindividualFSUcertificates
foravarietyofpurposes,describedlaterinthistopic.
FSU-CA Policies
CertainpoliciesarebakedintothegenericFSUCAwhenitisgeneratedbythenetwork
operator.TheseincludetheabilitytoissueFSUcertificateswithrolesandprivilegesrequired
forthestandardoperationsanFSUperformsagainstanetworkendpointinthefield,suchas
meterreadsandCommunicationsModulemanagement.
However,therearealsospecialpoliciesthesystemoperatorcanincludewhengeneratingthe
FSUCAPKIprivatekeyandcertificate:
Privilegemanagement
Disconnect/reconnect
ThesepoliciesarerequiredtoissuecertificatestoFSUsdesignatedwithspecial,more
sensitivecapabilities.Unlessthesepolicieswereconfiguredwhenthecertificatewas
generated,neithertheprivilegemanagementadministratornorthestandardSAM
administratorcanpersonalizeanFSUfortheserespectivepurposes.
IfLDAPsupportwasconfigured,CAASpassestherequesttotheLDAPcustomersActive
Directory(AD)datasource(Figure1).ADlooksuptheuser(orusergroup)andpassesthe
resultbacktoCAAS.CAASdirectstheusersbrowserbacktoFSUSAM,usingaservice
ticket.FSUSAMthenverifiestheserviceticketwithCAASoverHTTPS.
Ifauthenticationwassuccessful,theuserisauthorizedtoaccessSAMaccordingtothe
privilegesgrantedintheUserRoletablesintheCAASdatabase.
WhileusernamesandprivilegesresideintheCAASdatabase,theSAMdatabasecontains
logsofthefollowinginformation:
Everyactiontakenbyeveryrole/username.
Allencrypted,secureoperationkeysforallpersonalizedFSUs.SeeFSUSAM
Cryptographyonpage6.
LDAP
HTTPS CAAS
FSU
Active
DB Directory
Oracle JDBC
SAM
USB
Back Office
Cable
User
HTTPS
SAM
Database
performingasigningtestontheFSUSAMTesttab(Table2).Neithercanperformany
personalizationtasks.
Roles
FSU-SAM Admin.:
Refresh User1
Privilege
Designates one or more FSUs in the field to act
as the privilege manager FSU; it possesses all
privileges.
Refreshes any privilege management FSUs
whose credits have expired.
Personalizes (assigns credits) and refreshes
credits on an FSU.
Can update a user password without knowing
the old password.
Can perform a test of signing or encryption on
the FSU-SAM Test tab.
Can update their own password, using old
password.
Refreshes credits on an FSU.
1.You may, optionally, want to assign the refresh responsibility to a different
user than the FSU owner (or field engineer) for security reasons.
Withtheexceptionoftheprivilegemanagementadministrator,therolesareassignedbythe
CAASadministrator.Thesystemoperator(SilverSpringNetworks,unlesstheutility
operatesitsownSilverSpringNetworkscomponents)createstheprivilegemanagement
administratorroleonbehalfoftheutility.
TheCAASrootadministrator,AMMrootadministrator,andnetworkadministratoralso
havesomeoftheseprivileges.(Fordetails,seethedocumentRolesandPrivilegesforCAAS,
UtilityIQ,FSUSecureAccessManager,andHANCommunicationsManageronSpringboardat
https://springboard.silverspringnet.comundertheDocumentation/ReleaseNotestab.)
3 Using FSU-SAM
ThefollowingtopicsdescribetheuseofFSUSAMbyadministratorsandusers:
LoggingIntoFSUSAMonpage12
PlacingtheFSUintoServiceonpage14
RemovinganFSUfromServiceonpage17
RecoveringfromaPartialSmartCardPersonalizationonpage19
RefreshingCreditsonpage19
ChangingaPasswordonpage20
ChangingaPasswordonpage20
ReviewingCreditsonpage22
Troubleshootingonpage23
Important: If your utility uses its own SSL PKI certificate, you must add the root of your
utilitys private PKI to the trusted root cache of the new JVM. Otherwise, the JVM does not
trust the SSL connection to the server and it refuses authentication. See your system
administrator.
IfyouareplugginginanFSUforthefirsttimewiththislaptoporifyoupreviously
usedFSU2.1,butyouarenowusingFSU4.0forthefirsttime,seetheFieldTools
InstallationGuideforinstructionsondriverinstallation.
Important: Before logging in, check whether or not the FSU service is running. If it is,
you must stop it. Otherwise, FSU-SAM does not connect to the smart card in the FSU.
After you are done using FSU-SAM, you should restart the FSU service, so that the other
field tools recognize the FSU.
IfyourtestenvironmentusesadifferentOperatorcertificatefromyourproduction
environment,youcanonlyusetheFSUinsecuremodeintheenvironmentforwhichit
wasinitiallypersonalized.YoucannotdepersonalizetheFSUandrepersonalizeitforthe
otherenvironment,becausetheFSUstillretainstheoriginalOperatorcertificateinits
NIC.
AsofCommunicationsTester6.4,youcanremovetheinitialOperatorcertificateinthe
NICtoallowdistributionofanewOperator,usingtheOpCert,Deletecommand.
However,FSUNICfirmwaremustbeat3.4.1orabove.Toverifywhichfirmwarelevel
yourFSUhas,usetheCommunicationsTesterImage,Listcommand.
Note: If you launch FSUSAM without the FSU attached, plug in the FSU. FSUSAM then
recognizes the smart card embedded in the FSU and you see the message: FSUpresent.
5. AccessingFSUSAM
(Upgradesonly)FromtheCAASLoginSuccessfulpage,selectFSUSAM.
(Freshinstallationsonly)
a.PointyourbrowsertotheFSUSAMURLgiventoyoubyyouradministrator:
https://SAM_HOST:SAM_SSL_HTTP_PORT
Where:
SAM_HOST=URLforFSUSAMthatyouradministratorsharedwithyou.
SAM_SSL_HTTP_PORT=PortFSUSAMwasconfiguredtorunon.
b.OntheWelcometoCentralAuthenticationandAuthorizationServicescreen,enter
theusercredentialsgivenyoubyyourCAASadministratorandclickLogin.
c.RespondtotheJavaSecurityWarningpromptDoyouwanttorunthisapplication,
byselectingIaccepttheriskandwanttorunthisapplication,thenclickRun.
If,afterclickingRun,youreceiveanexceptionmessage,itwilldescribetheproblem
encountered,sothatyoucanfixitorcancontactSilverSpringNetworksSupportfor
apromptresolution.
TheFSUSAMInformationtabappearsandshowsFSUPresentandotherdetailsabout
theFSUyouconnectedtothecomputer.
Note: Users with refresh permission may only refresh credits, as long as the certificate for the
credits has not yet expired.
ConfiguringthenumberoftimesuserscanenterthepasswordincorrectlybeforetheFSU
stopsoperating.Ifusersexceedtheconfigurednumberofretries,anadministratormust
resetthepassword.
To personalize an FSU
1. VerifywhetherornottheFSUhasbeenpersonalizedalreadybyselectingtheInfotab.
Note: If it has, you must depersonalize it before reassigning it to another user or to a different
environment (test, development, or production). See Removing an FSU from Service on
page 17.
2. SelectthePersonalizetab.
3. AssignthenumberofcreditsyouwantthisFSUtohavebytypingthatnumberinthe
AssignCreditsfield(Figure2).
Thenumbermaynotexceed65,535.Theinstallermaysetthisnumberlowerusingthe
MAXIMUM_CREDIT_COUNT=65535parameterintheoverridessam.propertiesfile.
4. IntheUserpasswordfield,enterauserpasswordandreenteritintheConfirmfield.
FSUpasswordstrengthwillhavebeendeterminedatthetimeofinstallationandfollows
oneoffourlevelsbelow:
0=(Default)FSUpasswordcanbeanycharacters.
2=Usersmustcreateapasswordconsistingoftwoofthecategories.
3=Usersmustcreateapasswordconsistingofthreeofthecategories.
4=Usersmustcreateapasswordconsistingoffourofthecategories.
Ifyoutypeapasswordthatconflictswiththepasswordstrengthrule,FSUSAMdisplays
anerrormessage.
ThenewpasswordismaskedinboththeUserpasswordandConfirmfields.
Important: Make sure to write down the password, because the FSU user must know it
to execute secure commands.
5. (Optional)Ifavailable,indicatewhetherornotthecertificateofthisFSUshouldhaveany
ofthefollowingprivileges:
FirmwareUpdateControlsimageoperations,includingupgrades.
Disconnect/ReconnectDisconnects/reconnectsservice.
DistributionAutomationAbilitytoexecutecommandsagainstthe
CommunicationsModuleinaneBridgeortheSentientFaultCircuitIndicator(FCI).
Note: Distribution Automation (DA) configuration requires that you also have the DA role.
MeterConfigGrantspermissiontoconfigureanyendpoint,notjustthemeter.
PrivilegeManagementGrantsauthoritytoremoveoperatorcertificatesorto
rewritetheprivilegetableforcommandsexecutedwithintheCommunications
Module.
Becauseofthesecurityrisk,whenenabled,thePrivilegeManagementcheckbox
defaultstounchecked.Tomitigaterisk,privilegemanagementadministratorsshould
limitthenumberofcreditsthisFSUcanusetoaverysmallnumber.
Anotherbestpracticeistoreducethecertificatelifespantooneweekorless.
LocalLCSControlPermissiontoexecuteloadcontrolcommandsagainstthe
CommunicationsModuleinaloadcontrolswitch.
Note: These selections appear enabled on the Personalize tab only if a certificate was
generated by the network operator that contains one or more of these privileges.
6. UsethesliderunderOptionstosetthemaximumnumberoftimestheusercantryto
entertheirpasswordunsuccessfullybeforetheFSUlockstheuserout.
7. IntheValidityPeriodbox,indicatethenumberofdaysthecertificateshouldremain
valid.
Thedefaultmaximumvalidityperiodis360days,butinstallersmayreducethisusingthe
parameterMAXIMUM_VALIDITY_PERIOD.
8. ClickPersonalize.
Note: The Personalize button becomes accessible only after you assign credits. See Step 3.
Thefollowingstatusmessagesappearatthepage:
Installingapplet
GeneratePrivateKeysonCard
Theprogramgeneratesanumberofmessagesandwhentheprocessisfinallycomplete,
thefollowingappears:
PersonalizationSuccessful
Theprocessshouldnottakelongerthanaboutfiveminutes.
ReceiptofthePersonalizationSuccessfulmessageisareliableindicatorthatthe
personalizationwasaccepted.
9. Toverifythecreditsassigned,gototheInfotab(ReviewingCreditsonpage22).
Ifasystemcausedanincompletepersonalization,seeRecoveringfromaPartialSmart
CardPersonalizationonpage19.
Note: The Test tab does not test personalization, but rather whether or not the smart chip
inside the FSU is able to encrypt and decrypt data. For information about use of the Test tab,
see Troubleshooting on page 23.
Afterpersonalizationiscomplete,theFSUisreadytobeunpluggedandtakentothe
field.
Itisimportanttonotethat,afterdepersonalization,thereisstillacertificatecacheintheNIC
oftheFSUthatisnotremovedwhenyouclearordepersonalizetheFSU.Ifyouwanttouse
theFSUinadifferentenvironmentforexample,productioninsteadoftestyoumust
deletethesecertificatestoo.ThisisdonethroughacommandinCommunicationsTester6.4,
requiringfirmwareintheFSUbeat3.4.1orabove.
To depersonalize an FSU
1. OnthePersonalizetab,clickDepersonalize(Figure3).
Amessageappears,stating:
ThiswilldeletetheFSUscertificatesandremoveallcredits.
OKCancel
2. Tocontinue,clickOK.
Thefollowingstatusmessagesappearatthebottomofthepage:
FetchedUID
Depersonalized
Note: The Depersonalize button becomes accessible only after successful personalization of
the FSU. After depersonalization, the button becomes unavailable for use until the FSU is
repersonalized. If you are unable to depersonalize the FSU, verify that it was previously
personalized.
To remove the Smart Card applet and its certificates (FSU 2.1 only)
1. FromthePersonalizetab,clickClearFSU.
Atextboxappears,stating:
ThiswillreturntheFSUtofactorycondition,removingtheappletand
allcredits.
OKCancel
2. ToreturntheFSUtoitsoriginalfactorysetting,clickOK.
Thefollowingstatusmessagesappear:
Clearingcard
Selectdevice
Thisdeletestheappletandthecertificatefromthesmartcard.TheStatusboxattopright
thendisplaysthemessage,showninFigure4:
FSUnotinitialized.
Figure 4. Status message after removing the applet
Refreshing Credits
Bothadministratorsandrefreshuserscanrefreshthenumberofcredits(numberoftimes
thatasecuremaintenancelinkcanbecreated)backtotheamountissuedatthetimeof
personalization(Figure5).
Forinformationabouthowtoinitiallysetthenumberofcredits,seePlacingtheFSUinto
Serviceonpage14.
Changing a Password
Fromtimetotime,administratorsorusersmayneedtochangethesmartcardpassword.For
example,autilityemployeemightissueanFSUwithadefaultpassword,writtenonapiece
ofpaperorinemail,toafieldtechnician,whothenneedstochangeitforsecurityreasons
andtopersonalizeitforhisorheruse.
Note: This password is the same one that CATT and other field tools prompt for when a user logs
in. It is used to access the private keys within the FSU that are required to make secure
maintenance links with meters and other endpoints.
Note: Password strength rules apply in creating a new password. For more information, see
Placing the FSU into Service on page 14.
3. IntheConfirmfield,reenterthepassword.
TheChangepasswordbutton(showngrayedoutinFigure6)nowbecomesavailable.
4. ClickChangepassword.
Thefollowingmessageappearsatthebottomofthepage:
Successfullychangedpassword
Note: Password strength rules apply in creating a new password. For more information, see
Placing the FSU into Service on page 14.
4. IntheConfirmfield,reenterthepassword.
TheChangepasswordbutton(showngrayedoutinFigure6)nowbecomesavailable.
5. ClickChangepassword.
Thefollowingmessageappearsatthebottomofthepage:
Successfullychangedpassword
Note: Users cannot update their password if they have been locked out of FSU-SAM due to
exceeding the configured number of allowed unsuccessful login attempts.
Reviewing Credits
TheInformationtabshowsyouhowmanycredits(securemaintenancelinks)theFSUhas
remaininginwhichtoissuecriticalcommandsbeforearefreshisneeded,amongother
information(Figure8).
Figure 8. Information tab, showing FSU privilege management status
WiththemostrecentFSUsmartcards,FSUSAMalsodisplaystheappletID(AppletOID).
Thefielddoesnotappearwitholdersmartcards.
Table3describesthefieldsontheInformationtab.
Field Description
Version FSU-SAM Administration version.
Terminal Text string describing smart card manufacturing information.
Card Text string describing smart card manufacturing information.
Applet OID Identification of the applet in the smart card.
Appears only in FSU-SAM only when newer smart cards are
present in an FSU. The ID is for information only and does
not affect operation.
Certs Expire Date and time the certificates for this FSU smart card expire.
FSU MAC Mac address of the FSU you have plugged into your
computer.
Field Description
FSU Roles Privileges assigned to the holder of the FSU smart card who
is logged into SAM. These consist of:
Firmware UpdateAuthorized to update FSU firmware
Meter ConfigAuthorized to configure meters and other
endpoints
Disconnect/ReconnectCan issue disconnect and
reconnect commands
Privilege Management
FSUCertificate belongs to an FSU
Load Control SwitchAuthorized to create and cancel
load control events
Personalized Indicates whether or not the connected FSU has been
personalized: yes or no
UID UID (Unique ID) is a random, unique value assigned each
time the card is personalized. The UID can be traced
through the SAM log in the database, if needed.
Signing Signing occurs once during establishment of a maintenance
link.
This is a counter that indicates how many credits remain for
signing a certificate out of the number that was originally
assigned (for example, 2 remaining, 4 total).
This decrements every time a maintenance link is
established.
Decryption Decryption occurs once during establishment of a
maintenance link over link-layer security.
This is a counter that indicates how many credits remain for
decryption out of the number that was originally assigned.
This decrements every time a maintenance link is
established.
Troubleshooting
YoumaybeaskedbySilverSpringNetworksfromtimetotimetoperformtestsonFSU
SAMtotroubleshootproblems.Forexample,youmaybeaskedtotesttheabilityoftheFSU
toperformencryptionordecryption.Alternatively,youmaywanttoreviewissued
certificates.
Thesigningcertificatecanbeusedtosignmessages,whiletheencryptioncertificatecanbe
usedtodecryptencryptedmessages.Thesigningtestgivesthesmartcarddatatosign,then
verifiesthatthesignatureiscorrect.
Theencryptiontestpassesdatatothesmartcardfordecryption,thenvalidatesthatthe
decrypteddataisthesameasthecleartextdata.
2. IntheEnterpasswordfield(withintheCryptoTestsarea),typethepasswordforthe
connectedFSU.
3. ClickeitherTestSigningorTestEncryption.
Afterthetesthasfinishedrunningsuccessfully,theprogressmeteratthebottomofthe
pagemovestothefarrightandstatusmessagesappear,stating:
Loggedin
Successfultest
Otherwise,anerrormessageappears,describingthenatureofthefailure.
To review certificates
1. GotheTesttab.
2. FromtheSelectcertificatemenuunderDownloadCertificates,selectthetypeof
certificatechaintodownload:
Signingcertificatechain
Cryptocertificatechain
3. ClickFetchCertificate.
Note: When you fetch a new chain, the previous chain is overwritten.
TheselectedcertificatechainappearsintheCertcontentpane.
4. Tocopyandpastetheinformationintoatextfileoraterminalwindowforfuture
troubleshootinguse,selectthetextintheCertcontentpaneandrightclickit.
TheCopyoptionboxappears.
5. Selectthis,thenpastethecopiedcertificatechainfromtheclipboardtoyourtextfileor
terminalwindowforreview.
6. ToclearthecontentsoftheCertContentpane,reloadpageinyourbrowser.
4 Auditing FSU-SAM
FSUSAMactivityisloggedtoatableintheSAMschemacalledfsu_sam_operation_log
(Table4).Thistablecanonlybewrittentoifyouaretheschemaowner.TheSAMapplication
usercanperforminsertionsandselectionsonly.FSUSAMdoesnotstorelogins.
YoumayusestandardOraclereportingtoolstoreadthistable,shouldyouwanttodoso.
FSUSAMdoesnotpresentlydelete,archive,orperformanyothertablemaintenance
functions.Also,FSUSAMalsohasnomechanismatthistimeformonitoringthetable.
Table5describesthenamecolumncontents.