Developer Guide Release

Over the Air Update of Security Files
Downloads Using the Communications Virtual Machine
Supported Files
Generating Security Configuration Files
Generating TLS Security Configuration Files
The Security Services on the target platform are accessible using the whole system firmware update or the OTA interface.
The OTA interface allows for:
Controlled access to the configuration files that are pushed to the Service
Access to the Security logs to be extracted from the Service.
Downloads Using the Communications Virtual Machine
The security config and TLS security files can be downloaded directly to the Communications partition, then pushed to the Security partition.
In this case, the download is available at:
Supported Files
The supported files are as follows:
To push the files to the security partition
1. Execute the command:
nvsecpush /userdata/otavmclient/download/<filename>
2. After transferring the file, remove it from the download directory.
Removal of the file is not automatically performed.
Generating Security Configuration Files
The Security configuration files are bundled with the release files. They can be manually generated using the Configuration Tool.
Generating TLS Security Configuration Files
The TLS security configuration files are created by using OpenSSL.
For details, consult the OpenSSL website at:
To install Openssl on Linux
1. Navigate to the /home directory and execute these commands:
wget https://www.openssl.org/source/openssl-1.1.1.tar.gz
tar -xvzf openssl-1.1.1.tar.gz
cd openssl-1.1.1
./config --prefix=/usr/
sudo make install
2. Add the installed tool to your PATH:
export PATH=$PATH:$HOME/openssl-1.1.1/apps
To verify the installation is successful
Execute the command:
openssl version
The system returns:
OpenSSL 1.1.1 11 Sep 2018
To create the TLS Proxy server certificate files
This procedure describes how to create the following files:
1. Create a new directory. For example, $HOME/tls_cert/, then navigate to the newly created directory.
2. Execute these commands:
sudo perl $HOME/openssl-1.1.1/apps/CA.pl -newca
For each of these commands, identify the PEM pass phrase, Country code, State, Common Name etc.
The PEM pass phrase must be the same as the pwd phrase in the security.config file.
The server certificate file must be added to the trusted certificates in the Guest OS; otherwise, the connection is NOT trusted.
If all the information has been entered successfully, the directory now contains the following files and subdirectories:
demoCA/careq.pemdemoCA/certs -empty
demoCA/crl -empty
demoCA/newcerts/xxxxxxxxxxxx.pem -Root ca certificate
To rename the files
Once the certificate files have been generated, they must be renamed to match the naming convention for the Security Services as follows:
demoCA/private/cakey.pem -> ca_key.pem
demoCA/cacert.pem -> ca_cert.pem
When generating a new TLS proxy ca_key.pem or new ca_cert.pem , the user must ensure the certification information (from ca_cert.pem) is added to the local certificate storage on the Guest OS.
For example, for a Linux Guest OS, the user must update/add the security information to the file:
Or add the security information as a separate file/link at the certs directory at:
TLS Proxy CA certificate list
The Certificate Authority Trust chain file is likely to require frequent updates because it contains the certificate authentication details for the signing Certificate Authorities. The data for this file is available at:
The certificate collection is kept in a proprietary format and must be converted before it can be loaded into any OpenSSL libraries.
For example, by using this Curl project tool:
The Curl project provides a ready available version in .pem format at:
Once downloaded, or generated, the file must be in the .pem format and renamed to tls_client_ca_chain.pem
If there are any local certificates that are used on the system, they must be manually added to the tls_client_ca_chain.pem file; otherwise the TLS proxy is not trusted by the remote server.