CA Proxy Solution
SW Version 3.18
9 February 2015
Change log
Date      Revision  Who  What
1.9.12    1.0       PMJ  Initial revision
1.10.13   1.1       PMJ
Table of Contents
1 INTRODUCTION
1 Introduction
This user's manual is intended as a supplement to the general user's manual. It describes the
CA proxy solution only.
This manual is divided into two sections. The first aims to explain the solution that has been
developed, while the second section explains how to configure the system using the WEB
interface.
The customer's system today consists of multiple cable networks fed through a satellite
distribution channel. All conditional access is handled centrally, and all encryption/scrambling
is handled at the main head-end.
Now the operator wants to expand the offering to the cable customers, but there is no more
capacity over the satellite link. The solution is to turn around services from other satellite
distributors locally at the remote head-ends. This can be done in a traditional fashion, but
these added services will then have to be encrypted into those cable networks.
This manual describes a system that can distribute a Simulcrypt interface in a proxy
fashion from a centralized head-end to multiple remotely located head-ends. The solution
takes into account the security requirements with regard to the media of distribution.
[Figure 1 CA proxy Architecture. Labels: Main headend (CAS, SCS, Proxy); Internet; CW/ECM; SCS Slave/Scrambler in Regional network 1 to Regional network n.]
CA_PROXY server: This card will request a CW/ECM pair from the SCS_Master card
for each individual SCG_ID (Access Criteria). These pairs will then be transferred to
the connected clients.
CA_PROXY_client: The scrambler card running in the regional head-ends. This card
[Figure: message flow between the Central Headend and the Regional Headend. Labels: CAS, SCS, MMI, Master, CA proxy server, DVBS In, IP Out. Messages: CW_Prov (1, 5), ECM_Req(1), ECM(1,5), CW + ECM(1,5).]
Note: Although the clients will initially use their local CP numbering scheme, the CA proxy server
will push down the CP numbering scheme from the Master SCS, so in the end all clients will
be synchronized to the same crypto period. In the above, the client initially requests an ECM
for CP=12; the returned value is CP=5.
In the GUI, define the IP address and the corresponding net mask for the VPN tunnel.
This causes the system to generate a VPN configuration file on the CA_PROXY_server
card with the IP address and subnet defined.
The generation of the certificate files must be handled externally from the
AppearTV environment.
Define each client to be allowed access. This access list will add an extra layer of
security, where the serial number of the CA_PROXY_client cards is the identifier.
The client shall now be ready. In the case of a redundant CA_PROXY_server unit you will
need to define two CA_PROXY server IP addresses. Note that in a redundant
configuration the CA_PROXY_client will not open a tunnel to the backup CA_Proxy_server
until a redundancy switch is performed.
For server(s):
o ca.crt
o server.key
o server.crt
o dhXXXX.pem
For clientX:
o ca.crt
o clientX.key
o clientX.crt
Server/client certificate: "XXX.crt"
Server/client key: "XXX.key"
Admin->ca_proxy_client->install certificate
Upon completion the system will list the files that were successfully installed.
NOTE: If the required files are not present this will generate an alarm indicating which files
are not installed.
NOTE: If more than one proxy server is defined for a client, make sure that those servers
have the same certificates installed.
This is the control port of the CA proxy card, to which all the
remote clients should establish a VPN connection.
IP address
Gateway Address
Subnet mask
This defines the virtual network address space for the VPN tunnel.
This is the address to which the VPN clients will connect. Note
that this address will not be visible to the user in the client
configuration. The client configuration will configure the External
Proxy Address only. This network address will be resolved locally
by the remote clients via information available in the VPN
environment.
This address is resolved from the VPN IP Network Address and
the Max number of clients.
This mask is resolved from the VPN IP Network Address and the
Max number of clients
This is the network address of the VPN network. The value accepted for
this address also depends on the number of clients parameter.
Defines the number of clients that the VPN network shall be able
to handle. The larger the number, the wider the network mask will be.
NOTE: Do not use network 192.168.0.x mask 255.255.255.0. This is a reserved network for
internal usage.
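The relationship between the VPN network address, the maximum number of clients and the reserved 192.168.0.x network can be checked before the values are entered in the GUI. The following is an added example, not code from the product: the function name, the sizing rule (one address per client, one for the server, plus network and broadcast addresses) and the choice of the first host address for the server are assumptions, since the manual does not state the exact rule the system uses.

```python
import ipaddress

# The manual's NOTE reserves 192.168.0.x / 255.255.255.0 for internal usage.
RESERVED = ipaddress.ip_network("192.168.0.0/24")


def plan_vpn_network(network_address, max_clients):
    """Derive the mask and server address for a VPN network.

    Assumed sizing rule (not stated in the manual): one address per client,
    one for the server, plus the network and broadcast addresses.
    """
    if max_clients < 1:
        raise ValueError("max_clients must be at least 1")
    needed = max_clients + 3
    host_bits = (needed - 1).bit_length()  # smallest block holding `needed`
    if host_bits > 30:
        raise ValueError("too many clients for an IPv4 network")
    prefix = 32 - host_bits
    addr = ipaddress.IPv4Address(network_address)
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    # More clients means a wider mask, so fewer addresses are valid starts.
    if net.network_address != addr:
        raise ValueError(
            f"{addr} is not a /{prefix} network address; "
            f"use {net.network_address}")
    # Conservative: reject any overlap with the reserved range, not only
    # an exact match.
    if net.overlaps(RESERVED):
        raise ValueError(f"{net} overlaps reserved network {RESERVED}")
    return {
        "network": str(net),
        "mask": str(net.netmask),
        "server": str(net.network_address + 1),  # assumed: first host address
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the manual.
    for address, clients in [("10.8.0.0", 50), ("10.8.0.32", 50),
                             ("192.168.0.0", 10)]:
        try:
            print(address, clients, plan_vpn_network(address, clients))
        except ValueError as err:
            print(address, clients, "rejected:", err)
```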
Client Attribute
Name
Serial Number
Connection
Recovery Window
Click the edit icon (the pencil) and the multiple client edit dialog appears.
The ECM is the link between an access criteria and the SCG_ID. For further details on how to
configure the SCS card please refer to the standard user's manual.
Note: When the clients are configured later they do not relate to an access criteria, but to
the SCG_ID only.
Recovery window
Slot
Clients
Minimum CP
Maximum CP
How long a crypto period the system shall allow when remote
clients are failing to communicate.
The network defined for the VPN network at the CA proxy server
CA proxy connection
CA proxy External Access IP
CAS ID
Sub ID
State
Note: The VPN certificates must be installed to establish connection to the server.
Redundancy->CA
Redundant CA proxy
IP
Port
Channel
CAS Sub id
Define ECMs
Stream id
Name
ECM Generator
SCG_ID
Private data
All services which use this ECM for the scrambling will try to
use the preferred ECM PID value if possible. It may clash with
other PIDs in the service, and then it will be remapped to
another value. See the description of the component type
mapping feature on the output service configuration for more
options on how to control the output PID line-up. This is
described in the standard user's manual.
6 System monitoring
6.1 Client Monitoring
Client monitoring aims to give the operator as much information as possible about a connected client.
Client info
Description
Name
Serial Number
Software Version
Redundancy Mode
Connects
Connection State
Open/ Closed
The state of the communication link.
CP State
Recovery Time
"0s": Everything OK.
"1h 23m 33s": Within Recovery Window (RW), offset is as indicated.
"Outside RW": The client is outside the RW.
"No subscriptions": The client has not subscribed to any ECMs.
"Excluded": The client is excluded from the RW logic.
Subscribed ECMs
Click the link to get a detailed state overview of all ECMs used by
this client.
This view is best understood by understanding the recovery window explained elsewhere in this document. However, each ECM
has an allocated recovery buffer that can be used to cache CW/ECM pairs that can be re-transmitted to clients that have
temporarily lost connection.
The ECM Usage window lists all ECMs and the state of each. Normally the recovery buffer is empty; if it is not, one or more clients are
not in sync. To see which clients this applies to, click the Subscribed clients list.
Client info
Description
SCG ID
Name
Client count
CP State
Recovery Time
Subscribed clients
The link will list all clients that have subscribed to this particular
ECM.
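The Recovery Time values listed under Client Monitoring ("0s", "1h 23m 33s", "Outside RW", "No subscriptions", "Excluded") can be turned into a list of clients that need operator attention. The following is an added example, not code from the product: the function names and the row layout are assumptions, the rows are constructed sample data, and the values are assumed to have been copied from the monitoring page.

```python
import re

_DURATION = re.compile(r"^(?:(\d+)h)?\s*(?:(\d+)m)?\s*(?:(\d+)s)?$")
_FIXED = {
    "outside rw": "outside_rw",
    "no subscriptions": "no_subscriptions",
    "excluded": "excluded",
}

def parse_recovery_time(value):
    """Return (state, offset_seconds) for one Recovery Time cell."""
    text = value.strip().strip('"').strip()
    if text.lower() in _FIXED:
        return _FIXED[text.lower()], None
    match = _DURATION.match(text)
    if not match or not any(match.groups()):
        raise ValueError(f"unrecognised Recovery Time value: {value!r}")
    hours, minutes, seconds = (int(g or 0) for g in match.groups())
    offset = hours * 3600 + minutes * 60 + seconds
    return ("in_sync" if offset == 0 else "within_rw"), offset

def clients_needing_attention(rows):
    """rows: (name, connection_state, recovery_time) tuples."""
    findings = []
    for name, connection, recovery in rows:
        state, offset = parse_recovery_time(recovery)
        if state == "excluded":
            continue  # choice made for this example: skip excluded clients
        if connection.strip().lower() == "closed":
            findings.append((name, "link closed"))
        if state == "outside_rw":
            findings.append((name, "outside recovery window"))
        elif state == "within_rw":
            findings.append((name, f"recovering, offset {offset}s"))
        elif state == "no_subscriptions":
            findings.append((name, "no ECM subscriptions"))
    return findings

# Constructed sample rows, not taken from a real system.
SAMPLE = [
    ("regional-1", "Open", "0s"),
    ("regional-2", "Open", "1h 23m 33s"),
    ("regional-3", "Closed", "Outside RW"),
    ("regional-4", "Open", "No subscriptions"),
    ("lab-unit", "Closed", "Excluded"),
]

if __name__ == "__main__":
    for finding in clients_needing_attention(SAMPLE):
        print(finding)
```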