
FSU-Secure Access Manager

(FSU-SAM) 4.9 User Guide

Silver Spring Networks


555 Broadway Street
Redwood City, CA 94063
www.silverspringnet.com

FSU-SAM User Guide 4.9 7 October 2013 Silver Spring Networks 1


FSU-SAM User Guide 4.9

Confidential Information of Silver Spring Networks, Inc., provided under nondisclosure obligations.
Copyright 2013 Silver Spring Networks, Inc. All rights reserved.
The Silver Spring Networks logo, UtilityIQ, and UtilOS are registered trademarks of Silver Spring Networks, Inc.
GridScape, CustomerIQ, and Direct-to-Grid are trademarks of Silver Spring Networks, Inc.
All other company and product names are used for identification purposes only and may be registered trademarks,
trademarks, or service marks of their respective owners.

Please consider the environment before printing this document.

Customer Support

US and Canada
  Telephone: Toll free within the US and Canada: 1-888-SSN-9876 (1-888-776-9876)
             Non-toll-free: 1-650-298-4298
  Hours:     5:00 AM - 6:00 PM US Pacific Time
  Email:     support@silverspringnet.com

Australia
  Telephone: In Australia: 1300 706 769
  Hours:     9:00 AM - 9:00 PM Australia Eastern Time
  Email:     aus-support@silverspringnet.com

Contact us on the Web: http://www.silverspringnet.com/services/customer-support/


Contents
1. Introduction
   What's New in This Release
   About This Guide
   Audience
   Related Documentation

2. How FSU-SAM Works
   FSU-SAM Cryptography
   Deciding the Certificate Validity Period
   Deciding the Number of Credits to Assign an FSU
   Preventing an FSU From Being Refreshed
   Required Certificates
      SSL Certificates
      PKI Certificates
   FSU-CA Policies
   Authentication and Authorization
   Types of Administrators and Users
   Privilege Management FSUs

3. Using FSU-SAM
   Logging Into FSU-SAM
   Placing the FSU into Service
   Removing an FSU from Service
   Recovering from a Partial Smart Card Personalization
   Refreshing Credits
   Changing a Password
   Reviewing Credits
   Troubleshooting

4. Auditing FSU-SAM


1 Introduction
The Silver Spring Networks Field Service Unit (FSU) is a powerful tool used by field
technicians to perform installations, testing, and troubleshooting of remote communication
module problems in electric meters and other endpoints. The FSU gives technicians in the
field the ability to issue commands without connectivity to the back office and when an
endpoint cannot otherwise be contacted.
The FSU with smart card (FSU 2.1 and above) represents a significant security upgrade.
Actions that the FSU with smart card can perform include the following:
• Operate in a secure mode, in which it exchanges appropriate cryptographic certificates
  for authentication and authorization.
• Establish secure maintenance links with these endpoints.
• Limit the number of secure maintenance links that can be made.
• Upgrade meter firmware.
• Perform remediation tasks (with a privilege management certificate).
• Issue device automation commands (with appropriate certificate).
• Issue load control switch (LCS) commands.
Secure Access Manager, or FSU-SAM, is a web service used in conjunction with the FSU that
lets an administrator limit the number of encrypted secure maintenance links each FSU can
set up with the Communications Module (also called a Network Interface Card or NIC) of
an endpoint within a configured amount of time.

What's New in This Release

Table 1 describes the new FSU-SAM features in this release.

Table 1. New FSU-SAM features in version 4.9

Feature/Enhancement        Description
Login and                  The instructions for logging in and for device personalization
Personalization            have been enhanced for greater clarity. See Logging Into FSU-SAM
instructions enhanced.     on page 12 and Placing the FSU into Service on page 14.

About This Guide

This guide is intended to explain how to use FSU-SAM from the standpoint of an FSU-SAM
administrator and an FSU-SAM user. For a definition of these roles, see Audience and Types
of Administrators and Users on page 9.


Audience
The audience consists of FSU-SAM administrators and FSU-SAM users. These users are not
typically FSU end users, but might instead consist of a trusted field clerk or crew lead, or
other role capable of acting as a backup resource for supervisors and who can refresh FSU
credits.

Related Documentation
For information, see the following guides:
• FSU-Secure Access Manager (FSU-SAM) 4.9 Installation Guide
• Central Authentication and Authorization Service (CAAS) 1.6 Administrator's Guide
• Field Tools Installation Guide
• HAN Communications Manager 1.8 User Guide
• Roles and Privileges for CAAS, UtilityIQ, FSU-SAM, and HAN Communications Manager
• KeySafe v4.6 Administration Guide for Operators


2 How FSU-SAM Works


This document has the following topics:
• FSU-SAM Cryptography on page 6
• Deciding the Certificate Validity Period on page 7
• Deciding the Number of Credits to Assign an FSU on page 7
• Required Certificates on page 8
• FSU-CA Policies on page 8
• Authentication and Authorization on page 8
• Types of Administrators and Users on page 9
• Privilege Management FSUs on page 11

FSU-SAM Cryptography
Secure Access Manager, or FSU-SAM, is a web service used in conjunction with the FSU that
lets an administrator limit the number of encrypted secure maintenance links each FSU can
set up with the Communications Module (Network Interface Card) of an endpoint within a
configured amount of time. These secure maintenance links allow critical commands, for
example, remote disconnects, to be issued from the FSU to the endpoint firmware, providing
protection against FSU misuse and potential sabotage of the network.
Secure maintenance links are different from secure associations (used by Critical Operations
Protector, for example) in the following ways:
• Secure maintenance links cannot propagate between nodes in distant locations. Any
  commands issued from an FSU are limited to an endpoint that is directly reachable.
• Secure maintenance links expire faster than secure associations, because it is assumed
  that they are intended for an immediate task requiring a relatively short duration. For
  this reason, if an FSU with an active secure maintenance link is left idle for 5 minutes, the
  link expires by default to prevent potential misuse of the FSU. The link lifespan for an
  idle FSU may be lengthened, if desired, by means of a configuration in Communications
  Tester. Refer to the Communications Tester User Guide.
• Secure maintenance links use RSA keys rather than Elliptic Curve (EC) keys.
There are three key pairs for each secure FSU (2.1 and above):
• Two secure maintenance link key pairs: generated during personalization. The private
  keys of these two pairs reside within the FSU smart card and the public keys reside in
  two certificate chains that FSU-SAM signs during personalization.

• One secure operations key pair: generated by the web server. The public key remains
  on the smart card of the FSU, while the private key is installed in encrypted form in a
  table of the SAM database. The key required for encryption/decryption resides in a slot of
  the KeySafe v4.6+ HSM or is in a file-based keystore.
Because FSU-SAM is a Web-based service, after you sign in, a Java applet bridges the gap
between the back office and the smart card within the FSU. This allows the back office to
communicate securely with the FSU.

Deciding the Certificate Validity Period

As part of a corporate security policy, administrators must decide the length of time the
certificate assigned to an FSU can exist before expiring. The validity period is determined by
the administrator at the time of FSU personalization, or repersonalization.
When an FSU is personalized it is assigned a specific number of secure maintenance links
(called credits) during which the engineer can issue critical commands against an endpoint.
These credits may be refreshed multiple times as long as the certificate created at the time of
personalization has not yet expired. When that occurs, the administrator must repersonalize
the FSU, assigning a new certificate for a particular duration. Otherwise, a secure
maintenance link cannot be established between the FSU and the endpoint.
The default maximum validity period for a certificate is 365 days. However, Silver Spring
Networks recommends that administrators not assign a certificate validity period to any FSU
that lasts longer than 90 days. The maximum validity period may be adjusted during
pre-installation configuration.

Deciding the Number of Credits to Assign an FSU

A secure FSU is a kind of roving back office. It is for this reason that we suggest the following
stringent security precautions:
• Administrators should assign only enough credits to last one day or should, at least,
  assign so few that the FSU must be refreshed fairly frequently.
• If an engineer is in the field for extended periods of time, a refresh can be performed
  when the engineer using the FSU has access to the individual with responsibility for
  refreshing its credits.
If this proves inconvenient or difficult in some cases, your utility must weigh the tradeoff
between convenience and security and assess the level of risk you are comfortable in taking.

Preventing an FSU From Being Refreshed

Should administrators ever need to revoke the capability of an FSU to be refreshed, they can
delete this FSU from the fsu_sam_fsu_key_table, located in the FSU-SAM database.
This means that when the FSU runs out of its previously assigned credits or if the password
entry limit is exceeded, the FSU is no longer operational. This state applies only to the FSU
that was deleted from the previously mentioned table.
If you find that you must lock out an FSU immediately, you must issue a certificate
revocation list (CRL) to revoke its certificates.

If you are a hosted customer of Silver Spring Networks, this can be done by looking up the
certificates issued for it in the operation log table, and then contacting Silver Spring
Networks Technical Support with this information.
If you are a licensed customer using CertWeb with KeySafe, you can use CertWeb to generate
a CRL and then supply this to Silver Spring Networks. For more information, contact your
Silver Spring Networks representative.
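
The credit, expiry and revocation rules from "Deciding the Certificate Validity Period" through "Preventing an FSU From Being Refreshed", as an added Python model that is not part of the original guide or of FSU-SAM itself. The class, field and function names and the links_per_day estimate are assumptions made for illustration, and the model treats a CRL as already in effect.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RECOMMENDED_MAX_VALIDITY_DAYS = 90   # guide: no FSU certificate longer than 90 days
PRIV_MGMT_MAX_VALIDITY_DAYS = 7      # guide: one week or less for privilege management


@dataclass
class Fsu:
    """Constructed model of one personalized FSU; field names are hypothetical."""
    default_credits: int          # credits assigned at personalization
    not_after: datetime           # expiry of the personalization certificate
    credits: int = 0              # credits currently left on the smart card
    in_key_table: bool = True     # FSU still has its row in the SAM key table
    revoked: bool = False         # FSU certificates are on a CRL that is in effect

    def open_link(self, now: datetime) -> bool:
        """Spend one credit on a secure maintenance link, if the rules allow it."""
        if self.revoked or now >= self.not_after or self.credits <= 0:
            return False
        self.credits -= 1
        return True

    def refresh(self, now: datetime) -> bool:
        """Recharge to the default level; needs the key-table row and a live certificate."""
        if not self.in_key_table or now >= self.not_after:
            return False
        self.credits = self.default_credits
        return True


def residual_exposure(fsu: Fsu, now: datetime):
    """Return (links still possible without a refresh, time they stop working)."""
    if fsu.revoked or now >= fsu.not_after:
        return 0, now
    return fsu.credits, fsu.not_after


def review_personalization(credits, validity_days, privilege_mgmt=False,
                           links_per_day=20):
    """Flag settings that exceed the guide's recommendations.

    links_per_day is an assumed estimate of one day's work, supplied by the utility.
    """
    findings = []
    limit = PRIV_MGMT_MAX_VALIDITY_DAYS if privilege_mgmt else RECOMMENDED_MAX_VALIDITY_DAYS
    if validity_days > limit:
        findings.append(f"validity {validity_days}d exceeds recommended {limit}d")
    if credits > links_per_day:
        findings.append(f"{credits} credits exceed one day's estimated need ({links_per_day})")
    return findings


def demo():
    """Constructed scenario: an FSU goes missing on day 3 of a 90-day certificate."""
    start = datetime(2013, 10, 7, 8, 0)
    fsu = Fsu(default_credits=40, not_after=start + timedelta(days=90), credits=40)
    for _ in range(10):                      # ten links used before the loss
        fsu.open_link(start + timedelta(days=1))
    lost = start + timedelta(days=3)

    fsu.in_key_table = False                 # control 1: delete the key-table row
    after_delete = residual_exposure(fsu, lost)
    refreshed = fsu.refresh(lost)            # refresh is now refused

    fsu.revoked = True                       # control 2: CRL revokes the certificates
    after_crl = residual_exposure(fsu, lost)
    return after_delete, refreshed, after_crl


if __name__ == "__main__":
    print(demo())
    print(review_personalization(credits=500, validity_days=365))
```

In the constructed scenario, deleting the key-table row leaves the credits already on the card usable until the certificate expires, which is why the guide requires a CRL for an immediate lockout.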

Required Certificates
SSL Certificates
Because it is a web service, FSU-SAM requires an SSL certificate to maintain secure socket
layer security. These are obtained from a third-party certificate vendor. For information, see
the installation documentation.

PKI Certificates
The FSU must be authenticated and authorized to connect to the Silver Spring Networks RF
mesh network. To do this, a certificate under the Silver Spring Networks PKI hierarchy, the
FSU Certificate Authority (FSU-CA), must be obtained from Silver Spring Networks. This
certificate is signed by the Operator Key, which establishes a signature chain back to the
Silver Spring Networks root.
Using the FSU-SAM application as a vehicle, the FSU-CA issues individual FSU certificates
for a variety of purposes, described later in this topic.

FSU-CA Policies
Certain policies are baked into the generic FSU-CA when it is generated by the network
operator. These include the ability to issue FSU certificates with roles and privileges required
for the standard operations an FSU performs against a network endpoint in the field, such as
meter reads and Communications Module management.
However, there are also special policies the system operator can include when generating the
FSU-CA PKI private key and certificate:
• Privilege management
• Disconnect/reconnect
These policies are required to issue certificates to FSUs designated with special, more
sensitive capabilities. Unless these policies were configured when the certificate was
generated, neither the privilege management administrator nor the standard SAM
administrator can personalize an FSU for these respective purposes.

Authentication and Authorization

When FSU-SAM receives a request, it redirects the user's browser to Central Authentication
and Authorization Service (CAAS). CAAS issues an authentication challenge and the user
enters his or her login name and password, which CAAS uses to perform a lookup in its own
database.

If LDAP support was configured, CAAS passes the request to the LDAP customer's Active
Directory (AD) data source (Figure 1). AD looks up the user (or user group) and passes the
result back to CAAS. CAAS directs the user's browser back to FSU-SAM, using a service
ticket. FSU-SAM then verifies the service ticket with CAAS over HTTPS.
If authentication was successful, the user is authorized to access SAM according to the
privileges granted in the User Role tables in the CAAS database.
While usernames and privileges reside in the CAAS database, the SAM database contains
logs of the following information:
• Every action taken by every role/username.
• All encrypted, secure operation keys for all personalized FSUs. See FSU-SAM
  Cryptography on page 6.

Figure 1. Authentication using CAAS
(Diagram labels: FSU, USB cable, SAM back office user, HTTPS, SAM, Oracle JDBC, SAM
database, CAAS, DB, LDAP, Active Directory.)

Types of Administrators and Users


There are two types of administrators, a SAM administrator and a privilege management
administrator:
• The SAM administrator personalizes and restores FSUs used for standard field tool tasks.
• The Privilege Management administrator personalizes FSUs that can conduct operations
  and issue commands requiring the privilege manager role.
The refresh user role and the refresh privilege management user have more limited
privileges that center around refreshing credits, updating their own passwords, or
performing a signing test on the FSU-SAM Test tab (Table 2). Neither can perform any
personalization tasks.

Table 2. Roles and privileges

Roles (column headings):
• Refresh Privilege Mgt. User
• Privilege Mgt. Admin.
• FSU-SAM Admin.
• Refresh User (1)

Privilege (row headings):
• Designates one or more FSUs in the field to act as the privilege manager FSU; it
  possesses all privileges.
• Refreshes any privilege management FSUs whose credits have expired.
• Personalizes (assigns credits) and refreshes credits on an FSU.
• Can update a user password without knowing the old password.
• Can perform a test of signing or encryption on the FSU-SAM Test tab.
• Can update their own password, using old password.
• Refreshes credits on an FSU.

(1) You may, optionally, want to assign the refresh responsibility to a different
user than the FSU owner (or field engineer) for security reasons.

With the exception of the privilege management administrator, the roles are assigned by the
CAAS administrator. The system operator (Silver Spring Networks, unless the utility
operates its own Silver Spring Networks components) creates the privilege management
administrator role on behalf of the utility.
The CAAS root administrator, AMM root administrator, and network administrator also
have some of these privileges. (For details, see the document Roles and Privileges for CAAS,
UtilityIQ, FSU-Secure Access Manager, and HAN Communications Manager on Springboard at
https://springboard.silverspringnet.com under the Documentation/Release Notes tab.)


Privilege Management FSUs


Privilege management FSUs are used for remediation of critical, typically security-related,
issues in the network. As a consequence, these FSUs are very powerful. They can even
remove the operator certificate from devices.
Circumstances under which you might want to consider removing the certificate may
include the following:
• When you are moving devices from a test network to a production network, or vice
  versa. However, Firmware image 3.4.1 and above and Communications Tester 6.4 allow
  utilities to achieve this without privilege management FSUs.
• When you need to send a meter under warranty to its manufacturer for repair or
  replacement. Utilities must make sure that the cleartext port is on before shipping the
  meter to the meter vendor for diagnostics and repair.
• When you believe a device has been compromised by a rogue actor or through some
  other means.
You can also use a privilege management FSU to turn off/on the legacy (cleartext) port.
Only a privilege management administrator can personalize an FSU with privilege
management capability. An FSU-SAM administrator does not possess the privileges to do
this.


3 Using FSU-SAM
The following topics describe the use of FSU-SAM by administrators and users:
• Logging Into FSU-SAM on page 12
• Placing the FSU into Service on page 14
• Removing an FSU from Service on page 17
• Recovering from a Partial Smart Card Personalization on page 19
• Refreshing Credits on page 19
• Changing a Password on page 20
• Reviewing Credits on page 22
• Troubleshooting on page 23

Logging Into FSU-SAM


Before you log in to FSU-SAM, make sure you meet the following requirements:
• You must have already installed the other UtilityIQ and shared services components.
• You must have an account in FSU-SAM and login credentials created for you by the
  CAAS administrator.
• You must have a computer running a current and secure version of Java.
  Oracle releases security updates to Java on a regular basis. If the version of Java you have
  on your laptop is no longer up to date from a security standpoint, you receive a warning
  after you log in to FSU-SAM that your Java plug-in is insecure. If this occurs, download
  the latest version of Java from the Oracle website.

Important: If your utility uses its own SSL PKI certificate, you must add the root of your
utility's private PKI to the trusted root cache of the new JVM. Otherwise, the JVM does not
trust the SSL connection to the server and it refuses authentication. See your system
administrator.

• If you are plugging in an FSU for the first time with this laptop or if you previously
  used FSU 2.1, but you are now using FSU 4.0 for the first time, see the Field Tools
  Installation Guide for instructions on driver installation.

Important: Before logging in, check whether or not the FSU service is running. If it is,
you must stop it. Otherwise, FSU-SAM does not connect to the smart card in the FSU.
After you are done using FSU-SAM, you should restart the FSU service, so that the other
field tools recognize the FSU.

• If your test environment uses a different Operator certificate from your production
  environment, you can only use the FSU in secure mode in the environment for which it
  was initially personalized. You cannot depersonalize the FSU and repersonalize it for the
  other environment, because the FSU still retains the original Operator certificate in its
  NIC.
  As of Communications Tester 6.4, you can remove the initial Operator certificate in the
  NIC to allow distribution of a new Operator, using the OpCert, Delete command.
  However, FSU NIC firmware must be at 3.4.1 or above. To verify which firmware level
  your FSU has, use the Communications Tester Image, List command.

To log into FSU-SAM


1. If you have Communications Tester or another field tool open, close it.
2. Log in to UtilityIQ for either your test or production environment, as appropriate.
3. Verify that you have the correct user profile to personalize FSU-SAM by accessing the
   My Profile link, in the menu bar at the top right of your UtilityIQ screen. For details on
   privileges by role, see Table 2 on page 10.
   If you do not have the correct privilege, contact your system administrator.
4. Attach the FSU to the computer.
   If the FSU is not already plugged into your laptop when you log in to FSU-SAM, you get a
   message: Status: FSU not present and a slider bar moves back and forth at the
   bottom of the screen next to the label Waiting for card.

Note: If you launch FSU-SAM without the FSU attached, plug in the FSU. FSU-SAM then
recognizes the smart card embedded in the FSU and you see the message: FSU present.

5. Accessing FSU-SAM
   (Upgrades only) From the CAAS Login Successful page, select FSU-SAM.
   (Fresh installations only)
   a. Point your browser to the FSU-SAM URL given to you by your administrator:
      https://SAM_HOST:SAM_SSL_HTTP_PORT
      Where:
      SAM_HOST = URL for FSU-SAM that your administrator shared with you.
      SAM_SSL_HTTP_PORT = Port FSU-SAM was configured to run on.

   b. On the Welcome to Central Authentication and Authorization Service screen, enter
      the user credentials given you by your CAAS administrator and click Login.
   c. Respond to the Java Security Warning prompt "Do you want to run this application?"
      by selecting "I accept the risk and want to run this application", then click Run.
      If, after clicking Run, you receive an exception message, it will describe the problem
      encountered, so that you can fix it or can contact Silver Spring Networks Support for
      a prompt resolution.
   The FSU-SAM Information tab appears and shows FSU Present and other details about
   the FSU you connected to the computer.

Placing the FSU into Service


Before a field technician can use the FSU, the FSU-SAM administrator must place it into
service, also called personalization.
By personalizing an FSU, the administrator adds security credentials to it that identify it
uniquely as part of the utility's Silver Spring Networks system. This authorizes it to connect
to the mesh network of the utility. The private key permits the creation of a secure
maintenance link that allows the configured credentials to execute commands for a specific
duration.
Personalization can only be performed by a user with Administrator privileges. Users
without this privilege do not see the Personalize tab after they log in. (For more details, see
Types of Administrators and Users on page 9.)
Personalization consists of the following tasks, whether or not the FSU will be used for
standard tasks, as described earlier, or for privilege management:
• Assigning technicians a secure password that they can use to identify themselves as the
  authorized user of an FSU smart card when they are in the field.
• Configuring the number of times (called credits) a field technician can make a secure
  maintenance link with which to issue commands, using the FSU.
• Configuring the duration (lifetime) of the certificate that allows the secure maintenance
  links to be created. If the time has expired, any remaining credits can no longer be used.

Note: Users with refresh permission may only refresh credits, as long as the certificate for the
credits has not yet expired.

• Configuring the number of times users can enter the password incorrectly before the FSU
  stops operating. If users exceed the configured number of retries, an administrator must
  reset the password.

To personalize an FSU
1. Verify whether or not the FSU has been personalized already by selecting the Info tab.

Note: If it has, you must depersonalize it before reassigning it to another user or to a different
environment (test, development, or production). See Removing an FSU from Service on
page 17.

2. Select the Personalize tab.
3. Assign the number of credits you want this FSU to have by typing that number in the
   Assign Credits field (Figure 2).
   The number may not exceed 65,535. The installer may set this number lower using the
   MAXIMUM_CREDIT_COUNT=65535 parameter in the overridessam.properties file.

Figure 2. Personalizing the FSU

4. In the User password field, enter a user password and re-enter it in the Confirm field.
   FSU password strength will have been determined at the time of installation and follows
   one of four levels below:
   0 = (Default) FSU password can be any characters.
   2 = Users must create a password consisting of two of the categories.
   3 = Users must create a password consisting of three of the categories.
   4 = Users must create a password consisting of four of the categories.
   If you type a password that conflicts with the password strength rule, FSU-SAM displays
   an error message.
   The new password is masked in both the User password and Confirm fields.

Important: Make sure to write down the password, because the FSU user must know it
to execute secure commands.

5. (Optional) If available, indicate whether or not the certificate of this FSU should have any
   of the following privileges:
   • Firmware Update: Controls image operations, including upgrades.
   • Disconnect/Reconnect: Disconnects/reconnects service.
   • Distribution Automation: Ability to execute commands against the
     Communications Module in an eBridge or the Sentient Fault Circuit Indicator (FCI).

Note: Distribution Automation (DA) configuration requires that you also have the DA role.

   • Meter Config: Grants permission to configure any endpoint, not just the meter.
   • Privilege Management: Grants authority to remove operator certificates or to
     rewrite the privilege table for commands executed within the Communications
     Module.
     Because of the security risk, when enabled, the Privilege Management check box
     defaults to unchecked. To mitigate risk, privilege management administrators should
     limit the number of credits this FSU can use to a very small number.
     Another best practice is to reduce the certificate lifespan to one week or less.

Important: To enable privilege management, the FSU-CA generated for
personalization of a privilege management FSU must possess the Priv. Mgt. policy. This
must be configured using CA Tools by the network operator. Also, in order to personalize
an FSU with the Privilege Manager role, the user performing the personalization must be
assigned the Privilege Manager Administrator role in CAAS.

   • Local LCS Control: Permission to execute load control commands against the
     Communications Module in a load control switch.

Note: These selections appear enabled on the Personalize tab only if a certificate was
generated by the network operator that contains one or more of these privileges.

6. Use the slider under Options to set the maximum number of times the user can try to
   enter their password unsuccessfully before the FSU locks the user out.
7. In the Validity Period box, indicate the number of days the certificate should remain
   valid.
   The default maximum validity period is 360 days, but installers may reduce this using the
   parameter MAXIMUM_VALIDITY_PERIOD.
8. Click Personalize.

Note: The Personalize button becomes accessible only after you assign credits. See Step 3.

   The following status messages appear at the page:
   Installing applet
   Generate Private Keys on Card

   The program generates a number of messages and when the process is finally complete,
   the following appears:
   Personalization Successful
   The process should not take longer than about five minutes.
   Receipt of the Personalization Successful message is a reliable indicator that the
   personalization was accepted.
9. To verify the credits assigned, go to the Info tab (Reviewing Credits on page 22).
   If a system caused an incomplete personalization, see Recovering from a Partial Smart
   Card Personalization on page 19.

Note: The Test tab does not test personalization, but rather whether or not the smart chip
inside the FSU is able to encrypt and decrypt data. For information about use of the Test tab,
see Troubleshooting on page 23.

After personalization is complete, the FSU is ready to be unplugged and taken to the
field.

Removing an FSU from Service


The following procedures describe how to depersonalize an FSU. This deletes its certificate,
so that it can be used for a different purpose. Repersonalizing an FSU downloads a new
secure applet and the required certificate and keys.
This topic also explains how to return an FSU 2.1 to its state before personalization.
Returning the FSU 2.1 to its original state simply means that you have deleted the secure
applet in the FSU smart card, along with its certificate.
In FSU 4.0, the applet cannot be removed, but depersonalization removes the certificates
anyway, making the FSU available for another user or purpose.

Note: The Clear button remains visible, but appears grayed-out.

It is important to note that, after depersonalization, there is still a certificate cache in the NIC
of the FSU that is not removed when you clear or depersonalize the FSU. If you want to use
the FSU in a different environment (for example, production instead of test), you must
delete these certificates too. This is done through a command in Communications Tester 6.4,
requiring firmware in the FSU be at 3.4.1 or above.

To depersonalize an FSU
1. On the Personalize tab, click Depersonalize (Figure 3).
   A message appears, stating:
   This will delete the FSU's certificates and remove all credits.
   OK  Cancel
2. To continue, click OK.

   The following status messages appear at the bottom of the page:
   Fetched UID
   Depersonalized

Note: The Depersonalize button becomes accessible only after successful personalization of
the FSU. After depersonalization, the button becomes unavailable for use until the FSU is
repersonalized. If you are unable to depersonalize the FSU, verify that it was previously
personalized.

Figure 3. Depersonalizing or clearing the smart card

To remove the Smart Card applet and its certificates (FSU 2.1 only)
1. From the Personalize tab, click Clear FSU.
   A text box appears, stating:
   This will return the FSU to factory condition, removing the applet and
   all credits.
   OK  Cancel
2. To return the FSU to its original factory setting, click OK.
   The following status messages appear:
   Clearing card
   Select device
   This deletes the applet and the certificate from the smart card. The Status box at top right
   then displays the message, shown in Figure 4:
   FSU not initialized.
Figure 4. Status message after removing the applet


Recovering from a Partial Smart Card Personalization


If a system problem occurs during personalization of the smart card in an FSU, partial
personalization of the smart card may result. This state can be verified on the SAM
Information tab, where the Personalized field reads INCOMPLETE.
For an explanation of the Information tab fields, see Reviewing Credits on page 22.

To recover from a partial personalization

1. Depersonalize the FSU, as described under Removing an FSU from Service.
2. Repeat the personalization procedure, as described under Placing the FSU into Service on
   page 14.

Refreshing Credits
Both administrators and refresh users can refresh the number of credits (number of times
that a secure maintenance link can be created) back to the amount issued at the time of
personalization (Figure 5).

Figure 5. Refreshing credits on the Recharge tab.

Forinformationabouthowtoinitiallysetthenumberofcredits,seePlacingtheFSUinto
Serviceonpage14.

To refresh credits to the default level


ClickRechargetoDefault.
Thefollowingmessageappears:
Completedrefresh
Forinformationabouthowtosetthedefaultnumberofcredits,seePlacingtheFSUinto
Serviceonpage14.

To assign a new credit value


Type the new number of credits you want to assign to the FSU in the Assign Credits field
and then click Recharge to Credit.
If you input a greater number than the configured maximum, the characters turn red.

Note: Only administrators can assign a new credit value.

Changing a Password
From time to time, administrators or users may need to change the smart card password. For
example, a utility employee might issue an FSU with a default password, written on a piece
of paper or in email, to a field technician, who then needs to change it for security reasons
and to personalize it for his or her use.

Note: This password is the same one that CATT and other field tools prompt for when a user logs
in. It is used to access the private keys within the FSU that are required to make secure
maintenance links with meters and other endpoints.

To change the smart card password (administrator procedure)


1. In the left-hand navigation pane, select Password.
2. In the New password field, type the new password.

Note: Password strength rules apply in creating a new password. For more information, see
Placing the FSU into Service on page 14.

3. In the Confirm field, reenter the password.
The Change password button (shown grayed out in Figure 6) now becomes available.
4. Click Change password.
The following message appears at the bottom of the page:
Successfully changed password

Figure 6. Changing the password (Administrator view).

To change the smart card password (user procedure)


1. In the left-hand navigation pane, select Password (Figure 7 on page 21).
2. In the Current password field, type your existing password.
3. In the New password field, type the new password.

Note: Password strength rules apply in creating a new password. For more information, see
Placing the FSU into Service on page 14.

4. In the Confirm field, reenter the password.
The Change password button (shown grayed out in Figure 6) now becomes available.
5. Click Change password.
The following message appears at the bottom of the page:
Successfully changed password

Note: Users cannot update their password if they have been locked out of FSU-SAM due to
exceeding the configured number of allowed unsuccessful login attempts.

Figure 7. Changing the password (user view)

Reviewing Credits
The Information tab shows you how many credits (secure maintenance links) the FSU has
remaining in which to issue critical commands before a refresh is needed, among other
information (Figure 8).
Figure 8. Information tab, showing FSU privilege management status

With the most recent FSU smart cards, FSU-SAM also displays the applet ID (Applet OID).
The field does not appear with older smart cards.
Table 3 describes the fields on the Information tab.

Table 3. SAM Information tab fields

Field         Description
Version       FSU-SAM Administration version.
Terminal      Text string describing smart card manufacturing information.
Card          Text string describing smart card manufacturing information.
Applet OID    Identification of the applet in the smart card.
              Appears in FSU-SAM only when newer smart cards are present in an FSU. The ID is for information only and does not affect operation.
Certs Expire  Date and time the certificates for this FSU smart card expire.
FSU MAC       MAC address of the FSU you have plugged into your computer.
FSU Roles     Privileges assigned to the holder of the FSU smart card who is logged into SAM. These consist of:
              Firmware Update: Authorized to update FSU firmware
              Meter Config: Authorized to configure meters and other endpoints
              Disconnect/Reconnect: Can issue disconnect and reconnect commands
              Privilege Management
              FSU: Certificate belongs to an FSU
              Load Control Switch: Authorized to create and cancel load control events
Personalized  Indicates whether or not the connected FSU has been personalized: yes or no
UID           UID (Unique ID) is a random, unique value assigned each time the card is personalized. The UID can be traced through the SAM log in the database, if needed.
Signing       Signing occurs once during establishment of a maintenance link.
              This is a counter that indicates how many credits remain for signing a certificate out of the number that was originally assigned (for example, 2 remaining, 4 total).
              This decrements every time a maintenance link is established.
Decryption    Decryption occurs once during establishment of a maintenance link over link-layer security.
              This is a counter that indicates how many credits remain for decryption out of the number that was originally assigned.
              This decrements every time a maintenance link is established.

Troubleshooting
You may be asked by Silver Spring Networks from time to time to perform tests on FSU-SAM
to troubleshoot problems. For example, you may be asked to test the ability of the FSU
to perform encryption or decryption. Alternatively, you may want to review issued
certificates.
The signing certificate can be used to sign messages, while the encryption certificate can be
used to decrypt encrypted messages. The signing test gives the smart card data to sign, then
verifies that the signature is correct.
The encryption test passes data to the smart card for decryption, then validates that the
decrypted data is the same as the cleartext data.

To test encryption and decryption for this FSU


1. In the left-hand navigation pane, select Test (Figure 9).

2. In the Enter password field (within the Crypto Tests area), type the password for the
connected FSU.
3. Click either Test Signing or Test Encryption.
After the test has finished running successfully, the progress meter at the bottom of the
page moves to the far right and status messages appear, stating:
Logged in
Successful test
Otherwise, an error message appears, describing the nature of the failure.

Figure 9. Using the Test tab

To review certificates
1. Go to the Test tab.
2. From the Select certificate menu under Download Certificates, select the type of
certificate chain to download:
Signing certificate chain
Crypto certificate chain
3. Click Fetch Certificate.

Note: When you fetch a new chain, the previous chain is overwritten.

The selected certificate chain appears in the Cert content pane.
4. To copy and paste the information into a text file or a terminal window for future
troubleshooting use, select the text in the Cert content pane and right-click it.
The Copy option box appears.

5. Select this, then paste the copied certificate chain from the clipboard to your text file or
terminal window for review.
6. To clear the contents of the Cert Content pane, reload the page in your browser.

4 Auditing FSU-SAM
FSU-SAM activity is logged to a table in the SAM schema called fsu_sam_operation_log
(Table 4). This table can only be written to if you are the schema owner. The SAM application
user can perform insertions and selections only. FSU-SAM does not store logins.
You may use standard Oracle reporting tools to read this table, should you want to do so.
FSU-SAM does not presently delete, archive, or perform any other table maintenance
functions. Also, FSU-SAM has no mechanism at this time for monitoring the table.

Table 4. FSU-SAM operation log content

name          datatype   width  no-nulls
ID            NUMBER     22     *
USERNAME      VARCHAR2   64     *
OPERATION     VARCHAR2   64     *
FSU_UID       RAW        8
MAC           RAW        8
CERT          RAW        2000
OPERAND       NUMBER     22
OP_TIMESTAMP  TIMESTAMP  11     *

Table 5 describes the name column contents.

Table 5. Log column definitions

Name          Column Entry Definition
ID            A primary key for the table. There is a unique number for each row.
USERNAME      The username of the user who performed the action. The username is supplied by CAAS, following a successful authentication.
OPERATION     A brief string description of the nature of the operation. A personalization results in two rows being added to this table for each certificate creation (signing and crypto) that occurs.
FSU_UID       The UID of the FSU.
              UIDs are created randomly by the FSU during personalization. The FSU retains the UID, which remains constant until depersonalization. At that time, it is destroyed.
              This tracing of operations is identified with a particular user.
MAC           The MAC address of the FSU, recorded during personalization and depersonalization operations.
              MAC address should be considered informational only since smart cards can be removed.
CERT          The actual FSU certificate containing the public key resulting during personalization when a certificate is generated.
              This information can be used to revoke the certificate, if needed.
OPERAND       Records the new credit limit for an FSU.
              This column is only used for Reset Credit Level operations, in which an FSU administrator changes the number of credits allowed during a refresh operation.
OP_TIMESTAMP  The timestamp of the operation.
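
Because FSU-SAM does not monitor fsu_sam_operation_log itself, the following Oracle SQL queries are an added example (not part of the original guide) of a periodic audit review that uses only the columns listed in Table 4. The bind variable :fsu_uid_hex (the UID as a hex string) and the 30-day window are assumptions chosen for illustration.

```sql
-- Added example: audit queries over fsu_sam_operation_log (columns per Table 4).
-- Assumptions: run by a user with SELECT on the table; :fsu_uid_hex is a
-- hypothetical bind variable holding the 8-byte FSU UID as 16 hex characters.

-- 1. Full timeline for one FSU UID (for example, an FSU reported lost):
--    who performed each operation, and from which MAC (informational only).
SELECT id, op_timestamp, username, operation,
       RAWTOHEX(mac) AS mac_hex, operand
FROM   fsu_sam_operation_log
WHERE  fsu_uid = HEXTORAW(:fsu_uid_hex)
ORDER  BY op_timestamp, id;

-- 2. Certificates recorded for that UID. CERT is populated when a
--    certificate is generated, so these rows identify what to revoke.
SELECT id, op_timestamp, username, operation,
       RAWTOHEX(cert) AS cert_hex
FROM   fsu_sam_operation_log
WHERE  fsu_uid = HEXTORAW(:fsu_uid_hex)
AND    cert IS NOT NULL
ORDER  BY op_timestamp, id;

-- 3. Credit limit changes in the last 30 days. OPERAND is used only for
--    Reset Credit Level operations, so a non-null value marks each change.
SELECT op_timestamp, username,
       RAWTOHEX(fsu_uid) AS fsu_uid_hex,
       operand           AS new_credit_limit
FROM   fsu_sam_operation_log
WHERE  operand IS NOT NULL
AND    op_timestamp >= SYSTIMESTAMP - INTERVAL '30' DAY
ORDER  BY op_timestamp DESC;

-- 4. Activity per user and operation over the same window, to spot
--    unexpected accounts or unusual operation volumes.
SELECT username, operation,
       COUNT(*)          AS operations,
       MIN(op_timestamp) AS first_seen,
       MAX(op_timestamp) AS last_seen
FROM   fsu_sam_operation_log
WHERE  op_timestamp >= SYSTIMESTAMP - INTERVAL '30' DAY
GROUP  BY username, operation
ORDER  BY username, operations DESC;
```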
