

OTA Provisioning Considerations

4/8/2010

When planning over-the-air (OTA) provisioning, consideration should be given to how the provisioning will be initiated and how the process can be kept secure.

Considerations

The following table shows considerations based on the conditions under which the device will accept OTA provisioning messages.

The table is organized as "To accept OTA messages ..." (the condition) and "Consideration" (what you must configure for that condition).

Condition: Only when the WAP Push gateway message content is assigned a privileged role by the Provisioning Policy

Consideration: Use the OTA Provisioning Policy (4111). It indicates whether a WAP push message is accepted based on whether the role assigned to the message matches any of the roles specified in the policy setting.

Consider whether a privileged OTA message from the WAP push gateway should have full control over every device setting that is configurable through WAP Push. If so, you must also assign the Manager role to the PPG_Trusted role.

For more information, see Security Policy Settings.

Condition: Only when the message is from a Trusted Provisioning Server (TPS)

Consideration: You must know the URL of the Trusted Provisioning Server and bootstrap the device with this URL using the BOOTSTRAP configuration service provider. The device looks for this URL in the OTA message header. If the URL matches and the OTA message content is trusted by a trusted WAP push gateway, the TPS role is assigned to the message.

Consider whether the TPS should have full control over every device setting that is configurable through WAP Push. If so, you must also assign the Manager role to the TPS role.

Questions To Be Answered Before Starting

The following list contains some common questions that need to be answered before attempting to set up OTA provisioning.

What is the SMS address for the WAP push gateway?

A trusted WAP push gateway is required for continuous OTA provisioning and Service Loading (SL) messages. It can also be used for Service Indication messages. A WAP push gateway address is an SMS address.

What is the URL for the Trusted Provisioning Server and its role?

You should know the URL of the Open Mobile Alliance (OMA) Client Provisioning server, if applicable. The message that comes from this URL and that is trusted by a trusted WAP push gateway is given the TPS security role. By default, the TPS security role is granted Manager privileges.

The device knows this URL by accepting an OMA Client Provisioning bootstrap XML that contains bootstrap information. When you bootstrap the TPS URL, you must also bootstrap the trusted WAP push gateway.
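The role assignment and policy check described in the table above and in this answer, as an added model (not the device's Push Router or Configuration Manager code): role names follow the page, while the untrusted-origin role name, the data structures and the sample addresses and URL are assumptions.

```python
"""Model of the OTA provisioning accept/reject decision: roles are assigned from
the message origin, then policy 4111 accepts if any assigned role is listed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

PPG_TRUSTED = "PPG_Trusted"        # content trusted by the bootstrapped WAP push gateway
TPS = "TPS"                        # content from the bootstrapped Trusted Provisioning Server
MANAGER = "Manager"                # full control of device settings
ANY_PUSH_SOURCE = "AnyPushSource"  # assumed name: every push message starts with this role


@dataclass(frozen=True)
class DeviceConfig:
    trusted_ppg_sms: str                     # SMS address of the trusted WAP push gateway
    tps_url: Optional[str]                   # TPS URL set through the BOOTSTRAP CSP, if any
    ota_provisioning_policy: FrozenSet[str]  # policy 4111: roles allowed to provision
    manager_grants: FrozenSet[str]           # roles that are additionally given Manager


@dataclass(frozen=True)
class PushMessage:
    from_sms: str              # gateway address the message arrived from
    header_url: Optional[str]  # provisioning server URL carried in the OTA header


def assign_roles(cfg: DeviceConfig, msg: PushMessage) -> Set[str]:
    """Roles the device assigns before consulting the policy."""
    roles = {ANY_PUSH_SOURCE}
    if msg.from_sms == cfg.trusted_ppg_sms:
        roles.add(PPG_TRUSTED)
        # TPS requires BOTH a header URL matching the bootstrapped URL and
        # delivery through the trusted gateway; a matching URL alone earns nothing.
        if cfg.tps_url is not None and msg.header_url == cfg.tps_url:
            roles.add(TPS)
    if roles & cfg.manager_grants:
        roles.add(MANAGER)
    return roles


def accept_provisioning(cfg: DeviceConfig, msg: PushMessage) -> Tuple[bool, Set[str]]:
    """Policy 4111 check: accept when any assigned role appears in the policy."""
    roles = assign_roles(cfg, msg)
    return bool(roles & cfg.ota_provisioning_policy), roles


if __name__ == "__main__":
    # Constructed sample configuration: TPS bootstrapped and granted Manager.
    cfg = DeviceConfig("+15550100", "https://prov.example.net/tps",
                       frozenset({TPS, PPG_TRUSTED}), frozenset({TPS}))
    for m in (PushMessage("+15550100", "https://prov.example.net/tps"),
              PushMessage("+15559999", "https://prov.example.net/tps")):
        print(m, accept_provisioning(cfg, m))
```

The second message in the demo carries the right URL but arrives from an unknown gateway, so it keeps only the untrusted role and is rejected.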

What method of OTA configuration and provisioning will you use?

The following policies are related to the Push Router:

  • WSP Push policy -- Indicates whether WAP notifications from the WAP stack are routed. This policy applies to any WAP push message that is sent over WSP.
  • Unauthenticated Message policy -- Indicates whether to accept unsigned WAP messages based on their origin. This policy applies to any unsigned WAP push message.
  • WAP Signed Message policy -- Indicates whether a WAP signed message is accepted based on whether the role assigned to the message matches any of the roles specified in the policy setting.
  • OTA Provisioning policy -- Indicates whether a WAP push provisioning message is accepted by Configuration Manager based on whether the role assigned to the message matches any of the roles specified in the policy setting.

For more information see WAP Push Message Format.

Do you want to give the TPS role Manager privileges?

The mobile operator can provision the device with an OMA Client Provisioning Trusted Provisioning Server (TPS) and a privileged Push Proxy Gateway (PPG) that the TPS uses for continuous provisioning. The XML example in this section can be used as a template. After the device is bootstrapped, messages coming from the TPS are granted the Manager role, and WAP push remains the mechanism for continuous provisioning.

A mobile operator can also set other data connectivity information in the device's configurable settings in this bootstrap message.

The Trusted Provisioning Server (TPS) must send the OTA provisioning message through the configured privileged Push Proxy Gateway (PPG), and the PPG must authenticate the TPS (the push initiator).

For more information, see Security Policy Settings.

Will you use an OMA DM Server?

An OMA DM server can be used to remotely manage devices, and typically has full access to the device with the role of Manager.

You must know the following information if you will use an OMA DM server:

  • The OMA device management server address, which is the URL for the HTTPS channel.
  • Authentication information used to authenticate the server with the MD5 algorithm: server ID, server name, server password, and server nonce.
  • Authentication information used to authenticate the device's DM client: user name, client password, and client nonce.
  • The access point name (APN) of any GPRS connection used to reach the DM server.
  • The correct root certificate for the SSL connection.
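A worked computation of the MD5 credential that the server and client values in the list above feed into, as an added example (not from the page or from an OMA DM implementation): it assumes the syncml:auth-md5 scheme, treats the server ID as the identity in the digest (the server name is a display label, not a digest input), and uses constructed sample identities, passwords and nonces.

```python
"""syncml:auth-md5 credential: B64(MD5(B64(MD5(identity:password)) ':' nonce)).
Each side proves knowledge of its password against a nonce the other side issued."""
import base64
import hashlib
import hmac


def _md5_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def syncml_md5_digest(identity: str, password: str, nonce: bytes) -> str:
    """Digest the DM client or server places in its Cred element."""
    inner = _md5_b64(f"{identity}:{password}".encode("utf-8"))
    return _md5_b64(inner.encode("ascii") + b":" + nonce)


def credential_is_valid(presented: str, identity: str, password: str, nonce: bytes) -> bool:
    """Constant-time comparison of a received digest against the expected one."""
    expected = syncml_md5_digest(identity, password, nonce)
    return hmac.compare_digest(presented.encode("ascii"), expected.encode("ascii"))


def demo():
    # Constructed sample values; a real deployment uses random nonces.
    server_id, server_password = "dm.example.net", "srv-secret"
    client_name, client_password = "IMEI:004401012345678", "cli-secret"
    # Nonces travel base64-encoded in NextNonce; the digest uses the decoded bytes.
    server_nonce = base64.b64decode("c2VydmVyLW5vbmNlLTE=")  # issued by the server
    client_nonce = base64.b64decode("Y2xpZW50LW5vbmNlLTE=")  # issued by the device

    # The device authenticates to the server with the server-issued nonce ...
    client_cred = syncml_md5_digest(client_name, client_password, server_nonce)
    # ... and the server proves itself to the device with the device-issued nonce.
    server_cred = syncml_md5_digest(server_id, server_password, client_nonce)
    return (
        credential_is_valid(client_cred, client_name, client_password, server_nonce),
        credential_is_valid(server_cred, server_id, server_password, client_nonce),
        # A replayed server credential fails once the device rotates its nonce.
        credential_is_valid(server_cred, server_id, server_password, b"rotated-nonce"),
    )


if __name__ == "__main__":
    print(demo())
```

The last check is why the client nonce must be stored and rotated on the device: a server credential captured once is worthless against a fresh nonce.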

See Also

Concepts

Provisioning XML Considerations
Bootstrapping To Use An OMA DM Server