Bootstrapping To Use a CPF File

4/8/2010

Windows Mobile devices can be bootstrapped and then continuously provisioned by using XML files that are signed with a manager certificate, rather than using a WAP push message that is signed with a network PIN. The manager of the device owns the manager certificate in this scenario. Continuous provisioning can be achieved by allowing the end user to pull a Cab Provisioning Format (CPF) File from a Web site. This method provides more security for enabling continuous provisioning.

Note

The ActiveSync Application Manager does not recognize .cpf files. Therefore, if you use ActiveSync to put the XML on the device, then you must use a CAB file instead of a CPF file.

To bootstrap with a ROM configuration XML file or a remote API (RAPI) call and enable continuous provisioning, the XML file should contain the certificate that is assigned the Manager role, the request to change the Grant Manager Role policy, and the basic information for creating a data connection. Without the data connection information, the device cannot connect to the Web site to retrieve the signed provisioning file. Other changes that the mobile operator wants to make during bootstrapping, such as changes to the security model or to e-mail settings, can also be placed in the bootstrap XML document. For more information about bootstrapping through a ROM configuration XML file and using a RAPI call, see Provisioning Using a ROM Configuration XML File.

To use WAP push to bootstrap and enable continuous provisioning, the WAP push provisioning file must be signed with both the network PIN and user PIN. The USERNETWPIN mechanism is defined in the OMA Provisioning Bootstrap Specification Version 1.1. The push message must contain at least the certificate, the request for changing to the Grant Manager Role policy, and information about how to connect to the Web site to pull the .cpf file. Other bootstrap information can be put in the signed .cab file and pulled to the device by the user at a later time. This is performed over the air from a Web site through the data channel. For more information about bootstrapping through WAP push with provisioning files, see Provisioning OTA Through a WAP Push.

Code Example

The following is an XML example that can be used for sending a manager certificate and data connectivity information to the device:

<wap-provisioningdoc version="1.1">
   <!-- The HTTP proxy and its corresponding PPP settings used to browse to www.Northwind Traders.com. -->
   <characteristic type="CM_ProxyEntries">
      <characteristic type="HTTP Proxy 1">
         <parm name="SrcId" value="{A1182988-0D73-439e-87AD-2A5B369F808B}" />
         <parm name="DestId" value="{C1182988-0D73-439e-87AD-2A5B369F808A}" />
         <parm name="Proxy" value="myitgproxy:80" />
      </characteristic>
   </characteristic>
   <characteristic type="CM_PPPEntries">
      <characteristic type="Corp PPP 1">
         <parm name="DestId" value="{A1182988-0D73-439e-87AD-2A5B369F808B}" />
         <parm name="CountryCode" value="1" />
         <parm name="AreaCode" value="425" />
         <parm name="Phone" value="5550150" />
         <parm name="UserName" value="myuser" />
         <parm name="Password" value="mypassword" />
         <parm name="Domain" value="mydomain" />
      </characteristic>
   </characteristic>

   <!-- Add a certificate that is assigned the Manager role. -->
   <characteristic type="CertificateStore">
      <characteristic type="SPC">
         <!-- The following characteristic type carries the hash of the certificate. In actual XML,
              "hash of certificate" should be replaced with the real hash value. -->
         <characteristic type="hash of certificate">
            <!-- The following parm carries the base64-encoded certificate. In actual XML,
                 "Base64 encoded x.509 certificate" should be replaced with the real encoded certificate value. -->
            <parm name="EncodedCertificate" value="Base64 encoded x.509 certificate" />
            <parm name="role" value="8" />
         </characteristic>
      </characteristic>
   </characteristic>

   <!-- Update the Grant Manager policy so that only a message already assigned the Manager role,
        or a message assigned the OPERATOR_TPS role, is treated as a manager message. -->
   <characteristic type="SecurityPolicy">
      <parm name="4119" value="128" />
   </characteristic>
</wap-provisioningdoc>

Comments

For the device to decode correctly, provisioning XML that contains the APPLICATION characteristic must support OMA Client Provisioning version 1.1.

Replace the sample values in braces ({}) with correct values for your system.

In this example, the thumbprint information (certificate hash) for CertificateStore can be viewed from Windows on the Details tab of a certificate in certmgr.msc.
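The following Python script is an added example and is not code from the original page or from Microsoft. It ties together the two practical points above: it fills the certificate hash and Base64 value into the CertificateStore characteristic (the hash is SHA-1 over the DER bytes, which is what the Details tab shows as the thumbprint), and it pre-flight checks a bootstrap document for the three things the text requires: a certificate with the Manager role (8), the Grant Manager Role policy change (4119 = 128), and a data connection. The DER bytes are a constructed stand-in rather than a real certificate, and the placeholder document is a trimmed copy of the page's sample with its placeholders left in, to show that the check catches them.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

# Values taken from the page: role 8 marks the Manager certificate, and
# SecurityPolicy 4119 = 128 is the Grant Manager Role change.
MANAGER_ROLE = "8"
GRANT_MANAGER_POLICY_ID = "4119"
GRANT_MANAGER_POLICY_VALUE = "128"

# Constructed stand-in for DER certificate bytes (not a real X.509 certificate;
# only the hashing and Base64 handling are illustrated).
SAMPLE_DER = bytes.fromhex("308201f2308200db") + bytes(range(200))

# Constructed: the page's sample with the two placeholders left in place.
PLACEHOLDER_DOC = """<wap-provisioningdoc version="1.1">
  <characteristic type="CM_PPPEntries"><characteristic type="Corp PPP 1">
    <parm name="Phone" value="5550150"/></characteristic></characteristic>
  <characteristic type="CertificateStore"><characteristic type="SPC">
    <characteristic type="hash of certificate">
      <parm name="EncodedCertificate" value="Base64 encoded x.509 certificate"/>
      <parm name="role" value="8"/>
    </characteristic></characteristic></characteristic>
  <characteristic type="SecurityPolicy"><parm name="4119" value="128"/></characteristic>
</wap-provisioningdoc>"""


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes as upper-case hex (the certificate thumbprint)."""
    return hashlib.sha1(der).hexdigest().upper()


def _char(parent, ctype):
    return ET.SubElement(parent, "characteristic", type=ctype)


def _parm(parent, name, value):
    ET.SubElement(parent, "parm", name=name, value=value)


def build_bootstrap_doc(der: bytes, proxy="myitgproxy:80", ppp_phone="5550150") -> str:
    """Emit a wap-provisioningdoc with the pieces the page lists: a Manager
    certificate (hash and Base64 filled in), the Grant Manager policy change and
    a data connection (proxy + PPP entry, sample values from the page)."""
    root = ET.Element("wap-provisioningdoc", version="1.1")
    proxy_entry = _char(_char(root, "CM_ProxyEntries"), "HTTP Proxy 1")
    _parm(proxy_entry, "SrcId", "{A1182988-0D73-439e-87AD-2A5B369F808B}")
    _parm(proxy_entry, "DestId", "{C1182988-0D73-439e-87AD-2A5B369F808A}")
    _parm(proxy_entry, "Proxy", proxy)
    ppp = _char(_char(root, "CM_PPPEntries"), "Corp PPP 1")
    _parm(ppp, "DestId", "{A1182988-0D73-439e-87AD-2A5B369F808B}")
    _parm(ppp, "Phone", ppp_phone)
    cert = _char(_char(_char(root, "CertificateStore"), "SPC"), thumbprint(der))
    _parm(cert, "EncodedCertificate", base64.b64encode(der).decode("ascii"))
    _parm(cert, "role", MANAGER_ROLE)
    _parm(_char(root, "SecurityPolicy"), GRANT_MANAGER_POLICY_ID, GRANT_MANAGER_POLICY_VALUE)
    return ET.tostring(root, encoding="unicode")


def check_bootstrap_doc(xml_text: str) -> list:
    """Pre-flight check: return what is missing or inconsistent (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)

    def find(parent, ctype):
        return parent.find(f"characteristic[@type='{ctype}']")

    def parm(node, name):
        p = node.find(f"parm[@name='{name}']")
        return None if p is None else p.get("value")

    # 1. A certificate under CertificateStore/SPC with the Manager role, whose
    #    characteristic type really is the thumbprint of the payload it carries.
    store = find(root, "CertificateStore")
    spc = None if store is None else find(store, "SPC")
    manager_found = False
    for cert in ([] if spc is None else spc.findall("characteristic")):
        if parm(cert, "role") != MANAGER_ROLE:
            continue
        manager_found = True
        try:
            der = base64.b64decode(parm(cert, "EncodedCertificate") or "", validate=True)
        except binascii.Error:
            problems.append("EncodedCertificate is not valid Base64 (placeholder left in?)")
            continue
        if thumbprint(der) != cert.get("type", "").replace(" ", "").upper():
            problems.append("characteristic type is not the SHA-1 thumbprint of EncodedCertificate")
    if not manager_found:
        problems.append("no certificate with role 8 (Manager) under CertificateStore/SPC")

    # 2. The Grant Manager Role policy change.
    policy = find(root, "SecurityPolicy")
    if policy is None or parm(policy, GRANT_MANAGER_POLICY_ID) != GRANT_MANAGER_POLICY_VALUE:
        problems.append(f"SecurityPolicy {GRANT_MANAGER_POLICY_ID} is not {GRANT_MANAGER_POLICY_VALUE}")

    # 3. A way to reach the Web site that serves the .cpf file (PPP entry, as on the page).
    if find(root, "CM_PPPEntries") is None:
        problems.append("no data connection (CM_PPPEntries) for pulling the .cpf file")
    return problems


if __name__ == "__main__":
    print(build_bootstrap_doc(SAMPLE_DER))
    print("generated doc:", check_bootstrap_doc(build_bootstrap_doc(SAMPLE_DER)))
    print("page sample with placeholders:", check_bootstrap_doc(PLACEHOLDER_DOC))
```

The hash comparison ignores spaces and case so that a thumbprint copied from the certificate dialog compares equal to the one the script computes. The connection check only looks for CM_PPPEntries because that is the connection type the page's example uses; a deployment using a different connection characteristic would extend that test.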

For information about the provisioning file syntax for different OMA Client Provisioning versions, see OMA Client Provisioning Files.

See Also

Concepts

Bootstrapping a Device
Cab Provisioning Format (CPF) File