Troubleshooting guide

ManualsBrandsCisco ManualsComputer equipmentOL-4015-08

181

182

183

184

185

186

187

188

189

190

6-3

Cisco Broadband Local Integrated Services Solution Troubleshooting Guide

OL-5169-01

Chapter 6 Troubleshooting MTAs

Troubleshooting EMTA Provisioning

Call Management Server

The CMS is essentially a softswitch, or call-agent, with additional PacketCable functionality to control

QoS on a cable network, among other things. The MTA sends a network call signaling (NCS) restart in

progress (RSIP) message to the CMS upon successful PacketCable provisioning.

Key Variables

This section describes the key variables that you need to know to provision an EMTA correctly.

• Certificates

• Scope Selection Tag(s)

• MTA Configuration File

Certificates

The MTA_Root.cer file contains the MTA root certificate. This has not changed in some time, and all

MTA vendors now contain certs rooted in official PacketCable MTA root. The MTA_Root.cer will not

likely cause you problems.

You must know in advance what telephony root certificate is required for the MTAs you are trying to

provision. In most cases, you should be using telephony certs rooted in the PacketCable test root.

Deployments in production networks may use telephony certs rooted in the PacketCable real root. The

KDC cert used by the KDC to authenticate itself to the MTA must be rooted in the same telephony root

that is stored on the MTA. Most MTA vendors support test images that have telnet and/or http login

capabilities such that you can determine which telephony root is enabled, and change the root used (in

most cases, you can only select between the PacketCable real or test root).

The most common scenario would have the KDC loaded with certificates (from the

$BPR_HOME/kdc/solaris/packetcable/certificates dir) as follows:

• CableLabs_Service_Provider_Root.cer

• Service_Provider.cer

• Local_System.cer

• KDC.cer

• MTA_Root .cer

The first 4 certificates comprise the telephony certificate chain, the MTA_Root.cer file contains the MTA

root, so that the KDC can authenticate MTAs.

To determine if you are using PacketCable test root, open the CableLabs_Service_Provider_Root.cer

file in Windows, and validate that the Subject OrgName entry is “O = CableLabs”, and/or check the

Subject Alternative name reads “

CN=CABLELABS GENERATED TEST ROOT FOR EQUIPMENT TEST

PURPOSES ONLY, ”

as seen below.

The KDC certificate (KDC.cer) has the realm name to use embedded in it. The realm name that BACC

(and the corresponding DNS zone) is configured to use must match this realm name. Additionally, the

MTA config file realm org name must match the organization name as seen in the telephony root .

The KDC certificate has a corresponding private key that must be installed in the

$BPR_HOME/kdc/solaris directory. Usually it is named kdc_private_key_proprietary or

kdc_private_key.pkcs8. When changing certificates, you must also change the private key.