High Performance OPC UA Server SDK  1.7.1.383
Provisioning Mode

The provisioning mode is intended to enable the initial security configuration of the server using UA GDS functionality. In provisioning mode the server accepts untrusted certificates but requires password authentication. Therefore the client (e.g. a GDS application) needs to authenticate as a user that has the "SecurityAdmin" role assigned. This allows the GDS to install the initial certificate and trustlist. As soon as the server has a valid security configuration, it will no longer enter provisioning mode when started.

In provisioning mode the server runs with reduced functionality. Only the server provider is started. Any other specified providers are not started and cannot be used while the server is in provisioning mode.

Figure: Provisioning mode

Important note: The issuing CA certificate must be added to the trustlist before the CA-issued application instance certificate is added. Only trusted certificates will be accepted. Without the issuing CA certificate, the application instance certificate cannot be verified.

Enabling Provisioning Mode

The provisioning mode is entered via a command line option when the server is started. The option is:

./uaserverhp -g

The second possibility is to set the "enable_provisioning_mode" option within the "server" section in the configuration file.

[server]

enable_provisioning_mode = 1

These options only have an effect when the trustlist is empty.

Prerequisites for Entering Provisioning Mode

The following prerequisites need to be fulfilled:

  • Certificate support must be on (CMake option "HAVE_PKI").
  • The trust list of the server must be empty. In the default configuration this would be "embeddedstack/bin/pki_store_0/trusted/". If the trust list is not empty, the provisioning mode is not activated. This is not treated as an error and the server will start in normal mode.
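
The following pre-start check is an added example, not part of the SDK: it applies the rules above to report whether a server would come up in provisioning mode, and flags a provisioning request that is currently ignored only because the trust list is populated. It assumes that an empty trust list means no files in the trusted directory and that only the value "1" enables the option; the function names, the configuration file name and the sample files are hypothetical.

```shell
#!/bin/sh
# Added example (not SDK code): predict the start-up mode from the rules on this page.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], if present.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); cur = $0; next }
        cur == sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/[ \t\r]/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# trustlist_empty DIR: succeed when DIR holds no files.
# Assumption: "empty trust list" means no files in the trusted directory;
# a missing directory is treated as empty.
trustlist_empty() {
    [ -d "$1" ] || return 0
    [ -z "$(find "$1" -type f 2>/dev/null | head -n 1)" ]
}

# provisioning_state CONFIG TRUSTED_DIR [CLI_OPTION]
# Prints: provisioning | normal | normal-request-ignored
provisioning_state() {
    requested=0
    if [ "$(ini_get "$1" server enable_provisioning_mode)" = "1" ]; then requested=1; fi
    if [ "${3:-}" = "-g" ]; then requested=1; fi
    if [ "$requested" -eq 0 ]; then
        echo normal
    elif trustlist_empty "$2"; then
        echo provisioning            # untrusted certificates accepted, password auth required
    else
        # The request is silently ignored today, but would take effect again
        # if the trusted directory were ever emptied.
        echo normal-request-ignored
    fi
}

# Constructed demo input: a throwaway config and PKI store.
demo=$(mktemp -d)
mkdir -p "$demo/trusted"
printf '[server]\n\nenable_provisioning_mode = 1\n' > "$demo/settings.conf"
provisioning_state "$demo/settings.conf" "$demo/trusted"        # provisioning
: > "$demo/trusted/ca.der"                                      # constructed placeholder file
provisioning_state "$demo/settings.conf" "$demo/trusted"        # normal-request-ignored
rm -rf "$demo"
```

The check cannot see the build-time "HAVE_PKI" option, so a "provisioning" result only holds for builds with certificate support enabled.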

Leaving the Provisioning Mode

To leave the provisioning mode, the server needs to be restarted.