CableLabs Micronets

Developer documentation for CableLabs Micronets

Registration Server

Abstract

This is a public-facing server prototype that could be used by medical facilities (e.g. clinics) to effect the frictionless onboarding of a medical device to an MSO subscriber’s account. Specifically, it facilitates the installation of the credentials required to connect the device to the subscriber’s WiFi network.

Developers

The repository for the Registration Server is micronets-reg-server.

Overview

The Registration Server provides a web portal for clinic staff to manage the device onboarding process. It also provides an API for a medical device to initiate the onboard sequence, advertise itself as an available device on the web portal, submit a CSR and finally install the obtained certificate.

Messaging

The Registration Server communicates with the following Micronets components:

* Medical Device
  + IN Device Advertisements & Certificate Requests
* Authorization Server
  + OUT Redirect for subscriber authentication, device onboarding authorization
* MSO Portal
  + OUT Request a CSR Template on behalf of the medical device
  + OUT Request a Certificate on behalf of the medical device

Detailed descriptions of the APIs for this server can be found here

Operation

Preliminary Setup

The initial state of a device is that it is provisioned onto the clinic WiFi and does not yet have any subscriber network certificates or credentials. As part of the clinic provisioning, it has the URL of the Registration Server baked in.

The patient/subscriber is at the clinic with their mobile device, which has an MSO-provided app installed that facilitates web page logins via scanning a QRCode.

Onboarding Process

A clinic representative assists the subscriber in selecting a medical device and initiates the onboard operation by pressing a button on the device, which causes an advertise message to be sent to the server.

An icon representing the device appears on the web portal and is selected by the clinic representative. A menu is presented for the selection of the subscriber’s MSO (ISP), and the MSO is then selected.

The web browser is then redirected to the subscriber’s MSO Authorization Server. Information about the device and the action to be performed is displayed, along with a QRCode that contains identifiers for the service provider/application and the active login session. At this point the Authorization Server obtains a registration token from the MSO Portal, which accompanies the flow for the remainder of the onboard process.

The subscriber uses the mobile app to scan the QRCode, which then forwards the scanned metadata to the Credential Server (Micronets IdOra Server). IdOra then executes a remote login request to the MSO Authorization Server, which now has information about the authenticated subscriber.

The Authorization Server then redirects back to the Registration Server, which in turn sends a request to the Micronets MSO Portal for a CSR Template.

When the CSR Template is received, it is returned to the device, which has been waiting on a long poll for a CSR Template (CSRT) response to its advertise request.

The device generates a CSR and submits it to the Registration Server, which forwards it to the MSO Portal, which forwards it to the Identity Server. The Identity Server creates a certificate and returns it down the chain to the device. Certain metadata such as the subscriber’s SSID are also returned as part of the response.

The device installs the certificate and configures the wpa_supplicant file. When the subscriber returns home with the device, it will automatically connect to the subscriber’s WiFi.
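The final device-side step above, sketched as an added example that is not part of the Micronets code base: it validates the returned material and writes a wpa_supplicant network block, hex-encoding the server-supplied SSID so it cannot inject extra configuration lines. It assumes EAP-TLS and that a CA certificate arrives with the device certificate; the function names, file names and identity format are hypothetical.

```python
import os
import re

# Exactly one PEM certificate block, nothing before or after it.
PEM_CERT = re.compile(
    r"\A-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE-----\n?\Z")

def ssid_to_hex(ssid):
    """Return the SSID in wpa_supplicant's unquoted hex form, so quotes or
    newlines in server-supplied metadata cannot add lines to the config."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= 32:  # 802.11 SSID length limit
        raise ValueError("SSID must be 1..32 bytes")
    return raw.hex()

def write_private(path, text):
    """Write text to path; a newly created file gets mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

def render_network(ssid, identity, ca_path, cert_path, key_path):
    """Build an EAP-TLS network block (EAP-TLS is an assumption of this example)."""
    if not re.fullmatch(r"[A-Za-z0-9._@-]{1,64}", identity):
        raise ValueError("unexpected characters in identity")
    return "\n".join([
        "network={",
        f"    ssid={ssid_to_hex(ssid)}",
        "    key_mgmt=WPA-EAP",
        "    eap=TLS",
        f'    identity="{identity}"',
        f'    ca_cert="{ca_path}"',  # CA used to validate the authentication server
        f'    client_cert="{cert_path}"',
        f'    private_key="{key_path}"',
        "}", ""])

def install(conf_dir, ssid, identity, cert_pem, ca_pem, key_path):
    """Validate everything first, then store the certificates and the config."""
    for name, pem in (("device", cert_pem), ("CA", ca_pem)):
        if not PEM_CERT.match(pem):
            raise ValueError(f"{name} certificate is not a single PEM block")
    cert_path = os.path.join(conf_dir, "device.crt")  # hypothetical file names
    ca_path = os.path.join(conf_dir, "ca.crt")
    conf_path = os.path.join(conf_dir, "wpa_supplicant.conf")
    block = render_network(ssid, identity, ca_path, cert_path, key_path)
    for path, text in ((cert_path, cert_pem), (ca_path, ca_pem), (conf_path, block)):
        write_private(path, text)
    return conf_path
```

The private key never leaves the device in this flow, so `key_path` points at the key generated alongside the CSR rather than at anything returned by the server.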

Sequence Diagram

Installation

Detailed instructions for building and installing the Registration Server can be found here