Bootstrapping To Use a CPF File

Send Feedback

Windows Mobile-based devices can be bootstrapped and then continuously provisioned by using XML files that are signed with a manager certificate, rather than using a WAP push message that is signed with a network PIN. The manager of the device owns the manager certificate in this scenario. Continuous provisioning can be achieved by allowing the end user to pull a Cab Provisioning Format (CPF) File from a Web site.

This method provides more security for enabling continuous provisioning.

To use a ROM configuration XML file, or a remote API (RAPI) call to bootstrap, and enable continuous provisioning, the XML file should contain the certificate that is assigned the Manager role, the request for changing to the Grant Manager Role policy, and the basic information for creating a data connection. Without the data connection information, the device will be unable to connect to the Web site to retrieve the signed provisioning file. In addition, other changes that the mobile operator wants to set in the bootstrap procedures, such as changes to the security model or to e-mail settings, can be placed in the bootstrap XML document. For more information about bootstrapping through a ROM configuration XML file and using a RAPI call, see Provisioning Using a ROM Configuration XML File, and Provisioning From a Desktop Computer Using Remote API and ActiveSync.

To use WAP push to bootstrap and enable continuous provisioning, the WAP push provisioning file must be signed with both the network PIN and user PIN. The USERNETWPIN mechanism is defined in the OMA Provisioning Bootstrap Specification Version 1.1. The push message must contain at least the certificate, the request for changing to the Grant Manager Role policy, and information about how to connect to the Web site to pull the .cpf file. Other bootstrap information can be put in the signed .cab file and pulled to the device by the user at a later time. This is performed over the air from a Web site through the data channel. For more information about bootstrapping through WAP push with provisioning files, see Provisioning OTA Through a WAP Push.

The following is an XML example that can be used for sending a manager certificate and data connectivity information to the device:

<!-- the HTTP proxy and its corresponding PPP settings used to browse to www.Northwind -->
   <characteristic type="CM_ProxyEntries">
      <characteristic type="HTTP Proxy 1">
         <parm name="SrcId" 
         value="{A1182988-0D73-439e-87AD-2A5B369F808B}" />
         <parm name="DestId" 
         value="{C1182988-0D73-439e-87AD-2A5B369F808A}" />
         <parm name="Proxy" value="myitgproxy:80" />
   <characteristic type="CM_PPPEntries">
      <characteristic type="Corp PPP 1">
         <parm name="DestId" 
         value="{A1182988-0D73-439e-87AD-2A5B369F808B}" />
         <parm name="CountryCode" value="1" />
         <parm name="AreaCode" value="425" />
         <parm name="Phone" value="5550150" />
         <parm name="UserName" value="myuser" />
         <parm name="Password" value="mypassword" />
         <parm name="Domain" value="mydomain" />
<!-- Add a cert which is assigned a Manager role. -->
   <characteristic type= "CertificateStore">
      <characteristic type="SPC"> 
         <!-- The following characteristic type is used to provide a hash of the certificate. In actual XML, "hash of certificate" 
         should be replaced with the real hash value. -->
         <characteristic type="hash of certificate">
            <!-- The following parm provides a base64 encoded certificate. In actual XML, "Base64 encoded x.509 certificate" should be replaced with the real encoded certificate value. -->
            <parm name="EncodedCertificate" 
            value="Base64 encoded x.509 certificate"/> 
            <parm name= "role" value= "8"/>  

<!-- Updating the Grant Manager policy so that only the message that is already assigned the manager role could be worked as manager message. -->  
   <characteristic type="SecurityPolicy">
      <parm name="4119" value="8"/>
Note   Replace the sample values in braces ({}) with correct values for your system.

In the preceding example, the thumbprint information (certificate hash) for CertificateStore can be viewed from Microsoft Windows 2000 and Microsoft Windows XP on the Details tab of a certificate in certmgr.msc.

See Also

Bootstrapping Windows Mobile-Based Devices | Cab Provisioning Format (CPF) File

Send Feedback on this topic to the authors

Feedback FAQs

© 2006 Microsoft Corporation. All rights reserved.