Digitally signed meter configuration export option

OpenWay Collection Engine components use public and private keys to provide non-repudiation for messages sent to other network nodes. The use of digital signatures builds on that non-repudiation infrastructure.

Digital signatures can be used to ensure that exported meter configuration files have not been tampered with in transmission. The Meter Configuration Security Validation settings, found in the OpenWay Collection Engine user interface under Administrator > System Settings > Security, include options to require that a digital signature be attached to each exported meter configuration file. By default, exported meter configuration files do not require digital signatures.

When enabled, digital signatures can be required to export meter configuration files from the OpenWay Collection Engine and import meter configuration files into the OpenWay Collection Engine.

Preparing a signing certificate

Use this procedure to grant permission to the OpenWay Collection Engine user interface web site to access the signing certificate required to sign export files and verify import files.

Before digital signatures can be used for security, a meter configuration file including a signing certificate must be validated and imported into the local computer. Begin by importing a signing certificate, used by the OpenWay Collection Engine, into the Local Computer Personal (LOCAL_MACHINE\My) certificate store. The OpenWay Collection Engine will use this certificate to sign meter configuration files for export.

Note: There is no need to import a new signing certificate if one is available to the OpenWay Collection Engine. The existing certificate will require the addition of user access rights so that the OpenWay Collection Engine user interface can perform the signing process.

Defining and configuring a signing certificate

  1. Open the Microsoft Management Console (MMC) application for certificate management and locate the certificate to be used to sign meter configuration export files.

  2. Under Actions > localhost, select the Manage Private Keys action.

  3. In the Permissions for localhost private keys dialog, select Add to enable additional private key users for the certificate.

  4. In the Select Users or Groups dialog, select Locations and locate the host that contains the certificate.

    In the Enter the object names to select dialog, enter IIS APPPOOL\OpenWayAppPool.

  5. Select Check Names to verify that the object name is available.

  6. Click OK.

  7. In the Permissions for localhost private keys dialog, under Security, select OpenWayAppPool.

  8. In the Permissions for OpenWayAppPool dialog, verify that Full control and Read are checked to Allow.

  9. Click OK.

    The certificate is now ready to use to digitally sign meter configuration export files.
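
To confirm the result of the steps above from PowerShell, the following added example (not part of the product documentation or vendor code) lists the access entries on the signing certificate's private key file and reports whether IIS APPPOOL\OpenWayAppPool has an Allow entry that includes Read. It assumes an RSA key stored in software, an elevated session, and a placeholder thumbprint that you replace with your own.

```powershell
# Added example (not vendor code). Run in an elevated Windows PowerShell session.
# Placeholder: replace with the thumbprint of the signing certificate.
$Thumbprint = '<THUMBPRINT-OF-SIGNING-CERTIFICATE>'
$Identity   = 'IIS APPPOOL\OpenWayAppPool'   # identity named in the procedure above

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in LocalMachine\My."
}

# Assumption: the certificate uses an RSA key. Resolve the key container file name.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw 'Not an RSA key, or the private key cannot be opened from this session.' }
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName                                  # CNG key storage provider
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName      # legacy CryptoAPI provider
}

# Machine key files live in one of these directories, depending on the provider.
$keyFile = @(
    "$env:ProgramData\Microsoft\Crypto\Keys",
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
) | ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found in the machine key directories." }

$read = [System.Security.AccessControl.FileSystemRights]::Read
$aces = (Get-Acl -Path $keyFile).Access | ForEach-Object {
    [pscustomobject]@{
        Identity = $_.IdentityReference.Value
        Type     = $_.AccessControlType
        Rights   = $_.FileSystemRights
        CanRead  = ($_.AccessControlType -eq 'Allow') -and (($_.FileSystemRights -band $read) -eq $read)
    }
}

# Full listing, so unexpected principals with access to the signing key stand out.
$aces | Format-Table -AutoSize

$match = $aces | Where-Object { $_.Identity -eq $Identity -and $_.CanRead }
if ($match) {
    "OK: $Identity can read the private key."
} else {
    Write-Warning "$Identity has no Allow/Read entry on $keyFile."
}
```

Review the full listing as well as the final line: any account on it that is not expected to sign meter configuration files can also use the signing key.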

Enabling digitally signed meter configuration export files

  1. From the OpenWay Collection Engine user interface, click Administrator.

  2. Click System Settings.

  3. Click the Security tab.

  4. Scroll to the Meter Configuration Security Validation section.

  5. Select the Enable Digitally Signed Meter Configuration Export Files checkbox.

    Note: Be sure that the selected certificate has been assigned appropriate permissions so that the OpenWay Collection Engine user interface can access the private key of the certificate (see Preparing a signing certificate).

  6. From the dropdown menu, select a Distinguished Name for the signing certificate.

  7. If the imported meter configuration documents require validation, select the Require Meter Configuration Import Digital Signature Validation checkbox. If validation is not required, clear the checkbox.

  8. Click Save Security Settings to enable the changes, or click Restore Security Defaults to abandon your edits.

Exporting digitally signed meter configuration files

  1. Verify that the Enable digitally signed meter configuration export files setting in the OpenWay Collection Engine user interface in Administrator > System Settings > Security Features is enabled. (See Digitally signed meter configuration export option.)

  2. Use the Configuration Engine user interface to create a meter configuration file. See Adding a New Meter Configuration to the Itron Enterprise Edition.

  3. Export the meter configuration file. See Exporting a Configuration. The OpenWay Collection Engine attaches the digital signature.

  4. Send the signed meter configuration to the Itron meter production facility, where the meter configuration is used to configure future meters.