CI Plus: Frequently Asked Questions

General Information ID:    INFO1844
Version:    5.0
Published:    08/03/2012
Updated:    03/19/2013

Description

Which security tokens are accepted by Symantec for brand administrators?
Why do I have to acquire the security tokens and don’t get them directly from Symantec?
Where is the brand administrator certificate used for?
The CI Plus Root CA, Brand CA and Device ID certificates are expired?
The certificate chain can not be verified with OpenSSL?
I can not start the CIPLock tool.
My PO for new certificate batches has not been processed.
CIPLock tool: I get a ‘fail’ for ‘Verify revocation status of signer’.
Old batch files are not available for download anymore.
Why does Symantec request a rolling monthly forecast and what happens to this information?
What is Symantec’s relationship to CI Plus?
I am an OEM manufacturer, how can I on-board to the CI Plus portal? 
What kind of test sets are available?
CIPLock is not decrypting the batches on installing JRE7: 

 

Which security tokens are accepted by Symantec for brand administrators?

The accepted and supported tokens are:
Aladdin eToken Pro
http://www.aladdin.com/etoken/devices/pro-usb.aspxftp://ftp.aladdin.com/pub/marketing/eToken/Factsheets/FS_eToken_PRO.pdf

Why do I have to acquire the security tokens and don’t get them directly from Symantec?

In order to avoid issues with the export/import of cryptographic material we suggest that you acquire the security token from a local supplier. This is quite often quicker and will ensure you have appropriate local support in case of any hardware failures.

Where is the brand administrator certificate used for?

The brand administrator certificate (or more precisely the certificate and its corresponding private key) is used for several purposes on the CI Plus portal. At first the credential is used for login into the Licensee’s portal account. The certificate is a digital credential which is used for authentication on the portal instead of a user name and password. More importantly, the brand administrator certificate is also used to encrypt the Licensee’s batch file(s). When an order has been placed and the Device ID credentials have been generated, the resulting batch file is encrypted with the Licensee’s brand administrator certificates. Therefore only the brand administrators with their certificates and private keys are able to decrypt the batch file. This makes the brand administrator certificates a highly important element in the CI Plus scheme which has to be protected by generating it on a security token. This ensures that no copying of the private key is possible (the private key can not leave the security token). The token should be kept in a secure environment with restricted access only. A Licensee’s portal account can have up to five brand administrators configured which are able to login to the portal account, place Purchase Orders, download and decrypt the resulting batch files.

The CI Plus Root CA, Brand CA and Device ID certificates are expired?

 The certificates are not expired. The Root CA and Brand CA certificates are valid until the end of 2099. Many tools do not display the validity as 2099 but may show 1999 or other unusual dates. This is based on the fact that the date encoding in the certificates is in UTC encoding (Universal Time Code). UTC is only defined until 2049 and any dates beyond 2049 can not be presented correctly. Therefore Certificate viewers like OpenSSL or the MS Certificate Wizard will not display the dates correctly.

The certificate chain cannot be verified with OpenSSL?

 All CI Plus certificates use RSA-PSS. RSA-PSS is a new signature scheme that is based on the RSA cryptosystem and provides increased security assurance. It was added in version 2.1 of PKCS #1 but is not yet widely supported by crypto tools.

What do I need to know about the CIPLock tool

Please follow the instructions on the Symantec web site and meet the preconditions before you can start the CIPLock tool.
https://ciplus-auth.pki.symantec.com/CIPLock/

I cannot start the CIPLock tool.

In order to start the CIPLock tool you have to have a PC where at least 2 GB physical memory is freely available to the CIPLock application. The CIPLock tool allocates 1.5 GB of physical memory as the decryption of a batch file with 100,000 certificates (which is the maximum number of certificates in a single batch files) requires more than 1 GB memory which has to be allocated at the start of the CIPLock application.

My PO for new certificate batches has not been processed.

Before a new batch of Device ID credentials is issued, Symantec has to release the order. This helps Symantec to bring the batches of the various Licensees in line with the capacity planning. Symantec ensures that the Device ID credentials are issued and made available in the portal within the time period agreed in the SLA.

CIPLock tool: I get a ‘fail’ for ‘Verify revocation status of signer’.

When you choose ‘Verify, decrypt and unpack’ in the CIPLock tool for a batch file, the tool then tries to validate the status of the certificate that signed the batch file. This is done via an online connection via the Internet to Symantec. If the PC running the CIPLock tool is either not connected to the Internet or connections are blocked by a firewall you get a fail for ‘Verify revocation status of signer” and an error message indicating that the signer certificate is revoked. This problem can be resolved either by connecting the PC to the internet and not blocking the connection to Symantec or alternatively by choosing the option ‘Decrypt and unpack only’. This option then skips the verification process and starts with the decryption.

Old batch files are not available for download anymore.

Batch files are available on the portal for download for 45 days. After this period the batch files are deleted automatically. A Licensee should download all ordered batch files when they are available for download on the portal. Please note that the batch files are encrypted with the brand administrator certificates only. Symantec is not able to decrypt the batch files and also not able to re-list the files once is has been deleted.

Why does Symantec request a rolling monthly forecast and what happens to this information?

Symantec requests forecasting information to allow us to adequately plan the capacity of the system to meet certificate delivery requirements of all Licensee’s on a month by month basis. Any forecasting information is regarded as highly confidential and is protected and not discussed with any party other than the CI Plus Delivery team within Symantec The forecast is not binding but is considered to be a very important tool to allow us to meet Licensee’s needs.

What is Symantec’s relationship to CI Plus?

Symantec is the Certification Authority and Trusted Agent for CI Plus. As Trusted Agent Symantec is authorised to act on behalf of CI Plus (.e.g. signing the Interim License Agreement (ILA)) and takes care of the Licensees On-boarding. Symantec developed and operates the CI Plus portal, creates Licensee accounts, configures Devices and issues Device ID credentials to the Licensees.

I am an OEM manufacturer, how can I on-board to the CI Plus portal

An OEM manufacturer can on-board to the CI Plus portal like any other adopter by starting with a completed and signed ILA as a product manufacturer. As a full blown licensee, you could have the benefit of selling products as OEM product to the various brands. You then have a completely tested and CI Plus ready device, including valid Device ID credentials which then can be visually branded to the customer's needs but without having to go through the CI Plus process again as the device is already CI Plus compliant.

What kind of test sets is available?

When the adopter has signed the Interim License Agreement (ILA), Symantec will send a test package to the Licensee which contains the CI Plus license specification, test license constants and test credentials. These credentials can be used to basically verify the implementation and usage of digital certificates in the devices. Digital TV Labs provides a CI+ Test Tool for pre-testing and debugging purposes prior to certification. Additionally there are various further test kits on the market which give additional benefits to the Licensee by also providing test CAMs and libraries to help with the implementation. Test kits are available from SmarDTV and Neotion.

CIPLock is not decrypting the batches on installing JRE7:

Those customers, who have upgraded the JRE version from 6 to 7, on the machine where CIPLock is installed.
Once the JRE7 (32-bit version) is installed on the system, one needs to carry out below steps for CIPLock to work:

Step-1: Download JCE7 (http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html)

Step-2: The package contains detailed installation instructions. But essentially, you have to follow these steps:
a.Extract the downloaded archive to a temporary directory. You will find a sub directory jce that contains a sample of files.
b.Locate the Java JRE installation directory. On Windows computers, this is typically something like C:\Program Files\Java\jre7\.
c.Copy all files from jce to the directory lib\security below the Java JRE installation path.

Step-3: Install Bouncy Castle Cryptographic Service Provider
a.As last precondition, you have to download and install a third party, open source cryptographic service provider library. This software is provided by "Bouncy Castle"( bcprov-jdk16-141.jar) and can be downloaded from here:  http://www.bouncycastle.org/download/bcprov-jdk16-141.jar
b.The downloaded file bcprov-jdk16-141.jar has to be copied to the directory lib\ext below the Java JRE installation path. On Windows computers, the Java JRE installation path is typically something like C:\Program Files\Java\jre7\.

Knowledge Center