Professional Documents
Culture Documents
TLSandCertGuidelineforR7 1 Ver 0 1
TLSandCertGuidelineforR7 1 Ver 0 1
1
(includes Gateways & H.323 IP Phones)
March 2, 2017
The Customer’s Security Administrator must enable the following ports to support
TLS links to gateways and H.323 phones:
TCP port 1300 is used for the TLS signaling connection to the H.323 phones.
TCP port 2944 is used for the TLS connection to tunnel the H.248 control channel
between CM and the G430/G450 gateways.
Product Release Requirements
CM Release 7.1
CM does not require being placed into FIPS mode.
CM supports the option of “TLS Min Version” on ‘Server Access’ SMI page.
96x1-H.323 Phone Release 6.6.2- Load 27 (or newer)
Only 96x1-H.323 phones will support the feature of TTS-TLS
G430/G450 Release 7.1 – load 38.15.0 (or newer)
Administration setting for “TLS Min Version”.
Administration setting enhancement for CRL/OCSP and for SubjectAlternate field
checking for certificates.
ClientKeyExchange
CertificateVerify
ChangeCipherSpec
EncryptedHandshakeMessage
ChangeCipherSuite
EncryptedHandshakeMessage
Intermediate
CA
PKI
Communication Manager
Web-Based
Application
HTTPS Apache Remote Serviceability Remote
Server Web Logging
TCP 443 Logging
Services Service Server
W
R
H.323
H.323 Signaling
–96x1
TCPxxxxx out Trusted Repository
NOTE:
TCP 1300 inward
CA CA CA 1)Load CA cert chain for
AES AES (TCP 8765) 1 2 3 who signs the CM ID
cert, plus who signed all
of the peer TLS entitites.
CM Dup (TCP 12080) 2) 2) Load CM Identity
Cert.
CM
Filesync (TCP21874)
Peer
96x1 H.323 phone has a single application directory to store the certificate set
(Identity cert and Root-CA).
– CM H.323 Signaling channel to phone.
If an application certificate set (Identity cert, Trusted chain) is not loaded, there
will be no TLS established for this application under Mutual authentication.
– In order to build an environment in phases, if CM is set for “Mutual Authentication”
set to “no”; and the administrator does not load an Identity Certificate on the phone,
then CM will allow the endpoint to open a TLS session without authenticating a
phone certificate.
– If the phone contains an Identity certificate for 802.1X or VPN applications (and not
for the H.323 signaling/registration over TLS), then CM shall include the Root CA
certificate in the CM’s Trust repository. In this case, independent of the Mutual
Authentication flag, CM will be able to verify these other certificates, which the
phone has exchanged.
96x1 Phones support Identity certificates which have a digital signature of
(SHA2 and RSA 2048 key lengths).
SSO –
TCP/18414
PC CA
OCSP –
Directory
OCSP over HTTPS TCP/443
Certificate
CA 1 CA 2
SLA Monitor Serviceability Directory
CA for CA for
Server {Discover on SSO 802.1x
UDP 50011} EAP-TLS
{TLS on TCP NOTE:
50010} 1) Load CA cert chain
CA 3 CA 4 for who signs the CM
Radius 802.1x EAP-TLS Identity cert.
Server CA for CA for 2) Load Phone Identity
CM SLA Mon Cert.
Configuration
files download CA 5 3) Administrator may
TCP/411 decide to have the SAME
HTTP/S file Configuration CA for a few
server Backup/restore & applications.
files download
debug report
4) Up to 6 trusted
TCP/443 Cert certificates files are
CA 6
supported.
WML browser
Phone Identity
WML server TCP/443 IPSec VPN
IKE TCP/UDP
500/2070/4500
IPSec VPN Gateway to 500/4500
G4xx Gateway
CM
H248reg App H248reg App NOTE:
H.248 Signaling
Certificate CA 1)Load CA cert chain for
TCP 2944 who signs the CM cert.
Directory Directory
2)Load GW Identity Cert.
Cert
1 CA
1
GW Identity
SLA Monitor
SLA SLA
Serviceability Server
Certificate CA
{Discover on
Directory Directory UDP 50011}
{TLS on TCP
Cert
2 CA 50010}
2
GW Identity
Trust Chains {includes both the CA Root and the Trusted chain (if there are
intermediate CA’s)} should be presented as a “.pem” file.
It is strongly recommended that all certificates be signed with a 2048 bit RSA
and a SHA2 hash algorithm.
Avaya – Proprietary. Use pursuant to Avaya policy. 15
Operation of H.323 phone for Initial Registration and
TLS connection establishment
Upon CM re-opening the TCP socket, the H.323 station shall perform the
following actions:
a) The H.323 station shall then issue a ClientHello to initiate TLS Connection
establishment.
b) The phone sees the TTS flag and understands that it does not have to perform a
re-registration.
c) Then the H.225/Q.931 exchange will complete the Signaling channel
establishment.
The Customer’s Security Administrator must enable the following ports to support TLS links
to gateways and H.323 phones:
TCP port 1300 is used for the TLS signaling connection to the H.323 phones.
TCP port 2944 is used for the TLS connection to tunnel the H.248 control channel between CM
and the G430/G450 gateways.
The Customer’s Security Administrator needs to perform the following tasks on the CM
server to prepare for deployment on a government customer site:
Install CM software load CM R7.0.1 (or later)
Get a 3rd party host certificate set (CM Identity cert & Trusted Root CA cert which
signed the Gateway Identity cert & Trusted Root CA cert which signed the H.323
Phone’s Identity cert)
This is required for both the Communication and the Web Identity Cert repositories.
Check that the CM SAT’s System Capacity form’s ‘H.323 Stations via TLS’ has
sufficient capacity to support those customer H.323 phones that need to operate in
TLS mode.
Check that the CM SAT’s Security-Related System Parameters form so that the field
‘TLS Mutual Authentication’ is administered to “yes” on a system-wide basis.
Check that the CM SAT’s IP-Network-Region form (covering where the phones are
located) so that the field ‘H.323 Security Profile’ is set to “H323TLS”.
Configure the CM SAT’s Media Gateway form
Link Encryption Type
Mutual Authentication (recommended to be set to yes)
Once the third party certificates have been created/located, the customer needs to copy
the rootCA.pem certificate and the Identity certificate into the /var/home/ftp/pub directory
on the CM server.
Then go to the ‘Trusted Certificates’ menu item on the SMI web page and select “Add”.
Note 1: Please note that at any stage of the following pages, that clicking on the “Help”
button will resolve your questions.
Note 2: for simplicity, on the following pages we have presented the example of loading
the Communication Manager Identity certificate. The customer’s Security Administrator
could check the “Web” box as well and load this Identity certificate into both the “C and W”
repositories. The CM Trust CA store should be loaded with the CA Trust chain that is
required for each of the TLS applications.
Type a desired filename for the stored CA file and select “Communication Manager” as the
desired CA application repository. Then select “Add”.
2) Go to the “Server/Application Certificates” SMI page (as shown on slide #30) and
select:
• The Identity certificate file which you wish to copy.
• Then select “Copy”.
• When prompted, select the “W” trusted repository
• At the conclusion of this action, check to see that this Identity Cert now shows ‘Installed in W’.
The Minimum TLS Versions feature will provide a method for the System
Administrator to specify TLS version usage for the following connection types.
(See next slide for SMI page).
System Management (SMI) pages (Apache web services)
CM Duplication link (Communication services)
FileSync connection (Communication services)
CM Signaling for SIP trunks, H.248 gateways, H.323 phones, AES)
Policy rules:
• Pull-down window offers choices of TLS versions (1.0, 1.1, 1.2).
• Must restart CM after a change to SMI page.
• Default is to use “TLS Version 1.0” in CM registry file.
• CM Signaling currently affects all trunks. So, if a given peer can only support
version 1.0, Administrator must set all to operate with TLS version 1.0.
o Desirable enhancement (post R7.1) would change Signaling-Group SAT form to allow
override on an individual trunk group basis.
Avaya – Proprietary. Use pursuant to Avaya policy. 33
CM Administration via Server Access SMI Page
For each station user, the ‘Require Mutual Authentication’ parameter on the SAT station form must be
configured to “yes” to direct that “Mutual Authentication” is enabled.
– This means that the TLS Server (CM) and the TLS Client (96x1 H.323 phone) must both
exchange Identity certificates and CM shall authenticate the other side’s certificate.
– For staging, if the customer does not load an Identity certificate on the individual phone, then this
field can be turned to “no”. CM will not expect a certificate to be shared from the phone.
For all customers, the IP Network Region form contains a parameter that governs H.323 phone
registration within a defined network region.
– Change the “H.323 Security Profile” parameter to “H323TLS to enable the use of TLS connections
for all H.323 phones which exist in this defined network region.
Type: g450
Name:
Serial No:
Link Encryption Type: TLS-only
Network Region: Location: 1
Site Data:
Recovery Rule: none
Registered? n
FW Version/HW Vintage:
MGP IPV4 Address:
MGP IPV6 Address:
Controller IP Address:
MAC Address:
Mutual Authentication? y
The Customer’s Security Administrator needs to configure the ‘Settings’ file on the phone
Utility Server
Install 96x1 Phone software load 6.6.2 (Load 27 or greater)
Get a 3rd party host certificate set (Phone Identity cert & Trusted Root CA cert which
signed CM’s Identity cert)
CRAFT UI option shall be set to ON (by default).
PROCSTAT should be set to 0 (its default value) so that static IP addresses can be
configured.
TLSSRVRVERIFYID should be set to 1 to direct the phone to validate the identity of the TLS
server (such as CM) is checked against the Common Name in its Identity certificate.
This parameter requires that the value of “MCIPADD” will match the SubjectAltName field of the peer’s
(CM) Identity certificate.
MCIPADD can be either an IP address or a hostname.
Any change to a PKCS12 file (Identity cert) or Trusted Certificate files requires a change in the filename to
enforce the phone to download the update to the correct phone cert repositories after a reboot action.
TLSSRVR should be set to the IP address of a file server that can download configuration files
via HTTPS.
TPSLIST should be set to null (its default value) because the Push server does not support
TLS or IPv6. VVoIP STIG request to disable HTTP servers if no authentication is done
AUTH should be set to 1 so that configuration files will only be downloaded via HTTPS.
HTTPSRVR should be set to the IP address of a file server that can download software files
via HTTP.
NVVPNMODE should be set to 0 (its default value) because the IKE/IPSec implementation
does not meet some requirements (5.4.6.2.3, 1.c(1)(c)ii, 1.c(1)(c)viA), VPN is not supported in
FIPS mode, and VPN does not support IPv6.
VLANSEP should be set to 1 (its default value) and VLANSEPMODE should be set to 1 to
enable VLAN separation. In this mode the PC cannot reach the phone. Note that the network
switch must be configured to leave 802.1Q tags on frames forwarded to the telephone and PC
(for both data and voice VLANs) so that the switch in the telephone can enforce VLAN
separation.
L2QVLAN shall be configured to the voice VLAN. L2QVLAN shall be set to value other than 0
or PHY2VLAN.
L2Q shall be set to a value of 0 (auto) or 1 (Tagging). The phone will try to get IP address from
DHCP server on voice VLAN and if succeeded the phone will send all the rest of the packets
tagged on voice VLAN.
SSO_ENABLED should be set to 0 (its default value) because it does not support IPv6.
Console port shall NOT be enabled in the DEBUG menu under CRAFT menus since there is
no session timeout or authentication supported on the console port once enabled.
802.1x shall be disabled (DOT1XSTAT=”0”) since 802.1x is not supported in FIPS mode.
WMLIDLEURI shall be configured to null string (default) since the “VvoIP STIG” requires
disable of browsers.
AUTOANSSTAT shall be configured to 0 (by default) since the “VvoIP STIG” request to
disable auto answer feature.
GUESTLOGINSTAT shall be disabled (0, default) since “VvoIP STIG” requests to disable the
guest login feature if not activated for certain users only.
VUMCIPADD shall be null string (default) since “VvoIP STIG” requests to disable the visiting
login feature if not activated for certain users only.
Update the Settings file with the following configuration if On-Line Certificate Status
Protocol (OCSP) is to be employed for certificate revocation checking:
OCSP_ENABLED should be set to 1 so that OCSP will be used to check the revocation status
of received certificates .
OCSP_URI_PREF should be set to 1 if OCSP requests should be sent to the URI specified by
OCSP_URI before trying a value provided in the OCSP field of the Authority Information
Access (AIA) extension of the certificate being checked, or it should be set to 2 if OCSP
requests should be sent to the URI specified by the value provided in the OCSP field of the
Authority Information Access (AIA) extension of the certificate being checked before trying the
URI specified by OCSP_URI.
OCSP_URI should be set to the URI of the OCSP responder if one is to be used that is not
specified in the certificates to be checked.
Update the Settings file with the following configuration if On-Line Certificate Status
Protocol (OCSP) is to be employed for certificate revocation checking:
OCSP_NONCE should be set to 1 (the default) so that a nonce will be included in OCSP
requests.
SCEP (Simple Certificate Enrollment Protocol) was originally developed by Cisco and
Verisign.
This allows the phone to automatically sends a certificate signing request to a SCEP server
A summary of this certificate enrollment is:
Request/response model base on HTTP.
Employs RSA-based cryptography.
Uses PKCS#10 as the certificate request format.
Uses PKCS#7 in order to convey cryptographically signed/encrypted messages.
Supports asynchronous granting by the server and regular polling by the requester.
Has limited Certificate Revocation List retrieval support.
Does not support online certificate revocation (must be handled by another process).
Requires the use of a challenge password field within the signing request, which is shared
between the server and the requesting phone.
Update the Settings file with the following configuration if the phone Identity Certificate
is to be created automatically by a SCEP server
MYCERTURL should be set to the IP address for the SCEP server.
This may be a Windows server running “Active Directory Certificate Services”
This may be an Avaya System Manager with SCEP configured.
MYCERTCN should be set to “$SERIALNO” to use the serial number of the phone as the
client side identification.
MYCERTAID is optional and should be configured it you want someone other than Microsoft to
act as the CA (for case of using a Windows application).
MYCERTKEYLEN should be set to “2048” to direct that RSA2048 be the key length for
forming the digital signauture.
Update the Settings file with the following configuration if the phone Identity Certificate
is to be created automatically by a SCEP server
MYCERTWAIT should be set to “1” to direct that the SCEP protocol request will wait until
either an Identity Certificate is returned or an SCEP Request message is received.
The gateway has a command line interface (CLI) that supports a set of new commands for the enabled
of a FIPS certified mode of operation.
The gateway’s control module “Gateway.o” and the maintenance module “Maintenance.o” will enforce
the policies for operation while the gateway is in FIPs mode.
The following policies will be enforced while in FIPS mode”
1. The two choices of H.248 establishment will be:
a) TLS ( UDP port 2944)
b) None (UDP port 2945)
2. The local survivability feature, SLS, will be disabled since SLS does not currently support the use
of encryption over the media to the co-located IP phones nor does it support TLS over the H.323
control link to the co-located IP phones.
3. The administrator is advised to disable Telnet.
4. The gateway shall enforce that when CM sends a media connection request, that it only be using
the SRTP encryption modes (SHA1-AES128-80, SHA1-AES128-32, SHA2-AES256-80, SHA2-
AES256-32 or None). Otherwise the call request will be denied.
The following pages review the administration steps, with detail paid to the CLI commands
for the gateways.
The Customer’s Security Administrator needs to perform the following tasks on the gateway
to prepare for deployment on a government customer site:
Install Gateway software load 38.15.0 (or greater)
Get a 3rd party host certificate set (Gateway Identity cert & Trusted Root CA cert which
signed CM’s Identity cert)
Follow the follow configuration steps (refers to gateway CLI commands:
Set the certificate management options for cert validation with the ‘certificate-options’
command
Configure the ‘set ip-address-map’
Use the ‘copy scp root-ca’ command to download the Trusted Root CA certificate(s)
Use the ‘copy gw-identity-cert’ command to download the Gateway Identity certificate
Optionally employ the copy commands to download the SLA Monitor certificate set
Configure the ‘set http proxy’ command if the enterprise requires a proxy firewall
Use the ‘show crl’ and ‘erase crl’ commands to cleanup the CRL list which gets built by the
gateway
• show fips-mode
• This command will show the state of the FIPS mode configuration
• Example:
G450-gloin-020(develop)#
G450-gloin-020(develop)# show sls
SLS is : disabled
The media gateway’s CLI command for the Media Gateway Controller (MGC) list has been expanded to
include the new encryption option of ‘TLS’.
Remember that in the gateway’s FIPS mode, that the only two permitted choices are ‘TLS’ and “None’.
The gateway will attempt to register by going to the first member of the MGC list and trying to register
with first ‘TLS’ and then secondly with ‘none’. It will repeat this three times and then move to the next
host H.248 controller in the MGC list.
• show mgc
• This command will show the state of the FIPS mode configuration
• Example:
G450-gloin-200(develop)# show mgc
sls disabled
The media gateway has a new CLI command under the “root” login that will provide the ability for the
customer’s Security Administrator to define the policy rules for the client offer for TLS version.
• set link-encryption h248reg {protocol} <yes | no>
o Where {protocol} = <all | tls | tls1.2 | tls1.1 | tls1.0 | ptls | unencrypted>
The media gateway has a new CLI command under the “root” login that will provide the ability for the
customer’s Security Administrator to define the policy rules for the client offer for TLS version.
• The following shall be the default options in FIPS mode:
set link-encryption h248reg tls-1.2 yes
set link-encryption h248reg tls-1.1 no
set link-encryption h248reg tls-1.0 no
set link-encryption h248reg ptls no
set link-encryption h248reg unencrypted no
TLS : yes
TLS 1.2 : yes
TLS 1.1 : no
TLS 1.0 : no
PTLS : yes
Unencrypted : yes
TLS : yes
TLS 1.2 : yes
TLS 1.1 : no
TLS 1.0 : no
The media gateway has a new CLI command under the “root” login that will provide the ability for the
customer’s Security Administrator to define the policy rules for the verification of the received Server’s
Identity certificate.
• Certificate-options {this is a new command with a two-level context}
o set validate-common-name{yes | no}
• Where “yes” operates to validate on commonName of received cert and to reject TLS
connection on a failure. Validation uses the field content of the IP-Map-Address command.
o set validate-alternate-name{yes | no}
• Where “yes” operates to validate on subjectAlternateName of received cert and to reject
TLS connection on a failure. Validation uses the field content of the IP-Map-Address
command.
o set validate-expiration { initial connection | always | never}
• “initial connection” is the recommended choice for most customers. This is the default.
• “always” is the choice for JITC testing to conform to the UCR dictate to release H.248
connection upon event.
o set crl-http-validation <none | best-effort | mandatory>
• Where “best-effort” or “mandatory” operates to verify certificate revocation by using the url
inside of the cert to do a search of the CDP site(s).
• Default is best-effort
• CRLs will be refreshed per the setting of the crl-refresh-interval
o show certificate-options
show certificate -options:
Certificate Options
====================================
Validate Alternate Name: no
Validate Common Name: yes
Validate Expiration: initial-connection
CRL HTTP Validation: yes
CRL-Refresh-Interval: 14
OCSP Validation: no
OCSP Local URL:
OCSP URL Precendence: certificate
The gateway shall support a new CLI command that will allow the customer to administer a mapping
table to help translate string names into ‘IPv4’ or ‘IPv6” addresses. The gateway’s Certificate
Management uses this to assist in the resolution of commonName field of the server’s Identity Cert.
The gateway’s command is as follows:
• set ip-address-map <name> <ip>
• where <name> is the string name that is a FQDN, URI domain name, or any string name.
• <ip> is the IP address that corresponds to the ‘name’ field.
• If an IP address is used as the “commonName” then you must still input the IP address in the
second parameter.
• Example
set ip-address-map “ukbbcomacm01.ukbb.intern” 10.130.27.23
set ip-address-map “10.130.27.20” 10.130.27.20
This is the entry you will erase - do you want to continue (Y/N)? y
• show ip-address-map
• This command will show the administered mapping entries;
• Example:
Index #1
numero.uno
145.176.123.087
Index #2
the.second.one
2300:4567:9876:4837:2345:9834:2345:3825
The gateway supports a new CLI command group (copy, show, erase) that supports the download of
one or more Root-CA certificates from a host server.
• Note that the signing authority for CM may be different from the signing authority for the gateway.
• In complex security enterprise topologies, there may be multiple CMs, each of which has a different signing
authority.
• This feature supports two application directories in which Root-CA certificates may be placed (h248reg and sla)
• H248reg designates the directory to place Root-CA certificates for validation of link establishment to CM.
• SLA designates the directory to place the single Root-CA certificate used for validation of link establishment to
the SLA Monitor server for diagnostic purpose.
• The copy mechanism is the SCP (secure copy)
The gateway’s command is as follows:
• Copy scp root-ca <app> <filename> <ip>
• where <app> is the application directory in which the cert is to be stored.
– Choices are h248reg or sla.
• <filename> is the full file path useable be an SCP login on the target host server.
• <ip> is the IP address of the target host server which owns a copy of the file to be loaded.
The”index of each line above can be used as a “handle” to identify the certificate. If one desires more
detail about a certificate, supply the index of the cert on the command line.
• show root-ca <app>
• Example:
G450Qu-018(super)# show root-ca h248reg 1
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD JITC Root
CA 2
Validity
Not Before: Jul 15 03:31:31 2005 GMT
Not After : Jul 4 03:31:31 2030 GMT
Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD JITC
Root CA 2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b4:48:ca:63:29:78:43:a1:94:65:ac:9c:0a:d2:
77:2b:83:30:df:2f:b3:92:d4:cd:ee:97:8d:ea:47:
56:05:ea:04:f4:31:d8:05:9b:f7:1d:81:38:87:e3:
4a:a0:88:ca:5f:06:38:1c:a7:24:bc:1a:c8:66:29:
51:12:46:49:c9:df:2d:93:12:5e:bb:7a:48:73:e8:
7f:68:27:97:e8:6a:03:bd:52:b1:bc:3e:8e:d3:3c:
b4:00:e5:7e:06:93:db:59:28:d6:26:26:f3:c9:da:
9a:56:f7:15:16:d3:cf:81:b6:70:1b:07:21:a0:f4:
0e:19:03:d8:35:6d:3d:42:61:5b:86:9b:56:24:d0:
The”index of each line above can be used as a “handle” to identify the certificate in order to erase
(delete) the Root-CA certificate referenced ty the ‘index’.
• erase root-ca <app> <index)
• Example:
G450Qu-018(super)# erase root-ca h248reg 1
Done!
G450Qu-018(super)# show root-ca h248reg
Index Issued To Issued By Expires
1 DOD JITC CA-27 DoD JITC Root CA 2 Mar 16 00:00:00
2017 GMT
Done!
The gateway supports a new CLI command group (copy, show, erase) that supports the download of
the Gateway’s Identity certificate from a host server.
• Note that the command must be run as root and will prompt the user for a login/password on the
remote host system.
• The file to be installed must be in PKCS #12 format.
• The encapsulated certificate must contain at least the Identity certificate, and if encoded in PEM
format, it may have an appended trust chain as well.
• When trust chains are embedded, the chain elements must be ordered from low-to-high trust, and
the Identity certificate must be the first element in the file.
• copy scp gw-identity-cert<app> <filename> <ip>
• where <app> is the application directory in which the cert is to be stored.
– Choices are h248reg or sla.
• <filename> is the full file path useable be an SCP login on the target host server.
• <ip> is the IP address of the target host server which owns a copy of the file to be loaded.
• Example: G450Qu-018(super)# copy scp gw-identity-cert h248reg
/home/ldg/jitc_1.p12 172.16.1.252
Username: ldg
Password:
The gateway supports a show command to provide a display dump of the contents of the Gateway’s
Identity certificate.
• show gw-identity-cert<app>
• where <app> is the application directory in which the cert is to be stored.
– Choices are h248reg or sla.
• Example:
The Gateway Identity Certificate Erase command allows the removal of the Identity Cert for a given
application (that supports a TLS connection).
• erase gw-identity-cert <app>
• The enumeration choices for “app” are “h248reg” and “sla”
• Example:
G450Qu-018(super)# erase gw-identity-cert h248reg
Done!
The CRL lookup process may have to access the Internet to access a CDP site to check whether a
certificate has been revoked. If the customer’s enterprise requires a proxy firewall to access the
Internet, then this feature is recommended.
The gateway’s command is as follows:
• set http proxy <ip> [ <port>}
• Where <IP> is the ip address (or hostname) of the proxy server
• <port> is the optionally specified UDP port.
• To disable the feature, ‘set http no-proxy’.
• show http
• This command will show the state of the http proxy
• Example 1:
HTTP Proxy Host: proxyhost
HTTP Proxy Port: 8000
No Proxy
The gateway supports a new CLI command group (show, erase) that supports the ability to display the
CRLs that have been downloaded into the gateway and to erase unnecessary CLRs which have been
download as part of certificate management.
• Show crl [ <index> ]
• where <app> is the application directory in which the cert is to be stored.
– Choices are h248reg or sla.
• <index> refers to an index for this entry in a table (as provided by the ‘show crl’ command.
• All displayed timestamps are GMT-relative
• Example:
This example shows 7 CRLs which have been installed on the gateway. Line #5 is a legal
example of a CRL which has no ‘Issuer Common Name’.
Line #6 displays a file which is not a CRL and may be safely removed.
G450Qu-018(develop)# show crl
• Issuing ‘show crl’ with the <index> argument results in a display of the contents of a given
CRL.
• Example:
G450Qu-018(super)# show crl 2
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/O=Thawte, Inc./CN=Thawte SSL CA
Last Update: Nov 4 21:00:48 2013 GMT
Next Update: Nov 14 21:00:48 2013 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:A7:A2:83:BB:34:45:40:3D:FC:D5:30:4F:12:B9:3E:A1:01:9F:F6:DB
• Issuing ‘erase crl’ with the <index> argument results in the removal of an unwanted CRL from
the list that has been built the gateway’s Certificate Management softward
• Example of ‘show’ and ‘erase’:
G450Qu-018(super)# show crl
• This
Index is the CRL that you are
Issuer-Common-Name about to erase:
Last-Update Next-Update Size
6 bad format CRL file ? ? 5
Do you want to continue (Y/N)? y
Done!
• G450Qu-018(super)#
Now you can use thecrl‘show’ command to review:
show
This Appendix has been provided to guide the user through the steps of loading CA
certificates and Identity certificates onto a CM Server pair.
Note that this pair of servers has an alias DNS name and an alias IP address. In this
example:
– Alias DNS name is “aji-srv.dr.avaya.com”
– Alias IP address is “135.9.138.51”
The DoD customer will employ 3rd party hosted certificates. This means that the
certificates were generated on a pc/workstation that is using an OpenSSL toolkit.
Examples of using this interface will be demonstrated immediately in the following slides.
– Since some customer may require the use of the SubjectAltName field in the CM Identity
certificates, our example will include the specification of this as well.
Finally the CM web server command interface will be illustrated with Screen pictures to
guide the user through downloading certificates onto the primary and the backup servers.
Note that the examples are for loading the “C” repository. Many customers will load this
same CM Identity certificate into the “W” repository as well!
The first step is to create a new key file for the Identity Certificate Signing Request (CSR):
[root@aji-srv2 newcerts]# openssl genrsa -out dupServer.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................+++
.........................................................................................+++
e is 65537 (0x10001)
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=IP:135.9.138.51
The second step (continued from last page) is to create a CSR from this key:
[root@aji-srv2 newcerts]# openssl req -new -key dupServer.key -out dupServer.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Colorado]:
Locality Name (eg, city) [Thornton]:
Organization Name (eg, company) [Avaya]:
Organizational Unit Name (eg, section) [cmcpe]:
Common Name (eg, your name or your server's hostname) []:aji-srv
Email Address []:
The third step is to have this cert file signed. For this example we have used a private root
CA in a lab environment (named dupRootCA.
[root@aji-srv2 newcerts]# openssl x509 -req -in dupServer.csr -extfile
/etc/pki/tls/openssl.cnf -extensions v3_req -CA dupRootCA.pem -CAkey dupRootCA.key -
CAcreateserial -out dupServer.pem -days 1095
Signature ok
subject=/C=US/ST=Colorado/L=Thornton/O=Avaya/OU=cmcpe/CN=aji-srv
Getting CA Private Key
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
IP Address:135.9.138.51
Signature Algorithm: sha1WithRSAEncryption
92:e6:04:96:2f:6f:66:99:8c:e4:80:9a:03:1a:b2:24:65:db:
03:8a:ca:28:ef:38:c1:4e:74:4b:b5:69:ca:be:b7:08:1a:82:
30:3e:11:7d:de:10:50:1b:10:67:b5:23:44:b3:96:c6:f5:38:
f7:85:81:7a:d6:42:75:d4:c9:b7:39:c8:fe:48:e7:58:52:11:
4a:bb:12:5c:fd:89:44:3a:89:ee:a1:3e:71:36:7c:35:04:d9:
89:2c:3d:67:dc:a6:4a:81:8e:76:98:1d:0d:b1:4b:d7:9b:08:
a7:32:1b:55:af:bc:c1:45:16:d3:0f:37:e6:78:3a:eb:b9:41:
a9:4a:81:34:68:b2:d2:e6:2b:ef:f6:03:2b:a0:59:0c:cb:a5:
d1:53:31:bc:8d:28:49:5c:6f:0c:f0:5b:d9:55:28:84:99:0d:
e7:bd:60:d3:ad:58:4c:02:fc:e8:97:5b:d0:3e:24:64:36:b7:
7c:5c:fd:7f:d8:9b:95:7a:24:56:19:fc:c7:e8:d1:36:09:0f:
9b:20:ae:18:13:33:75:62:04:7f:f4:03:21:da:f3:de:87:2c:
87:7a:e0:f7:2a:7a:3e:65:dc:d8:97:ed:a9:8c:25:b0:ed:78:
1e:ac:1e:f9:65:21:21:26:ff:35:36:a4:bc:f2:31:a3:fa:e7:
dd:73:53:39
The fourth step is to create a PKCS12 certificate package for installation on the CM
server.
[root@aji-srv2 newcerts]# openssl pkcs12 -export -out dupServer.pfx -inkey dupServer.key -in
dupServer.pem -certfile dupServer.pem
Enter Export Password:
Verifying - Enter Export Password:
A view of our current file directory has the following files for CA Root and Identity Cert
displayed:
[root@aji-srv2 newcerts]# ls
dupRootCA.key dupRootCA.pem dupRootCA.srl dupServer.csr dupServer.key dupServer.pem
dupServer.pfx
The fifth step is to copy the Root CA pem file and the Identity pkcs12.pfx file into the
following directory on the active CM server
– /var/home/ftp/pub
We must also copy the CM Identity cert file over to the standby CM server in its
/var/home/ftp/pub directory.
Note that there is NO need to copy the root CA cert file to the Standby CM server. This is
copied by CM’s active server, as part of server synchronization, immediately after the CA
cert was installed onto the active CM server.
Now we are at the point of loading the certs. Go to the Active CM’s SMI web page and
vector to Administration>Server Maintenance>Security>Trusted Certificates and press
“Add”.
Type a desired filename for the stored CA file and select “Communication Manager” as the
desired CA application repository. Then select “Add”.
Examples (continued).
3) With TLSSRVRVERIFYID=1: When creating the CM certificate, program the CN to
the CM host name value and set the SubjectAlternateName to blank. Observe that the
H.323 station fails to register and calls can not be completed.
The phone fails to authenticate because it can’t determine the CN Identity. The phone
displays an authentication error message.
4) With TLSSRVRVERIFYID=1: When creating CM certificate, program the CN set to
a CM hostname value which is valid in our DNS system and the SubjectAltName field
set to the IP Address of the CM server. Observe that the H.323 station can register
and can complete calls successfully.
The phone validates based upon the SubjectAltName field.
In the Security screen, select “Certificates” to enter the cert management screen.
In order to create an Identity cert for a CM switch, we first need to register CM with the
Registration Authority (RA). To do this, select “Add End Entity” under the Functions navigation
entry.
Type a “username” and “password”. This password is used to encrypt the PKCS12 file store
which is exchanged (after being signed) and sent from SMGR down to the CM server.
Complete the fields that will be inserted into the certificate signing request:
• E-mail address: labmanager@yourcompany.com
• CN (Common Name): aeshostname.yourcompany.com
• OU (Organization Unit): IT
• O (Organization): Your company name
• L (Locality):Your city
• ST (State or Province): Your state
• C (Country): Your country
In the “Certificate Profile” drop-down menu, enter “ID_Client_Server”.
In the “CA drop-down menu, enter “tmdefaultca”.
In the “Token drop-down menu, enter “P12” file.
Click on the ‘Add’ button.
The top of the page of the system displays the message “End Entity<username> added
successfully”.
An example of this is illustrated on the next slide:
This illustrates an example of the ‘Add End Entity’ screen entry, with all field entries completed.
Enter the username and password of the “End Entity” and click “OK”.
Save the server certificate into a known location on the SMGR file space.
Note: This is the signed server certificate that you have to import into the CM server.
Using the SMGR web console, navigate to the “Public Web” page and click on “Fetch CA
Certificates”.
Click on the url for “Download PEM chain” (on the line starting with “CA certificate Chain”).
Identity cert
Type a desired filename for the stored CA file and select “Communication Manager” as the
desired CA application repository. Then select “Add”.
If you are having any questions during this ‘Add’ process, you may select the “Help” tab. The
SMI interface server will present the following task information: