Mutual Tls Authentication - AudioCodes Mediant 800B User Manual

Enterprise session border controller analog & digital voip media gateway
9.3 Mutual TLS Authentication

By default, servers using TLS provide one-way authentication: the client is certain that the identity of the server is authentic, but the server does not verify the client. When an organizational PKI is used, two-way authentication may be desired, so that both client and server are authenticated using X.509 certificates. This is achieved by installing a client certificate on the managing PC and loading the root CA's certificate to the device's Trusted Root Certificate Store. The Trusted Root Certificate file may contain more than one CA certificate, concatenated in a text editor.
Since X.509 certificates have an expiration date and time, the device must be configured to use NTP (see 'Simple Network Time Protocol Support' on page 97) to obtain the current date and time. Without the correct date and time, client certificate validation fails and client certificates cannot work.
To enable mutual TLS authentication for HTTPS:
1. Set the 'Secured Web Connection (HTTPS)' field to HTTPS Only (see 'Configuring Web Security Settings' on page 63) to ensure you have a method for accessing the device in case the client certificate does not work. Restore the previous setting after testing the configuration.
2. Open the Certificates page (see 'Replacing the Device's Certificate' on page 91).
3. In the Upload certificate files from your computer group, click the Browse button corresponding to the 'Send Trusted Root Certificate Store ...' field, navigate to the file, and then click Send File.
4. When the operation is complete, set the 'Requires Client Certificates for HTTPS connection' field to Enable (see 'Configuring Web Security Settings' on page 63).
5. Save the configuration with a device reset (see 'Saving Configuration' on page 530).
When a user connects to the secured Web interface of the device:
If the user has a client certificate from a CA that is listed in the Trusted Root Certificate file, the connection is accepted and the user is prompted for the system password.
If both the CA certificate and the client certificate appear in the Trusted Root Certificate file, the user is not prompted for a password (thus, providing a single-sign-on experience; the authentication is performed using the X.509 digital signature).
If the user does not have a client certificate from a listed CA or does not have a client certificate, the connection is rejected.
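The following is an added shell example, not AudioCodes' own procedure or tooling, showing how a practitioner would prepare the Trusted Root Certificate Store file with the openssl command-line tool and sanity-check it before uploading it in step 3: it concatenates several CA certificates into one PEM file, checks that a client certificate chains to a CA in that file, and evaluates the same certificate at a future clock time to show why a device without correct NTP time rejects otherwise valid client certificates. Every CA, key and certificate here ('Lab Root CA A', 'admin-pc' and so on) is constructed throwaway test material generated when the script runs.

```shell
#!/bin/sh
# Added example, not AudioCodes' tooling: prepare and sanity-check the
# Trusted Root Certificate Store file before uploading it to the device.
# It builds the single PEM file from several CA certificates, then checks
# that a client certificate chains to one of those CAs and is inside its
# validity period, which is what the device checks once NTP gives it the
# correct time. Every CA, certificate and name ("Lab Root CA A", "admin-pc",
# ...) is constructed throwaway test material generated on the spot.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME PREFIX: self-signed test CA, one-year validity (constructed).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

# make_client CN CAPREFIX PREFIX DAYS: client certificate issued by that CA.
make_client() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days "$4" -in "$3.csr" \
        -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -out "$3.pem" >/dev/null 2>&1
}

# build_trust_store OUT CA.pem...: concatenate CA certificates into the one
# PEM file the device expects. Re-emitting each through openssl x509 keeps
# only the certificate block, so no stray editor text ends up in the store.
build_trust_store() {
    out="$1"; shift
    : > "$out"
    for ca in "$@"; do
        openssl x509 -in "$ca" >> "$out"
    done
}

# count_certs FILE: number of certificates in a PEM bundle.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_client STORE CERT [EPOCH]: succeeds only if CERT chains to a CA in
# STORE and is valid at EPOCH (default: the current clock). Evaluating at a
# chosen time shows why a device with a wrong clock rejects good certificates.
verify_client() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -attime "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# report STORE CERT [EPOCH]: human-readable accept/reject line.
report() {
    if verify_client "$@"; then
        echo "$2: accepted (chains to a CA in $1)"
    else
        echo "$2: rejected (no trusted CA in $1, or outside validity period)"
    fi
}

demo() {
    cd "$WORK"
    make_ca "Lab Root CA A" ca_a
    make_ca "Lab Root CA B" ca_b
    make_ca "Lab Untrusted CA" ca_x
    make_client "admin-pc" ca_b client_ok 30    # 30-day client certificate
    make_client "other-pc" ca_x client_bad 30   # issued by a CA we do not trust

    build_trust_store trusted_root_store.pem ca_a.pem ca_b.pem
    echo "trusted_root_store.pem holds $(count_certs trusted_root_store.pem) CA certificates"

    report trusted_root_store.pem client_ok.pem
    report trusted_root_store.pem client_bad.pem

    # Same good certificate evaluated with a clock 60 days ahead: it has
    # expired, exactly as it would on a device whose clock has drifted.
    openssl x509 -in client_ok.pem -noout -enddate
    report trusted_root_store.pem client_ok.pem "$(( $(date +%s) + 60 * 86400 ))"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; skipping demo" >&2
fi
```

openssl verify only reproduces the chain and validity-period checks; the device's password prompt, the single-sign-on path for a client certificate that itself appears in the store, and any OCSP revocation check are device features not modelled here. Running the same check on the real bundle and a real client certificate before uploading avoids locking yourself out with a store that does not actually contain the issuing CA.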
Notes:
The process of installing a client certificate on your PC is beyond the scope of this document. For more information, refer to your operating system documentation, and/or consult your security administrator.
The root certificate can also be loaded via the Automatic Update facility, using the HTTPSRootFileName ini file parameter.
You can enable the device to check whether a peer's certificate has been revoked by an Online Certificate Status Protocol (OCSP) server (see 'Configuring Certificate Revocation Checking (OCSP)' on page 95).
9.4 Self-Signed Certificates
The device is shipped with an operational, self-signed server certificate. The subject name for this default certificate is 'ACL_nnnnnnn', where nnnnnnn denotes the serial number of the device. However, this subject name may not be appropriate for production and can be changed while still using self-signed certificates.
Mediant 800B GW & E-SBC
Document #: LTRT-10274
