Mutual Tls Authentication - AudioCodes Mediant 1000 User Manual
Voip media gateways, sip protocol
Hide thumbs
Also See for Mediant 1000:
- User manual (1195 pages) ,
- Hardware installation manual (84 pages) ,
- Installation manual (76 pages)
Table of Contents
Advertisement
SIP User's Manual
8.3
Mutual TLS Authentication
By default, servers using TLS provide one-way authentication. The client is certain that the
identity of the server is authentic. When an organizational PKI is used, two-way
authentication may be desired - both client and server should be authenticated using X.509
certificates. This is achieved by installing a client certificate on the managing PC and
loading the root CA's certificate to the device's Trusted Root Certificate Store. The Trusted
Root Certificate file may contain more than one CA certificate combined, using a text
editor.
Since X.509 certificates have an expiration date and time, the device must be configured to
use NTP (see 'Simple Network Time Protocol Support' on page 95) to obtain the current
date and time. Without the correct date and time, client certificates cannot work.
To enable mutual TLS authentication for HTTPS:
1.
Set the 'Secured Web Connection (HTTPS)' field to HTTPS Only (see 'Configuring
Web Security Settings' on page 69) to ensure you have a method for accessing the
device in case the client certificate does not work. Restore the previous setting after
testing the configuration.
2.
Open the Certificates page (see 'Replacing Device Certificate' on page 89).
3.
In the Upload certificate files from your computer group, click the Browse button
corresponding to the 'Send Trusted Root Certificate Store ...' field, navigate to the file,
and then click Send File.
4.
When the operation is complete, set the 'Requires Client Certificates for HTTPS
connection' field to Enable (see 'Configuring Web Security Settings' on page 69).
5.
Save the configuration with a device reset (see 'Saving Configuration' on page 482).
When a user connects to the secured Web interface of the device:
If the user has a client certificate from a CA that is listed in the Trusted Root Certificate
file, the connection is accepted and the user is prompted for the system password.
If both the CA certificate and the client certificate appear in the Trusted Root
Certificate file, the user is not prompted for a password (thus, providing a single-sign-
on experience - the authentication is performed using the X.509 digital signature).
If the user does not have a client certificate from a listed CA or does not have a client
certificate, the connection is rejected.
Notes:
Version 6.4
•
The process of installing a client certificate on your PC is beyond the
scope of this document. For more information, refer to your operating
system documentation, and/or consult your security administrator.
•
The root certificate can also be loaded via the Automatic Update facility,
using the HTTPSRootFileName ini file parameter.
•
You can enable Online Certificate Status Protocol (OCSP) on the device
to check whether a peer's certificate has been revoked by an OCSP
server. For more information, refer to the Product Reference Manual.
93
8. Configuring Certificates
March 2012
- Quick Links:
- Mediant 1000
Hide quick links:
Advertisement
Table of Contents
