TLS for SIP Clients; TLS for Remote Device Management - AudioCodes E-SBC User Manual

CHAPTER 14    Security

TLS for SIP Clients

When Secure SIP (SIPS) is implemented using TLS, it is sometimes required to use two-way
(mutual) authentication between the device and a SIP user agent (client). When the device acts as
the TLS server in a specific connection, the device demands the authentication of the SIP client's
certificate. Both the device and the client use certificates from a CA to authenticate each other,
sending their X.509 certificates to one another during the TLS handshake. Once the sender is
verified, the receiver sends its certificate to the sender for verification. SIP signaling starts when
authentication of both sides completes successfully.

TLS mutual authentication can be configured for calls by enabling mutual authentication on the SIP
Interface associated with the calls. The TLS Context associated with the SIP Interface or Proxy
Set belonging to these calls is used.

SIP mutual authentication can also be configured globally for all calls, using the 'TLS
Mutual Authentication' (SIPSRequireClientCertificate) parameter (see Configuring TLS for SIP).

To configure mutual TLS authentication for SIP messaging:
1. Enable two-way authentication on the specific SIP Interface: In the SIP Interfaces table (see
   Configuring SIP Interfaces), configure the 'TLS Mutual Authentication' parameter to Enable for
   the specific SIP Interface.
2. Configure a TLS Context with the following certificates:
   - Import the certificate of the CA that signed the certificate of the SIP client into the Trusted
     Certificates table (certificate root store) so that the device can authenticate the client (see
     Importing Certificates into Trusted Root Certificate Store).
   - Make sure that the TLS certificate is signed by a CA that the SIP client trusts so that the
     client can authenticate the device.

TLS for Remote Device Management

By default, servers using TLS provide one-way authentication. The client is certain that the identity
of the server is authentic. When an organizational PKI is used, two-way authentication may be
desired - both client and server should be authenticated using X.509 certificates. This is achieved
by installing a client certificate on the management PC and loading the root CA's certificate to the
device's Trusted Certificates table (certificate root store). The Trusted Root Certificate file may
contain more than one CA certificate combined, using a text editor.

To enable mutual TLS authentication for HTTPS:
1. On the Web Settings page (see Configuring Secured (HTTPS) Web), configure the 'Secured
   Web Connection (HTTPS)' parameter to HTTPS Only. The setting ensures that you have a
   method for accessing the device in case the client certificate doesn't work. Restore the
   previous setting after testing the configuration.
2. In the TLS Contexts table (see Configuring TLS Certificate Contexts), select the required TLS
   Context row, and then click the Trusted Root Certificates link located below the table; the
   Trusted Certificates table appears.
3. Click the Import button, and then select the certificate file.
4. Wait until the import operation finishes successfully.
5. On the Web Settings page, configure the 'Require Client Certificates for HTTPS connection'
   parameter to Enable.
6. Reset the device with a save-to-flash for your settings to take effect.
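
The section above notes that the Trusted Root Certificate file may hold several CA certificates combined in a text editor. The following is an added example, not taken from the AudioCodes manual, that lints such a file before import; it assumes the file is PEM-encoded, checks PEM framing and fingerprints only (no X.509 parsing), and the names lint_bundle and pem_block and all sample data are constructed for illustration.

```python
import base64
import hashlib
import re

MARKER = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")

def lint_bundle(text):
    """Return (sha256_fingerprints, problems) for a PEM bundle held in a string."""
    fingerprints, problems, label, body = [], [], None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = MARKER.fullmatch(line)
        if m and m.group(1) == "BEGIN" and label is None:
            label, body = m.group(2), []
        elif m and m.group(1) == "END" and label == m.group(2):
            if "PRIVATE KEY" in label:
                problems.append(f"line {n}: private key block, remove it")
            elif label != "CERTIFICATE":
                problems.append(f"line {n}: unexpected block type {label}")
            else:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                    fp = hashlib.sha256(der).hexdigest()
                    if fp in fingerprints:
                        problems.append(f"line {n}: duplicate certificate")
                    else:
                        fingerprints.append(fp)
                except ValueError:
                    problems.append(f"line {n}: body is not valid base64")
            label = None
        elif label is not None and "-----" not in line:
            body.append(line)
        elif line:
            # Typical result of pasting files together without a line break.
            problems.append(f"line {n}: broken marker or stray text")
            label = None
    if label is not None:
        problems.append("unterminated block at end of file")
    return fingerprints, problems

def pem_block(label, data):
    b64 = base64.b64encode(data).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample input: placeholder bytes, not real certificates.
CA_A = pem_block("CERTIFICATE", b"constructed placeholder for root CA A")
CA_B = pem_block("CERTIFICATE", b"constructed placeholder for root CA B")
GOOD = CA_A + CA_B
BAD = CA_A.rstrip("\n") + CA_B  # second file pasted without a line break
```

Import the file only when the problem list is empty and each returned SHA-256 fingerprint matches the value obtained from the issuing CA out of band.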
Mediant 1000 Gateway & E-SBC | User's Manual

This manual is also suitable for:

Mediant 1000b
