Security Certificates; Enabling Security; Trusted Ca Certificate; Server Certificate Data - TANDBERG D14049.04 Administrator's Manual

Tandberg video communications server administrator guide

Security certificates

Overview
For extra security, you may want to have the VCS communicate with other systems (such as LDAP servers, neighbor VCSs, or clients such as SIP endpoints) using TLS encryption.

For this to work successfully in a connection between a client and server:
The server must have a certificate installed that verifies its identity. This certificate must be signed by a Certificate Authority (CA).
The client must trust the CA that signed the certificate used by the server.

The VCS allows you to install appropriate files so that it can act as either a client or a server in connections using TLS. The VCS can also authenticate client connections (typically from a web browser) over HTTPS. You can also upload certificate revocation lists (CRLs) for the CAs used to verify LDAP server and HTTPS client certificates.

For an endpoint to VCS connection, the VCS acts as the TLS server. For a VCS to LDAP server connection, the VCS is a client. For a VCS to VCS connection either VCS may be the client with the other VCS being the TLS server. For HTTPS connections the web browser is the client and the VCS is the server.

TLS can be difficult to configure. For example, when using it with an LDAP server it is recommended that you confirm that your system is working correctly before you attempt to secure the connection with TLS. It is also recommended that you use a third party LDAP browser to verify that your LDAP server is correctly configured to use TLS.

Be careful not to allow your CA certificates or CRLs to expire as this may cause certificates signed by those CAs to be rejected.
For more information on setting up security certificates, refer to the Certificate Creation and Use Deployment Guide [32].
D14049.07
March 2010
To enable certificate security using the web interface: Maintenance > Security certificates. You are taken to the Security certificates page.

Certificate and certificate revocation list (CRL) files can only be loaded via the web interface. They cannot be installed using the CLI.

Trusted CA certificate

This section manages the list of certificates for the Certificate Authorities trusted by this VCS. Certificates presented to the VCS must be signed by a trusted CA on this list and there must be a full chain of trust to the root CA.

To upload a new file of CA certificates, Browse to the required PEM file and click Upload CA certificate. This will replace any previously uploaded CA certificates.

If certificate revocation list checking for TLS encrypted LDAP server connections (for account authentication) is enabled, the necessary PEM encoded CRL data must be included within the trusted CA certificate file.

Click Reset to default CA certificate to replace the currently uploaded file with a default list of trusted CA certificates.

Click Show CA certificate to view the currently uploaded file.

Server certificate data

This section is used to upload the VCS's server certificate. This certificate is used to identify the VCS when it communicates with client systems using TLS encryption, and with web browsers over HTTPS.

Use the Browse buttons to select the server certificate PEM file and the server private key PEM file that corresponds to it. After selecting both files, click Upload server certificate data. The private key must not be password protected.

Click Reset to default server certificate to replace the current server certificate with the VCS's default certificate.

Click Show server certificate to view the currently uploaded server certificate file.
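Two rules stated in the Trusted CA certificate and Server certificate data sections are easy to get wrong before an upload: CRL data for LDAP connections must be inside the trusted CA certificate file, and the server private key must not be password protected. The following Go program is an added example, not TANDBERG code and not part of the VCS; it inspects the PEM files with the standard encoding/pem package before they are uploaded. The sample files are constructed with placeholder base64 bodies rather than real certificates or keys, so the checks are structural (block types and headers), not cryptographic, and the names inspectTrustBundle and checkServerKey are the example's own.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// bundleSummary reports what a PEM file meant for "Upload CA certificate" contains.
type bundleSummary struct {
	Certificates int
	CRLs         int      // LDAP CRL checking only works if this is non-zero
	Unexpected   []string // block types that do not belong in a trust bundle
}

// pemBlocks decodes every PEM block in data, skipping any text between blocks.
func pemBlocks(data []byte) []*pem.Block {
	var blocks []*pem.Block
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			return blocks
		}
		blocks = append(blocks, block)
		data = rest
	}
}

// inspectTrustBundle checks the file that replaces the VCS's whole trusted CA list.
func inspectTrustBundle(data []byte) (bundleSummary, error) {
	var s bundleSummary
	for _, b := range pemBlocks(data) {
		switch b.Type {
		case "CERTIFICATE":
			s.Certificates++
		case "X509 CRL":
			s.CRLs++
		default:
			s.Unexpected = append(s.Unexpected, b.Type)
		}
	}
	if s.Certificates == 0 {
		return s, errors.New("no CERTIFICATE block: uploading this file would leave the VCS with no trusted CAs")
	}
	if len(s.Unexpected) > 0 {
		return s, fmt.Errorf("unexpected block types in trust bundle: %v", s.Unexpected)
	}
	return s, nil
}

// checkServerKey enforces the rule that the server private key must not be password
// protected, rejecting both the legacy OpenSSL form (Proc-Type/DEK-Info headers) and
// the PKCS#8 "ENCRYPTED PRIVATE KEY" form, and requires exactly one key block.
func checkServerKey(data []byte) error {
	keys := 0
	for _, b := range pemBlocks(data) {
		switch {
		case b.Type == "ENCRYPTED PRIVATE KEY":
			return errors.New("PKCS#8 key is encrypted; export it without a passphrase")
		case strings.Contains(b.Headers["Proc-Type"], "ENCRYPTED"):
			return fmt.Errorf("%s is passphrase protected (%s)", b.Type, b.Headers["DEK-Info"])
		case strings.HasSuffix(b.Type, "PRIVATE KEY"):
			keys++
		default:
			return fmt.Errorf("unexpected %s block in the private key file", b.Type)
		}
	}
	if keys != 1 {
		return fmt.Errorf("expected exactly one private key block, found %d", keys)
	}
	return nil
}

// Constructed sample files: the base64 bodies are placeholders, not real certificates or keys.
const (
	goodBundle = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n-----BEGIN X509 CRL-----\nAAAA\n-----END X509 CRL-----\n"
	crlOnly    = "-----BEGIN X509 CRL-----\nAAAA\n-----END X509 CRL-----\n"
	plainKey   = "-----BEGIN EC PRIVATE KEY-----\nAAAA\n-----END EC PRIVATE KEY-----\n"
	pkcs8Enc   = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n"
	legacyEnc  = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"
)

func main() {
	s, err := inspectTrustBundle([]byte(goodBundle))
	fmt.Printf("bundle: %+v err=%v\n", s, err)
	for name, k := range map[string]string{"plain": plainKey, "pkcs8": pkcs8Enc, "legacy": legacyEnc} {
		fmt.Printf("key %-6s: %v\n", name, checkServerKey([]byte(k)))
	}
}
```

Because Upload CA certificate replaces the whole previous list, a file with no CERTIFICATE block is treated as an error rather than as an empty bundle; a legacy OpenSSL encrypted key is recognised by its Proc-Type: 4,ENCRYPTED header and a PKCS#8 one by its ENCRYPTED PRIVATE KEY block type, so both are caught before the upload form ever sees them.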

Enabling security

HTTPS client certificate validation

The Client certificate validation setting controls whether client systems (typically web browsers) that communicate with the VCS over HTTPS have to present a valid client certificate before the connection can be established. Note that a restart is required for changes to this setting to take effect.

If you enable client certificate validation your browser will be able to use the VCS web interface only if it has a valid client certificate that is signed by a CA in the VCS's trusted CA certificate list. Ensure your browser (the client system) has a valid (in date and not revoked by a CRL) client certificate before enabling this feature. You can test if a client certificate is valid by using the client certificate test feature described below. The procedure for uploading a certificate to your browser may vary depending on the browser type and you may need to restart your browser for the certificate to take effect.

Client certificate revocation list (CRL) file

You are recommended to upload CRL data for the CAs that sign the HTTPS client certificates. Note that CRL checking is applied for every CA in the chain of trust.

To upload a PEM encoded CRL file, Browse to the required file and click Upload CRL for client certificates. This will replace any previously uploaded CRL file.

Click Remove revocation list if you want to remove all HTTPS client CRL information from the VCS.

CRL data uploaded here only applies to HTTPS client certificate validation; CRL data intended for validating TLS connections with an LDAP server must be contained within the trusted CA certificate file.

Client certificate test

To verify if a client certificate will be accepted before enabling client certificate validation:
Click Browse to select the required PEM file and then click Test client certificate file. The selected file will be checked against the VCS's trusted CA list and the client certificate revocation list. A success or failure message will be displayed.
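The client certificate test checks a certificate against the trusted CA list and the CRL, and the Overview warns that an expired CA certificate or CRL causes certificates signed by that CA to be rejected. The Go program below is an added example, not TANDBERG code and not the VCS's own implementation; it builds a constructed in-memory PKI with Go's standard crypto/x509 package and applies the same three checks to a client certificate: a chain of trust to a trusted root, a CRL that is signed by the issuer and not yet expired, and a serial number absent from that CRL. The names demoPKI, buildDemoPKI and validateClientCert are the example's own, and the CA is deliberately given a lifetime of one day so that the expiry cases can be exercised.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is a constructed in-memory PKI (no real key material): a trusted root CA,
// a good client certificate, a revoked one, and the CA's CRL.
type demoPKI struct {
	Roots         *x509.CertPool
	Good, Revoked *x509.Certificate
	CRL           []byte // DER-encoded CRL signed by the root CA
	Now           time.Time
}

// must panics on error, which is acceptable when building demo fixtures.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with signer; passing tmpl as its own parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func buildDemoPKI() *demoPKI {
	now := time.Now().UTC()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Demo Trusted CA"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour), // deliberately short-lived
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	client := func(serial int64, cn string) *x509.Certificate {
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, &clientKey.PublicKey, caKey)
	}
	// The CA's CRL lists serial 3 and is valid for six hours only.
	crl := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now.Add(-time.Minute),
		NextUpdate:          now.Add(6 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(3), RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &demoPKI{Roots: roots, Good: client(2, "admin-browser"), Revoked: client(3, "lost-laptop"), CRL: crl, Now: now}
}

// validateClientCert applies the checks the client certificate test performs: a full chain
// of trust to a trusted root (which also enforces leaf and CA expiry), a CRL signed by the
// issuer and not yet expired, and a leaf serial absent from that CRL.
func validateClientCert(leaf *x509.Certificate, roots *x509.CertPool, crlDER []byte, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("chain of trust: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the leaf's issuer
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired at %s: certificates from this CA are rejected until a fresh CRL is uploaded", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %v is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

func main() {
	pki := buildDemoPKI()
	fmt.Println("good:      ", validateClientCert(pki.Good, pki.Roots, pki.CRL, pki.Now))
	fmt.Println("revoked:   ", validateClientCert(pki.Revoked, pki.Roots, pki.CRL, pki.Now))
	fmt.Println("stale CRL: ", validateClientCert(pki.Good, pki.Roots, pki.CRL, pki.Now.Add(8*time.Hour)))
	fmt.Println("expired CA:", validateClientCert(pki.Good, pki.Roots, pki.CRL, pki.Now.Add(48*time.Hour)))
}
```

The stale CRL case is the one the Overview warns about: eight hours on, the client certificate and the CA are both still within their validity periods, yet the certificate is rejected solely because the CRL's next update time has passed. The expired CA case fails earlier, at the chain of trust step, before the CRL is even consulted.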