Mutual TLS Authentication
For more information on digital certificates, refer to
http://www.ietf.org/html.charters/pkix-charter.html
http://www.ietf.org/rfc/rfc2459.txt
To determine if there is a digital certificate on a SoundPoint IP, SoundStation IP,
or Polycom VVX phone:
1. Press the Menu key, and then select Status > Platform > Phone.
2. Scroll down to the bottom of the screen.
One of three messages will be displayed:
— "Device Certificate: Installed" is displayed if the certificate is available
in flash memory, all the certificate fields (listed above) are valid, and
the certificate has not expired.
— "Device Certificate: Not Installed" is displayed if the certificate is not
available in flash memory (or the flash memory location where the
device certificate is to be stored is blank).
— "Device Certificate: Invalid" is displayed if the certificate is not valid
(if any of the fields listed above are not correct).
Mutual Transport Layer Security (TLS) authentication is a process in which
both entities in a communications link authenticate each other. In a network
environment, the phone authenticates the server and vice versa. In this way,
phone users can be assured that they are doing business exclusively with
legitimate entities and servers can be certain that all would-be users are
attempting to gain access for legitimate purposes.
This feature requires that the phone being used has a Polycom
factory-installed device certificate. Refer to the previous section,
Certificates.
Prior to SIP 3.2, and in cases where the phones do not have factory-installed
device certificates, the phone will authenticate to the server as part of the TLS
authentication, but the server cannot cryptographically authenticate the
phone. This is sometimes referred to as Server Authentication or single-sided
Authentication.
Mutual TLS authentication is optional and is initiated by the server. When the
phone acts as a TLS client and the server is configured to require mutual TLS,
the server will request, and then validate the client certificate during the
handshake. If the server is configured to require mutual TLS, a device
certificate and an associated private key must be loaded on the phone.
The digital certificate, stored on the phone, is used by:
• HTTPS device configuration, if the server is configured for Mutual
Authentication
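The two server modes described above (server authentication only versus mutual TLS) and a per-phone check on the verified certificate, as an added example that is not Polycom code. It uses Python's standard `ssl` module as a stand-in provisioning server; the function names, the sample certificate, and the assumptions that the device certificate's CN is the phone's MAC address and that per-phone files are named `<mac>.cfg` are illustrative.

```python
import re
import ssl


def provisioning_context(require_phone_cert, server_cert=None, server_key=None, phone_ca=None):
    """Build the TLS context for an HTTPS provisioning server.

    require_phone_cert=False: server authentication only; the phone is not authenticated.
    require_phone_cert=True:  mutual TLS; the handshake fails unless the phone presents
    a certificate that chains to a CA in phone_ca.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if server_cert:  # the server's own certificate and private key
        ctx.load_cert_chain(server_cert, server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_phone_cert else ssl.CERT_NONE
    if require_phone_cert and phone_ca:  # CA that issued the device certificates
        ctx.load_verify_locations(cafile=phone_ca)
    return ctx


def common_name(peercert):
    """Return the subject CN from an SSLSocket.getpeercert() dict, or None."""
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _mac(text):
    """Lower-case a MAC address and drop separators such as ':' or '-'."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def may_fetch(peercert, requested_file):
    """Allow <mac>.cfg only to the phone whose verified certificate carries that MAC.

    Assumption: the device certificate's CN is the phone's MAC address.
    """
    cn = common_name(peercert)
    match = re.fullmatch(r"([0-9A-Fa-f]{12})\.cfg", requested_file)
    if not cn or not match or len(_mac(cn)) != 12:
        return False
    return _mac(cn) == _mac(match.group(1))


# Constructed sample: the shape getpeercert() returns after a verified handshake.
SAMPLE_PEERCERT = {"subject": ((("organizationName", "Example Org"),),
                               (("commonName", "0004F2ABCDEF"),))}
```

With `require_phone_cert=False` the server never sees a client certificate, so `getpeercert()` returns `None` and `may_fetch` denies every per-phone file.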
Configuring Your System