AudioCodes Mediant 2000 User Manual page 108
Media sip gateway
Hide thumbs
Also See for Mediant 2000:
- User manual (702 pages) ,
- Installation manual (44 pages) ,
- Hardware installation manual (30 pages)
Table of Contents
Advertisement
3.4.6.4.2 Client Certificates
By default, Web servers using SSL provide one-way authentication. The client is certain
that the information provided by the Web server is authentic. When an organizational PKI is
used, two-way authentication may be desired: both client and server should be
authenticated using X.509 certificates. This is achieved by installing a client certificate on
the managing PC, and loading the same certificate (in base64-encoded X.509 format) to
the device's Trusted Root Certificate Store. The Trusted Root Certificate file should contain
both the certificate of the authorized user and the certificate of the CA.
Since X.509 certificates have an expiration date and time, the device must be configured to
use NTP (refer to ''Simple Network Time Protocol Support'' on page 383) to obtain the
current date and time. Without the correct date and time, client certificates cannot work.
To enable two-way client certificates, take these 5 steps:
Set the parameter 'Secured Web Connection (HTTPS)' to 'HTTPS Only' (0) in
1.
''Configuring the General Security Settings'' on page
of accessing the device in case the client certificate doesn't work. Restore the previous
setting after testing the configuration.
Open the 'Certificates Signing Request' page (refer to ''Server Certificate
2.
Replacement'' on page 105).
In the 'Certificates Files' group, click the Browse button corresponding to 'Send
3.
"Trusted Root Certificate Store" file ...', navigate to the file, and then click Send File.
When
4.
HTTPSRequireClientCertificates to 1.
Save the configuration (refer to ''Saving Configuration'' on page 230), and then restart
5.
the device.
When a user connects to the secured Web server:
If the user has a client certificate from a CA that is listed in the Trusted Root Certificate
file, the connection is accepted and the user is prompted for the system password.
If both the CA certificate and the client certificate appear in the Trusted Root Certificate
file, the user is not prompted for a password (thus, providing a single-sign-on
experience - the authentication is performed using the X.509 digital signature).
If the user doesn't have a client certificate from a listed CA, or doesn't have a client
certificate at all, the connection is rejected.
Notes:
SIP User's Manual
the
operation
is
•
The process of installing a client certificate on your PC is beyond the
scope of this document. For more information, refer to your Web browser
or operating system documentation, and/or consult your security
administrator.
•
The root certificate can also be loaded via ini file using the parameter
HTTPSRootFileName.
•
You can enable Online Certificate Status Protocol (OCSP) on the device
to check whether a peer's certificate has been revoked by an OCSP
server. For further information, refer to the Product Reference Manual.
109
complete,
set
the
108
Mediant 2000
to ensure you have a method
file
parameter
ini
Document #: LTRT-68808
Advertisement
Table of Contents
