TLS Certificate Configuration; TLS Feature Configuration - Dialogic DMG1000 User Manual

Dialogic 1000 and 2000 media gateway series
Data Security
carries SIP data in a secure way by encrypting the data and authenticating the transport
connections. Authentication guarantees that you are talking to the intended peer.

7.3.1 TLS Certificate Configuration

A TLS certificate can be self-signed or certificate authority (CA) signed. A self-signed certificate
can be generated by the Media Gateway. CA signed certificates must be requested by the Media
Gateway and signed by a CA.

When using a self-signed certificate:
• The Media Gateway generates a certificate which will be installed on VoIP devices that will
  communicate with the Media Gateway via TLS.

When using a CA signed certificate:
• The Media Gateway generates a certificate signature request (CSR) to a PC.
• The CSR is used by the CA to create a signed certificate.
• The root certificate of the CA that signed the CSR is uploaded to the Media Gateway along
  with the CA signed certificate.
• The root certificate of the CA that signed the CSR, as well as the signed certificate, are also
  configured into the VoIP devices that will communicate with the Media Gateway via TLS.

The choice between self-signed and CA-signed certificates depends on the system administration
and the desired level of trust within the system. Self-signed certificates are generated by the Media
Gateway, so they do not cost any money and may take less time to install. A self-signed
certificate is simply downloaded from the gateway and installed on the VoIP devices that will
communicate with the Media Gateway via TLS. However, when self-signed certificates are used,
the VoIP device must have a unique certificate installed for each Media Gateway with which it will
communicate. This process could become lengthy if the VoIP device needs to communicate with a
number of Media Gateway units. CA-signed certificates, on the other hand, require time and effort,
since the certificates must be signed by a CA. However, once you have the signed certificate, the
CA root certificate can be used to communicate with multiple Media Gateway units.
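
The trust trade-off described above, as an added example that is not part of the Dialogic manual: it uses the OpenSSL command line on a PC in place of the gateway's own certificate functions and shows what a VoIP device's trust store accepts in each model. The names Lab Root CA, gw1 and gw2 and all file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Lab Root CA, gw1 and gw2 are constructed names, not from the manual.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Self-signed option: each gateway issues its own certificate.
make_self_signed() {   # $1 = gateway name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.self.key" -out "$WORK/$1.self.pem" 2>/dev/null
}

# CA-signed option: the CA's own root certificate.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# CA-signed option: the gateway produces a CSR, then the CA signs it.
make_ca_signed() {     # $1 = gateway name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.signed.pem" 2>/dev/null
}

# What a VoIP device does: accept certificate $2 only if it chains to trust anchor $1.
trusts() {
  openssl verify -CAfile "$WORK/$1" "$WORK/$2" 2>/dev/null | grep -q ': OK$'
}

report() {
  if trusts "$1" "$2"; then echo "$1 -> $2: trusted"; else echo "$1 -> $2: rejected"; fi
}

make_root
for gw in gw1 gw2; do make_self_signed "$gw"; make_ca_signed "$gw"; done

report gw1.self.pem gw1.self.pem   # trusted: gw1's own certificate is installed
report gw1.self.pem gw2.self.pem   # rejected: gw2 needs its own entry on the device
report root.pem gw1.signed.pem     # trusted
report root.pem gw2.signed.pem     # trusted: one root covers every gateway it signed
```

With self-signed certificates the device's trust store grows by one entry per gateway, and each entry must be replaced when that gateway's certificate is regenerated; with a CA the device holds only the root.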

7.3.2 TLS Feature Configuration

TLS has the following configurable features. The values of these configuration parameters can
usually be left as default.
• SNTP Server IP Address - The server from which the Media Gateway gets the current time to
  compare to the expiration date of a certificate. This is how the Media Gateway identifies an
  expired certificate when necessary. Expired certificates are identified by certificate date
  verification. This time-providing server is needed if a TLS certificate date is verified.
• TLS Transport Enabled - This parameter enables use of the TLS protocol and must be set to
  'Yes'.
• TLS Server Port - This is the IP port number to listen on for TLS connection requests. Any
  number between 1024 and 65000 is valid. The default is 5061. If you wish to use a port

Dialogic® 1000 and 2000 Media Gateway Series User's Guide — September 2007
Dialogic Corporation
