Version 6.8 97 Mediant 2600 E-SBC
User's Manual 10. Configuring SSL/TLS Certificates
2. Configure a TLS Context with the following certificates:
• Import the certificate of the CA that signed the certificate of the SIP client, into the
Trusted Root Store so that the device can authenticate the client (see 'Importing
Certificates and Certificate Chain into Trusted Certificate Store' on page 95).
• Make sure that the TLS certificate is signed by a CA that the SIP client trusts so
that the client can authenticate the device.
10.1.7.2 TLS for Remote Device Management
By default, servers using TLS provide one-way authentication. The client is certain that the
identity of the server is authentic. When an organizational PKI is used, two-way
authentication may be desired - both client and server should be authenticated using X.509
certificates. This is achieved by installing a client certificate on the management PC and
loading the root CA's certificate to the device's Trusted Root Certificate Store. The Trusted
Root Certificate file may contain more than one CA certificate combined, using a text
editor.
To enable mutual TLS authentication for HTTPS:
1. Set the 'Secured Web Connection (HTTPS)' field to HTTPS Only in the Web Security
Settings page (see Configuring Web Security Settings on page 58) to ensure you have
a method for accessing the device in case the client certificate does not work. Restore
the previous setting after testing the configuration.
2. Open the TLS Contexts page (Configuration tab > System menu > TLS Contexts).
3. In the TLS Contexts table, select the required TLS Context index row, and then click
the Context Trusted-Roots button, located at the bottom of the TLS Contexts
page; the Trusted Certificates page appears.
4. Click the Import button, and then select the certificate file.
5. When the operation is complete, set the 'Requires Client Certificates for HTTPS
connection' field to Enable in the Web Security Settings page.
6. Save the configuration with a device reset (see Saving Configuration).
When a user connects to the secured Web interface of the device:
If the user has a client certificate from a CA that is listed in the Trusted Root Certificate
file, the connection is accepted and the user is prompted for the system password.
If both the CA certificate and the client certificate appear in the Trusted Root
Certificate file, the user is not prompted for a password (thus, providing a single-sign-
on experience - the authentication is performed using the X.509 digital signature).
If the user does not have a client certificate from a listed CA or does not have a client
certificate, the connection is rejected.
Notes:
• The process of installing a client certificate on your PC is beyond the scope of this
document. For more information, refer to your operating system documentation,
and/or consult your security administrator.
• The root certificate can also be loaded via the Automatic Update facility, using the
HTTPSRootFileName ini file parameter.
• You can enable the device to check whether a peer's certificate has been revoked
by an OCSP server, per TLS Context (see 'Configuring TLS Certificate Contexts'
on page 87).
To Next Page
Loading...
