MITEL 6900, 6970, 6800, AND 6700 SIP TERMINALS FOR MIVOICE MX-ONE
77 26/1531-ANF 901 14 Uen S 2019-10-18
21 APPENDIX
21.1 TELEWORKER WITH PERSISTENT MUTUAL TLS (MTLS)
Please note that persistent mutual TLS is the default method when MiVoice Border
Gateway (MBG) is used as the SBC.
Reference http://en.wikipedia.org/wiki/Transport_Layer_Security
Any TLS will encrypt the SIP signaling to prevent eavesdropping. However, if the simple
TLS handshake used in 'persistent TLS' is used, only the server is authenticated by its
certificate (this is the method used in chapter 19.5 "How to enable security for home
worker on Mitel 6700, 6800 and 6900"). In a client-authenticated TLS handshake (also
referred to as mutual TLS), the server requests that the client authenticate itself with
its certificate as well. In 'persistent mutual TLS' the client performs a client-authenticated
TLS handshake, and the client keeps the TLS session open as long as the phone
is registered (logged on).
Why go to the effort of creating both a server certificate and a client certificate? The
SBC, which is the access point for traffic from a teleworker (perhaps working from home)
and is configured for client-authenticated TLS, will only allow clients (phones) that
offer the expected client certificate in the handshake. This is a way to block
unwanted registration attempts early. If a registration reaches the MX-ONE, the only
check would be to require a password for the registering directory number, which is
recommended anyway. Also check the SBC manual for other ways to block or allow
traffic.
21.1.1 CREATE PERSISTENT MTLS USING AN ENTERPRISE CA (OPENSSL) TO SIGN BOTH SERVER AND CLIENT CERTIFICATE AND CONFIGURE THE SBC
Prerequisites: OpenSSL on the Linux server acting as the enterprise CA. In this
example you will sign certificates. Be careful with the root password of this server, as
the CA can sign any TLS certificate request. This chapter shows how to sign certificates.
Note: This is an example valid for the Ingate SBC.
For MiVoice Border Gateway (MBG), follow the application note "MiVoice
Border Gateway (MBG) - How to configure Teleworker 68xxi with MX-ONE" in
the CPI library.
Use your own passwords. In a shell (as root), do the following.
1. Create the directory structure:
   >cd /etc/pki (or wherever the certs should live)
   >mkdir sbc
   >cd sbc
   >mkdir private
   >chmod 0700 private
   >echo "01" > serial
2. Create a CA:
   >openssl genrsa -aes256 -out private/cakey.pem 1024 [password: test]
   >openssl req -new -x509 -days 3650 -key private/cakey.pem -out CA.pem -set_serial 1 [answer cert questions accordingly]
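The following script is an added example and not the manual's own steps. It carries the procedure above through to the point the text in 21.1 describes: it builds an enterprise CA as in step 2, signs one server certificate for the SBC and one client certificate for a phone, and then checks which certificates chain to that CA, which is the check an SBC configured for client-authenticated TLS performs before it lets a registration through. The organisation name, the host name sbc.example.invalid, the file names and the "rogue" certificate from an unrelated CA are all constructed for the demo. It deviates from the manual in two labelled ways: keys are 2048-bit rather than 1024-bit, and the CA key has no passphrase so the script runs non-interactively.

```shell
#!/bin/sh
# Added example (not the Mitel manual's commands): build a small enterprise CA,
# sign a server and a client certificate, and check which certificates the CA
# accepts. All names and paths are constructed for the demo.
# Deviations from the manual: 2048-bit keys, and no passphrase on the CA key
# (assumption made so the script runs unattended; protect a real CA key).
set -eu

# make_pki DIR: create CA, SBC server cert, phone client cert and a "rogue"
# certificate issued by an unrelated CA, all inside DIR.
make_pki() {
  dir=$1
  mkdir -p "$dir/private"
  chmod 0700 "$dir/private"

  # Step 1/2 of the manual: enterprise CA key and self-signed root (serial 1)
  openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/private/cakey.pem" \
    -set_serial 1 -subj "/O=Example Corp/CN=Example Enterprise CA" \
    -out "$dir/CA.pem"

  # Server certificate for the SBC: this is what the phone authenticates
  openssl genrsa -out "$dir/private/sbc.key" 2048 2>/dev/null
  openssl req -new -key "$dir/private/sbc.key" \
    -subj "/O=Example Corp/CN=sbc.example.invalid" -out "$dir/sbc.csr"
  printf 'extendedKeyUsage = serverAuth\n' > "$dir/server.ext"
  openssl x509 -req -in "$dir/sbc.csr" -CA "$dir/CA.pem" \
    -CAkey "$dir/private/cakey.pem" -set_serial 2 -days 365 \
    -extfile "$dir/server.ext" -out "$dir/sbc.pem" 2>/dev/null

  # Client certificate for the phone: this is what the SBC authenticates
  # in a client-authenticated (mutual) TLS handshake
  openssl genrsa -out "$dir/private/phone.key" 2048 2>/dev/null
  openssl req -new -key "$dir/private/phone.key" \
    -subj "/O=Example Corp/CN=phone-1234" -out "$dir/phone.csr"
  printf 'extendedKeyUsage = clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -in "$dir/phone.csr" -CA "$dir/CA.pem" \
    -CAkey "$dir/private/cakey.pem" -set_serial 3 -days 365 \
    -extfile "$dir/client.ext" -out "$dir/phone.pem" 2>/dev/null

  # A certificate from an unrelated CA: stands in for a client the SBC
  # should reject before the registration ever reaches the MX-ONE
  openssl req -new -x509 -days 365 -newkey rsa:2048 -nodes \
    -keyout "$dir/private/rogue.key" -subj "/CN=rogue-phone" \
    -out "$dir/rogue.pem" 2>/dev/null
}

# cert_accepted CA CERT: exit 0 if CERT chains to CA (the check an SBC
# configured for client-authenticated TLS applies), non-zero otherwise.
cert_accepted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_is_client CERT: exit 0 if the certificate carries the clientAuth EKU,
# i.e. it was issued for use as a client certificate.
cert_is_client() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Client Authentication'
}

# Demo run: build the PKI in a temporary directory and report the outcome.
demo_dir=$(mktemp -d)
make_pki "$demo_dir"
for c in sbc.pem phone.pem rogue.pem; do
  if cert_accepted "$demo_dir/CA.pem" "$demo_dir/$c"; then
    echo "$c: chains to the enterprise CA"
  else
    echo "$c: rejected (not issued by the enterprise CA)"
  fi
done
rm -rf "$demo_dir"
```

Only the two certificates signed by the enterprise CA pass cert_accepted; the rogue certificate fails even though it is a perfectly valid self-signed certificate, which is exactly why the manual recommends mutual TLS at the SBC rather than relying on the MX-ONE password check alone. In a real deployment the CA key would be generated with -aes256 and a passphrase as in step 2 of the manual, and sbc.pem plus CA.pem would be installed on the SBC while phone.pem goes to the phone.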