Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-1593668.1
Update Date:2017-05-09
Keywords:

Solution Type: Technical Instruction Sure

Solution 1593668.1: How to Configure Mutually Authenticated Transport Layer Security on the Session Director


Related Items
  • Acme Packet 4500
Related Categories
  • PLA-Support>Sun Systems>CommsGBU>Session Delivery Network>SN-SND: Acme Service Provider




In this Document
Goal
Solution


Applies to:

Acme Packet 4500 - Version S-Cx6.3.0 and later
Acme Packet OS

Goal

This document describes the procedure for configuring mutually authenticated TLS on the Session Director (SD).

Solution

  1. Order and install (if not already present) SSM / SSM2 daughter cards for each SD
  2. Create a certificate record for the SD in the security > certificate-record configuration level, e.g.

    certificate-record
    name SD-END-ENTITY  --------> any name you prefer
    country US
    state MA
    locality Burlington
    organization CSE
    common-name PSTN-SBC.selab.com  --------> this has to match the IP/host of the sip-interface
    key-size 1024
    trusted enabled

  3. Create a certificate record for the Certificate Authority in the security config level, e.g.

    certificate-record
    name CA-ROOT   
    country US
    state MA
    locality Burlington
    organization CSE
    key-size 1024
    trusted enabled

  4. Create a tls-profile in the security config level that references the certificate records e.g.

    tls-profile
    name SD-LCS
    end-entity-certificate SD-END-ENTITY
    trusted-ca-certificates CA-ROOT
    cipher-list ALL
    verify-depth 10
    mutual-authenticate enabled

  5. Create a sip-interface which references the tls-profile above and has transport set to TLS e.g.

    sip-interface
    state enabled
    realm-id core-lcs
    sip-port
    address 172.16.0.100
    port 5061
    transport-protocol TLS
    tls-profile SD-LCS
    allow-anonymous registered

  6. Create a session-agent for the TLS enabled next-hop device with transport dynamic-TLS e.g.

    session-agent
    hostname SELAB-LCS.selab.com
    ip-address 172.16.0.10
    port 5061
    state enabled
    app-protocol SIP
    app-type
    transport-method DynamicTLS
    realm-id core-lcs
    description TLS LCS

  7. Generate an end entity certificate request from the ACLI e.g.
    SD# generate-certificate-request SD-END-ENTITY
     
  8. Copy the output and provide it to the CA, which will issue the end entity certificate and also provide its root CA certificate
  9. Import the CA root certificate with the ACLI command:
    SD# import-certificate try-all CA-ROOT
     
    Paste in the contents of the root CA certificate when prompted
  10. Import the end entity certificate with the ACLI command:
    SD# import-certificate try-all SD-END-ENTITY
     
    Paste in the contents of the end entity certificate when prompted
  11. Save and activate
  12. "show certificates [brief|detail] certificate-record" lists all certificates loaded on the SD
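The following consistency audit is an added example and is not part of this document or of the Acme Packet ACLI. It parses a constructed running-config excerpt that mirrors steps 2 to 5 above and reports the misconfigurations that silently defeat mutual authentication: a tls-profile without mutual-authenticate enabled, a certificate reference with no matching certificate-record, or a TLS sip-interface that points at an undefined tls-profile.

```python
# Added example (not an ACLI tool): audit an Acme Packet SD running-config excerpt
# for consistent mutual-TLS wiring. CONFIG is constructed to mirror this document.
from collections import defaultdict

CONFIG = """\
certificate-record
    name SD-END-ENTITY
certificate-record
    name CA-ROOT
tls-profile
    name SD-LCS
    end-entity-certificate SD-END-ENTITY
    trusted-ca-certificates CA-ROOT
    mutual-authenticate enabled
sip-interface
    realm-id core-lcs
    sip-port
        transport-protocol TLS
        tls-profile SD-LCS
"""

def parse_acli(text):
    """Group each unindented element name with its indented 'key value' lines (sub-elements flattened)."""
    elements, current = defaultdict(list), None
    for line in filter(str.strip, text.splitlines()):
        if line[0] not in " \t":                      # unindented line starts a new element
            current = {}
            elements[line.strip()].append(current)
        else:
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip()
    return elements

def audit_mtls(text):
    """Return findings as strings; an empty list means the mTLS references are consistent."""
    cfg, findings = parse_acli(text), []
    records = {r.get("name") for r in cfg["certificate-record"]}
    profiles = {p.get("name"): p for p in cfg["tls-profile"]}
    for name, prof in profiles.items():
        if prof.get("mutual-authenticate") != "enabled":
            findings.append(f"tls-profile {name}: mutual-authenticate is not enabled")
        for field in ("end-entity-certificate", "trusted-ca-certificates"):
            for ref in filter(None, prof.get(field, "").split(",")):
                if ref not in records:
                    findings.append(f"tls-profile {name}: {field} {ref} has no certificate-record")
    for si in cfg["sip-interface"]:
        if si.get("transport-protocol") == "TLS" and si.get("tls-profile") not in profiles:
            findings.append(f"sip-interface {si.get('realm-id')}: tls-profile {si.get('tls-profile')} is not defined")
    return findings
```

Run `audit_mtls` over the text of `show running-config` after step 11; the same checks apply before pasting the configuration into a second SD.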
Notes:
  • Wireshark decodes the certificate exchange well if you "decode-as" SSL on the TLS port
  • SD-side debugging output is written to log.sipd

  Copyright © 2018 Oracle, Inc.  All rights reserved.