SBCE TLS Procedure

Uploaded by

Daniel Sepulveda

Session Border Controller for Enterprise

TLS-SHA2 Certificate deployment


Deploying Third-Party CA Identity Certificates
• Leverage the OpenSSL utility to generate a Certificate Signing Request and private key.
  – Edit the OpenSSL default configuration file to include certificate extension attributes not available via the OpenSSL interactive prompt.
  – The following command generates the keys and a corresponding CSR.
• Get the CSR signed by the CA.
• Package the signed identity certificate and private key into a PKCS#12 archive.
• Install the third-party trusted root certificate.
• Import the PKCS#12 file and install the third-party signed identity certificate (key import password required).
© 2012 Avaya Inc. All rights reserved. 2
SMGR Self-Signed CA
• Efficient and cost-effective for phones, but requires certificate installation in the trusted store of the computing device.
Pros:
• Works “out of the box”.
• Independent PKI root for the VoIP solution.
• Highly efficient trust management of Avaya Aura elements.
• Consolidates VoIP management functions with the VoIP PKI function.
Cons:
• Yet another PKI (for telecom) to manage.
• Certificates lack enterprise branding.
• Trusted root certificate is not distributed to computing devices.


System Manager as a Certificate Authority (CA)

• System Manager is by default a Root CA (self-signed root certificate) or can be set up as a Sub-CA (from a third-party Certificate Authority).
• Uses a third-party open source application, Enterprise Java Beans Certificate Authority (EJBCA), to issue identity and trusted certificates to applications through the Simple Certificate Enrollment Protocol (SCEP).
• System Manager Trust Management provisions and manages certificates of various applications, such as servers and devices, enabling the applications to have secure inter-element communication.
• System Manager generates certificates using SHA2 as the signing algorithm and 2048 bits as the default key size.


Certificate Generation Capabilities in SMGR

Option A: Generating a PKCS#12 file including a signed certificate and private key directly from the SMGR UI.
• For products with PKCS#12 keystore import functionality.
  1. Create an end entity with the certificate parameters.
  2. Generate a PKCS#12 format keystore with the identity certificate containing the values given in the end entity.

Option B: Creating a signed certificate directly from the SMGR UI using a CSR.
• For products generating the keys on their end and having the certificate signed by the SMGR CA.
  1. Create an end entity with the certificate parameters.
  2. Sign the given CSR and generate a PEM formatted certificate containing the values given in the end entity.


TLS Certificate Management on ASBCE

On SBCE, we can deploy an identity certificate in two ways.

By using the Generate CSR method: in this method we generate the CSR from the EMS GUI and get the certificate signed by SMGR-CA or any third-party CA, e.g. Verisign.

Deploying an identity certificate on SBCE (the easy way to deploy a certificate on SBCE): in this method we generate the CSR on any machine using openssl and get it signed by any third party, or, if we are using SMGR-CA, we create the certificate and private key there.


Method 1: By using the Generate CSR Method on EMS

Procedure

1. Generate the CSR from the EMS GUI.
2. Save the CSR and private key to your local desktop.
3. Get the certificate signed by a third party or SMGR-CA (SMGR-CA is covered in this presentation).
4. Install the certificate in the EMS GUI.
5. Run cert sync on the CLI.
6. Create Server and Client TLS profiles.
7. Assign the TLS profile to the signaling interface.
Generate a CSR through the GUI
1. From TLS Management screen click the Generate CSR button
2. Fill in Country Name / State/Province Name / Locality Name
3. Fill in Organization Name / Organization Unit / Common Name
4. Choose Algorithm SHA256
5. Choose Key Size as 2048 bits.

Generate a CSR through the GUI (continued)
6. Choose Key Usage Extension
7. Fill in Subject Alt Name / Passphrase / Confirm Passphrase
8. Fill in Contact Name / Contact Email
9. Click on Generate CSR
Generate a CSR through the GUI (continued)
NOTE:
Recommended settings for CSRs
If you want to generate your own CSR for use with the Avaya SBCE, the following settings are recommended:
• Private Key Strength: 2048-bit
• Key Usage: keyUsage=keyEncipherment
• Extended Key Usage: extendedKeyUsage=serverAuth,clientAuth
• Common Name can be the SBCE FQDN.
• Subject Alt Name IP address needs to have the SBC IP address (internal or external), i.e. the interface facing the device you are going to use this cert to talk to. Format example: IP:10.10.10.1
• Subject Alt Name DNS needs to have the SIP domain.
• Passphrase has to be 7 to 32 characters in length.
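The deck's opening slide says to edit the OpenSSL default configuration file for the extension attributes the interactive prompt cannot ask for, and the note above lists the recommended values. The script below is an added example, not part of the original deck or any Avaya tool: it writes a minimal OpenSSL config carrying those extensions, generates a 2048-bit key and SHA-256 CSR with a passphrase-protected key, and re-reads the CSR with `openssl req -text -noout -verify` (the deck's own CSR check) to confirm each recommended attribute is present. The FQDN sbce.example.com, the DN values and the passphrase are constructed for the demo; the SAN IP 10.10.10.1 and the SIP domain sbct4.com are the examples used elsewhere in the deck.

```shell
#!/bin/sh
# Added example: build an SBCE CSR carrying the extensions the deck recommends
# (keyUsage=keyEncipherment, extendedKeyUsage=serverAuth,clientAuth, SAN with the
# interface IP and the SIP domain), 2048-bit RSA, SHA-256. The FQDN sbce.example.com,
# DN values and passphrase are constructed; 10.10.10.1 and sbct4.com are deck examples.
set -eu

# Write a minimal OpenSSL config whose req_extensions section carries the
# attributes the interactive prompt cannot ask for.
write_csr_config() {
    cfg="$1"; cn="$2"; sip_domain="$3"; san_ip="$4"
    cat > "$cfg" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = IN
ST = Maharashtra
L  = Magarpatta
O  = Avaya
OU = Tier-4
CN = $cn

[ v3_req ]
keyUsage         = keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName   = @alt_names

[ alt_names ]
IP.1  = $san_ip
DNS.1 = $sip_domain
EOF
}

# Generate a 2048-bit key (encrypted under the passphrase) and the CSR into $1.
gen_csr() {
    dir="$1"; pass="$2"
    write_csr_config "$dir/sbce.cnf" sbce.example.com sbct4.com 10.10.10.1
    openssl req -new -newkey rsa:2048 -sha256 \
        -config "$dir/sbce.cnf" \
        -keyout "$dir/sbce.key" -passout "pass:$pass" \
        -out "$dir/sbce.csr" 2>/dev/null
}

# Verify the CSR's self-signature and confirm every recommended attribute is
# present in the decoded text. Returns 0 only if all checks pass.
check_csr() {
    csr="$1"
    text=$(openssl req -in "$csr" -noout -text -verify 2>&1) || return 1
    for needle in "Public-Key: (2048 bit)" \
                  "sha256WithRSAEncryption" \
                  "Key Encipherment" \
                  "TLS Web Server Authentication, TLS Web Client Authentication" \
                  "IP Address:10.10.10.1" \
                  "DNS:sbct4.com"; do
        case "$text" in
            *"$needle"*) ;;
            *) echo "missing in CSR: $needle" >&2; return 1 ;;
        esac
    done
}

# Stand-alone run: generate into a scratch directory and check the result.
work=$(mktemp -d)
gen_csr "$work" "Av@ya1234"   # constructed passphrase, 7-32 characters as the deck requires
check_csr "$work/sbce.csr" && echo "CSR OK: $work/sbce.csr"
```

The config keeps `prompt = no` so the DN comes from the file rather than the interactive prompt, which is what makes the run repeatable; the extension names in `[ v3_req ]` are the same `keyUsage`, `extendedKeyUsage` and `subjectAltName` keywords the deck's note uses.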



Generate a CSR through the GUI (continued)
10. After clicking Generate CSR, a window showing the CSR is displayed.
11. Scroll through it to make sure all the information looks correct.
12. Then download the CSR and key to your computer by clicking the Download CSR button and the Download Private Key button.


SBCE Certificate generation using SMGR-CA
1> Log in to SMGR as user admin.
2> Click on Services>Security>Certificates>Authority.
3> Click on Add End Entity and fill in the required fields.
SBCE Certificate generation using SMGR-CA (continued)

Add Entity Field Description:

End Entity Profile: select EXTERNAL_CSR_PROFILE from the dropdown.
Username: select any username, e.g. sbcecert. This username is only used for cert creation.
Password: choose any password for the username, e.g. sbcecert123.
Confirm password: confirm the same password as above.
Email: enter your email id (optional).

CN, Common Name: Enter the FQDN of the SBCE (Required). This should be the same as the one used during CSR generation on SBCE.

Fill in the OU, O, L, ST and Country fields the same as when generating the CSR.

Certificate profile should be ID_CLIENT_SERVER
CA should be tmdefaultca
Token should be User Generated
Click Add End Entity
After adding the End Entity, click on Public Web; this should open a new window to EJBCA in your browser.
From the left menu click on Create Server Certificate.
Provide the username and password created during end entity addition and copy-paste the CSR contents into the white box.
Result Type should be set to PEM Certificate; click OK. This should download a .pem certificate file to your desktop.
SBCE Certificate generation using SMGR-CA (continued)
Now you have the ID cert for SBCE.

You can download the SMGR-ROOT-CA cert from SMGR: go to Services>Security>Certificate>Basic Function and, on the right side of the window, click on download pem file to download the SMGR-CA root cert in .pem format.

You can just rename the cert to the .crt extension.
SBCE Certificate and private key generation using SMGR-CA
1> Log in to SMGR as user admin.
2> Click on Services>Security>Certificates>Authority.
3> Click on Add End Entity and fill in the required fields.
Add Entity Field Description:
End Entity Profile: select INBOUND_OUTBOUND_TLS from the dropdown.
Username: select any username, e.g. sbcecert. This username is only used for cert creation.
Password: choose any password for the username, e.g. sbcecert123.
Confirm password: confirm the same password as above.
Email: enter your email id (optional).

CN, Common Name: Enter the FQDN of the SBCE (Required).
OU, Organization Unit: Enter the name of the organization unit, e.g. Tier-4
O, Organization: Enter the organization name, e.g. Avaya
L, Location: Enter the location, e.g. Magarpatta
ST, State or Province: Enter the state, e.g. Maharashtra
C, Country (ISO 3166): Enter the 2-character country code, e.g. IN for India

DNS Name: Enter the SIP domain, e.g. sbct4.com
IP Address: Enter the external IP of the SBCE, e.g. 10.133.39.192
URI, Uniform Resource ID: enter sip:<sip domain>, e.g. sip.sbct4.com

Certificate profile should be ID_CLIENT_SERVER
CA should be tmdefaultca
Token should be P12 file
Click Add End Entity
After adding the End Entity, click on Public Web; this should open a new window to EJBCA in your browser.
From the left menu click on Create Key store.
Provide the username and password created during end entity addition and click OK.
On the next screen, select the key length as 2048 bits; Certificate profile should be ID_CLIENT_SERVER and OpenVPN installer should be unchecked. Click OK and it should download a PKCS12 cert file to your desktop.
The next step is to extract the .pem format cert and key file from the PKCS12 cert file.

• Using WinSCP, move the PKCS12 file to any Linux machine which has openssl, or to the SBCE.
• Extract the cert file with the command below:
openssl pkcs12 -in <filename>.p12 -out <filename>.crt -nokeys -clcerts
• Extract the key file with the following command:
openssl pkcs12 -in <filename>.p12 -out <filename>.key -nocerts
• Using WinSCP, copy the cert and key file to your desktop.
• Follow the Certificate Installation instructions to install the cert on SBCE.
Install Root Certificate in the ASBCE GUI
1. In GUI go to TLS Management>>Certificates
2. Click on the Install button
3. Click on the CA Certificate in the Type area
4. Name it whatever you want so you know what it is
5. Hit the Browse button and browse to where you have the root cert
6. Click on Upload



Install Root Certificate in the ASBCE GUI (continued)
7. After clicking on the Upload button it will bring up a window to view it
8. Scroll down to make sure all the information in it is correct
9. Once verified click on the Install button
10. Make sure it says installation was successful
11. Click the Finish button


Installing the ASBCE certificate in the ASBCE GUI
1. Log in to the ASBCE GUI as an administrator
2. Click on “TLS Management”
3. Click on Certificates and then the Install button
4. Type the name for the cert file in the Name box.
5. Click on the Browse button next to Certificate File and select the new cert file


Installing the certificate in the ASBCE GUI (continued)
6. Select the checkbox next to “Upload Key File”.
7. Click on the Browse button next to Key File.
8. Select the key file given by the customer, then click the Upload button
Installing the certificate in the ASBCE GUI (continued)
9. After clicking the “Upload” button it shows the certificate in a window
10. Verify the information in it looks correct
11. Then click the “Install” button
Installing the certificate in the ASBCE GUI (continued)
12. After clicking the Install button it will install into the GUI
13. Once completed it shows “successful”
14. Click on the Finish button
Installing the certificate in the ASBCE GUI (continued)
15. After clicking the Finish button it will show the new cert under Installed Certificates.
16. You can click View to see the certificate details.
17. Or you can click Delete if a certificate is not used or needed.
Finish new Certificate installation via CLI - HA
1. If this is an HA deployment, SSH into the SBC as “ipcs” and become the root user with “sudo su”
2. The first command is “clipcs” (without the quotes)
3. Once the CLIPCS console comes up, run “certsync”
Finish new Certificate installation via CLI - HA (continued)
4. After doing the “certsync” you will then run certinstall “certname”
5. You will be prompted for the passphrase
Finish new Certificate installation via CLI - SA
1. If this is a standalone unit, SSH into the SBC as “ipcs” and become the root user with “sudo su”
2. cd to the /usr/local/ipcs/cert/key directory, then run the following command
3. enc_key "key_filename" "passphrase" (run without the quotes)
4. If the passphrase has a special character you need a \ in front of it
5. Example: Av@ya1 would be entered as Av\@ya1
Create Client Profile in the GUI

1. Under TLS Management>>Client Profiles click the Add button
2. Put a name in the Profile Name box
3. In the Certificate dropdown box choose the new certificate you installed
4. On Peer Certificate Authorities choose the root certificate
5. Verification Depth: put a 1 in the box
6. Cipher Options: choose what is needed or leave it at the default, and click the Finish button
7. It will now display the new Client Profile in the GUI
8. If something was input incorrectly you can hit the Edit button at the bottom
9. Any options can be changed depending on what is needed/set up

NOTE:
Client Profile – the SBC will initiate the connection.
Depth – if there are multiple certificates (a certificate chain), it will look up to the specified depth to verify the certificate.


Create Server Profile in the GUI
1. Under TLS Management>>Server Profiles click the Add button
2. Put a name in the Profile Name box
3. In the Certificate dropdown box choose the new certificate you installed
4. On Peer Verification just leave it as None or select Optional.
5. Verification Depth: leave the box empty.
6. Cipher Options: choose what is needed or leave the default, and click the Finish button
7. It will now display the new Server Profile in the GUI
8. If something was input incorrectly you can hit the Edit button at the bottom
9. Any options can be changed depending on what is needed/set up

NOTE:
Server Profile – accepting connections from the other side.
Depth – if there are multiple certificates (a certificate chain), it will look up to the specified depth to verify the certificate.


Install the certificate on Network Interface
1. In the GUI click Device Specific Settings>>Signaling Interface
2. Click Edit on the interface you want to do TLS on
3. In TLS Port put 5061 (the TLS port used) in the box
4. In the TLS Profile dropdown box choose the new profile and click Finish
Install the certificate on Network Interface (continued)
5. Repeat for all interfaces needing the new TLS certificate
6. It will now show the new TLS profile on the main Signaling Interface screen
Install the certificate on Server Config
1. In the GUI click Global Profiles>>Server Configuration
2. In the General tab choose the profile you need the certificate on
3. Click Edit
4. Click Add, in Port put 5061, and in the Transport dropdown choose TLS
5. Then click Finish
Creating Routing Profiles for TLS
1. In the GUI click Global Profiles>>Routing
2. Choose any routing profile you need changed to TLS
3. Click Edit and then in the popup window choose the Add button
4. Under Next Hop Address choose the IP address with TLS
5. Then click Finish
Subscriber Flow with Client Profile
1. In the GUI click Device Specific Settings>>End Point Flows
2. Click Edit on the Subscriber Flow needing the change and then Next
3. In the TLS Client Profile dropdown choose the new profile
4. Then click Finish
Reverse Proxy with HTTPS
1. In the GUI click Device Specific Settings>>DMZ Services>>Relay Services>>Reverse Proxy tab
2. Click Add, fill in Listen IP/Port, set Listen Protocol to HTTPS and in the TLS Client Profile dropdown choose the new profile; choose your Server Protocol and TLS Profile, Connect IP and PPM Mapping Profile, and lastly put in your Server Address:port.
3. Then click Next and then click Finish
HTTPd Cert on EMS
You need the following files to install the cert file in the Tomcat keystore.

1. A PEM-encoded CA-signed X.509 public key certificate
2. The associated RSA or DSA PEM-encoded private key for the signed certificate
3. A file containing the PEM-encoded X.509 CA certificates concatenated together (also known as a trust chain file). The first entry must be either our signed X.509 public key certificate or the CA certificate that signed our public key certificate. The next entry should be the CA certificate that signed the preceding certificate, and so forth. The last entry will need to be a CA certificate that is trusted in the browser (e.g. an internal IT root certificate or a CA certificate signed by a publicly trusted entity such as Verisign or Thawte).
OR
A PKCS#12 keystore file containing all of the above
HTTPd Cert on EMS (continued)

Importing the key pair and trust chain into a PKCS#12 keystore

The very first step is to convert the key pair into a form readable by the Java keytool. Since keytool is unable to import external keys directly, we work around this by going through a PKCS#12 keystore.
To generate the PKCS#12 keystore, run the following command:

openssl pkcs12 \
-export \
-in {certificate-file-name} \
-inkey {certificate-key-file-name} \
-passin pass:{key-file-password} \
-out {output-file} \
-passout pass:sipera \
-name tomcat \
-certfile {trust-chain-file-name}
In this command, you will need to replace the following:
{certificate-file-name}: the file system path to our signed X.509 public key certificate
{certificate-key-file-name}: the file system path to our private key file
{key-file-password}: the password for our private key file, if any is set. If none is set, this entire line can be omitted.
{output-file}: the file we want to write the PKCS#12 keystore to.
{trust-chain-file-name}: the file system path to our trust chain file.

Converting the PKCS#12 keystore into a Tomcat keystore
Once you have the PKCS#12 keystore, convert it to the format we intend to use with Tomcat:

keytool -importkeystore \
-deststorepass {keystore-password} \
-destkeypass {private-key-password} \
-destkeystore {keystore-file-name} \
-srckeystore {pkcs-keystore-file-name} \
-srcstoretype PKCS12 \
-srcstorepass {pkcs-keystore-password} \
-alias tomcat
In this command, you'll need to replace the following:
{keystore-password}: the password we want to generate our JKS keystore file with. Tomcat is expecting the password "sipera", so this is what we will need to use for our password.
{private-key-password}: the password of our private key file. If none is set, this line may be omitted.
{keystore-file-name}: the name of the keystore file we are generating.
{pkcs-keystore-file-name}: the file system path to our PKCS keystore file. If you generated a PKCS keystore in the last step, this should be the same value as what we used for {output-file}.
{pkcs-keystore-password}: the password for our PKCS keystore file. If you generated a PKCS keystore in the last step, this will be "sipera".

Move the existing tomcat.keystore in /usr/local/ipcs/etc/ aside
(e.g.: #mv tomcat.keystore tomcat.keystore.orig)
mv -v /usr/local/ipcs/etc/tomcat.keystore /usr/local/ipcs/etc/tomcat.keystore.orig

Copy the modified tomcat.keystore into /usr/local/ipcs/etc/
(e.g.: #cp /home/ipcs/tomcat.keystore /usr/local/ipcs/etc/tomcat.keystore)
mv -v /home/ipcs/tomcat.keystore /usr/local/ipcs/etc/tomcat.keystore
Reset permissions on the new tomcat.keystore

chown -v root:root /usr/local/ipcs/etc/tomcat.keystore
chmod -v 600 /usr/local/ipcs/etc/tomcat.keystore

Restart Tomcat to activate the new certificate

/usr/local/tomcat/bin/shutdown.sh
/usr/local/tomcat/bin/startup.sh
Common OpenSSL Commands
OpenSSL is an open source project that provides a robust, commercial-grade, full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.
Checking Using OpenSSL
Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr
Check a private key
openssl rsa -in privateKey.key -check
Check a certificate
openssl x509 -in certificate.crt -text -noout
Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12
Common OpenSSL Commands
Converting Using OpenSSL
To extract the certificate from a P12 file
openssl pkcs12 -in <filename>.p12 -out <filename>.crt -nokeys -clcerts
To extract the private key from a P12 file
openssl pkcs12 -in <filename>.p12 -out <filename>.key -nocerts
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Check an MD5 hash of the public key to ensure that it matches what is in a CSR or private key
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
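As an added example that is not part of the deck, the script below ties together the PKCS#12 steps that appear in several places: the `openssl pkcs12 -export ... -certfile ... -name tomcat` packaging used for the EMS keystore, the `-nokeys -clcerts` / `-nocerts` extraction shown for the SMGR-generated P12 file, and the modulus comparison just above. It builds a constructed two-tier chain (Lab Root CA, Lab Intermediate CA, leaf sbce.example.com), round-trips the leaf and its chain through PKCS#12, then checks that the extracted certificate, key and CSR share one modulus and that the chain verifies against the root. It also exercises the Verification Depth setting from the Client Profile slide with `openssl verify -verify_depth`. All CA and host names are constructed; the export password sipera is the deck's.

```shell
#!/bin/sh
# Added example (not from the deck): constructed root -> intermediate -> SBCE chain,
# packaged into PKCS#12 as the deck's openssl commands do, unpacked and checked.
# Lab Root CA, Lab Intermediate CA and sbce.example.com are constructed names.
set -eu

# One config file with the extension sections each certificate type needs, so the
# openssl req/x509 calls do not depend on a system openssl.cnf being present.
write_pki_config() {
    cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ v3_int ]
basicConstraints       = critical,CA:TRUE,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ v3_sbce ]
basicConstraints       = CA:FALSE
keyUsage               = keyEncipherment,digitalSignature
extendedKeyUsage       = serverAuth,clientAuth
subjectAltName         = DNS:sbct4.com,IP:10.10.10.1
EOF
}

# Key + CSR for $1 with subject $2, signed by CA $3 using extension section $4.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -sha256 -days 7 -CA "$3.crt" -CAkey "$3.key" \
        -CAcreateserial -extfile pki.cnf -extensions "$4" -out "$1.crt" 2>/dev/null
}

build_pki() {
    write_pki_config
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf -days 7 \
        -extensions v3_ca -subj "/CN=Lab Root CA" -keyout root.key -out root.crt 2>/dev/null
    issue int  "/CN=Lab Intermediate CA" root v3_int
    issue sbce "/CN=sbce.example.com"    int  v3_sbce
    cat int.crt root.crt > chain.crt     # trust chain file: leaf's issuer first, root last
}

# Package leaf cert + key + chain under one password (deck: -export -certfile -name tomcat).
make_p12() {
    openssl pkcs12 -export -in sbce.crt -inkey sbce.key -certfile chain.crt \
        -name tomcat -passout "pass:$1" -out sbce.p12
}

# Unpack: client cert only, private key only (unencrypted), CA certs only.
extract_p12() {
    openssl pkcs12 -in sbce.p12 -passin "pass:$1" -nokeys  -clcerts -out out.crt
    openssl pkcs12 -in sbce.p12 -passin "pass:$1" -nocerts -nodes   -out out.key
    openssl pkcs12 -in sbce.p12 -passin "pass:$1" -nokeys  -cacerts -out out-chain.crt
}

# Same check as the deck's md5-of-modulus recipe, comparing the modulus strings directly.
# Returns 0 only when the extracted cert, the extracted key and the original CSR agree.
moduli_match() {
    c=$(openssl x509 -noout -modulus -in out.crt)
    k=$(openssl rsa  -noout -modulus -in out.key)
    r=$(openssl req  -noout -modulus -in sbce.csr)
    [ "$c" = "$k" ] && [ "$c" = "$r" ]
}

# Verify the extracted cert against the root with a given verification depth.
# With OpenSSL 1.1.0+ the depth counts intermediate CAs only, so this chain needs
# depth >= 1; depth 0 fails with "certificate chain too long".
verify_depth() {
    openssl verify -verify_depth "$1" -CAfile root.crt -untrusted out-chain.crt out.crt \
        >/dev/null 2>&1
}

# Whole round trip in a scratch directory; returns 0 only if every check holds.
run_demo() {
    cd "$(mktemp -d)"
    pass="sipera"                      # the deck's example export password
    build_pki
    make_p12 "$pass"
    extract_p12 "$pass"
    openssl pkcs12 -info -in sbce.p12 -passin "pass:$pass" -noout >/dev/null 2>&1  # deck's P12 check
    moduli_match || return 1
    verify_depth 2 || return 1          # generous depth: passes on every OpenSSL version
    if verify_depth 0; then return 1; fi   # too shallow for root -> intermediate -> leaf
    echo "PKCS#12 round trip OK in $PWD"
}

run_demo
```

The keytool import into the Tomcat keystore from the deck is deliberately left out because it needs a Java runtime; everything up to and including the PKCS#12 file it consumes is covered. The depth check is the practical meaning of the Client Profile's Verification Depth field: a value too small for the peer's chain makes every handshake fail even though the certificates themselves are valid.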
Common OpenSSL Commands
Generate a new private key and Certificate Signing Request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Generate a certificate signing request (CSR) for an existing private key
openssl req -out CSR.csr -key privateKey.key -new
Generate a certificate signing request based on an existing certificate
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
Remove a passphrase from a private key
openssl rsa -in privateKey.pem -out newPrivateKey.pem
Check an SSL connection. All the certificates (including intermediates) should be displayed
openssl s_client -connect www.avaya.com:443
