Configuring TLS on the Web Server

The Web GUI supports HTTP over Transport Layer Security (TLS). TLS is a cryptographic protocol that provides communication security over the Internet. It encrypts the segments of network connections at the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

Note:

For more information about setting up security on the Oracle® Enterprise Session Border Controller (E-SBC), see the chapter on security in this guide.

To use TLS with SIP Monitor and Trace, you must configure a TLS certificate and a TLS profile using the ACLI at the path Configure Terminal > Security. This configuration stores the information required to run SIP over TLS.

If you enable TLS on the active E-SBC, the Web-based GUI interface on the standby system is disabled.

Process Overview

In summary, you need to take the following steps to enable the Oracle® Enterprise Session Border Controller (E-SBC) for TLS.

  1. Make sure that the E-SBC has the appropriate hardware installed and that you have obtained and enabled the licenses related to TLS support.
  2. Configure certificates.
  3. Configure the specific parameters related to TLS.

Certificate Configuration Process

The process for configuring a certificate on the Oracle® Enterprise Session Border Controller (E-SBC) requires the following steps.

  1. Configure a certificate record on the E-SBC. See "Configure a Certificate Record."
  2. Generate a certificate request by the E-SBC. See "Generate a Certificate Request."
  3. Import the certificate into the E-SBC. See "Import a Certificate."
  4. Reboot the system.

Configure a Certificate Record

Use the certificate-record object to add a certificate record to the Oracle® Enterprise Session Border Controller (E-SBC). The certificate record configuration represents either the end-entity or the Certificate Authority (CA) certificate on the E-SBC.

When you configure a certificate for the E-SBC, the name that you enter must be the same as the name that you use when you generate a certificate request. If you are configuring a CA certificate for an end station for mutual authentication, the certificate name must be the same name used during the import procedure.

  • If this certificate record is used to present an end-entity certificate, associate a private key with this certificate record by using a certificate request.
  • If this certificate record is created to hold a CA certificate or certificate in PKCS12 format, a private key is not required.
  1. Access the certificate-record configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# certificate-record
    ORACLE(certificate-record)# 
  2. Do the following:

    name—Enter the name of the certificate record. Required.

    country—Enter the name of the country. Default: U.S.

    state—Enter the name of the state for the country. Default: MA.

    locality—Enter the name of the locality for the state. Default: Burlington.

    organization—Enter the name of the organization holding the certificate. Default: Engineering.

    unit—Enter the name of the unit holding the certificate within the organization.

    common-name—Enter the common name for the certificate record.

    key-size—Enter the size of the key for the certificate. Default: 1024. Valid values: 512 | 2048 | 4096.

    alternate-name—Enter the alternate name of the certificate holder.

    key-usage-list—Enter the usage extensions you want to use with this certificate record. This parameter can be configured with multiple values, and it defaults to the combination of digitalSignature and keyEncipherment. For a list of possible values and their descriptions, see "Key Usage Control."

    extended-key-usage-list—Enter the extended key usage extensions you want to use with this certificate record. Default: serverAuth. For a list of possible values and their descriptions, see "Key Usage Control."

  3. Type done to save your configuration.

To verify a certificate record, see "Security" in the ACLI Configuration Guide.

Generate a Certificate Request

The ACLI generate-certificate-request <record-name> command generates a private key and a certificate request in PKCS #10 PEM format.

Note:

You can only perform this task after you configure a certificate record.

The Oracle® Enterprise Session Border Controller (E-SBC) stores the private key that is generated in the certificate record configuration in 3DES encrypted form with an internally generated password. The E-SBC displays the PKCS10 request in PEM (Base64) form.

You use this command for certificate record configurations that hold end-entity certificates. If you have configured the certificate record to hold a CA certificate, then you do not need to generate a certificate request because the CA publishes its certificate in the public domain. You import a CA certificate by using the ACLI import-certificate <certificate-record-name> command.

The generate-certificate-request command produces the information that the CA needs to generate the certificate, but the E-SBC itself has no Internet connectivity to the CA. You can submit the request to the CA through a browser such as Internet Explorer, if one is available, or you can save the certificate request to disk and then submit it to the CA.

To run the applicable command, you must use the value you entered in the name parameter of the certificate record configuration. You run the command from the main Superuser mode command line, and then save and activate the configuration.

ACMEPACKET# security certificate request acmepacket 
Generating Certificate Signing Request. This can take several 
minutes.... 

-----BEGIN CERTIFICATE REQUEST----- 

MIIB2jCCAUMCAQAwYTELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAk1BMRMwEQYDVQQH 
EwpCdXJsaW5ndG9uMRQwEgYDVQQKEwtFbmdpbmVlcmluZzEMMAoGA1UECxMDYWJj 
MQwwCgYDVQQDEwNhYmMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALOMLHo8 
/qIOddIDVuqot0Y72l/BfH8lolRKmhZQ4e7sS+zZHzbG8phzmzhfOSECnZiA2bEo 
f+Nti7e7Uof4lLwiYl9fvhURfzhENOKThAPKPiJCzBBglTITHTYal00Cq2fj5A8B 
ZcuAHj7Vp5wP2zpz6EUTFpqTDMLVdwJGJrElAgMBAAGgOTAMBgNVHRExBRMDZGVm 
MCkGA1UdDzEiEyBkaWdpdGFsU2lnbmF0dXJlLGtleUVuY2lwaGVybWVudDANBgkq 
hkiG9w0BAQUFAAOBgQAtel4ZSLI8gqgMzodbYwgUHUGqTGeDzQDhJV5fKUXWeMFz 
JsTmWn5Gy/kR4+Nq274G14fnk00fTAfMtgQ5aL3gM43TqaPOTZjJ6qgwuRKhoBPI 
7hkovkgAxHge7wClghiAp/ELdl7tQ515k04BMd5f/fxG7nNiu8iEg7PO0OIBgg== 
-----END CERTIFICATE REQUEST----- 
WARNING: Configuration changed, run "save-config" command. 
ACMEPACKET# save config 
copying file /code/config/dataDoc.gz -> /code/config/dataDoc_3.gz 
copying file /code/config/tmp/editing/dataDoc.gz -> 
/code/config/dataDoc.gz 
Save complete 
ACMEPACKET# activate config 
activate complete
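Before you hand the request above to a CA, it is worth confirming that it actually carries what the certificate record says: the subject fields, the requested key-usage-list and alternate-name, and above all the key size. The following added example (not part of the Oracle documentation, standard library only) walks the DER of the PKCS #10 request shown in this section with a minimal TLV decoder and flags RSA keys below 2048 bits; the MIN_RSA_BITS threshold is this example's own choice, not an E-SBC setting.

```python
import base64
# The PKCS #10 request shown in the ACLI output above, copied verbatim.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIB2jCCAUMCAQAwYTELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAk1BMRMwEQYDVQQH
EwpCdXJsaW5ndG9uMRQwEgYDVQQKEwtFbmdpbmVlcmluZzEMMAoGA1UECxMDYWJj
MQwwCgYDVQQDEwNhYmMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALOMLHo8
/qIOddIDVuqot0Y72l/BfH8lolRKmhZQ4e7sS+zZHzbG8phzmzhfOSECnZiA2bEo
f+Nti7e7Uof4lLwiYl9fvhURfzhENOKThAPKPiJCzBBglTITHTYal00Cq2fj5A8B
ZcuAHj7Vp5wP2zpz6EUTFpqTDMLVdwJGJrElAgMBAAGgOTAMBgNVHRExBRMDZGVm
MCkGA1UdDzEiEyBkaWdpdGFsU2lnbmF0dXJlLGtleUVuY2lwaGVybWVudDANBgkq
hkiG9w0BAQUFAAOBgQAtel4ZSLI8gqgMzodbYwgUHUGqTGeDzQDhJV5fKUXWeMFz
JsTmWn5Gy/kR4+Nq274G14fnk00fTAfMtgQ5aL3gM43TqaPOTZjJ6qgwuRKhoBPI
7hkovkgAxHge7wClghiAp/ELdl7tQ515k04BMd5f/fxG7nNiu8iEg7PO0OIBgg==
-----END CERTIFICATE REQUEST-----"""

OIDS = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O", "2.5.4.11": "OU",
        "2.5.4.3": "CN", "2.5.29.17": "subjectAltName", "2.5.29.15": "keyUsage",
        "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}  # names for OIDs the E-SBC emits
MIN_RSA_BITS = 2048  # example policy: 512- and 1024-bit RSA keys are flagged as weak

def tlv(data, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def items(value):
    """(tag, value) pairs nested directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def oid(raw):
    """Decode a DER OBJECT IDENTIFIER body to dotted form, naming it if known."""
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc); acc = 0
    dotted = ".".join(map(str, parts))
    return OIDS.get(dotted, dotted)

def parse_csr(pem):
    """Return subject, RSA key size, signature algorithm and requested attributes."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    cri, sig_alg, _ = items(tlv(der)[1])         # CertificationRequest
    _, subject, spki, attrs = items(cri[1])      # version, Name, SPKI, [0] attributes
    name = {oid(items(atv[1])[0][1]): items(atv[1])[1][1].decode()
            for rdn in items(subject[1]) for atv in items(rdn[1])}
    rsa_key = items(tlv(items(spki[1])[1][1][1:])[1])  # BIT STRING -> RSAPublicKey
    key_bits = int.from_bytes(rsa_key[0][1], "big").bit_length()
    extras = {oid(items(a[1])[0][1]): items(items(a[1])[1][1])[0][1].decode()
              for a in items(attrs[1])}
    return {"subject": name, "key_bits": key_bits, "weak_key": key_bits < MIN_RSA_BITS,
            "sig_alg": oid(items(sig_alg[1])[0][1]), "attributes": extras}
```

The request on this page decodes to the record's defaults (Burlington, Engineering, CN abc, key usage digitalSignature,keyEncipherment, alternate name def) and a 1024-bit RSA key, so the check reports it as weak.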

Import a Certificate Using the ACLI

For an end-entity certificate, after a certificate is generated using the ACLI security certificate request command, submit the request to a CA for generation of a certificate in PKCS7 or X509v3 format. When the certificate has been generated, you can import it into the Oracle® Enterprise Session Border Controller (E-SBC) using the security certificate import command.

The syntax is:

ACMEPACKET# security certificate import [try-all | pkcs7 | pkcs12 | x509] [certificate-record file-name]

To import a certificate:

  1. When you use the import-certificate <certificate-record-name> command, you can specify whether you want to use PKCS7, PKCS12, X509v3 format, or try all. In the command line, you enter the command, the format specification, and the name of the certificate record. The E-SBC prompts you to enter the certificate in PEM format. Paste the certificate in the ACLI. For example:
    ACMEPACKET# security certificate import try-all acmepacket
    The following displays:
    Please enter the certificate in the PEM format.
    Terminate the certificate with ";" to exit.......
    -----BEGIN CERTIFICATE-----
    MIIDHzCCAoigAwIBAgIIAhMCUACEAHEwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UE
    BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4w
    DAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBB
    dXRob3JpdHkwHhcNMDUwNDEzMjEzNzQzWhcNMDgwNDEyMjEzNzQzWjBUMQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCTUExEzARBgNVBAcTCkJ1cmxpbmd0b24xFDASBgNV
    BAoTC0VuZ2luZWVyaW5nMQ0wCwYDVQQDEwRhY21lMIGfMA0GCSqGSIb3DQEBAQUA
    A4GNADCBiQKBgQCXjIeOyFKAUB3rKkKK/+59LT+rlGuW7Lgc1V6+hfTSr0co+ZsQ
    bHFUWAA15qXUUBTLJG13QN5VfG96f7gGAbWayfOS9Uymold3JPCUDoGgb2E7m8iu
    vtq7gwjSeKNXAw/y7yWy/c04FmUD2U0pZX0CNIR3Mns5OAxQmq0bNYDhawIDAQAB
    o4HdMIHaMBEGA1UdEQQKMAiCBnBrdW1hcjAJBgNVHRMEAjAAMB0GA1UdDgQWBBTG
    tpodxa6Kmmn04L3Kg62t8BZJHTCBmgYDVR0jBIGSMIGPgBRrRhcU6pR2JYBUbhNU
    2qHjVBShtqF0pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
    ETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lw
    aXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDQYJKoZIhvcNAQEFBQAD
    gYEAbEs8nUCi+cA2hC/lM49Sitvh8QmpL81KONApsoC4Em24L+DZwz3uInoWjbjJ
    QhefcUfteNYkbuMH7LAK0hnDPvW+St4rQGVK6LJhZj7/yeLXmYWIPUY3Ux4OGVrd
    2UgV/B2SOqH9Nf+FQ+mNZOlL7EuF4IxSz9/69LuYlXqKsG4=
    -----END CERTIFICATE-----;
    Certificate imported successfully....
    WARNING: Configuration changed, run "save-config" command.
  2. Enter save-config to save the configuration.
    ACMEPACKET# save-config
    copying file /code/config/dataDoc.gz -> /code/config/dataDoc_3.gz 
    copying file /code/config/tmp/editing/dataDoc.gz -> 
    /code/config/dataDoc.gz 
    Save complete
  3. Enter activate-config to activate as the current configuration.
    ACMEPACKET# activate-config
    activate complete

    Note:

    For importing a certificate using SFTP, see the Security section of the ACLI Configuration Guide for your E-SBC model.

Import a Certificate Using SFTP

You can put the certificate file in the directory /ramdrv and execute the import-certificate command, or you can paste the certificate in PEM/Base64 format into the ACLI. If you paste the certificate, you may have to copy and paste it a portion at a time, rather than pasting the whole certificate at once.

  1. SFTP the certificate file to the Oracle® Enterprise Session Border Controller (E-SBC) (directory /ramdrv). For the following example, suppose the name of the certificate file is cert.pem.
  2. When the certificate is successfully transferred to the E-SBC, run the import-certificate command.

    The syntax is:

    ACMEPACKET# import-certificate [try-all|pkcs7|x509] [certificate-record file-name]

    Example results:

    ACMEPACKET# import-certificate try-all acme cert.pem
    Certificate imported successfully....
    WARNING: Configuration changed, run "save-config" command.
  3. Save the configuration.
    ACMEPACKET# save-config
    Save-Config received, processing.
    waiting 1200 for request to finish
    Request to 'SAVE-CONFIG' has Finished,
    Save complete
    Currently active and saved configurations do not match!
    To sync & activate, run 'activate-config' or 'reboot activate'.
  4. Synchronize and activate the configurations.
    ACMEPACKET# activate-config
    Activate-Config received, processing.
    waiting 120000 for request to finish
    Add LI Flows
    LiSysClientMgr::handleNotifyReq
    H323 Active Stack Cnt:  0
    Request to 'ACTIVATE-CONFIG' has Finished,
    Activate Complete
    ACMEPACKET#

PKCS #12 Container Import and Export Capability

The Oracle® Enterprise Session Border Controller (E-SBC) supports Public Key Cryptography Standard (PKCS) #12 for bundling a private key with the associated X.509 public key certificate in a file for archiving, importing, and exporting. The E-SBC does not support bundling all members of the chain of trust.

Note:

The E-SBC only supports PKCS12 files that are bundled with either RSA or ECDSA private keys and their X.509 certificates.

E-SBC customers often need to use keys and certificates stored in the E-SBC for Transport Layer Security (TLS) packet analysis and network troubleshooting, or to share with another E-SBC or other device. The keys and certificates are packaged together and exchanged in the PKCS #12 archive file format.

Note:

The E-SBC supports this functionality only by way of the ACLI.

Export to a PKCS #12 File

You can export a local entity certificate from the Oracle® Enterprise Session Border Controller (E-SBC) to a PKCS #12 file by way of the ACLI. You cannot do so from the Web GUI.

Use the following syntax on the ACLI.

Note:

When prompted for password and passphrase, use the ones that you entered in system-config.

export-certificate <pkcs#12> <Certificate-record-name> [pkcs12-file-name]

Where

  • Certificate-record-name—the name of the local entity certificate record that you want to export.
  • Pkcs12-file-name—the name of the target PKCS #12 file. The system creates the export file in the /opt directory. Use either .pfx or .p12 as the file extension.

The following example shows the system display when exporting a certificate record named localCert to a PKCS #12 file from the E-SBC.

sd225v# export-pkcs12 localCert.p12

Creating pkcs12 for certificate-record: (localCert)

A certificate key found for making pkcs12 "localCert"

PKCS12 Certificate(s) exported successfully

Import a PKCS #12 File

You can import a PKCS #12 key and certificate file that was generated elsewhere into the Oracle® Enterprise Session Border Controller (E-SBC) by way of the ACLI.

Use the following syntax on the ACLI.

import-certificate <pkcs#12> <Certificate-record-name> [pkcs12-file-name]

Where

  • Certificate-record-name—must be a new name that does not already exist as a certificate record; the system creates the record during the PKCS #12 import. This differs from other certificate imports, where the certificate record must already exist on the target system.
  • Pkcs12-file-name—the name of the PKCS #12 file that you want to import. Import the file to /opt.

The following example shows the system display when importing a PKCS #12 file named localRecordCert.p12 into the E-SBC.

sd225v# import-certificate pkcs12 localCert localRecordCert.p12

The specified certificate-record (localCert) does not exist

Creating one...

Enter import password:

Certificate imported successfully...

Warning: Configuration changed. run 'save-config' and 'activate-config' commands to commit the changes.

Securing Communications Between the E-SBC and SDM with TLS

You can use the Transport Layer Security (TLS) protocol to secure the communications link between the Oracle® Enterprise Session Border Controller (E-SBC) and the Oracle Communications Session Delivery Manager (SDM). Note that the systems use Acme Control Protocol (ACP) for this messaging.

To configure the E-SBC to use TLS for this ACP messaging:
  1. Configure a TLS profile. The tls-profile object is located under security, where you add certificates, select cipher lists, and specify the TLS version for each profile.
  2. Configure the system-config element's acp-tls-profile parameter to specify this TLS profile.
The acp-tls-profile parameter is empty by default, which means that ACP over TLS is disabled. When ACP over TLS is disabled, the SDM establishes a TCP connection with the E-SBC. When the acp-tls-profile parameter specifies a valid TLS profile, the E-SBC negotiates a TLS connection with SDM.

Note:

This feature requires SDM version 8.1 and above.

Configuring a TLS Profile

To configure a TLS profile:

  1. In Superuser mode, type configure terminal and press Enter.
    ACMEPACKET# configure terminal
  2. Type security and press Enter to access the security-related objects.
    ACMEPACKET(configure)# security
  3. Type tls-profile and press Enter to access the TLS profile-related parameters.
    ACMEPACKET(security)# tls-profile
    ACMEPACKET(tls-profile)#

    name—Enter the name of the TLS profile. This parameter is required; you cannot leave it empty.

    ACMEPACKET(tls-profile)# name tls-prof1

    end-entity-certificate—Enter the name of the end-entity certificate record.

    ACMEPACKET(tls-profile)# end-entity-certificate cert1

    trusted-ca-certificates—Enter the names of the trusted CA certificate records.

    ACMEPACKET(tls-profile)# trusted-ca-certificates cert1

    Note:

    To create and import certificate records to be used on the Web Server, see Configuring Certificates.

    cipher-list—Not supported for SIP Monitor and Trace. The Session Director ignores any value you enter for this parameter.

    • AES256-SHA (TLS_RSA_WITH_AES_256_CBC_SHA) - Firefox (version 12) and Chrome (version 19.0.1084.46m) only

    • AES128-SHA (TLS_RSA_WITH_AES_128_CBC_SHA) - Firefox (version 12) and Chrome (version 19.0.1084.46m) only

    • DES-CBC-SHA (SSL_RSA_WITH_DES_CBC_SHA or TLS_RSA_WITH_DES_CBC_SHA) - Internet Explorer (Version 9) only

    verify-depth—Not supported for SIP Monitor and Trace

    mutual-authenticate—Not supported for SIP Monitor and Trace

    tls-version—Enter the TLS version you want to use with this TLS profile. Default is compatibility. Valid values are:

    • TLSv1

    • SSLv3

    • compatibility (default)

    ACMEPACKET(tls-profile)# tls-version TLSv1

    cert-status-check—Not supported for SIP Monitor and Trace

    cert-status-profile-list—Not supported for SIP Monitor and Trace

    ignore-dead-responder—Not supported for SIP Monitor and Trace

    allow-self-signed-cert—Not supported for SIP Monitor and Trace

  4. Enter done to save the tls-profile configuration.
    ACMEPACKET(tls-profile)# done
  5. Enter exit to exit the TLS profile configuration.
    ACMEPACKET(tls-profile)# exit
  6. Enter exit to exit the security configuration.
    ACMEPACKET(security)# exit
    ACMEPACKET(configure)#
  7. Enter exit to exit the configure mode.
    ACMEPACKET(configure)# exit
  8. Enter save-config to save the configuration.
    ACMEPACKET# save-config
  9. Enter activate-config to activate as the current configuration.
    ACMEPACKET# activate-config