P-Certificate-Subject-Common-Name to REGISTER Messages

Most enterprises use revocation servers to authenticate certificates when user equipment registers with the Oracle Enterprise Session Border Controller. In high-security enterprises, such as government organizations, user equipment such as a cell phone may have a certificate installed. If the user equipment is stolen, for example, the thief could use the equipment to register with the Oracle Enterprise Session Border Controller and log on to the system before the certificate is revoked from the server.

The Oracle Enterprise Session Border Controller allows you to enable or disable the addition of user certificate information to the header of an incoming REGISTER message. This provides an additional layer of security when the user equipment registers with the Oracle Enterprise Session Border Controller. When the feature is enabled, the individual user certificate must match the user’s identity during registration.

You can enable or disable this feature in the ACLI using the “verify-certificate-info-register” parameter under the existing enforcement-profile object in session-router. When the feature is enabled and a REGISTER message is encountered, the Oracle Enterprise Session Border Controller adds the user certificate information to the message header. The header is then used in validating the Request-URI based on certificate information.
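The following Python sketch shows how a registrar behind the Enterprise SBC could fail closed on the added header. It is an added example, not Oracle code or part of the product. It assumes the header value carries the certificate common name as user@domain and that the identity to match is the To address-of-record; the sample message and the function names are constructed for illustration.

```python
import re

CERT_HEADER = "p-certificate-subject-common-name"

# Constructed sample: a REGISTER as it might look after the SBC adds the header.
SAMPLE_REGISTER = (
    "REGISTER sip:example.test SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK74bf9\r\n"
    "From: <sip:alice@example.test>;tag=9fxced76sl\r\n"
    "To: <sip:alice@example.test>\r\n"
    "Call-ID: constructed-call-id@192.0.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "P-Certificate-Subject-Common-Name: alice@example.test\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(message):
    """Return (start_line, {lowercased name: [values]}), unfolding continuations."""
    head = re.sub(r"\r\n[ \t]+", " ", message.split("\r\n\r\n", 1)[0])
    start_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start_line, headers

def check_register(message):
    """Return (ok, reason) for one REGISTER message (assumed matching policy)."""
    start_line, headers = parse_headers(message)
    if not start_line.startswith("REGISTER "):
        return False, "not a REGISTER"
    cns = headers.get(CERT_HEADER, [])
    if len(cns) != 1 or not cns[0]:
        # Missing, empty or repeated header: identity is ambiguous, fail closed.
        return False, "expected exactly one certificate header"
    to_values = headers.get("to", []) + headers.get("t", [])  # "t" is the compact form
    aor = None
    if len(to_values) == 1:
        aor = re.search(r"sips?:([^@>;\s]+)@([^>;:\s]+)", to_values[0])
    if aor is None:
        return False, "no usable To address-of-record"
    cn_user, _, cn_host = cns[0].partition("@")
    # SIP user parts are case-sensitive; host names are not.
    if cn_user == aor.group(1) and cn_host.lower() == aor.group(2).lower():
        return True, "certificate CN matches To address-of-record"
    return False, "certificate CN does not match To address-of-record"
```

Rejecting a repeated header matters because a second copy leaves it unclear which value reflects the certificate actually presented on the TLS connection.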

Configure the P-Certificate-Subject-Common-Name From the ACLI

Use the following procedure to configure the P-Certificate-Subject-Common-Name on the Oracle Enterprise Session Border Controller (Enterprise SBC).

To configure the P-Certificate-Subject-Common-Name:

  1. In Superuser mode, type configure terminal, and press Enter.
    ORACLE# configure terminal
    ORACLE(configure)#
  2. Type session-router, and press Enter.
    ORACLE(configure)# session-router
    ORACLE(session-router)#
  3. Type enforcement-profile, and press Enter.
    ORACLE(session-router)# enforcement-profile
    ORACLE(enforcement-profile)#
  4. add-certificate-info—Enter sub-common name for the certificate attribute names. This enables TLS certificate information caching and the insertion of cached certificate information into customized SIP INVITEs. Default: blank. Valid values:
    • sub-common name

    • sub-alt-name-DNS

  5. certificate-ruri-check—Enable this parameter if you want the Enterprise SBC to cache TLS certificate information and use it to validate Request-URIs. Enabling this parameter allows the Enterprise SBC to cache the TLS certificate information in a customized SIP INVITE. Default: disabled. Valid values:
    • enabled

    • disabled

  6. verify-certificate-info-register—Select whether or not to allow the Enterprise SBC to add certificate information to the header of a REGISTER message for verifying a Request-URI against certificate attributes. Default: disabled. Valid values:
    • enabled

    • disabled

  7. Type done, and press Enter.
    ORACLE(enforcement-profile)# done
    ORACLE(enforcement-profile)#
  8. Type exit, and press Enter.
    ORACLE(enforcement-profile)# exit
    ORACLE(session-router)#
  9. Save the configuration.