Configuring TLS on the Web Server
The Web GUI supports HTTP over Transport Layer Security (TLS). TLS is a cryptographic protocol that provides communication security over the Internet. It encrypts network connections at the transport layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality, and message authentication codes for message integrity.
Note:
For more information about setting up security on the Oracle® Enterprise Session Border Controller (E-SBC), see the chapter on security in this guide.
To use TLS with SIP Monitor and Trace, you must configure a TLS certificate and a TLS profile using the ACLI at the path
. This configuration stores the information required to run SIP over TLS.
If you enable TLS on the active E-SBC, the Web-based GUI interface on the standby system is disabled.
Process Overview
In summary, you need to take the following steps to enable the Oracle® Enterprise Session Border Controller (E-SBC) for TLS.
- Make sure that the E-SBC has the appropriate hardware installed and that you have obtained and enabled the licenses related to TLS support.
- Configure certificates.
- Configure the specific parameters related to TLS.
Certificate Configuration Process
The process for configuring a certificate on the Oracle® Enterprise Session Border Controller (E-SBC) requires the following steps.
- Configure a certificate record on the E-SBC. See "Configure a Certificate Record."
- Generate a certificate request by the E-SBC. See "Generate a Certificate Request."
- Import the certificate into the E-SBC. See "Import a Certificate."
- Reboot the system.
Configure a Certificate Record
Use the certificate-record object to add a certificate record to the Oracle® Enterprise Session Border Controller (E-SBC). The certificate record configuration represents either the end-entity or the Certificate Authority (CA) certificate on the E-SBC.
When you configure a certificate for the E-SBC, the name that you enter must be the same as the name that you use when you generate a certificate request. If you are configuring an end station's CA certificate for mutual authentication, the certificate name must be the same name used during the import procedure.
- If this certificate record is used to present an end-entity certificate, associate a private key with this certificate record by using a certificate request.
- If this certificate record is created to hold a CA certificate or certificate in PKCS12 format, a private key is not required.
To verify a certificate record, see "Security" in the ACLI Configuration Guide.
Generate a Certificate Request
The ACLI generate-certificate-request <record-name> command generates a private key and a certificate request in PKCS10 PEM format.
Note:
You can only perform this task after you configure a certificate record.
The Oracle® Enterprise Session Border Controller (E-SBC) stores the private key that is generated in the certificate record configuration in 3DES encrypted form with an internally generated password. The E-SBC displays the PKCS10 request in PEM (Base64) form.
You use this command for certificate record configurations that hold end-entity certificates. If you have configured the certificate record to hold a CA certificate, then you do not need to generate a certificate request because the CA publishes its certificate in the public domain. You import a CA certificate by using the ACLI import-certificate <certificate-record-name> command.
The generate-certificate-request command produces the request that you send to the CA to generate the certificate, but the E-SBC itself does not have Internet connectivity. You can submit the request through a browser such as Internet Explorer on another machine if one is available, or you can save the certificate request to a disk and then submit it to the CA.
To run the applicable command, you must use the value you entered in the name parameter of the certificate record configuration. You run the command from the main Superuser mode command line, and then save and activate the configuration.
ACMEPACKET# security certificate request acmepacket
Generating Certificate Signing Request. This can take several minutes....
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
WARNING: Configuration changed, run "save-config" command.
ACMEPACKET# save-config
copying file /code/config/dataDoc.gz -> /code/config/dataDoc_3.gz
copying file /code/config/tmp/editing/dataDoc.gz -> /code/config/dataDoc.gz
Save complete
ACMEPACKET# activate-config
activate complete
Import a Certificate Using the ACLI
For an end-entity certificate, after a certificate is generated using the ACLI security certificate request command, submit the request to a CA for generation of a certificate in PKCS7 or X509v3 format. When the certificate has been generated, you can import it into the Oracle® Enterprise Session Border Controller (E-SBC) using the security certificate import command.
The syntax is:
ACMEPACKET# security certificate import [try-all | pkcs7 | pkcs12 | x509] [certificate-record file-name]
To import a certificate:
Import a Certificate Using SFTP
You can put the certificate file in the directory /ramdrv and execute the import-certificate command, or you can paste the certificate in PEM/Base64 format into the ACLI. If you paste the certificate, you may have to copy and paste it a portion at a time, rather than pasting the whole certificate at once.
PKCS #12 Container Import and Export Capability
The Oracle® Enterprise Session Border Controller (E-SBC) supports Public Key Cryptography Standard (PKCS) #12 for bundling a private key with the associated X.509 public key certificate in a file for archiving, importing, and exporting. The E-SBC does not support bundling all members of the chain of trust.
Note:
The SBC only supports PKCS12 files that are bundled with either RSA or ECDSA private keys and their X.509 certificates.
Note:
The E-SBC supports this functionality only by way of the ACLI.
Export to a PKCS #12 File
You can export a local entity certificate from the Oracle® Enterprise Session Border Controller (E-SBC) to a PKCS #12 file by way of the ACLI. You cannot do so from the Web GUI.
Use the following syntax on the ACLI.
Note:
When prompted for password and passphrase, use the ones that you entered in system-config.
Where
- Certificate-record-name—the name of the local entity certificate record that you want to export.
- Pkcs12-file-name—the name of the target PKCS #12 file. The system creates the export file in the /opt directory. Use either .pfx or .p12 as the file extension.
The following example shows the system display when exporting a certificate record named localCert to a PKCS #12 file from the E-SBC.
sd225v# export-pkcs12 localCert.p12
Creating pkcs12 for certificate-record: (localCert)
A certificate key found for making pkcs12 "localCert"
PKCS12 Certificate(s) exported successfully
Import a PKCS #12 File
You can import a PKCS #12 key and certificate file that was generated elsewhere into the Oracle® Enterprise Session Border Controller (E-SBC) by way of the ACLI.
Use the following syntax on the ACLI.
import-certificate pkcs12 <Certificate-record-name> [Pkcs12-file-name]
Where
- Certificate-record-name—must be a new certificate record name that does not already exist on the E-SBC. This is different from other certificate imports, where the certificate record must already exist in the target destination.
- Pkcs12-file-name—the name of the PKCS #12 file that you want to import. Import the file to /opt.
The following example shows the system display when importing a PKCS #12 file named localRecordCert.p12 into the E-SBC.
sd225v# import-certificate pkcs12 localCert localRecordCert.p12
The specified certificate-record (localCert) does not exist
Creating one...
Enter import password:
Certificate imported successfully...
Warning: Configuration changed. run 'save-config' and 'activate-config' commands to commit the changes.
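The sections above cover two artefacts an administrator handles off-box: the PKCS10 request that generate-certificate-request prints in PEM form, and the PKCS #12 bundle (one RSA or ECDSA private key plus its X.509 certificate, no chain) that import-certificate pkcs12 consumes. The following script is an added example for an administrator's workstation, not Oracle's code and not something that runs on the E-SBC. It assumes the openssl command-line tool is installed, uses a constructed self-signed stand-in CA, a constructed subject name and a constructed import password, and shows the checks worth running before anything is imported: that the request's signature verifies, that the issued certificate actually matches the private key, and that the bundle contains exactly one certificate and a key type the E-SBC accepts.

```shell
#!/bin/sh
# Added example: off-box certificate lifecycle checks with the openssl CLI.
# Assumes: openssl 1.1.1 or 3.x on PATH. All names, the CA and the password
# are constructed for this example only.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12_PASS="constructed-import-password"   # constructed; never hard-code a real one

# 1. Private key plus PKCS#10 request in PEM (Base64) form, the same artefact
#    the E-SBC prints for generate-certificate-request. ECDSA P-256 chosen here.
make_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/entity.key" 2>/dev/null
    openssl req -new -key "$WORK/entity.key" \
        -subj "/CN=sbc.example.test/O=Example" -out "$WORK/entity.csr" 2>/dev/null
}

# 2. What a CA (or a careful admin) checks first: the request's self-signature.
#    A request that fails this was altered in transit or mis-pasted.
csr_verifies() {
    openssl req -in "$WORK/entity.csr" -noout -verify >/dev/null 2>&1
}

# 3. Stand-in CA (constructed) issues the certificate from the request.
sign_csr() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -days 30 -subj "/CN=Example Test CA" 2>/dev/null
    openssl x509 -req -in "$WORK/entity.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/entity.crt" 2>/dev/null
}

# SHA-256 over the DER public key read from stdin (PEM), so that a key and a
# certificate can be compared without comparing whole PEM blobs.
pub_fingerprint() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# 4. The certificate the CA returned must carry the public key of our private key;
#    importing a mismatched pair produces a record that can never complete a handshake.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/entity.key" -pubout 2>/dev/null | pub_fingerprint)
    c=$(openssl x509 -in "$WORK/entity.crt" -pubkey -noout 2>/dev/null | pub_fingerprint)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 5. Bundle key + certificate only (no chain), matching what the page says the
#    E-SBC accepts. The friendly name mirrors the certificate record name.
make_p12() {
    openssl pkcs12 -export -inkey "$WORK/entity.key" -in "$WORK/entity.crt" \
        -name localCert -passout "pass:$P12_PASS" -out "$WORK/localCert.p12" 2>/dev/null
}

# 6a. Number of certificates inside the bundle; the page says chain members are
#     not supported, so anything other than 1 should be fixed before import.
p12_cert_count() {
    openssl pkcs12 -in "$WORK/localCert.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# 6b. Key algorithm inside the bundle: the E-SBC accepts rsa or ecdsa only.
#     Detected from the textual key dump (EC keys print an "ASN1 OID:" line,
#     RSA keys print a "modulus:" line).
p12_key_type() {
    txt=$(openssl pkcs12 -in "$WORK/localCert.p12" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null \
        | openssl pkey -text -noout 2>/dev/null)
    case "$txt" in
        *"ASN1 OID:"*) echo ecdsa ;;
        *"modulus:"*)  echo rsa ;;
        *)             echo other ;;
    esac
}

main() {
    make_csr
    csr_verifies || { echo "CSR signature does not verify"; exit 1; }
    echo "CSR signature: OK"
    sign_csr
    key_matches_cert || { echo "certificate does not match private key"; exit 1; }
    echo "Certificate matches private key: OK"
    make_p12
    echo "Certificates in bundle: $(p12_cert_count) (expected 1, no chain)"
    echo "Private key type in bundle: $(p12_key_type) (rsa or ecdsa accepted)"
}
main
```

OpenSSL 3 writes PKCS #12 bundles with AES-256-CBC and PBKDF2 by default; an importer that only understands the older RC2/3DES bundle encoding needs the bundle produced with `openssl pkcs12 -export -legacy`. Whether the E-SBC needs that is not stated on this page, so check the import result rather than assuming either way.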
Securing Communications Between the E-SBC and SDM with TLS
You can use the Transport Layer Security (TLS) protocol to secure the communications link between the Oracle® Enterprise Session Border Controller (E-SBC) and the Oracle Communications Session Delivery Manager (SDM). Note that the systems use Acme Control Protocol (ACP) for this messaging.
- Configure a TLS profile. The tls-profile object is located under security, where you add certificates, select cipher lists, and specify the TLS version for each profile.
- Configure the system-config element's acp-tls-profile parameter to specify this TLS profile.
Note:
This feature requires SDM version 8.1 and above.