1. Configuration Guide
  2. Web Server TLS Configuration
  3. Configuring TLS on the Web Server

Configuring TLS on the Web Server

The Web GUI supports the use of HTTP over Transport Layer Security (TLS) using the TLS Protocol. TLS is a cryptographic protocol that provides communication security over the Internet. It encrypts the segments of network connections at the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

Note:

For more information about setting up security on the Oracle® Enterprise Session Border Controller (ESBC), see the chapter on security in this guide.

To use TLS with SIP Monitor and Trace, you must configure a TLS certificate and a TLS profile using the ACLI at the path Configure Terminal, and then Security. This configuration stores the information required to run SIP over TLS.

If you enable TLS on the active ESBC, the Web-based GUI interface on the standby system is disabled.

Process Overview

In summary, you need to take the following steps to enable the Oracle® Enterprise Session Border Controller (ESBC) for TLS.

  1. Configure certificates.
  2. Configure the specific parameters related to TLS.

Certificate Configuration Process

The process for configuring a certificate on the Oracle Session Border Controller (SBC) requires the following steps.

  1. Configure a certificate record on the SBC. See "Configure a Certificate Record."
  2. Generate a certificate request by the SBC. See "Generate a Certificate Request."
  3. Import the certificate into the SBC. See "Import a Certificate."
  4. Reboot the system.

Configure a Certificate Record

Use the certificate-record object to add a certificate record to the Oracle® Enterprise Session Border Controller (ESBC). The certificate record configuration represents either the end-entity or the Certificate Authority (CA) certificate on the ESBC.

When you configure a certificate for the E-SBC, the name that you enter must be the same as the name that you use when you generate a certificate request. If configuring for an end stations CA certificate for mutual authentication, the certificate name must be the same name used during the import procedure.

  • If this certificate record is used to present an end-entity certificate, associate a private key with this certificate record by using a certificate request.
  • If this certificate record is created to hold a CA certificate or certificate in PKCS12 format, a private key is not required.
  1. Access the certificate-record configuration element. 
    ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# certificate record
ORACLE(certificate-record)#
  2. Do the following:

    name—Enter the name of the certificate record. Required.

    country—Enter the name of the country. Default: U.S.

    state—Enter the name of the state of for the country. Default: MA.

    locality—Enter the name of the locality for the state. Default: Burlington.

    organization—Enter the name of the organization holding the certificate. Default: Engineering.

    unit—Enter the name of the unit for the holding the certificate within the organization.

    common-name—Enter the common name for the certificate record.

    key-size—Enter the size of the key for the certificate. Default:1024 Valid values: 512 | 2048 | 4096.

    alternate-name—Enter the alternate name of the certificate holder.

    key-usage-list—Enter the usage extensions you want to use with this certificate record. This parameter can be configured with multiple values, and it defaults to the combination of digitalSignature and keyEncipherment. For a list of possible values and their descriptions, see "Key Usage Control."

    extended-key-usage-list—Enter the extended key usage extensions you want to use with this certificate record. Default: serverAuth. For a list of possible values and their descriptions, see "Key Usage Control."

  3. Type done to save your configuration.

To verify a certificate record, see "Security" in the ACLI Configuration Guide.

Generate a Certificate Request

Using the ACLI generate-certificate-request <record-name> command allows you to generate a private key and a certificate request in PKCS10 PEM format.

Note:

You can only perform this task after you configure a certificate record.

The Oracle® Enterprise Session Border Controller (ESBC) stores the private key that is generated in the certificate record configuration in 3DES encrypted form with an internally generated password. The ESBC displays the PKCS10 request in PEM (Base64) form.

You use this command for certificate record configurations that hold end-entity certificates. If you have configured the certificate record to hold a CA certificate, then you do not need to generate a certificate request because the CA publishes its certificate in the public domain. You import a CA certificate by using the ACLI import-certficate <certficate-record-name> command.

The generate-certificate-request command sends information to the CA to generate the certificate, but you cannot have Internet connectivity from the ESBC to the Internet. You can access the Internet through a browser such as Internet Explorer if it is available, or you can save the certificate request to a disk and then submit it to the CA.

To run the applicable command, you must use the value you entered in the name parameter of the certificate record configuration. You run the command from the main Superuser mode command line, and then save and activate the configuration. 

ACMEPACKET# security certificate request acmepacket 
Generating Certificate Signing Request. This can take several 
minutes.... 

-----BEGIN CERTIFICATE REQUEST----- 

MIIB2jCCAUMCAQAwYTELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAk1BMRMwEQYDVQQH 
EwpCdXJsaW5ndG9uMRQwEgYDVQQKEwtFbmdpbmVlcmluZzEMMAoGA1UECxMDYWJj 
MQwwCgYDVQQDEwNhYmMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALOMLHo8 
/qIOddIDVuqot0Y72l/BfH8lolRKmhZQ4e7sS+zZHzbG8phzmzhfOSECnZiA2bEo 
f+Nti7e7Uof4lLwiYl9fvhURfzhENOKThAPKPiJCzBBglTITHTYal00Cq2fj5A8B 
ZcuAHj7Vp5wP2zpz6EUTFpqTDMLVdwJGJrElAgMBAAGgOTAMBgNVHRExBRMDZGVm 
MCkGA1UdDzEiEyBkaWdpdGFsU2lnbmF0dXJlLGtleUVuY2lwaGVybWVudDANBgkq 
hkiG9w0BAQUFAAOBgQAtel4ZSLI8gqgMzodbYwgUHUGqTGeDzQDhJV5fKUXWeMFz 
JsTmWn5Gy/kR4+Nq274G14fnk00fTAfMtgQ5aL3gM43TqaPOTZjJ6qgwuRKhoBPI 
7hkovkgAxHge7wClghiAp/ELdl7tQ515k04BMd5f/fxG7nNiu8iEg7PO0OIBgg== 
-----END CERTIFICATE REQUEST----- 
WARNING: Configuration changed, run "save-config" command. 
ACMEPACKET# save config 
copying file /code/config/dataDoc.gz -> /code/config/dataDoc_3.gz 
copying file /code/config/tmp/editing/dataDoc.gz -> 
/code/config/dataDoc.gz 
Save complete 
ACMEPACKET# activate config 
activate complete

Import a Certificate Using the ACLI

For an end-entity certificate, after a certificate is generated using the ACLI security certificate request command, submit the request to a CA for generation of a certificate in PKCS7 or X509v3 format. When the certificate has been generated, you can import it into the Oracle® Enterprise Session Border Controller (ESBC) using the security certificate import command.

The syntax is: 

ACMEPACKET # security certificate import [try-all | pkcs7 | pkcs12 |
x509] [certificate-record file-name]

To import a certificate:

  1. When you use the import-certificate <certificate-record-name> command, you can specify whether you want to use PKCS7, PKCS12, X509v3 format, or try all. In the command line, you enter the command, the format specification, and the name of the certificate record. The ESBC prompts you to enter the certificate in PEM format. Paste the certificate in the ACLI. For example: 
    ACMEPACKET# security certificate import try-all acmepacket
The following displays:
Please enter the certificate in the PEM format.
Terminate the certificate with ";" to exit.......
-----BEGIN CERTIFICATE----
VMIIDHzCCAoigAwIBAgIIAhMCUACEAHEwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4w
DAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBB
dXRob3JpdHkwHhcNMDUwNDEzMjEzNzQzWhcNMDgwNDEyMjEzNzQzWjBUMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTUExEzARBgNVBAcTCkJ1cmxpbmd0b24xFDASBgNV
BAoTC0VuZ2luZWVyaW5nMQ0wCwYDVQQDEwRhY21lMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCXjIeOyFKAUB3rKkKK/+59LT+rlGuW7Lgc1V6+hfTSr0co+ZsQ
bHFUWAA15qXUUBTLJG13QN5VfG96f7gGAbWayfOS9Uymold3JPCUDoGgb2E7m8iu
vtq7gwjSeKNXAw/y7yWy/c04FmUD2U0pZX0CNIR3Mns5OAxQmq0bNYDhawIDAQAB
o4HdMIHaMBEGA1UdEQQKMAiCBnBrdW1hcjAJBgNVHRMEAjAAMB0GA1UdDgQWBBTG
tpodxa6Kmmn04L3Kg62t8BZJHTCBmgYDVR0jBIGSMIGPgBRrRhcU6pR2JYBUbhNU
2qHjVBShtqF0pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
ETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lw
aXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDQYJKoZIhvcNAQEFBQAD
gYEAbEs8nUCi+cA2hC/lM49Sitvh8QmpL81KONApsoC4Em24L+DZwz3uInoWjbjJ
QhefcUfteNYkbuMH7LAK0hnDPvW+St4rQGVK6LJhZj7/yeLXmYWIPUY3Ux4OGVrd
2UgV/B2SOqH9Nf+FQ+mNZOlL7EuF4IxSz9/69LuYlXqKsG4=
-----END CERTIFICATE-----;
Certificate imported successfully....
WARNING: Configuration changed, run "save-config" command.
  2. Enter save-config to save the configuration. 
    ACMEPACKET# save-config
copying file /code/config/dataDoc.gz -> /code/config/dataDoc_3.gz 
copying file /code/config/tmp/editing/dataDoc.gz -> 
/code/config/dataDoc.gz 
Save complete
  3. Enter activate-config to activate as the current configuration. 
    ACMEPACKET# activate-config
activate complete

    Note:

    For importing a certificate using SFTP, see the Security section of the ACLI Configuration Guide for your ESBC model.

Import a Certificate Using SFTP

You can put the certificate file in the directory /ramdrv and execute the import-certificate command, or you can paste the certificate in PEM/Base64 format into the ACLI. If you paste the certificate, you may have to copy and paste it a portion at a time, rather than pasting the whole certificate at once.

  1. SFTP the certificate file to the Oracle® Enterprise Session Border Controller (ESBC) (directory /ramdrv). For the following example, suppose the name of the certificate file is cert.pem.
  2. When the certificate is successfully transferred to the ESBC, run the import-certificate command.

    The syntax is: 

    ACMEPACKET# import-certificate [try-all|pkcs7|x509] [certificate-record file-name]

    Example results: 

    ACMEPACKET# import-certificate try-all acme cert.pem
Certificate imported successfully....
WARNING: Configuration changed, run "save-config" command.
  3. Save the configuration. 
    ACMEPACKET# save-config
Save-Config received, processing.
waiting 1200 for request to finish
Request to 'SAVE-CONFIG' has Finished,
Save complete
Currently active and saved configurations do not match!
To sync & activate, run 'activate-config' or 'reboot activate'.
  4. Synchronize and activate the configurations. 
    ACMEPACKET# activate-config
Activate-Config received, processing.
waiting 120000 for request to finish
Add LI Flows
LiSysClientMgr::handleNotifyReq
H323 Active Stack Cnt:  0
Request to 'ACTIVATE-CONFIG' has Finished,
Activate Complete
ACMEPACKET#

PKCS #12 Container Import and Export Capability

The ESBC supports Public Key Cryptography Standard (PKCS) #12 for bundling a private key with the associated X.509 public key certificate in a file for archiving, importing, and exporting. The ESBC does not support bundling all members of the chain of trust.

Note:

The SBC only supports PKCS12 files that are bundled with RSA private keys and their X.509 certificates.
ESBC customers often need to use keys and certificates stored in the ESBC for Transport Layer Security (TLS) packet analysis and network troubleshooting, or to share with another ESBC or other device. The keys and certificates are packaged together and exchanged in the PKCS #12 archive file format.

Note:

The ESBC supports this functionality only by way of the ACLI.

Export to a PKCS #12 File

You can export a local entity certificate from the Session Border Controller (SBC) to a PKCS #12 file by way of the ACLI. For the enterprise SBC, you cannot do so from the Web GUI.

Note:

When prompted for password and passphrase, use the ones that you entered in system-config.
  1. Run the export-certificate command. 
    export-certificate <pkcs#12> <certificate-record-name> [pkcs-12-file-name]
    where
    • Certificate-record-name—the name of the local entity certificate record that you want to export.
    • pkcs12-file-name—the name of the target PKCS #12 file. The system creates the export file in the /opt directory. Use either .pfx or .p12 for the file extensions. 
    ORACLE# export-pkcs12 masterca certificate.pfx
Creating pkcs12 for certificate-record: (masterca)
PKCS12 Certificate(s) exported successfully....
ORACLE#

    This command is supported only when using the RSA key exchange, not when using the Diffie-Hellman key exchange.

Import a PKCS #12 File

You can import a PKCS #12 key and certificate file that was generated elsewhere into the Oracle® Enterprise Session Border Controller (ESBC) by way of the ACLI.

Make sure that your PKCS#12 file was generated either with the -descert flag or the -keypbe and -certpbe options. If rsa.key is a private key and cert.crt is an X.509 certificate, either of the following commands generates a PKCS#12 file.
# generate using -descert
openssl pkcs12 -export -in cert.crt -inkey rsa.key -out my_pkcs12.pfx -name "Test Cert" -descert
# generate using -keypbe and -certpbe options
openssl pkcs12 -export -in cert.crt -inkey rsa.key -out my_pkcs12.pfx -name "Test Cert" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES
  1. Copy the PKCS#12 file to the /opt directory using SFTP.
  2. Run the import-certificate command. 
    import-certificate <pkcs#12> <certificate-record-name> [pkcs-12-file-name]
    where
    • certificate-record-name—must be a new name that does not exist as PKCS #12. This is different from other certificate imports, where the certificate record must already exist in the target destination.
    • pkcs12-file-name—the name of the PKCS #12 file that you want to import. 
    ORACLE# import-certificate pkcs12 newKey2 my2_pkcs12.pfx
The specified certificate-record: (newKey2) does not exist.
Creating one...
Enter Import Password: 
Importing ee: newKey2
Certificate(s) imported successfully....

----------------------------------------------
WARNING:
Configuration changed, run 'save-config' and 
'activate-config' commands to commit the changes.
----------------------------------------------
ORACLE#

    Note:

    512-bit keys are not supported.

Securing Communications Between the ESBC and SDM with TLS

You can use the Transport Layer Security (TLS) protocol to secure the communications link between the Oracle® Enterprise Session Border Controller (ESBC) and the Oracle Communications Session Delivery Manager (SDM). Note that the systems use Acme Control Protocol (ACP) for this messaging.

To configure the ESBC to use TLS for this ACP messaging:
  1. Configure a TLS profile. The tls-profile object is located under security, where you add certificates, select cipher lists, and specify the TLS version for each profile.
  2. Configure system-config element's acp-tls-profile parameter to specify this TLS profile.
The acp-tls-profile parameter is empty by default, which means that ACP over TLS is disabled. When ACP over TLS is disabled, the SDM establishes a TCP connection with the ESBC. When the acp-tls-profile parameter specifies a valid TLS profile, the ESBC negotiates a TLS connection with SDM.

You must reboot OCSBC after configuring ACP over TLS.

Note:

This feature requires SDM version 8.1 and above.

Configuring a TLS Profile

To configure a TLS profile:

  1. In Superuser mode, type configure terminal and press Enter. 
    ACMEPACKET# configure terminal
  2. Type security and press Enter to access the security-related objects. 
    ACMEPACKET(configure)# security
  3. Type tls-profile and press Enter to access the TLS profile-related parameters. 
    ACMEPACKET(security)# tls-profile
ACMEPACKET(tls-profile)#

    name—Enter the name of the TLS profile. This parameter is required; you cannot leave it empty. 

    ACMEPACKET(tls-profile)# name tls-prof1

    end-entity-certificate—Enter the name of the entity certification record. 

    ACMEPACKET(tls-profile)# end-entity-certificate cert1

    trusted-ca-certificates—Enter the names of the trusted CA certificate records. 

    ACMEPACKET(tls-profile)# trusted-ca-certificates cert1

    Note:

    To create and import certificate records to be used on the Web Server, see Configuring Certificates.

    cipher-list—Not supported for SIP Monitor and Trace. The Session Director ignores any value you enter for this parameter.

    • AES256-SHA (TLS_RSA_WITH_AES_256_CBC_SHA) - Firefox (version 12) and Chrome (version 19.0.1084.46m) only

    • AES128-SHA (TLS_RSA_WITH_AES_128_CBC_SHA) - Firefox (version 12) and Chrome (version 19.0.1084.46m) only

    • DES-CBC-SHA (SSL_RSA_WITH_DES_CBC_SHA or TLS_RSA_WITH_DES_CBC_SHA) - Internet Explorer (Version 9) only

    verify-depth—Not supported for SIP Monitor and Trace

    mutual-authenticate—Not supported for SIP Monitor and Trace

    tls-version—Enter the TLS version you want to use with this TLS profile. Default is compatibility. Valid values are:

    • TLSv1

    • SSLv3

    • compatibility (default) 

    ACMEPACKET(tls-profile)# tls-version TLSv1

    cert-status-check—Not supported for SIP Monitor and Trace

    cert-status-profile-list—Not supported for SIP Monitor and Trace

    ignore-dead-responder—Not supported for SIP Monitor and Trace

    allow-self-signed-cert—Not supported for SIP Monitor and Trace

  4. Enter done to save the tls-profile configuration. 
    ACMEPACKET(tls-profile)# done
  5. Enter exit to exit the TLS profile configuration. 
    ACMEPACKET(tls-profile)# exit
  6. Enter exit to exit the security configuration. 
    ACMEPACKET(security)# exit
ACMEPACKET(configure)#
  7. Enter exit to exit the configure mode. 
    ACMEPACKET(configure)# exit
  8. Enter save-config to save the configuration. 
    ACMEPACKET# save-config
  9. Enter activate-config to activate as the current configuration. 
    ACMEPACKET# activate-config

HTTP Server

Use the http-server configuration element to enable the REST API or the web interface.

To configure the ESBC using either the web interface or the REST API over HTTPS, first create a TLS profie and then enable the HTTP server with that TLS profile. The REST API requires a TLS connection, but the web interface may run over unencrypted HTTP. Because the http-server element is a multi-instance object that supports REST or GUI or both, any of the following configurations are possible:
  • Run one HTTP server for the REST API only.
  • Run one HTTP server for the web interface only.
  • Run one HTTP server for both the REST API and the web interface, using the same TLS profile and the same port.
  • Run two HTTP servers, one for the REST API and one for the web interface, using the same TLS profile and separate ports.
  • Run two HTTP servers, one for the REST API and one for the web interface, each with their own TLS profile and separate ports.
  • Run two HTTP servers, one for the REST API with a TLS profile and one for the web interface without a TLS profile.

Enable the HTTP Server

This example describes how to enable HTTPS traffic on port 8443 for the web interface.

Create a TLS profile for the web interface called tls-webgui.
  1. Access the http-server configuration element.
    ORACLE# configure terminal
ORACLE(configure)# system
ORACLE(system)# http-server 
ORACLE(http-server)#
  2. name—Enter the name of this HTTP server.
  3. state—Enable this HTTP server.
  4. http-state—Set to disabled to block unencrypted HTTP traffic.
  5. https-state—Enable HTTPS traffic.
  6. https-port—Enter the port number you want to listen on for HTTPS traffic.
  7. http-interface-list—Enter GUI to use this port only for the web interface.
    You may also use +GUI to add GUI to the existing list or -GUI to remove GUI from the existing list.
  8. tls-profile—Enter the name of the TLS profile you previously configured for the web interface.
  9. Type done to save your work.
ORACLE(http-server)# name webgui
ORACLE(http-server)# state enabled 
ORACLE(http-server)# http-state disabled 
ORACLE(http-server)# https-state enabled 
ORACLE(http-server)# https-port 8443
ORACLE(http-server)# http-interface-list GUI
ORACLE(http-server)# tls-profile tls-webgui
ORACLE(http-server)# done
http-server
        name                                    webgui
        state                                   enabled
        realm                                   
        ip-address                              
        http-state                              disabled
        http-port                               80
        https-state                             enabled
        https-port                              8443
        http-interface-list                     GUI
        http-file-upload-size                   0
        tls-profile                             tls-webgui
        auth-profile                            
        last-modified-by                        admin@10.0.0.1
        last-modified-date                      2020-04-22 15:46:30

ORACLE(http-server)#

Secure Browsing with the HSTS Header

The HTTP Strict Transport Security (HSTS) header informs browsers to never access a site using HTTP and to automatically convert all attempts to access a site using HTTP to HTTPS requests instead.

Suppose a website accepts a connection through HTTP and redirects to HTTPS. The visitor might initially communicate with the unencrypted version of the site before being redirected, for example, when the visitor types http://www.company.com/ or just company.com. This scenario creates an opportunity for a man-in-the-middle attack where a bad actor can redirect visitors to a malicious site instead of the secure one.

The first time someone accesses your site using HTTPS with the HSTS header enabled, it returns the HSTS header. The browser records this information, so that future attempts to load the site using HTTP automatically use HTTPS instead.

When you enable HSTS, you must also enable HTTP, HTTPS, and the Web GUI. Use only port 80 for HTTP and port 443 for HTTPS. The system displays error messages in the following scenarios:
  • When HSTS and HTTP are enabled and HTTPS is not enabled, the system displays the following error message: Please enable HTTPS to enable HSTS.
  • When HSTS and HTTPS are enabled and HTTP is not enabled, the system displays the following error message: You must enable HTTP for HSTS to redirect HTTP requests.
  • When HSTS, HTTP, and HTTPS are enabled and the Web GUI is not enabled, the system displays the following error message: The HSTS policy you enabled applies only when using the Web GUI.
  • When HSTS, HTTP, and HTTPS are enabled and the port numbers are other than 80 and 443, the system displays an error message: HSTS supports only HTTP port 80. HSTS supports only HTTPS port 443.

Enable the HSTS Header

You must enable the HTTP Strict Transport Security (HSTS) header before the browser can direct HTTP traffic to HTTPS sites.

Use the following procedure to enable HSTS in existing and new http-server configurations.
  1. Access the http-server configuration: Configuration, System, http-server.
  2. Select an existing configuration or add a new one.
  3. In the http-server configuration dialog, enable HTTP State, HTTP Strict Transport Security Policy, and HTTPS State.
  4. Confirm that the HTTP Port is set to 80 and the HTTPS Port is set to 443.
  5. Click OK.