Configuring TLS on the Web Server
The Web GUI supports HTTP over Transport Layer Security (TLS). TLS is a cryptographic protocol that provides communication security over the Internet. It encrypts the segments of network connections at the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.
Note:
For more information about setting up security on the Oracle® Enterprise Session Border Controller (ESBC), see the chapter on security in this guide.
To use TLS with SIP Monitor and Trace, you must configure a TLS certificate and a TLS profile using the ACLI at the path
. This configuration stores the information required to run SIP over TLS.
If you enable TLS on the active ESBC, the Web-based GUI interface on the standby system is disabled.
Process Overview
In summary, you need to take the following steps to enable the Oracle® Enterprise Session Border Controller (ESBC) for TLS.
- Configure certificates.
- Configure the specific parameters related to TLS.
Configure TLS Certificates for the OCSBC
The process for configuring a certificate on the Oracle Communications Session Border Controller (OCSBC) requires the following steps.
- Configure a certificate record on the SBC. See Configure a Certificate Record.
- Generate a certificate request by the SBC. See Generate a Certificate Request.
- Import the certificate into the SBC. See Import a Certificate Using SFTP or Import a Certificate Using the ACLI.
- Reboot the system.
Configure a Certificate Record
Use the certificate-record object to add a certificate record to the Oracle® Enterprise Session Border Controller (ESBC). The certificate record configuration represents either the end-entity or the Certificate Authority (CA) certificate on the ESBC.
When you configure a certificate for the E-SBC, the name that you enter must be the same as the name that you use when you generate a certificate request. If you are configuring an end station's CA certificate for mutual authentication, the certificate name must be the same name used during the import procedure.
- If this certificate record is used to present an end-entity certificate, associate a private key with this certificate record by using a certificate request.
- If this certificate record is created to hold a CA certificate or certificate in PKCS12 format, a private key is not required.
To verify a certificate record, see "Security" in the ACLI Configuration Guide.
Generate a Certificate Request
The ACLI generate-certificate-request <record-name> command generates a private key and a certificate request in PKCS10 PEM format.
Note:
You can only perform this task after you configure a certificate record.
The Oracle® Enterprise Session Border Controller (ESBC) stores the generated private key in the certificate record configuration in 3DES-encrypted form with an internally generated password. The ESBC displays the PKCS10 request in PEM (Base64) form.
You use this command for certificate record configurations that hold end-entity certificates. If you have configured the certificate record to hold a CA certificate, then you do not need to generate a certificate request because the CA publishes its certificate in the public domain. You import a CA certificate by using the ACLI import-certificate <certificate-record-name> command.
The generate-certificate-request command produces the information that the CA needs to generate the certificate, but the ESBC itself cannot connect to the Internet. You can submit the request to the CA through a browser such as Internet Explorer if one is available, or you can save the certificate request to disk and then submit it to the CA.
To run the applicable command, you must use the value you entered in the name parameter of the certificate record configuration. You run the command from the main Superuser mode command line, and then save and activate the configuration.
ACMEPACKET# security certificate request acmepacket
Generating Certificate Signing Request. This can take several
minutes....
-----BEGIN CERTIFICATE REQUEST-----
[Base64 request body omitted]
-----END CERTIFICATE REQUEST-----
WARNING: Configuration changed, run "save-config" command.
ACMEPACKET# save config
copying file /code/config/dataDoc.gz -> /code/config/dataDoc_3.gz
copying file /code/config/tmp/editing/dataDoc.gz ->
/code/config/dataDoc.gz
Save complete
ACMEPACKET# activate config
activate complete
Import a Certificate Using the ACLI
For an end-entity certificate, after a certificate is generated using the ACLI security certificate request command, submit the request to a CA for generation of a certificate in PKCS7 or X509v3 format. When the certificate has been generated, you can import it into the Oracle® Enterprise Session Border Controller (ESBC) using the security certificate import command.
The syntax is:
ACMEPACKET # security certificate import [try-all | pkcs7 | pkcs12 |
x509] [certificate-record file-name]
To import a certificate:
Import a Certificate Using SFTP
You can put the certificate file in the directory /ramdrv and execute the import-certificate command, or you can paste the certificate in PEM/Base64 format into the ACLI. If you paste the certificate, you may have to copy and paste it a portion at a time, rather than pasting the whole certificate at once.
PKCS #12 Container Import and Export Capability
The ESBC supports Public Key Cryptography Standard (PKCS) #12 for bundling a private key with the associated X.509 public key certificate in a file for archiving, importing, and exporting. The ESBC does not support bundling all members of the chain of trust.
Note:
The SBC only supports PKCS12 files that are bundled with RSA private keys and their X.509 certificates.
Note:
The ESBC supports this functionality only by way of the ACLI.
Export to a PKCS #12 File
You can export a local entity certificate from the Session Border Controller (SBC) to a PKCS #12 file by way of the ACLI. For the enterprise SBC, you cannot do so from the Web GUI.
Note:
When prompted for password and passphrase, use the ones that you entered in system-config.
Import a PKCS #12 File
You can import a PKCS #12 key and certificate file that was generated elsewhere into the Oracle® Enterprise Session Border Controller (ESBC) by way of the ACLI.
-descert flag or the -keypbe and -certpbe options. If rsa.key is a private key and cert.crt is an X.509 certificate, either of the following commands generates a PKCS#12 file.
# generate using -descert
openssl pkcs12 -export -in cert.crt -inkey rsa.key -out my_pkcs12.pfx -name "Test Cert" -descert
# generate using -keypbe and -certpbe options
openssl pkcs12 -export -in cert.crt -inkey rsa.key -out my_pkcs12.pfx -name "Test Cert" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES
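As an added example (not from the Oracle guide), the following script builds the bundle with the second command above and then, before it is imported into the ESBC, checks with openssl pkcs12 -info that both the key bag and the certificate bag are shrouded with 3DES and that the key is RSA, as the note above requires. It generates a throwaway self-signed certificate in place of the CA-issued cert.crt; the file names, the "Test Cert" friendly name and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example: build a PKCS #12 file as the page shows, then verify it uses
# the algorithms the ESBC accepts (3DES-shrouded bags, RSA key) before import.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=export   # constructed throwaway export passphrase

# Throwaway RSA key and self-signed cert; in practice cert.crt is the
# certificate the CA returned for the ESBC's certificate request.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/rsa.key" -out "$WORK/cert.crt" \
        -subj "/CN=esbc.example.test" >/dev/null 2>&1
}

# $1 = "3des" for the page's -keypbe/-certpbe flags, "default" for OpenSSL's
# own defaults (RC2-40 or AES-256, depending on the OpenSSL version).
build_pkcs12() {
    if [ "$1" = 3des ]; then pbe="-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES"; else pbe=""; fi
    openssl pkcs12 -export -in "$WORK/cert.crt" -inkey "$WORK/rsa.key" \
        -out "$WORK/my_pkcs12.pfx" -name "Test Cert" $pbe -passout "pass:$PASS"
}

# Succeed only if the shrouded key bag and the certificate bag both use
# pbeWithSHA1And3-KeyTripleDES-CBC and the embedded key is a valid RSA key.
# openssl writes the -info lines to stderr, hence 2>&1.
check_pkcs12() {
    info=$(openssl pkcs12 -info -noout -in "$WORK/my_pkcs12.pfx" -passin "pass:$PASS" 2>&1)
    printf '%s\n' "$info" | grep -qF 'Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC' || return 1
    printf '%s\n' "$info" | grep -qF 'PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC' || return 1
    openssl pkcs12 -nocerts -nodes -in "$WORK/my_pkcs12.pfx" -passin "pass:$PASS" 2>/dev/null \
        | openssl rsa -noout -check >/dev/null 2>&1 || return 1
}

if make_test_material && build_pkcs12 3des && check_pkcs12; then
    echo "my_pkcs12.pfx uses 3DES bags and an RSA key: suitable for ESBC import"
else
    echo "my_pkcs12.pfx does not match the ESBC requirements" >&2
fi
```

A bundle built with OpenSSL's defaults fails the same check, which is the usual reason an import is rejected.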
Securing Communications Between the ESBC and SDM with TLS
You can use the Transport Layer Security (TLS) protocol to secure the communications link between the Oracle® Enterprise Session Border Controller (ESBC) and the Oracle Communications Session Delivery Manager (SDM). Note that the systems use Acme Control Protocol (ACP) for this messaging.
- Configure a TLS profile. The tls-profile object is located under security, where you add certificates, select cipher lists, and specify the TLS version for each profile.
- Configure the system-config element's acp-tls-profile parameter to specify this TLS profile.
You must reboot the OCSBC after configuring ACP over TLS.
Note:
This feature requires SDM version 8.1 and above.
HTTP Server
Use the http-server configuration element to enable the REST API or the web interface.
- Run one HTTP server for the REST API only.
- Run one HTTP server for the web interface only.
- Run one HTTP server for both the REST API and the web interface, using the same TLS profile and the same port.
- Run two HTTP servers, one for the REST API and one for the web interface, using the same TLS profile and separate ports.
- Run two HTTP servers, one for the REST API and one for the web interface, each with their own TLS profile and separate ports.
- Run two HTTP servers, one for the REST API with a TLS profile and one for the web interface without a TLS profile.
Enable the HTTP Server
This example describes how to enable HTTPS traffic on port 8443 for the web interface.
ORACLE(http-server)# name webgui
ORACLE(http-server)# state enabled
ORACLE(http-server)# http-state disabled
ORACLE(http-server)# https-state enabled
ORACLE(http-server)# https-port 8443
ORACLE(http-server)# http-interface-list GUI
ORACLE(http-server)# tls-profile tls-webgui
ORACLE(http-server)# done
http-server
name webgui
state enabled
realm
ip-address
http-state disabled
http-port 80
https-state enabled
https-port 8443
http-interface-list GUI
http-file-upload-size 0
tls-profile tls-webgui
auth-profile
last-modified-by admin@10.0.0.1
last-modified-date 2020-04-22 15:46:30
ORACLE(http-server)#
Secure Browsing with the HSTS Header
The HTTP Strict Transport Security (HSTS) header informs browsers to never access a site using HTTP and to automatically convert all attempts to access a site using HTTP to HTTPS requests instead.
Suppose a website accepts a connection through HTTP and redirects to HTTPS. The visitor might initially communicate with the unencrypted version of the site before being redirected, for example, when the visitor types http://www.company.com/ or just company.com. This scenario creates an opportunity for a man-in-the-middle attack where a bad actor can redirect visitors to a malicious site instead of the secure one.
The first time someone accesses your site using HTTPS with the HSTS header enabled, it returns the HSTS header. The browser records this information, so that future attempts to load the site using HTTP automatically use HTTPS instead.
- When HSTS and HTTP are enabled and HTTPS is not enabled, the system displays the following error message: Please enable HTTPS to enable HSTS.
- When HSTS and HTTPS are enabled and HTTP is not enabled, the system displays the following error message: You must enable HTTP for HSTS to redirect HTTP requests.
- When HSTS, HTTP, and HTTPS are enabled and the Web GUI is not enabled, the system displays the following error message: The HSTS policy you enabled applies only when using the Web GUI.
- When HSTS, HTTP, and HTTPS are enabled and the port numbers are other than 80 and 443, the system displays an error message: HSTS supports only HTTP port 80. HSTS supports only HTTPS port 443.
Enable the HSTS Header
You must enable the HTTP Strict Transport Security (HSTS) header before the browser can direct HTTP traffic to HTTPS sites.
- Access the http-server configuration: Configuration, System, http-server.
- Select an existing configuration or add a new one.
- In the http-server configuration dialog, enable HTTP State, HTTP Strict Transport Security Policy, and HTTPS State.
- Confirm that the HTTP Port is set to 80 and the HTTPS Port is set to 443.
- Click OK.