Configure TLS


The information below describes how to configure TLS on the IMG 2020. Before starting the configuration, three certificate files must be downloaded to the IMG 2020. To accomplish this, load the three files listed below into the same directory that the IMG 2020 system software binary file was initially copied to. The three files are:

  • privateKey.pem

  • publickey.pem

  • CAList.pem

Example:

If the IMG 2020's system software binary file is being downloaded to the IMG 2020 from the SD Card, then the certificate files need to be loaded onto the SD Card. If the IMG 2020 binary is being downloaded from a server using the DHCP service, then the three certificate files need to be loaded into the directory that the binary file is loaded from. This is typically the /home/dialogic/ftpBuilds directory.

Initial Configuration

Before configuring TLS, the IMG 2020 must have an initial configuration created on it. Follow the Initial Configuration procedure before proceeding to configure TLS on the IMG 2020.

Create a Certificate Database which will contain the TLS Certificate Entries

  • Right click on the Dialogic object and select New Security. The Security object is a parent or container object and no configuration is required in this object. Refer to the Security topic for more information on this object.

  • Right click on the Security object and select New Certificate Database. This will be the Database that contains the individual Certificate Entries or Trust IDs. The Certificate Database object is a container or parent object and no configuration is needed here. Refer to the Certificate Database topic for more information on this object.

  • Right click on Certificate Database object and select New Certificate. There will be a separate Certificate for each entity which uses different TLS credentials. For example, two external gateways belonging to the same carrier could share the same TLS credentials. Refer to the Certificate topic for more information on configuring the individual fields.

Note: The Certificate is also referred to as the Trust ID.

Create the Secure Profiles

Creating the Secure Profile will allow the user to assign a Trust ID to a remote IP Network Element such as an external gateway.

  • Right click on the Dialogic object and select New Profiles. The Profiles object is a container or parent object. No configuration is needed here. Refer to the Profiles topic for more information on this object.

  • Right click on the Profiles object and select New Secure Profiles. This will create a database that will contain the different secure profiles that get created. The Secure Profiles object is also a container object and no configuration is needed. Refer to the Secure Profiles topic for more information on this object.

  • Right click on the Secure Profiles object and select New Secure Profile. In the object pane that appears either enter a name in the Name field that describes this profile or accept the default name which is Secure_Profile_<x> where x is a numerical value.

  • Select from the drop down menu of the Certificate field which Certificate will be used. The Certificate field displays all the certificates created under the Certificate Database object configured above. Refer to the Secure Profile object for more information on each of the individual fields in the object.

Create SIP Profile

Create the SIP Profile object. This object will be linked to the external gateway object being configured later in this procedure.

  • Right click on the Profiles object and select New SIP Profiles. The SIP Profiles object is a container object and no configuration is needed here. Refer to the SIP Profiles topic for more information on this object.

  • Right click on the SIP Profiles object and select New SIP Profile. The first SIP Profile created is the default SIP Profile and all the fields will be shaded green. In the Default SIP Profile, the fields cannot be modified. Disregard this profile.

  • Right click on the SIP Profiles object again and select New SIP Profile again. In the SIP Profile object that appears, either enter a name that identifies this SIP Profile or accept the default name already entered. In this example the name SIP_Profile_TLS was entered. Refer to the SIP Profile - SGP topic for more information on this object.

Optional: Secure SIPS

SIPS is configured using the SIP Profile. Once SIPS is configured in the SIP Profile, the profile can then be assigned to a specific gateway.

  • Right click on the SIP Profile object just created and select New SIP Advanced Settings. If configuring TLS and want to either enable or disable SIPS, select Enabled or Disabled from the drop down menu in the Secure SIP (SIPS) field. For more information on the SIP Advanced Settings object, refer to the SIP Profile - Advanced Settings topic.

Create the SIP Signaling Object and assign Secure Profiles

  • Right click on the IMG 2020 object and select New Signaling. A signaling pane will appear. The Signaling object is a parent or container object and no configuration is needed here. Refer to the Signaling topic for more information on this object.

  • Right click on the Signaling object and select New SIP. A SIP object will appear. At this point it should be decided whether the SIP stack will have one IP address servicing it or have multiple IP addresses servicing it. Select either Single IP or Multiple IP from the drop down menu. Refer to the SIP Signaling - SIP object for more information on configuring the remaining fields in this object.

  • Right click on the SIP object and select New SIP IP Address. In the Transport Type field, select TLS from the drop down menu. This transport type is used when the IMG 2020 is used as an external gateway by another gateway.

  • Once TLS is selected in the Transport Type field, the Secure Profile and Default Secure Profile fields will change from a shaded green color to a white background. This indicates the fields can now be modified. Select from the drop down menus of these two fields which Secure Profiles will be used. Refer to the screen capture below.

  • The default port that the IMG 2020 will use to communicate with the external gateways when TLS is enabled is 5061, as shown in the TLS Port field of the SIP signaling object. The port number can be modified by clicking in the Local TLS Port field and entering a different port number.

  • The Default Secure Profile field is used when a SIP call comes in over the Secure Profile Port but the external gateway sending the call is not using TLS security. This field also has a drop down menu listing all the secure profiles created. Select a profile.

Refer to the SIP Signaling - IP Address topic for more information on the SIP Signaling object. 

Create SIP Channel Group and assign

  • Right click on the Dialogic object and select New Routing Configuration. The Routing Configuration object is a container object and no configuration is needed in this object. Refer to the Routing Configuration topic for more information on this object.

  • Right click on Routing Configuration and select New Channel Groups. This creates a database which will hold all channel groups created. The Channel Groups object is a parent object also and no configuration is needed here either. Refer to the Channel Groups topic for more information on this object.

  • Right click on the Channel Groups object and select New Channel Group. Enter a Name in the Name field that will identify the channel group being created.

  • Select SIP from the drop down menu of the Signaling Type field.

  • Select the IP Profile that will be associated with this SIP Channel Group from the Incoming and Outgoing IP Profile fields. Refer to the Channel Group topic for more information on configuring the remaining fields in this object.

  • Once the channel group configuration is complete, it then needs to be sent to the IMG 2020. The channel group icon will now have a yellow exclamation point added to it. This indicates the configuration has not been sent to the IMG 2020. Click on this object and click on the Download Resource Tables button in this object. The channel group configuration will get sent to the IMG 2020.

Create External Gateways

Create external gateways that will communicate with the IMG 2020 using TLS security.

  • Right click on the Dialogic object and select New External Network Elements. Under this object the individual external gateways can be created and configured. This object is a container parent object and no configuration is needed here. Refer to the External Network Elements topic for more information on this object.

  • Right click on External Network Elements object and select New External Gateways. This object will create a database of all the gateways configured. This object is a container parent object and no configuration is needed here either. Refer to the External Gateways topic for more information on this object.

  • Right click on External Gateways link and select New External Gateway. In the Name field enter a Name that will identify the external gateway on the network that the IMG 2020 will communicate with.

  • Select SIP from the drop down menu of the Protocol field.

  • In the Gateway IP Address field, enter the IP address of the external gateway that the IMG 2020 will be communicating with using TLS security.

  • Select the SIP Profile created earlier from drop down menu of the SIP Profile field.

  • Select TLS from the drop down menu of the Transport Type field. At this point, the Secure Profile field will change from shaded green to white, which indicates the field can now be modified. Select the Secure Profile that will be used to communicate with this specific gateway. Refer to the screen capture below.

  • Multiple gateways can be created which will communicate with the IMG 2020 using TLS and each gateway can have a different Secure Profile.

Configure Routing

  • Configure Routing and Translations as needed to route calls between the external gateways and the IMG 2020.

  • At this point the channel group icon will now have a yellow exclamation point added to it again. This indicates the channel group configuration has been updated but not sent to the IMG 2020. Click on this object and click on the Download Resource Tables button in this object. The channel group configuration will get sent to the IMG 2020.

HTTPS Cipher Strings Configuration

The cipher suites allowed for the HTTPS service can be specified by the user. These options are available on the IP Network Interface object configuration page.
Users MUST save the configuration and reboot the IMG 2020 every time the cipher configuration is changed in order for the change to take effect on the system.

The system uses the option "HIGH:!aNULL:!eNULL" by default, which is the most strict cipher suite setting, accepting key lengths larger than 128 bits only.

Refer to the IP Network Interface object configuration page for a complete description of all other options.
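The following Python script is an added check, not part of the IMG 2020 documentation: run on an administrator's workstation, it expands a cipher string with the host's OpenSSL library (the same rule syntax the HTTPS cipher field takes) and flags any admitted suite that is anonymous, unencrypted or below a key-size threshold, and it shows how a mistyped string that selects no cipher at all surfaces as an error. The function and constant names are assumptions of this example, and the exact suite list depends on the local OpenSSL version.

```python
import ssl

# Default HTTPS cipher string on the IMG 2020, as given in the documentation.
DEFAULT_CIPHER_STRING = "HIGH:!aNULL:!eNULL"


def audit_cipher_string(cipher_string, min_bits=128):
    """Expand an OpenSSL-style cipher string with the local OpenSSL build and
    report the suites it admits plus any that break the intended policy:
    no anonymous key exchange (aNULL), no null encryption (eNULL), and no
    symmetric key shorter than min_bits. "error" is set when the string
    selects no cipher at all, which is what a typo in the field would do."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        return {"admitted": [], "violations": [], "error": str(exc)}

    admitted, violations = [], []
    for suite in ctx.get_ciphers():
        # TLS 1.3 suites are fixed by OpenSSL and not governed by this
        # string, so only the TLS 1.2-and-below list is audited here.
        if suite["protocol"] == "TLSv1.3":
            continue
        name, desc = suite["name"], suite["description"]
        admitted.append(name)
        # OpenSSL's one-line description carries the key-exchange
        # authentication (Au=) and bulk cipher (Enc=) of each suite.
        if "Au=None" in desc:
            violations.append((name, "anonymous key exchange (aNULL)"))
        if "Enc=None" in desc:
            violations.append((name, "no encryption (eNULL)"))
        if suite["strength_bits"] < min_bits:
            violations.append((name, f"{suite['strength_bits']}-bit key"))
    return {"admitted": admitted, "violations": violations, "error": None}


if __name__ == "__main__":
    # "NOSUCHSUITE" is a constructed typo that matches nothing.
    for candidate in (DEFAULT_CIPHER_STRING, "NOSUCHSUITE"):
        report = audit_cipher_string(candidate)
        print(f"{candidate!r}: {len(report['admitted'])} suites admitted, "
              f"{len(report['violations'])} violations, error={report['error']}")
        for name, reason in report["violations"]:
            print(f"  {name}: {reason}")
```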

Troubleshooting Section

The simple troubleshooting tips below address some problems that could arise during the configuration of TLS over SIP. Read through the list below and verify that each bulleted item has been executed and is configured correctly. If the list below doesn't solve your issue, Sangoma Support Personnel can assist you in getting your configuration working.

  • The use of certificates requires that the clock on the IMG 2020 be synchronized with the network time to ensure proper validation of certificates. To configure the clock, see Configure SNTP.

  • If a self-signed certificate is created, all clients that connect to the server on which the certificate is loaded must be configured to trust the signer of this certificate. Because the certificate is self-signed, the signer is not likely to be in the client's trust file, so it must be added.

  • If a certificate expires while a call is in progress, this will have no impact on the call's answered state. When the call is released, the BYE will be rejected and the call will remain in the answered state. The SIP Profile - Session Timer would need to be configured to release the call.

  • When an outbound call fails to establish a TLS session, a cause code of 41 will be returned to the outbound leg.

  • Verify that the port configured in the SIP signaling pane is correct. Default = Port 5061

  • When creating an external gateway, the Remote Port field defaults to Port 5060. This can be modified as required.
