
HTTPS on Utility Server


bankingguy

IS-IT--Management
Nov 26, 2017
129
SG
I asked my vendor to upgrade my J169 phone to the latest SIP firmware using my Utility Server 7.1.3. I asked to test HTTPS (which is ON by default), but it did not work at all. The vendor enabled the HTTP sh script via the CLI, and after that it started working. I have read that 96xx models have limitations working over HTTPS, which Avaya said is working as designed. But it seems even the latest phone models??? Any comments?
 
Do you have certificates in place to support HTTPS? You may need to do an HTTP connection first to get the certificate into the phone before it can use HTTPS.
 
Is there a way on the 242 option to set groups for phones and also get certificates prior to using the AADS or Utility Server?
 
@gwebster - thank you for the reply. Yes, I have a root CA, but I'm not so sure if it can be of help. HTTP is not a secure port and it can't be open because our security team will flag this as a risk. If I configure the HTTP IP address on the phone, it will definitely continue to use port 80 all the way until it upgrades itself, so it doesn't make any sense.

I think what you are trying to say is that I will upgrade it first using the HTTP port, and once it grabs the Root CA, I will use HTTPS on the next firmware upgrade. But the next question is, if the phone reboots, will it still retain the Root CA? I can see some loopholes in this.

@cal3500 not sure about AADS, I have never used it before as a Utility Server. I cannot set group, it's because it is mandatory to use HTTPS.
 
The CA certs are non-volatile and survive a reboot. You can use a dedicated HTTP server for initial provisioning then put the phone into production and use HTTPS. We routinely do this for 802.1x configurations where the phone must first get an identity cert using SCEP before it can be let onto the network.
 
"The CA certs are non-volatile and survive a reboot. You can use a dedicated HTTP server" --- was a bit lost on this.

Are you saying that once the IP Phone picked up the Root CA by using HTTP port, regardless how many times the phone reboots, the Root CA will still be there?
 
Yes, that is exactly what he is saying. You have to either reset the phone to default or perform a special reload of the settings file to wipe the certs from the set once it has them.
 
@Wanebo, yes the CA certs remain on the phone unless you do a clear. A reboot of the phone will not delete the certificate files.
 
What if I completely unplug the phone (no power at all), then after 5 mins plug it in again? Still there? I'm sorry, I just want to make this clear. I don't have much time to test and my project manager is just ridiculous.
 
Yes. They will still be there. We used to load phones in the office on a mass basis for projects, unplug them and put them in boxes with all the required parts and instructions, stack them up and send them out to at-home users up to a year later, and they still had the certs.

Like has been said, you have to either clear the set (and per Avaya engineers I have spoken to, that doesn't always work) or you have to use a specially formatted TRUSTCERTS section of the 46xxsettings.txt file to clear them.
 
hey Wanebo...

You mean SET TRUSTCERTS "" is what you need to do to clear them if CLEAR doesn't work?
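
A check for the settings-file side of this thread, added here as an example and not written by any poster or by Avaya: it reads a 46xxsettings.txt-style file and reports whether TRUSTCERTS is populated, explicitly emptied (the `SET TRUSTCERTS ""` form asked about above), or absent while an HTTPS file server is configured. The sample files, the cert file name and the address are constructed; TLSSRVR is the HTTPS file-server parameter and is not mentioned in the thread; handling only plain `SET` lines (no IF/GOTO flow) is an assumption.

```python
import re

# Matches: SET NAME value   or   SET NAME "value"
SET_LINE = re.compile(r'^\s*SET\s+(\w+)\s+(.*?)\s*$')

def parse_settings(text):
    """Return {NAME: value} from SET lines; a later SET overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # skip comment and label lines
            continue
        m = SET_LINE.match(line)
        if m:
            settings[m.group(1).upper()] = m.group(2).strip('"')
    return settings

def trust_status(text):
    """Classify TRUSTCERTS and flag HTTPS provisioning without a trust list."""
    s = parse_settings(text)
    if "TRUSTCERTS" not in s:
        state = "missing"
    elif s["TRUSTCERTS"].strip() == "":
        state = "cleared"
    else:
        state = "set"
    certs = [c.strip() for c in s.get("TRUSTCERTS", "").split(",") if c.strip()]
    https_configured = bool(s.get("TLSSRVR", "").strip())
    return {"state": state, "certs": certs,
            "https_without_trust": https_configured and state != "set"}

# Constructed sample files (cert file name and address are placeholders).
STAGING = '''## staging settings, fetched once over HTTP
SET TRUSTCERTS "rootca.pem"
SET TLSSRVR 192.0.2.10
'''
CLEARING = '''SET TLSSRVR 192.0.2.10
SET TRUSTCERTS ""
'''
NO_TRUST = 'SET TLSSRVR 192.0.2.10\n'

if __name__ == "__main__":
    for name, text in (("staging", STAGING), ("clearing", CLEARING),
                       ("no_trust", NO_TRUST)):
        print(name, trust_status(text))
```

Running it against the file a staging HTTP server hands out shows which trust state that file asks the phone to take before it is moved to an HTTPS-only network.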
 