Issuing ID certs to 96xx handsets 2

[mattKnight]

Hi,

I'm going to need to deploy ID certs to each handset in our environment in the future and I'm trying to figure out the process.

I understand the principles of SCEP and how this can be employed to generate certs etc.

I thought that part of System Manager's EBJCA functions is to act as a SCEP server.... Is this right? If so, does anyone have any documentation links that would point me in the direction of how to configure the session manager side?

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.

 

[kyle555]

I thought the SCEP part of SMGR was primarily for security enrollment of Session Managers and other servers.

The 46xxsettings file does have parameters for each phone to request a certificate through SCEP, though I'm unfamiliar with whether this is the traditional "enrollment password" in SMGR, or something else configured in the EJBCA.

In any case, I'd think the Session Managers would allow TLS from any cert that chains up to the SMGR CA that signed the SM's certificate.
Or, you could use some other CA and load a cert from it as a trusted cert in SM to permit SM to let phones with certs from a Microsoft CA for example.

Otherwise, as a side question... Why would you subject yourself to this?

 

[mattKnight]

I thought the SCEP part of SMGR was primarily for security enrollment of Session Managers and other servers.

That's what I was beginning to wonder if that was the case... The complete dearth (or at least I can't find it - my google fu is weak) of documentation about using Sysman / EJBCA to create handset certs kind of confirms this.

The 46xxsettings file does have parameters for each phone to request a certificate through SCEP

It does but the sample SCEP URL "smells" like it is aimed at a MS SCEP server (I don't think that EJBCA supports DLLs)

though I'm unfamiliar with whether this is the traditional "enrollment password" in SMGR, or something else configured in the EJBCA

I'd expect it to be a different password, but who knows!

Why would you subject yourself to this

I just love certs? Because it is there? Masochism?

Actually, our network team is implementing a network access solution based on Cisco ISE and this means that the ISE has to identify the handsets in some way. There are many ways to skin this particular cat and we have a preference for certificate based ID rather than profiling the device etc.


Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.

 

[jimbojimbo]

I've talked with Avaya about using System Manager for SCEP and was given a resounding NO (even though the Prime Key EJBCA supports it).

I have set it up with Microsoft Certificate Server. Avaya has some documentation on how to do it although it is not completely accurate. You should also look at enabling NDES on the Microsoft Tech site. You will need to pay close attention to the registry modifications for multiple use of a single password and password never expires. SCEP parameters in the 46xxsettings.txt file will get you there. Of course you will need to use a HTTP server first on a port without 802.1x to provide the phones their certificate initially. Due to some strange constraints you will want to modify the default for the MYCERTCN to just $MACADDR (think it was due to the SLAMON server).

Additionally, if you are using the Avaya Utility server you have another problem to overcome which is not really documented anywhere. The Utility Server certificate is dependent on the Authentication File downloaded from RFA (must make sure the proper host name is input when submitting the AFS request). No, there is no replacing the certificate through a manual process. You must use a AFS file. You will therefore need to make sure you have the rootCA (Avaya default product cert) and intermediate CA (RFA CA) loaded on the Utility Server and enabled in the 46xxsettings.txt file. The Product Root CA comes with the Hardphone firmware but not the RFA CA (don't ask me why). If properly setup, when the phone first boots you will see the CA files get downloaded.

Okay, here are three puzzles I won''t solve for you....

1. You need to put the CA files on the server with the correct suffix. Look it up.
2. The phone will only hold so many CA certificates. Look it up.
3. You better test the certificate re-enrollment. Only works on certain versions of phone firmware. For testing I set my cert validity for 24 hours with a 90% renewal. You need to test each type (SIP-96x0, H.323-96x0, SIP-96x1, H.323-96x1). Don't forget some older IP phones are no longer supported by Avaya.

 

[mattKnight]

I've talked with Avaya about using System Manager for SCEP and was given a resounding NO (even though the Prime Key EJBCA supports it).

A really cursory skate through the EJBCA documentation shows that the SCEP configuration menus etc are not in place in Sysman. I think its a bit dumb that they've crippled System Manager, but it is, what it is". Did Avaya give you a reason for this?

Thanks for the pointers on the Windows server - food for thought. And We don't currently use utility server in this environment!

The other puzzles, I'll keep in mind

Thanks to you both!

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.