Problem TLS CM R8 to SM R8 SIP TRUNK 1

[dsx3609]

Hello,

I have problems to certify the connection of CM to SM by TLS.

I have imported the .pem certificate from the R8 system manager in CM but it does not set the sip trunk in TLS correctly.

I don't know if I have to generate a separate certificate in the System manager:



A little help?.

4 │──────────────CHello──────────────►│ (T1) Client Hello
12:41:31.461 │◄──────────────SHello──────────────│ (T1) Server Hello
12:41:31.461 │◄───────────Cert, SKeyEx───────────│ (T1) Certificate, Server Key Exchange
12:41:31.461 │◄────Multiple Handshake Messages───│ (T1) Multiple Handshake Messages
12:41:31.462 │───────────────Alert──────────────►│ (T1) Fatal, Unknown CA

 

[avayaguy23]

Did you trust the root system manager ca cert in your cm and ess?

 

[dsx3609]

I have extracted the Session Manager certificate trust_ca.pem and I have extracted the System Manager certificate default.pem.

I have imported those 2 certificates into the CM and saved changes with CM restart.

That is what I have done.

I think the certificate is not good and I have to generate a new one.

I hope help and thanks for your response.

 

[avayaguy23]

What port is cm set up to use? Did you allow tcp 5061 in the allowed list in system manager?

 

[dsx3609]

Yes in setup TLS use port 5061 and allow in system manager, now stay update last version System Manager and Session Manager R8.1.1.

For the moment no found, i try other certificate in store trust Session Manager and not found.

Thank for help

 

[avayaguy23]

I have the procedures written down somewhere. I’ll find the procedures and post them.

 

[dsx3609]

Thank you very much I thank you, because I need it for TLS in CM and for endpoint.

What seems curious to me is the following: why does the Media Server with tls in the signal-group between CM to Media Server work correctly? If you have the default certificates of SIP-Product CA, it should be valid with System Manager & Session Manager.

But well, I'm going to see how about after the upgrade I'm doing right now.

I will be impatient of your procedure.

Thank you.

 

[avayaguy23]

So these are my procedures for AAM voicemail but the steps are pretty much similar when using CM. Hope this helps!
1. On System Manager navigate to Services>Security>Certificates>Authority>CA Functions>CA Structure & CRLs. Click Download Pem File.
2. On AAM AxC and the two APP servers Navigate to Administration>Server (Maintenance)>Miscellaneous>Download Files. You want to select the file you downloaded. Once selected, press download.
3. On AAM AxC and the two APP servers Navigate to Administration>Server (Maintenance)>Security>Trusted Certificates. Click on Add.
4. On AAM AxC and the two APP servers Enter in the filename you used (should be SystemManagerCA.cacert.pem). Click open
5. On AAM AxC and the two APP servers Enter in the filename you used(should be SystemManagerCA.cacert.pem). Check the box for Messaging and Web Server. Click Add.
6. On AAM AxC and the two APP servers Navigate to Administration>Server (Maintenance)>Security>Certificate Signing Request. Fill in the below information and generate request.
Country Name =x
Locality Name= x
Organization name =Avaya
Organization Unit = x
Common name = Enter the server DNS name
Signing Request =Sha512
RSA key size = 2048
This is a CA certificate = No

7. This next step is important for each of the servers (AxC and two app servers). You will need to copy the section starting at Begin certificate request all the way to the End certificate request. This will be used in a future step.
8. You will now need to go to system manager as it is the Certificate Authority to issue certificates. Navigate to Services>Security>Certificates>Authority>RA Functions> Add End Entity. You will have to do this process for the AxC and 2 APP servers. Add once the information has been filed out and verified. You should now have 3 entries. Notate the username and password as it will be used in the next step.
9. On System Manager Navigate to Services>Security>Certificates>Authority>Click on Public Web. You will be directed to the system Manger CA server. Navigate to Enroll and click on Create Certificate from CSR
10. The username/Enrollment code is what you assigned. In the box or pasted request you will need to copy the section starting at Begin certificate request all the way to the End certificate request. The result type should be Pem – full certificate chain. Click Ok.
11. The pem file should automatically download it.
12. On AAM AxC and the two APP servers Navigate to Administration>Server (Maintenance)>Miscellaneous>Download Files. You want to select the certificate file you downloaded in from system manager. Once selected press download.
13. On AAM AxC and the two app servers navigate to Administration>Server (Maintenance)>Security>Server/Application Certificates. Enter the full filename (with .pem extension) you downloaded to the server and the password. Click open.
14. Select Messaging. Click Add.
15. You can now reboot your AxC and two App servers. Navigate to Administration>Server (Maintenance)>Server>Shutdown Server. You have the option for delayed or immediate shutdown. In a production system you would want to do a delayed shutdown as it shuts it down gracefully. This process can take 10-15 minutes to complete. For lab purposes you can select immediate and ensure the restart server after shutdown is checked. This reboots the server immediately. Click Shutdown.

 

[dsx3609]

ohhhh thank you very much, I will carry out the process but for cm.

I tell you that such the result, after updating everything to r8.1.1 I remain the same.

We go with this procedure to wish me luck. XD

 

[dsx3609]

Hi. @avayaguy23, correctly done I had to create 3 and the third one worked correctly. Thank you very much for your help and TLS UP !!!!!

│──AppData─►│           │ (T1) Application Data
23:40:45.596 │           │◄───Alert──│           │ (T1) Encrypted Alert
23:40:45.596 │           │───PING───►│           │ PING from 172.16.30.221
23:40:46.603 │           │──CHello──►│           │ (T2) Client Hello
23:40:46.616 │           │◄──SHello──│           │ (T2) Server Hello
23:40:46.616 │           │◄──Cert, S─│           │ (T2) Certificate, Server Key Exchange, Multiple Handshake Messa
23:40:46.619 │           │──Cert, C─►│           │ (T2) Certificate, Client Key Exchange, Certificate Verify, Encr
23:40:46.622 │           │◄──EncHand─│           │ (T2) Encrypted Handshake Message
23:40:46.622 │           │──AppData─►│           │ (T2) Application Data
23:40:46.622 │           │──OPTIONS─►│           │ (9) sip:172.16.30.221
23:40:46.623 │           │◄──AppData─│           │ (T2) Application Data

Regards

 

[avayaguy23]

Awesome! Glad to hear. Just remember to notate when the cert expires. I would suggest putting a reminder 3 months prior to it expiring.

 

[dsx3609]

good idea. If you set an alarm or notification. Perfect happy worked