
SMGR moving away from default certs.


Saiyan656 (Vendor, Mar 6, 2009, US)
I got fairly comfortable installing Microsoft certs on Windows and keystore applications and was wondering how I would go about changing SMGR and all other Avaya-connected applications to use Microsoft PKI? I would assume I just upload some PEM files and voilà.
 
Oh god no. You'll break everything. SMGR's web apps to SMGR's DB are cert protected. SM's mgmt interface to SMGR too. All down the line you'll make life hell.

You can make SMGR a sub-CA of MS and re-enroll everything. That way everything would chain up to the head-end MS CA anyway.

Or, you can put specific MS certs on the interfaces that'll talk to your clients - like the SM interfaces, or the Presence Server, etc.

Depending on how much stuff you've got (AADS/AMM/PS/SM/SBC/etc/etc/etc), doing it the 'Avaya way' with SMGR first might be best. That doesn't preclude you from using SMGR as a sub-CA to MS and still having everything chain up to SMGR. Just depends how much of your hair you wanna pull out.
 
OK, so make SMGR the intermediate and have all interfaces (SM, AAM, SBC, AES, AAEP) be signed by either SMGR or MS? Install the MS-signed xyz.net root into SMGR, so SMGR trusts xyz.net and also the interfaces? I want endpoints/clients to have MS certs and interfaces to have MS or SMGR certs, and I also want to be alerted of cert expiration in SMGR. Is this possible?
I know it's a complicated process; I'm just trying to get the gist of it / the building blocks.
 
My personal position is that System Manager should be a subordinate CA to your Enterprise CA. In Microsoft-speak, it makes it extremely easy to publish the System Manager CA to all the Windows clients.

For hardphones, SCEP using NDES works great; however, you need to research how to set NDES to provide a single reusable password.

For the Equinox Client you can use the individuals certificate (assuming you have configured auto-enrollment for users in your AD domain).

Endpoints receive their trusted certificates via the 46xxsettings.txt file using the TRUSTCERTS parameter. The phone will need to initially connect via HTTP before you can connect via HTTPS since it will not trust anything when first installed.

There are also ways to use PKCS12 files to deliver identity certificates to endpoints.

In System Manager 8.x there is a Manage Certificates webpage which provides you the status of issued certificates (including validity).

Getting an "alert" can mean different things. Most applications will generate alarms or warnings when certificates are about to expire or have expired. Converting them to an "alert" may require separate management tools or software development.

There are numerous nuances to establishing the PKI infrastructure within the Avaya environment. I would strongly suggest you engage someone who has significant experience in both lab and production.
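The reply above says that turning SMGR's per-application expiry warnings into a real "alert" usually takes separate tooling, and that everything should chain up to the Enterprise CA. The script below is an added example, not code from the thread or from Avaya: it connects to each TLS interface, verifies the presented chain against a PEM bundle of the enterprise root (plus the SMGR sub-CA, if the server does not send it), and classifies each interface as OK, WARNING or CRITICAL from the days left on the certificate. A certificate that still chains to the default Avaya CA, or to nothing, fails verification and is reported as CRITICAL/untrusted, which is exactly the case the thread warns about. The hostnames, ports, CA file path and the 30-day threshold are assumptions; the sample certificate dictionary in `demo()` is constructed so the classification logic runs offline.

```python
"""Expiry and chain check for Avaya TLS interfaces (SMGR, SM, SBC, AES, ...).

Added example (not from the original thread). Assumes:
  * the enterprise root CA and the SMGR sub-CA are exported to one PEM bundle;
  * each interface listens on a TLS port reachable from where this runs;
  * hostnames/ports below are hypothetical and must be replaced.
Only the Python standard library is used.
"""
import socket
import ssl
from datetime import datetime, timezone

# Hypothetical inventory of interfaces to watch: (label, host, port).
INTERFACES = [
    ("SMGR web", "smgr.example.net", 443),
    ("SM SIP/TLS", "sm1.example.net", 5061),
    ("SBC SIP/TLS", "sbc.example.net", 5061),
    ("AES", "aes.example.net", 8443),
]

CA_BUNDLE = "enterprise-root-and-smgr-subca.pem"  # assumed path
WARN_DAYS = 30  # assumed threshold for WARNING


def fetch_peer_cert(host, port, cafile=CA_BUNDLE, timeout=5.0):
    """TLS-connect, verify the chain against `cafile`, return (status, cert).

    `cert` is the dict returned by SSLSocket.getpeercert(), or None when the
    chain does not terminate at the trusted root (default/self-signed cert,
    missing intermediate, hostname mismatch) or the host is unreachable.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "untrusted: %s" % exc, None
    except OSError as exc:
        return "unreachable: %s" % exc, None


def days_remaining(cert, now=None):
    """Days until notAfter, computed from getpeercert() output (may be negative)."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).total_seconds() / 86400.0


def assess(label, status, cert, now=None, warn_days=WARN_DAYS):
    """Map a fetch result to an alert record: (label, severity, detail)."""
    if cert is None:
        # No verified certificate at all: treat as critical, not merely "unknown".
        return (label, "CRITICAL", status)
    left = days_remaining(cert, now)
    if left < 0:
        return (label, "CRITICAL", "expired %.0f days ago" % -left)
    if left < warn_days:
        return (label, "WARNING", "expires in %.0f days" % left)
    return (label, "OK", "expires in %.0f days" % left)


def run_inventory(interfaces=INTERFACES, cafile=CA_BUNDLE):
    """Check every interface and return the list of alert records."""
    results = []
    for label, host, port in interfaces:
        status, cert = fetch_peer_cert(host, port, cafile)
        results.append(assess(label, status, cert))
    return results


def demo():
    """Offline demonstration on a constructed getpeercert()-style dict."""
    constructed_cert = {
        "subject": ((("commonName", "sm1.example.net"),),),
        "notAfter": "Jun  1 12:00:00 2030 GMT",  # constructed sample value
    }
    fixed_now = datetime(2030, 5, 15, 12, 0, 0, tzinfo=timezone.utc)
    return assess("SM SIP/TLS", "ok", constructed_cert, now=fixed_now)


if __name__ == "__main__":
    print(demo())          # constructed sample: WARNING, 17 days left
    for rec in run_inventory():
        print("%-12s %-8s %s" % rec)
```

Feed the records to whatever your monitoring stack ingests (syslog, a ticketing webhook, Nagios-style exit codes); the point is that the chain verification and the expiry arithmetic live in one place rather than in each Avaya application's own alarm log.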
 