Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
SMGR moving away from default certs. 2
- Thread starter Saiyan656
- Start date
-
1
- #2
oh god no. you'll break everything. SMGR's web apps to SMGR's db are cert protected. SM's mgmt interface to SMGR too. all down the line you'll make life hell.
You can make SMGR a sub-CA of MS and re-enroll everything. That way everything would chain up to the head-end MS CA anyway.
Or, you can put specific MS certs on the interfaces that'll talk to your clients - like the SM interfaces, or the Presence Server, etc.
Depending how much stuff you got - AADS/AMM/PS/SM/SBC/etc/etc/etc, doing it the 'Avaya way' with SMGR first might be best. That doesn't preclude you from using SMGR as a sub-CA to MS and still having everything chain up to SMGR. Just depends how much of your hair you wanna pull out.
You can make SMGR a sub-CA of MS and re-enroll everything. That way everything would chain up to the head-end MS CA anyway.
Or, you can put specific MS certs on the interfaces that'll talk to your clients - like the SM interfaces, or the Presence Server, etc.
Depending how much stuff you got - AADS/AMM/PS/SM/SBC/etc/etc/etc, doing it the 'Avaya way' with SMGR first might be best. That doesn't preclude you from using SMGR as a sub-CA to MS and still having everything chain up to SMGR. Just depends how much of your hair you wanna pull out.
- Thread starter
- #3
Ok so make SMGR as the intermediate and have all interfaces sm,aam,sbc,aes,aaep either be signed by SMGR or MS? Install the MS signed xyz.net root into SMGR? So SMGR trust xyz.net and also the interfaces? I want Endpoint/clients to have MS certs and interfaces to have MS or SMGR certs, I also want to be alerted of certs expiration in SMGR. Is this possible?
I know its a complicated process, just trying to get the gist of it / building blocks![[bigsmile]](/data/assets/smilies/bigsmile.gif "[bigsmile] [bigsmile]")
I know its a complicated process, just trying to get the gist of it / building blocks
find as many white papers about this as you can
- Thread starter
- #5
-
1
- #6
jimbojimbo
Vendor
My personal position is System Manager should be a subordinate CA to your Enterprise CA. In Microsoft speak it makes it extremely easy to publish the System Manager CA to all the Windows clients.
For Hardphones SCEP using NDES works great however you need to research on how to set NDES to provide a single reusable password.
For the Equinox Client you can use the individuals certificate (assuming you have configured auto-enrollment for users in your AD domain).
Endpoints receive their trusted certificates via the 46xxsettings.txt file using the TRUSTCERTS parameter. The phone will need to initially connect via HTTP before you can connect via HTTPS since it will not trust anything when first installed.
There are also ways to use PKCS12 files to deliver identity certificates to endpoints.
In System Manager 8.x there is a Manage Certificates webpage which provides you the status of issued certificates (including validity).
Getting an "alert" can mean different things. Most applications will generate alarms or warnings when certificates are about to expire or expired. Converting them to an "alert" may require separate managment tools or software development.
There are numerous nuances to establishing the PKI infrastructure within the Avaya environment. I would strongly suggest you engage someone who has significant experience in both lab and production.
For Hardphones SCEP using NDES works great however you need to research on how to set NDES to provide a single reusable password.
For the Equinox Client you can use the individuals certificate (assuming you have configured auto-enrollment for users in your AD domain).
Endpoints receive their trusted certificates via the 46xxsettings.txt file using the TRUSTCERTS parameter. The phone will need to initially connect via HTTP before you can connect via HTTPS since it will not trust anything when first installed.
There are also ways to use PKCS12 files to deliver identity certificates to endpoints.
In System Manager 8.x there is a Manage Certificates webpage which provides you the status of issued certificates (including validity).
Getting an "alert" can mean different things. Most applications will generate alarms or warnings when certificates are about to expire or expired. Converting them to an "alert" may require separate managment tools or software development.
There are numerous nuances to establishing the PKI infrastructure within the Avaya environment. I would strongly suggest you engage someone who has significant experience in both lab and production.
- Status
Similar threads