The configuration steps described in this article are examples.
Ribbon recommends referring to the SBC and PSX product documentation for detailed information on the commands, parameters, and flags used in the configuration examples of this guide.
Perform the steps in the order described in this article.
This article describes configuring the SBC for TLS to deploy with MS Teams.
Before executing the steps below, ensure the following:
- OpenSSL is installed on your local machine.
- OpenSSL is available from the command prompt or terminal application.
Generate a CSR with OpenSSL
To generate a Certificate Signing Request (CSR) and key file for a Subject Alternative Name (SAN) certificate with multiple subject alternative names, execute the steps below.
Create an OpenSSL configuration file (text file) on the local computer, and edit the following fields:
Note: In this example, the name of the configuration file is "req.conf". The "req_extensions" setting puts the subject alternative names in a CSR. Ribbon recommends using "x509_extensions" when creating an actual certificate file. Ensure that there are no whitespace characters at the end of the lines.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.company.com
DNS.2 = company.com
DNS.3 = www.company.net
DNS.4 = company.net
To create a CSR and a new key file, execute the following command:
openssl req -new -out company_san.csr -newkey rsa:2048 -nodes -sha256 -keyout company_san.key.temp -config req.conf
To verify the CSR, execute the following command:
openssl req -text -noout -verify -in company_san.csr
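A pre-flight check for a req.conf like the one above, added here as an example and not part of Ribbon's tooling: it parses the OpenSSL config, flags trailing whitespace (the requirement in the note), confirms that req_extensions names a section whose subjectAltName lists DNS entries, and checks that the CN is among them. REQ_CONF is a constructed, trimmed copy of the article's file; the check names are assumptions.

```python
import re
# Constructed, trimmed copy of the article's req.conf; a trailing space is
# injected on the keyUsage line (line 8) so the checker has something to report.
REQ_CONF = """[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = www.company.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.company.com
DNS.2 = company.com
""".replace("dataEncipherment\n", "dataEncipherment \n")

def parse_openssl_conf(text):
    """Minimal INI-style parser: returns ({section: {key: value}}, [line numbers with trailing whitespace])."""
    sections, trailing, current = {}, [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip():  # the article's note: no whitespace at end of lines
            trailing.append(lineno)
        line = raw.strip()
        if not line or line.startswith("#"): continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1).strip(), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections, trailing

def check_req_conf(text):
    """Return a list of problems that would make the resulting CSR unusable as a SAN certificate."""
    sections, trailing = parse_openssl_conf(text)
    problems = ["line %d: trailing whitespace" % n for n in trailing]
    ext = sections.get("req", {}).get("req_extensions")
    if ext not in sections:
        return problems + ["req_extensions does not name an existing section"]
    san = sections[ext].get("subjectAltName", "")
    alt = sections.get(san[1:], {}) if san.startswith("@") else {}
    names = [v for k, v in alt.items() if k.startswith("DNS.")]
    if not names: problems.append("no DNS entries under subjectAltName")
    cn = sections.get("req_distinguished_name", {}).get("CN")
    if cn and cn not in names: problems.append("CN %s is not listed in subjectAltName" % cn)
    if "serverAuth" not in sections[ext].get("extendedKeyUsage", ""): problems.append("extendedKeyUsage lacks serverAuth")
    return problems
```

Run the checker before the `openssl req` step; an empty list means the file is ready for CSR generation.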
Obtain a signed certificate from a Certificate Authority (CA) in the .crt format, which is convertible to other formats using OpenSSL. Most CAs provide two or more certificates: one for the SBC certificate, and the others for the CA root and intermediate certificates.
Ribbon recommends using Baltimore's Root Certificate (http://certificate.fyicenter.com/319_Root_CA_Baltimore_CyberTrust_Root_CyberTrust_Baltimore_IE.html). It is available in the .pem format. Convert it to the .cer format using the following openssl command:
openssl x509 -outform der -in Baltimore_cert.pem -out Baltimore_cert.cer
Note: In the above example, the certificate is generated with a ".cer" extension; however, openssl also accepts the ".der" extension.
- Convert the certificates into SBC-readable formats. Ensure that the SBC certificate is in .pem or .p12 format, and the root certificate is in .cer or .der format.
For the SBC certificate, convert .crt to .pem using the following commands:
openssl x509 -in sbc_cert.crt -out sbc_cert.der -outform DER
openssl x509 -in sbc_cert.der -inform DER -out sbc_cert.pem -outform PEM
After generating the sbc_cert.pem file, convert it to .p12 format using the following command:
Note: Before executing the command below, download the file /opt/sonus/csrkey.key from the SBC, and place it in the directory of the local machine from which you are executing the openssl commands.
openssl pkcs12 -export -out sbc1_cert.p12 -in sbc_cert.pem -inkey /opt/sonus/csrkey.key
For the CA's root and intermediate certificates, convert .crt to .cer using the following command:
openssl x509 -in root_cert.crt -out root_cert.cer -outform DER
- Upload the converted certificates to the SBC directory: /opt/sonus/external.
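The PEM/DER conversions above, as a standard-library Python equivalent added here as an example (not Ribbon's or OpenSSL's code): it detects whether a certificate file is PEM or DER, converts between the two, and selects the upload format the article requires for each role (SBC certificate as .pem, root and intermediate as .cer). SAMPLE_DER is a constructed ASN.1 stand-in rather than a real certificate, and the role names "sbc" and "ca" are assumptions.

```python
import base64
import re

# Constructed stand-in for DER input: SEQUENCE { INTEGER 5 }. Not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def detect_format(data):
    """'PEM' if the data carries BEGIN/END armour, 'DER' if it starts with an ASN.1 SEQUENCE tag (0x30)."""
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"

def pem_to_der(data):
    """Equivalent of: openssl x509 -in file.pem -out file.cer -outform DER"""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(m.group(2))  # b64decode drops the line breaks

def der_to_pem(data, label=b"CERTIFICATE"):
    """Equivalent of: openssl x509 -in file.der -inform DER -out file.pem -outform PEM"""
    if detect_format(data) != "DER":
        raise ValueError("input is not DER")
    b64 = base64.b64encode(data)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # PEM wraps at 64 columns
    return b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines) + b"\n-----END " + label + b"-----\n"

def prepare_for_sbc(role, data):
    """Return (file extension, bytes) in the encoding the SBC expects for this role (assumed names):
    'sbc' = the SBC server certificate (upload as .pem), 'ca' = root/intermediate (upload as .cer/DER)."""
    fmt = detect_format(data)
    if fmt == "UNKNOWN":
        raise ValueError("unrecognised certificate encoding")
    if role == "sbc":
        return ".pem", data if fmt == "PEM" else der_to_pem(data)
    if role == "ca":
        return ".cer", data if fmt == "DER" else pem_to_der(data)
    raise ValueError("role must be 'sbc' or 'ca'")
```

The .p12 step still needs openssl pkcs12 (or a PKCS#12 library), since bundling the private key is not a pure re-encoding.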
Generate Required Certificates
Execute the following steps on the SBC:
Create Crypto Suite Profile.
% set profiles security cryptoSuiteProfile CRYPT_PROF entry 1 cryptoSuite AES-CM-128-HMAC-SHA1-80
Import the Public CA Root Certificate into the database.
% set system security pki certificate CA_ROOT_CERT type remote fileName root_cert.cer state enabled
Import Baltimore Certificate to the database.
% set system security pki certificate BALTIMORE_CERT type remote fileName Baltimore_cert.cer state enabled
Import Public CA Certified SBC Server Certificate to the database.
% set system security pki certificate SBC_CERT fileName sbc1_cert.p12 passPhrase <Password defined during CSR generation> state enabled type local
Create a TLS Profile.
% set profiles security tlsProfile TLS_PROF clientCertName SBC_CERT serverCertName SBC_CERT cipherSuite1 tls_ecdhe_rsa_with_aes_256_cbc_sha384 cipherSuite2 tls_ecdhe_rsa_with_aes_128_cbc_sha authClient true allowedRoles clientandserver acceptableCertValidationErrors invalidPurpose
% set profiles security tlsProfile TLS_PROF v1_1 enable
% set profiles security tlsProfile TLS_PROF v1_0 disable
% set profiles security tlsProfile TLS_PROF v1_2 enable
% commit
Attach TLS Profile to SIP Signaling Port
To attach the TLS Profile to the SIP Signaling Port, execute the following commands:
% set addressContext default zone Teams_ZONE sipSigPort 4 state disabled mode outOfService
% commit
% set addressContext default zone Teams_ZONE sipSigPort 4 tlsProfileName TLS_PROF
% commit
% set addressContext default zone Teams_ZONE sipSigPort 4 state enabled mode inService
% commit
A few scenarios, such as assigning an incorrect port, result in TLS negotiation issues.
To avoid negotiation issues, verify or configure the following:
- MS Teams listens on port number 5061 (default setting).
- Configure port number 5060 on the MS Teams IP-Peer, because the SBC increments the port by 1 when the transport protocol is TLS.
- For the tenant's SBC configuration on MS Teams, use the same port number that is configured under the SBC's SIP Signaling Port.