
Tip

The configuration steps described in this article are examples.

Ribbon recommends referring to the SBC and PSX product documentation for detailed information on the commands, parameters, and flags used in the configuration examples of this guide.

Process the steps in the same order as described in this article.

This article describes configuring the SBC for TLS to deploy with MS Teams.

Tip

Before executing the steps below, ensure the following:

  • You installed OpenSSL on your local machine.
  • OpenSSL is available from the command prompt or terminal application.

Generate a CSR with OpenSSL

To generate a Certificate Signing Request (CSR) and key file for a Subject Alternative Name (SAN) certificate with multiple subject alternate names, execute the steps below.

  1. Create an OpenSSL configuration file (text file) on the local computer, and edit the following fields:

    Note

    In this example, the name of the configuration file is "req.conf".

    The "req_extensions" setting places the subject alternative names in the CSR. Ribbon recommends using "x509_extensions" instead when creating an actual certificate file.

    Ensure that there are no whitespace characters at the end of the lines.

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = US
    ST = VA
    L = SomeCity
    O = MyCompany
    OU = MyDivision
    CN = www.company.com
    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = www.company.com
    DNS.2 = company.com
    DNS.3 = www.company.net
    DNS.4 = company.net

  2. To create a CSR and a new key file, execute the following command:

    openssl req -new -out company_san.csr -newkey rsa:2048 -nodes -sha256 -keyout company_san.key.temp -config req.conf
  3. To verify the CSR, execute the following command:

    openssl req -text -noout -verify -in company_san.csr
  4. Obtain a signed certificate from a Certificate Authority (CA) in the .crt format, which is convertible to other formats using OpenSSL.

    Most CAs provide two or more certificates – one for the SBC certificate, and the others for the CA root and intermediate certificates.

    Ribbon recommends using Baltimore's Root Certificate (http://certificate.fyicenter.com/319_Root_CA_Baltimore_CyberTrust_Root_CyberTrust_Baltimore_IE.html). It is available in the .pem format.

    Convert it to the .cer format using the following openssl command:

    openssl x509 -outform der -in Baltimore_cert.pem -out Baltimore_cert.cer
    Note

    In the above example, the converted certificate is written with a ".cer" extension; openssl also accepts the ".der" extension for the same DER-encoded file.

  5. Convert the certificates into SBC-readable formats. Ensure that the SBC certificate is in .pem or .p12 format, and the root certificate is in .cer or .der format.
    1. For the SBC certificate, convert .crt to .pem using the following command:

      openssl x509 -in sbc_cert.crt -out sbc_cert.der -outform DER
      openssl x509 -in sbc_cert.der -inform DER -out sbc_cert.pem -outform PEM
    2. After generating the sbc_cert.pem file, convert it to .p12 format using the following command:

      Note

      Before executing the command below, download the file /opt/sonus/csrkey.key from the SBC, and place it in the directory of the local machine from which you are executing the openssl commands.

      openssl pkcs12 -export -out sbc1_cert.p12 -in sbc_cert.pem -inkey /opt/sonus/csrkey.key
    3. For the CA's root and intermediate certificates, convert .crt to .cer using the following command:

      openssl x509 -in root_cert.crt -out root_cert.cer -outform DER
  6. Upload the converted certificates to the SBC directory: /opt/sonus/external.
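As an added example (not part of the Ribbon article), the script below writes the req.conf from step 1, runs the step 2 and step 3 openssl commands, and then checks what the -verify flag alone does not: that the req.conf has no trailing whitespace, that the CSR really carries all four DNS SANs, and that the CSR's public key belongs to the generated private key. The scratch directory WORK and the helper function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the Ribbon article: build req.conf, run steps 2-3, check the CSR.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory for key, CSR and config
write_req_conf() {               # step 1: the article's req.conf, no trailing blanks
  cat > "$WORK/req.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.company.com
DNS.2 = company.com
DNS.3 = www.company.net
DNS.4 = company.net
EOF
}
conf_has_no_trailing_ws() {      # the Note's requirement, checked mechanically
  ! grep -q '[[:space:]]$' "$WORK/req.conf"
}
gen_csr() {                      # step 2: new RSA-2048 key plus CSR
  openssl req -new -out "$WORK/company_san.csr" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/company_san.key.temp" -config "$WORK/req.conf" 2>/dev/null
}
csr_verifies() {                 # step 3: checks only the CSR's self-signature
  openssl req -noout -verify -in "$WORK/company_san.csr" >/dev/null 2>&1
}
csr_sans() {                     # DNS SANs the CSR actually carries, sorted, one per line
  openssl req -noout -text -in "$WORK/company_san.csr" \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | LC_ALL=C sort
}
key_matches_csr() {              # public key in the CSR == public key of the generated key
  a=$(openssl req -noout -pubkey -in "$WORK/company_san.csr" | openssl sha256)
  b=$(openssl pkey -pubout -in "$WORK/company_san.key.temp" | openssl sha256)
  [ "$a" = "$b" ]
}
write_req_conf
gen_csr
```

Run csr_sans after gen_csr to compare the SAN list with the names the CA is expected to sign; a missing entry here means the CA cannot add it later.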


Generate Required Certificates

Execute the following steps in the SBC:

  1. Create Crypto Suite Profile.

    % set profiles security cryptoSuiteProfile CRYPT_PROF entry 1 cryptoSuite AES-CM-128-HMAC-SHA1-80
  2. Import the Public CA Root Certificate into the database.

    % set system security pki certificate CA_ROOT_CERT type remote fileName root_cert.cer state enabled
  3. Import Baltimore Certificate to the database.

    % set system security pki certificate BALTIMORE_CERT type remote fileName Baltimore_cert.cer state enabled
  4. Import Public CA Certified SBC Server Certificate to the database.

    % set system security pki certificate SBC_CERT fileName sbc1_cert.p12 passPhrase <Password defined during CSR generation> state enabled type local
  5. Create a TLS Profile.

    % set profiles security tlsProfile TLS_PROF clientCertName SBC_CERT serverCertName SBC_CERT cipherSuite1 tls_ecdhe_rsa_with_aes_256_cbc_sha384 cipherSuite2 tls_ecdhe_rsa_with_aes_128_cbc_sha authClient true allowedRoles clientandserver acceptableCertValidationErrors invalidPurpose
    % set profiles security tlsProfile TLS_PROF v1_1 enable
    % set profiles security tlsProfile TLS_PROF v1_0 disable
    % set profiles security tlsProfile TLS_PROF v1_2 enable
    % commit


Attach TLS Profile to SIP Signaling Port

To attach the TLS Profile to the SIP Signaling Port, execute the following commands:

% set addressContext default zone Teams_ZONE sipSigPort 4 state disabled mode outOfService
% commit
% set addressContext default zone Teams_ZONE sipSigPort 4 tlsProfileName TLS_PROF
% commit
% set addressContext default zone Teams_ZONE sipSigPort 4 state enabled mode inService
% commit
Caution

A few scenarios result in a TLS negotiation issue, such as assigning an incorrect port.

To avoid negotiation issues, verify/configure the following:

  • MS Teams listens on port number 5061 (default setting).

  • Configure port number 5060 on MS Teams' IP-Peer, as the SBC increments the port by 1 when the transport protocol is TLS.

  • For tenant's SBC configuration on MS Teams, use the same port number that is configured under the SBC's SIP Signaling Port.
