The configuration steps described in this article are examples.
Process the steps in the same order as described in this article.
This article describes configuring the SBC for TLS to deploy with MS Teams.
Before executing the steps below, ensure the following:
- You installed OpenSSL on your local machine.
- OpenSSL is available from the command prompt or terminal application.
Generate a CSR with OpenSSL
To generate a Certificate Signing Request (CSR) and key file for a Subject Alternative Name (SAN) certificate with multiple subject alternate names, execute the steps below.
Create an OpenSSL configuration file (text file) on the local computer, and edit the following fields:
Note
In this example, the name of the configuration file is "
"req_extensions" puts the subject alternative names in a CSR. Ribbon recommends using the "x509_extensions" when creating an actual certificate file.
Ensure that there are no whitespace characters at the end of the lines.
To create a CSR and a new key file, execute the following command:
To verify the CSR, execute the following command:
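The CSR procedure above, as an added example (not the configuration file or commands from the original article): it writes an OpenSSL config that uses `req_extensions` for the SANs, rejects trailing whitespace, generates the key and CSR, then verifies the CSR and lists its SANs. The file names, subject fields and `example.com` host names are constructed placeholders.

```shell
#!/bin/sh
# Added example. File names, subject fields and host names are constructed
# placeholders, not values from the original article.
set -eu

write_conf() {   # $1 = path of the OpenSSL config file to create
    cat > "$1" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req

[dn]
O = Example Corp
CN = sbc.example.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = sbc.example.com
DNS.2 = sbc2.example.com
EOF
}

check_conf() {   # fails (and prints the offending lines) if a line ends in whitespace
    ! grep -n '[[:space:]]$' "$1" >&2
}

make_csr() {     # $1 = config file, $2 = key file to write, $3 = CSR file to write
    check_conf "$1" || { echo "trailing whitespace in $1" >&2; return 1; }
    ( umask 077   # keep the unencrypted private key readable by the owner only
      openssl req -new -newkey rsa:2048 -nodes -config "$1" -keyout "$2" -out "$3" )
}

csr_sans() {     # $1 = CSR; checks its self-signature, then prints one DNS SAN per line
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

dir=$(mktemp -d)
write_conf "$dir/sbc-csr.conf"
make_csr "$dir/sbc-csr.conf" "$dir/sbc.key" "$dir/sbc.csr"
csr_sans "$dir/sbc.csr"
```

Confirm that every name the SBC must present appears in the SAN list before sending the CSR to the CA, since a signed certificate cannot be amended afterwards.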
Obtain a signed certificate from a Certificate Authority (CA) in the .crt format, which is convertible to other formats using OpenSSL.
Most CAs provide two or more certificates – one for the SBC certificate, and the others for the CA root and intermediate certificates.
Ribbon recommends using Baltimore's Root Certificate (
). It is available in the
Convert it to the .cer format using the following
In the above example, the certificate is generated with the below command using a ".cer" extension; however, openssl also accepts the "
- Convert the certificates into SBC-readable formats. Ensure that the SBC certificate is in .p12 format, and the root certificate is in
For the SBC certificate, convert .pem using the following command:
After generating the sbc_cert.pem file, convert it to .p12 format using the following command:
Note
Before executing the command below, download the file /opt/sonus/csrkey.key from the SBC, and place it in the directory of the local machine from which you are executing the
For the CA's root and intermediate certificates, convert .cer using the following command:
- Upload the converted certificates to the SBC directory:
Generate Required Certificates
Execute the following steps in the SBC:
Create Crypto Suite Profile.
Import the Public CA Root Certificate into the database.
Import Baltimore Certificate to the database.
Import Public CA Certified SBC Server Certificate to the database.
Create a TLS Profile.
Attach TLS Profile to SIP Signaling Port
To attach the TLS Profile to the SIP Signaling Port, execute the following commands:
A few scenarios result in a TLS negotiation issue, such as assigning an incorrect port.
To avoid negotiation issues, verify/configure the following:
MS Teams listens on port number 5061 (default setting).
Configure port number 5060 on MS Teams' IP-Peer, as the SBC increments the port by 1 when the transport protocol is TLS.
For tenant's SBC configuration on MS Teams, use the same port number that is configured under the SBC's SIP Signaling Port.