TLS - Configuration

Overview:

License Installation.

  1. To configure TLS, a new license file must be copied into the license directory. This license file must include a Secure Communications license. Copy the new license file into the /opt/dialogic/common/license directory.

Create Logical and Physical IMG.

  1. Right Click on IMG EMS and select New Logical IMG. Click on Logical IMG link for more information.
  2. Right Click on Logical IMG and select New Physical IMG. Click on Physical IMG link for more information.

 

Create VoIP Interfaces and Facilities:

  1. Right Click on the Physical IMG object just created (IMG Name:) and select New Network. See the Network Interfaces link for more information.

  2. Right Click on IP Network and select New IP Address. This will be the VoIP interface for the VoIP modules. See Configuring VoIP link for more information.

  3. Right Click on the Physical IMG again and select New Facility. See Facility link for more information.

  4. Right Click on the Facility object and select New Bearer - IP. This will create the VoIP ports connected to the VoIP module created above. See Configuring VoIP link again for bearer-ip information.

 

Create a Certificate Database which will contain the TLS Certificate Entries:

  1. Right Click on the IMG EMS object and select New Certificate Database. This will be the Database that will contain the individual Certificate Entries or Trust IDs. See Certificate Database link for more information.

  2. Right Click on Certificate Database object and select New Certificate Entry. There should be a separate Certificate Entry for each entity using different TLS credentials. For example, two external gateways belonging to the same carrier could share the same TLS credentials. See Certificate Entry link for more information.

 

Note: The Certificate Entry is also referred to as the Trust ID.

 

Create the Secure Profiles, IP Profiles, and SIP SGP Profile:

Creating the Secure Profile allows you to assign a Trust ID to a remote IP element such as a Gateway.

  1. Right Click on IMG EMS and select New Profiles. This will create a database that will contain the different secure profiles that will get created.

  2. Right Click on Profiles object and select New Secure Profile. In the pane that appears you will be able to select which Certificate Entry will be assigned to this Secure Profile. Select the number of the Trust ID from the Trust ID field drop down menu. Click on the following pop up (Secure Profile Pane). For more information on Secure Profiles, see the Secure Profiles link.

  3. Create the IP Bearer profiles that the channel groups will use. Right Click on Profiles Object and select New IP Bearer Profile. See the IP Bearer Profile Link for more information on configuring this pane.

  4. Create the SIP SGP Profile by right clicking on the Profiles object and selecting New SIP SGP. If you are configuring TLS and want to enable or disable SIPS, select True or False from the drop down menu in the SIPS field. Click on the following pop up. (SIP_Prof_SIPS)

 

Create the SIP Signaling Object and assign Secure Profiles etc:

  1. Right click on the Physical IMG object in the object tree and select New Signaling. A signaling pane will appear. See Signaling Pane for more information

  2. Right Click on the Signaling object and select New SIP. A SIP Signaling Pane will appear. Optionally, in the Default Transport Type field, select TLS from the drop down menu. This transport type is used when the current IMG is used as an external gateway by another IMG. Once TLS is selected, the Secure Profile field is highlighted. Select the Secure Profile to be used from the drop down menu. Click on the following pop-up (SIPSignaling_SecureProfile).

  3. The default port that the IMG will use to communicate with the external gateways when TLS is enabled is 5061, as shown in the 'Local TLS Port' field of the SIP signaling object. The port number can be changed by clicking in the Local TLS Port field and entering a different port number.

  4. The Default Secure Profile field is used when a SIP call comes in over the Secure Profile Port but the external gateway sending the call is not using TLS security. If the field is set to 'Not Used' the call will be rejected. There is a drop down menu of all the secure profiles created in this field as well. Select a profile so the calls will not get rejected. See the SIP Signaling Link for more information on the SIP Signaling Pane.

 

Create SIP Channel Group and assign.

  1. Right Click on IMG EMS and select New Routing Configuration. The Channel Groups can be created under this object. See Routing Configuration link for more information.

  2. Right Click on Routing Configuration and select New Channel Groups. This creates a database which will hold all channel groups created. See Channel Groups link for more information.

  3. Right Click on the Channel Group object just created and select New Channel Group. Enter a unique name to identify this Channel Group. Select SIP from the Signaling Type Field drop down menu. See the Channel Group Link for more information on Channel Group Pane.

 

Create External Gateways:

Create external gateways that will communicate with the IMG using TLS security.

 

  1. Right Click on IMG EMS and select New External Network Elements. Under this object the external Gateways can get created. See External Network Elements link for more information on this object.

  2. Right Click on External Gateways object and select New External Gateways. This object will create a database of all the gateways configured. See External Gateways link for more information.

  3. Right Click on the External Gateways object and select New External Gateway. In the Name field give this gateway a unique name that identifies it.

  4. In the Gateway Signaling Field select SIP from the Drop Down Menu.

  5. If the IMG will be communicating using TLS, select TLS from the drop down menu in the Gateway Transport Type field. At this point a new Secure Profile field will appear. Select the Secure Profile that will be used to communicate with this specific gateway. Click on the following pop up to display the Gateway Transport Type field selections. (External_SIP_Gateway_TLS)

  6. You can create multiple gateways communicating with IMG using TLS and each gateway can have a different Secure Profile.

 

Configuring SIPS (Optional):

SIPS is configured using the SIP SGP Profile. Once SIPS is configured in the SIP SGP Profile, the profile can then be assigned to a specific gateway.

  1. To configure SIPS you must first have a SIP SGP profile configured. The SIP SGP profile was already configured above, in Step 4 under the heading "Create the Secure Profiles, IP Profiles, and SIP SGP Profile:".

  2. To enable SIPS on this individual profile, scroll down to the Enable SIPS field. Click in the field and a drop down menu will offer the selections True and False. The Default is True. See SIP Profile link for more information. The following pop up displays the SIPS selections within the SIP SGP profile. (SIPS_Enable)
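TLS transport (Gateway Transport Type, Default Transport Type) and SIPS (Enable SIPS) are separate settings in the steps above. The following added example, which is not part of the Dialogic documentation, audits a captured SIP request against the expected value of each. The sample messages are constructed, and the conventions checked (the Via transport token and the sips: URI scheme) come from RFC 3261, not from this page.

```python
import re

VIA_RE = re.compile(r"^(?:via|v)\s*:\s*SIP\s*/\s*2\.0\s*/\s*([A-Za-z]+)", re.I)
CONTACT_RE = re.compile(r"^(?:contact|m)\s*:.*?<?\s*(sips?):", re.I)

def _msg(scheme, transport):
    # Constructed request; 192.0.2.0/24 is a documentation range, not a real IMG.
    return (
        f"INVITE {scheme}:2000@192.0.2.20:5061 SIP/2.0\r\n"
        f"Via: SIP/2.0/{transport} 192.0.2.10:5061;branch=z9hG4bK-constructed\r\n"
        f"From: <{scheme}:1000@192.0.2.10>;tag=a1\r\n"
        f"To: <{scheme}:2000@192.0.2.20>\r\n"
        f"Contact: <{scheme}:1000@192.0.2.10:5061>\r\n"
        "Call-ID: constructed-1@192.0.2.10\r\nCSeq: 1 INVITE\r\n\r\n")

SAMPLE_TLS_SIPS = _msg("sips", "TLS")   # TLS transport, SIPS enabled
SAMPLE_TLS_SIP = _msg("sip", "TLS")     # TLS transport, SIPS disabled
SAMPLE_UDP_SIP = _msg("sip", "UDP")     # no TLS at all
SAMPLE_UDP_SIPS = _msg("sips", "UDP")   # inconsistent: sips URI on a clear-text hop

def audit_sip_request(raw, expect_tls=True, expect_sips=True):
    """Return a list of findings; an empty list means the request matches."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0" or ":" not in parts[1]:
        return ["not a SIP request line"]
    scheme = parts[1].split(":", 1)[0].lower()
    transport = contact = None
    for line in lines[1:]:
        m = VIA_RE.match(line)
        if m and transport is None:      # topmost Via = the hop that delivered it
            transport = m.group(1).upper()
        m = CONTACT_RE.match(line)
        if m and contact is None:
            contact = m.group(1).lower()
    findings = []
    if transport is None:
        findings.append("no Via header found")
    elif expect_tls and transport != "TLS":
        findings.append(f"top Via transport is {transport}, expected TLS")
    if expect_sips and scheme != "sips":
        findings.append(f"Request-URI scheme is {scheme}, expected sips")
    if scheme == "sips" and transport not in (None, "TLS"):
        findings.append("sips Request-URI arrived over a non-TLS hop")
    if scheme == "sips" and contact not in (None, "sips"):
        findings.append("sips Request-URI but Contact is not sips")
    return findings
```

Set expect_sips to match the Enable SIPS value of the SIP SGP profile assigned to the gateway, and expect_tls to match its Gateway Transport Type.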

 

Configure Routing:

  1. Configure Routing and Translations as needed to route gateways to IMG.

 

 

Troubleshooting Section:

The simple troubleshooting tips below solve some problems that could arise during the configuration of TLS over SIP. Read through the list below and verify each bulleted item has been executed and is configured correctly. If the list below doesn't solve your issue, Dialogic Support Personnel can assist you to get your configuration working.