Siemens V1.2.33 manual Use of TLS by an IP Phone, Operating the XML Management Interface over TLS

Page 85

Deployment Tool with TLS

Use of TLS by an IP Phone

An IP Phone contains both a TLS server and a TLS client. The TLS server is used with the phone's webserver and the phone's XML management interface. The TLS client is used with the phone's telephony client. (The PC's telephony server contains a TLS server, while the PC's web client and XML management client are TLS clients). As discussed above, a TLS server requires its own key material (private key and public key certificate chain). A TLS client does not require certificates if server authentication is not required.

Key material is hard-coded into the phone software to allow the phone's TLS server to work by default. The default key material has a two-certificate chain consisting of the end-entity certificate and a self-signed CA certificate. Since the certificate chain is transported to the client during the TLS handshake, the client can decide to trust the self-signed certificate, and store it locally for subsequent authentication of other phones, if the client software permits. Key material does not normally include the trusted certificate: the phone's default key material does, as a means of distributing it.

By default, the phone's TLS client is configured not to perform server authentication, and has no default trusted certificate.

For improved security, the user can transfer their own server key material and client trusted certificates to the phone, using the XML management interface. The phone will use the new key material and trusted certificates, in preference to the defaults. If the user supplies client trusted certificates, the phone's TLS client will perform server authentication, which must be successful to establish a TLS connection.

The key material is transferred in a single file, containing a private key and matching public key certificate chain. The trusted certificates are transferred in a separate, single file, as an aggregate, not a chain. The phone supports only one server key material file and one client trusted certificates file. The XML management interface allows the user to read back the files, and delete them from the phone. The files are transferred over XML in unencrypted PKCS#12 format.

Instructions for using the Deployment Tool with TLS

The Deployment Tool is a PC application for configuring batches of IP Phones using the XML management interface.

Operating the XML Management Interface over TLS

The Deployment Tool is a TLS client, and authenticates the identity of the TLS servers on the phones it configures. For this, it requires a subject DN and a trusted CA certificate to validate the certificate chains received from the phones during the TLS handshake. Once this is specified, no further action is required to configure either TLS or non-TLS phones. The Tool itself determines whether or not to use TLS from the type of phone being configured.
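The two behaviours described above, the phone's default two-certificate chain (end-entity plus self-signed CA) and a TLS client that either skips server authentication or validates the received chain against a trusted CA certificate and an expected name, as an added Go example that is not part of this manual or of the Deployment Tool. It generates a self-signed CA and an end-entity certificate in memory (the names "Example Phone CA", "Other Phone CA", "phone-a.example" and "phone-b.example" are constructed for the example), then applies the client-side check: with no trusted certificates, any chain is accepted; once the self-signed CA from a first contact is stored as trusted, a chain from a different CA or with the wrong name is rejected. The expected name is matched against the certificate's subject alternative name here, a simplification of the subject DN the Tool asks for; the private key that the real key material file carries is omitted because the client-side check does not need it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key for tmpl and signs tmpl with signer under
// parent; with parent nil the certificate is self-signed with its own new key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPhoneChain builds the two-certificate chain the manual describes for a phone's
// default key material: an end-entity certificate for phoneName signed by a self-signed CA.
func NewPhoneChain(caName, phoneName string) ([]*x509.Certificate, error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{ // the phone's private key is discarded here
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: phoneName},
		DNSNames: []string{phoneName}, // the name a client checks the phone against
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, ca}, nil
}

// AuthenticatePhone is the server-authentication step a TLS client such as the
// Deployment Tool applies to the chain a phone presents: the end-entity certificate
// must chain to a trusted CA and carry expectedName. With nothing trusted, the
// client (like the phone's own default TLS client) accepts any chain unchecked.
func AuthenticatePhone(chain, trusted []*x509.Certificate, expectedName string) error {
	if len(chain) == 0 {
		return fmt.Errorf("phone %q presented no certificate", expectedName)
	}
	if len(trusted) == 0 {
		return nil // no trusted certificates file: server authentication is off
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range chain[1:] {
		inter.AddCert(c) // rest of the phone's chain, e.g. its self-signed CA
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: expectedName})
	if err != nil {
		return fmt.Errorf("phone %q failed server authentication: %w", expectedName, err)
	}
	return nil
}

// SelfSignedRoot picks the self-signed CA out of a phone's chain: the certificate
// a client may store as trusted after an unauthenticated first contact.
func SelfSignedRoot(chain []*x509.Certificate) *x509.Certificate {
	for _, c := range chain {
		if c.IsCA && c.CheckSignatureFrom(c) == nil {
			return c
		}
	}
	return nil
}

func main() {
	phoneA, errA := NewPhoneChain("Example Phone CA", "phone-a.example")
	phoneB, errB := NewPhoneChain("Other Phone CA", "phone-b.example")
	if errA != nil || errB != nil {
		panic("certificate generation failed")
	}
	trusted := []*x509.Certificate{SelfSignedRoot(phoneA)} // stored after first contact
	fmt.Println("phone A:", AuthenticatePhone(phoneA, trusted, "phone-a.example"))
	fmt.Println("phone B:", AuthenticatePhone(phoneB, trusted, "phone-b.example"))
}
```

Run with `go run`: phone A validates against its own stored CA and prints `<nil>`, phone B prints a "certificate signed by unknown authority" error. The point worth noticing is the first contact: everything accepted while no trusted certificates are configured is unauthenticated, which is why the manual has the user load a trusted certificates file for improved security and why the Tool validates every chain once one is specified.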


Ref. No. A31003-A2056-A105-63-76A9