Polycom SIP 3.1 manual Encrypting Configuration Files

Models: SIP 3.1


Administrator’s Guide SoundPoint IP / SoundStation IP

Polycom endeavors to maintain a built-in list of the most commonly used CA Certificates. Due to memory constraints, we cannot keep as thorough a list as some other applications (for example, browsers). If you are using a certificate from a commercial Certificate Authority not in the list above, you may submit a Feature Request for Polycom to add your CA to the trusted list by visiting https://jira.polycom.com:8443//secure/CreateIssue!default.jspa?os_username=jiraguest&os_password=polycom. At this point, you can use the Custom Certificate method to load your particular CA certificate into the phone (refer to “Technical Bulletin 17877: Using Custom Certificates on SoundPoint IP Phones” at http://www.polycom.com/usa/en/support/voice/soundpoint_ip/VoIP_Technical_Bulletins_pub.html).

Encrypting Configuration Files

The phone can recognize encrypted files that it downloads from the boot server, and it can encrypt files before uploading them to the boot server. There must be an encryption key on the phone to perform these operations. Configuration files (excluding the master configuration file), contact directories, and configuration override files can be encrypted.

A separate SDK, with a readme file, is provided to facilitate key generation and configuration file encryption and decryption on a UNIX or Linux server. The utility is distributed as source code that runs under the UNIX operating system. For more information, contact Polycom Technical Support.

A key is generated by the utility and must be downloaded to the phone so that it can decrypt the files that were encrypted on the server. The device.sec.configEncryption.key configuration file parameter is used to set the key on the phone. The utility generates a random key and the encryption is Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode. An example key would look like this:

Crypt=1;KeyDesc=companyNameKey1;Key=06a9214036b8a15b512e03d534120006;

If the phone doesn't have a key, the key must be downloaded to the phone in plain text (a potential security hole if not using HTTPS). If the phone already has a key, a new key can be downloaded to the phone encrypted using the old key (refer to Changing the Key on the Phone on page C-5). At a later date, new phones from the factory will have a key pre-loaded in them. This key will be changed at regular intervals to enhance security.

It is recommended that all keys have unique descriptive strings in order to allow simple identification of which key was used to encrypt a file. This makes boot server management easier.

After encrypting a configuration file, it is useful to rename the file to avoid confusing it with the original version, for example, rename sip.cfg to sip.enc. However, the directory and override filenames cannot be changed in this manner.
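The following Python audit is an added example, not part of the Polycom guide or its SDK. It checks an inventory of key strings against the points made above: a 128-bit key, no reuse of the sample key printed in this guide, no plain-text key delivery over a non-HTTPS boot server, and one KeyDesc per key. The three-field layout is assumed from the single sample key string; the function names, inventory tuple shape, hosts and keys are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Sample key printed in the guide; a deployed key must never equal it.
DOC_SAMPLE_KEY = "06a9214036b8a15b512e03d534120006"
FIELDS = ("Crypt", "KeyDesc", "Key")  # layout assumed from the guide's single sample

def parse_key_string(value):
    """Split 'Crypt=1;KeyDesc=...;Key=...;' into a dict, or raise ValueError."""
    parts = [p for p in value.strip().split(";") if p]
    pairs = dict(p.split("=", 1) for p in parts if "=" in p)
    if len(parts) != len(FIELDS) or tuple(pairs) != FIELDS:
        raise ValueError("expected Crypt=..;KeyDesc=..;Key=..;")
    return pairs

def audit_keys(entries):
    """Return (index, finding) pairs for (url, key_string, phone_has_key) tuples."""
    findings, desc_to_key = [], {}
    for i, (url, key_string, has_key) in enumerate(entries):
        try:
            fields = parse_key_string(key_string)
        except ValueError as exc:
            findings.append((i, f"malformed key string: {exc}"))
            continue
        key = fields["Key"].lower()
        if not re.fullmatch(r"[0-9a-f]{32}", key):
            findings.append((i, "Key is not 32 hex digits (AES-128)"))
        elif key == DOC_SAMPLE_KEY:
            findings.append((i, "Key is the sample key printed in the guide"))
        # A phone with no key receives the new key in plain text.
        if not has_key and urlsplit(url).scheme.lower() != "https":
            findings.append((i, "plain-text key delivery without HTTPS"))
        # One KeyDesc should identify exactly one key.
        if desc_to_key.setdefault(fields["KeyDesc"], key) != key:
            findings.append((i, "KeyDesc reused for a different key"))
    return findings

# Constructed sample inventory (hosts and keys are made up for illustration).
SAMPLE = [
    ("https://prov.example.test/", "Crypt=1;KeyDesc=siteAKey1;Key=3f9c1e7a5b2d4c6e8f0a1b2c3d4e5f60;", False),
    ("http://prov.example.test/", "Crypt=1;KeyDesc=companyNameKey1;Key=06a9214036b8a15b512e03d534120006;", False),
    ("https://prov.example.test/", "Crypt=1;KeyDesc=siteAKey1;Key=00112233445566778899aabbccddeeff;", True),
    ("https://prov.example.test/", "Crypt=1;KeyDesc=siteBKey1;Key=abcd;", True),
]

if __name__ == "__main__":
    for index, finding in audit_keys(SAMPLE):
        print(index, finding)
```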
