(3.11+) Installing with SSL/TLS

The IVG setup wizard lets you enable or disable Secure Sockets Layer (SSL) and Transport Layer Security (TLS). SSL/TLS can also be enabled or disabled after installation by running the ./ivginstaller script with the tls-setup parameter.

Note:

We recommend installing IVG with TLS disabled in order to verify call processing functions as required. The tls-setup parameter can then be used to enable SSL/TLS.

The tls-setup parameter can be used to enable or disable SSL/TLS post-installation by using the IVG setup wizard to generate a new install-ivg.cfg file, and then running the ./ivginstaller file with the tls-setup parameter.

Enabling or disabling SSL/TLS

To run the IVG TLS install:

  1. Run the IVG setup wizard.
  2. Select the Load an existing configuration file radio button and select the installation location of the current install.ivg.cfg file.
  3. On the SSL/TLS enablement screen, choose to either enable or disable SSL/TLS.
  4. Complete the IVG setup wizard and save the install.ivg.cfg file.
  5. Copy the new install.ivg.cfg file to the IVG server where TLS needs to be enabled or disabled.
  6. Copy the ./ivginstaller file to the IVG server where TLS needs to be enabled or disabled.
  7. Open a Linux shell and run the following command to change the permissions:

chmod a+x ivginstaller-xxxx

  8. Enter the following command to execute the compatibility prerequisite check:

./ivginstaller-xxxx tls-setup | tee install_mmddyy.txt

Where mmddyy is the date the TLS setup was executed. This saves a dated installation log of the TLS setup.

  9. Repeat steps 1-8 on each IVG server in the deployment to enable or disable TLS.

Enabling SSL/TLS process

The tls-setup process performs the following activities to enable SSL/TLS:

  • Verifies OS compatibility to determine what IP tables and firewalls are needed to open the required ports.
  • Opens the following ports in the Firewall (for Linux 7.x systems) OR opens the following IP tables (for Linux 6.9 systems):
    • siplistenport
    • siplistenport2
    • tlslistenport
    • tlslistenport2
  • Updates the following parameters in the voice platform:
    • siptransport - UDP,TCP,TLS
    • siplistenport - 5060
    • siplistenport2 - 5070
    • tlslistenport - 5061
    • tlslistenport2 - 5071
    • srtpsupport - 2
    • sslcipher - HIGH:MD5:AES256-SHA256
    • sslverify - 1
    • ssloptions - no_sslv2,no_sslv3,no_tlsv1,no_tlsv1_1
Note:

The voice platform default SSL/TLS parameter values are used unless configured otherwise in the IVG setup wizard.

Disabling SSL/TLS process

The tls-setup process performs the following activities to disable SSL/TLS:

  • Verifies OS compatibility to determine what IP tables and firewalls are needed to open the required ports.
  • Opens the following ports in the Firewall (for Linux 7.x systems) OR opens the following IP tables (for Linux 6.9 systems):
    • 5060
    • 5061
  • Updates the following parameters in the voice platform:
    • siptransport - UDP
    • siplistenport - 5060
    • siplistenport2 - 5061
    • tlslistenport - 0
    • tlslistenport2 - 0
    • srtpsupport - 0
    • sslcipher - null
    • sslverify - 0
    • ssloptions - null
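
The following is an added example, not part of the original page or the IVG product: a POSIX shell audit to run on each server after tls-setup. It compares TCP listeners (from `ss -ltnH`) with the port values listed above for the enabled and disabled modes, and turns the ssloptions value into openssl s_client probes that should all be refused. The function names are hypothetical, treating 5070/5071 as unexpected after a disable is an inference from the parameter values, and UDP listeners are not covered.

```shell
# Added example (not vendor code). Ports each mode's parameter values reference.
expected_ports() {
  case "$1" in
    enabled)  echo "5060 5061 5070 5071" ;;
    disabled) echo "5060 5061" ;;
    *) return 2 ;;
  esac
}

# stdin: output of `ss -ltnH`; stdout: unique listening TCP ports, sorted.
listening_ports() {
  awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un | xargs
}

# port_drift MODE "PORT ...": missing:<p> = required but not listening,
# extra:<p> = SIP/TLS port still listening that MODE no longer references.
port_drift() (
  want=" $(expected_ports "$1") " || exit 2
  have=" $2 "
  for p in 5060 5061 5070 5071; do
    case "$want" in *" $p "*) w=1 ;; *) w=0 ;; esac
    case "$have" in *" $p "*) h=1 ;; *) h=0 ;; esac
    [ "$w$h" != 10 ] || echo "missing:$p"
    [ "$w$h" != 01 ] || echo "extra:$p"
  done
)

# Map an ssloptions value to the s_client flags whose handshake must fail.
# no_sslv2 has no probe: current openssl clients cannot offer SSLv2.
disabled_proto_flags() (
  flags=""
  for opt in $(echo "$1" | tr ',' ' '); do
    case "$opt" in
      no_sslv3)   flags="$flags -ssl3" ;;
      no_tlsv1)   flags="$flags -tls1" ;;
      no_tlsv1_1) flags="$flags -tls1_1" ;;
    esac
  done
  printf '%s\n' "${flags# }"
)

# Live probe: tls_refuses_old_protocols HOST PORT SSLOPTIONS
# A client build lacking a protocol also fails, so use a client that has it.
tls_refuses_old_protocols() (
  for flag in $(disabled_proto_flags "$3"); do
    if openssl s_client -connect "$1:$2" "$flag" </dev/null >/dev/null 2>&1; then
      echo "accepted:$flag"; exit 1
    fi
  done
)
```

On a server, feed the live state in with `port_drift enabled "$(ss -ltnH | listening_ports)"` and run `tls_refuses_old_protocols` against tlslistenport and tlslistenport2.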