(3.10) IVG security guide

Genesys SSL/TLS setup

Enable Secure Sockets Layer (SSL)/Transport Layer Security (TLS) in IVG through the voice platform UI. After enabling SSL/TLS, the SIP Secure (SIPS) and Secure RTP (SRTP) protocols can be configured.

After enabling SSL/TLS in the voice platform, copy the Genesys SIP Server certificate to the voice platform, and copy the voice platform certificate to SIP Server. Each side then holds the other's certificate, which is what lets the SSL/TLS handshake between SIP Server and the voice platform verify the peer rather than merely encrypt the connection.

Enabling SSL/TLS in the voice platform

  • Navigate to Configuration > Holly Configuration.
  • Select OpenSSL from the Component dropdown.
  • Select the Pool.
    • TIP: The default pool name is holly.
  • Determine the ciphers the voice platform's OpenSSL build supports by running the following Linux command:
openssl ciphers -v
  • In sslciphers, enter the OpenSSL cipher string.
    • For example: "HIGH:DES:MD5:AES256-SHA256"
    • NOTE: This example string enables DES and MD5, both of which are obsolete. For a production deployment exclude them by prefixing the token with an exclamation mark (for example !DES:!MD5), and keep only cipher suites the contact center side also supports.
  • In ssloptions, enter the protocol versions to disable, chosen from the following list:
    • no_sslv2
    • no_sslv3
    • no_tlsv1
    • no_tlsv1_1
    • no_tlsv1_2

For example, to accept only TLS 1.2, the string would read: no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1

IMPORTANT

Escape the separator (,) with a backslash (\) when listing multiple ssloptions. For example:

  • no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1\, no_tlsv1_2
    • This line only illustrates the escaping. Entered as-is it disables every listed protocol version, including TLS 1.2, and leaves nothing for a peer to negotiate.
  • Restart IVG for the changes to take effect.

IMPORTANT

Without restarting IVG, the TLS protocol is not enabled.

Configuring SIPS and SRTP in the voice platform

Enabling SIPS/SRTP for IVG Genesys requires:

  • Creating a certificate in Microsoft Management Console (mmc)
  • Enabling TLS on the Genesys SIP Server
  • Copying the IVG certificate to Genesys
  • Enabling SIPS/SRTP in the voice platform

Creating the self-signed certificate

Use the following instructions to generate the certificate on the Genesys SIP Server.

  • Open the mmc console by selecting Run and typing mmc.
  • In the Windows mmc console, navigate to File > Add/Remove Snap-in.
  • Select Certificates from the Available snap-ins panel, and press Add.
  • On the Certificates snap-in screen, select the Computer account radio button and press Next.
  • On the Select Computer screen, keep the default Local computer radio button selected and press Finish.
  • The Certificates snap-in displays in the Selected snap-ins column of the Add or Remove Snap-ins screen.
  • Press OK.

Enrolling the certificate

  • Expand the Certificates folder.
  • Expand the Personal folder, right-click Certificates and select All Tasks > Advanced Options > Create Custom Request.
  • Click Next on the Before you begin screen.
  • On the Select Certificate Enrollment Policy screen, select Proceed without enrollment policy and press Next.
  • On the Custom request screen, keep the default values selected and press Next.
  • On the Certificate information screen, expand Details and press the Properties button.
  • Enter the following information for Certificate Properties:

    General tab
      • Friendly name: enter a friendly name that reflects the server and its purpose.
      • Description (optional): enter a description of the certificate.
    Subject tab
      • Subject name > Type: select Common name from the dropdown.
      • Subject name > Value: enter the IP address of the server, then press Add.
      • Alternative name > Type: select DNS from the dropdown.
      • Alternative name > Value: enter the server name, then press Add.
    Extensions tab
      • Extended key usage: select Server Authentication and press Add, then select Client Authentication and press Add.
    Private Key tab
      • Key options: select 1024 from the Key options dropdown.
      • Enable the Make private key exportable checkbox.
      • Select Hash Algorithm: select sha1 from the Select Hash Algorithm dropdown.
      • NOTE: 1024-bit RSA keys and SHA-1 signatures are deprecated. If every peer in the environment supports it, select 2048 (or larger) and sha256 instead; the remaining steps are unchanged.
  • Press Apply and then press OK.
  • Press Next on the Certificate information screen.
  • Name the file with a .cer file extension, and verify the Base 64 radio button is selected.
  • Press Finish.

Verifying the certificate enrollment

  • Expand the Certificates folder.
  • Expand the Certificate Enrollment Requests folder.
  • Select Certificates.
  • Verify the certificate displays in the center panel.

Adding the certificate to Trusted Root Authority

  • Right-click on the certificate and select Copy.
  • Expand Trusted Root Certification Authorities.
  • Right-click Certificates and select Paste.
  • Expand Personal.
  • Right-click Certificates and select Paste.
  • Double-click the certificate.
  • Open the Certification Path tab and verify the Certificate Status is OK.

Enabling SIPS/SRTP on the Genesys SIP Server

  • Update the TLS settings in Configuration Manager by navigating to SIP Server and opening Options > TServer.
    • Locate tls-mutual and verify it is set to False (with mutual TLS off, SIP Server does not request a certificate from IVG; IVG still verifies the SIP Server certificate when sslverify is 1).
    • Locate sip-tls-cert and enter the certificate thumbprint.
      • Find the thumbprint in mmc under the Details tab of the certificate.
    • Locate sip-port-tls and update the value to the TLS port number. The IVG installer automatically opens port 5061; if another port is used, it must be opened manually.

NOTE

The sip-tls-cipher-list value should be supplied by the client.

  • Locate the IVG Trunk in the Genesys strategy.
    • Navigate to Annex > TServer > Options.
      • In the Contact field, enter FQDN:Port;transport=tls. The separator before transport is a semicolon, the SIP URI parameter delimiter, not a second colon.

Copying the voice platform certificate to SIP Server

The IVG installer generates a self-signed certificate for IVG named certificate.pem and places it in the /home/holly/etc directory.

To copy the IVG certificate to the Genesys SIP Server:

  • Copy the IVG certificate from /home/holly/etc to the SIP Server, and rename the copy with the .crt file extension so the Windows import wizard recognizes it.
  • Import the certificate on the Genesys SIP Server using mmc.
  • Navigate to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
  • Right-click Certificates and navigate to All Tasks > Import.
  • Click Next to open the File to Import screen, and browse to the location where certificate.crt was saved.
  • Finish the Certificate Import Wizard, and verify the certificate displays in the Trusted Root Certification Authorities > Certificates folder.

Enabling SIPS and SRTP in the voice platform

After adding the certificate file, enable SIPS and SRTP in the voice platform management system.

  • Navigate to Configuration > Holly Configuration.
  • Select Audio Provider SIP from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the tab for the selected pool (pool<PoolName>) is selected.
  • Locate the following components and update their values:

    siplistenport
      • Description: Primary SIP port used for incoming SIP requests over UDP or TCP.
      • Updated value: 5060
      • The IVG installer process automatically configures port 5060. Using a different port requires the port to be configured manually.

    siplistenport2
      • Description: Secondary SIP port used for incoming SIP requests over UDP or TCP.
      • Updated value: 5070
      • Port 5070 is the recommended port number, but any available port number can be used. The port used must be configured manually.

    siptransport
      • Description: List of transport protocols enabled by the voice platform. The order of the protocols determines the protocol preference.
      • Updated value: tls,tcp,udp
      • TLS is preferred with this value, but tcp and udp stay enabled, so cleartext SIP is still accepted on siplistenport and siplistenport2. Remove them only once every peer can use TLS.

    srtpsupport
      • Description: Determines SRTP behavior for inbound and outbound calls.
      • Updated value: 2
      • VHT engineers recommend the value 2, which produces the following behavior:
        • Allows inbound calls using SRTP.
        • Enables SRTP on outbound calls that use TLS.

    tlslistenport
      • Description: Primary TLS port used for incoming SIPS requests over TLS.
      • Updated value: 5061
      • The IVG installer process automatically configures port 5061. Using a different port requires the port to be configured manually.

    tlslistenport2
      • Description: Secondary TLS port used for incoming SIPS requests over TLS.
      • Updated value: 5071
      • Port 5071 is the recommended port number, but any available port number can be used. The port used must be configured manually.

  • Select OpenSSL from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the tab for the selected pool (pool<PoolName>) is selected.
  • Locate the following components and update their values:

    sslcafile
      • Description: Path of the PEM certificate file the voice platform uses to authenticate the SIP peer. The file is read when the voice platform processes start, and its contents are used for two-way (mutual) authentication.
      • Updated value: /export/home/[hollyusername]/etc/VoicePlatformCertificate.pem
        • hollyusername - holly user name configured in the IVG installer.
        • VoicePlatformCertificate.pem - name of the voice platform certificate file.

    sslverify
      • Description: Enables verification of the certificate presented by the SSL/TLS peer. Keep it enabled; without peer verification an impersonating SIP peer is accepted even though the connection is encrypted.
      • Updated value: 1

  • Navigate to Configuration > Holly Configuration.
  • Select Holly Call Control from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Locate the hvpendpoint parameter and enter the value !(sipbindhost.sip_ap).
  • Restart IVG for the changes to take effect.

IMPORTANT

Without restarting IVG, the SIPS and SRTP protocols are not enabled.

Generating the voice platform self-signed certificates

The IVG installer process generates a private key, a self-signed certificate, and the public key for the voice platform, and stores them in the /export/home/holly/etc directory. Restrict privatekey.pem to the holly user: anyone who can read it can impersonate the voice platform to the contact center.

The certificate and key file names are set in /export/home/holly/httpd/conf. The following parameters produce the certificate.pem and privatekey.pem files:

Parameter                  Key              Value
httpscertificatefilename   certificate.pem  server.cert
httpsprivatekeyfilename    privatekey.pem   server.key

Copying and adding the SIP Server certificate file to the voice platform

Retrieve the certificate that the contact center SIP Server presents, and combine it with the voice platform certificate into a single PEM file on the voice platform.

  • Open a Linux shell on the voice platform and change to the holly user's etc directory.
  • Run the following command:
openssl s_client -connect ContactCenterServer:ContactCenterPortNumber
  • ContactCenterServer - the IP address of the SIP Server
  • ContactCenterPortNumber - the TLS port of the SIP Server (the sip-port-tls value, 5061 by default)
  • Copy the certificate from the output, from the BEGIN CERTIFICATE line through the END CERTIFICATE line, including both marker lines.
    • s_client shows whatever certificate arrived over the network. Before trusting it, compare its thumbprint with the Thumbprint shown in mmc on the SIP Server (Details tab of the certificate); a certificate that differs must not be added to the voice platform.
  • Paste the contents of the certificate in a text editor, and save the certificate with a .pem file extension. For example, platform-ca.pem.
  • Run the following command to verify the certificate file was created:
ls -l *.pem
  • Run the following command to log in as the holly user:
su - holly
  • Run the following command to change to the holly user's etc directory:
cd etc
  • Run the following command to append the IVG voice platform certificate to the file, so that platform-ca.pem contains both certificates:
cat certificate.pem >> platform-ca.pem
  • certificate.pem - name of the IVG voice platform certificate file.
  • platform-ca.pem - name of the file holding the SIP Server certificate, saved above.

Avaya SSL/TLS setup

Enable Secure Sockets Layer (SSL)/Transport Layer Security (TLS) in IVG through the voice platform UI. After enabling SSL/TLS, the SIP Secure (SIPS) and Secure RTP (SRTP) protocols can be configured.

After enabling SSL/TLS in the voice platform, you copy the Session Manager certificate to the voice platform, and copy the voice platform certificate to Session Manager. This facilitates the SSL/TLS handshake between the Session Manager and the voice platform.

Enabling SSL/TLS in the voice platform

  • Navigate to Configuration > Holly Configuration.
  • Select OpenSSL from the Component dropdown.
  • Select the Pool.
    • TIP: The default pool name is holly.
  • Determine the ciphers the voice platform's OpenSSL build supports by running the following Linux command:
openssl ciphers -v
  • In sslciphers, enter the OpenSSL cipher string.
    • For example: "HIGH:DES:MD5:AES256-SHA256"
    • NOTE: This example string enables DES and MD5, both of which are obsolete. For a production deployment exclude them by prefixing the token with an exclamation mark (for example !DES:!MD5), and keep only cipher suites Session Manager also supports.
  • In ssloptions, enter the protocol versions to disable, chosen from the following list:
    • no_sslv2
    • no_sslv3
    • no_tlsv1
    • no_tlsv1_1
    • no_tlsv1_2

For example, to accept only TLS 1.2, the string would read: no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1

NOTE

Escape the separator (,) with a backslash (\) when listing multiple ssloptions. For example:

  • no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1\, no_tlsv1_2
    • This line only illustrates the escaping. Entered as-is it disables every listed protocol version, including TLS 1.2, and leaves nothing for a peer to negotiate.
  • Restart IVG for the changes to take effect.

IMPORTANT

Without restarting IVG, the TLS protocol is not enabled.

Configuring SIPS and SRTP in the voice platform

Enabling SIPS/SRTP for IVG Avaya requires:

  • Creating a certificate in Microsoft Management Console (mmc)
  • Copying the IVG certificate to Avaya Session Manager
  • Enabling SIPS/SRTP in the voice platform

Creating the self-signed certificate

Use the following instructions to generate the certificate on the Avaya Session Manager server.

  • Open the mmc console by selecting Run and typing mmc.
  • In the Windows mmc console, navigate to File > Add/Remove Snap-in.
  • Select Certificates from the Available snap-ins panel, and press Add.
  • On the Certificates snap-in screen, select the Computer account radio button and press Next.
  • On the Select Computer screen, keep the default Local computer radio button selected and press Finish.
  • The Certificates snap-in displays in the Selected snap-ins column of the Add or Remove Snap-ins screen.
  • Press OK.

Enrolling the certificate

  • Expand the Certificates folder.
  • Expand the Personal folder, right-click Certificates and select All Tasks > Advanced Options > Create Custom Request.
  • Click Next on the Before you begin screen.
  • On the Select Certificate Enrollment Policy screen, select Proceed without enrollment policy and press Next.
  • On the Custom request screen, keep the default values selected and press Next.
  • On the Certificate information screen, expand Details and press the Properties button.
  • Enter the following information for Certificate Properties:

    General tab
      • Friendly name: enter a friendly name that reflects the server and its purpose.
      • Description (optional): enter a description of the certificate.
    Subject tab
      • Subject name > Type: select Common name from the dropdown.
      • Subject name > Value: enter the IP address of the server, then press Add.
      • Alternative name > Type: select DNS from the dropdown.
      • Alternative name > Value: enter the server name, then press Add.
    Extensions tab
      • Extended key usage: select Server Authentication and press Add, then select Client Authentication and press Add.
    Private Key tab
      • Key options: select 1024 from the Key options dropdown.
      • Enable the Make private key exportable checkbox.
      • Select Hash Algorithm: select sha1 from the Select Hash Algorithm dropdown.
      • NOTE: 1024-bit RSA keys and SHA-1 signatures are deprecated. If every peer in the environment supports it, select 2048 (or larger) and sha256 instead; the remaining steps are unchanged.
  • Press Apply and then press OK.
  • Press Next on the Certificate information screen.
  • Name the file with a .cer file extension, and verify the Base 64 radio button is selected.
  • Press Finish.

Verifying the certificate enrollment

  • Expand the Certificates folder.
  • Expand the Certificate Enrollment Requests folder.
  • Select Certificates.
  • Verify the certificate displays in the center panel.

Adding the certificate to Trusted Root Authority

  • Right-click on the certificate and select Copy.
  • Expand Trusted Root Certification Authorities.
  • Right-click Certificates and select Paste.
  • Expand Personal.
  • Right-click Certificates and select Paste.
  • Double-click the certificate.
  • Open the Certification Path tab and verify the Certificate Status is OK.

Enabling SIPS/SRTP in Avaya Session Manager

Copying the voice platform certificate to Session Manager

  • On the home page of the System Manager web console, click Services > Inventory > Manage Elements.
  • Select a Session Manager instance.
  • Click More Actions > Manage Trusted Certificates.
  • On the Trusted Certificates page, click Add.
  • To import a certificate from a file:
    • Select the Import from file radio button.
    • Click Browse and locate the file.
    • Click Retrieve Certificate.
    • Click Commit.
  • To import a certificate in PEM format:
    • Select the Import as PEM Certificate radio button.
    • Locate the PEM certificate (certificate.pem from the voice platform).
    • Open the certificate in a text editor such as Notepad.
    • Copy the entire contents of the file. You must include the start and end markers: "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
    • Paste the contents of the file in the box provided.
    • Click Commit.

Enabling SIPS and SRTP in the voice platform

Enable SIPS and SRTP in the voice platform management system.

  • Navigate to Configuration > Holly Configuration.
  • Select Audio Provider SIP from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the tab for the selected pool (pool<PoolName>) is selected.
  • Locate the following components and update their values:

    siplistenport
      • Description: Primary SIP port used for incoming SIP requests over UDP or TCP.
      • Updated value: 5060
      • The IVG installer process automatically configures port 5060. Using a different port requires the port to be configured manually.

    siplistenport2
      • Description: Secondary SIP port used for incoming SIP requests over UDP or TCP.
      • Updated value: 5070
      • Port 5070 is the recommended port number, but any available port number can be used. The port used must be configured manually.

    siptransport
      • Description: List of transport protocols enabled by the voice platform. The order of the protocols determines the protocol preference.
      • Updated value: tls,tcp,udp
      • TLS is preferred with this value, but tcp and udp stay enabled, so cleartext SIP is still accepted on siplistenport and siplistenport2. Remove them only once every peer can use TLS.

    srtpsupport
      • Description: Determines SRTP behavior for inbound and outbound calls.
      • Updated value: 2
      • VHT engineers recommend the value 2, which produces the following behavior:
        • Allows inbound calls using SRTP.
        • Enables SRTP on outbound calls that use TLS.

    tlslistenport
      • Description: Primary TLS port used for incoming SIPS requests over TLS.
      • Updated value: 5061
      • The IVG installer process automatically configures port 5061. Using a different port requires the port to be configured manually.

    tlslistenport2
      • Description: Secondary TLS port used for incoming SIPS requests over TLS.
      • Updated value: 5071
      • Port 5071 is the recommended port number, but any available port number can be used. The port used must be configured manually.

  • Select OpenSSL from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the tab for the selected pool (pool<PoolName>) is selected.
  • Locate the following components and update their values:

    sslcafile
      • Description: Path of the PEM certificate file the voice platform uses to authenticate the SIP peer. The file is read when the voice platform processes start, and its contents are used for two-way (mutual) authentication.
      • Updated value: /export/home/[hollyusername]/etc/VoicePlatformCertificate.pem
        • hollyusername - holly user name configured in the IVG installer.
        • VoicePlatformCertificate.pem - name of the voice platform certificate file.

    sslverify
      • Description: Enables verification of the certificate presented by the SSL/TLS peer. Keep it enabled; without peer verification an impersonating SIP peer is accepted even though the connection is encrypted.
      • Updated value: 1

  • Navigate to Configuration > Holly Configuration.
  • Select Holly Call Control from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Locate the hvpendpoint parameter and enter the value !(sipbindhost.sip_ap).
  • Restart IVG for the changes to take effect.

IMPORTANT

Without restarting IVG, the SIPS and SRTP protocols are not enabled.

Generating the voice platform self-signed certificates

The IVG installer process generates a private key, a self-signed certificate, and the public key for the voice platform, and stores them in the /export/home/holly/etc directory. Restrict privatekey.pem to the holly user: anyone who can read it can impersonate the voice platform to Session Manager.

The certificate and key file names are set in /export/home/holly/httpd/conf. The following parameters produce the certificate.pem and privatekey.pem files:

Parameter                  Key              Value
httpscertificatefilename   certificate.pem  server.cert
httpsprivatekeyfilename    privatekey.pem   server.key

IMPORTANT

New IVG installations must add the newly generated voice platform certificate to Session Manager.

Copying and adding the Session Manager certificate file to the voice platform

Retrieve the certificate that Session Manager presents, and combine it with the voice platform certificate into a single PEM file on the voice platform.

  • Open a Linux shell on the voice platform and change to the holly user's etc directory.
  • Run the following command:
openssl s_client -connect ContactCenterServer:ContactCenterPortNumber
  • ContactCenterServer - the IP address of the Session Manager server
  • ContactCenterPortNumber - the TLS port of the Session Manager server (5061 by default)
  • Copy the certificate from the output, from the BEGIN CERTIFICATE line through the END CERTIFICATE line, including both marker lines.
    • s_client shows whatever certificate arrived over the network. Before trusting it, compare its fingerprint with the one recorded for the Session Manager certificate; a certificate that differs must not be added to the voice platform.
  • Paste the contents of the certificate in a text editor, and save the certificate with a .pem file extension. For example, platform-ca.pem.
  • Run the following command to verify the certificate file was created:
ls -l *.pem
  • Run the following command to log in as the holly user:
su - holly
  • Run the following command to change to the holly user's etc directory:
cd etc
  • Run the following command to append the IVG voice platform certificate to the file, so that platform-ca.pem contains both certificates:
cat certificate.pem >> platform-ca.pem
  • certificate.pem - name of the IVG voice platform certificate file.
  • platform-ca.pem - name of the file holding the Session Manager certificate, saved above.

Cisco SSL/TLS setup

Secure Sockets Layer (SSL)/Transport Layer Security (TLS), SIP Secure (SIPS) and Secure RTP (SRTP) are enabled and configured during the Interactive Voice Gateway (IVG) installer process. SSL/TLS can also be enabled after installation through the voice platform, after which the SIPS and SRTP protocols can be configured as described below.

Enabling SSL/TLS in the voice platform

  • Navigate to Configuration > Holly Configuration.
  • Select OpenSSL from the Component dropdown.
  • Select the Pool.
    • TIP: The default pool name is holly.
  • Determine the ciphers the voice platform's OpenSSL build supports by running the following Linux command:
openssl ciphers -v
  • In sslciphers, enter the OpenSSL cipher string.
    • For example: "HIGH:DES:MD5:AES256-SHA256"
    • NOTE: This example string enables DES and MD5, both of which are obsolete. For a production deployment exclude them by prefixing the token with an exclamation mark (for example !DES:!MD5), and keep only cipher suites the contact center side also supports.
  • In ssloptions, enter the protocol versions to disable, chosen from the following list:
    • no_sslv2
    • no_sslv3
    • no_tlsv1
    • no_tlsv1_1
    • no_tlsv1_2

For example, to accept only TLS 1.2, the string would read: no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1

Escape the separator (,) with a backslash (\) when listing multiple ssloptions. For example:

  • no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1\, no_tlsv1_2
    • This line only illustrates the escaping. Entered as-is it disables every listed protocol version, including TLS 1.2, and leaves nothing for a peer to negotiate.
  • Restart IVG for the changes to take effect.

Without restarting IVG, the TLS protocol is not enabled.
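The three Enabling SSL/TLS procedures on this page (Genesys, Avaya and Cisco) all end with the same two free-text fields, and a mistake in either one (a dropped underscore such as "notlsv1_1", a comma that was not escaped, or a leftover DES or MD5 token in the cipher string) is only noticed after the restart, when a peer fails to connect. The following Python script is an added example, not part of the IVG product or of this guide: it checks an sslciphers/ssloptions pair before IVG is restarted. The weak-cipher token list is a general OpenSSL list assumed for the example, and the rule that ssloptions entries are separated by the escaped comma `\,` follows the description of the UI above.

```python
"""Lint the IVG OpenSSL component fields (sslciphers / ssloptions) before restarting IVG.

Added example; not part of the IVG product. It encodes the rules the guide states: the five
no_* protocol options, the '\\,' separator, and the TLS 1.2-only target configuration.
"""
from __future__ import annotations

# The protocol-disable options the guide lists for ssloptions.
KNOWN_OPTIONS = {"no_sslv2", "no_sslv3", "no_tlsv1", "no_tlsv1_1", "no_tlsv1_2"}
# All of these must be present for a TLS 1.2-only configuration.
REQUIRED_FOR_TLS12_ONLY = {"no_sslv2", "no_sslv3", "no_tlsv1", "no_tlsv1_1"}
# Cipher-string components that should never be enabled. Assumption: a generic OpenSSL
# weak-cipher list chosen for this example, not a list taken from the IVG documentation.
WEAK_CIPHER_TOKENS = {"DES", "3DES", "MD5", "RC4", "NULL", "aNULL", "eNULL",
                      "EXP", "EXPORT", "LOW", "MEDIUM", "ADH", "AECDH"}
# Separator between ssloptions entries: a comma escaped with a backslash, as the UI requires.
SEPARATOR = "\\,"


def lint_ssloptions(value: str) -> list[str]:
    """Return the problems found in an ssloptions string; an empty list means TLS 1.2-only."""
    problems: list[str] = []
    tokens = [t.strip() for t in value.split(SEPARATOR) if t.strip()]
    for token in tokens:
        if "," in token:
            problems.append(f"unescaped separator in {token!r}: write '\\,' between options")
        elif token not in KNOWN_OPTIONS:
            problems.append(f"unknown option {token!r}: not one of {sorted(KNOWN_OPTIONS)}")
    present = set(tokens)
    missing = REQUIRED_FOR_TLS12_ONLY - present
    if missing:
        problems.append("legacy protocol versions still enabled; add " + ", ".join(sorted(missing)))
    if "no_tlsv1_2" in present:
        problems.append("no_tlsv1_2 is set, but TLS 1.2 is the version that must remain enabled")
    return problems


def lint_sslciphers(value: str) -> list[str]:
    """Return the cipher-string entries that enable a weak cipher, key exchange or digest."""
    problems: list[str] = []
    for entry in (e.strip() for e in value.split(":")):
        if not entry or entry[0] in "!-":
            continue  # '!X' and '-X' remove X from the list, which is what we want for weak tokens
        name = entry.lstrip("+")  # '+X' only moves X to the end of the list; it stays enabled
        components = set(name.split("-")) | {name}  # AES256-SHA256 -> {AES256, SHA256, AES256-SHA256}
        hit = components & WEAK_CIPHER_TOKENS
        if hit:
            problems.append(f"{entry!r} enables weak {', '.join(sorted(hit))}; use !{name} instead")
    return problems


def lint_openssl_component(sslciphers: str, ssloptions: str) -> dict[str, list[str]]:
    """Lint both fields; the configuration is acceptable when every list is empty."""
    return {"sslciphers": lint_sslciphers(sslciphers),
            "ssloptions": lint_ssloptions(ssloptions)}


if __name__ == "__main__":
    # Constructed inputs: the guide's own example cipher string, plus an ssloptions value with
    # the typo "notlsv1_1" (for "no_tlsv1_1") that would leave TLS 1.1 enabled.
    report = lint_openssl_component("HIGH:DES:MD5:AES256-SHA256",
                                    "no_sslv2\\, no_sslv3\\, no_tlsv1\\, notlsv1_1")
    for field, issues in report.items():
        for issue in issues:
            print(f"{field}: {issue}")
    # A hardened pair that passes: weak tokens excluded, everything below TLS 1.2 disabled.
    clean = lint_openssl_component("HIGH:!aNULL:!MD5:!DES:!3DES",
                                   "no_sslv2\\, no_sslv3\\, no_tlsv1\\, no_tlsv1_1")
    assert clean == {"sslciphers": [], "ssloptions": []}
```

Run it with the exact strings you intend to paste into the two fields; only a report with both lists empty should be followed by the IVG restart. After the restart, confirm the result from another host by connecting to tlslistenport with TLS 1.0 and TLS 1.1 forced (each attempt should be refused) and with TLS 1.2 (which should complete the handshake).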

Configuring SIPS and SRTP in the voice platform

After SSL/TLS is enabled, configure the SIP Secure (SIPS) and Secure RTP (SRTP) protocols as follows.

Configuring SIPS and SRTP in the platform management system

After adding the certificate file, enable SIPS and SRTP in the voice platform management system.

  • Navigate to Configuration > Holly Configuration.
  • Select Audio Provider SIP from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the tab for the selected pool (pool<PoolName>) is selected.
  • Locate the following components and update their values:

    siplistenport
      • Description: Primary SIP port used for incoming SIP requests over UDP or TCP.
      • Updated value: 5060
      • The IVG installer process automatically configures port 5060. Using a different port requires the port to be configured manually.

    siplistenport2
      • Description: Secondary SIP port used for incoming SIP requests over UDP or TCP.
      • Updated value: 5070
      • Port 5070 is the recommended port number, but any available port number can be used. The port used must be configured manually.

    siptransport
      • Description: List of transport protocols enabled by the voice platform. The order of the protocols determines the protocol preference.
      • Updated value: tls,tcp,udp
      • TLS is preferred with this value, but tcp and udp stay enabled, so cleartext SIP is still accepted on siplistenport and siplistenport2. Remove them only once every peer can use TLS.

    srtpsupport
      • Description: Determines SRTP behavior for inbound and outbound calls.
      • Updated value: 2
      • VHT engineers recommend the value 2, which produces the following behavior:
        • Allows inbound calls using SRTP.
        • Enables SRTP on outbound calls that use TLS.

    tlslistenport
      • Description: Primary TLS port used for incoming SIPS requests over TLS.
      • Updated value: 5061
      • The IVG installer process automatically configures port 5061. Using a different port requires the port to be configured manually.

    tlslistenport2
      • Description: Secondary TLS port used for incoming SIPS requests over TLS.
      • Updated value: 5071
      • Port 5071 is the recommended port number, but any available port number can be used. The port used must be configured manually.

  • Select OpenSSL from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the tab for the selected pool (pool<PoolName>) is selected.
  • Locate the following components and update their values:

    sslcafile
      • Description: Path of the PEM certificate file the voice platform uses to authenticate the SIP peer. The file is read when the voice platform processes start, and its contents are used for two-way (mutual) authentication.
      • Updated value: /export/home/[hollyusername]/etc/VoicePlatformCertificate.pem
        • hollyusername - holly user name configured in the IVG installer.
        • VoicePlatformCertificate.pem - name of the voice platform certificate file.

    sslverify
      • Description: Enables verification of the certificate presented by the SSL/TLS peer. Keep it enabled; without peer verification an impersonating SIP peer is accepted even though the connection is encrypted.
      • Updated value: 1

  • Navigate to Configuration > Holly Configuration.
  • Select Holly Call Control from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Locate the hvpendpoint parameter and enter the value !(sipbindhost.sip_ap).
  • Restart IVG for the changes to take effect.

Without restarting IVG, the SIPS and SRTP protocols are not enabled.

Adding the voice platform and contact center certificates

Generating the voice platform self-signed certificates

The IVG installer process generates a private key, a self-signed certificate, and the public key for the voice platform, and stores them in the /export/home/holly/etc directory. Restrict privatekey.pem to the holly user: anyone who can read it can impersonate the voice platform to the contact center.

The certificate and key file names are referenced in the values of the httpscertificatefilename and httpsprivatekeyfilename parameters.

Copying and adding a certificate file to the voice platform

Retrieve the certificate that the contact center server presents, and combine it with the voice platform certificate into a single PEM file on the voice platform.

  • Open a Linux shell on the voice platform and change to the holly user's etc directory.
  • Run the following command:
openssl s_client -connect ContactCenterServer:ContactCenterPortNumber
  • ContactCenterServer - the IP address of the contact center server
  • ContactCenterPortNumber - the TLS port of the contact center server
  • Copy the certificate from the output, from the BEGIN CERTIFICATE line through the END CERTIFICATE line, including both marker lines.
    • s_client shows whatever certificate arrived over the network. Before trusting it, compare its fingerprint with the one recorded on the contact center server; a certificate that differs must not be added to the voice platform.
  • Paste the contents of the certificate in a text editor, and save the certificate with a .pem file extension. For example, platform-ca.pem.
  • Run the following command to verify the certificate file was created:
ls -l *.pem
  • Run the following command to log in as the holly user:
su - holly
  • Run the following command to change to the holly user's etc directory:
cd etc
  • Run the following command to append the IVG voice platform certificate to the file, so that platform-ca.pem contains both certificates:
cat certificate.pem >> platform-ca.pem
  • certificate.pem - name of the IVG voice platform certificate file.
  • platform-ca.pem - name of the file holding the contact center certificate, saved above.
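The three "Copying and adding" procedures on this page (Genesys SIP Server, Avaya Session Manager and Cisco) paste whatever `openssl s_client` printed into platform-ca.pem and then append certificate.pem with `cat >>`. That appends a duplicate every time the procedure is rerun, and nothing in the procedure checks that the certificate received over the network is the one the contact center administrator actually created. The following Python script is an added example, not IVG code: it extracts the PEM block(s) from saved s_client output, de-duplicates by SHA-256 fingerprint, optionally compares the SHA-1 fingerprint with the Thumbprint shown in mmc on the contact center server, and returns the merged bundle. The s_client output and the certificate bytes inside it are constructed for the example and are not a real X.509 certificate; the host name and the output path in the comments are placeholders.

```python
"""Merge certificates retrieved with `openssl s_client` into the voice platform trust bundle.

Added example; not IVG code. Replaces the manual copy/paste plus `cat certificate.pem >>
platform-ca.pem` step with a de-duplicating merge that can check the contact center
certificate's thumbprint before the certificate is trusted.
"""
from __future__ import annotations
import base64
import hashlib
import re

# Every PEM certificate block; the handshake chatter s_client prints around it is ignored.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def extract_der_certs(text: str) -> list[bytes]:
    """Return the DER bytes of each certificate in `text` (raw s_client output or a PEM file)."""
    certs = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())                         # drop line breaks and indentation
        certs.append(base64.b64decode(b64, validate=True))  # binascii.Error on a corrupt paste
    return certs


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER encoding (sha1 = the mmc Thumbprint)."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algorithm, der).digest())


def _hex_only(value: str) -> str:
    """Normalise a fingerprint copied from mmc or openssl: keep hex digits only, upper-case."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def thumbprint_matches(der: bytes, expected_sha1: str) -> bool:
    """Compare with a thumbprint copied from mmc, tolerating its spaces, colons and lower case."""
    return _hex_only(fingerprint(der, "sha1")) == _hex_only(expected_sha1)


def to_pem(der: bytes) -> str:
    """Canonical PEM encoding: 64-character lines and a trailing newline."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def merge_bundle(bundle: str, new_text: str, expected_sha1: str | None = None) -> tuple[str, list[str]]:
    """Append the certificates in `new_text` to `bundle`, skipping ones already present.

    s_client returns whatever certificate the network delivered, so when `expected_sha1`
    (the Thumbprint read from mmc on the contact center server) is given, a certificate
    that does not match it is rejected instead of being trusted.
    Returns the merged bundle and the SHA-256 fingerprints that were added."""
    have = {fingerprint(d) for d in extract_der_certs(bundle)}
    out = bundle if not bundle or bundle.endswith("\n") else bundle + "\n"
    added: list[str] = []
    for der in extract_der_certs(new_text):
        if expected_sha1 is not None and not thumbprint_matches(der, expected_sha1):
            raise ValueError(f"thumbprint mismatch, not trusting: {fingerprint(der, 'sha1')}")
        fp = fingerprint(der)
        if fp in have:
            continue            # already in the bundle; a second `cat >>` would duplicate it
        have.add(fp)
        added.append(fp)
        out += to_pem(der)
    return out, added


# Constructed sample: the bytes are NOT a real X.509 certificate, just a stand-in wrapped in
# PEM markers inside output shaped like `openssl s_client -connect sipserver.example.net:5061`.
SAMPLE_DER = b"constructed test bytes standing in for a DER-encoded certificate"
SAMPLE_SCLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = sipserver.example.net\n"
    "verify error:num=18:self signed certificate\n"
    "---\n"
    "Certificate chain\n"
    " 0 s:CN = sipserver.example.net\n"
    "   i:CN = sipserver.example.net\n"
    "---\n"
    "Server certificate\n"
    + to_pem(SAMPLE_DER)
    + "subject=CN = sipserver.example.net\n"
    "issuer=CN = sipserver.example.net\n"
    "---\n"
)

if __name__ == "__main__":
    bundle, added = merge_bundle("", SAMPLE_SCLIENT_OUTPUT)
    print(f"added {len(added)} certificate(s): {added}")
    # Rerunning the merge is idempotent, unlike `cat certificate.pem >> platform-ca.pem`.
    bundle2, added2 = merge_bundle(bundle, SAMPLE_SCLIENT_OUTPUT)
    assert added2 == [] and bundle2 == bundle
    # On the voice platform, write `bundle` to the file named in sslcafile (placeholder path):
    # open("/export/home/holly/etc/platform-ca.pem", "w").write(bundle)
```

On a real deployment, save the s_client output to a file, read it as `new_text`, pass the existing platform-ca.pem contents as `bundle`, and pass the Thumbprint copied from the certificate's Details tab in mmc as `expected_sha1`; the voice platform's own certificate.pem can be merged through the same function so the resulting file holds both certificates exactly once.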