Unified Communications

  • 1.  The Best Way to Understand Avaya PKI Certificates

    Posted 11-12-2019 05:38 PM

    So I am at my wits' end here... we have had Avaya in our environment for a very long time, and I have been extremely comfortable with almost everything they have thrown our way.

    But a few years ago, we introduced SIP in our environment, and at that time we were introduced to the PKI Certificates that make up the new security strategy. No one in my telecom group, including myself, knew anything about PKI Certificates other than that they made the HTTPS websites work... so as a last resort the BP installed Demo Certs and went on their merry way.

    Now we are faced with some hurdles that my PKI-feeble mind can't seem to figure out. How do we path our way out of the Demo Certs, and into another PKI Strategy that makes sense for us? Right now, we have lost the ability to use Equinox Clients on iOS because as of iOS release 13, the Demo Cert is no longer supported (And I totally get why). So what are the next steps here?

    And that is what I am struggling with: what are the next steps? We don't have an in-house CA (We use 3rd Party CAs for outward facing connections, and self-signed for internal server to server connections). So that seems to lead us to using the SMGR as the Self Signing CA, but I have not figured out how to do that and use it in that manner.

    I was hoping that the new Avaya Class of 20940W would help me, but it just confused me more.

    So I am hoping someone here can water this down, and use crayons for me to paint me a picture on what the next steps look like.

    Anyone else here in the same struggle? Has anyone here overcome this struggle, and would be willing to share some pointers and feedback, maybe even hold a running dialog here?

    Thanks,



    ------------------------------
    James Davis
    Voice and Data Senior Engineer
    University of Nebraska Medical Center
    Omaha NE
    ------------------------------


  • 2.  RE: The Best Way to Understand Avaya PKI Certificates

    Posted 11-13-2019 07:44 AM
    Sorry to hear your pain -- it's the same story I've heard from at least a dozen members from our own local IAUG chapter, let alone people I've met elsewhere.

    SIP in the Avaya world is pretty much another phone system.  You now need to introduce a bunch of additional components for signaling (Session Manager), programming (System Manager), and security (SBC), just to get going.  

    So, first questions first -- do you have the Avaya Session Border Controller (or another brand) in place yet?  If you are dealing with mobile devices or softphones, you really should point them through that.  You /technically/ can point these devices directly to your Session Managers, but I will say it will get difficult and fast (mostly dealing with the certs piece).  Putting an SBC in place allows you to set a demarcation point between devices you own (like SIP hardphones and media gateways) and devices you don't (iOS, Android, and Windows devices).  Even if your org owns those devices -- pretend you don't, because updates are pushed from the stores and features are generally derived from the devices and not your policies.

    The easiest path to getting those devices connecting to your system is via a 3rd party certificate that the devices already trust.  You can get certs from Network Solutions, for example (I don't recommend them, but their certs are widely deployed and trusted everywhere already).  Pretty much any place you can buy an SSL cert should be fine.  Expect to spend between $30 - $100 a year, depending on the vendor.  1,000ft view, you create a CSR in the Certificates section of the SBCE, give that CSR file to your SSL cert vendor, they generate a certificate for you, and you then import that into the SBCE.  On the SBCE you would then assign that certificate to the signaling and media interfaces that your clients are connecting to.  Once you have that in place, you shouldn't need to do anything else to have your iOS/Android/Windows/Mac devices connect to you securely.

    On the inside, you can technically still use the demo certs (since you control the devices 100%).  I wouldn't recommend it, since I can walk into your network, and in about 6 seconds start to decrypt and listen to all your voice calls.  Even better, I could redirect calls to automated recorders, etc.... you get the idea.  The path of least resistance on the "inside" of your network is to use the "CA" or Certificate Authority portion of System Manager to generate certs.  1,000ft view of that is: you set up the CA on SMGR.  You deploy the "root" cert on /ALL/ SIP aware devices (you need to do this first, and it's not service affecting). You then go around to each device, generate a CSR, upload that to SMGR's CA function, and it spits out the cert that is trusted.  You then switch out the demo cert on each device with the one that SMGR generated for that device (that part is service affecting, but only to that device).  Once that's done, you set a calendar entry for 5 years from now to do the same process over again.

    Now you don't have to use SMGR to generate the certs -- you can use 3rd party certs for all of your internal stuff ($$$$), you can have your IT department generate internal certs using Windows, Linux or really any other way they do it (a lot more pieces involved), or I'm sure there is some other method I'm not thinking about right now.  By the way, if you don't use an SBCE, you really only have two options -- deploy 3rd party certs on ALL of your internal devices ($$ x devices x years), or you can load your internal root cert on all of your BYOD devices -- which is not for the faint of heart.  

    So -- 1,000ft view to get you started.  If you want more info, let us know.  I'll also be doing a 3-4 hour bootcamp at the 2020 IAUG conference in February, where I will cover all the stuff above, plus some configuration steps to get you to the point you are deploying certs.

    ------------------------------
    Nick Kwiatkowski
    Michigan State University
    ------------------------------



  • 3.  RE: The Best Way to Understand Avaya PKI Certificates

    Posted 11-13-2019 08:59 AM
    Thank you Nick for your response on this... 

    Yeah, it's been quite a trip for us: we moved from an old G3r to the CM Platform, then 6 years ago were forced to do SMGR/SM for some internal SIP Servers (i.e. IVRs, etc.), and we have dabbled in SIP endpoints. Now we find ourselves needing to go all in with SIP, and that is where our headache started.

    So for us, we are getting an Avaya SBC online to do both Remote Worker and SIP Trunking from a provider. Totally understand the need for certs for those connections, and we have been kicking around the idea of 3rd party for the Remote Worker endpoints.

    In the meantime, we have had a need come up for some sort of WiFi phone that can be deployed on an inexpensive Android (or iOS) device. The game plan was to use One-X Mobile (This was before Avaya pulled it), then we shifted gears to Equinox. All seemed to work fine, until the iOS device was updated to release 13, and it no longer accepted the Demo Cert. We just found out that Equinox will ignore the TCP setting internally if it receives a TLS setting via PPM, and turning off TLS on the Session Manager is not in the cards for us (Which it should be anyway).

    We were hoping (still are) to maintain this in-house WiFi phone directly on our Session Managers, and not include the SBC, but we have to get over the cert issue.

    So now we are trying to figure out all the pieces of this puzzle, and really coming up short. Avaya documents are scattered about on this topic; they offer a class now (Web based) and it's not that good IMO. We talk to our IT Security folks and Server teams, and although they know and do a good job with their Certificates, they seem to look at us like we have 3 heads when we ask their advice for doing certificates on the Avaya platform, basically the whole "I don't know telecom stuff"... and don't even get me started with SCEP, that seems like a great idea for SIP Hardphones, but who is the foremost expert at setting that up?

    So your bootcamp, is that one of the Pre-Conference workshops? I would be interested in going, and even more so picking your brain on some of these topics if you are willing?

    Thanks again!

    ------------------------------
    James Davis
    Voice and Data Senior Engineer
    University of Nebraska Medical Center
    Omaha NE
    ------------------------------



  • 4.  RE: The Best Way to Understand Avaya PKI Certificates

    Posted 11-13-2019 09:53 AM
    I would still highly recommend putting your iOS devices through the SBCE, if at all possible. The SBCE has the ability to manipulate headers, sanitize traffic, etc., all stuff that will get you out of a jam if and when Avaya makes a change to the client (and you aren't on the absolute latest and greatest CM version to match).  The other thing is because the SBCE can proxy all the traffic, you only have to manage one public cert -- meaning you can do that one cert the "right" way and be insulated from new rules Apple puts out on a whim, without changing your whole infrastructure.

    I was consulting with an insurance company that decided to directly register all of their softphones to ASM.  Apple made a change in one of their monthly updates that blacklisted one of the crypto-algorithms that was included in a cert they were using for all of their Avaya equipment.  Over a weekend they had to touch every device and swap out the certs with new ones because their softphones would not accept traffic from the old ones.  (Meaning some calls worked, some didn't, sometimes they got just dead air).

    As far as getting your infrastructure to use System Manager as the "Certificate Authority", there are quite a few steps involved:
     - Set up SMGR as a new CA
     - Distribute your new root certificate to ALL of your devices that speak SIP.  This is done automatically for SMGR, ASM and Breeze.  It's a manual process for all others, including AES, CM, Voicemail, IVRs, SBCs, and endpoints.
     - One-by-one, enroll devices into your Certificate Authority.  This involves generating a CSR at each device, importing that CSR into System Manager, downloading the cert from System Manager, pushing it to each device, and then telling each device to start to use that cert.

    A good video that shows steps 2 and 3 for the AES is here: https://www.youtube.com/watch?v=7iC76XvyVu4 (similar process for all other devices -- just how you generate the CSR and import the certs is slightly different).
    Step one can be done by page 1189 on https://downloads.avaya.com/css/P8/documents/101058238

    As far as the bootcamp, it is one of the pre-conference workshops.

    ------------------------------
    Nick Kwiatkowski
    Director of Design and Engineering
    Michigan State University
    ------------------------------



  • 5.  RE: The Best Way to Understand Avaya PKI Certificates

    Posted 11-13-2019 10:57 AM

    @Nick Kwiatkowski, when you say set a calendar entry for five years out, I thought the new Apple and Android OS's won't trust certs that have expirations further out than two years, or some such?

    @James Davis, I hear you. This stuff has become a major headache for us traditional telecom types. Yes, the job has changed, and we need to change with it, and most of us (around IAUG at least) have absolutely done so. But you may be like me: a *very* small team managing lots of users and lots of projects. I just don't have an uninterrupted week to dive into this. This is where the business partners should come into play. If you hit me up offline I'll send you the name of the one we use for precisely these issues. They are a small outfit that subcontracts with many of the large Avaya BP's. You'll pay them, of course, but this honestly has been our only solution.




  • 6.  RE: The Best Way to Understand Avaya PKI Certificates

    Posted 11-13-2019 12:08 PM
    Chip -- Certificate Authorities that are automatically trusted by the browsers (like Network Solutions, GoDaddy, Namecheap, etc.) are not allowed to issue certs for more than 2 years.  You can always issue your own, but you need to manually import it.  Those should be trusted for the length of the cert, assuming that it doesn't become blacklisted, or one of the crypto-algorithms that it contains becomes blacklisted.

    ------------------------------
    Nick Kwiatkowski
    Michigan State University
    ------------------------------
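    The CSR-to-CA-to-device flow Nick lays out in posts 2 and 4, together with the point in post 6 about certificate lifetime and algorithms becoming blacklisted, can be walked through on any machine with the openssl command line. The script below is an added example written for this thread; it is not Avaya code and does not touch SMGR or the SBCE. A throw-away private root CA stands in for the System Manager CA, a device key and CSR stand in for a Session Manager (the CA name and the FQDN sm1.voice.example.test are made up), and a small checker tests each issued certificate for what an iOS 13-era client requires before it will accept a TLS server certificate: a DNS subjectAltName, a serverAuth extended key usage, an RSA key of at least 2048 bits, a SHA-2 signature, a validity period of no more than 825 days, and a chain to a root the client trusts. The 825-day figure is Apple's published limit for certificates issued after July 2019; the script issues one certificate inside it, one "5 years from now" certificate outside it, and one signed with SHA-1 to show what a blacklisted digest looks like to the checker.

```shell
#!/bin/sh
# Added example, not from the thread or from Avaya: a throw-away private CA
# standing in for the System Manager CA, one device CSR signed by it, and a
# checker for what an iOS 13-era TLS client requires of a server certificate.
set -eu

WORK="$(mktemp -d)"
CA_CN="Example SMGR Root CA"        # hypothetical CA name
DEV_FQDN="sm1.voice.example.test"   # hypothetical Session Manager FQDN
MAX_DAYS=825                        # Apple's per-certificate validity limit since iOS 13

# 1. Root CA: self-signed, 10 years. Its certificate is what gets pushed to every
#    SIP-aware device and client as a trust anchor; its key never leaves the CA.
make_root_ca() {
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -subj "/CN=$CA_CN" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Device side: the private key stays on the device, only the CSR travels to the CA.
make_device_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$DEV_FQDN" \
    -keyout "$WORK/dev.key" -out "$WORK/dev.csr" >/dev/null 2>&1
}

# 3. CA side: sign the CSR. $1 = validity in days, $2 = digest, $3 = output name.
#    The CA, not the requester, decides which SAN and EKU end up in the certificate.
sign_device_cert() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\nbasicConstraints=CA:FALSE\n' \
    "$DEV_FQDN" > "$WORK/dev.ext"
  openssl x509 -req -in "$WORK/dev.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -"$2" -days "$1" -extfile "$WORK/dev.ext" \
    -out "$WORK/$3.crt" >/dev/null 2>&1
}

# 4. Checker: prints every failed property, returns 0 only if all of them pass.
#    $1 = certificate to check, $2 = root CA certificate the client trusts.
check_cert() {
  cert="$1"; ca="$2"; rc=0
  text="$(openssl x509 -in "$cert" -noout -text)"
  bits="$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)"
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL key size ${bits:-?} < 2048"; rc=1; }
  printf '%s\n' "$text" | grep -Eq 'Signature Algorithm: sha(256|384|512)' \
    || { echo "FAIL signature digest is not SHA-2"; rc=1; }
  printf '%s\n' "$text" | grep -q 'DNS:' \
    || { echo "FAIL no DNS subjectAltName (CN alone is not matched)"; rc=1; }
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL no serverAuth extendedKeyUsage"; rc=1; }
  # -checkend exits 0 if the cert is still valid N seconds from now. For a cert
  # issued today that means its validity exceeds N, so exit 0 is a failure here.
  if openssl x509 -in "$cert" -noout -checkend $((MAX_DAYS * 86400)) >/dev/null; then
    echo "FAIL validity exceeds $MAX_DAYS days"; rc=1
  fi
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL does not chain to the trusted root"; rc=1; }
  return $rc
}

make_root_ca
make_device_csr
sign_device_cert 800  sha256 dev-ok      # inside the limit, with a little margin
sign_device_cert 1825 sha256 dev-5y      # the "calendar entry 5 years out" cert
# Some OpenSSL builds refuse to create SHA-1 signatures at all; tolerate that.
sign_device_cert 800  sha1   dev-sha1 || echo "dev-sha1: this OpenSSL will not sign with SHA-1"
for name in dev-ok dev-5y dev-sha1; do
  [ -f "$WORK/$name.crt" ] || continue
  if check_cert "$WORK/$name.crt" "$WORK/ca.crt"; then echo "$name: OK"; else echo "$name: rejected"; fi
done
```

    Run it as-is and dev-ok passes, dev-5y fails only the validity check, and dev-sha1 (where the local OpenSSL still signs with SHA-1) fails the digest check and, on newer OpenSSL builds, the chain check too. The same `check_cert` function works on a certificate exported from a real device: point it at the device cert and the root you have distributed, and it tells you before a client does which property a rollout is going to trip over.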



  • 7.  RE: The Best Way to Understand Avaya PKI Certificates

    Posted 01-17-2020 05:48 PM
    Edited by Adam Schuyler 01-18-2020 08:21 AM
    James,

    Admittedly this one was a tough one for me too. Ultimately we decided to go with 3rd party certs across the board for a few reasons...

    - Our security teams didn't want another CA in the Enterprise.
    - We get unlimited 3rd party certs with our agreement with our external CA so cost was not a factor.

    It's a big leap to adopt a cert strategy, but once you get your head around it, it's not as bad as it seems.

    For me personally I think the three most attractive options in order of my personal preference are:

    1. Use 3rd party certs across the board. The pro is here all iOS and Windows devices internally and externally will have the trusted chain so you won't have to worry about pushing your internal CA cert to mobile devices or desktops. The other nice thing with this option is you can use the same identity certificate for all of the functions on the other applications (Apache/Web, SIP, etc). The first go around is a little rough, but be heavily involved if you use a business partner and make sure you learn and understand the process end to end. 

    2. Use System Manager internally and an external 3rd party cert on the SBCE (note you would have to be allowed to push the SMGR CA Cert to all Windows PCs via group policy). The benefit here is the Avaya systems' auto-renewal (Session Manager, but you will still have to push the CA cert to phones and endpoints when it expires).

    3. Use your company internal PKI on the inside and 3rd party on the SBCE.

    In any scenario I wouldn't want the headache of trying to maintain pushing any internal CA certs (SMGR or internal PKI) to mobile devices, so no matter what path you choose, use an externally issued cert from one of the major CAs (Go Daddy, Digicert, etc.).

    DO NOT USE THE DEMO CERTS!

    Nick knows this stuff inside and out so his bootcamp is probably the best education you're going to find out there... Nick I agree with your statement in that when running SIP on Avaya you're almost running two phone systems. Once I realized the "SIP trunk" field on System Manager Communication Profile is adding an Off Premise Station Mapping in CM that became quite evident :) 

    Hope that helps from another perspective. I forced myself to go over and over the certificate implementation in my lab until it made sense from end to end. It is painful in the beginning and on the first renewal, but my opinion is we're at a point on the Aura platform where it's no longer optional to learn this stuff. Certificates aren't going away and I wouldn't be surprised if the Go Daddy and Digicert CAs of the world move to 12 month identity certificate validity in the next few years.

    Good luck gents!

    Adam

    ------------------------------
    Adam Schuyler
    Telecom Engineer
    Science Applications International Corporation
    Orlando FL
    ------------------------------



  • 8.  RE: The Best Way to Understand Avaya PKI Certificates

    Posted 01-17-2020 05:58 PM
    Also check out this webinar from David Lover, I think when I watched this is when the idea of the cert management really "clicked".

    https://www.youtube.com/watch?v=vl4zlkUzT5Q

    Adam

    ------------------------------
    Adam Schuyler
    Telecom Engineer
    Science Applications International Corporation
    Orlando FL
    ------------------------------