Sorry to hear your pain -- it's the same story I've heard from at least a dozen members from our own local IAUG chapter, let alone people I've met elsewhere.
SIP in the Avaya world is pretty much another phone system. You now need to introduce a bunch of additional components for signaling (Session Manager), programming (System Manager), and security (SBC), just to get going.
So, first questions first -- do you have the Avaya Session Border Controller (or another brand) in place yet? If you are dealing with mobile devices or softphones, you really should point them through that. You /technically/ can point these devices directly to your Session Managers, but I will say it will get difficult, and fast (mostly dealing with the certs piece). Putting an SBC in place allows you to set a demarcation point between devices you own (like SIP hardphones and media gateways) and devices you don't (iOS, Android, and Windows devices). Even if your org owns those devices -- pretend you don't, because updates are pushed from the stores and features are generally derived from the devices and not your policies.
The easiest path to getting those devices connecting to your system is via a 3rd party certificate that the devices already trust. You can get certs from Network Solutions, for example (I don't recommend them, but their certs are widely deployed and trusted everywhere already). Pretty much any place you can buy an SSL cert should be fine. Expect to spend between $30 - $100 a year, depending on the vendor. 1,000ft view, you create a CSR in the Certificates section of the SBCE, give that CSR file to your SSL cert vendor, they generate a certificate for you, and you then import that into the SBCE. On the SBCE you would then assign that certificate to the signaling and media interfaces that your clients are connecting to. Once you have that in place, you shouldn't need to do anything else to have your iOS/Android/Windows/Mac devices connect to you securely.
On the inside, you can technically still use the demo certs (since you control the devices 100%). I wouldn't recommend it, since I can walk into your network, and in about 6 seconds start to decrypt and listen to all your voice calls. Even better, I could redirect calls to automated recorders, etc.... you get the idea. The path of least resistance on the "inside" of your network is to use the "CA" or Certificate Authority portion of System Manager to generate certs. 1,000ft view of that is: you set up the CA on SMGR. You deploy the "root" cert on /ALL/ SIP aware devices (you need to do this first, and it's not service affecting). You then go around to each device, generate a CSR, upload that to SMGR's CA function, and it spits out the cert that is trusted. You then switch out the demo cert on each device with the one that SMGR generated for that device (that part is service affecting, but only to that device). Once that's done, you set a calendar entry for 5 years from now to do the same process over again.
Now you don't have to use SMGR to generate the certs -- you can use 3rd party certs for all of your internal stuff ($$$$), you can have your IT department generate internal certs using Windows, Linux or really any other way they do it (a lot more pieces involved), or I'm sure there is some other method I'm not thinking about right now. By the way, if you don't use an SBCE, you really only have two options -- deploy 3rd party certs on ALL of your internal devices ($$ x devices x years), or you can load your internal root cert on all of your BYOD devices -- which is not for the faint of heart.
So -- 1,000ft view to get you started. If you want more info, let us know. I'll also be doing a 3-4 hour bootcamp at the 2020 IAUG conference in February, where I will cover all the stuff above, plus some configuration steps to get you to the point you are deploying certs.
------------------------------
Nick Kwiatkowski
Michigan State University
------------------------------
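The internal-CA flow in the reply above (set up a CA, push its root cert to every SIP-aware device, then sign one CSR per device and replace the demo cert) can be walked through with plain openssl so the trust relationships are visible before doing it in SMGR. The script below is an added illustration, not code from the post or from Avaya's products: it stands in a hypothetical SMGR-style root CA, signs a CSR for a placeholder device hostname, shows that a self-signed "demo" certificate has no path to the root (which is the failure the iOS clients are hitting), and checks the 5-year expiry window the reply mentions. All file names, the working directory and the hostname are constructed for the example.

```shell
#!/bin/sh
# Added illustration of the internal-CA workflow described in the reply.
# Not the post's code and not an SMGR/SBCE procedure; uses openssl only.
# Names, paths and the device hostname below are constructed placeholders.

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# Step 1: create the internal root CA (the role SMGR's CA plays).
# 1825 days = 5 years, matching the calendar reminder in the reply.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" \
        -subj "/CN=Example Internal Root CA" >/dev/null 2>&1
}

# Step 2: on each device, generate a private key and a CSR.
# The key never leaves the device; only the CSR goes to the CA.
make_device_csr() {
    host="$1"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
}

# Step 3: at the CA, sign the CSR. A subjectAltName is added because
# modern TLS clients match the hostname against the SAN, not the CN.
sign_device_csr() {
    host="$1"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
        "$host" > "$WORK/$host.ext"
    openssl x509 -req -sha256 -days 1825 -in "$WORK/$host.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" >/dev/null 2>&1
}

# What a client that has the root cert installed actually does: build a
# chain from the presented cert up to a trusted root. Prints ok or fail.
verify_against_root() {
    if openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# A self-signed stand-in for a vendor "demo" cert: nobody issued it, so
# no client with only the root installed can build a chain to it.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/demo.key" -out "$WORK/demo.crt" \
        -subj "/CN=demo" >/dev/null 2>&1
}

# Expiry check for the renewal reminder: prints yes if the cert
# expires within the given number of seconds, otherwise no.
expires_within() {
    if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# Stand-alone run with a constructed device name.
DEVICE="sip-phone-01.example.internal"
make_root_ca
make_device_csr "$DEVICE"
sign_device_csr "$DEVICE"
make_demo_cert
echo "CA-signed device cert: $(verify_against_root "$WORK/$DEVICE.crt")"
echo "self-signed demo cert: $(verify_against_root "$WORK/demo.crt")"
echo "device cert expires within 4 years: $(expires_within "$WORK/$DEVICE.crt" 126144000)"
echo "device cert expires within 6 years: $(expires_within "$WORK/$DEVICE.crt" 189216000)"
```

The two verify lines are the whole point: the same `openssl verify -CAfile root.crt` that succeeds for the CA-issued device cert fails for the self-signed one, which is why a root cert has to be deployed to every device first and why a demo cert from an unknown issuer is rejected by clients that no longer accept it. Replacing `root.crt` with a public CA's bundle models the external-SBCE case, where the devices already carry the root and nothing needs to be pushed to them.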
Original Message:
Sent: 11-12-2019 06:38 PM
From: James Davis
Subject: The Best Way to Understand Avaya PKI Certificates
So I am at my wits end here... we have had Avaya in our environment for a very long time, and I have been extremely comfortable with almost everything they have thrown our way.
But a few years ago, we introduced SIP in our environment, and at that time we were introduced to the PKI Certificates that make up the new security strategy. No one in my telecom group, including myself, knew anything about PKI Certificates other than it made the HTTPS websites work... so as a last resort the BP installed Demo Certs and went on their merry way.
Now we are faced with some hurdles that my PKI-feeble mind can't seem to figure out. How do we path our way out of the Demo Certs, and into another PKI Strategy that makes sense for us? Right now, we have lost the ability to use Equinox Clients on iOS because as of iOS release 13, the Demo Cert is no longer supported (And I totally get why). So what are the next steps here?
And that is what I am struggling with: what are the next steps? We don't have an in-house CA (We use 3rd Party CAs for outward facing connections, and self signed for internal server to server connections). So that seems to lead us to using the SMGR as the Self Signing CA, but I have not figured out how to do that and use it in that manner.
I was hoping that the new Avaya Class of 20940W would help me, but it just confused me more.
So I am hoping someone here can water this down, and use crayons for me to paint me a picture on what the next steps look like.
Anyone else here in the same struggle? Has anyone here overcome this struggle, and would be willing to share some pointers and feedback, maybe even hold a running dialog here?
Thanks,
------------------------------
James Davis
Voice and Data Senior Engineer
University of Nebraska Medical Center
Omaha NE
------------------------------