Avaya Knowledge - AES - How To Create A Certificate Authority CA From SMGR For AES and Test With TSAPI and DMCC SDKs PDF

10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with
om SMGR for AES and test with TSAPI and DMCC SDKs
Avaya Support Website Help
AES: How to create a Certificate Authority CA from SMGR for AES

and test with TSAPI and DMCC SDKs
Doc ID: SOLN284619
Version: 81.0
Status: Published
Published date: 25 Feb 2016
Updated: 05 May 2020
Author: David Barnhart
Details
Avaya has discontinued the use of self-signed certificates; therefore a fresh installation of AES 7.x no longer provides the certificate authority for clients to connect to
AES.
This article details and walks though the steps provided in PSN004561u (attached) using System Manager 7.0 as the CA and demonstrate testing with a TSAPI client
using a secure TLINK and the DMCC7.0 dot NET framework SDK dashboard. Possible Alarm certificates expiration.
How to create a Certificate Authority (CA) from.
***REPLACING AES CERTIFICATE CAN RESULT IN 3RD PARTY APPLICATION FAILURE IF A SECURE CONNECTION IS USED - FOR EXAMPLE THE AVAYA
CONTACT RECORDER (ACR) WILL NEED THE NEW AES CA CERTIFICATE EXPORTED TO THE ACR KEYSTORE AS IT USES A SECURE TSAPI
CONNECTION - IF NOT ALL CALL RECORDING WILL FAIL - ENSURE ALL APPLICATIONS CONNECTING TO THE AES DOCUMENTATION IS REVIEWED
AND OR CONTACT PRODUCT SUPPORT (AVAYA DOES NOT HAVE INSTRUCTIONS FOR UPDATING 3RD PARTY APPLICATIONS WITH NEW CERTIFICATES
CONTACT THE PRODUCT MANUFACTURER)***
Problem Clarification
AES 7.X and higher does not deploy with the default Avaya self-signed certificate authority as previous versions have done. It is the responsibility of the
Business Partner or customer to perform this task. Regarding the attached PSN, there is more than one way to generate a new CA certificate; this article
demonstrates this using System Manager 7.0 for trust management.
***NOTE: This method has also been tested with SMGR 6.3.20. The method is the same but some of the screens and fields may slightly differ. Also the
SMGR 6.3.x provided a SHA1 CA certificate.***
If the default AES 7.x or higher certificate expires Avaya proprietary application such as Elite Multi Channel (EMC), ACR, CRM Connector, and any other application
requiring a secure TSAPI or DMCC connection will fail to establish a connection resulting in loss of CTI functionality.
An AES certificate shall expire and no impact is experienced by the CTI applications using a secure TSAPI/DMCC connection until such time as the connection is
broken at which time client applications will fail to login with a failed SSL error such as:"SECURITY:FYI:SecurePeerAcceptor::accept():TSAPI Service: accept()
failed for client 127.0.0.1 and driver service AVAYA#SWITCH1#CSTA-S#AESA"
This article is helpful to generate new certificates using System Manager. see the following article for more details on updating EMC with the new CA certificates:
https://kb.avaya.com/kb/index?page=content&id=SOLN284527&actp=SEARCH&actp=search&viewlocale=en_US&searchid=1501520623118 (https://kb.avaya.com/kb/index?
page=content&id=SOLN284527&actp=SEARCH&actp=search&viewlocale=en_US&searchid=1501520623118)
Cause
Avaya no longer provides a default self-signed CA for AES, leaving the customer responsible to implement them.
AES 6.3.3 and lower default certificate will be expired Jan 6 2018.
Solution
For testing purposes, the following test software will be used to demonstrate functionality to simulate a third party application connections:
- Avaya Aura AE Services TSAPI Client MS Windows 7.0: https://support.avaya.com/downloads/download-details.action?
contentId=C20158211650417170_0&productId=P0358&releaseId=7.0.x (https://support.avaya.com/downloads/download-details.action?contentId=C20158211650417170_0&productId=P0358&releaseId=7.0.x)
- Avaya Aura AE Services IP Communications DMCC dot Net SDK 7.0: https://support.avaya.com/downloads/download-details.action?
contentId=C20158211557548970_5&productId=P0358 (https://support.avaya.com/downloads/download-details.action?contentId=C20158211557548970_5&productId=P0358)
Note: for a list of all available SDKs, see the AES 7.0 Release Notes: https://downloads.avaya.com/css/P8/documents/101014420 (https://downloads.avaya.com/css/P8/documents/101014420)
Make sure all TLS versions are enabled on AES to avoid compatibility issues with other components.
Refer to PSN004561u https://downloads.avaya.com/css/P8/documents/101014585 (https://downloads.avaya.com/css/P8/documents/101014585) The steps below reference the section: "System
Manager Trust Management." a very rare case that System manager 7.0 is still using the demo cert that only provide SHA1 Root CA,
Please use any System Manager Release 7.0.X to run following step. the CN is default in Demo CA, a new self signed SMGR ROOT CA is using System manager
CA for CN.
1. Log into System Manager and navigate to "Security (under Services) > Certificates > Authority > Add End Entity (under RA functions).
https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 1/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs
2. Select INBOUND_OUTBOUND_TLS from the End Entity Profile

3. Select a username and a password that will be used to encrypt the P12 trust store file
4. Complete the required fields noted in Steps 4-8 of the PSN
Note: For step 4b enter the Fully Qualified Domain Name (FQDN) of the AES server. This information can be found on the AES OAM web pages under
Networking > Network Configure. Note, the example below is from a lab server.
Sample completed "Add Entity" form:
Clicking "Save" will show a message similar to below:
Creating the AE Services Server Certificate

This section continues with the steps outlined in the PSN.
1. Using the SMGR web console, navigate to "Security (under Services) > Certificates >Authority".
2. In the left hand navigation pane near the bottom of the screen, click on "Public Web"
3. On the "Public Web" screen click on "create key store"
3a. Enter the user name and password of the "End Entity" and click "OK"
3b,c and d.
Once "Enroll" is clicked, the new certificate store is downloaded with a ".p12" extension.
Downloading the SMGR CA certificate that signed the AE Services server certificate
1. Using the SMGR web console navigate to the "Public Web" page (as described in the above step) and click on "Fetch CA certificates"
2. Click on "Download PEM chain" on the line starting with "CA certificate chain"
3. Save the CA certificate to a known location
Import the SMGR CA certificate into the AE Services server

1. Using the AE Services Management Console navigate to "Security > Certificate Management > Trusted Certificates"
2. Click on the "Import" button and upload the SMGR CA certificate you downloaded above. Give it an alias name (e.g. caSMGR)
3. Click Apply
The new Certificate Authority is added
Import the new AE Services server certificate into the AE Services server
1. Using the AE Services Management Console navigate to "Security > Certificate Management > Server Certificates"
2. Click on the Import button and upload the new AE Services server certificate you created above (this will be the .p12 file). Select an alias (server)
from the drop down menu
3. Click the "Apply" button.
Follow the directions from the screenshot above to restart the AE Server services.
This completes the steps outlined in the PSN. The next section provides testing with the TSAPI and DMCC client
applications. For installation and usage instructions please see the relevant attached guides.
Testing a secure TSAPI connection to the AES with the newly installed SMGR CA certificate
The following setup steps will need to be performed:
1. Download and install the TSAPI client from the link noted at the beginning of the article
2. Export the System Manager CA from the AES and save it locally
3. Edit the TSLIB.ini file to reference the new certificate and the AES credentials for the test application to connect to.
4. Make a test call with the TSAPI application
Step 1
For TSAPI client installation instructions, please see Chapter 3 of Application Enablement Services TSAPI and CVLAN Client and SDK Installation Guide:
https://downloads.avaya.com/css/P8/documents/101014061 (https://downloads.avaya.com/css/P8/documents/101014061)
Step 2
To export the System Manager CA from the AES perform the following:
1. From the AES webpages navigate to Security > Certificate Management > CA Trusted Certificates
2. Select the certificate with the "Issued To" field of System Manager CA
3. Click "Export"
4. Highlight all of the text in the text box under "Certificate PEM" and copy this to a Notepad/text editor file and save it as something that is easily associated with
its purpose
Configuring the TSAPI test Application

Note: for the TSAPI test application to connect to the AES a valid CTI username and password is required. If this needs be created, please see Administering and
Maintaining Avaya Aura Application Enablement Services 7.0 Guide page 96 to add a user and page 147 to configure the CTI
user. https://downloads.avaya.com/css/P8/documents/101014048 (https://downloads.avaya.com/css/P8/documents/101014048)
Step 1: Editing the TSLIB.ini file

1. Find the TSLIB.ini file by clicking Click Start > All Programs > Avaya AE Services > Edit TSLIB.ini
2. Ensure that the IP address is correct and uncommented (the ";" is removed from the beginning of the line)
3. Ensure that the highlighted "Trusted CA File=" is uncommented and points to your new certificate created earlier
4. Save the file and exit
Step 2: Launching and testing the secure connection with the TSAPI Test application
1. Click Start > All Programs > Avaya AE Services > TSAPI Test.
1. When the TSAPI Test application starts it will show the available TLINKs. To test the secure connection, select the TLINK that contains "CSTA-S" (S for
secure) in the TLINK name.
2. Enter a valid CTI username and password

3. Enter two extensions that will be used for a third-party Make Call event
Note: In this example, these stations do not exist and we would expect an "invalid CSTA device identifier 12" error.
4. Open the TSpy application to view the TSAPI logging information for the test call. Click Start > All Programs > Avaya AE Services/TSAPI Client/TSAPI
Spy. Ensure that Tracing is enabled
5. Click Dial on the TSAPI Test application
Although there was an "Invalid Device Identifier" message, the test worked. From the TSAPI Spy, the log shows the following:
0000: [02/25/16 15:07:20.349]

0000: FROM LIBRARY:
0000: InvokeID 0
0000: ACSNameSrvRequest ::=
0000: {
0000: streamType stCsta
0000: }
0000: [02/25/16 15:07:21.083]

0000: RECEIVED FROM TSERVER:
0000: ACSNameSrvReply
0000: Application not notified (internal event)
0000: [02/25/16 15:07:21.083]

0000: FOR LIBRARY:
0000: InvokeID 0
0000: ACSNameSrvReply ::=
0000: {
0000: more FALSE,
0000: list
0000: {
0000: {
0000: serverName "AVAYA#CM7110#CSTA#CTIAESVE7REF13",
0000: serverAddr '0200041A0A8249460000000000000000'H
0000: },
0000: {
0000: serverName "AVAYA#CM7110#CSTA-S#CTIAESVE7REF13",
0000: serverAddr '0200042A0A8249460000000000000000'H
0000: }
0000: }
0000: }
37117880: [02/25/16 15:07:22.361]

37117880: ESTABLISHED CONNECTION TO TSERVER:
37117880: AVAYA#CM7110#CSTA-S#CTIAESVE7REF13
37117880: Login: Dave Application Name: TSTest Server Connection ID: 0
37117880: [02/25/16 15:07:22.362]

37117880: FROM LIBRARY:
37117880: InvokeID 0
37117880: ACSKeyRequest ::=
37117880: {
37117880: loginID "Dave"
37117880: }
37117880: Private Data ::=
37117880: {
37117880: vendor "WINNTTCP"
37117880: length 10
37117880: data
37117880: {
37117880: 80 01 01 01 03 01 01 04 01 01
37117880: }
37117880: }
37117880: [02/25/16 15:07:22.705]

37117880: FOR LIBRARY:
37117880: ACSAuthReplyTwo ::=
37117880: {
37117880: objectID 0,
37117880: key '5371A62F4C5E9809'H,
37117880: authInfo
37117880: {
37117880: authType needLoginIdAndPasswd,
37117880: authLoginID "Dave"
37117880: },
37117880: encodeType winNtLocal,
37117880: pipe ""
37117880: }
37117880: [02/25/16 15:07:22.705]

37117880: ACSAuthReplyTwo
37117880: [02/25/16 15:07:22.696]

37117880: RECEIVED FROM APPLICATION:
37117880: ACSOpenStream ::= < - Application requesting a TSAPI stream with AES
37117880: {
37117880: streamType stCsta,
37117880: serverID "AVAYA#CM7110#CSTA-S#CTIAESVE7REF13", < - Requesting secure TLINK
37117880: loginID "Dave",
37117880: cryptPass '44A1B2D9FED6C2A6EE66E6C64E331FA6EE66E6C64E331FA6EE66E6C64E331FA6EE66E6C64E331FA6'H,
37117880: applicationName "TSTest",
37117880: level acsLevel1,
37117880: apiVer "TS1-2",
37117880: libVer "AES7.0.0 Build 131",
37117880: tsrvVer ""
37117880: }
37117880: [02/25/16 15:07:22.963]

37117880: ACSClientHeartbeatEvent
37117880: [02/25/16 15:07:22.964]

37117880: FOR LIBRARY:
37117880: ACSClientHeartbeatEvent ::=
37117880: {
37117880: null NULL
37117880: }
37117880: [02/25/16 15:07:22.970]
37117880: ACSOpenStreamConfEvent < - TSAPI stream request confirmed from AES
37117880: Application not notified (notifyAll == FALSE)
37117880: [02/25/16 15:07:22.970]

37117880: DELIVERED TO APPLICATION:
37117880: ACSOpenStreamConfEvent ::=
37117880: {
37117880: apiVer "ST2",
37117880: libVer "AES7.0.0 Build 131", < - SDK library versions exchanged
37117880: tsrvVer "7.0.0 Build 138",
37117880: drvrVer "7.0.0 Build 138"
37117880: }
37117880: [02/25/16 15:07:22.971]

37117880: CSTAMakeCall ::= < - Make Call action (from clicking Dial)
37117880: {
37117880: callingDevice "70001",
37117880: calledDevice "70002"
37117880: }
37117880: [02/25/16 15:07:23.399]

37117880: DELIVERED TO APPLICATION:
37117880: UniversalFailureConfEvent ::=
37117880: {
37117880: error invalidCstaDeviceIdentifier < - Station does not exist on the CM
37117880: }
37117880: [02/25/16 15:07:23.399]

37117880: UniversalFailureConfEvent
37117880: Application not notified (notifyAll == FALSE)
37117880: [02/25/16 15:07:23.401]

37117880: ACSAbortStream ::= < - TSAPI Test application requesting the stream be closed
37117880: {
37117880: null NULL
37117880: }
Testing a secure DMCC connection to the AES with the newly installed SMGR CA certificate
The following setup steps will need to be performed:
1. Download and install the DMCC client SDK from the link noted at the beginning of the article
2. Import the exported certificate from AES into the Windows keystore
Note: By default, AES has port 4722 enabled for secure DMCC connections. Please reference the AES Administration Guide linked earlier in this article for further
information.
3. Open the DMCC Dashboard
Step 1: Download and install the DMCC client SDK

Step 2: Importing the exported certificate from AES into the Windows keystore
1. Double click the AESserverCert.cer file that was created from Notepad earlier and the following screen will appear. Click "Install Certificate".
2. Select "Next"
3. Select "Place all certificates in the following store" and choose "Browse"
4. Click "Trusted Root Certifiicaton Authorities" and click OK.
5. Click Next
6. Click Finish
7. Click OK on the "Import Successful" message
8. Click OK
Step 3: Open the DMCC Dashboard

1. Refer to the install location chosen during the DMCC SDK installation
2. Open the folder Dashboard
3. Double-click dashboard.exe
Note: There is a DasboardUserGuideV6.doc in the Dashboard directory
4. Populate the fields outlined in red

5. Click "Start Application Session"
6. Click "Get Device ID"
7. Click "Start Monitors"
Note: Starting a successful DMCC session indicates that the certificate is working
-Also can refer to the document of Administering Avaya Aura @ System Manager.
SOLN284619
Attachment File
PSN004561u.pdf
289K • < 1 minute @ 56k, < 1 minute @ broadband
+ Additional Relevant Phrases
Avaya -- Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy
About Avaya Contacts Careers Site Map Terms of Use Privacy Statement
© 2020 Avaya Inc.

Avaya Knowledge - AES - How To Create A Certificate Authority CA From SMGR For AES and Test With TSAPI and DMCC SDKs PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Avaya Knowledge - AES - How To Create A Certificate Authority CA From SMGR For AES and Test With TSAPI and DMCC SDKs PDF

Uploaded by

Copyright:

Available Formats

10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with

Avaya Support Website Help

AES: How to create a Certificate Authority CA from SMGR for AES

2. Select INBOUND_OUTBOUND_TLS from the End Entity Profile

Clicking "Save" will show a message similar to below:

Creating the AE Services Server Certificate

3. On the "Public Web" screen click on "create key store"

Import the SMGR CA certificate into the AE Services server

The new Certificate Authority is added

Configuring the TSAPI test Application

Step 1: Editing the TSLIB.ini file

2. Enter a valid CTI username and password

5. Click Dial on the TSAPI Test application

0000: [02/25/16 15:07:20.349]

0000: [02/25/16 15:07:21.083]

0000: [02/25/16 15:07:21.083]

37117880: [02/25/16 15:07:22.361]

37117880: [02/25/16 15:07:22.362]

37117880: [02/25/16 15:07:22.705]

37117880: [02/25/16 15:07:22.705]

37117880: [02/25/16 15:07:22.696]

37117880: [02/25/16 15:07:22.963]

37117880: [02/25/16 15:07:22.964]

37117880: [02/25/16 15:07:22.970]

37117880: [02/25/16 15:07:22.971]

37117880: [02/25/16 15:07:23.399]

37117880: [02/25/16 15:07:23.399]

37117880: [02/25/16 15:07:23.401]

3. Open the DMCC Dashboard

Step 1: Download and install the DMCC client SDK

4. Click "Trusted Root Certifiicaton Authorities" and click OK.

Step 3: Open the DMCC Dashboard

Note: There is a DasboardUserGuideV6.doc in the Dashboard directory

4. Populate the fields outlined in red

+ Additional Relevant Phrases

You might also like