
Avaya Knowledge - ASBCE: Remote Worker not able to register using TLS with 3rd Party Cert... https://support.avaya.com/ext/index?page=content&id=SOLN287755&pmv=print&impression...


ASBCE: Remote Worker not able to register using TLS with 3rd
Party Certificates
Doc ID: SOLN287755
Version: 19.0
Status: Published
Published date: 30 Oct 2020
Created Date: 20 Apr 2016
Author: Anis Momin

Details
Remote users cannot register over TLS using 3rd Party Certificates

ASBCE : Any versions

How to set up new server certificates between ASM and ASBCE

Problem Clarification
The customer is trying to register a Remote Worker to the SBCE in TLS mode with 3rd Party Certificates.

Error seen as "Alert : FATAL UNKNOWN CA"

Cause
Errors seen on the SBCE were "Could not read private key and TLS Handshake Failure"

The error seen on the phone reports issues with VoIP.

The customer needs to generate the private key using Generate CSR in TLS Management > Certificates > Generate CSR

The customer needs to provide a certificate and key for SBC along with root CA cert.

Customer provided 4 certs -> Identity Cert, Intermediate CA, 2 Root CA

Here are the 4 certs provided by the customer:


identity.crt , IntermediateCertificateAuthority.crt , USERTrustRSAAddTrustCA.crt and AddTrustExternalCARoot.crt

Chaining certs in linux causes problems when concatenating:


-----END CERTIFICATE----------BEGIN CERTIFICATE-----

This causes error:

error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:802:

Separate the END and BEGIN:

-----BEGIN CERTIFICATE-----
MII...
Lcw=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...DhA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...rQ8
-----END CERTIFICATE-----
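
The fused END/BEGIN line appears when a concatenated file does not end with a newline. The shell functions below are an added example, not part of the Avaya article or Avaya tooling; the function names and the "MII..." placeholder bodies are constructed. They detect the fused line, build a chain that cannot fuse, and split an already-fused file.

```bash
#!/bin/sh
# Added example: PEM boundary handling when building TrustChain.pem.
# Function names and the "MII..." bodies are constructed placeholders.
END='-----END CERTIFICATE-----'
BEGIN='-----BEGIN CERTIFICATE-----'

# Succeeds if FILE has an END marker fused to a BEGIN marker on one line.
has_fused_boundary() {
    grep -qF -e "$END$BEGIN" "$1"
}

# Number of certificates whose BEGIN marker sits on a line of its own.
count_certs() {
    grep -c -x -F -e "$BEGIN" "$1" || true
}

# Concatenate PEM files into OUT, adding a newline after any input lacking one.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # $(...) strips a trailing newline, so non-empty output means the
        # last byte of the file is not a newline.
        if [ -n "$(tail -c 1 "$f")" ]; then printf '\n' >> "$out"; fi
    done
}

# Print FILE with every fused END/BEGIN pair split onto separate lines.
split_fused() {
    sed "s/$END$BEGIN/$END\\
$BEGIN/g" "$1"
}

# Demo on constructed inputs: a.crt has no trailing newline, b.crt has one.
d=$(mktemp -d)
printf '%s\n%s\n%s' "$BEGIN" 'MII...' "$END" > "$d/a.crt"
printf '%s\n%s\n%s\n' "$BEGIN" 'MII...' "$END" > "$d/b.crt"
cat "$d/a.crt" "$d/b.crt" > "$d/naive.pem"
build_chain "$d/safe.pem" "$d/a.crt" "$d/b.crt"
echo "naive: $(count_certs "$d/naive.pem") cert(s) on clean boundaries"
echo "safe:  $(count_certs "$d/safe.pem") cert(s) on clean boundaries"
rm -rf "$d"
```

The placeholder bodies are not valid certificates, so this only exercises the boundary handling; a real chain is still checked with the openssl verify step in the Solution.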

Solution
Run validateSBCE or validateSBCE.customer to make sure no steps in the Certificate installation have been missed.

-> First step is to create a Trust Chain with all these CA certificates except the identity cert.
cat IntermediateCertificateAuthority.crt > TrustChain.pem
cat USERTrustRSAAddTrustCA.crt >> TrustChain.pem
cat AddTrustExternalCARoot.crt >> TrustChain.pem

-> Open the TrustChain.pem file in vi and check that all 3 certs have been added to it.

-> Verify the identity cert against the combined CA chain

[root@SBC-MU ]# openssl verify -verbose -CAfile TrustChain.pem identity.crt
identity.crt: OK

(If the result is OK, the combined CA chain is able to authenticate the identity cert correctly.)

-> Check that the key provided by the customer matches the Identity cert:

[root@SBC-MU ]# openssl x509 -noout -modulus -in identity.crt | openssl md5
(stdin)= a30e7392b084ad889ec3b3e1de62eaea

[root@SBC-MU ]# openssl rsa -noout -modulus -in TrustChain.key | openssl md5
Enter pass phrase for TrustChain.key:
(stdin)= a30e7392b084ad889ec3b3e1de62eaea

(Have the passphrase from the customer ready to enter when the second command asks for it.)

If both commands print the same (stdin) value, the private key matches that identity certificate.

-> Login to SBCE GUI, go to TLS Management -> Certificates -> Install

Type : Certificate


Name: 3rdParty
Certificate File : Identity.crt
Trust Chain File : TrustChain.pem
Key: Upload Key -> Key provided by customer

Once the Trust Chain and Identity Cert are installed, install the Root CA cert.
TLS Management -> Certificates -> Install

Type: CA Certificate
Name: 3rdPartyCA
Certificate File : AddTrustExternalCARoot.crt

-> In TLS Management -> Client Profile -> Add Profile for the 3rd Party Cert

Profile Name: 3rdParty
Certificate : 3rdParty.crt
Peer Verification: Required
Peer Certificate Authorities: 3rdPartyCA.crt

-> Add Server Profile for 3rd Party Cert

Profile Name : 3rdParty


Certificate: 3rdParty.crt
Peer Verification: None

-> In Device Specific Settings -> Select the Interface for the Remote Worker on the Public side -> TLS Profile -> 3rdParty

-> In Device Specific Settings -> End Point Flows -> Edit the Flow Name -> TLS Client Profile -> 3rdParty

-> Now log in to the SBC CLI

vi /usr/local/ipcs/etc/cert/certificate/3rdParty.crt
You should see each certificate in order and only once, starting with the identity certificate and ending with the Root CA.

-> Now encrypt the private key that was provided by the customer and installed through the GUI

Go to directory /usr/local/ipcs/cert/key

Type enc_key <key file name> <passphrase>, where passphrase is the passphrase you used while generating the CSR.
enc_key is the command used for a Standalone SBC System; certsync and certinstall are the commands used for an HA System (where EMS and SBC are separated).

For IX client issues, please refer to https://kb.avaya.com/resources/sites/AVAYA/content/live/SOLUTIONS/345000/SOLN345327/en_US/Planning%20and%20admin%20guide.pdf -> Chapter 5: Security and certificate configuration

Restart the SBCE Server.
