ASBCE: Remote Worker not able to register using TLS with 3rd Party Certificates
Doc ID: SOLN287755
Version: 19.0
Status: Published
Published date: 30 Oct 2020
Created Date: 20 Apr 2016
Author: Anis Momin
Details
Remote users cannot register over TLS using 3rd Party Certificates
How to set up new server certificates between ASM and ASBCE
Problem Clarification
The customer is trying to register a Remote Worker to the SBCE in TLS mode with 3rd Party Certificates.
Cause
Errors seen on the SBCE were "Could not read private key and TLS Handshake Failure".
The customer needs to generate the private key using Generate CSR in TLS Management > Certificates > Generate CSR.
The customer needs to provide a certificate and key for SBC along with root CA cert.
1 of 4 4/1/2022, 3:07 PM
Avaya Knowledge - ASBCE: Remote Worker not able to register using TLS with 3rd Party Cert... https://support.avaya.com/ext/index?page=content&id=SOLN287755&pmv=print&impression...
-----BEGIN CERTIFICATE-----
MII...
Lcw=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...DhA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...rQ8
-----END CERTIFICATE-----
Solution
Run validateSBCE or validateSBCE.customer to make sure no certificate installation steps have been missed.
-> The first step is to create a Trust Chain from all of these CA certificates, excluding the identity cert.
cat IntermediateCertificateAuthority.crt > TrustChain.pem
cat USERTrustRSAAddTrustCA.crt >> TrustChain.pem
cat AddTrustExternalCARoot.crt >> TrustChain.pem
-> Open the TrustChain.pem file in vi and check that all 3 certs have been added to it.
(If the result is OK, the combined CA chain is able to authenticate it correctly.)
-> Check that the key provided by the customer matches the Identity cert:
(Have the passphrase from the customer ready; it is requested at the next prompt.)
[root@SBC-MU ]# openssl rsa -noout -modulus -in TrustChain.key | openssl md5
Enter pass phrase for TrustChain.key:
(stdin)= a30e7392b084ad889ec3b3e1de62eaea
If the (stdin) result is the same for the above two commands, the private key fits that identity certificate.
-> Log in to the SBCE GUI, go to TLS Management -> Certificates -> Install
Type : Certificate
Name: 3rdParty
Certificate File : Identity.crt
Trust Chain File : TrustChain.pem
Key: Upload Key -> Key provided by customer
Once the Trust Chain and Identity Cert are installed, install the Root CA cert.
TLS Management -> Certificates -> Install
Type: CA Certificate
Name: 3rdPartyCA
Certificate File : AddTrustExternalCARoot.crt
-> In TLS Management -> Client Profile -> Add Profile for the 3rd Party Cert
Profile Name: 3rdParty
Certificate : 3rdParty.crt
Peer Verification: Required
Peer Certificate Authorities: 3rdPartyCA.crt
-> Add Server Profile for 3rd Party Cert
-> In Device Specific Settings -> Select the Interface for the Remote Worker on the Public side -> TLS Profile -> 3rdParty
-> In Device Specific Settings -> End Point Flows -> Edit the Flow Name -> TLS Client Profile -> 3rdParty
vi /usr/local/ipcs/etc/cert/certificate/3rdParty.crt
You will see the certificates in order, each appearing only once, starting with the identity certificate and ending with the ROOT CA.
-> Now encrypt the private key that was provided by the customer and installed through the GUI.
Go to directory /usr/local/ipcs/cert/key
Type enc_key <key file name> <passphrase>, where passphrase is the passphrase you used while generating the CSR.
enc_key is the command used on a Standalone SBC System; "certsync" and "certinstall" are the commands used on an HA System (where EMS and SBC are separated).
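The file checks from the Solution steps (build TrustChain.pem, confirm the result is OK, compare the key with the identity cert) can be scripted before anything is uploaded in the GUI. This is an added example, not Avaya tooling: the function names and the KEY_PASS variable are assumptions, the "OK" check is done with openssl verify and the certificate side of the comparison with openssl x509 -modulus (neither command is shown in the article), and the moduli are compared directly instead of through their MD5 digests.

```bash
#!/usr/bin/env bash
# Added example: checks to run on the files before uploading them in the GUI.

# Build the trust chain from CA certs only (identity cert excluded).
build_chain() {            # usage: build_chain <out.pem> <ca cert>...
  local out=$1 f; shift
  : > "$out"
  for f in "$@"; do
    # Re-encode rather than plain cat: a CA file with no trailing newline
    # would fuse its END line with the next BEGIN line and break the bundle.
    openssl x509 -in "$f" >> "$out" || return 1
  done
  # Same check as opening the file in vi: one PEM block per input file.
  [ "$(grep -c 'BEGIN CERTIFICATE' "$out")" -eq "$#" ]
}

# True when openssl reports "<identity cert>: OK" against the chain.
chain_verifies() {         # usage: chain_verifies <chain.pem> <identity cert>
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Compare RSA moduli directly. Capturing each one first means a failed read
# (wrong passphrase, not a key) cannot look like a match, which piping two
# failed commands into a digest would.
key_matches_cert() {       # usage: key_matches_cert <key> <identity cert>
  local k c
  # KEY_PASS is an assumed, exported variable holding the key passphrase, if any.
  k=$(openssl rsa -noout -modulus -in "$1" \
        ${KEY_PASS:+-passin env:KEY_PASS} 2>/dev/null) || return 2
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

check_bundle() {  # usage: check_bundle <identity> <key> <chain out> <ca cert>...
  local id=$1 key=$2 chain=$3; shift 3
  build_chain "$chain" "$@"     || { echo "trust chain build failed"; return 1; }
  chain_verifies "$chain" "$id" || { echo "identity cert not verified"; return 1; }
  key_matches_cert "$key" "$id" || { echo "key does not match cert"; return 1; }
  echo "OK: $id, $key and $chain are consistent"
}

# e.g. ./check.sh Identity.crt TrustChain.key TrustChain.pem \
#        IntermediateCertificateAuthority.crt USERTrustRSAAddTrustCA.crt AddTrustExternalCARoot.crt
if [ "$#" -ge 4 ]; then check_bundle "$@"; fi
```

A non-zero return from key_matches_cert corresponds to the "Could not read private key" class of failure: either the key cannot be read with the supplied passphrase (return 2) or it belongs to a different certificate (return 1).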
Avaya -- Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy