User's Manual
must be installed on the IP Deskphone and stored in the IP Deskphone trusted store for the
following reasons:
• to verify the identity of the various servers that the IP Deskphone can attempt to establish
secure connections with, such as TLS and HTTPS
• to authenticate the signatures on software and configuration files that are downloaded
onto the IP Deskphone.
Trusted root certificate installation
You can install one or more customer root certificates on the IP Deskphone by using the
configuration file 11xxeSIP.cfg.
• The [USER_KEYS] section is added to the configuration file 11xxeSIP.cfg to download a
customer root certificate from a provisioning server. For example:
[USER_KEYS]
DOWNLOAD_MODE AUTO
PROTOCOL HTTPS
FILENAME custroot.pem
The PROTOCOL attribute of the [USER_KEYS] section can be assigned to one of the IP
Deskphone supported protocols, such as HTTP, TFTP, HTTPS, and FTP.
The FILENAME attribute of the [USER_KEYS] section points to the file name of a
customer root certificate in Privacy Enhanced Mail (PEM) format.
• After the configuration file is downloaded and parsed by the IP Deskphone, the
[USER_KEYS] section is processed and the root certificate is downloaded to the IP
Deskphone.
• After the certificate file is downloaded, you must authenticate the contents of the certificate
file before installing it on the IP Deskphone. There are two possible situations.
- If there are no existing customer root certificates on the IP Deskphone, a fingerprint
(SHA1 hash) for the file is computed. Depending on the value that is configured in
the Security Policy parameter, CUST_CERT_ACCEPT, the user can either be
prompted to accept this fingerprint (CUST_CERT_ACCEPT = VAL_MANUAL_A) or
prompted to enter the fingerprint for verification (CUST_CERT_ACCEPT =
VAL_MANUAL_B).
- If there are one or more customer root certificates on the IP Deskphone, the certificate
file must be digitally signed with a signing certificate. In this case, there is no
interaction with the user. The signature is internally verified and the signing certificate
is verified to be issued by a customer root certificate that is already installed on the
IP Deskphone.
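An added example (not part of the Avaya documentation) of an administrator-side check for the first situation above: it computes the SHA1 fingerprint of the certificate file and compares a typed fingerprint against it, as in the CUST_CERT_ACCEPT = VAL_MANUAL_B prompt. It assumes the IP Deskphone hashes the raw bytes of the PEM file, and it also computes the per-certificate hash to show that a line-ending rewrite in transit changes the file fingerprint but not the certificate itself. The function names and the sample PEM are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: the body encodes placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def normalize(fingerprint: str) -> str:
    """Drop separators and case so 'ab:cd ef' and 'ABCDEF' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def file_fingerprint(pem_file: bytes) -> str:
    """SHA1 over the raw file bytes (assumed to be what the phone hashes)."""
    return hashlib.sha1(pem_file).hexdigest().upper()


def der_fingerprints(pem_file: bytes) -> list[str]:
    """SHA1 over each decoded certificate; unaffected by line-ending changes."""
    return [
        hashlib.sha1(base64.b64decode(body)).hexdigest().upper()
        for body in PEM_BLOCK.findall(pem_file)
    ]


def fingerprint_matches(entered: str, computed: str) -> bool:
    """Compare a typed fingerprint with the computed one (40 hex digits)."""
    typed = normalize(entered)
    return len(typed) == 40 and hmac.compare_digest(typed, normalize(computed))


if __name__ == "__main__":
    fp = file_fingerprint(SAMPLE_PEM)
    crlf = SAMPLE_PEM.replace(b"\n", b"\r\n")  # e.g. an ASCII-mode transfer
    print("file SHA1:", ":".join(fp[i:i + 2] for i in range(0, 40, 2)))
    print("file hash survives CRLF rewrite:", file_fingerprint(crlf) == fp)
    print("cert hash survives CRLF rewrite:",
          der_fingerprints(crlf) == der_fingerprints(SAMPLE_PEM))
```

Compute the fingerprint on the file exactly as the provisioning server serves it, since any byte change in transit yields a different file hash.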
SIP Software for Avaya 1100 Series IP Deskphones-Administration November 2012 233