User's guide

Security
Polycom, Inc. 8–31
not enabled, browsers can connect to the HDX web server through an
unsecured IP address. If you don’t use a secure address (HTTPS), certificates
are not exchanged. With validation enabled, the HDX web server rejects
connection attempts from browsers that don't present a valid certificate.
The Always Validate Peer Certificates from Servers setting controls how all
of the other SSL-enabled applications on the HDX system, such as LDAP or
provisioning, behave. When this setting is enabled, these applications attempt
to validate the server certificate when they connect via SSL/TLS to a server.
The connection will be rejected if the server does not present a valid certificate.
Validation might fail for other reasons, such as certificate expiration or
revocation. The HDX system can check revocation status by using certificate
revocation lists (CRLs) or the online certificate status protocol (OCSP). A CRL
is a list of certificates that have been revoked by the CA. An OCSP responder
is a network server that provides real-time certificate status through a
query/response message exchange.
Configure the HDX system to use the same method that is used by the CA. You
must get CRL data files from the CA.
To add CRLs on the Polycom HDX web interface:
1 Go to Admin Settings > General Settings > Security > Revocation.
2 Configure the following settings on the Revocation screen:

Setting / Description

Revocation Method
    Specifies whether to use CRL or OCSP for revocation.

Allow Incomplete Revocation Checks
    When this field is enabled, a certificate in the chain is verified
    without a revocation status check if no corresponding CRL is installed.
    The HDX system assumes that the lack of a CRL means the certificate is
    not revoked. If all required CRLs are installed, the system performs
    revocation checks when validating the certificate.

Add a Certificate Revocation List (CRL)
    1 Click Browse to search for and select a CRL.
    2 Click Add to add the CRL to the list.

You can also remove a CRL from the list by clicking Remove.
If you use OCSP, you might need to install one or more additional CA certificates on
the HDX system, for validation of the OCSP response messages.
The Polycom HDX system supports HTTP-based OCSP transactions.
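
The following is an added example, not Polycom code: a simplified Python model of the Allow Incomplete Revocation Checks behaviour described above, showing that a revoked CA certificate is accepted when its issuer's CRL is not installed. The certificate names, serial numbers and CRL contents are constructed, and rejecting a certificate whose CRL is missing when the setting is disabled is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


def check_chain(chain, installed_crls, allow_incomplete):
    """Return (accepted, [(subject, status), ...]) for a chain, leaf first.

    installed_crls maps an issuer name to the set of serials it has revoked.
    """
    accepted, statuses = True, []
    for cert in chain:
        crl = installed_crls.get(cert.issuer)
        if crl is None:
            if allow_incomplete:
                # No CRL installed: the certificate is assumed not revoked.
                statuses.append((cert.subject, "unchecked"))
            else:
                # Assumption: with the setting disabled, a missing CRL fails.
                statuses.append((cert.subject, "no-crl"))
                accepted = False
        elif cert.serial in crl:
            statuses.append((cert.subject, "revoked"))
            accepted = False
        else:
            statuses.append((cert.subject, "good"))
    return accepted, statuses


def missing_crls(chain, installed_crls):
    """Issuers whose CRL must be installed for a complete check."""
    return sorted({c.issuer for c in chain} - set(installed_crls))


# Constructed sample data: the root CA has revoked the issuing CA (serial 2).
CHAIN = [
    Cert("ldap.example.test", "Example Issuing CA", 0x1001),
    Cert("Example Issuing CA", "Example Root CA", 0x02),
]
ISSUING_CRL = {"Example Issuing CA": {0x2222}}
ROOT_CRL = {"Example Root CA": {0x02}}

if __name__ == "__main__":
    for allow in (True, False):
        print(allow, check_chain(CHAIN, ISSUING_CRL, allow))
    print(check_chain(CHAIN, {**ISSUING_CRL, **ROOT_CRL}, True))
    print("missing:", missing_crls(CHAIN, ISSUING_CRL))
```

Running the equivalent of `missing_crls` against the CAs in your own server chains tells you which CRL files to request from the CA before relying on incomplete checks.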