D14049.05
February 2009
TANDBERG
VIDEO COMMUNICATIONS SERVER
ADMINISTRATOR GUIDE
Security
Overview
For extra security, you may wish to have the VCS communicate with other systems (e.g. servers such as LDAP servers, neighbor VCSs, or clients such as SIP endpoints) using TLS encryption.
For this to work successfully in a connection between a client and server:
• the server must have a certificate installed that verifies its identity. This certificate must be signed by a Certificate Authority (CA).
• the client must trust the CA that signed the certificate used by the server.
The VCS allows you to install appropriate files so that it can act as either a client or a server in connections using TLS.
For an endpoint to VCS connection, the VCS will be the TLS server. For a VCS to LDAP server connection, the VCS will be a client. For a VCS to VCS connection either VCS may be the client with the other VCS being the TLS server.
To enable security using the web interface:
• Maintenance > Security.
You will be taken to the Security page.
The files that enable secure connections over TLS are installed using the web interface. They cannot be installed using the CLI.
Trusted CA certificate
The "Select the file containing trusted CA certificates" field allows you to upload a PEM file that identifies the list of Certificate Authorities trusted by the VCS. The VCS will only accept certificates signed by a CA on this list. If you are connecting to an LDAP database using TLS encryption, the certificate used by the LDAP database must be signed by a CA on this list.
After you have selected the file, click "Upload CA certificate" to upload it.
If a CA certificate has already been uploaded, the "Show CA certificate" button will be visible. Clicking on this shows you the currently uploaded PEM file.
Server certificate data
Select the server private key file
Allows you to upload a PEM file that identifies the private key
used to encrypt the server certificate used by the VCS.
This private key must not be password protected.
Select the server certificate file
Allows you to upload a PEM file that contains the server
certificate used for HTTPS connections to the VCS from user or
administrator web browsers, and by SIP endpoints or servers
connecting to the VCS over TLS.
Show server certificate
Click here to view the currently uploaded PEM file containing the
certificate used by the VCS to identify itself to SIP and HTTPS
clients when communicating over SSL/TLS.
Upload server certificate data
Click here once you have selected both the private key and
certificate files to upload them.
Reset to default server certificate
Click here to replace the current server certificate with the
default certificate that shipped with the VCS.
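A pre-upload sanity check for the three PEM files described above, as an added example that is not part of the TANDBERG guide. It inspects PEM structure only (block types and the markers of a password-protected key) and does not verify signatures or that the key matches the certificate; the function names and sample data are constructed for illustration.

```python
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, encrypted)] for every PEM block found in text."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        # PKCS#8 signals encryption in the label; legacy OpenSSL keys use a header.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        blocks.append((label, encrypted))
    return blocks

def check_upload_set(ca_pem, key_pem, cert_pem):
    """Return a list of problems; an empty list means the files have the expected shape."""
    problems = []
    ca = pem_blocks(ca_pem)
    if not ca or any(label != "CERTIFICATE" for label, _ in ca):
        problems.append("CA file must contain only CERTIFICATE blocks")
    keys = pem_blocks(key_pem)
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        problems.append("key file must contain exactly one private key")
    elif keys[0][1]:
        problems.append("private key is password protected")
    certs = pem_blocks(cert_pem)
    if not certs or certs[0][0] != "CERTIFICATE":
        problems.append("certificate file must start with a CERTIFICATE block")
    # Added check (assumption): the certificate file is viewable in the UI, so keep keys out.
    if any(label.endswith("PRIVATE KEY") for label, _ in certs):
        problems.append("certificate file contains a private key")
    return problems

def _pem(label, headers=""):
    # Constructed placeholder body (base64 of "CONSTRUCTED"), not real key material.
    return f"-----BEGIN {label}-----\n{headers}Q09OU1RSVUNURUQ=\n-----END {label}-----\n"

SAMPLE_CA = _pem("CERTIFICATE") + _pem("CERTIFICATE")
SAMPLE_CERT = _pem("CERTIFICATE")
SAMPLE_KEY = _pem("RSA PRIVATE KEY")
SAMPLE_KEY_LEGACY_ENC = _pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n")
SAMPLE_KEY_PKCS8_ENC = _pem("ENCRYPTED PRIVATE KEY")

if __name__ == "__main__":
    for name, key in [("plain", SAMPLE_KEY), ("legacy", SAMPLE_KEY_LEGACY_ENC),
                      ("pkcs8", SAMPLE_KEY_PKCS8_ENC)]:
        print(name, check_upload_set(SAMPLE_CA, key, SAMPLE_CERT))
```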
Enabling security