Author: Clement French
Avaya Solution & Interoperability Test Lab

Application Notes for Avaya Aura® Experience Portal and Avaya Aura® Application Enablement Services for Transport Layer Security (TLS) using Third-Party Certification Authority TLS Certificates and Secure Realtime Transport Protocol (SRTP) - Issue 1.1

Abstract

These Application Notes describe the steps to configure Avaya Aura® Experience Portal and Avaya Aura® Application Enablement Services to utilize Transport Layer Security to secure communications with Avaya Aura® Session Manager when using third-party Certification Authority certificates in situations where default Avaya certificates must be replaced. The default product identification certificates and trusted root certificates are replaced with versions signed by a customer's Certification Authority server or by third-party Certificate Authority servers. Avaya Aura® Experience Portal can be configured to authenticate service requests to further enhance security. In addition, security is further enhanced by configuring Secure Realtime Transport Protocol to encrypt media streams. These Application Notes are intended for customers who intend to configure Avaya Aura® Experience Portal and Avaya Aura® Application Enablement Services to use TLS and SRTP. Information in these Application Notes has been obtained through Solution Integration compliance testing and additional technical discussions. Testing was conducted at the Avaya Solution and Interoperability Test Lab.

GOR; Reviewed: SPOC 10/14/2014

Solution & Interoperability Test Lab Application Notes ©2014 Avaya Inc. All Rights Reserved.

1 of 41 AAEP_AES

Table of Contents

1. Introduction (p. 3)
2. General Test Approach and Results (p. 4)
2.1. Test Description and Coverage (p. 4)
2.2. Test Results and Observations (p. 4)
3. Reference Configuration (p. 5)
4. Equipment and Software Validated (p. 6)
5. Configure Avaya Aura® Experience Portal for TLS/SRTP (p. 7)
5.1. Configure TLS on Avaya Aura® Experience Portal (p. 7)
5.2. Installing a Third-Party Trusted Root Certificate in Avaya Aura® Experience Portal (p. 11)
6. Install a new TLS identity certificate in Avaya Aura® Experience Portal Media Processing Platform (p. 15)
6.1. Generate a Certificate Signing Request for AAEP (p. 15)
6.2. Sign the AAEP Certificate Request (p. 17)
6.3. Import the signed certificate into AAEP (p. 18)
6.4. Export the self-signed AAEP certificate (p. 21)
7. Install Third-Party Signed TLS and Trusted Root CA Certificates in Avaya Aura® Application Enablement Services (p. 22)
7.1. Install a Trusted Root CA Certificate (p. 22)
7.2. Install a new Server Identity Certificate (p. 25)
8. Configure TLS on Avaya Aura® Application Enablement Services (p. 29)
9. TLS/SRTP Configuration on the ASR/TTS Server link (p. 31)
10. Configure an ASR/TTS server (Nuance) for TLS/SRTP (p. 33)
11. Export the AAEP Certificate as a Trusted Root Certificate (p. 36)
12. Verify Avaya Aura® Application Enablement Services and Avaya Aura® Experience Portal (with ASR/TTS) TLS operation (p. 37)
13. Conclusion (p. 39)
14. Additional References (p. 40)


1. Introduction

These Application Notes describe the configuration of Avaya Aura® Experience Portal (AAEP) and Avaya Aura® Application Enablement Services (AES) with Transport Layer Security (TLS) and Secure Realtime Transport Protocol (SRTP) using default Avaya certificates or using third-party Certificate Authority (CA) certificates. Avaya Aura® Experience Portal provides organizations with a single point of orchestration for all automated, multimedia, self-service and integrated voice response (IVR) applications across inbound phone or video, as well as outbound phone, email, or SMS applications. Avaya Aura® Application Enablement Services is a solution that provides a set of telephony Application Programming Interfaces (APIs), protocols, and Web Services. Avaya Aura® Application Enablement Services makes the capabilities of Avaya communication solutions accessible to developers and Systems Integrators. To enable TLS, certificates are required to validate a server's identity prior to initiating secure network transactions. Server identification certificates are either self-signed or signed by a trusted root Certification Authority. Clients are offered the server's identity certificate during initial communications; clients verify the certificate and proceed to secure the communication channel. Activating TLS on AAEP and AES requires a corresponding activation on clients that require services. Identity validation may be a one-way or two-way process. One-way validation occurs when the client verifies the server's identity and then both proceed to secure communications. Two-way validation (also known as Mutual Authentication) occurs when the server also requires the client to present a certificate of identity. Authentication requires that a root CA certificate be installed on the client and server. This certificate provides verification of the AAEP and AES server's identity certificate.

If default Avaya certificates are replaced with third-party certificates, both the Avaya product identification certificate and the Avaya trusted root CA certificate must be replaced. Note: servers and clients can have only one identity certificate, but may have several trusted root CA certificates. For enhanced security, install only a single trusted root CA certificate and ensure mutual authentication is activated (where possible). Activation of SRTP encrypts media streams between endpoints, preventing eavesdropping and recording of conversations. For enhanced security, SRTP is enforced so that endpoints which are incapable of SRTP are unable to negotiate connections. These Application Notes concentrate on securing AAEP and AES with TLS and SRTP, and the necessary steps to activate TLS/SRTP on both AAEP and AES.


2. General Test Approach and Results

Before configuring Avaya Aura® Experience Portal and Avaya Aura® Application Enablement Services for TLS/SRTP, the base software must be installed and the installations configured with network addresses and user accounts. Intended users of these Application Notes should be familiar with AAEP and AES installation procedures and the necessary operational procedures. It is desirable to carry out these procedures during a maintenance window, as some procedures require restarting services and functions, which may impact service on live sites. Where services may be affected, this is explained in the text.

2.1. Test Description and Coverage

Test cases include calls between PSTN callers and AAEP, which was configured with front-end and back-end applications, using SRTP for media. CTI integration with AACC was tested with AES converting TR/87 messages into the DMCC protocol and controlling SIP telephones used as AACC agent endpoints. A suite of traditional telephony operations and features such as extension dialing, hold/resume, transfer (supervised and unsupervised) and conferencing were tested. Contact center features such as agent observe and supervisor barge-in were also tested.

2.2. Test Results and Observations

All test cases were successful, with the following observations. On Avaya Aura® Experience Portal it is currently not possible to actively modify the Media Processing Platform TLS certificate installed at build time. This certificate is signed by the AAEP trusted root certificate (which can be altered); therefore the AAEP identity certificate must be installed as a trusted root CA certificate on any endpoint which connects to AAEP. In addition, AAEP 6.x only supports a self-signed identity cert for EPM, which is loaded during AAEP software installation. Chained certs are supported in AAEP 7.0 onwards. AAEP does not offer a TLS certificate to the ASR/TTS server when setting up a secure TLS link. In this scenario AAEP is the client; when the ASR/TTS server asks for a client certificate, AAEP responds with a certificate of size 0 (i.e., no certificate data). The Nuance Speech Server version 5.0 used in these Application Notes cannot be configured to perform mutual authentication. It does provide a TLS identity certificate to the client, but does not insist on the client providing a certificate. It logs an error but still sets up the TLS connection.


3. Reference Configuration

Figure 1 illustrates an example communications system installation. In the example, an Avaya Aura® Communication Manager (CM) with associated Media Gateway is connected to an Avaya Aura® Contact Center (AACC). SIP call routing is managed by the Avaya Aura® Session Manager (proxy server). Callers to the contact center are provided with an Interactive Voice Response (IVR) service, with AAEP providing voice prompts and collecting digits. Speech services and speech recognition are provided by an associated Automatic Speech Recognition/Text to Speech (ASR/TTS) server. AAEP may operate in front-end or back-end mode. TLS and SRTP can be configured when AAEP connects directly to a proxy server (AAEP is operating as a SIP endpoint) or when AAEP is operating as a service (AAEP and AACC operate without using a SIP proxy). Media between the callers and AAEP, and between AAEP and the ASR/TTS server, are encrypted using SRTP. Contact center agents have a desktop client to control phone operations using the standard TR87 interface protocol. CM does not support this protocol; conversion is performed by the AES. TR87 messages are secured using TLS between AACC and AES.

Figure 1: AAEP/AES example installation


4. Equipment and Software Validated

The following equipment and software were used for the reference configuration.

Equipment/Software: Avaya Aura® Agent Desktop running on a HP Compaq 6000 Pro MT PC (installed on Microsoft Windows XP [Version 5.1.2600] Service Pack 3 and Windows 7 [Version 6.1] Service Pack 1)
Release/Version: 8.3.0.510

Equipment/Software: Avaya Aura® Contact Center Manager Server running on a Dell PowerEdge R610
Release/Version: AvayaAura_CCMS_6.3.210.0-0677_ServicePack, AvayaAura_CCMS_6.3.210.1-1084_Patch, AvayaAura_CCMS_6.3.210.500-0156_Patch, AvayaAura_CCMS_6.3.210.501-1098_Patch

Equipment/Software: Avaya Aura® Contact Center Manager Administration running on a Dell PowerEdge R610
Release/Version: AvayaAura_CCMA_6.3.210.0-0716_ServicePack, AvayaAura_CCMA_6.3.210.1-0689_Patch

Equipment/Software: Avaya Aura® Contact Center Communication Control Toolkit running on a Dell PowerEdge R610
Release/Version: AvayaAura_CCT_6.3.210.0-0644_ServicePack, AvayaAura_CCT_6.3.210.1-0300_Patch

Equipment/Software: Avaya Aura® Contact Center Manager Multi Media running on a Dell PowerEdge R610
Release/Version: AvayaAura_CCMM_6.3.210.0-0670_ServicePack, AvayaAura_CCMM_6.3.210.1-0481_Patch

Equipment/Software: Avaya Media Server running on a Dell PowerEdge R610
Release/Version: Avaya Media Server v.7.5.0.1014; Contact Center Services for AMS v.6.3.0.113; Linux version 2.6.18-194.el5PAE ([email protected]) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Tue Mar 16 22:00:21 EDT 2010

Equipment/Software: Avaya Aura® Application Enablement Services
Release/Version: 6.3 (aka 6.2 FP2), 6.3.0.0.212-06.3.0.0.18002, kernel 2.6.18-348.1.1.AV4.domU.el5xen

Equipment/Software: Avaya Aura® Experience Portal
Release/Version: 6.2, 6.3.0.124 (Sys Plat 6.3.0.0.18002), kernel 2.6.18-348.1.1.AV4.domU.el5xen


5. Configure Avaya Aura® Experience Portal for TLS/SRTP Avaya Aura® Experience Portal is pre-configured with self-signed certificates generated at software install time and uses Avaya product certificates as root certificates. If these certificates are acceptable, they can be used for TLS sessions with other Avaya equipment (e.g., Avaya Aura® Contact Center servers) or they can be changed for customer generated certificates which are signed by a third-party root certificate authority.

5.1. Configure TLS on Avaya Aura® Experience Portal

Using a web browser (e.g., Microsoft Internet Explorer), enter the following URL:

https://FQDN_of_AAEP_server/

where FQDN_of_AAEP_server is the Fully Qualified Domain Name (FQDN) or IP address of the AAEP server. The logon dialog box appears. Type the name of a user who has administration privileges and click the Submit button. A new Password text edit box appears; type the password and click the Logon button (not shown; it replaces the Submit button in the dialog).



The web page refreshes and shows the AAEP home page. The two main components of AAEP are Experience Portal Manager (EPM) and Media Processing Platform (MPP). These may be co-resident on a single server or can be installed on multiple servers. EPM and MPP run on Avaya Enterprise Linux or Red Hat Enterprise Linux 6.0. EPM contains the web interface for administration and configuration, and an Application Interface web service to route calls between external SIP endpoints and the MPP. MPP uses VoIP to communicate with other SIP servers and runs Voice eXtensible Markup Language (VoiceXML) speech applications and Call Control eXtensible Markup Language (CCXML) applications deployed on the application server. MPP communicates with speech servers using the Media Resource Control Protocol (MRCP). Configuration for TLS operation requires modification of the VoIP settings: click on the System Configuration → VoIP Connections menu.


The VoIP Connections page opens. Click the Add button.

The Add SIP Connection page opens. Enter values in the area enclosed by the red box as follows:

Name: The SIP connection name (usually the Session Manager hostname).
Transport: Choose TLS from the list box.
Proxy Servers: Click the radio button and type the IP address of the Session Manager. Port must be 5061; assign a priority (lower number = higher priority). Click the Additional Proxy Server link to add another Session Manager if there is more than one in the network.
Listener Port: Set to 5061.
SIP Domain: Your SIP domain (e.g., silstack.com).


Click the All Calls can be either inbound or outbound radio button.


In the SRTP section, configure parameters with values that match those used in other elements of your communications system. Typical examples are:

Enable: Click the Yes radio button.
Encryption Algorithm: Choose AES_CM_128.
Authentication Algorithm: Choose HMAC_SHA1_80.
RTCP Encryption Enabled: Choose No.
RTP Encryption Enabled: Choose Yes.

Click on the Add button; the chosen values are added to the Configured SRTP List. Click the Apply button and then the Save button to complete the TLS/SRTP configuration.


5.2. Installing a Third-Party Trusted Root Certificate in Avaya Aura® Experience Portal

Replacement of the default Avaya product certificates with new customer-generated certificates, or with certificates signed by a third-party Certification Authority, requires the installation of a new trusted root CA certificate. Trusted root certificates are used to authenticate endpoints: an endpoint's identity certificate is signed by a trusted CA server, and AAEP uses that CA server's own identity certificate (the trusted root CA certificate) to validate the endpoint. If a common trusted CA is not in use throughout the communications system, more than one trusted root CA certificate can be installed in AAEP. Obtain a copy of the trusted root CA certificate from your system administrator, or use the following procedure to retrieve one directly from a root CA server. (The following procedure uses a Microsoft certificate authority server.) Using a web browser, log on to the root CA server; a typical URL is https://FQDN_of_server/certsrv, where FQDN_of_server is the fully qualified domain name of the CA server. If you have not logged in previously, an access error occurs and you are required to enter your Active Directory administrative-level login credentials in a Windows Security dialog box. Press the OK button when ready.


The CA server home page opens. Click on the Download a CA certificate, certificate chain or CRL link.

On the next page, click the Base 64 radio button and then on the Download CA certificate link. A file save dialog box opens (not shown); save the file.



Log on to AAEP (see Section 5.1) and use the side menu to navigate to Security → Certificates (not shown). The Certificates page opens with the Trusted Certificate tab selected. Click on the Upload button.

The Upload Trusted Certificate page opens. For Name: type some text to describe the certificate. For Type: select SIP Connection from the drop down list. Click on the Choose File button; a file selector dialog opens (not shown). Navigate to the folder where the downloaded CA certificate resides, select the file and click OK. Click on the Continue button when ready.


A new page opens showing the recently uploaded certificate details. Click the Save button to enter this certificate to AAEP’s trusted certificate store.


Certificate details displayed:
Owner: CN=trustedCA,DC=somewhere,DC=com
Issuer: CN=trustedCA,DC=somewhere,DC=com
Serial Number: 5af132ad78524194445fe55ab9596801
Valid from: May 15, 2013 1:00:23 PM IST until May 15, 2018 1:10:21 PM IST
Certificate fingerprints:
MD5: e7:b5:ba:31:79:a6:46:98:70:8a:ea:4d:aa:0f:7e:ac
SHA: b8:9a:e1:27:87:1c:af:cc:04:a4:ab:7e:55:b0:1f:0a:c7:5c:c1:39

A new page opens and shows the installed trusted certificates. This completes installing a third-party root CA certificate.

Installed trusted certificates displayed:

Owner: CN=trustedCA,DC=somewhere,DC=com
Issuer: CN=trustedCA,DC=somewhere,DC=com
Serial Number: 5af132ad78524194445fe55ab9596801
Valid from: May 15, 2013 1:00:23 PM IST until May 15, 2018 1:10:21 PM IST
Certificate fingerprints:
MD5: e7:b5:ba:31:79:a6:46:98:70:8a:ea:4d:aa:0f:7e:ac
SHA: b8:9a:e1:27:87:1c:af:cc:04:a4:ab:7e:55:b0:1f:0a:c7:5c:c1:39

Owner: CN=nuance,DC=somewhere,DC=com
Issuer: CN=nuance,DC=somewhere,DC=com
Serial Number: 5af132ad78524194445fe55ab9596801
Valid from: May 15, 2013 1:00:23 PM IST until May 15, 2018 1:10:21 PM IST
Certificate fingerprints:
MD5: e6:b5:ba:31:79:a6:46:98:70:8a:ea:4d:ca:0f:7e:ac
SHA: b8:9a:a1:27:87:1c:af:cc:04:a4:ab:7e:55:b0:1f:0a:c7:5c:c1:39


6. Install a new TLS identity certificate in Avaya Aura® Experience Portal Media Processing Platform A Media Processing Platform (MPP) server runs the Experience Portal MPP software. MPP uses a default self-signed root certificate (generated at software install time) which is used as a TLS certificate for SIP connections. This root certificate may be replaced by a third-party signed identity certificate if required. Replacement of the self-signed certificate will require installing a trusted root CA certificate. Currently, the only way to add a new trusted root CA certificate is to upload a PKCS#12 certificate bundle to AAEP.

6.1. Generate a Certificate Signing Request for AAEP

Connect to the AAEP server using an SSH client (e.g., PuTTY). Log on with a valid userid and password. Once logged in successfully, issue the command su - sroot and enter the sroot password.

A Certificate Signing Request (CSR) must be generated using the openssl application. As the signed certificate will later be added to a PKCS#12 certificate bundle, a private key is also required; both can be generated at the same time. AAEP requires its identity certificate to be a certificate authority (root) certificate, as it is used to sign the default MPP certificate. AAEP's certificate will be designated a subordinate CA by the root CA server, and the CSR must be tagged as such. As this requires the use of X.509 Version 3 extensions, the basic openssl configuration must be edited. The unmodified openssl configuration file is located at /etc/pki/tls/openssl.cnf. Make a backup copy of this file in the /home/sroot folder with the following command:

cp /etc/pki/tls/openssl.cnf /home/sroot/openssl.cnf

Use vi to edit /home/sroot/openssl.cnf. Locate the [ v3_req ] section. Under the line beginning with # Extensions, add the following lines:

basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage = serverAuth, clientAuth


The edited lines will look similar to the following screenshot. When the edit is complete, save the file and exit vi.

In the SSH client window, enter the following command to generate a CSR and private key:

openssl req -out AAEP_srvr.csr -new -newkey rsa:2048 -nodes -keyout AAEP_srvr.key -config /home/sroot/openssl.cnf

You are prompted for the necessary information during file generation; ensure you have the correct information to hand before commencing this step. Example responses follow each prompt.

Generating a 2048 bit RSA private key
..............+++
..............................................+++
writing new private key to 'AAEP_srvr.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: US
State or Province Name (full name) [Berkshire]: Colorado
Locality Name (eg, city) [Newbury]: Denver
Organization Name (eg, company) [My Company Ltd]: Avaya
Organizational Unit Name (eg, section) []: SIL
Common Name (eg, your name or your server's hostname) []: aaep.silstack.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: Avayaaaep
An optional company name []:

This procedure generates a CSR file called AAEP_srvr.csr which uses a 2048 bit length key and a private key file called AAEP_srvr.key in the /home/sroot directory.


6.2. Sign the AAEP Certificate Request

Copy the file AAEP_srvr.csr from AAEP to a local PC using SFTP or a USB key drive. Several variants of root CA servers exist; the following procedure uses a Microsoft root CA server. Using a web browser, log on to the root CA server; a typical URL is https://FQDN_of_server/certsrv, where FQDN_of_server is the fully qualified domain name of the CA server. If you have not logged in previously, an access error occurs and you are required to enter your login credentials in a Windows Security dialog box. Press the OK button when ready.

The CA server home page opens. Click on the Request a certificate link.

On the next page (not shown), click the advanced certificate request link, a new page opens. Open AAEP_srvr.csr using Notepad and paste the contents into the Saved Request: text edit box ensuring all text is copied. In the Certificate Template: area, select Subordinate Certificate Authority from the drop-down menu. Click the Submit > button.


After successful validation and certificate signing by the Microsoft Certificate Authority server, a new web page will open (see below). Select the Base 64 encoded radio button and click on the Download certificate hyperlink. Save the file with a new name, e.g., save as “certAAEPSsigned.cer”.

6.3. Import the signed certificate into AAEP

Log on to AAEP using an SSH client (see Section 6.1) and navigate to the /home/root directory. Copy the signed AAEP certificate (certAAEPSsigned.cer) to the directory /home/root using SFTP or a USB key drive. At the AAEP command line, enter the following:

openssl pkcs12 -export -out aaep.p12 -inkey AAEP_srvr.key -in certAAEPSsigned.cer

Enter a password when requested and take note of this password. A PKCS#12 file called aaep.p12, containing the signed AAEP identity certificate and the private key, is saved to the /home/root directory. Copy this file to a local PC using SFTP or a USB key drive.


Log on to AAEP (see Section 5.1) using a web browser (Microsoft Internet Explorer version 6 SP2 supported). Navigate to the Security → Certificates page. Click on the Root Certificate tab; the default root certificate is shown. Click on the Choose File button, navigate to the location of aaep.p12 and click OK.

Default root certificate displayed (self-signed):
Owner: CN=epm,DC=somewhere,DC=com
Issuer: CN=epm,DC=somewhere,DC=com
Serial Number: 5af732ad78524134445fe55ab9596801
Valid from: May 15, 2013 1:00:23 PM IST until May 15, 2018 1:10:21 PM IST
Certificate fingerprints:
MD5: e7:c5:ba:31:79:a6:46:98:70:8a:ea:4d:aa:0f:77:ac
SHA: b8:9a:e1:27:67:1c:af:cc:04:a4:ab:7e:55:d0:1f:0a:c7:5c:c1:39


Click on the Install button.

Warning: you must restart all the MPPs before the changes will take effect

Root certificate displayed after installing aaep.p12 (now issued by the trusted CA):
Owner: CN=epm,DC=somewhere,DC=com
Issuer: CN=trustedCA,DC=somewhere,DC=com
Serial Number: 5af732ad78524134445fe55ab9596801
Valid from: May 15, 2013 1:00:23 PM IST until May 15, 2018 1:10:21 PM IST
Certificate fingerprints:
MD5: e7:c5:ba:31:79:a6:46:98:70:8a:ea:4d:aa:0f:77:ac
SHA: b8:9a:e1:27:67:1c:af:cc:04:a4:ab:7e:55:d0:1f:0a:c7:5c:c1:39

Navigate to System Management → MPP Manager. The following page appears. Select the check box next to the Server Name and click the Restart button.


6.4. Export the self-signed AAEP certificate

AAEP generates a self-signed certificate at install time. This certificate is used to sign the Media Processing Platform TLS identity certificate. The self-signed AAEP certificate is presented by MPP as its trusted Certificate Authority, but as AAEP is technically an Intermediate CA, it should also include a copy of the trusted root CA certificate (as installed in Section 5.2). There is a problem with AAEP software builds prior to build 7.0.1.13: the trusted root CA certificate is not included in the certificate chain offered during TLS negotiations. This results in SIP endpoints rejecting MPP with an 'unknown CA' error. To resolve this issue, a copy of the self-signed certificate must be installed on every SIP endpoint that MPP communicates with. To obtain a copy of the self-signed certificate, log on to the AAEP server as sroot (see Section 6.1) and navigate to the following directory: /opt/Avaya/ExperiencePortal/MPP/web/mpp.crt. Locate the file called cert.pem and copy this file using SFTP or a USB pen drive. Rename the file to better identify the certificate (e.g., aaep.crt). If AAEP is a SIP entity associated with an Avaya Aura® Session Manager, this certificate must be installed in the Avaya Aura® System Manager trusted certificates store. See Section 6.4 in the document referenced by item [9] in Section 14 of this document for details. Similarly, if AAEP interfaces with an Avaya Aura® Contact Center, this certificate must be placed in the AACC SGM certificate store as a trusted root certificate. See Section 5.4 of the document referenced by item [10] in Section 14 of this document for more information. Comparable procedures exist for other SIP endpoint types; details are outside this document's scope.
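As an added example (not taken from these Application Notes or from Avaya), the following POSIX shell script rehearses the Section 6.1 to 6.4 certificate workflow offline so that each artifact can be checked before it is uploaded to a production AAEP. It generates the AAEP key and CSR with the v3_req lines from Section 6.1, signs the CSR as a subordinate CA using a throwaway root CA that stands in for the customer's Microsoft CA (Section 6.2), builds the PKCS#12 bundle of Section 6.3, and then models the Section 6.4 'unknown CA' situation by signing an MPP certificate with the AAEP key and verifying it with and without the AAEP certificate. The root CA, the root_ca, sub_ca and leaf extension sections, the name mpp.silstack.com, the password changeit and the temporary working directory are all assumptions; only the file names and the v3_req lines follow the notes.

```shell
#!/bin/sh
# Added example, not taken from the Avaya Application Notes: rehearse the
# Section 6 certificate workflow offline. A throwaway root CA ("trustedCA")
# stands in for the customer's Microsoft CA; the root_ca, sub_ca and leaf
# sections, mpp.silstack.com, the password and the working directory are
# all assumptions. Only the file names and the v3_req lines follow the notes.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# openssl configuration: [ v3_req ] carries the three lines the notes add.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = US
ST = Colorado
L = Denver
O = Avaya
OU = SIL
CN = aaep.silstack.com
[ v3_req ]
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sub_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
[ leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Section 6.1: 2048-bit key and CSR in one step (non-interactive here).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/AAEP_srvr.key" \
    -out "$WORK/AAEP_srvr.csr" -config "$WORK/openssl.cnf" 2>/dev/null
}

# Stand-in for the customer's root CA server (assumed, not the real CA).
make_root_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=trustedCA/DC=somewhere/DC=com" -config "$WORK/openssl.cnf" \
    -extensions root_ca -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Section 6.2: the CA signs the CSR using a subordinate-CA template.
sign_csr() {
  openssl x509 -req -in "$WORK/AAEP_srvr.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" \
    -extensions sub_ca -out "$WORK/certAAEPSsigned.cer" 2>/dev/null
}

# Section 6.3: signed certificate plus private key as a PKCS#12 bundle.
make_p12() {
  openssl pkcs12 -export -out "$WORK/aaep.p12" -inkey "$WORK/AAEP_srvr.key" \
    -in "$WORK/certAAEPSsigned.cer" -passout pass:changeit
}

# Section 6.4 model: AAEP, now an intermediate CA, signs the MPP certificate.
make_mpp_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mpp.silstack.com" \
    -config "$WORK/openssl.cnf" -reqexts leaf \
    -keyout "$WORK/mpp.key" -out "$WORK/mpp.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/mpp.csr" -CA "$WORK/certAAEPSsigned.cer" \
    -CAkey "$WORK/AAEP_srvr.key" -CAcreateserial -days 365 \
    -extfile "$WORK/openssl.cnf" -extensions leaf -out "$WORK/mpp.crt" 2>/dev/null
}

# Checks worth running before anything is uploaded to AAEP.
csr_requests_ca() { openssl req -in "$WORK/AAEP_srvr.csr" -noout -text | grep -q 'CA:TRUE'; }
cert_is_ca() { openssl x509 -in "$WORK/certAAEPSsigned.cer" -noout -text | grep -q 'CA:TRUE'; }
aaep_chain_verifies() { openssl verify -CAfile "$WORK/root.crt" "$WORK/certAAEPSsigned.cer" >/dev/null 2>&1; }
p12_issuer_is_root() {
  openssl pkcs12 -in "$WORK/aaep.p12" -nokeys -passin pass:changeit 2>/dev/null \
    | openssl x509 -noout -issuer | grep -q 'trustedCA'
}
# The Section 6.4 failure: an endpoint that trusts only the root cannot validate
# MPP ("unknown CA") unless the AAEP certificate is also made available to it.
mpp_fails_with_root_only() { ! openssl verify -CAfile "$WORK/root.crt" "$WORK/mpp.crt" >/dev/null 2>&1; }
mpp_verifies_with_aaep_cert() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/certAAEPSsigned.cer" \
    "$WORK/mpp.crt" >/dev/null 2>&1
}

run_all() {
  write_config && make_csr && make_root_ca && sign_csr && make_p12 && make_mpp_cert \
    && csr_requests_ca && cert_is_ca && aaep_chain_verifies && p12_issuer_is_root \
    && mpp_fails_with_root_only && mpp_verifies_with_aaep_cert
}
run_all && echo "certificate workflow checks passed; artifacts in $WORK"
```

Run it with sh. Each check is a function that returns 0 on success, so the same functions can be pointed at the real AAEP_srvr.csr, certAAEPSsigned.cer and aaep.p12 to confirm that the CA really issued a CA:TRUE certificate and that the bundle carries the expected issuer before the MPPs are restarted. The last two checks only model the chain problem described above; whether a given AAEP build presents the intermediate certificate in its TLS handshake is a separate matter, and the notes state that builds prior to 7.0.1.13 do not.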


7. Install Third-Party Signed TLS and Trusted Root CA Certificates in Avaya Aura® Application Enablement Services

Avaya Aura® Application Enablement Services (AES) offers a suite of telephony APIs and web services to developers, leveraging Avaya's communications systems to provide customized solutions. The following procedure focuses on configuring AES for secure TLS communication with an Avaya Aura® Contact Center.

7.1. Install a Trusted Root CA Certificate

Log on to AES using a web browser (Mozilla Firefox supported) using the following URL: https:// Click the Continue To Login link.

The Management Console screen opens. Log in using an administrative account; click the Login button when ready.


The Home screen opens. In the side menu, click on Security, then click Certificate Management and CA Trusted Certificates (Not Shown).

The CA Trusted Certificates page opens. Existing trusted root certificates were installed during AES software initialization. Certificates may be examined by clicking the radio button next to the certificate alias and then clicking the View button. More than one trusted root certificate may be installed. To install a new trusted root certificate (e.g., the one obtained in Section 5.2) click on the Import button.


The Trusted Certificate Import page opens. Click the Choose File button; a file selector dialog opens (not shown). Navigate to the location of the trusted root CA certificate and click the Open button (not shown). The certificate name appears beside the Choose File button. For Certificate Alias*, type some text to identify the certificate. Click the Apply button when ready.


The page refreshes and shows the installed trusted root certificates.


7.2. Install a new Server Identity Certificate

AES uses default identity certificates which were activated during software install. This procedure changes the default aeservices certificate (offered to SIP endpoints) and server certificate (offered to web browsers). Log in to AES (see Section 7.1) and navigate to Security → Certificate Management → Server Certificates. The Server Certificates page opens; click the Add button.

The Add Server Certificate page opens. Select parameter values as in the following screenshots. Passwords should be recorded for later use.

The Certificate Validity* value can be adjusted to meet your organization's security requirements. Distinguished Name must be in LDAP format and must match the values required by your CA server. A typical example is: cn=aes.example.com,ou=mydept,o=mycorp,L=Denver,ST=Colorado,C=US


Ensure the Key Usage: and Extended Key Usage: values are as in the screenshot (hold down the Shift key to enable multiple selections). SCEP Parameters are unused. Click the Apply button.


A new page opens showing the certificate signing request (CSR). Copy ALL the text in the edit window and, using the procedure in Section 6.2, submit the CSR for signing. When the signed certificate is available, click the Import button.

Click the Choose File button, navigate to the signed certificate returned for the CSR, and click Open (not shown). Click the Apply button.


A warning message appears, indicating that the new certificate will not enter service until AE Services restarts. Click the Apply button. This completes installing a new web certificate.

Repeat Section 7.2 but this time choose aeservices for the Certificate Alias*.

Navigate to Maintenance → Service Controller and click on Restart Service.


8. Configure TLS on Avaya Aura® Application Enablement Services

AACC connects to AES using the SIP TR87 protocol, secured with TLS encryption. TLS connections on AES require hosts to be added to the trusted hosts database and the service setting set to enforce this requirement. Log in to AES and, in the side menu, navigate to Security → Host AA → Trusted Hosts. Click on the Add button.

The Add Trusted Host page opens. Type the host FQDN in the Certificate CN or SubAltName edit box. Service type* is set to TR/87. The remaining values are defaults. Click the Apply Changes button when ready.


Navigate to Security → Host AA → Service Settings. The setting Authenticate Client Cert with Trusted Certs is pre-selected. Ensure the Require Trusted Host Entry checkbox is ticked. Click the Apply Changes button when ready.

Navigate to Security → Host AA → Trusted Hosts and confirm the newly added host is present. This completes the AACC-AES TLS configuration. To ensure the connection uses TLS, restart the server connecting to AES (aacc.somewhere.com).


9. TLS/SRTP Configuration on the ASR/TTS Server link

Avaya Aura® Experience Portal routes callers to external Automated Speech Recognition/Text To Speech (ASR/TTS) servers to assist with decoding DTMF or Interactive Voice Response. SIP connections to ASR/TTS servers may be secured with TLS and SRTP. Log on to AAEP (see Section 5.1), navigate to System Configuration → Speech Servers and click on the Add button.

The Add ASR page opens. Type some text for the ASR server Name. Select the Engine Type from the list (Nuance is chosen). Type the ASR server IP address in the Network Address box. Base Port should be 5061. Enter a value for the number of Licensed ASR resources. New Connection per Session is set to No. Select the required languages.

Configure the MRCP settings as shown. For SRTP, choose the Authentication Algorithm that matches what is used throughout your communication system (AES_CM_128 chosen). When the SRTP configuration is completed, click the Add button to copy the settings to the Configured SRTP List. When finished, click the Save button.


10. Configure an ASR/TTS server (Nuance) for TLS/SRTP

The ASR/TTS server establishes a communications link with AAEP; this link can be secured with TLS and SRTP to enhance call security. This is of particular importance when callers' private details or account numbers are sent over the link and rendered into speech. The ASR/TTS server used in this example is Nuance Speech Server 5.0. Several others are supported; contact your nearest Avaya distributor for details or browse to support.avaya.com for more information. Nuance Speech Server software is installed on a Microsoft Windows 2008 Server. Log in to the Nuance server. Using Windows Explorer, navigate to the Nuance software install folder; typically "C:\Program Files (x86)\Nuance\Speech Server 5.0\server\config". Open the file called NSSserver.cfg with a text editor (e.g., Notepad). Locate the following section:

###################### SIP configuration #####################

Modify the text so it looks like this (parameter name, type, value; lines beginning with # are commented out):

#server.mrcp2.sip.transport.tcp.port                 VXIInteger   5060
#server.mrcp2.sip.transport.udp.port                 VXIInteger   5060
server.mrcp2.sip.transport.tls.port                  VXIInteger   5061
server.mrcp2.sip.transport.tls.keyDir                VXIString    (NSSSVRSDK)/certs
server.mrcp2.sip.transport.tls.keyPassword           VXIString    Avaya123$
server.mrcp2.sip.maxCountOfSession                   VXIInteger   964095
#server.mrcp2.sip.transport.tcp.maxCountOfConnections VXIInteger   4095
#server.mrcp2.sip.transport.tls.maxCountOfConnections VXIInteger   4095

Locate the following section:

###################### MRCPv2 configuration #####################

Modify it so it looks like this:

#server.mrcp2.transport.tcp.port                     VXIInteger   6075
server.mrcp2.transport.timeout                       VXIInteger   20
server.mrcp2.transport.tls.port                      VXIInteger   6076
server.mrcp2.transport.tls.keyDomain                 VXIString    localdomain
server.mrcp2.transport.tls.keyDir                    VXIString    (NSSSVRSDK)/certs
server.mrcp2.transport.tls.keyPassword               VXIString    Nuance

Save the file.


The default Nuance Speech Server uses self-signed root CA certificates and identity certificates. These need to be replaced with a certificate signed by a third-party root CA server and a copy of the root CA server certificate. Nuance does not include any tools to generate a certificate signing request. Microsoft DOS tools can be used to generate a CSR, or openssl can be used to do the same task. Openssl was used in this procedure. Use the procedure in Section 6.1 to log on to AAEP. In the AAEP SSH client window, enter the following command to generate a CSR and private key:

openssl req -out nuance.csr -new -newkey rsa:2048 -nodes -keyout nuance.key -config /home/sroot/openssl.cnf

You are prompted for the necessary information during file generation; ensure you have the correct information to hand before commencing this step. Example responses follow each prompt.

Generating a 2048 bit RSA private key
..............+++
..............................................+++
writing new private key to ' AAEP_srvr.key '
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: US
State or Province Name (full name) [Berkshire]: Colorado
Locality Name (eg, city) [Newbury]: Denver
Organization Name (eg, company) [My Company Ltd]: Avaya
Organizational Unit Name (eg, section) []: SIL
Common Name (eg, your name or your server's hostname) []: nuance
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: Nuance
An optional company name []:

This procedure generates a CSR file called nuance.csr, which uses a 2048 bit key, and a private key file called nuance.key in the /home/sroot directory. Follow the procedure in Section 6.2 to sign the CSR (nuance.csr). Copy the signed certificate file (now called nuance.cer) and the private key file (nuance.key) to the Nuance Speech Server using SFTP or a USB key drive. Save the files to the certificates folder; typically C:\Program Files (x86)\Nuance\Speech Server 5.0\server\certs. Rename nuance.cer to _cert.pem. Rename nuance.key to _key.pem.


Restart the Nuance Speech Server by using the taskbar Log off → Restart function.

Nuance Speech Server does not require any configuration for SRTP. Specifically, Nuance detects that SRTP is configured via the SDP that is sent in the INVITE request. This is defined in RFC 4568, Security Descriptions for Media Streams (http://www.ietf.org/rfc/rfc4568.txt?number=4568). In particular, Nuance uses the SDP attribute "crypto" as an indicator the media is to be encrypted.
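The SDP check described above, as an added example that is not from these Application Notes or from Nuance: POSIX shell functions (using awk) that list the RFC 4568 crypto-suites offered under an RTP/SAVP media line, run against a constructed SDP body, so an administrator can confirm that the AAEP SRTP setting from Section 9 actually reaches the speech server in the INVITE.

```shell
#!/bin/sh
# Added example, not from the Application Notes or from Nuance: inspects an SDP
# offer for the RFC 4568 "crypto" attribute that signals SRTP to the speech server.
set -eu

# Constructed SDP body (placeholder addresses and key material), one line per field.
SAMPLE_SDP='v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 4000 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY_SALT
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:PLACEHOLDER_BASE64_KEY_SALT
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000'

# sdp_srtp_suites: read an SDP body on stdin and print one crypto-suite name per
# line for each a=crypto attribute under a media section using RTP/SAVP(F).
# A crypto line under a plain RTP/AVP m-line is ignored: RFC 4568 defines the
# attribute for the secure profile, and a mismatch means no SRTP was negotiated.
sdp_srtp_suites() {
  awk '{ sub(/\r$/, "") }                     # tolerate CRLF line endings
       /^m=/ { savp = ($3 == "RTP/SAVP" || $3 == "RTP/SAVPF") }
       /^a=crypto:/ && savp { print $2 }'
}

# sdp_srtp_count: number of usable crypto attributes in the offer (0 = plain RTP).
sdp_srtp_count() {
  sdp_srtp_suites | awk 'END { print NR }'
}

# sdp_offers_suite SUITE: exit 0 when SUITE is among the offered crypto-suites,
# e.g. to confirm the AES_CM_128 family chosen on AAEP is what the server sees.
sdp_offers_suite() {
  sdp_srtp_suites | grep -qx -- "$1"
}

printf '%s\n' "$SAMPLE_SDP" | sdp_srtp_suites
```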


11. Export the AAEP Certificate as a Trusted Root Certificate

AAEP's signed certificate is used to sign the MPP certificate offered during SIP transactions. SIP endpoints will require a trusted root certificate for TLS to succeed. Exporting the AAEP certificate to other SIP endpoints and installing the certificate there will resolve this issue. Log in to AAEP (see Section 5.1) and navigate to Security → Certificates. Click on the Root Certificate tab, then click on the Export icon. A file (sipCA.pem) is downloaded into the browser download folder.


This file should be installed in the trusted root certificate stores of the SIP endpoint(s) to which AAEP connects. Instructions to perform these steps are outside the scope of these Application Notes and may be obtained from Application Notes [1] and [2] in the Additional References section of this document.


12. Verify Avaya Aura® Application Enablement Services and Avaya Aura® Experience Portal (with ASR/TTS) TLS operation

To verify successful configuration of TLS with AES, log on to AES (see Section 7.1) and, using the side menu, navigate to Status → Status and Control → DMCC Service Summary. Examine the Session information presented; Connection Type shows TR-87 Encrypted.

Log in to AAEP (see Section 5.1) and navigate (using the side menu) to System monitor. Click on aaep.


A new page opens. Click on the Service Menu link.

A new window opens. Click on Diagnostics.

A new page opens, click on Check connections to servers.

A new page opens showing server connections. Note the successful ICMP Check* reports.


13. Conclusion

These Application Notes describe how to configure Avaya Aura® Experience Portal and Avaya Aura® Application Enablement Services to use Transport Layer Security and Secure Real-time Transport Protocol as a security enhancement for networks that require high immunity from message interception and modification.


14. Additional References

Further Avaya product documentation relevant to these Application Notes may be available at http://support.avaya.com.

[1] Application Notes for configuring Transport Layer Security (TLS) with Third-Party Certification Authority Certificates and Secure Real-Time Transport Protocol (SRTP) on Avaya Aura® Contact Center 6.3 Service Pack 10.
[2] Configuring Avaya Aura® System Manager 6.2 FP2 and Avaya Aura® Session Manager 6.2 FP2 to use Third-Party Security Certificates for Transport Layer Security.
[3] Avaya Aura® Contact Center Server Administration, Release 6.3, NN44400-610, Issue 04.02, May 2013.
[4] Avaya Aura® Contact Center Installation, Release 6.3, NN44400-311, Issue 04.02, May 2013.
[5] Avaya Aura® Contact Center Fundamentals, Release 6.3, NN44400-110, Issue 04.02, May 2013.
[6] Administering Avaya Aura® System Manager, Release 6.3, 07 Oct 2013.
[7] Administering Avaya Aura® Experience Portal, 06 Jun 2013.
[8] Avaya Aura® Application Enablement Services Administration and Maintenance Guide, 04 Oct 2013.
[9] Configuring Avaya Aura® System Manager 6.2 FP2 and Avaya Aura® Session Manager 6.2 FP2 to use Third-Party Security Certificates for Transport Layer Security – Issue 1.0.
[10] Configuring Avaya Aura® System Manager 6.2 FP2 and Avaya Aura® Session Manager 6.2 FP2 to use Third-Party Security Certificates for Transport Layer Security – Issue 1.0.
[11] RFC 5246 - The Transport Layer Security (TLS) Protocol - available from http://www.ietf.org/


©2014 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at [email protected]
