Certificate configuration parameters

Last Updated: Nov 03, 2022

The following parameters are for managing download and usage of trusted and general certificates on Avaya Vantage™.

Each entry below lists the parameter name followed by its type, its default value, whether the value is set to default on reset, and a description.

TRUSTCERTS
  Type: String
  Default value: null string
  Is set to default on reset: Yes

Specifies file names of trusted certificates to be used for authentication. The parameter supports both root and intermediate certificates. Avaya Vantage™ supports certificates both in the PEM and DER file formats.

If you are providing several file names, use commas to separate them. You can upload up to 100 trusted certificates on Avaya Vantage™. The maximum length of the parameter value is 4000 characters.

For provisioning, use:

  • The SET command in the 46xxsettings.txt file.

  • The settings file received from Avaya Aura® Device Services.

Example:

SET TRUSTCERTS SMGRCA.cer,Entrust.cer,Digicert.cer

If you configure TRUSTCERTS in the 46xxsettings.txt file and provide relative file paths in the value, Avaya Vantage™ downloads the certificate files from the HTTP or HTTPS file server defined in FILE_SERVER_URL, HTTPSRVR, or TLSSRVR.

If you define TRUSTCERTS in Avaya Aura® Device Services, you must provide absolute URLs to the certificate files.

TRUSTCERTS configuration using Avaya Aura® Device Services gets a higher precedence than 46xxsettings.txt.

When using Avaya Aura® Device Services, you must ensure that the TRUSTCERTS parameter value defined in the 46xxsettings.txt file has the same set of certificates as the value defined in Avaya Aura® Device Services. However, the syntax does not need to be the same. The certificate file paths or the order of the certificates in the list need not be the same in the parameter value in the 46xxsettings.txt file and Avaya Aura® Device Services. Also, you must include the root CA of the Avaya Aura® Device Services server identity certificate in the TRUSTCERTS parameter value.

MYCERTURL
  Type: String
  Default value: null string
  Is set to default on reset: Yes

Specifies the URL for the Simple Certificate Enrollment Protocol (SCEP) server. Avaya Vantage™ attempts to contact the server if the parameter value is not the default.

A valid URL must start with http://.

For provisioning, use the SET command in the 46xxsettings.txt file.

MYCERTCN
  Type: String
  Default value: $SERIALNO
  Is set to default on reset: Yes

Specifies the Common Name (CN) for SUBJECT in a SCEP certificate request.

If the parameter value contains the $SERIALNO string, Avaya Vantage™ replaces this string with the device serial number.

If the parameter value contains the $MACADDR string, Avaya Vantage™ replaces that string with the device MAC address.

Note:

The parameter value must not contain the asterisk (*) symbol. If the parameter value contains this symbol, Avaya Vantage™ considers the value to be invalid.

For provisioning, use the SET command in the 46xxsettings.txt file.

MYCERTDN
  Type: String
  Default value: null string
  Is set to default on reset: Yes

Specifies the common part of SUBJECT in a SCEP certificate request. This value defines the part of SUBJECT that is common for requests from different devices, such as Organizational Unit, Organization, Location, State, and Country.

The parameter value must start with the slash (/) symbol.

Note:

Do not use the asterisk (*) symbol. If the value contains this symbol, Avaya Vantage™ considers the value to be invalid.

For example: /C=US/ST=CA/L=MILPITAS/O=Avaya

For provisioning, use the SET command in the 46xxsettings.txt file.

MYCERTKEYLEN
  Type: Integer
  Default value: 2048
  Is set to default on reset: Yes

Specifies the RSA private key length in bits. The private key is used on the device for certificate enrollment. Avaya Vantage™ only supports keys with a length of 2048 bits.

For provisioning, use the SET command in the 46xxsettings.txt file.

MYCERTCAID
  Type: String
  Default value: CAIdentifier
  Is set to default on reset: Yes

Specifies the Certificate Authority Identifier (CAI).

Certificate Authority servers might require a specific CAI string in order to accept GetCA requests. If Avaya Vantage™ works with such a Certificate Authority, the CA identifier string must be set through this parameter.

For provisioning, use the SET command in the 46xxsettings.txt file.

SCEPPASSWORD
  Type: String
  Default value: $SERIALNO
  Is set to default on reset: Yes

Specifies a password to use with SCEP.

A non-null SCEPPASSWORD value is included as the challengePassword attribute in SCEP certificate signing requests.

If the value contains $SERIALNO, $SERIALNO is replaced with the value of SERIALNO. If the value contains $MACADDR, $MACADDR is replaced with the value of MACADDR without the colon separators.

For provisioning, use:

  • The SET command in the 46xxsettings.txt file.

  • The Settings menu on the device.

MYCERTREPLACE
  Type: Numeric
  Default value: 90
  Is set to default on reset: Yes

Specifies, as a percentage of the certificate's validity interval, how far into that interval Avaya Vantage™ starts replacing the certificate before it expires. When the configured percentage of the validity interval has elapsed, Avaya Vantage™ tries to download the newest version of the certificate from the SCEP server.

The range is from 1 to 99.

For provisioning, use the SET command in the 46xxsettings.txt file.

ENABLE_PUBLIC_CA_CERTS
  Type: Integer
  Default value: 0
  Is set to default on reset: Yes

Specifies whether embedded Android trusted certificates are used by application services, such as Avaya Aura® Device Services, PPM, 802.1x EAP-TLS, SCEP, and file downloads using HTTPS.

You can assign one of the following values:

  • 0: The services do not use embedded Android trusted certificates.

  • 1: The services use embedded Android trusted certificates.

In the following cases, this parameter is enforced to 1 even if it was configured as 0:

  • When Avaya Vantage™ is installed in a Device Enrollment Services environment.

  • When Avaya Vantage™ obtains the provisioning server address from a redirect from Device Enrollment Services.

  • When Device Enrollment Services was used before and no private CA is retrieved from Device Enrollment Services.

For provisioning, use the SET command in the 46xxsettings.txt file.

CA_CERT_BLACKLIST
  Type: String
  Default value: null string
  Is set to default on reset: Yes

Specifies a comma-separated list of SHA-1 signatures of Android embedded trusted certificates that must be blocked.

Use this parameter to disable specific trusted certificates due to certificate revocation or if you do not trust the certificate. Only add certificates that are not already disabled in Android. You can find the list of these certificates in the /data/misc/keychain/pubkey_blacklist.txt file.

This parameter can contain up to 1024 characters.

For provisioning, use the SET command in the 46xxsettings.txt file.

For example: SET CA_CERT_BLACKLIST 410f36363258f30b347d12ce4863e433437806a8,c4f9663716cd5e71d6950b5f33ce041c95b435d1

PKCS12URL
  Type: String
  Default value: null string
  Is set to default on reset: Yes

Specifies the URL to be used to download a PKCS #12 file. This file contains an identity certificate and its private key.

The parameter value can contain up to 255 ASCII characters.

The address can contain the following options:

  • $SERIALNO: This option is replaced with the Avaya Vantage™ serial number.

  • $MACADDR: This option is replaced with the Avaya Vantage™ MAC address without colons.

For example: An Avaya Vantage™ device has the 00-24-D7-E4-2E-98 MAC address. The URL of the PKCS file is specified as http://<path_to_the_file>/pkc12file_$MACADDR.cer. In this case, the PKCS file for the device must have the pkc12file_0024D7E42E98 name.

For provisioning, use the SET command in the 46xxsettings.txt file.
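The placeholder substitution that MYCERTCN, MYCERTDN, SCEPPASSWORD and PKCS12URL share, worked through in Python as an added example (not code from Avaya or the device firmware). The device identity is constructed, the function names are mine, and placing the CN after the MYCERTDN part and normalizing dash-separated MACs like colon-separated ones are assumptions:

```python
import re

# Constructed device identity for the example (not a real device); the MAC is
# given in the dash-separated form the reference uses in its PKCS12URL example.
DEVICE = {"SERIALNO": "ABC123456789", "MACADDR": "00-24-D7-E4-2E-98"}

def expand_placeholders(value, device):
    """Substitute $SERIALNO and $MACADDR as the reference describes: the serial
    number verbatim, the MAC address with its separators removed.  Assumption:
    dash-separated and colon-separated MAC forms are normalized the same way."""
    mac = re.sub(r"[-:]", "", device["MACADDR"]).upper()
    return value.replace("$SERIALNO", device["SERIALNO"]).replace("$MACADDR", mac)

def scep_subject(mycertcn, mycertdn, device):
    """Build the SUBJECT of the SCEP request from MYCERTCN (device-specific CN)
    and MYCERTDN (common part), enforcing the rules stated for both: no
    asterisk anywhere, MYCERTDN starting with '/'.  Assumption: the CN is
    appended after the common part, as in OpenSSL's slash-separated notation."""
    if "*" in mycertcn or "*" in mycertdn:
        raise ValueError("MYCERTCN and MYCERTDN must not contain '*'")
    if mycertdn and not mycertdn.startswith("/"):
        raise ValueError("MYCERTDN must start with '/'")
    return f"{mycertdn}/CN={expand_placeholders(mycertcn, device)}"

def scep_challenge_password(sceppassword, device):
    """challengePassword sent in the CSR; None when SCEPPASSWORD is null."""
    return expand_placeholders(sceppassword, device) if sceppassword else None

def pkcs12_file_name(pkcs12url, device):
    """File name the server must host for this device, derived from PKCS12URL."""
    return expand_placeholders(pkcs12url, device).rsplit("/", 1)[-1]

if __name__ == "__main__":
    print(scep_subject("$SERIALNO", "/C=US/ST=CA/L=MILPITAS/O=Avaya", DEVICE))
    print(scep_challenge_password("$MACADDR", DEVICE))
    print(pkcs12_file_name("http://<path_to_the_file>/pkc12file_$MACADDR.cer", DEVICE))
```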

PKCS12PASSWORD
  Type: String
  Default value: null string
  Is set to default on reset: Yes

Specifies a PKCS #12 file password.

For provisioning, use:

  • The SET command in the 46xxsettings.txt file.

  • The Settings menu on the device.

PKCS12_PASSWD_RETRY
  Type: String
  Default value: 3
  Is set to default on reset: Yes

Specifies the number of failed attempts allowed when entering the password for the PKCS#12 file. If the user does not enter the correct password within this number of attempts, Avaya Vantage™ does not install the PKCS#12 file.

The range is from 0 to 100, where 0 means that the user cannot retry to enter the password.

For provisioning, use the SET command in the 46xxsettings.txt file.

ID_CERT_APPLICATION_LIST
  Type: String
  Default value: all
  Is set to default on reset: Yes

Specifies which applications can access the identity certificate stored on Avaya Vantage™. Assign one of the following values:

  • all: All applications can access certificates.

  • Null string: No application can access certificates. The exception is an active phone application defined in ACTIVE_CSDK_BASED_PHONE_APP.

  • A list of comma-separated application package names: Only the specified applications can access certificates. For example: SET ID_CERT_APPLICATION_LIST flare.avaya.com,vantage.basic.avaya.com

For provisioning, use the SET command in the 46xxsettings.txt file.

DELETE_MY_CERT
  Type: String
  Default value: 0
  Is set to default on reset: Yes

Specifies whether Avaya Vantage™ should delete the installed identity certificate. Assign one of the following values:

  • 0: The installed identity certificate remains on the system.

  • 1: The installed identity certificate will be deleted from the system.

For provisioning, use:

  • DHCP option 242.

  • The SET command in the 46xxsettings.txt file.

CERT_WARNING_DAYS
  Type: Numeric
  Default value: 60
  Is set to default on reset: Yes

Specifies the number of days before the certificate expiry date when Avaya Vantage™ starts to display certificate expiration warning messages. Avaya Vantage™ displays the warning message every seven days. This parameter relates to trusted certificates, EASG certificates, and the identity certificate. This parameter does not affect EASG certificates.

The range is from 0 to 99. If the value is set to 0, Avaya Vantage™ does not display certificate expiration warning messages.

For provisioning, use the SET command in the 46xxsettings.txt file.
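The MYCERTREPLACE renewal point and the CERT_WARNING_DAYS warning window worked through in Python, as an added example that is not Avaya's code. The certificate validity dates are constructed, and counting the seven-day warning repeat from the first warning day is my assumption:

```python
from datetime import datetime, timedelta

def replacement_date(not_before, not_after, mycertreplace=90):
    """When the device starts fetching a renewed certificate from the SCEP
    server: MYCERTREPLACE percent of the validity interval has elapsed."""
    if not 1 <= mycertreplace <= 99:
        raise ValueError("MYCERTREPLACE must be between 1 and 99")
    return not_before + (not_after - not_before) * (mycertreplace / 100)

def warning_start(not_after, cert_warning_days=60):
    """First day on which expiry warnings appear; None when disabled with 0."""
    if not 0 <= cert_warning_days <= 99:
        raise ValueError("CERT_WARNING_DAYS must be between 0 and 99")
    return None if cert_warning_days == 0 else not_after - timedelta(days=cert_warning_days)

def lifecycle_state(now, not_before, not_after, mycertreplace=90, cert_warning_days=60):
    """Classify the certificate at `now`: ok, warning, renewal-due or expired."""
    if now >= not_after:
        return "expired"
    if now >= replacement_date(not_before, not_after, mycertreplace):
        return "renewal-due"
    start = warning_start(not_after, cert_warning_days)
    return "warning" if start is not None and now >= start else "ok"

def warning_shown_today(now, not_after, cert_warning_days=60):
    """The reference says warnings repeat every seven days; assumption: the
    cycle is counted from the first warning day."""
    start = warning_start(not_after, cert_warning_days)
    return start is not None and now >= start and (now - start).days % 7 == 0

# Constructed certificate validity period used for the demonstration.
NOT_BEFORE, NOT_AFTER = datetime(2022, 1, 1), datetime(2023, 1, 1)

if __name__ == "__main__":
    print(replacement_date(NOT_BEFORE, NOT_AFTER))  # 2022-11-25 12:00:00
    for day in (datetime(2022, 6, 1), datetime(2022, 11, 10), datetime(2022, 12, 1)):
        print(day.date(), lifecycle_state(day, NOT_BEFORE, NOT_AFTER))
```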

EASG_SITE_CERTS
  Type: String
  Default value: null string
  Is set to default on reset: Yes

Specifies EASG site certificate file names. Technicians use these certificates to generate EASG responses for SSH login when they do not have access to the Avaya network.

The value of the parameter is a list of file names separated by commas without any spaces between entries. The value can contain up to 255 ASCII characters.

To delete the EASG trusted certificate from the device, remove the corresponding file name from EASG_SITE_CERTS.

For provisioning, use the SET command in the 46xxsettings.txt file.

EASG_SITE_AUTH_FACTOR
  Type: String
  Default value: null string
  Is set to default on reset: Yes

Specifies the EASG site authentication factor code associated with the EASG site certificate. The value of the parameter can contain from 10 to 20 alphanumeric characters.

For provisioning, use the SET command in the 46xxsettings.txt file.

KEYUSAGE_REQUIRED
  Type: Numeric
  Default value: 1

Specifies whether Avaya Vantage™ requires the presence of a Key Usage extension in the server identity certificate.

Assign one of the following values:

  • 0: Avaya Vantage™ does not check for the presence of the Key Usage extension in the server identity certificate.

  • 1: Avaya Vantage™ checks for the presence of the Key Usage extension in the server identity certificate. If the extension is missing, the server certificate is rejected.

    The server identity certificate and all certificates in the chain, up to the root certificate, must include the Key Usage extension.

For provisioning, use the SET command in the 46xxsettings.txt file.

BLOCK_CERTIFICATE_WILDCARDS
  Type: Numeric
  Default value: 0

Specifies whether Avaya Vantage™ accepts server identity certificates with wildcards.

Assign one of the following values:

  • 0: Avaya Vantage™ accepts wildcards in certificates.

  • 1: Avaya Vantage™ does not accept wildcards in certificates.

For provisioning, use the SET command in the 46xxsettings.txt file.
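To catch the limits stated throughout this page before a 46xxsettings.txt file reaches devices, an added Python linter (not an Avaya tool) that checks SET lines against the ranges, lengths and character rules given for each parameter; the sample settings file is constructed and the rule wording is mine:

```python
import re

# Added validator (not Avaya's code): each rule returns an error string or None,
# encoding the limits this reference states for that parameter.
SHA1_LIST = re.compile(r"^[0-9a-f]{40}(,[0-9a-f]{40})*$", re.I)
def _int_range(lo, hi):
    return lambda v: None if v.isdigit() and lo <= int(v) <= hi else f"must be an integer in {lo}..{hi}"
def _ascii_max(limit):
    return lambda v: None if v.isascii() and len(v) <= limit else f"at most {limit} ASCII characters"

FLAG = _int_range(0, 1)
RULES = {
    "TRUSTCERTS": lambda v: ("at most 100 certificates" if v.count(",") >= 100
                             else "at most 4000 characters" if len(v) > 4000 else None),
    "MYCERTURL": lambda v: None if v.startswith("http://") else "must start with http://",
    "MYCERTCN": lambda v: "must not contain *" if "*" in v else None,
    "MYCERTDN": lambda v: ("must start with /" if not v.startswith("/")
                           else "must not contain *" if "*" in v else None),
    "MYCERTKEYLEN": lambda v: None if v == "2048" else "only 2048-bit keys are supported",
    "MYCERTREPLACE": _int_range(1, 99),
    "CA_CERT_BLACKLIST": lambda v: ("at most 1024 characters" if len(v) > 1024 else
                                    None if SHA1_LIST.match(v) else "comma-separated SHA-1 hex values"),
    "PKCS12URL": _ascii_max(255),
    "PKCS12_PASSWD_RETRY": _int_range(0, 100),
    "CERT_WARNING_DAYS": _int_range(0, 99),
    "EASG_SITE_CERTS": lambda v: "no spaces between entries" if " " in v else _ascii_max(255)(v),
    "EASG_SITE_AUTH_FACTOR": lambda v: None if re.fullmatch(r"[A-Za-z0-9]{10,20}", v) else "10 to 20 alphanumeric characters",
    "ENABLE_PUBLIC_CA_CERTS": FLAG, "DELETE_MY_CERT": FLAG,
    "KEYUSAGE_REQUIRED": FLAG, "BLOCK_CERTIFICATE_WILDCARDS": FLAG,
}

def lint_settings(text):
    """Return (line_no, parameter, problem) for each SET line breaking a rule; empty values keep the null default and are skipped."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^\s*SET\s+(\S+)\s*(.*?)\s*$", line, re.I)
        if not m or not m.group(2):
            continue
        name, value = m.group(1).upper(), m.group(2)
        err = RULES.get(name, lambda v: None)(value)
        if err:
            problems.append((n, name, err))
    return problems

# Constructed sample settings file with four deliberate mistakes (lines 2 to 5).
SAMPLE = """SET TRUSTCERTS SMGRCA.cer,Entrust.cer,Digicert.cer
SET MYCERTDN C=US/ST=CA/L=MILPITAS/O=Avaya
SET MYCERTCN *.example
SET MYCERTKEYLEN 4096
SET MYCERTREPLACE 100
SET CA_CERT_BLACKLIST 410f36363258f30b347d12ce4863e433437806a8,c4f9663716cd5e71d6950b5f33ce041c95b435d1
"""
```

Run `lint_settings(SAMPLE)` to get one tuple per offending line; a clean file returns an empty list.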