TLS certificate stores

Last Updated : May 10, 2023 |

The Gateway maintains two certificate stores to hold TLS CA and Identity certificates for the following applications:

  • h248reg: Used for H.248 Media Gateway TLS communication with Communication Manager operating in the following modes:

    • Enterprise: The default mode of the gateway in which the gateway operates with the local enterprise IP address and is connected to the Communication Manager.

    • Edge: Media Gateway uses the h248reg certificate store to set up a TLS connection with Avaya SBC. Edge gateway mode operates with the NATed IP address.

      Media Gateway uses this connection to send the H.248 signaling messages to Avaya SBC H.248 proxy server application, which forwards the messages to Communication Manager.

      In the Edge gateway mode, the MGSBC management link uses the h248reg certificate store and TCP port 2946 to create a TLS connection with Avaya SBC.

  • sla: Used for providing diagnostic information to the SLA Monitor Server.

  • syslog: Used for syslog certificates.

  • web: Used for HTTPS data transfers to and from web servers.

    Note:

    The HTTP or HTTPS upload and download commands use the web trust store. For more information about the HTTPS commands, see Avaya Branch Gateway G430 CLI Reference and Avaya Branch Gateway G450 CLI Reference.

Note:

TLS connections can be established only if valid certificates are installed on both the gateway and the server it communicates with. Specifically, TLS communication on the gateway requires the following:

  • A CM Identity certificate must be installed on Communication Manager, and a corresponding CM CA certificate must be installed on the Gateway.

  • To use SLA Monitor Agent, an SLA Monitor Server Identity certificate must be installed on the SLA Monitor Server and a corresponding SLA Monitor CA certificate must be installed on the Gateway.

  • When the gateway is operating in the Edge mode, and is therefore connected to Avaya SBC, using an Identity certificate is recommended.

  • If an Identity certificate is installed on the Gateway, a corresponding Gateway CA certificate must be installed on CM.

Note:

A Gateway Identity certificate needs to be installed if mutual authentication is set to Required on the Communication Manager Media Gateway form.

The commands used to copy, show, and erase certificates on the Gateway are provided through the Gateway CLI. For more information, see Avaya Branch Gateway G430 CLI Reference and Avaya Branch Gateway G450 CLI Reference.

The forms and commands used to copy, show, and erase certificates on CM and the ADS SLA Monitor Server are available in their corresponding administration guides.

Monitoring of certificate expiration is extended to include the user-provided certificates in the Web Trust store, as follows:

  • When the certificate is 60 days before its expiration date, Media Gateway raises a minor trap alarm.

  • When the certificate expiration date is reached, Media Gateway raises a major trap alarm.
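The expiration thresholds above (minor trap at 60 days before expiry, major trap once the expiration date is reached) applied to an inventory of the gateway's stores, as an added example that is not Avaya's code. The store inventory, certificate labels and the reference time are constructed for the illustration; the notAfter strings use the "Mon DD HH:MM:SS YYYY GMT" format that OpenSSL and Python's ssl module emit.

```python
import ssl
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Threshold stated in the documentation: minor alarm 60 days before expiration.
MINOR_DAYS_BEFORE_EXPIRY = 60

# Constructed sample inventory: store name -> list of (label, notAfter).
# The four stores are the ones the gateway documents (h248reg, sla, syslog, web).
SAMPLE_STORES: Dict[str, List[Tuple[str, str]]] = {
    "h248reg": [("cm-ca", "Jun 30 23:59:59 2025 GMT")],
    "sla": [("sla-monitor-ca", "Jan 15 00:00:00 2025 GMT")],
    "syslog": [("syslog-ca", "Dec 31 23:59:59 2030 GMT")],
    "web": [("user-web-ca", "Feb 01 12:00:00 2025 GMT")],
}

# Constructed reference time used by the stand-alone run below.
SAMPLE_NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)


def expiry_alarm(not_after: str, now: datetime) -> Optional[str]:
    """Return 'major', 'minor' or None for one certificate's notAfter date."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    if now >= expires:
        return "major"      # expiration date reached (or already passed)
    if now >= expires - timedelta(days=MINOR_DAYS_BEFORE_EXPIRY):
        return "minor"      # within the 60-day warning window
    return None             # no alarm yet


def audit_stores(stores: Dict[str, List[Tuple[str, str]]],
                 now: datetime) -> List[Tuple[str, str, str]]:
    """Walk every store and list (store, label, severity) for certificates that alarm."""
    alarms = []
    for store, certs in stores.items():
        for label, not_after in certs:
            severity = expiry_alarm(not_after, now)
            if severity is not None:
                alarms.append((store, label, severity))
    return alarms


if __name__ == "__main__":
    for store, label, severity in audit_stores(SAMPLE_STORES, SAMPLE_NOW):
        print(f"{store}/{label}: {severity} trap")
```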