Transport Layer Security (TLS)

Last Updated: Aug 20, 2020

Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message.

To enable TLS communication with Avaya Aura® Communication Manager, one must first enable TLS link encryption on Communication Manager using the change media-gateway SAT command.

In addition, the following X.509 certificates must be installed on Communication Manager:

  • Communication Manager's Identity certificate.

  • Gateway's Root CA certificate. This is required only if mutual authentication is enabled on Communication Manager.

Additionally, the following X.509 certificates must be installed on the gateway:

  • Communication Manager's Root CA certificate. This must be done for each Communication Manager in the gateway's MGC list that is to use TLS. This is accomplished using either the copy scp root-ca h248reg or copy usb root-ca commands.

  • Gateway's Identity certificate.

    This must be installed only if mutual authentication is enabled on Communication Manager.

    This is accomplished using either the copy scp gw-identity-cert h248reg or copy usb gw-identity-cert commands.

  • OCSP Responder's Root CA certificate.

    This must be installed only if OCSP validation is enabled and must be done for each OCSP responder.

    This is accomplished using the copy scp root-ca command.

Finally, one can fine-tune the gateway's certificate validation policy, for example how certificate expiration or revocation is handled, using the certificate-options CLI command.
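Before the identity and Root CA certificates are copied to the gateway or to Communication Manager, it is worth confirming offline that each identity certificate actually chains to the Root CA the peer will hold for mutual authentication, and that it is not close to the expiration limit the validation policy will enforce. The following script is an added example, not Avaya's own tooling; it uses OpenSSL to build a constructed Root CA, a constructed gateway identity certificate, and a second unrelated CA, and then runs the two checks a practitioner would want (chain validity and remaining lifetime). All subjects and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not Avaya code): pre-check certificates before installation.
# Every certificate below is constructed on the fly for the demonstration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed Root CA, standing in for the CA that issues the gateway's
# and Communication Manager's identity certificates.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout root-ca.key -out root-ca.pem -subj "/CN=Example Root CA" 2>/dev/null

# Constructed gateway identity certificate signed by that Root CA (90 days).
openssl req -newkey rsa:2048 -nodes -keyout gw.key -out gw.csr \
    -subj "/CN=gateway.example.test" 2>/dev/null
openssl x509 -req -in gw.csr -CA root-ca.pem -CAkey root-ca.key \
    -CAcreateserial -days 90 -out gw-identity.pem 2>/dev/null

# Constructed unrelated Root CA: simulates copying the wrong root-ca file
# to the peer, which would make mutual authentication fail.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout other-ca.key -out other-ca.pem -subj "/CN=Other Root CA" 2>/dev/null

# Returns 0 when the identity certificate ($2) chains to the Root CA ($1).
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when certificate $1 is still valid $2 seconds from now.
not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Prints subject and expiry date of a certificate, for the change record.
describe() {
    openssl x509 -in "$1" -noout -subject -enddate
}

if chain_ok root-ca.pem gw-identity.pem; then
    echo "gateway identity cert chains to root-ca.pem: OK"
fi
if ! chain_ok other-ca.pem gw-identity.pem; then
    echo "gateway identity cert does not chain to other-ca.pem: peer would reject it"
fi
if not_expiring_within gw-identity.pem 2592000; then
    echo "gateway identity cert is not expiring within 30 days"
fi
describe gw-identity.pem
```

Run the same chain_ok check with the real root-ca file against the real Communication Manager identity certificate before loading it on the gateway, and again in the other direction when mutual authentication is enabled.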

The show mgc CLI command can be used to display whether TLS is currently being used for H.248 communication with Communication Manager.