Using secure SIP relies on a complicated
setup of the underlying X.509 certificates. If you have a problem,
follow this process.
- When Blueworx Voice Response is first starting, it tests the security setup that it has. The output of these checks is written to $OAM_LOG_PATH/DTstatus.out, underneath the line:
  NM: Secure SIP (TLS) is Enabled
  If Secure SIP is not enabled in the Blueworx Voice Response configuration, the following line is generated instead:
  NM: Secure SIP (TLS) is not Enabled
  Check the setup messages under those lines for errors and logs.
- Confirm the presence of the database files keyring.db, keyring.rdb, keyring.crl, and keyring.sth in the $SYS_DIR/voip directory. If these files are not present, see Create the keyring.db database. Also, ensure that these files are owned by the user that Blueworx Voice Response is configured to be run by (default dtuser) and that this user has read and write permissions for the database files.
- Run the following command:
  wvrcert -cert -list -db $SYS_DIR/voip/keyring.db -stashed
  Output similar to the following is generated:
  Certificates found
  * default, - personal, ! trusted
  ! Trusted_CA
  - wvr_server_certificate
  Ensure that you have a wvr_server_certificate listed with a dash next to it. If you cannot see the label, or it does not have a dash next to it, you have not configured the Blueworx Voice Response server certificate correctly. For more information, see Configure the Blueworx Voice Response server certificate.
- You must ensure that for every certificate in your database, you have all the certificates in the CA chain that signed that entity's certificate. You must also check that your certificates have not expired. You can check this by running the following command, replacing my_label with your certificate label:
  wvrcert -cert -validate -label "my_label" -db $SYS_DIR/voip/keyring.db -stashed
  If all the necessary CA certificates are in the database and the certificate has not expired, an OK message is generated.
- The labels that you add to your certificates are for your own convenience. It is possible to add a misleading label to a certificate accidentally, for example, to label a non-self-signed certificate "self_signed". You can check the details of your certificate with the following command, replacing my_label with your certificate label:
  wvrcert -cert -details -label "my_label" -db $SYS_DIR/voip/keyring.db -stashed
  Output similar to the following is generated:
  Label : wvr_server_certificate
  Key Size : 1024
  Version : X509 V3
  Serial : 382ec01d0cfa4e9a
  Issuer : CN=MY_CA
  Subject : CN=example-machine.ibm.com
  Not Before : 1 November 2013 09:57:16 GMT-87:39:25
  Not After : 21 October 2023 09:57:16 GMT-87:39:25
  Public Key
  30 ...... 01
  Public Key Type : RSA (1.2.840.113549.1.1.1)
  Fingerprint : SHA1 :
  D8 ...... 00
  Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
  Value
  57 ...... 19
  Trust Status : Enabled
- If you have recently made any configuration changes, restart Blueworx Voice Response. Secure configuration changes will come into effect only on restart.
- Restore the original ciphers.ini.
If you modified ciphers.ini in the $SYS_DIR/voip directory,
try using the original file that is stored as $SYS_DIR/voip/ciphers.ini.orig.
Mistakes in ciphers.ini can lead to errors.
- Errors can also be displayed in the Blueworx Voice Response errorlog
in $OAM_LOG_PATH.
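The checks in the steps above can be scripted so that they are repeatable and can be run before every restart. The following Python script is an added example and is not Blueworx code: it checks the NM status line in DTstatus.out, the presence, ownership and permissions of the four keyring files, and parses the output of the wvrcert -list and -details commands to confirm that the server certificate is listed as personal, that its validity period covers the current date, and whether it is actually self-signed (issuer equals subject) regardless of its label. The sample DTstatus, list and details texts embedded below are constructed from the output shown on this page; the script does not run wvrcert itself, so pipe the real command output into it on the server.

```python
"""Offline checks for the secure SIP troubleshooting steps (added example)."""
import os
import pwd
import re
from datetime import datetime

KEYRING_FILES = ("keyring.db", "keyring.rdb", "keyring.crl", "keyring.sth")
TLS_ENABLED = "NM: Secure SIP (TLS) is Enabled"
TLS_DISABLED = "NM: Secure SIP (TLS) is not Enabled"

# Constructed samples, copied from the output formats shown on the page.
SAMPLE_DTSTATUS = TLS_ENABLED + "\n"
SAMPLE_LIST = """Certificates found
* default, - personal, ! trusted
! Trusted_CA
- wvr_server_certificate
"""
SAMPLE_DETAILS = """Label : wvr_server_certificate
Key Size : 1024
Version : X509 V3
Serial : 382ec01d0cfa4e9a
Issuer : CN=MY_CA
Subject : CN=example-machine.ibm.com
Not Before : 1 November 2013 09:57:16 GMT-87:39:25
Not After : 21 October 2023 09:57:16 GMT-87:39:25
Public Key Type : RSA (1.2.840.113549.1.1.1)
Trust Status : Enabled
"""


def tls_status(dtstatus_text):
    """True/False from the NM line in DTstatus.out; None if neither line is present."""
    for line in dtstatus_text.splitlines():
        if line.strip() == TLS_DISABLED:
            return False
        if line.strip() == TLS_ENABLED:
            return True
    return None


def check_keyring_files(voip_dir, run_user="dtuser"):
    """List keyring files that are missing, not owned by run_user, or not rw for the owner."""
    problems = []
    try:
        uid = pwd.getpwnam(run_user).pw_uid
    except KeyError:
        uid = None  # user unknown on this host: ownership test is skipped
    for name in KEYRING_FILES:
        path = os.path.join(voip_dir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
            continue
        st = os.stat(path)
        if uid is not None and st.st_uid != uid:
            problems.append(f"{name}: not owned by {run_user}")
        if st.st_mode & 0o600 != 0o600:
            problems.append(f"{name}: owner lacks read/write permission")
    return problems


def parse_cert_list(list_output):
    """Map each label in 'wvrcert -cert -list' output to its marker (*, - or !)."""
    certs = {}
    for line in list_output.splitlines():
        m = re.match(r"^\s*([*!-])\s+(\S+)\s*$", line)  # legend line does not match
        if m:
            certs[m.group(2)] = m.group(1)
    return certs


def server_cert_ok(list_output, label="wvr_server_certificate"):
    """True only if the label is present and marked '-' (personal)."""
    return parse_cert_list(list_output).get(label) == "-"


DETAIL_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")


def parse_details(details_output):
    """Turn the 'Field : value' lines of 'wvrcert -cert -details' into a dict."""
    fields = {}
    for line in details_output.splitlines():
        m = DETAIL_RE.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def parse_wvrcert_date(value):
    """Parse '21 October 2023 09:57:16 ...'; the trailing zone text is ignored."""
    day, month, year, clock = value.split()[:4]
    return datetime.strptime(f"{day} {month} {year} {clock}", "%d %B %Y %H:%M:%S")


def is_self_signed(details_output):
    """Label-independent test: a certificate is self-signed when issuer equals subject."""
    f = parse_details(details_output)
    return f.get("Issuer") == f.get("Subject")


def validity_problems(details_output, now):
    """Report if 'now' lies outside the Not Before / Not After window."""
    f = parse_details(details_output)
    not_before, not_after = parse_wvrcert_date(f["Not Before"]), parse_wvrcert_date(f["Not After"])
    problems = []
    if now < not_before:
        problems.append(f"certificate not valid before {not_before:%Y-%m-%d}")
    if now > not_after:
        problems.append(f"certificate expired on {not_after:%Y-%m-%d}")
    return problems


if __name__ == "__main__":
    print("TLS enabled:", tls_status(SAMPLE_DTSTATUS))
    print("keyring files:", check_keyring_files(os.environ.get("SYS_DIR", "/nonexistent") + "/voip"))
    print("server cert personal:", server_cert_ok(SAMPLE_LIST))
    print("self-signed:", is_self_signed(SAMPLE_DETAILS))
    print("validity:", validity_problems(SAMPLE_DETAILS, datetime.now()))
```

On a live system, replace the constructed samples with the real files and command output, for example by reading $OAM_LOG_PATH/DTstatus.out and capturing the wvrcert output with subprocess. The date parser deliberately drops the zone suffix because the offset printed in the sample output is not a usable UTC offset; the expiry test therefore has a tolerance of a day around the boundary.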