Secure SIP

Secure SIP support is enabled by configuring a TLS listening point as described in SIP Listening Point Configuration Options

If BVR is receiving incoming calls, or it is making outbound calls to endpoints which use client authentication, the certificate of the BVR system should be added to a keystore and the keystore referenced using the following configuration options:

keystore_file
keystore_password
keystore_key_alias

as described in Security Configuration Options

How to set up a keystore is described here Setting up a Keystore.

How to get a CA signed certificate is described here Getting a certificate signed by a Certificate Authority.

BVR can authenticate the client when receiving incoming calls by setting the client_auth option as described in SIP Security Configuration Options. If enabled then a CA certifcate may have to be added to the truststore if the certificate supplied by the client is not signed by certificate authorities already present in the trust store. How to do this is described here Adding a Certificate Authority to a Truststore (or Keystore).

A truststore which includes a long list of trusted certificate authorities is shipped with BVR. This is installed as:

/opt/blueworx/vr/security/truststore.jks

with password set to "changeit".

The trust store is referenced using the following configuration options:

truststore_file
truststore_password

as described in Security Configuration Options

This truststore can have CA certificates added, if not already present, to enable secure SIP on outbound calls. How to do this is described here Adding a Certificate Authority to a Truststore (or Keystore).

Some useful commands for manipulating keystores and truststores are described here Useful Keystore/Truststore related commands.