
CVLAN client and certificate management

The CVLAN client can use Transport Layer Security (TLS) to encrypt data exchanged between the CVLAN client and the AE Services Server. When the CVLAN client requests a secure connection to the AE Services Server, the CVLAN Service sends a certificate to the CVLAN client that allows the client to verify the server's identity. This process is known as server certificate authentication.

The CVLAN Service may be configured to request a certificate from the client so that the AE Services Server can verify the client's identity. This process is known as client certificate authentication.

For server certificate authentication up to AE Services 6.3.3, you may either use the Avaya Product Root Certificate Authority (CA) certificate as the server certificate, or a CA certificate issued by a trusted in-house or third-party certificate authority. This certificate is also referred to as your own certificate.

A fresh install does not include an Avaya-signed default certificate. A self-signed certificate is created at install time and used as the default. It is recommended to replace the self-signed certificate with a proper certificate.

The self-signed certificate on the AE Services 7.1.2 server can be exported and saved so that the CVLAN client can use it for development and testing against an AE Services 7.1.2 server. The self-signed certificate should not be used in a production environment.

The Avaya Product Root CA certificate is installed on the CVLAN client in the following location:

If you choose to use your own certificates, a file in Privacy Enhanced Mail (PEM) format that contains the certificate(s) for your trusted CA must be installed in the following location:

Note that this file may contain several certificates.

For client certificate authentication, AE Services does not provide a default certificate. You must provide and install your own certificates for client certificate authentication.

The default location for the PKCS12 (Public-Key Cryptography Standards #12) keystore containing the client certificate for client certificate authentication is:

If you choose to use a different file for the client keystore, the environment variable CLIENT_KEYSTORE must contain the full path name of the keystore. Otherwise, this environment variable must not be set.

If the client keystore is password protected, then the environment variable KEYSTORE_PWD must contain the password for the keystore. Otherwise, this environment variable must not be set.
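A pre-flight check for the client-side trust file and keystore variables described above, as an added example that is not Avaya code: it fingerprints every certificate in a PEM trust file and checks CLIENT_KEYSTORE and KEYSTORE_PWD against the rules stated here. The function names, the file-permission check and the sample data are assumptions of this example; the trust file content is passed in because its location depends on your installation.

```python
import base64, hashlib, os, re, stat

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.S)

def ca_bundle_report(pem_text):
    """Return (sha256_fingerprints, findings) for a PEM trust file.
    The file may hold several certificates; each one is fingerprinted so it
    can be compared with the fingerprint published by the issuing CA."""
    prints, findings = [], []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()))
            prints.append(hashlib.sha256(der).hexdigest())
        elif "PRIVATE KEY" in label:
            # A trust file should carry CA certificates only.
            findings.append("trust file contains a private key block")
    if not prints:
        findings.append("trust file contains no certificates")
    return prints, findings

def keystore_env_findings(env):
    """Check CLIENT_KEYSTORE / KEYSTORE_PWD as found in the mapping `env`."""
    findings = []
    path = env.get("CLIENT_KEYSTORE")
    if path is not None:
        if not os.path.isabs(path):
            findings.append("CLIENT_KEYSTORE is not a full path name")
        elif not os.path.isfile(path):
            findings.append("CLIENT_KEYSTORE does not point to a file")
        # Assumption of this example: the PKCS12 file holds the client's
        # private key, so only its owner should be able to read it.
        elif os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append("keystore is readable by group or others")
    if env.get("KEYSTORE_PWD") == "":
        findings.append("KEYSTORE_PWD is set but empty; unset it instead")
    return findings

def sample_pem(label, raw):
    """Build a constructed PEM block (placeholder bytes, not a real certificate)."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample: a trust file with two CA certificates.
SAMPLE_BUNDLE = sample_pem("CERTIFICATE", b"constructed CA 1") + \
                sample_pem("CERTIFICATE", b"constructed CA 2")

if __name__ == "__main__":
    print(ca_bundle_report(SAMPLE_BUNDLE))
    print(keystore_env_findings(dict(os.environ)))
```

The script cannot tell whether a keystore is password protected, so a missing KEYSTORE_PWD for a protected keystore still has to be caught when the client connects.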

For more information about certificates, see Certificates management.