With AE Services 7.0, the AE Services Transport service will enforce validation of the Communication Manager identity certificate for all administered switch connections.
The connection to Communication Manager is rejected if the AE Services server does not contain the CA certificate for Communication Manager. You can import the CA certificate used for Communication Manager from the Management Console screen Security > Certificate Management > CA Trusted Certificates. This validation enforcement affects all AE Services offer types, regardless of whether secure mode with FIPS is enabled or disabled.
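An offline pre-check for the validation described above, added here as an example (it is not Avaya tooling): it uses the `openssl` CLI to confirm that a Communication Manager identity certificate chains to the CA certificate you plan to import. The function names, file names, and the locally constructed test certificates are assumptions; in practice you would pass your exported PEM files to `cm_cert_trusted`.

```shell
#!/usr/bin/env bash
# Added example (not Avaya tooling). Assumes the openssl CLI (1.1.0 or later).

# cm_cert_trusted CA_PEM CM_CERT_PEM
# Exit 0 only if the CM identity certificate chains to the given CA file.
# -no-CApath keeps the system trust directory out of the decision, so the
# result reflects the CA you intend to import and nothing else.
cm_cert_trusted() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: constructed self-signed test CA (sample data only).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR CA_NAME LEAF_NAME: constructed certificate signed by CA_NAME,
# standing in for a Communication Manager identity certificate.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# Build one CA that issued the sample CM certificate and one unrelated CA,
# then report how the check behaves with each in the trust position.
demo() {
    local d ca
    d=$(mktemp -d) || return 1
    make_ca "$d" imported-ca && make_ca "$d" unrelated-ca &&
        make_leaf "$d" imported-ca cm-identity || { rm -rf "$d"; return 1; }
    for ca in imported-ca unrelated-ca; do
        if cm_cert_trusted "$d/$ca.pem" "$d/cm-identity.pem"; then
            echo "$ca: CM certificate validates against this CA"
        else
            echo "$ca: CM certificate does not validate; expect the link to be rejected"
        fi
    done
    rm -rf "$d"
}

demo
```
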
When in secure mode with FIPS, the AE Services server and Communication Manager exchange identity certificates, and each side authenticates the other side's certificate.
If the AE Services server is not configured to send an identity certificate to Communication Manager and the y option in the TLS Mutual Authentication for H.323 stations field is selected, Communication Manager will not accept the security profile, H323TLS, in the Gatekeeper Confirmation (GCF). If AE Services attempts to set up a TLS connection, Communication Manager will reject the TLS request.
If the AE Services server is not configured to send an identity certificate to Communication Manager and the n option in the TLS Mutual Authentication for H.323 stations field is selected, Communication Manager will allow the TLS connection to AE Services for H.323 registrations to proceed without an identity certificate.
The Provide AE Services certificate to switch field is used to configure the AE Services Transport service. The AE Services Transport service responds with a valid identity certificate to a Certificate Request message during the TLS handshake with Communication Manager. The first installed AE Services identity certificate associated with the alias cmtls, aeservices, or server is used as the identity certificate.