Security certificates overview



A security certificate contains encryption keys. Once you accept a security
certificate, all data that is transmitted between the server and your
browser is encrypted to prevent unauthorized users from intercepting and
viewing it (for example, passwords or other sensitive information).
Types of Avaya security certificates
Security alerts and resolutions for server certificates
About security certificates
Types of Avaya security certificates
The Avaya media server uses two kinds of security certificates:
- A Root certificate establishes Avaya Inc. as a trusted
Certificate Authority (CA). You must install the root certificate after
you log in. See Related Topics
for the procedure.
- A Server certificate verifies the identity of a server.
The server certificate changes every time the server is reconfigured.
If the server's name is changed, you might see a security alert the next
time you log in.
- The Avaya media server provides two server certificates.
One certificate is for service technicians who must log in to many servers.
The certificate for service technicians is issued to the services Ethernet
interface address (192.11.13.6) and identifies the certificate authority
as the Avaya Call Server. The other certificate is issued to the site-specific
server name after it is configured.
- You must accept or store the server certificate before
you can log in to the Avaya media server. Ensure
that you have a secure connection to the server. See Server security certificate
for acceptance guidelines and procedures.
Security alerts for server certificates
Occasionally, a Security Alert screen might appear when you log in.
This screen may indicate problems with the server security certificate.
- Company not trusted. This alert appears if Avaya
Inc. is not included on the browser's list of trusted authorities. This
warning does not appear after you install
the Avaya root certificate on your browser.
- Certificate date not valid.
This alert does not appear under normal circumstances because a security
certificate is valid for many years. Do not accept the certificate if you
see this alert.
- Server name check or mismatch warning.
This alert message indicates that the name of the web server on the security
certificate does not match the server name in the browser's Address or
Location field. This error can occur in the following cases:
- If a certificate is issued based on the server name
and if you try to access the Web interface using the server's IP address,
you will see this alert. Conversely, if the certificate is issued based
on the server's IP address and you try to access it by name, you will
also see this alert. It is okay to accept the server certificate in this
case.
- On-site technicians log into the Avaya media server
from the services interface using IP address 192.11.13.6. Because this
is the only active interface on a new Avaya server or on a replacement
media server that has been reset to default values, the original security
certificate lists 192.11.13.6 as the server name. Technicians should install
the Avaya root certificate to stop this alert from appearing again.
- A replacement server that was previously configured
for another location may present a security certificate with the name
of the server at the previous location. Technicians should accept this
certificate for the current session in order to log in and reset
to default values. Do not accept the certificate if you
are logging in over the Internet and the server name is not the one that
this company has assigned to their Avaya media server.
Additional problems with the security certificate include:
<browser> encountered bad data from the server. You may see
this error if someone else updates the security certificate for the media
server while you are accessing the web interface. If this happens:
- Exit the browser (close the application).
- Open the browser again, then log back in to the Avaya
media server.
- You must accept the new certificate to access the
server again.
About security certificates
A security certificate is a file that a web server and your browser
exchange. You use a security certificate to:
- Verify the authenticity of the Web site with
which you are communicating. That is, a security certificate ensures
that a hacker did not steal the site's identity.
- Exchange numbers known as encryption keys, which encode
the messages that a Web server exchanges with your browser. Encryption prevents
unauthorized viewers from accessing important information such as passwords.
- Certificates depend on a technology known as public
key encryption (PKI).
PKI uses two encryption keys. One key is called the public key and the other key is
called the private key. A message that is encrypted with one of the keys
can be decrypted only with the other key. If a Web server encrypts a message
and your browser recognizes the corresponding public key (which is made
public by the Web site), your browser can decrypt the message sent by
the Web server. If your browser can decrypt the message, you know that the
message was encrypted with the corresponding private key. Therefore,
the only server that recognizes this key is the Web site with which your
browser is communicating.
- A browser receives the public key in the security
certificate sent by the Web site. The browser recognizes only the certificate
from this site because it is cryptographically signed by a company known
as a Certificate Authority (CA). The browser manufacturer delivers its
browser software with a series of certificates from
companies such as Verisign or Thawte (certificate
authorities). The certificate from the Web server indicates the signer
to the browser. The browser searches its list of certificates to check
whether the signer (a certificate authority) is listed. If listed, the
browser automatically checks the signature of the incoming certificate,
and accepts the correct certificate.
However, if the certificate is not found, you are prompted to accept the
incoming certificate.
- The certificates offered by the Avaya media server
are signed by Avaya. Browser manufacturers do not include an Avaya Certificate
Authority type of certificate with their browsers, because Avaya does
not sign certificates for web sites in general. Avaya signs certificates only
for its media server, and they are used only in this context. Therefore, you
must incorporate the Avaya certificate yourself.
- The two types of certificates are 1) a server certificate
and 2) a Certificate Authority (CA) certificate. The server certificate
is automatically sent by the Web site for each Web session. The CA certificate
must be loaded into the browser manually, if not already present.
- Example.
On Internet Explorer, the Security Alert dialog box is a notice of a server
certificate arrival. The browser has made three checks of the arriving
server certificate. (These are the three security alerts listed under
Security alerts for server certificates.) A yellow triangle next to the
first check indicates that the browser does not have the CA certificate
that was used to sign the arriving server certificate. The browser cannot
validate the authenticity of the arriving certificate and you must make
the decision yourself. The second check should show a green circle, to
indicate that the arriving server certificate has not expired. The third
check should also show a green circle, to indicate that the value in the
browser's address window matches the address that is contained in the
arriving certificate, or a triangle in the case of a server name mismatch.
If all three checks result in a green circle, this screen would not appear.
If you install the CA certificate from Avaya, you do not receive security alert
warnings. You can install the Avaya CA (root) certificate after you log
in; without a CA certificate, you must accept the server certificate manually to log in.
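
The three checks behind the Security Alert dialog, modelled as an added example that is not Avaya's code. The certificates are constructed samples in the layout of Python's `ssl.SSLSocket.getpeercert()`; only 192.11.13.6 and "Avaya Call Server" come from this page, and the site name, dates and the `installed_cas` set of CA names are assumptions.

```python
import ipaddress
import ssl

# Constructed samples: same issuer and dates for both, different subject name.
ISSUER = ((("organizationName", "Avaya Inc."),), (("commonName", "Avaya Call Server"),))
SERVICES_CERT = {"subject": ((("commonName", "192.11.13.6"),),), "issuer": ISSUER,
                 "notBefore": "Jan  1 00:00:00 2005 GMT", "notAfter": "Jan  1 00:00:00 2025 GMT"}
SITE_CERT = dict(SERVICES_CERT, subject=((("commonName", "mediaserver.example.com"),),))
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2010 GMT")  # constructed clock


def _field(name, key):
    """First value of `key` in a getpeercert() subject/issuer tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)


def _norm(value):
    """Canonical form so that IP literals and host names compare reliably."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.lower()


def issuer_trusted(cert, installed_cas):
    # Lookup step only: a browser goes on to verify the CA's signature.
    return _field(cert["issuer"], "commonName") in installed_cas


def date_valid(cert, now):
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def name_matches(cert, address):
    # Exact match against subjectAltName, else the common name (no wildcards).
    names = [v for _, v in cert.get("subjectAltName", ())]
    names = names or [_field(cert["subject"], "commonName")]
    return _norm(address) in {_norm(n) for n in names if n}


def security_alerts(cert, address, installed_cas, now):
    """Return the alerts from 'Security alerts for server certificates' that apply."""
    alerts = []
    if not issuer_trusted(cert, installed_cas):
        alerts.append("Company not trusted")
    if not date_valid(cert, now):
        alerts.append("Certificate date not valid")
    if not name_matches(cert, address):
        alerts.append("Server name mismatch")
    return alerts
```

An empty result corresponds to the case where the Security Alert screen does not appear at all.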