tls-profile
The tls-profile configuration element holds the information required to run SIP over TLS.
Constraints
This configuration element is not RTC supported for MSRP Online Certificate Status Protocol. To support MSRP OCSP, you must reboot after configuring cert-status-check and cert-status-profile-list.
Parameters
- name
  - Enter the name of the TLS profile.
- end-entity-certificate
  - Enter the name of the entity certification record.
- trusted-ca-certificates
  - Enter the names of the trusted CA certificate records.
- cipher-list
  - Enter a list of supported ciphers or retain the default value, DEFAULT. For a comprehensive list of ciphers supported by the SBC, see the Oracle Communications Session Border Controller Release Notes.
  - Default: DEFAULT
- verify-depth
  - Enter the maximum depth of the certificate chain that will be verified.
  - Default: 10
  - Values: Min: 0 / Max: 10
- mutual-authenticate
  - Enable or disable the mutual authentication of clients that connect to the SBC.
  - Default: disabled
  - Values: enabled | disabled
- tls-version
  - Enter the TLS version you want to use with this TLS profile.
  - Default: tlsv13
  - Values:
    - tlsv12
    - tlsv13
    - compatibility — When the SBC negotiates on TLS, it starts with the highest TLS version and works its way down until it finds a compatible version and cipher that works for the other side.
  Note:
  The security-config > sslmin option works in conjunction with the tls-profile's tls-version parameter when it is set to compatibility. For profiles that negotiate to compatible versions, the sslmin option specifies the lowest TLS version allowed.
- cert-status-check
  - Enable or disable OCSP in conjunction with an existing TLS profile.
  - Default: disabled
  - Values: enabled | disabled
- cert-status-profile-list
  - Select an object from the cert-status-profile parameter. In order to enable this parameter, this list must not be empty. If multiple cert-status-profile objects are assigned to cert-status-profile-list, the Oracle Communications Session Border Controller will use a hunt method beginning with the first object on the list.
  - Values: Any valid certificate status profile from cert-status-profile parameter
- ignore-dead-responder
  - Allows local certificate based authentication by the SBC in the event of an unreachable Session Router.
  - Default: disabled
  - Values: enabled | disabled
- allow-self-signed-cert
  - Allows self-signed certificates for Message Session Relay Protocol.
  - Default: disabled
  - Values: enabled | disabled
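A configuration review can check a profile against the values and dependencies listed above. The following Python linter is an added example, not Oracle code or SBC output; the dictionary layout, the `audit_tls_profile` name, the `sslmin` argument and the choice of which settings to raise as warnings are assumptions.

```python
# Added example: lint one tls-profile against the values documented on this page.
# Assumption: the profile is supplied as a dict of parameter name -> string value.
DEFAULTS = {
    "cipher-list": "DEFAULT", "verify-depth": "10",
    "mutual-authenticate": "disabled", "tls-version": "tlsv13",
    "cert-status-check": "disabled", "cert-status-profile-list": "",
    "ignore-dead-responder": "disabled", "allow-self-signed-cert": "disabled",
}
TOGGLES = ("mutual-authenticate", "cert-status-check",
           "ignore-dead-responder", "allow-self-signed-cert")
TLS_VERSIONS = ("tlsv12", "tlsv13", "compatibility")


def audit_tls_profile(profile, sslmin=None):
    """Return (severity, message) findings; sslmin is the security-config option or None."""
    p = {**DEFAULTS, **profile}  # unset parameters take the documented defaults
    findings = []
    for key in TOGGLES:
        if p[key] not in ("enabled", "disabled"):
            findings.append(("error", f"{key}: must be enabled or disabled"))
    if p["tls-version"] not in TLS_VERSIONS:
        findings.append(("error", "tls-version: not a documented value"))
    depth = p["verify-depth"]
    if not (depth.isdecimal() and 0 <= int(depth) <= 10):
        findings.append(("error", "verify-depth: must be between 0 and 10"))
    if p["cert-status-check"] == "enabled" and not p["cert-status-profile-list"].split():
        findings.append(("error", "cert-status-check: cert-status-profile-list is empty"))
    if p["tls-version"] == "compatibility" and sslmin is None:
        findings.append(("warn", "tls-version: compatibility with no sslmin set as a floor"))
    if p["mutual-authenticate"] == "disabled":
        findings.append(("warn", "mutual-authenticate: clients are not mutually authenticated"))
    if p["allow-self-signed-cert"] == "enabled":
        findings.append(("warn", "allow-self-signed-cert: self-signed MSRP certificates allowed"))
    if p["ignore-dead-responder"] == "enabled":
        findings.append(("warn", "ignore-dead-responder: local authentication fallback enabled"))
    return findings


# Constructed sample profile (not taken from a real SBC).
SAMPLE = {"name": "sample-profile", "tls-version": "compatibility",
          "cert-status-check": "enabled", "verify-depth": "12",
          "allow-self-signed-cert": "enabled"}

if __name__ == "__main__":
    for severity, message in audit_tls_profile(SAMPLE):
        print(f"{severity:5} {message}")
```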
Path
tls-profile is an element under the security path. The full path from the topmost prompt is: