tls-profile
The tls-profile configuration element holds the information required to run SIP over TLS.
Constraints
This configuration element is not RTC supported for MSRP Online Certificate Status Protocol. To support MSRP OCSP, you must reboot after configuring cert-status-check and cert-status-profile-list.
Parameters
- name
- Enter the name of the TLS profile
- end-entity-certificate
- Enter the name of the entity certification record
- trusted-ca-certificates
- Enter the names of the trusted CA certificate records
- global-trusted-root-ca-list
- Enter one or more trusted-root-ca element names for use on this tls-profile.
Enter multiple entries by listing them within parentheses, (), separated by spaces. You can also add or remove a single entry in an existing list by prefixing the applicable name with a plus sign (+) to add, or a minus sign (-) to remove.
- cipher-list
- Enter a list of supported ciphers or retain the default value, DEFAULT. For a comprehensive list of ciphers supported by the OCSBC, see the Oracle Communications Session Border Controller Release Notes.
- Default: DEFAULT
- verify-depth
- Enter the maximum depth of the certificate chain that will be verified
- Default: 10
- Values: Min: 0 / Max: 10
- mutual-authenticate
- Enable or disable the mutual authentication of clients that connect to the SBC.
- Default: disabled
- Values: enabled | disabled
- tls-version
- Enter the TLS version you want to use with this TLS profile
- Default: tlsv13
- Values:
- tlsv12
- tlsv13
- compatibility: When the OCSBC negotiates on TLS, it starts with the highest TLS version and works its way down until it finds a compatible version and cipher that works for the other side.
Note:
The security-config > sslmin option works in conjunction with the tls-profile's tls-version parameter when it is set to compatibility. For profiles that negotiate to compatible versions, the sslmin option specifies the lowest TLS version allowed.
- cert-status-check
- Enable or disable OCSP in conjunction with an existing TLS profile.
- Default: disabled
- Values: enabled | disabled
- cert-status-profile-list
- Select an object from the cert-status-profile parameter. In order to enable this parameter, this list must not be empty. If multiple cert-status-profile objects are assigned to cert-status-profile-list, the Oracle Communications Session Border Controller will use a hunt method beginning with the first object on the list.
- Values: Any valid certificate status profile from cert-status-profile parameter
- ignore-dead-responder
- Allows local certificate-based authentication by the Oracle Communications Session Border Controller in the event of unreachable OCSRs.
- Default: disabled
- Values: enabled | disabled
- allow-self-signed-cert
- Allows self-signed certificates for Message Session Relay Protocol.
- Default: disabled
- Values: enabled | disabled
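
The following added example (not Oracle's code and not part of the original page) reviews tls-profile settings against the parameter semantics and defaults listed above. The indented "parameter value" input layout, the profile names and the cert-status-profile names are constructed assumptions.

```python
# Added example. Assumption: input is indented "parameter value" text, one block per profile.
DEFAULTS = {  # defaults as given in the parameter list above
    "mutual-authenticate": "disabled", "tls-version": "tlsv13",
    "cert-status-check": "disabled", "cert-status-profile-list": "",
    "ignore-dead-responder": "disabled", "allow-self-signed-cert": "disabled",
}
SAMPLE = """\
tls-profile
    name                      access-tls
    tls-version               compatibility
    cert-status-check         enabled
    ignore-dead-responder     enabled
tls-profile
    name                      core-tls
    mutual-authenticate       enabled
    cert-status-check         enabled
    cert-status-profile-list  ocsp-primary ocsp-backup
"""  # constructed sample; profile and object names are hypothetical

def parse_profiles(text):
    """Return one dict per tls-profile block, pre-filled with documented defaults."""
    profiles = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts == ["tls-profile"]:
            profiles.append(dict(DEFAULTS))
        elif parts and profiles:
            profiles[-1][parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return profiles

def audit(p):
    """Return (parameter, reason) pairs a reviewer should look at."""
    out = []
    if p["mutual-authenticate"] != "enabled":
        out.append(("mutual-authenticate", "connecting clients are not mutually authenticated"))
    if p["tls-version"] == "compatibility":
        out.append(("tls-version", "negotiates downward; lowest version is security-config sslmin"))
    if p["cert-status-check"] != "enabled":
        out.append(("cert-status-check", "OCSP is not used with this profile"))
    elif not p["cert-status-profile-list"].strip("() "):
        out.append(("cert-status-profile-list", "must not be empty when OCSP is enabled"))
    if p["ignore-dead-responder"] == "enabled":
        out.append(("ignore-dead-responder", "local certificate auth proceeds if OCSRs are unreachable"))
    if p["allow-self-signed-cert"] == "enabled":
        out.append(("allow-self-signed-cert", "self-signed certificates are allowed for MSRP"))
    return out

if __name__ == "__main__":
    for prof in parse_profiles(SAMPLE):
        print(prof.get("name"), audit(prof))
```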
Path
tls-profile is an element under the security path. The full path from the topmost prompt is: