Enable secure signalling and media on SIP side

Introduction.

By default, the CaféX Fusion Client SDK (FCSDK) solution uses secure media when communicating with WebRTC clients. More details on WebRTC client security can be found here:

https://support.cafex.com/hc/en-us/articles/206781559-User-Interfaces-Encryption-of-Voice-and-Video

However, some deployments look to enable end-to-end encryption by securing the SIP side too.

This article provides steps to enable secure signalling on the SIP network as well as secure (encrypted) media with the SIP endpoint.

Step 1: Configure Secure Connection to Outbound SIP Server

The FCSDK solution communicates with the SIP network via an outbound proxy setting in the Web Plugin Framework.

Visit: https://<your-fcsdk-server>:8443/web_plugin_framework/webcontroller/admin/

Navigate to Gateway -> General Administration to configure "Outbound SIP servers".

A secure SIP address for the outbound SIP server can be configured as in one of the following examples:

  • sip:192.168.8.78;transport=tls
  • sips:192.168.8.78;transport=tls

 

Step 2: Import Trusted Certificate Chain

To allow a TLS handshake between the FAS (Fusion Application Server) and the configured outbound SIP server, the complete chain of trusted certificates must be imported into the FAS truststore. Instructions on how to import a certificate into the FAS truststore can be found here:

https://support.cafex.com/hc/en-us/articles/201828321-Managing-Trust-Certificates

NOTE: Ensure that each certificate in the certificate chain is imported individually, as shown in the screenshot below:

 

Step 3: Enable Media Broker for Secure Media

  • SSH into the Media Broker server.
  • Navigate to your Media Broker (MB) directory, e.g.
    /opt/cafex/FCSDK-X.X.X/media_broker/
  • Update /opt/cafex/FCSDK-X.X.X/media_broker/proxy.properties to enable SRTP by changing the 'srtp.enabled' property from 'false' to 'true', and also enable video/audio encryption according to your requirements. See the example below:

srtp.enabled=true
srtp.video.encrypted=true
srtp.audio.encrypted=true
srtcp.enabled=true
srtp.rtp.protocol=SAVP

  • Restart the Media Broker:

          service fusion_media_broker restart
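
A read-only check to run after editing proxy.properties and before restarting the Media Broker, confirming that the Step 3 settings are actually in effect (a commented-out or duplicated key is easy to miss). This is an added example, not CaféX code; it assumes the file follows Java .properties conventions and that both audio and video encryption are required, and the script name check_srtp.sh is hypothetical.

```shell
#!/bin/sh
# Added example: read-only audit of proxy.properties for the Step 3 settings.

# Expected values, copied from the Step 3 example. Assumption: this
# deployment requires both audio and video to be encrypted.
EXPECTED='srtp.enabled=true
srtp.video.encrypted=true
srtp.audio.encrypted=true
srtcp.enabled=true
srtp.rtp.protocol=SAVP'

# prop_value FILE KEY: print the effective value of KEY (nothing if unset).
# Assumption: Java .properties conventions, so "#" and "!" start a comment
# and the last definition of a key wins.
prop_value() {
    awk -v key="$2" '
        { sub(/\r$/, "") }               # tolerate CRLF line endings
        /^[ \t]*[#!]/ { next }           # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# check_srtp_props FILE: return 0 if every expected setting is in effect,
# 1 otherwise; print one MISMATCH line per missing or wrong key.
check_srtp_props() {
    file=$1; rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(prop_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: expected '$want', found '${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_srtp.sh /opt/cafex/FCSDK-X.X.X/media_broker/proxy.properties
if [ "$#" -gt 0 ]; then check_srtp_props "$1"; fi
```

A non-zero exit status means at least one setting is missing or overridden, so SRTP would not be configured as the example shows after the restart.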
