Problem Details:

When logging in to Manager you are presented with the following error message:

“The security certificate will expire in XXX days.”

You may also see error messages appear on the screens of some 9600 series handsets.

Cause:

When an IP500 V2 system is first booted and doesn’t have a time reference, it will adopt a default time and date of 1st January 2011, 00:00. In addition, as part of the start-up sequence, each system checks for the presence of an Identity Certificate. If one is not present, as is the case for a new system, it creates a default self-signed certificate.

The life of this default self-signed certificate is 7 years. So on any system that did not have a time reference, and has not since had an externally generated certificate loaded to it or had its Security Settings reset (which regenerates the certificate), the certificate will expire at the end of 2017.

Regardless of the type of certificate, IP Office Manager provides an advance warning (180 days by default) of the IP Office identity certificate expiry so that the Administrator or Maintainer can take appropriate action.

Best practice for a new installation is to make sure that there is a time server available when powering up the unit initially, or to
regenerate the certificate (explicitly or reset the security settings) after setting the time and date.
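
The condition described above can be recognised from the certificate's own fields. The following is an added example, not part of the original article or any Avaya tooling: it reads the text printed by `openssl x509 -noout -dates -issuer -subject` and reports the days left, whether the certificate is self-signed, and whether it was issued on the default boot date. The sample output, host name and function names are constructed for illustration.

```python
import ssl
from datetime import date, datetime, timezone

WARN_DAYS = 180  # Manager's default advance-warning window, per the text above
DEFAULT_BOOT_DATE = date(2011, 1, 1)  # clock value adopted with no time reference

# Constructed sample of `openssl x509 -noout -dates -issuer -subject` output
# for a hypothetical default certificate (host name and times are made up).
SAMPLE = """\
notBefore=Jan  1 00:00:41 2011 GMT
notAfter=Dec 30 00:00:41 2017 GMT
issuer=CN = ipoffice-default.example
subject=CN = ipoffice-default.example
"""

def parse_fields(text):
    """Turn openssl's 'key=value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def cert_time(value):
    """Convert an openssl date such as 'Jan  1 00:00:41 2011 GMT' to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)

def assess(text, now):
    """Classify a certificate as ok / warning / expired at time `now` (UTC)."""
    f = parse_fields(text)
    not_before = cert_time(f["notBefore"])
    not_after = cert_time(f["notAfter"])
    days_left = (not_after - now).days
    if now >= not_after:
        status = "expired"
    elif days_left <= WARN_DAYS:
        status = "warning"
    else:
        status = "ok"
    return {
        "status": status,
        "days_left": days_left,
        # Issuer equal to subject indicates a self-signed certificate.
        "self_signed": f["issuer"] == f["subject"],
        # Issued on the default boot date: the unit had no time reference.
        "default_clock": not_before.date() == DEFAULT_BOOT_DATE,
    }

if __name__ == "__main__":
    print(assess(SAMPLE, datetime.now(timezone.utc)))
```

A certificate that is both self-signed and flagged `default_clock` is one that should be regenerated after the time and date have been set.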

Solution:

You will need to carry out a security reset on the system before the timer runs out (details of problems that might be experienced are described in the section below) as follows:

Open Manager and navigate to the following location:

File -> Advanced -> Security Settings

From here navigate to:

System -> Certificates

Under Certificates, at the top will be a section for Identity Certificate. Depending on the version of IPO you are running, you will see one of the following sets of buttons in this section:

Set | View | Delete

or

Set | View | Regenerate

The button we want to press here is either Delete or Regenerate (depending on your version). Both do the same thing, which is to delete the default Identity Certificate and generate a new one. You must also press the OK button to confirm that the regeneration process can start.

NOTE: It is highly recommended that this is carried out either out of hours, or during a quiet time on the phone system if an out of hours procedure is not possible. This is because the regeneration task is quite computationally intensive and may impact functionality of the system while it runs (generally a couple of minutes).

Once regenerated the error message should clear from Manager but may remain on the phone. To clear this, you should first try rebooting the handsets to see if this clears down the error initially. Otherwise a CLEAR on the handset will be required to remove the old certificate, by using the MUTE + CRAFT command and selecting CLEAR from the menu.

Possible Side Effects:

If the regeneration is not carried out, you may encounter problems with your system in the following areas:

Manager – If the certificate expires and is not regenerated/renewed, Manager may give you an error as follows:

“Certificate error detected (IP Office certificate date(s) are invalid). Please try using ‘None’ certificate check option in Preference.”

To stop seeing this message, you can change the preference for checking certificates on Manager, but you should still really regenerate the certificate when possible.

Web Based Applications – Most browsers today will give you a warning if the supplied certificate has expired. Some will allow you to continue access but others block access. The web based applications this applies to are as follows:

  • Web Manager and related applications (Web Control Panel)

The following use the Server Edition/Apps Server Certificate. So they are not applicable for the IP500v2 certificate expiry, but will apply if the Server certificate expires.

  • WebRTC clients – not applicable to the IP500v2 certificate. The Server Edition/Apps Server Certificate is offered
  • Web Collaboration
  • One-X Portal for IP Office
  • Integrated Contact Recorder

Avaya Feature Phones – The 96x1 family phones (9608, 9611, 9621, and 9641) are provided with the IP Office certificate in the auto created provisioning file. When the phones are used with the default TCP connection, they display a warning that the user can ignore.

Once the certificate is refreshed, re-boot the phone to download the new one.

For 96x1 H323 and SIP phones, plus other Avaya SIP phones (like the J129), using TLS and HTTPS: any HTTPS connection will fail, and TLS will not re-connect after a TLS link fails or on re-keying, leaving the user with no service. To recover, the phone must be cleared using the CLEAR service procedure and re-commissioned.

For 96x1 H323, it is possible to manage the process for getting the new certificate to the phones without clearing and recommissioning, but it must be performed prior to the expiry.

IP Office Line, Web Socket, High Security – An IP Office line using Web Sockets and set to High security will fail to connect/re-connect after certificate expiry.

SIP or SM Trunks using TLS – There are many permutations but most likely the trunk will fail, on rekeying or at re-connect.

one-X Mobile Applications – They will present an error message relating to the certificate expiry. Information on ignoring the error is given.

Avaya Communicator for iPad – This will not connect. A new certificate is required.

IP Office Contact Center (IPOCC) and Avaya Contact Center Select (ACCS) – These will fail to connect to the IP Office and must be provisioned with a new certificate.
