10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with

om SMGR for AES and test with TSAPI and DMCC SDKs

Avaya Support Website Help

AES: How to create a Certificate Authority CA from SMGR for AES

and test with TSAPI and DMCC SDKs
Doc ID: SOLN284619
Version: 81.0
Status: Published
Published date: 25 Feb 2016
Updated: 05 May 2020
Author: David Barnhart

Details
Avaya has discontinued the use of self-signed certificates; therefore a fresh installation of AES 7.x no longer provides the certificate authority for clients to connect to
AES.

This article details and walks though the steps provided in PSN004561u (attached) using System Manager 7.0 as the CA and demonstrate testing with a TSAPI client
using a secure TLINK and the DMCC7.0 dot NET framework SDK dashboard. Possible Alarm certificates expiration.
How to create a Certificate Authority (CA) from.

***REPLACING AES CERTIFICATE CAN RESULT IN 3RD PARTY APPLICATION FAILURE IF A SECURE CONNECTION IS USED - FOR EXAMPLE THE AVAYA
CONTACT RECORDER (ACR) WILL NEED THE NEW AES CA CERTIFICATE EXPORTED TO THE ACR KEYSTORE AS IT USES A SECURE TSAPI
CONNECTION - IF NOT ALL CALL RECORDING WILL FAIL - ENSURE ALL APPLICATIONS CONNECTING TO THE AES DOCUMENTATION IS REVIEWED
AND OR CONTACT PRODUCT SUPPORT (AVAYA DOES NOT HAVE INSTRUCTIONS FOR UPDATING 3RD PARTY APPLICATIONS WITH NEW CERTIFICATES
CONTACT THE PRODUCT MANUFACTURER)***

Problem Clarification
AES 7.X and higher does not deploy with the default Avaya self-signed certificate authority as previous versions have done. It is the responsibility of the
Business Partner or customer to perform this task. Regarding the attached PSN, there is more than one way to generate a new CA certificate; this article
demonstrates this using System Manager 7.0 for trust management.

***NOTE: This method has also been tested with SMGR 6.3.20. The method is the same but some of the screens and fields may slightly differ. Also the
SMGR 6.3.x provided a SHA1 CA certificate.***
If the default AES 7.x or higher certificate expires Avaya proprietary application such as Elite Multi Channel (EMC), ACR, CRM Connector, and any other application
requiring a secure TSAPI or DMCC connection will fail to establish a connection resulting in loss of CTI functionality.
An AES certificate shall expire and no impact is experienced by the CTI applications using a secure TSAPI/DMCC connection until such time as the connection is
broken at which time client applications will fail to login with a failed SSL error such as:"SECURITY:FYI:SecurePeerAcceptor::accept():TSAPI Service: accept()
failed for client 127.0.0.1 and driver service AVAYA#SWITCH1#CSTA-S#AESA"
This article is helpful to generate new certificates using System Manager. see the following article for more details on updating EMC with the new CA certificates:

https://kb.avaya.com/kb/index?page=content&id=SOLN284527&actp=SEARCH&actp=search&viewlocale=en_US&searchid=1501520623118 (https://kb.avaya.com/kb/index?
page=content&id=SOLN284527&actp=SEARCH&actp=search&viewlocale=en_US&searchid=1501520623118)

Cause
Avaya no longer provides a default self-signed CA for AES, leaving the customer responsible to implement them.
AES 6.3.3 and lower default certificate will be expired Jan 6 2018.

Solution
For testing purposes, the following test software will be used to demonstrate functionality to simulate a third party application connections:
- Avaya Aura AE Services TSAPI Client MS Windows 7.0: https://support.avaya.com/downloads/download-details.action?
contentId=C20158211650417170_0&productId=P0358&releaseId=7.0.x (https://support.avaya.com/downloads/download-details.action?contentId=C20158211650417170_0&productId=P0358&releaseId=7.0.x)
- Avaya Aura AE Services IP Communications DMCC dot Net SDK 7.0: https://support.avaya.com/downloads/download-details.action?
contentId=C20158211557548970_5&productId=P0358 (https://support.avaya.com/downloads/download-details.action?contentId=C20158211557548970_5&productId=P0358)
Note: for a list of all available SDKs, see the AES 7.0 Release Notes: https://downloads.avaya.com/css/P8/documents/101014420 (https://downloads.avaya.com/css/P8/documents/101014420)

Make sure all TLS versions are enabled on AES to avoid compatibility issues with other components.

Refer to PSN004561u https://downloads.avaya.com/css/P8/documents/101014585 (https://downloads.avaya.com/css/P8/documents/101014585) The steps below reference the section: "System
Manager Trust Management." a very rare case that System manager 7.0 is still using the demo cert that only provide SHA1 Root CA,
Please use any System Manager Release 7.0.X to run following step. the CN is default in Demo CA, a new self signed SMGR ROOT CA is using System manager
CA for CN.

1. Log into System Manager and navigate to "Security (under Services) > Certificates > Authority > Add End Entity (under RA functions).

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 1/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 2/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs

2. Select INBOUND_OUTBOUND_TLS from the End Entity Profile

3. Select a username and a password that will be used to encrypt the P12 trust store file
4. Complete the required fields noted in Steps 4-8 of the PSN

Note: For step 4b enter the Fully Qualified Domain Name (FQDN) of the AES server. This information can be found on the AES OAM web pages under
Networking > Network Configure. Note, the example below is from a lab server.

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 3/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs
Sample completed "Add Entity" form:

Clicking "Save" will show a message similar to below:

Creating the AE Services Server Certificate

This section continues with the steps outlined in the PSN.

1. Using the SMGR web console, navigate to "Security (under Services) > Certificates >Authority".
2. In the left hand navigation pane near the bottom of the screen, click on "Public Web"

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 4/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs

3. On the "Public Web" screen click on "create key store"

3a. Enter the user name and password of the "End Entity" and click "OK"

3b,c and d.

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 5/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs

Once "Enroll" is clicked, the new certificate store is downloaded with a ".p12" extension.

Downloading the SMGR CA certificate that signed the AE Services server certificate
1. Using the SMGR web console navigate to the "Public Web" page (as described in the above step) and click on "Fetch CA certificates"
2. Click on "Download PEM chain" on the line starting with "CA certificate chain"
3. Save the CA certificate to a known location

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 6/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs

Import the SMGR CA certificate into the AE Services server

1. Using the AE Services Management Console navigate to "Security > Certificate Management > Trusted Certificates"
2. Click on the "Import" button and upload the SMGR CA certificate you downloaded above. Give it an alias name (e.g. caSMGR)
3. Click Apply

The new Certificate Authority is added

Import the new AE Services server certificate into the AE Services server
1. Using the AE Services Management Console navigate to "Security > Certificate Management > Server Certificates"
2. Click on the Import button and upload the new AE Services server certificate you created above (this will be the .p12 file). Select an alias (server)
from the drop down menu
3. Click the "Apply" button.

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 7/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs

Follow the directions from the screenshot above to restart the AE Server services.

This completes the steps outlined in the PSN. The next section provides testing with the TSAPI and DMCC client
applications. For installation and usage instructions please see the relevant attached guides.
Testing a secure TSAPI connection to the AES with the newly installed SMGR CA certificate
The following setup steps will need to be performed:

1. Download and install the TSAPI client from the link noted at the beginning of the article
2. Export the System Manager CA from the AES and save it locally
3. Edit the TSLIB.ini file to reference the new certificate and the AES credentials for the test application to connect to.
4. Make a test call with the TSAPI application

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 8/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs
Step 1
For TSAPI client installation instructions, please see Chapter 3 of Application Enablement Services TSAPI and CVLAN Client and SDK Installation Guide:
https://downloads.avaya.com/css/P8/documents/101014061 (https://downloads.avaya.com/css/P8/documents/101014061)

Step 2
To export the System Manager CA from the AES perform the following:

1. From the AES webpages navigate to Security > Certificate Management > CA Trusted Certificates
2. Select the certificate with the "Issued To" field of System Manager CA
3. Click "Export"

4. Highlight all of the text in the text box under "Certificate PEM" and copy this to a Notepad/text editor file and save it as something that is easily associated with
its purpose

Configuring the TSAPI test Application

Note: for the TSAPI test application to connect to the AES a valid CTI username and password is required. If this needs be created, please see Administering and
Maintaining Avaya Aura Application Enablement Services 7.0 Guide page 96 to add a user and page 147 to configure the CTI

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 9/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs
user. https://downloads.avaya.com/css/P8/documents/101014048 (https://downloads.avaya.com/css/P8/documents/101014048)

Step 1: Editing the TSLIB.ini file

1. Find the TSLIB.ini file by clicking Click Start > All Programs > Avaya AE Services > Edit TSLIB.ini
2. Ensure that the IP address is correct and uncommented (the ";" is removed from the beginning of the line)
3. Ensure that the highlighted "Trusted CA File=" is uncommented and points to your new certificate created earlier
4. Save the file and exit

Step 2: Launching and testing the secure connection with the TSAPI Test application
1. Click Start > All Programs > Avaya AE Services > TSAPI Test.
1. When the TSAPI Test application starts it will show the available TLINKs. To test the secure connection, select the TLINK that contains "CSTA-S" (S for
secure) in the TLINK name.

2. Enter a valid CTI username and password

3. Enter two extensions that will be used for a third-party Make Call event

Note: In this example, these stations do not exist and we would expect an "invalid CSTA device identifier 12" error.
4. Open the TSpy application to view the TSAPI logging information for the test call. Click Start > All Programs > Avaya AE Services/TSAPI Client/TSAPI
Spy. Ensure that Tracing is enabled

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 10/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs

5. Click Dial on the TSAPI Test application

Although there was an "Invalid Device Identifier" message, the test worked. From the TSAPI Spy, the log shows the following:

0000: [02/25/16 15:07:20.349]

0000: FROM LIBRARY:
0000: InvokeID 0
0000: ACSNameSrvRequest ::=
0000: {
0000: streamType stCsta
0000: }

0000: [02/25/16 15:07:21.083]

0000: RECEIVED FROM TSERVER:
0000: ACSNameSrvReply
0000: Application not notified (internal event)

0000: [02/25/16 15:07:21.083]

0000: FOR LIBRARY:
0000: InvokeID 0
0000: ACSNameSrvReply ::=
0000: {
0000: more FALSE,
0000: list
0000: {
0000: {
0000: serverName "AVAYA#CM7110#CSTA#CTIAESVE7REF13",
0000: serverAddr '0200041A0A8249460000000000000000'H
0000: },
0000: {
0000: serverName "AVAYA#CM7110#CSTA-S#CTIAESVE7REF13",
0000: serverAddr '0200042A0A8249460000000000000000'H
0000: }
0000: }
0000: }

37117880: [02/25/16 15:07:22.361]

37117880: ESTABLISHED CONNECTION TO TSERVER:
37117880: AVAYA#CM7110#CSTA-S#CTIAESVE7REF13
37117880: Login: Dave Application Name: TSTest Server Connection ID: 0

37117880: [02/25/16 15:07:22.362]

37117880: FROM LIBRARY:
37117880: InvokeID 0
37117880: ACSKeyRequest ::=
37117880: {
37117880: loginID "Dave"
37117880: }
37117880: Private Data ::=
37117880: {
37117880: vendor "WINNTTCP"
37117880: length 10

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 11/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs
37117880: data
37117880: {
37117880: 80 01 01 01 03 01 01 04 01 01
37117880: }
37117880: }

37117880: [02/25/16 15:07:22.705]

37117880: FOR LIBRARY:
37117880: InvokeID 0
37117880: ACSAuthReplyTwo ::=
37117880: {
37117880: objectID 0,
37117880: key '5371A62F4C5E9809'H,
37117880: authInfo
37117880: {
37117880: authType needLoginIdAndPasswd,
37117880: authLoginID "Dave"
37117880: },
37117880: encodeType winNtLocal,
37117880: pipe ""
37117880: }

37117880: [02/25/16 15:07:22.705]

37117880: RECEIVED FROM TSERVER:
37117880: ACSAuthReplyTwo
37117880: Application not notified (internal event)

37117880: [02/25/16 15:07:22.696]

37117880: RECEIVED FROM APPLICATION:
37117880: InvokeID 0
37117880: ACSOpenStream ::= < - Application requesting a TSAPI stream with AES
37117880: {
37117880: streamType stCsta,
37117880: serverID "AVAYA#CM7110#CSTA-S#CTIAESVE7REF13", < - Requesting secure TLINK
37117880: loginID "Dave",
37117880: cryptPass '44A1B2D9FED6C2A6EE66E6C64E331FA6EE66E6C64E331FA6EE66E6C64E331FA6EE66E6C64E331FA6'H,
37117880: applicationName "TSTest",
37117880: level acsLevel1,
37117880: apiVer "TS1-2",
37117880: libVer "AES7.0.0 Build 131",
37117880: tsrvVer ""
37117880: }

37117880: [02/25/16 15:07:22.963]

37117880: RECEIVED FROM TSERVER:
37117880: ACSClientHeartbeatEvent
37117880: Application not notified (internal event)

37117880: [02/25/16 15:07:22.964]

37117880: FOR LIBRARY:
37117880: ACSClientHeartbeatEvent ::=
37117880: {
37117880: null NULL
37117880: }
37117880: [02/25/16 15:07:22.970]
37117880: RECEIVED FROM TSERVER:
37117880: ACSOpenStreamConfEvent < - TSAPI stream request confirmed from AES
37117880: Application not notified (notifyAll == FALSE)

37117880: [02/25/16 15:07:22.970]

37117880: DELIVERED TO APPLICATION:
37117880: InvokeID 0
37117880: ACSOpenStreamConfEvent ::=
37117880: {
37117880: apiVer "ST2",
37117880: libVer "AES7.0.0 Build 131", < - SDK library versions exchanged
37117880: tsrvVer "7.0.0 Build 138",
37117880: drvrVer "7.0.0 Build 138"
37117880: }

37117880: [02/25/16 15:07:22.971]

37117880: RECEIVED FROM APPLICATION:
37117880: InvokeID 0
37117880: CSTAMakeCall ::= < - Make Call action (from clicking Dial)
37117880: {
37117880: callingDevice "70001",
37117880: calledDevice "70002"
37117880: }

37117880: [02/25/16 15:07:23.399]

37117880: DELIVERED TO APPLICATION:
37117880: InvokeID 0
37117880: UniversalFailureConfEvent ::=
37117880: {
37117880: error invalidCstaDeviceIdentifier < - Station does not exist on the CM
37117880: }

37117880: [02/25/16 15:07:23.399]

37117880: RECEIVED FROM TSERVER:
37117880: UniversalFailureConfEvent
37117880: Application not notified (notifyAll == FALSE)

37117880: [02/25/16 15:07:23.401]

37117880: RECEIVED FROM APPLICATION:
37117880: InvokeID 0
37117880: ACSAbortStream ::= < - TSAPI Test application requesting the stream be closed
37117880: {
37117880: null NULL
37117880: }

Testing a secure DMCC connection to the AES with the newly installed SMGR CA certificate
The following setup steps will need to be performed:

1. Download and install the DMCC client SDK from the link noted at the beginning of the article
2. Import the exported certificate from AES into the Windows keystore

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 12/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs
Note: By default, AES has port 4722 enabled for secure DMCC connections. Please reference the AES Administration Guide linked earlier in this article for further
information.

3. Open the DMCC Dashboard

Step 1: Download and install the DMCC client SDK

Step 2: Importing the exported certificate from AES into the Windows keystore
1. Double click the AESserverCert.cer file that was created from Notepad earlier and the following screen will appear. Click "Install Certificate".

2. Select "Next"
3. Select "Place all certificates in the following store" and choose "Browse"

4. Click "Trusted Root Certifiicaton Authorities" and click OK.

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 13/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs

5. Click Next
6. Click Finish
7. Click OK on the "Import Successful" message
8. Click OK

Step 3: Open the DMCC Dashboard

1. Refer to the install location chosen during the DMCC SDK installation
2. Open the folder Dashboard
3. Double-click dashboard.exe

Note: There is a DasboardUserGuideV6.doc in the Dashboard directory

4. Populate the fields outlined in red

5. Click "Start Application Session"
6. Click "Get Device ID"
7. Click "Start Monitors"

Note: Starting a successful DMCC session indicates that the certificate is working

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 14/15
10/5/2020 Avaya Knowledge - AES: How to create a Certificate Authority CA from SMGR for AES and test with TSAPI and DMCC SDKs

-Also can refer to the document of Administering Avaya Aura @ System Manager.

SOLN284619

Attachment File
PSN004561u.pdf
289K • < 1 minute @ 56k, < 1 minute @ broadband

+ Additional Relevant Phrases

Avaya -- Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy

About Avaya Contacts Careers Site Map Terms of Use Privacy Statement
© 2020 Avaya Inc.

https://support.avaya.com/ext/index?page=content&id=SOLN284619&pmv=print&impressions=false 15/15