For subscriber access, the TLS (Transport Layer Security) support feature provides secure SIP signaling over TCP, protected by the TLS protocol.
The IETF's requirements for SIP signaling, defined in IETF RFC 3261, SIP: Session Initiation Protocol, require proxies, redirect servers, and registrars to support TLS so that the SIP signaling stream between them can be encrypted and integrity-protected. Lotus Sametime Unified Telephony also optionally supports TLS to protect the SIP signaling stream between Lotus Sametime Unified Telephony and SIP endpoints; for endpoints, TLS is an IETF recommendation but not a requirement. Use TLS whenever the enterprise security policy requires encryption of the SIP signaling stream.
If TLS transport is in use to any SIP phones or endpoints, all endpoints (telephones and softclients) must be configured to register to node 1 of the cluster. This means that the system is operated in an active-standby configuration, with node 1 as the active node and node 2 as the standby node. This operation is distinct from that of an active-active configuration, in which approximately half the endpoints register to each of the two nodes during normal operation.
Lotus Sametime Unified Telephony supports two stages of authentication:
Server authentication, when the SIP endpoint sets up the TLS connection to Lotus Sametime Unified Telephony.
Endpoint (user) authentication, when the endpoint responds to a 401 (or 407) challenge that Lotus Sametime Unified Telephony returns for any SIP request, such as a SIP REGISTER or SIP INVITE.
Endpoint authentication is performed using HTTP digest authentication over the TLS-secured link. Within a single administrative domain, server authentication takes place when the TLS connection is established. In Lotus Sametime Unified Telephony, the SIP server is a proxy with a collocated registrar; because of this, the TLS connection between the SIP endpoint and the server is left open for the duration of the registration.
When TLS is used for SIP endpoint-server communication, the TLS handshake performs unilateral (one-way) authentication: the SIP endpoint validates the server's certificate, and the server does not request a client certificate. On top of the established TLS connection, the SIP endpoint then authenticates itself to the server using HTTP digest authentication.
Once the TLS handshake completes, all subsequent SIP signaling is carried over the encrypted connection. Over this connection the SIP endpoint first attempts to register without credentials; the server answers with a 401 challenge, and the endpoint repeats the REGISTER with a digest response. The user ID and password used for HTTP digest authentication are stored in the configuration database of the SIP endpoint device, so the user does not supply them manually.
With TLS protection of SIP signaling, the SIP telephone takes the role of TLS client and Lotus Sametime Unified Telephony takes the role of TLS server. If the TLS connection drops, the TLS client detects the failure and re-establishes the connection.
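The exchange described above, modelled end to end as an added example (this is illustrative code, not Lotus Sametime Unified Telephony's own implementation): the phone builds a TLS client context that verifies only the server certificate, sends a REGISTER without credentials, receives a 401 with a digest challenge, and repeats the REGISTER with a digest response that the registrar verifies. The digest is the RFC 2617 MD5 scheme with qop=auth that RFC 3261 specifies for SIP. The realm, user, password, registrar URI, CA file path and nonce bookkeeping are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
import ssl

REALM = "sut.example.com"               # constructed realm
REGISTRAR_URI = "sip:sut.example.com"   # constructed registrar URI


def phone_tls_context(ca_file=None):
    """TLS client context for the SIP phone. One-way authentication: the phone
    verifies the server certificate against the CA bundle (ca_file is a
    hypothetical path; None falls back to the platform store) and loads no
    client certificate, since the server does not request one."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 digest (MD5, qop=auth) as used by SIP per RFC 3261 section 22."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_params(header):
    """Parse 'Digest k="v", k2=v2' into a dict (quoted and bare values)."""
    body = header.split(" ", 1)[1]
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)}


class Registrar:
    """Server side: proxy with collocated registrar. credentials is a
    constructed user->password store standing in for the real database."""

    def __init__(self, realm, credentials):
        self.realm, self.credentials = realm, credentials
        self.nonces = set()        # outstanding single-use nonces
        self.registered = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        www = f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'
        return 401, "Unauthorized", {"WWW-Authenticate": www}

    def handle(self, request):
        auth = request.get("authorization")
        if auth is None:                       # first REGISTER: no credentials
            return self.challenge()
        p = parse_params(auth)
        try:
            expected = digest_response(p["username"], p["realm"],
                                       self.credentials[p["username"]],
                                       request["method"], p["uri"],
                                       p["nonce"], p["nc"], p["cnonce"])
        except KeyError:                       # unknown user or missing field
            return self.challenge()
        if (p["realm"] != self.realm or p["uri"] != request["uri"]
                or p["nonce"] not in self.nonces
                or not hmac.compare_digest(expected, p["response"])):
            return self.challenge()            # bad response: fresh challenge
        self.nonces.discard(p["nonce"])        # nonce is consumed
        self.registered.add(p["username"])
        return 200, "OK", {}


class Phone:
    """Client side: credentials come from the device's own store, not the user."""

    def __init__(self, user, password):
        self.user, self.password, self.nc = user, password, 0

    def register(self, registrar):
        req = {"method": "REGISTER", "uri": REGISTRAR_URI}
        status, _, headers = registrar.handle(req)
        codes = [status]
        if status == 401:
            p = parse_params(headers["WWW-Authenticate"])
            self.nc += 1
            nc, cnonce = f"{self.nc:08x}", secrets.token_hex(8)
            resp = digest_response(self.user, p["realm"], self.password,
                                   req["method"], req["uri"], p["nonce"], nc, cnonce)
            req["authorization"] = (
                f'Digest username="{self.user}", realm="{p["realm"]}", '
                f'nonce="{p["nonce"]}", uri="{req["uri"]}", qop=auth, nc={nc}, '
                f'cnonce="{cnonce}", response="{resp}", algorithm=MD5')
            status, _, _ = registrar.handle(req)
            codes.append(status)
        return codes


if __name__ == "__main__":
    reg = Registrar(REALM, {"alice": "s3cret-phone-pw"})
    print(Phone("alice", "s3cret-phone-pw").register(reg))   # [401, 200]
    print(Phone("alice", "wrong").register(reg))             # [401, 401]
```

The status-code list returned by `register` is the observable trace of the two-stage design: the 401 is expected on every fresh registration because the first REGISTER deliberately carries no credentials, and a second 401 means the digest was rejected. Everything in `Registrar.handle` runs on top of the TLS session that `phone_tls_context` would establish, which is why the digest exchange is adequate despite using MD5: the wire is already encrypted and the server already authenticated.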