eSpace 8950 IP Phone V200R003C00 Administrator Guide

Provides information about deploying, operating, and maintaining the Video Phone.
Multi-certificate Support

This section describes how to apply for, import, and view certificates.

Context

eSpace 8950 can apply for certificates from the certificate server in either Proprietary Protocol or SCEP mode. You can also import certificates on the phone web page. eSpace 8950 supports a maximum of five root certificates and one device certificate.
  • A root certificate is used to verify the identity of other devices that interact with eSpace 8950.
    NOTE:
    The root certificate of eSpace 8950 needs to be compatible with eSight and eSpace EMS; therefore, the SHA-1 and RSA algorithms are required for the root certificate.
  • A device certificate shows the identity of eSpace 8950 during phone authentication.
    NOTE:
    To ensure the security of your IP phone, replace the root certificate and device certificate promptly after installing your IP phone.
NOTE:
The phone system time must be within the certificate validity period. It is recommended that you configure the NTP server for time accuracy.

Applying for a Certificate Using the Proprietary Protocol

You can download a device certificate or root certificate in proprietary protocol mode using any of the methods described in the following table.
Table 5-14  Certificate download

Method: eSight
Details: When the IP phone fails to be authenticated using EAP-TLS for network access, it automatically obtains the new device certificate and key from the CA server.

Method: DHCP Option 246
Details: Upload the required certificate to the server, and deliver the certificate to the IP phone using DHCP Option 246.

Method: Web
Details:
  1. On the phone web page, choose Advanced > Server and fill out the CA server address and port number on the page that is displayed.
    NOTE:
    The IP addresses of the active and standby CA servers can be obtained in SRV mode according to the CA server domain name.
  2. Choose Advanced > Certificates, select Proprietary Protocol, and click Apply for Certificate.

Method: LCD
Details:
Tap and choose APPLICATIONS > Settings. Choose Advanced > Server > CA Server and fill out the CA server address and port number on the page that is displayed.

Tap and choose APPLICATIONS > Settings. Choose Advanced > Network Security > Proprietary Protocol and set related parameters on the page that is displayed.

Applying for a Certificate Using SCEP

Downloading a Device Certificate

You can download a device certificate in SCEP mode using any of the methods described in the following table.

Table 5-15  Device certificate download

Method: eSight
Details: Automatically applying for a device certificate: On the eSight management portal, choose Configuration > IP Phone Management > Certificate Authority Management, modify the parameters related to automatic device certificate application (see Table 5-16 for detailed parameter descriptions), and deliver the configuration file to the IP phone.

Method: DHCP Option 246
Details: Automatically applying for a device certificate: Set parameters related to automatic device certificate application in the configuration file and deliver the new configuration file to the IP phone.

Method: Web
Details:
  1. On the phone web page, choose Advanced > Server and fill out the CA server address and port number on the page that is displayed.
  2. Choose Advanced > Certificates, select SCEP, set Account and Password, and click Apply for Certificate.

Method: LCD
Details: Tap and choose APPLICATIONS > Settings. Choose Advanced > Network Security > SCEP and set related parameters on the page that is displayed.

Table 5-16  Parameter description

CA Server

Parameter: CA Server
Description: Indicates the IP address of the server that issues certificates.
How to Set: Enter the IP address of the CA server.
How to Modify the Configuration File:
  Parameters: addr, port and mode
  Location: Device > ComCfg > CASERVER
  Setting:
  • Set addr to the address of the CA server.
    Default: capf.company.com
  • Set port to the port number of the CA server.
    Default: 8089
  • Set mode to the certificate application mode.
    Value: 0 or 1
    • 0: proprietary protocol (capf)
    • 1: scep
    Default: 0
  Example: addr="192.168.1.237" port="8089" mode="0"

Parameter: Port
Description: Indicates the port of the server that issues certificates.
How to Set: Enter the port number of the CA server.

Automatic Upgrade

Parameter: Auto Apply
Description: Indicates whether to enable automatic certificate application. If this function is enabled, the IP phone automatically applies for a certificate. The IP phone can obtain a device certificate and the corresponding root certificate.
How to Set: -
How to Modify the Configuration File:
  Parameter: isAutoApply
  Location: Device > ComCfg > CertApply
  Value: 0 or 1
  • 0: The IP phone does not automatically apply for a certificate.
  • 1: The IP phone automatically applies for a certificate after it is connected to the network.
  Setting: Set isAutoApply to 1 to simplify operation when many IP phones are involved.
  Example: isAutoApply="1"

Parameter: Account
Description: Indicates the account used for authentication when applying for a certificate.
How to Set: Set this parameter to a value in the format Domain name\User name. The user corresponding to the user name must be in the domain corresponding to the domain name and must also be in the local IIS_USES group. Obtain the domain name and user name from the CA server administrator.
How to Modify the Configuration File:
  Parameter: domainAccount
  Location: Device > ComCfg > CertApply
  Example: domainAccount="SCEP\zhangsan"

Parameter: Password
Description: Indicates the password used for authentication when applying for a certificate.
How to Set: Obtain the password from the CA server administrator.
How to Modify the Configuration File:
  Parameter: password
  Location: Device > ComCfg > CertApply
  Example: password="zhangsan123//"
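
Added example (not part of the Huawei guide): a Python check that reads the certificate-application settings from a configuration file and lists values to review before the file is delivered to phones. The XML element nesting is an assumption drawn from the Location paths in Table 5-16, and the name audit_cert_config is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The element nesting is an assumption based on the
# "Location" paths in Table 5-16; attribute values are the table's examples.
SAMPLE_CONFIG = r"""
<Device>
  <ComCfg>
    <CASERVER addr="capf.company.com" port="8089" mode="1"/>
    <CertApply isAutoApply="1" domainAccount="SCEP\zhangsan" password="zhangsan123//"/>
  </ComCfg>
</Device>
"""

MODES = {"0": "proprietary protocol (capf)", "1": "scep"}
DEFAULT_ADDR = "capf.company.com"


def audit_cert_config(xml_text):
    """Return review findings for the CASERVER and CertApply settings."""
    root = ET.fromstring(xml_text)
    device = root if root.tag == "Device" else root.find(".//Device")
    ca = device.find("ComCfg/CASERVER") if device is not None else None
    if ca is None:
        return ["CASERVER element not found"]
    findings = []
    mode = ca.get("mode", "0")  # documented default is 0
    if mode not in MODES:
        findings.append(f"mode={mode!r} is not a documented value (0 or 1)")
    if ca.get("addr", DEFAULT_ADDR) == DEFAULT_ADDR:
        findings.append("addr is the default capf.company.com: confirm it resolves to your CA server")
    port = ca.get("port", "8089")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"port={port!r} is not a valid port number")
    cert_apply = device.find("ComCfg/CertApply")
    if cert_apply is None:
        return findings
    password = cert_apply.get("password", "")
    if password:
        findings.append("password is stored in the file: limit who can read or serve it")
    if mode == "1":  # Account and Password are used for SCEP applications
        domain, sep, user = cert_apply.get("domainAccount", "").partition("\\")
        if not (sep and domain and user):
            findings.append("domainAccount is not in Domain name\\User name format")
        if cert_apply.get("isAutoApply") == "1" and not password:
            findings.append("isAutoApply=1 in SCEP mode without a password")
    return findings
```

Calling audit_cert_config(SAMPLE_CONFIG) returns two findings: the unchanged default CA server address and the SCEP password carried in the file.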

Downloading a Root Certificate

You can download a root certificate using any of the methods described in the following table.
NOTE:
Obtain the root certificate from the corresponding device administrator.
Table 5-17  Root certificate download

Method: eSight
Details:
Download the root certificate using eSight-assisted unified upgrade.

On the eSight management portal, choose Configuration > IP Phone Management > IP Phone Upgrade Management > Version Management and deliver a root certificate to the IP phone. For more information, see .

Method: DHCP Option 246
Details:
Upload the root certificate to the server, and deliver the certificate to the IP phone using DHCP Option 246. For more information, see .
NOTE:
On the DHCP server, you can directly enter the address of the file server where the certificate file is stored.
  • If the file server does not require authentication, the address format is capf.address=http://File server IP address:Port number/Certificate file directory/Certificate file name, for example, capf.address=http://10.166.102.110:80/directory/CA.pem.
  • If the file server requires authentication, the address format is capf.address=http://User name:Password@File server IP address:Port number/Certificate file directory/Certificate file name, for example, capf.address=http://username:passwd@10.166.102.110:80/directory/CA.pem.
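
Added example (not part of the Huawei guide): a Python parser for the two capf.address formats above that reports what each entry exposes on the network and masks embedded credentials before the value is written to logs or tickets. The function names and finding labels are hypothetical; the two sample entries are the guide's own examples.

```python
from urllib.parse import urlsplit

PREFIX = "capf.address="


def review_capf_address(entry):
    """Parse one capf.address entry and list what it exposes on the network."""
    if not entry.startswith(PREFIX):
        raise ValueError("expected capf.address=<URL>")
    url = urlsplit(entry[len(PREFIX):].strip())
    if not url.hostname or not url.path.strip("/"):
        raise ValueError("file server address or certificate file path missing")
    findings = []
    if url.scheme == "http":
        # The root certificate is a trust anchor; plain HTTP itself does not
        # protect the file against alteration in transit.
        findings.append("cleartext-http")
    if url.username is not None or url.password is not None:
        # Any client that obtains a lease from the scope can request its
        # options, so a user name and password placed here are not secret.
        findings.append("credentials-in-dhcp-option")
    return {
        "server": url.hostname,
        "port": url.port,
        "file": url.path.rsplit("/", 1)[-1],
        "findings": findings,
    }


def redact(entry):
    """Mask embedded credentials so the entry can be logged or ticketed."""
    url = urlsplit(entry[len(PREFIX):].strip())
    if url.username is None and url.password is None:
        return entry
    host = url.netloc.rsplit("@", 1)[-1]
    return PREFIX + url._replace(netloc="***:***@" + host).geturl()


# Constructed inputs: the two example values given in the guide.
OPEN = "capf.address=http://10.166.102.110:80/directory/CA.pem"
AUTH = "capf.address=http://username:passwd@10.166.102.110:80/directory/CA.pem"
```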

Importing a Certificate on the Web Page

On the phone web page, you can directly import the locally stored device certificate, root certificate, and device key to the IP phone.
  1. Choose Advanced > Certificates.
  2. Import the locally stored device certificate, root certificate, and device key.
    NOTE:
    • Encrypted device certificates and device keys cannot be imported.
    • The file name cannot contain such characters as ; / ? : @ & # ' = + $ ,.

Viewing Root and Device Certificates

You can view the version, SN, issuer, owner, effective period (start date and end date), and key of the device certificate and root certificate on the Certificates page.

Deleting a Root Certificate

You can delete a selected root certificate using the corresponding button on the phone web page.
NOTE:
The default root certificates (Huawei Enterprise UC&C ProductLine CA and ucems.company.com) cannot be deleted.
Updated: 2018-09-12

Document ID: EDOC1000067158
