Call processor setup
Kamailio configuration
You need to create a /etc/kamailio/tls.cfg configuration file; for reference see here.
Enable kamailio tls with:
echo '#!define WITH_TLS' >> /etc/kamailio/kamailio-local.cfg
Restart kamailio with:
systemctl restart kamailio
Check kamailio is active:
systemctl status kamailio
Media processor setup
Asterisk configuration
Create directory to store keys and certificates.
mkdir /etc/asterisk/keys
Download the asterisk helper script for certificate generation from here and save it as /usr/local/bin/ast_tls_cert on the Media processor node.
Run it to generate the required certificate (you will be asked for a passphrase several times during the process):
/usr/local/bin/ast_tls_cert -C <ipaddress of media processor> -O "My Company" -d /etc/asterisk/keys -b 2048
Make sure all files are owned by the asterisk user with:
chown asterisk:asterisk -R /etc/asterisk/keys
Add a section in /etc/asterisk/pjsip.conf for TLS:
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=sslv23
In the SRE endpoint configuration section in /etc/asterisk/pjsip.conf add the media_encryption setting:
[SRE]
type=endpoint
context=from-external
disallow=all
allow=alaw,ulaw
media_encryption=sdes
You can choose a different method; see the asterisk configuration here.
Restart asterisk with:
systemctl restart asterisk
Check asterisk is active with:
systemctl status asterisk
The chosen media_encryption setting must also be present in /opt/sre/etc/sre.cfg, in the asterisk section, like this:
[asterisk]
...
media_encryption=sdes
Restart the media-processor process to re-read the setting:
/opt/sre/bin/supervisorctl restart sre-media-processor
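Because the RTP side silently falls back to clear media when the two media_encryption values disagree, the following check compares the [SRE] endpoint in pjsip.conf with the [asterisk] section of sre.cfg and sanity-checks the TLS transport. It is an added example (not part of this page or of the SRE product); the embedded config text is a constructed copy of the snippets above, and the endpoint name "SRE" is assumed to match your deployment.

```python
import configparser

# Constructed sample inputs mirroring this page's snippets (not a real deployment).
PJSIP_CONF = """
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=sslv23

[SRE]
type=endpoint
context=from-external
disallow=all
allow=alaw,ulaw
media_encryption=sdes
"""

SRE_CFG = """
[asterisk]
media_encryption=sdes
"""


def parse_ini(text):
    # pjsip.conf repeats keys (allow=alaw / allow=ulaw), so duplicate checks are off.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def check_media_encryption(pjsip_text, sre_text, endpoint="SRE"):
    """Return a list of findings; an empty list means both files agree."""
    pjsip, sre = parse_ini(pjsip_text), parse_ini(sre_text)
    findings = []
    ast = pjsip.get(endpoint, "media_encryption", fallback="no")
    cfg = sre.get("asterisk", "media_encryption", fallback=None)
    if ast == "no":
        findings.append(f"endpoint [{endpoint}] has no media_encryption: RTP goes in the clear")
    if cfg != ast:
        findings.append(f"sre.cfg media_encryption={cfg!r} does not match pjsip [{endpoint}] {ast!r}")
    tls = [s for s in pjsip.sections()
           if pjsip.get(s, "type", fallback="") == "transport"
           and pjsip.get(s, "protocol", fallback="") == "tls"]
    if not tls:
        findings.append("no TLS transport defined in pjsip.conf")
    for s in tls:
        for key in ("cert_file", "priv_key_file"):
            if not pjsip.has_option(s, key):
                findings.append(f"[{s}] is missing {key}")
        if pjsip.get(s, "method", fallback="") in ("sslv2", "sslv3"):
            findings.append(f"[{s}] pins a deprecated SSL protocol version")
    return findings
```

Run it against the real files with open("/etc/asterisk/pjsip.conf").read() and open("/opt/sre/etc/sre.cfg").read() before restarting the media processor.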
GUI Configuration
Sip-agent status via TLS
To check the health status of a TLS endpoint, in the System->SIP agents monitoring page make sure the protocol is set to TLS.
Service logic peculiarities
Relay to Media node
If you need to encrypt calls between the Call processor and the Media processor, when using the relay to media node use the following entry for destination: [address]:5061;transport=tls
TIP
[address] is expanded by the node; you should not put an actual address here.
Media originate call node
If you need to originate calls to TLS endpoints, set Call target to something like +12345@host:port;transport=tls
Troubleshooting
Media processor node
You can connect to the asterisk instance with:
asterisk -rvvv
At the CLI prompt, enter this command to see all SIP packets in the clear:
CLI> pjsip set logger on