Security Basics
Data at Rest
Every software installation (from X8.11) has a unique root of trust. Each Expressway system has a unique key that is used to encrypt data local to that system. This improves the security of data at rest in the following ways:
- The new key is created when you upgrade a pre-X8.11 version to X8.11 or later, and is used to encrypt all data on the first restart.
- Only this key can be used to decrypt data from this system. No other Expressway key can decrypt this system's data.
- The key is never exposed on the UI, and it is never logged, locally or remotely.
TLS and Certificates
For TLS encryption to work successfully in a connection between a client and server:
- The server must have a certificate installed that verifies its identity, which is signed by a Certificate Authority (CA).
- The client must trust the CA that signed the certificate used by the server.
Expressway lets you install a certificate that can represent the Expressway as either a client or a server in TLS connections. Expressway can also authenticate client connections (typically from a web browser) over HTTPS. You can upload certificate revocation lists (CRLs) for the CAs used to verify LDAP server and HTTPS client certificates. Expressway can generate server certificate signing requests (CSRs), so there is no need to use an external mechanism to do this.
Note: For all secure communications (HTTPS and SIP/TLS), we recommend that you replace the Expressway default certificate with a certificate generated by a trusted CA.
| In connections... | The Expressway acts as... |
|---|---|
| To an endpoint. | TLS server. |
| To an LDAP server. | Client. |
| Between two Expressway systems. | Either Expressway may be the client. The other Expressway is the TLS server. |
| Over HTTPS. | Web browser is the client. Expressway is the server. |
Note: We also recommend using a third-party LDAP browser to verify that your LDAP server is correctly configured for TLS.
TLS can be difficult to configure, so if you use it with an LDAP server, for example, we recommend verifying that the system works correctly over TCP before you attempt to secure the connection with TLS.
Caution: Certificates must be RFC-compliant. Do not allow CA certificates or CRLs to expire, as this may cause certificates signed by those CAs to be rejected.
Certificate and CRL files are managed via the web interface, and cannot be installed using the CLI.
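The following script is an added example and is not part of the Expressway documentation or product. It uses the openssl CLI to walk through the trust rules above on a constructed lab CA: the CA that a client must trust is created, a CSR for a hypothetical server named expressway.example.test is signed by that CA (Expressway generates its own CSRs; the CSR here only stands in for that output), and the server certificate is then verified the way a TLS client would, consulting the CA's CRL. It also shows the caution about expiry: the CRL is issued with a 7-day lifetime, so verifying at a point 10 days ahead fails with "CRL has expired" even though the server certificate itself is still valid, and `openssl x509 -checkend` reports how long the CA certificate remains usable.

```shell
#!/bin/sh
# Added example (not from the Expressway documentation). Assumes the openssl CLI.
# All material is constructed here: a throwaway lab CA, a CSR for a hypothetical
# server "expressway.example.test", and a CRL issued by the lab CA.
set -e

WORK="$(mktemp -d)"
CA_CNF="$WORK/ca.cnf"

# Minimal configuration so that 'openssl ca' can issue a CRL for the lab CA.
cat > "$CA_CNF" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database   = $WORK/index.txt
crlnumber  = $WORK/crlnumber
default_md = sha256
EOF
: > "$WORK/index.txt"
echo 01 > "$WORK/crlnumber"

# The CA that the client must trust (self-signed, valid 365 days).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Lab Root CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# CSR carrying the server identity (stands in for the CSR Expressway generates).
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=expressway.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# The CA signs the CSR, producing the server certificate (valid 30 days).
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/server.pem" 2>/dev/null

# A CRL from the lab CA whose nextUpdate is 7 days out.
openssl ca -config "$CA_CNF" -gencrl -keyfile "$WORK/ca.key" -cert "$WORK/ca.pem" \
    -crldays 7 -out "$WORK/ca.crl"

# Verify the server certificate as a TLS client would: trust only the lab CA and
# consult its CRL, at the verification time given in $1 (epoch seconds; default now).
# Prints "ok", or the first failure reason reported by openssl verify.
verify_server_cert() {
    at="${1:-$(date +%s)}"
    if out="$(openssl verify -attime "$at" -crl_check -CAfile "$WORK/ca.pem" \
                -CRLfile "$WORK/ca.crl" "$WORK/server.pem" 2>&1)"; then
        echo ok
    else
        # Lines look like: "error 12 at 0 depth lookup: CRL has expired"
        echo "$out" | sed -n 's/.*lookup: *//p' | head -n 1
    fi
}

# Does the certificate in $1 remain valid for at least $2 more seconds?
cert_valid_for() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

NOW="$(date +%s)"
echo "chain verified now:        $(verify_server_cert "$NOW")"
echo "chain verified in 10 days: $(verify_server_cert $((NOW + 10*86400)))"
echo "chain verified in 40 days: $(verify_server_cert $((NOW + 40*86400)))"
echo "CA cert good for 30 days:  $(cert_valid_for "$WORK/ca.pem" $((30*86400)))"
echo "CA cert good for 2 years:  $(cert_valid_for "$WORK/ca.pem" $((2*365*86400)))"
```

The `-attime` option moves only the verifier's clock, so the same files demonstrate both the healthy case and the failure the caution describes without waiting for anything to lapse. In production the equivalent check is to run `openssl x509 -checkend` against each trusted CA certificate, and to compare each uploaded CRL's nextUpdate against the current time, before either expires and starts causing rejections.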