A security certificate contains encryption keys. Once you accept a security certificate, all data that is transmitted between the server and your browser is encrypted to prevent unauthorized users from intercepting and viewing it (for example, passwords or other sensitive information).
Types of Avaya security certificates
Security alerts for server certificates and how to resolve them
About security certificates
The Avaya media server uses two kinds of security certificates:
A Root certificate establishes Avaya Inc. as a trusted Certificate Authority (CA). You must install the root certificate after you log in. See Related Topics for the procedure.
A Server certificate verifies the identity of a server. The server certificate changes every time the server is reconfigured. If the server's name is changed, you might see a security alert the next time you log in.
The Avaya media server provides two server certificates. One certificate is for service technicians who must log in to many servers. The certificate for service technicians is issued to the services Ethernet interface address (188.8.131.52) and identifies the certificate authority as the Avaya Call Server. The other certificate is issued to the site-specific server name after the server is configured.
You must accept or store the server certificate before you can log in to the Avaya media server. Ensure that you have a secure connection to the server. See Server security certificate for acceptance guidelines and procedures.
Occasionally, a Security Alert screen might appear when you try to log in. This screen may indicate problems with the server security certificate.
Company not trusted. This alert appears if Avaya Inc. is not included on the browser's list of trusted authorities. This warning does not appear after you install the Avaya root certificate on your browser.
Certificate date not valid. This alert does not appear under normal circumstances because a security certificate is valid for many years. Do not accept the certificate if you see this alert.
Server name check or mismatch warning. This alert message indicates that the name of the web server on the security certificate does not match the server name in the browser's Address or Location field. This error can occur in the following cases:
If a certificate is issued based on the server name and if you try to access the Web interface using the server's IP address, you will see this alert. Conversely, if the certificate is issued based on the server's IP address and you try to access it by name, you will also see this alert. It is okay to accept the server certificate in this case.
On-site technicians log into the Avaya media server from the services interface using IP address 184.108.40.206. Because this is the only active interface on a new Avaya server or on a replacement media server that has been reset to default values, the original security certificate lists 220.127.116.11 as the server name. Technicians should install the Avaya root certificate to stop this alert from appearing again.
A replacement server that was previously configured for another location may present a security certificate with the name of the server at the previous location. Technicians should accept this certificate for the current session in order to log in and reset to default values. Do not accept the certificate if you are logging in over the Internet and the server name is not the one that this company has assigned to their Avaya media server.
Additional problems with the security certificate include:
<browser> encountered bad data from the server. You may see this error if someone else updates the security certificate for the media server while you are accessing the web interface. If this happens:
Exit the browser (close the application).
Open the browser again, then log back in to the Avaya media server.
You must accept the new certificate to access the server again.
A security certificate is a file that a web server and your browser exchange. You use a security certificate to:
Verify the authenticity of the Web site with which you are communicating. That is, a security certificate ensures that a hacker did not steal the site's identity.
Exchange numbers known as encryption keys, which encode the messages that a Web server exchanges with your browser. Encryption prevents unauthorized viewers from accessing important information such as passwords.
Certificates depend on a technology known as public key encryption (PKI). PKI uses two encryption keys. One key is called the public key and the other key is called the private key. A message that is encrypted with one of the keys can be decrypted only with the other key. If a Web server encrypts a message and your browser recognizes the corresponding public key (which is made public by the Web site), your browser can decrypt the message sent by the Web server. If your browser can decrypt the message, you know that the message was encrypted with the corresponding private key. Therefore, the only server that recognizes this key is the Web site with which it is communicating.
A browser receives the public key in the security certificate sent by the Web site. The browser recognizes only the certificate from this site because it is cryptographically signed by a company known as a Certificate Authority (CA). Browser manufacturers deliver their software with a series of certificates from certificate authorities such as Verisign or Thawte. The certificate from the Web server indicates the signee to the browser. The browser searches its list of certificates to check whether the signee (the certificate authority) is listed. If listed, the browser automatically checks the signature of the incoming certificate, and accepts the correct certificate. However, if the certificate is not found, you are prompted to accept the incoming certificate.
The certificates offered by the Avaya media server are signed by Avaya. Browser manufacturers do not include an Avaya Certificate Authority type of certificate with their browsers, because Avaya does not sign certificates for web sites in general. Avaya only signs the certificates for its media server which are only used in this context. Therefore you must incorporate the Avaya certificate yourself.
The two types of certificates are 1) a server certificate and 2) a Certificate Authority (CA) certificate. The server certificate is automatically sent by the Web site for each Web session. The CA certificate must be loaded into the browser manually, if not already present.
Example. On Internet Explorer, the Security Alert dialog box is a notice of a server certificate arrival. The browser has made three checks of the arriving server certificate. (These are the three security alerts listed under Security alerts for server certificates.) A yellow triangle next to the first check indicates that the browser does not have the CA certificate that was used to sign the arriving server certificate. The browser cannot validate the authenticity of the arriving certificate and you must make the decision yourself. The second check should show a green circle, to indicate that the arriving server certificate has not expired. The third check should also show a green circle, to indicate that the value in the browser's address window matches the address that is contained in the arriving certificate (or a triangle in the case of a server name mismatch). If all three checks would result in a green circle, this screen would not appear. If you install the CA certificate from Avaya, you do not receive security alert warnings. You can install the Avaya CA (root) certificate after you log in; without a CA certificate, accept the server certificate manually to log in.
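The three checks described above can be reproduced against a parsed certificate. The following is an added example, not Avaya code: it works on a constructed certificate in the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns, and all names, addresses and dates in it are made up. The trust check only compares the issuer name with a set of installed roots; a real browser verifies the CA's signature.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict form returned by ssl.SSLSocket.getpeercert().
# Every name and date here is made up for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "mediaserver.example.test"),),),
    "issuer": ((("organizationName", "Example Call Server CA"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2040 GMT",
    "subjectAltName": (("DNS", "mediaserver.example.test"),),
}

def _attr(name, key):
    """First value of `key` in a getpeercert()-style distinguished name."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None  # not an IP literal, so treat it as a host name

def issued_to(cert):
    """Names and addresses the certificate covers (no wildcard handling)."""
    san = cert.get("subjectAltName", ())
    names = [v for t, v in san if t in ("DNS", "IP Address")]
    if not san:  # older certificates carry the name only in commonName
        names = [_attr(cert.get("subject", ()), "commonName") or ""]
    return {_as_ip(n) or n.lower() for n in names}

def security_alerts(cert, address, trusted_issuers, now):
    """Return the alerts a browser would raise for `address`, in page order."""
    alerts = []
    # Check 1: stand-in for chain validation; compares the issuer name only.
    if _attr(cert["issuer"], "organizationName") not in trusted_issuers:
        alerts.append("company not trusted")
    # Check 2: the current time must fall inside the validity window.
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now.timestamp() <= end:
        alerts.append("certificate date not valid")
    # Check 3: the address typed into the browser must be one the cert names.
    if (_as_ip(address) or address.lower()) not in issued_to(cert):
        alerts.append("server name mismatch")
    return alerts

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo
print(security_alerts(SAMPLE_CERT, "192.0.2.10", set(), NOW))
```

Browsing to the IP address of a server whose certificate was issued to its name produces the mismatch alert even when the issuer is trusted, which is the name-versus-address case described under the server name mismatch warning.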