M4 STIR/SHAKEN

From Kolmisoft Wiki

Latest revision as of 07:18, 22 April 2025

About

M4 supports STIR/SHAKEN authentication (construction of the SIP Identity header).

Requirements

  • Kamailio 5.7 (or later)
  • Private key (.pem file for the ES256 algorithm, without a password)
  • Public certificate (.pem file, or a URL to the certificate)

Kolmisoft does not provide the private key or the public certificate. These should be acquired from a STIR/SHAKEN certificate authority.

Installation

The STIR/SHAKEN authentication service is not installed by default and should be installed manually, depending on the OS:

On CentOS 7:

/usr/src/m4/kamailio/stirshaken/stirshaken_install.sh

On Rocky 9:

/usr/src/m4/kamailio/stirshaken/stirshaken_install_r9.sh

Configuration

After the installation, STIR/SHAKEN should be configured on the Kamailio server. Configuration is done in /etc/m2/system.conf.

The following settings should be added to the conf file:

stirshaken_enabled = 1
stirshaken_x5u = https://m4_host/billing/cert.pem
stirshaken_attest_level = C
stirshaken_private_key = /path/to/my/private_key.pem

Here:

  • stirshaken_enabled - controls whether STIR/SHAKEN is enabled.
  • stirshaken_x5u - URL to the public certificate. If the certificate is stored locally, it needs to be placed on the GUI server in the /var/www/html/public directory.
  • stirshaken_attest_level - the default attestation level (used when no specific attestation level is set in the Connection Point settings).
  • stirshaken_private_key - path to the private key.

After the configuration is set, Kamailio needs to be reconfigured with the new settings:

/usr/src/m4/kamailio/kamailio_cfg_update.sh

The following output should be visible during the Kamailio configuration update:

               ...
               ...
               Starting Stirshaken configure script v1.0.1
OK             Stirshaken is enabled in /etc/m2/system.conf
OK             Stirshaken x5u header: https://m4_host/billing/cert.pem
OK             Stirshaken attestation level: C
OK             Stirshaken private key: /path/to/my/private_key.pem
               ...
               ...

In case of an error, STIR/SHAKEN will be disabled.

Kamailio restart is required for changes to take effect:

systemctl restart kamailio
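Before running kamailio_cfg_update.sh it is useful to check the four settings for the conditions the configure script rejects (a rejected configuration leaves STIR/SHAKEN disabled). The following preflight is an added example, not Kolmisoft's code: it parses a constructed copy of the stirshaken_* block and reports problems; the read_pem callback and the https requirement on stirshaken_x5u are assumptions of this example.

```python
import re

# Constructed sample of the stirshaken_* block of /etc/m2/system.conf.
SAMPLE_CONF = """
stirshaken_enabled = 1
stirshaken_x5u = https://m4_host/billing/cert.pem
stirshaken_attest_level = C
stirshaken_private_key = /path/to/my/private_key.pem
"""

REQUIRED = ("stirshaken_enabled", "stirshaken_x5u",
            "stirshaken_attest_level", "stirshaken_private_key")

def parse_conf(text):
    """Read 'key = value' lines; blank lines and '#' comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def check_stirshaken(settings, read_pem):
    """Return the problems that would make the configure script disable STIR/SHAKEN.
    read_pem(path) returns the private key file text, or None if it is unreadable."""
    problems = ["missing %s" % k for k in REQUIRED if k not in settings]
    if problems:
        return problems
    if settings["stirshaken_enabled"] != "1":
        problems.append("stirshaken_enabled is not 1, STIR/SHAKEN stays off")
    # Assumption of this example: the certificate URL is expected to be https.
    if not settings["stirshaken_x5u"].startswith("https://"):
        problems.append("stirshaken_x5u should be an https URL to the public certificate")
    if settings["stirshaken_attest_level"] not in ("A", "B", "C"):
        problems.append("stirshaken_attest_level must be A, B or C")
    pem = read_pem(settings["stirshaken_private_key"])
    if pem is None:
        problems.append("stirshaken_private_key is not readable")
    elif "ENCRYPTED" in pem:
        # The page requires a key without a password; encrypted PEM is rejected.
        problems.append("private key must not be password protected")
    elif not re.search(r"-----BEGIN (EC )?PRIVATE KEY-----", pem):
        problems.append("private key is not an unencrypted PEM private key")
    return problems
```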

Enabling STIR/SHAKEN

STIR/SHAKEN authentication should be enabled in the Origination or Termination Point Advanced settings:

(Image: Tp stir shaken settings.png)

  • Add STIR/SHAKEN Identity - should the SIP Identity header be added when calling to this Termination Point?
  • STIR/SHAKEN Attestation Level - sets the attestation level: By TP (only for Origination Point), A, B, C or Default (use stirshaken_attest_level from /etc/m2/system.conf).

Testing

To check whether the Identity header was added, sngrep can be used to inspect the outgoing INVITE:

INVITE sip:11111111@example.com:5060 SIP/2.0
Via: SIP/2.0/UDP example.com:5060
From: <sip:22222222@5.6.7.8:5060>;tag=123456789
To: <sip:11111111@1.2.3.4:5060>
Call-ID: 1-12345@5.6.7.8
CSeq: 1 INVITE
Max-Forwards: 70
Identity:  eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMuZXhhbXBsZS5jb20vMTIzNDU2Nzg5LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxODAwMTIzNDU2NyJdfSwiaWF0IjoxNTQ4ODU5OTgyLCJvcmlnIjp7InRuIjoiMTQwNDUyNjYwNjAifSwib3JpZ2lkIjoiM2E0N2NhMjMtZDdhYi00NDZiLTgyMWQtMzNkNWRlZWRiZWQ0In0.S_vqkgCk88ee9rtk89P6a6ru0ncDfSrdb1GyK_mJj-10hsLW-dMF7eCjDYARLR7EZSZwiu0fd4H_QD_9Z5U2bg;info=<https://m4_host/billing/cert.pem>alg=ES256;ppt=shaken
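Seeing the header in sngrep confirms it was added; what it carries (attestation level, x5u, calling and called numbers, issue time) is only visible after decoding the PASSporT. The following stdlib Python is an added example, not part of the Kolmisoft page: it decodes the sample Identity header above and runs the checks a SHAKEN verifier performs before the signature itself (a signature check needs the certificate from x5u and is out of scope here). The 60-second freshness window is an assumption of this example.

```python
import base64
import json
import re

# The page's sample Identity header value from the INVITE above.
SAMPLE_IDENTITY = (
    "eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMuZXhhbXBsZS5jb20vMTIzNDU2Nzg5LnBlbSJ9"
    ".eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxODAwMTIzNDU2NyJdfSwiaWF0IjoxNTQ4ODU5OTgyLCJvcmlnIjp7InRuIjoiMTQwNDUyNjYwNjAifSwib3JpZ2lkIjoiM2E0N2NhMjMtZDdhYi00NDZiLTgyMWQtMzNkNWRlZWRiZWQ0In0"
    ".S_vqkgCk88ee9rtk89P6a6ru0ncDfSrdb1GyK_mJj-10hsLW-dMF7eCjDYARLR7EZSZwiu0fd4H_QD_9Z5U2bg"
    ";info=<https://m4_host/billing/cert.pem>alg=ES256;ppt=shaken"
)

def _b64url_json(segment):
    """Decode one unpadded base64url PASSporT segment into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def _param(params, name):
    # Each parameter is matched on its own, so a missing ';' between them
    # (as after '>' in the sample) does not hide alg or ppt.
    m = re.search(name + r"=<?([^;>\s]+)", params)
    return m.group(1) if m else None

def decode_identity(value):
    """Split an Identity header into the PASSporT parts and its parameters."""
    passport, _, params = value.partition(";")
    head, body, sig = passport.split(".")
    return {
        "header": _b64url_json(head),
        "payload": _b64url_json(body),
        "signature": sig,
        "info": _param(params, "info"),
        "alg": _param(params, "alg"),
        "ppt": _param(params, "ppt"),
    }

def check_identity(value, now, max_age=60):
    """Return (decoded, problems); now is the receiver's Unix time, max_age the accepted iat skew."""
    d = decode_identity(value)
    h, p = d["header"], d["payload"]
    problems = []
    if not (h.get("alg") == d["alg"] == "ES256"):
        problems.append("alg must be ES256 in both PASSporT and header parameter")
    if not (h.get("ppt") == d["ppt"] == "shaken"):
        problems.append("ppt must be shaken in both PASSporT and header parameter")
    if h.get("x5u") != d["info"]:
        problems.append("x5u %s does not match info %s" % (h.get("x5u"), d["info"]))
    if p.get("attest") not in ("A", "B", "C"):
        problems.append("attest must be A, B or C")
    if not isinstance(p.get("iat"), int) or abs(now - p["iat"]) > max_age:
        problems.append("iat is missing or outside the freshness window")
    return d, problems
```

On the page's sample the check reports one finding: the x5u inside the PASSporT and the info parameter point to different certificate URLs, which a verifier fetching the certificate would notice.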

Certificate update

In general, the STIR/SHAKEN certificate can be updated just by replacing the old certificate with the new one.

The certificate can be stored locally or externally. Check the stirshaken_x5u variable in the /etc/m2/system.conf configuration file to determine whether the certificate is local or comes from an external source.

For example:

stirshaken_x5u = https://YOUR_SERVER_HOST/billing/cert.pem

shows that the STIR/SHAKEN certificate is stored locally on your server.

stirshaken_x5u = https://SOME_EXTERNAL_HOST/path/to/cert.pem

shows that the STIR/SHAKEN certificate is located on an external server.


When certificate is stored locally

To update a local STIR/SHAKEN certificate, upload your certificate to the server defined in the stirshaken_x5u parameter, into the directory /var/www/html/public/.

Note: keep the old certificate name and just overwrite the existing expired certificate; this avoids the need to reconfigure Kamailio.


When certificate is stored externally

No changes are required if the URL for STIR/SHAKEN did not change. If the URL changed (for example, the name of the certificate changed), then Kamailio needs to be reconfigured.


Kamailio reconfigure

If the new STIR/SHAKEN certificate is located at the same URL with the same name and the private key was not changed during the certificate update, then no additional actions are needed.

Otherwise, Kamailio needs to be reconfigured for the new path defined in stirshaken_x5u and/or the new private key defined in stirshaken_private_key.

Reconfigure Kamailio:

/usr/src/m4/kamailio/kamailio_cfg_update.sh

Stop M4 core on Radius server:

m2 stop

Restart Kamailio on Kamailio server:

service kamailio restart

Restart M4 core on Radius server:

service radiusd restart

If there are errors during the configuration update or Kamailio restart:

  • Check /var/log/syslog or /var/log/kamailio.log for details.
  • Ensure the certificate and private key paths are correct and accessible.
  • Verify that the certificate and private key are valid and properly formatted.
