Difference between revisions of "M4 STIR/SHAKEN"

From Kolmisoft Wiki
Jump to navigationJump to search
Line 91: Line 91:
  chmod 650 /path/to/my/private_key.pem
  chmod 650 /path/to/my/private_key.pem


If the CRT file was located in GUI server, update it as well. The location should be /var/www/html/public/ on GUI server.
If the CRT file was located in GUI server, update it as well. The location should be /var/www/html/public/ on GUI server. Make sure the URL is working by accessing the updated CRT file in the browser https://xxx.xxx.xxx.xxx/billing/cert.pem


Update the /etc/m2/system.conf with new file name/location:
Update the /etc/m2/system.conf with new file name/location:

Revision as of 08:02, 3 March 2025

About

M4 supports STIR/SHAKEN authentication (constructing the SIP Identity header).

Requirements

  • Kamailio 5.7 (or later)
  • Private key (.pem file, encoded in ES256 algorithm, without password)
  • Public certificate (.pem file or URL to certificate)

Kolmisoft does not provide private key and public certificate. These should be acquired from STIR/SHAKEN certificate authorities.

Installation

STIR/SHAKEN authentication service is not installed by default and should be installed manually, depending on OS:

On CentOS 7:

/usr/src/m4/kamailio/stirshaken/stirshaken_install.sh

On Rocky 9

/usr/src/m4/kamailio/stirshaken/stirshaken_install_r9.sh

Configuration

After the installation, STIR/SHAKEN should be configured on Kamailio server. Configuration is done in /etc/m2/system.conf.

The following settings should be added to conf file:

stirshaken_enabled = 1
stirshaken_x5u = https://xxx.xxx.xxx.xxx/billing/cert.pem
stirshaken_attest_level = C
stirshaken_private_key = /path/to/my/private_key.pem

Here:

  • stirshaken_enabled - controls if STIR/SHAKEN should be enabled or not.
  • stirshaken_x5u - URL to public certificate.
  • stirshaken_attest_level - the default attestation level (used when specific attestation level is not set in Termination Point settings).
  • stirshaken_private_key - path to private key.

After configuration is set, Kamailio needs to be reconfigured with the new settings:

/usr/src/m4/kamailio/kamailio_cfg_update.sh

The following output should be visible during Kamailio configuration update:

               ...
               ...
               Starting Stirshaken configure script v1.0.1
OK             Stirshaken is enabled in /etc/m2/system.conf
OK             Stirshaken x5u header: https://xxx.xxx.xxx.xxx/billing/cert.pem
OK             Stirshaken attestation level: C
OK             Stirshaken private key: /path/to/my/private_key.pem
               ...
               ...

In case of an error, STIR/SHAKEN will be disabled.

Kamailio restart is required for changes to take effect:

systemctl restart kamailio

Enabling STIR/SHAKEN

STIR/SHAKEN authentication should be enabled in Origination or Termination Point Advanced settings:

Tp stir shaken settings.png

  • Add STIR/SHAKEN Identity - should we add the SIP Identity header when calling to this Termination Point?
  • STIR/SHAKEN Attestation Level - set attestation level. By TP (only for Origination Point) A, B, C or Default (use stirshaken_attest_level from /etc/m2/system.conf).

Testing

To check if the Identity header was added, sngrep could be used to inspect the outgoing Invite header:

INVITE sip:11111111@example.com:5060 SIP/2.0
Via: SIP/2.0/UDP example.com:5060
From: <sip:22222222@5.6.7.8:5060>;tag=123456789
To: <sip:11111111@1.2.3.4:5060>
Call-ID: 1-12345@5.6.7.8
CSeq: 1 INVITE
Max-Forwards: 70
Identity:  eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMuZXhhbXBsZS5jb20vMTIzNDU2Nzg5LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxODAwMTIzNDU2NyJdfSwiaWF0IjoxNTQ4ODU5OTgyLCJvcmlnIjp7InRuIjoiMTQwNDUyNjYwNjAifSwib3JpZ2lkIjoiM2E0N2NhMjMtZDdhYi00NDZiLTgyMWQtMzNkNWRlZWRiZWQ0In0.S_vqkgCk88ee9rtk89P6a6ru0ncDfSrdb1GyK_mJj-10hsLW-dMF7eCjDYARLR7EZSZwiu0fd4H_QD_9Z5U2bg;info=<https://xxx.xxx.xxx.xxx/billing/cert.pem>alg=ES256;ppt=shaken

Certificate files update

Upload new private key file to Kamailio server. It is recommended to upload to the same location where the current key is installed. It can be checked in /etc/m2/system.conf file, line stirshaken_private_key.

Make sure file permissions are correct:

chmod 650 /path/to/my/private_key.pem

If the CRT file was located in GUI server, update it as well. The location should be /var/www/html/public/ on GUI server. Make sure the URL is working by accessing the updated CRT file in the browser https://xxx.xxx.xxx.xxx/billing/cert.pem

Update the /etc/m2/system.conf with new file name/location:

stirshaken_private_key = /path/to/my/private_key.pem

and also update the Cert file URL in

stirshaken_x5u = https://xxx.xxx.xxx.xxx/billing/cert.pem

After configuration is set, Kamailio needs to be reconfigured with the new settings:

/usr/src/m4/kamailio/kamailio_cfg_update.sh

Stop M4 core on Radius server:

m2 stop

Restart Kamailio on Kamailio server:

service kamailio restart

Restart M4 core on Radius server:

service radiusd restart

See also