M4 STIR/SHAKEN
About
M4 supports STIR/SHAKEN authentication (constructing the SIP Identity header).
Requirements
- Kamailio 5.7 (or later)
- Private key (.pem file for the ES256 algorithm, without a password)
- Public certificate (.pem file or URL to certificate)
Kolmisoft does not provide the private key or public certificates. These should be acquired from STIR/SHAKEN certificate authorities.
Installation
The STIR/SHAKEN authentication service is not installed by default and should be installed manually with the script for your OS:
On CentOS 7:
/usr/src/m4/kamailio/stirshaken/stirshaken_install.sh
On Rocky 9:
/usr/src/m4/kamailio/stirshaken/stirshaken_install_r9.sh
Configuration
After the installation, STIR/SHAKEN should be configured on the Kamailio server. Configuration is done in /etc/m2/system.conf.
The following settings should be added to the conf file:
stirshaken_enabled = 1
stirshaken_x5u = http://xxx.xxx.xxx.xxx/billing/cert.pem
stirshaken_attest_level = C
stirshaken_private_key = /path/to/my/private_key.pem
Here:
- stirshaken_enabled - controls if STIR/SHAKEN should be enabled or not.
- stirshaken_x5u - URL to public certificate.
- stirshaken_attest_level - the default attestation level (used when specific attestation level is not set in Termination Point settings).
- stirshaken_private_key - path to private key.
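The four settings can be sanity-checked before the update script is run. The shell functions below are an added example, not part of M4 or of Kolmisoft's scripts; the names conf_get and check_stirshaken_conf are hypothetical, and the file-permission check is an assumption about good practice rather than a documented M4 requirement.

```shell
#!/bin/sh
# Added example, not Kolmisoft code: pre-flight check of the stirshaken_* settings.

# conf_get FILE KEY: print the value of "KEY = value" (last occurrence, trimmed).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_stirshaken_conf FILE: print one FAIL line per problem, return 1 if any.
check_stirshaken_conf() {
    conf=$1
    rc=0
    fail() { echo "FAIL $*"; rc=1; }

    [ -r "$conf" ] || { fail "cannot read $conf"; return 1; }
    [ "$(conf_get "$conf" stirshaken_enabled)" = 1 ] || fail "stirshaken_enabled is not 1"

    case $(conf_get "$conf" stirshaken_attest_level) in
        A|B|C) ;;
        *) fail "stirshaken_attest_level must be A, B or C" ;;
    esac

    case $(conf_get "$conf" stirshaken_x5u) in
        http://?*|https://?*) ;;
        *) fail "stirshaken_x5u is not an http(s) URL" ;;
    esac

    key=$(conf_get "$conf" stirshaken_private_key)
    if [ ! -f "$key" ] || [ ! -r "$key" ]; then
        fail "private key '$key' is missing or unreadable"
    else
        grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
            fail "no PEM private key found in $key"
        # Both PEM encryption styles mark the header lines with ENCRYPTED.
        if grep -Eq '^(-----BEGIN ENCRYPTED |Proc-Type:.*ENCRYPTED)' "$key"; then
            fail "private key is password-protected"
        fi
        # Assumption: the key file should grant no access to "other" users.
        [ "$(ls -ld "$key" | cut -c8-10)" = "---" ] ||
            fail "private key is accessible to all local users (chmod o-rwx)"
    fi
    return $rc
}

# Run only when a config path is given, e.g.: sh check.sh /etc/m2/system.conf
[ $# -eq 0 ] || check_stirshaken_conf "$1"
```

No output and exit status 0 mean the settings passed these checks; they do not confirm that the key is an ES256 key or that it matches the certificate.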
After the configuration is set, Kamailio needs to be reconfigured with the new settings:
/usr/src/m4/kamailio/kamailio_cfg_update.sh
The following output should be visible during Kamailio configuration update:
Starting Stirshaken configure script v1.0.1
OK Stirshaken is enabled in /etc/m2/system.conf
OK Stirshaken x5u header: http://xxx.xxx.xxx.xxx/billing/cert.pem
OK Stirshaken attestation level: C
OK Stirshaken private key: /path/to/my/private_key.pem
In case of an error, STIR/SHAKEN will be disabled.
A Kamailio restart is required for the changes to take effect:
systemctl restart kamailio
Enabling STIR/SHAKEN
STIR/SHAKEN authentication should be enabled in Termination Point settings.
- Add STIR/SHAKEN Identity - whether to add the SIP Identity header on calls to this Termination Point.
- STIR/SHAKEN Attestation Level - sets the attestation level: A, B, C or Default (use stirshaken_attest_level from /etc/m2/system.conf).