About

M4 supports STIR/SHAKEN authentication (constructing the SIP Identity header).

Requirements

• Kamailio 5.7 (or later)
• Private key (.pem file, encoded in 'ES256' algorithm, without password)
• Public certificate (.pem file or URL to certificate)

Kolmisoft does not provide private key and public certificates. These should be acquired from STIR/SHAKEN certificate authorities.

Installation

STIR/SHAKEN authentication service is not installed by default and should be installed manually, depending on OS:

On CentOS 7:

/usr/src/m4/kamailio/stirshaken/stirshaken_install.sh

On Rocky 9

/usr/src/m4/kamailio/stirshaken/stirshaken_install_r9.sh

Configuration

After the installation, STIR/SHAKEN should be configured on Kamailio server. Configuration is done in /etc/m2/system.conf.

The following settings should be added to conf file:

stirshaken_enabled = 1
stirshaken_x5u = http://example.com/path/to/cert.pem
stirshaken_attest_level = C
stirshaken_private_key = /path/to/my/private_key.pem

Here:

• stirshaken_enabled - controls if STIR/SHAKEN should be enabled or not.
• stirshaken_x5u - URL to public certificate.
• stirshaken_attest_level - the default attestation level (used when specific attestation level is not set in Termination Point settings).
• stirshaken_private_key - path to private key.

After configuration is set, Kamailio needs to be reconfigured with the new settings:

/usr/src/m4/kamailio/kamailio_cfg_update.sh

The following output should be visible during Kamailio configuration update:

               Starting Stirshaken configure script v1.0.1
OK             Stirshaken is enabled in /etc/m2/system.conf
OK             Stirshaken x5u header: http://xxx.xxx.xxx.xxx/billing/cert.pem
OK             Stirshaken attestation level: C
OK             Stirshaken private key: /root/private_key.pem

In case of an error, STIR/SHAKEN will be disabled.

Kamailio restart is required for changes to take effect:

systemctl restart kamailio