IBM WebSphere IP Multimedia Subsystem Connector, Version 6.2

Channel security

Diameter Enabler supports IPsec or Transport Layer Security (TLS) on each connection in the channel chain. If TLS is enabled, the signer certificates configured on WebSphere® Application Server must support the inbound peer's signer key certificate.

You may use IPsec or TLS to secure Diameter connections between the WebSphere Diameter Enabler and its peers. IPsec is implemented either in the operating system configuration or by an external device that encrypts and decrypts the encoded messages; in either case its use is invisible to the WebSphere Diameter Enabler. If you are using IPsec, set the Diameter connections in Diameter_Rf.properties, Diameter_Ro.properties, and Diameter_Sh.properties to PROHIBIT_TLS, because TLS is unnecessary in an IPsec environment. If you do not have IPsec, configure the connections to be secured through TLS. Otherwise, Diameter Enabler sends Diameter messages over an unsecured network.

IPsec is the default security protocol that Diameter Enabler looks for when establishing a connection. If IPsec is not present and security has been configured in the properties file, a secure (TLS) channel is used. IPsec is implemented using either the operating system configuration or an external device that encrypts and decrypts the encoded messages.

In order for the SecureDiameterChain to work properly, the peer and the application server must exchange signer certificates. According to RFC 3588, Diameter nodes must mutually authenticate, so the client authentication parameter in the SSL configuration must be set to Required. Diameter Enabler nodes must support the following cipher suites:

Both ends of the connection must supply certificates so that authentication is performed in both directions; this is handled through the SSL channel configuration. If TLS is used, it must be supported by all Diameter Enabler devices, and both the WebSphere Diameter Enabler and the Diameter peer it connects to should be configured for TLS.
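The two requirements above (client authentication set to Required, and each side holding the other's signer certificate) are easiest to see with a listener that enforces them. The following is an added example written for this page, not IBM's code and not the WebSphere SSL channel configuration itself: it uses Go's crypto/tls to stand in for the channel, generates a throw-away signer CA plus server and peer certificates in memory, and then makes three connections. The names diameter-enabler, diameter-peer, unknown-peer and the CA names are constructed for the demo; the outcome is that only the peer whose certificate chains to the exchanged signer is accepted, while a peer with no certificate or with a certificate from an unexchanged signer is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

var serial int64 // incremented per certificate so serial numbers stay unique

// issue creates a certificate for cn. With parent == nil it is a self-signed signer (CA);
// otherwise it is an end-entity certificate signed by parent. All names are constructed.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func pair(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// Outcome records three connection attempts; a nil entry means that peer was accepted.
type Outcome struct {
	TrustedPeer     error // certificate issued by the signer both sides exchanged
	NoCertificate   error // no client certificate presented at all
	UntrustedSigner error // certificate issued by a signer that was never exchanged
}

func MutualTLSDemo() Outcome {
	// The one signer whose certificate both sides imported into their truststores.
	signerCert, signerKey := issue("Exchanged Signer CA", nil, nil)
	serverCert, serverKey := issue("diameter-enabler", signerCert, signerKey)
	peerCert, peerKey := issue("diameter-peer", signerCert, signerKey)
	// A second signer whose certificate was never exchanged with the server.
	otherCA, otherKey := issue("Unknown CA", nil, nil)
	rogueCert, rogueKey := issue("unknown-peer", otherCA, otherKey)

	trust := x509.NewCertPool()
	trust.AddCert(signerCert)

	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{pair(serverCert, serverKey)},
		ClientCAs:    trust,
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "client authentication = Required" setting
		MinVersion:   tls.VersionTLS12,
	})
	check(err)
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() {
				defer c.Close()
				if c.(*tls.Conn).Handshake() == nil { // fails unless a trusted client certificate was presented
					c.Write([]byte("OK\n"))
				}
			}()
		}
	}()

	connect := func(certs ...tls.Certificate) error {
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: trust, Certificates: certs, MinVersion: tls.VersionTLS12})
		if err != nil {
			return err
		}
		defer c.Close()
		c.SetDeadline(time.Now().Add(5 * time.Second))
		// Under TLS 1.3 the client finishes its handshake before the server checks the
		// client certificate, so a rejection surfaces as an alert on the first read.
		_, err = c.Read(make([]byte, 3))
		return err
	}
	return Outcome{
		TrustedPeer:     connect(pair(peerCert, peerKey)),
		NoCertificate:   connect(),
		UntrustedSigner: connect(pair(rogueCert, rogueKey)),
	}
}

func main() {
	out := MutualTLSDemo()
	fmt.Printf("trusted peer: %v\nno certificate: %v\nuntrusted signer: %v\n", out.TrustedPeer, out.NoCertificate, out.UntrustedSigner)
}
```

The listener's ClientAuth setting is the analogue of the Required client authentication parameter, and the trust pool holding only the exchanged signer is the analogue of the signer certificates on the application server; a peer whose certificate was issued by any other signer is refused even though its certificate is otherwise valid.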

(C) Copyright IBM Corporation 2009. All Rights Reserved.