Diameter communication between the stack and its peers can be protected with Transport Layer Security (TLS).
TLS Configuration
TLS requires a keystore file, which is generated with the standard Java keytool command. For further information about keytool, see the JDK product documentation.
Example - TLS Configuration

To create a keystore:

    $ keytool -genkey -keyalg RSA -keystore MZstack.jks

Keytool prompts for the required information, such as identity details (the distinguished name) and passwords. The keystore password must be the same as the key password. Because no -alias is given, keytool stores the key pair under its default alias, mykey.

Generate the certificate file:

    $ keytool -export -keystore MZstack.jks -file ./MZstack.cer

This exports only the certificate (the public part) of the default alias, not the private key. The certificate file can now be distributed to the other peers.

Install a Diameter peer's certificate in the MZstack keystore:

    $ keytool -import -alias "peerTLS" -file peerTLS.cer -keystore MZstack.jks

Enter the keystore path and the keystore password in the Diameter Stack configuration. Then, in the Peer Table of the Diameter Routing profile configuration, select the TCP/TLS protocol for the peer with which you want to establish a secure connection.
TLS Configuration Properties
You can control how unrecognized certificates (peer certificates that are not present in the keystore) are handled by setting the Execution Context property mz.diameter.tls.accept_all. When it is set to true, the stack accepts any peer certificate, so the connection is encrypted but the peer is no longer authenticated. Use it only in test environments; in production, import the peer certificates into the keystore instead.
Example - Handling of unrecognized certificates

On a specific EC/ECSA:

    $ mzsh topo set topo://container:<container>/pico:<pico>/val:config.properties.mz.diameter.tls.accept_all true

On cell level:

    $ mzsh topo set topo://cell:default/val:common.config.properties.mz.diameter.tls.accept_all true
...