Diameter Transport Security
- Kevin Wu
The Diameter protocol communication can be protected by using Transport Layer Security, TLS.
TLS Configuration
TLS requires a keystore file that is generated by using the Java standard command keytool. For further information about the keytool command, see the JDK product documentation.
Example - TLS Configuration
To Create a keystore:
$ keytool -genkey -keyalg RSA -keystore MZstack.jks
Keytool prompts for required information such as identity details and password. Note that the keystore password must  be the same as the key password.
Generate the certificate:
$ keytool -export -keystore MZstack.jks -file ./MZstack.cer
The certificate file can now be distributed to the other peers.
Install a diameter node certificate in the MZstack keystore:
$ keytool -import -alias "peerTLS" -file peerTLS.cer -keystore MZstack.jks
Enter the keystore path and the keystore password in the Diameter Stack configuration.
ÂFrom the Peer Table, in the Diameter Routing profile configuration select the TCP/TLS protocol for the peer with which you want to establish a secure connection.Â
TLS Configuration Properties
You can control the handling of unrecognized certificates by setting the Execution Context property mz.diameter.tls.accept_all.
Example - Handling of unrecognized certificates
On a specific EC:
$ mzsh topo set topo://container:<container>/pico:<pico>/val:config.properties.mz.diameter.tls.accept_all true
On cell level:
mzsh topo set topo://cell:default/val:common.config.properties.mz.diameter.tls.accept_all true
If the property is set to false (default), the Diameter Stack agent does not accept any non-trusted certificates. If it is set to true, the Diameter Stack agent accepts any certificate.
In either case any unrecognized certificate will be logged in an entry in the System Log (in PEM format).
Check the certificate. If you trust it, import it into the keystore by using the Java standard keytool command. For further information, see the standard Java documentation.