Telestax Blog

Testing Secure Signalling with RestcommONE SIP Servlets

The RestcommONE Sip Servlets platform uses Jain SIP as its SIP stack. Recent development in the Jain SIP project provides a TCP and TLS implementation on top of Java NIO, which allows Jain SIP to scale and handle many thousands of concurrent connections efficiently.

This blog post provides instructions for setting up the RestcommONE Sip Servlets container for testing with sipp over TLS.

1. Compile sipp with support for TLS transport

On most Linux distributions, the stock sipp provided by the OS repositories doesn’t support TLS transport, so we need to compile sipp ourselves.

The requirements to compile sipp with TLS support are:

  • C++ Compiler
  • curses or ncurses library
  • For TLS support: OpenSSL >= 0.9.8

I am using sipp 3.4.1 and the source code can be found here https://github.com/SIPp/sipp/archive/v3.4.1.tar.gz

After you download and extract the archive, execute the following steps:

  • cd SIPP_FOLDER
  • ./configure --with-openssl
  • make
  • make install (this step might need to be run with sudo)

The last step installs sipp at /usr/local/bin/sipp, so we need one more step to create a symlink in /usr/bin:

  • sudo ln -s /usr/local/bin/sipp /usr/bin/sipp

To verify that sipp is installed and working correctly, issue the command sipp -v. The output should be:

SIPp v3.4.1-TLS-RTPSTREAM built Jul 30 2014, 14:20:24.

2. Generate a public/private key pair and a self-signed certificate for the secure signalling

To configure TLS you have to obtain a public/private key pair and an X.509 certificate, add those to the Java keystore and optionally add certificates from a known CA (certificate authority).

The entire process can be confusing but in order to get a basic setup for testing purposes up and running with minimal effort, this section starts off with a simple quick start.

However, for a production environment you need to obtain an officially signed certificate from a known CA; that process is outlined in the RestcommONE Sip Servlets documentation, Section 8.2.2, “Production Setup”.

The first step is to generate a new public and private key, generate a self-signed certificate and add it all to the Java keystore. We will use the Java keytool command for that:

keytool -genkeypair -alias myserver -keyalg RSA -keysize 1024 -keypass secret -validity 365 -storetype jks -keystore myserver.jks -storepass secret -v -dname "CN=James Smith, OU=Engineering, O=My Company, L=My City, S=My State, C=US"

The above command generates the keys and certificate and produces a file, myserver.jks, which you will later point the RestcommONE Sip Servlets container to as both truststore and keystore.

Sipp also requires a private key and a certificate to work over TLS. It expects to find the files cacert.pem and cakey.pem in the directory it is run from, or you can specify the directory and name of the files using properties.

For sipp we will generate a new private key and certificate:

  • openssl genrsa 1024 > cakey.pem
  • openssl req -x509 -new -key cakey.pem >> cacert.pem

Then we need to import the generated certificate into the keystore so that Sip Servlets can establish a connection with the sipp client. Use the following command, and when you are asked for the password provide “secret”, which is the one we set when we generated the keystore.

  • keytool -importcert -file cacert.pem -keystore myserver.jks
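The section 2 steps as one non-interactive script, with a check that the certificate stored in myserver.jks is exactly the one sipp will present. This is an added example, not part of the original post; the alias sipp, the subject /CN=sipp-test, the 2048-bit key size (the post uses 1024) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: the section 2 steps, non-interactive, plus a trust check.
# Assumptions (not from the post): alias "sipp", subject "/CN=sipp-test",
# 2048-bit keys (the post uses 1024) and the function names below.
STOREPASS=secret        # test-only password, as in the post
KEYSTORE=myserver.jks

# Create the container key pair, sipp's key and certificate, then import
# sipp's certificate into the keystore as a trusted entry.
make_tls_material() {
    keytool -genkeypair -alias myserver -keyalg RSA -keysize 2048 \
        -keypass "$STOREPASS" -validity 365 -storetype jks \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -dname "CN=James Smith, OU=Engineering, O=My Company, L=My City, S=My State, C=US" &&
    openssl genrsa -out cakey.pem 2048 &&
    openssl req -x509 -new -key cakey.pem -days 365 \
        -subj "/CN=sipp-test" -out cacert.pem &&
    keytool -importcert -noprompt -alias sipp -file cacert.pem \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# SHA-256 fingerprint of the PEM certificate read from stdin.
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the certificate under alias "sipp" in the keystore is the
# one in cacert.pem, i.e. the container trusts exactly what sipp presents.
verify_sipp_trust() {
    want=$(pem_fingerprint < cacert.pem) || return 1
    have=$(keytool -exportcert -rfc -alias sipp -keystore "$KEYSTORE" \
               -storepass "$STOREPASS" | pem_fingerprint) || return 1
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Count keystore entries of one type (PrivateKeyEntry or trustedCertEntry).
count_entries() {
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" | grep -c "$1"
}

# Run with the argument "run" to generate everything in the current directory.
if [ "${1:-}" = "run" ]; then
    make_tls_material && verify_sipp_trust &&
        echo "keystore trusts the sipp certificate"
fi
```

If cacert.pem is regenerated after the import, verify_sipp_trust fails until the new certificate is imported again.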

3. Prepare for the test

Now that we have prepared the necessary keystore, private key and certificate for the container and for sipp, we are ready to start testing.

We will need a sipp script and also a sip servlet application to deploy. Sipp will act as the UAC and the sip servlet application as the UAS.

You will find attached the sip servlet application and the sipp script in a zip file SipServlets_TLS_Test.

To deploy the sip servlet application, copy the war file to $SIPSERVLETS_HOME/standalone/deployments.

An important note here: by default the Sip Servlets container comes with the click2call application, and you need to remove it before deploying the new sip servlet app, since both use the same sip application name and you will otherwise get an exception. So you need to delete the file $SIPSERVLETS_HOME/standalone/deployments/click2call.war.

Next, make sure that you modify the DAR configuration file at $SIPSERVLETS_HOME/standalone/configuration/dars/mobicents-dar.properties to contain only this line:

ALL=("org.mobicents.servlet.sip.example.SimpleApplication","DAR:From","ORIGINATING","","NO_ROUTE","0")

Last, download the sipp script to a folder; you will use it later to start sipp.

4. Start testing secure signalling

We are now ready to start testing so we need to start Sip Servlets and sipp.

4.1 Start Sip Servlets

To start the Sip Servlets container use the following:

  • cd SIPSERVLET_FOLDER/bin
  • ./standalone.sh -Djavax.net.ssl.keyStorePassword=secret -Dgov.nist.javax.sip.TLS_CLIENT_AUTH_TYPE=Disabled -Djavax.net.ssl.keyStore=/path/to/the/keystore/myserver.jks -Djavax.net.ssl.trustStorePassword=secret -Djavax.net.ssl.trustStore=/path/to/the/keystore/myserver.jks -Djavax.net.debug=ssl -Dgov.nist.javax.sip.TLS_CLIENT_PROTOCOLS=TLSv1

Important to note here are the following:

  • -Djavax.net.ssl.keyStore and -Djavax.net.ssl.trustStore point to the keystore file we generated before
  • -Djavax.net.ssl.keyStorePassword provides the password we used when we generated the keystore
  • -Djavax.net.debug=ssl provides some extra debugging information for the SSL layer
  • -Dgov.nist.javax.sip.TLS_CLIENT_PROTOCOLS=TLSv1 is important because sipp supports only TLSv1, so we need to restrict the protocols to that.

During the container startup you will get the following error:

16:43:07,146 ERROR [stderr] (Thread-73) javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

You can safely ignore that for now; it appears because we provided a custom keystore.

4.2 Start sipp

To start sipp, change to the folder where you copied the sipp script and issue the following command:

sipp 127.0.0.1:5081 -s yousendbye -sf ./performance-uac.xml -t ln -l 150 -r 25 -timeout 50000 -i 127.0.0.1 -p 5051 -max_socket 1024

  • 127.0.0.1:5081 tells sipp to generate traffic to this host/port. For Sip Servlets the TLS connector listens on port 5081
  • -s yousendbye instructs sipp to use “yousendbye” as the username part of the Request URI. This is needed for the sip servlet application we deployed.
  • -sf ./performance-uac.xml points sipp to the script file
  • -t ln instructs sipp to use TLS multi socket
  • -l 150 sets the maximum number of simultaneous calls to 150
  • -r 25 sets the rate of calls per second to 25

5. Conclusion

After the sipp script starts, you will see traffic going over TLS between sipp and the Sip Servlets container. If you provided -Djavax.net.debug=ssl, you will be able to see the SSL handshake and traffic, and of course the SIP messages, at the Sip Servlets container console.
