
SIP digest authentication settings


Use this page to configure Session Initiation Protocol (SIP) digest authentication settings. These settings allow the SIP container to authenticate secured applications.

To view this admin console page, click Security > Global Security > Authentication > Web and SIP Security > SIP digest authentication.

Enable digest authentication integrity

Authentication integrity (auth-int) quality of protection (QOP) for digest authentication. Digest authentication defines two types of QOP: auth and auth-int. By default, basic authentication (auth) is used. If the value is set to True, the auth-int QOP is used, which is the highest level of protection.

Data type Boolean
Default False

Enable SIP basic authentication

Authentication (auth) quality of protection (QOP) for digest authentication. Digest authentication defines two types of QOP: auth and auth-int. By default, basic authentication (auth) is used. If the value is set to True, basic authentication will be performed. It will not be processed by the Trust Association Interceptor.

Data type Boolean
Default True

Enable multiple use of nonce

Whether to enable multiple uses of the same nonce. Using the same nonce more than once requires fewer system resources, but the system is not as secure.

Data type Boolean
Default False

Enable nonce maximum age

Amount of time, in milliseconds, for which a nonce is valid. If the value is set to 1, then the amount of time is considered to be infinite.

Data type Integer
Default 1

LDAP cache clean intervals

Amount of time that must expire, in minutes, before the LDAP cache is cleaned.

Data type Integer
Default 120

LDAP password attribute name

Specifies the LDAP attribute name that stores the user password.

Data type String
Default userpassword

User cache clean intervals

Amount of time that must expire, in minutes, before the security subject cache is cleaned.

Data type Integer
Default 15

Digest password server class

Java class name that implements the PasswordServer interface.

Data type String
Default LdapPasswordServer

Hashedcredentials

Name of the LDAP field that contains the hashed credentials. If a value is specified for this setting, then this setting overrides the pws_atr_name setting.

LDAP servers automatically provide password support. Unless you enable the LDAP server to use hashed values, the LDAP server stores user passwords and then the request processing component uses these passwords to validate a request. Because this method of authentication exposes user passwords to potential internet theft, you should enable the use of hashed credentials to authenticate a request.

When you enable the use of hashed credentials, the LDAP server stores a hash value for the user, password and realm information. The SIP container then requests this hash value from the LDAP server instead of asking for a user password. This methodology protects the passwords even if the hash data is compromised through internet theft. However, this methodology has the following limitations:

  • The LDAP attribute must store a byte value or a string value. Other attribute types are not supported.

  • All of the applications must share the same realm, or define a different attribute for each realm.

  • The hash function might be different than MD5. In this situation, the SIP container sends an algorithm that is different from the calculated value for the attribute. When this situation occurs, user authentication might fail even if the user provided the proper credentials.

To enable the LDAP server to use hashed credentials, define the following two settings:

  • Hashedcredentials=value, where value is the name of the LDAP attribute that stores the hash value for user, password, and realm.

  • Hashedrealm=value, where value is the realm on which the hashed value is calculated.

Data type String
Default empty string

Hashedrealm

Realm for hashed credentials, if the hashed credentials setting is enabled.

Data type String
Default empty string





 

Related tasks


Set the SIP container
Set security for the SIP container
Set digest authentication for SIP