3Com® VCX V7111 VoIP Gateway User Guide 337

To install a client certificate:

1 Before continuing, set HTTPSOnly = 0 to ensure you have a method of accessing the device in case the client certificate does not work. Restore the previous setting after testing the configuration.
2 Open the Certificates screen (Advanced Configuration menu > Security Settings submenu > Certificates option); the Certificates screen is displayed (Figure 128).
3 To load the Trusted Root Certificate file, locate the trusted root certificate loading section.
4 Click Browse and navigate to the file, and then click Send File.
5 When the operation is completed, set the ini file parameter HTTPSRequireClientCertificates = 1.
6 Save the configuration (see Saving Configuration) and restart the V7111 gateway.

When a user connects to the secure Web server:

• If the user has a client certificate from a CA listed in the Trusted Root Certificate file, the connection is accepted and the user is prompted for the system password.
• If both the CA certificate and the client certificate appear in the Trusted Root Certificate file, the user is not prompted for a password (thus providing a single-sign-on experience - the authentication is performed using the X.509 digital signature).
• If the user does not have a client certificate from a listed CA, or does not have a client certificate at all, the connection is rejected.

• The process of installing a client certificate on your PC is beyond the scope of this document. For more information, see your Web browser or operating system documentation, and/or consult your security administrator.
• The root certificate can also be loaded via the ini file using the parameter HTTPSRootFileName.

SRTP

The gateway supports Secured RTP (SRTP) according to RFC 3711. SRTP is used to encrypt RTP and RTCP transport since it is best-suited for protecting VoIP traffic.

SRTP requires a Key Exchange mechanism that is performed according to mmusic-sdescriptions-12.
The Key Exchange is executed by adding a Crypto attribute to the SDP. This attribute is used (by both sides) to declare the various supported cipher suites and to attach the encryption key to use. If negotiation of the encryption data is successful, the call is established.

Use the parameter MediaSecurityBehaviour (described in Table 64) to select the gateway's mode of operation: Must or Prefer. These modes determine the behavior of the gateway if negotiation of the cipher suite fails.

• Mandatory = the call is terminated. Incoming calls that do not include encryption information are rejected.
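
The following Python example is added here and is not from the 3Com guide. It parses the SDP Crypto attribute described above and applies the Mandatory rule to three offers. The attribute syntax and suite names follow SDP Security Descriptions; the supported-suite list, the function names and the sample offers are assumptions constructed for illustration.

```python
import base64
import re

# Key+salt length in bytes per suite, from SDP Security Descriptions. Which
# suites the V7111 actually accepts is an assumption, not stated on this page.
SUPPORTED = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}

# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len] [params]
CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)(?:\|\S*)?(?: .*)?$")


def parse_crypto(sdp):
    """Return (tag, suite, key_bytes) for each well-formed a=crypto line."""
    found = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        try:
            key = base64.b64decode(m.group(3), validate=True)
        except ValueError:  # bad base64: treat the attribute as unusable
            continue
        found.append((int(m.group(1)), m.group(2), key))
    return found


def negotiate(sdp):
    """First offered suite that is supported and carries a full-length key."""
    for tag, suite, key in parse_crypto(sdp):
        if SUPPORTED.get(suite) == len(key):
            return tag, suite
    return None


def mandatory_decision(sdp):
    """Mandatory mode: a call without usable encryption data is rejected."""
    chosen = negotiate(sdp)
    return ("accept", chosen) if chosen else ("reject", None)


# Constructed sample offers (keys are dummy bytes, not real key material).
KEY30 = base64.b64encode(bytes(range(30))).decode()
KEY16 = base64.b64encode(bytes(16)).decode()
HEAD = "v=0\r\nm=audio 6000 RTP/SAVP 0\r\n"
OFFER_OK = HEAD + (f"a=crypto:1 F8_128_HMAC_SHA1_80 inline:{KEY30}\r\n"
                   f"a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:{KEY30}|2^20\r\n")
OFFER_PLAIN = "v=0\r\nm=audio 6000 RTP/AVP 0\r\n"
OFFER_SHORT = HEAD + f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY16}\r\n"

for name, offer in [("ok", OFFER_OK), ("plain", OFFER_PLAIN), ("short", OFFER_SHORT)]:
    print(name, mandatory_decision(offer))
```

The offer with a truncated key is rejected like the unencrypted one, because a Crypto attribute that names a supported suite but carries too little key material does not count as a successful negotiation in this example.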