
18.3.2. Activation / Deactivation of SPE for Gateways with AMO CGWB

Activation of SPE on the gateways encrypts the communication between the endpoints with TLS / SRTP. For information on certificate distribution / activation on the gateways, please see Chapter 6, “Distribution of Certificates with the WBM of the Gateway”.
IMPORTANT:
The key material for trunking and HFA is exchanged for gateways in an Access Point/OpenScape 4000 SoftGate via the HSR connection. If the HSR connection is not encrypted, the key material will be displayed in plain text. SPE must therefore also be activated for Access Points/OpenScape 4000 SoftGate (see Section 3.5, “Activation / Deactivation of SPE for Access Points” or Section 3.6, “OpenScape 4000 SoftGate SPE Activation / Deactivation”).
All components should be time synchronized; otherwise activation of SPE between components may fail.
To guard against certificate loss, a backup server should be configured for each board, and a backup should be made of every new certificate installed on the board by means of the customary "Backup&Restore" mechanism (logical DATA Backup).
The following steps have to be performed for activating SPE on a gateway:
  1. Deploy certificates for each board that needs to be secured. If DLS is used to deploy the certificates, bootstrapping must be done before the certificates are distributed. For more information, please refer to Chapter 7, “Distribution of Certificates to Gateways”. For information on connection options with gateways, please refer to Section 2.8, “Connecting Gateway”.
  2. Activate / deactivate SPE for the gateways:
    CHANGE-ZANDE:TYPE=SECURITY,SPESUPP=YES;
    If parameter SPESUPP is set to YES, SPE is enabled.
    Parameters:
    SPESUPP (YES/NO): Activates SPE for this system.
    IMPORTANT:
    You must perform a hard restart on the system after you have activated SPE. Do not forget to update the system before the restart:
    EXEC-UPDAT:UNIT=BP,SUSY=ALL;
    If you have a duplex system, you have to execute the restart command on both processors simultaneously (at the same time). Note that all LTUs and APs will restart!
    EXEC-REST:TYPE=UNIT,UNIT=BP,RSLEVEL=HARD;
    A default security level that is used when configuring new trunks or stations can be defined with AMO ZANDE:
    CHA-ZANDE:TYPE=SECURITY,SECTDMSB=<sec_level_subs_TDM>,
    SECTDMTR=<sec_level_trunks_TDM>,SECIPSB=<sec_level_ip_subs>,
    SECIPTR=<sec_level_IP_trunks>;
    Parameters:
    SECTDMSB (TRADITIO/SECURE): Security level for TDM subscribers. Default value: TRADITIO
    SECTDMTR (TRADITIO/EXTSECUR): Security level for TDM trunks. Default value: TRADITIO
    SECIPSB (STANDARD/SECURE/CIPHER): Security level for IP subscribers. Default value: SECURE
    SECIPTR (TRADITIO/STANDARD/SECURE/EXTSECUR): Security level for IP trunks. Default value: SECURE
    SECLVDSP (YES/NO): Security terminal display. Default value: N
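As an added example (not part of this manual and not an OpenScape tool), the following checker parses the AMO ZANDE TYPE=SECURITY commands shown above and reports values outside the allowed sets listed for each parameter, security levels that leave traffic unencrypted, and the update/restart obligation that follows SPESUPP=YES. It assumes the general ACTION-AMO:KEY=VALUE,...; layout seen in the commands above, and it treats TRADITIO and STANDARD as the non-encrypting levels, which is an assumption about those levels.

```python
# Allowed values per parameter, taken from the parameter descriptions of
# AMO ZANDE, TYPE=SECURITY, on this page.
ALLOWED = {
    "SPESUPP": {"YES", "NO"},
    "SECTDMSB": {"TRADITIO", "SECURE"},
    "SECTDMTR": {"TRADITIO", "EXTSECUR"},
    "SECIPSB": {"STANDARD", "SECURE", "CIPHER"},
    "SECIPTR": {"TRADITIO", "STANDARD", "SECURE", "EXTSECUR"},
    "SECLVDSP": {"YES", "NO"},
}
# Assumption: these two levels do not encrypt signalling/payload.
WEAK = {"TRADITIO", "STANDARD"}


def parse_amo(cmd):
    """Split 'CHA-ZANDE:TYPE=SECURITY,A=B,...;' into (action, amo, params).

    Assumes the usual AMO layout ACTION-AMO:KEY=VALUE,...; where the
    command may be continued over several lines (as in the manual)."""
    text = " ".join(cmd.split()).rstrip(";").strip()
    head, _, body = text.partition(":")
    action, _, amo = head.partition("-")
    params = {}
    for field in body.split(","):
        key, _, value = field.strip().partition("=")
        if key:
            params[key.upper()] = value.strip().upper()
    return action.upper(), amo.upper(), params


def check_zande_security(cmd):
    """Return a list of findings (strings) for one ZANDE TYPE=SECURITY command."""
    findings = []
    _action, amo, params = parse_amo(cmd)
    if amo != "ZANDE" or params.get("TYPE") != "SECURITY":
        return ["not a ZANDE TYPE=SECURITY command"]
    for key, value in params.items():
        if key == "TYPE":
            continue
        if key not in ALLOWED:
            findings.append(f"{key}: unknown parameter for TYPE=SECURITY")
        elif value not in ALLOWED[key]:
            findings.append(f"{key}={value}: not one of {sorted(ALLOWED[key])}")
        elif value in WEAK:
            findings.append(f"{key}={value}: unencrypted security level")
    if params.get("SPESUPP") == "YES":
        # The manual requires EXEC-UPDAT followed by a hard restart after activation.
        findings.append("SPESUPP=YES: EXEC-UPDAT and a hard restart are required")
    return findings
```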