Following on from last week’s introduction to the Asterisk AMI, here we are with part 2 on enabling and configuring your Asterisk IP PBX manager interface.
Getting Started with the Asterisk AMI
Before starting with configuring your Asterisk Manager Interface, it is important to understand the security issues surrounding enabling the Asterisk AMI and precautions that you should take.
Therefore, if you have not already done so, please refer to our theoretical intro to the AMI in the last tutorial.
Enabling the Asterisk AMI
The Asterisk AMI is disabled by default because enabling it can expose your system to security risks. To check which ports are open, you can use the command
netstat -lpn
This will provide you with a list of open ports, such as those used for SIP, AJAX and so on. To enable the Asterisk AMI, simply edit the manager.conf:
Scroll down to the security notice, which warns you to never enable the Asterisk AMI on a public IP address without security protocols in place. Asterisk themselves recommend using SSL connections or VPN tunnels if you wish to use Asterisk AMI through the internet.
If you are connecting to the Asterisk AMI via your local network, then this is of course safer but it is still advisable to implement username and password protocols as well as restricting authenticated access to only permitted IP addresses, i.e. that of your CRM or ERP systems.
Under the security notice you will find a context named [general] which you can edit in order to enable the AMI as shown below:
The above is the classical AMI enabling option, which will open a TCP socket allowing you to read and write via the socket. By default, the AMI port is set to 5038 and the bind address (bindaddr) is set to 0.0.0.0. The webenabled option above is similar to the classic enabling option; however, it requires the Asterisk web server to be enabled, as it allows you to read and write entries via HTTP.
Adding an Asterisk AMI User
Scroll down further and you will come across an example user named [mark]; this is where you can create your AMI user. When naming the user, it is recommended to give it a recognisable name according to the purpose it will serve, for example CRM, ERP or Dialer.
In our case, we kept it simple as we are only using it for demo purposes:
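[mathias]
secret=1234568
deny=0.0.0.0/0.0.0.0
; note: with the 255.255.255.0 mask this permit matches every host in 192.168.100.0/24;
; use 255.255.255.255 to allow only 192.168.100.55
permit=192.168.100.55/255.255.255.0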
If you have configured ACL authentication, you can also use these auth settings here. If you haven’t, you can do so via the acl.conf, although for single user and testing purposes it is not necessary.
Setting AMI Permissions
Before moving forward, it is important to understand that the Asterisk AMI has two types of permissions: read and write. These are then applied to a number of classes as shown below. It is also important to note that if you do not allow permissions to a class then it is automatically denied.
; Read authorization permits you to receive asynchronous events, in general.
; Write authorization permits you to send commands and get back responses. The
; following classes exist:
;
; all       - All event classes below (including any we may have missed).
; system    - General information about the system and ability to run system
;             management commands, such as Shutdown, Restart, and Reload.
; call      - Information about channels and ability to set information in a
;             running channel.
; log       - Logging information. Read-only. (Defined but not yet used.)
; verbose   - Verbose information. Read-only. (Defined but not yet used.)
; agent     - Information about queues and agents and ability to add queue
;             members to a queue.
; user      - Permission to send and receive UserEvent.
; config    - Ability to read and write configuration files.
; command   - Permission to run CLI commands. Write-only.
; dtmf      - Receive DTMF events. Read-only.
; reporting - Ability to get information about the system.
; cdr       - Output of cdr_manager, if loaded. Read-only.
; dialplan  - Receive NewExten and VarSet events. Read-only.
; originate - Permission to originate new calls. Write-only.
; agi       - Output AGI commands executed. Input AGI command to execute.
; cc        - Call Completion events. Read-only.
; aoc       - Permission to send Advice Of Charge messages and receive Advice
;           - Of Charge events.
; test      - Ability to read TestEvent notifications sent to the Asterisk Test
;             Suite. Note that this is only enabled when the TEST_FRAMEWORK
;             compiler flag is defined.
If you are configuring this on a production system, then only allow “read” rights to avoid any potential risks. For demonstration purposes, we are going to allow read and write permissions for all classes:
[mathias]
secret=1234568
deny=0.0.0.0/0.0.0.0
permit=192.168.100.55/255.255.255.0
read=all
write=all
However, you can refine your setup to allow read and write permissions in more detail as shown below:
Lastly, you will need to restart your Asterisk services in order to apply the new configuration. Once the service has restarted, you can check whether the Asterisk AMI port is open using the netstat command above.
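The precautions discussed above (bind address, user secret, deny/permit ACL and write classes) can be checked mechanically before the restart. The following is an added example, not part of the original tutorial or of Asterisk: the sample file is constructed to mirror the demo user, and the 12-character minimum secret length and the set of write classes flagged as high impact are assumptions.

```python
import ipaddress
# Constructed manager.conf mirroring the tutorial's demo user (not a real system).
DEMO = """\
[general]
enabled = yes
bindaddr = 0.0.0.0
[mathias]
secret = 1234568
deny = 0.0.0.0/0.0.0.0
permit = 192.168.100.55/255.255.255.0
write = all
"""
# Assumptions: which write classes count as high impact, and the minimum secret length.
RISKY_WRITE = {"all", "system", "command", "config", "originate", "agi"}
MIN_SECRET = 12

def parse(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys such as permit=."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def audit(text):
    findings, conf = [], parse(text)
    general = dict(conf.pop("general", []))
    # bindaddr falls back to 0.0.0.0 when it is not set
    if general.get("enabled") == "yes" and general.get("bindaddr", "0.0.0.0") == "0.0.0.0":
        findings.append("general: AMI enabled on all interfaces")
    for name, items in conf.items():
        get = lambda k: [v for key, v in items if key == k]
        if len("".join(get("secret"))) < MIN_SECRET:
            findings.append(f"{name}: secret shorter than {MIN_SECRET} characters")
        if "0.0.0.0/0.0.0.0" not in get("deny"):
            findings.append(f"{name}: no deny=0.0.0.0/0.0.0.0 default")
        for p in get("permit"):
            net = ipaddress.ip_network(p, strict=False)  # accepts addr/netmask form
            if net.num_addresses > 1:
                findings.append(f"{name}: permit {p} matches all of {net}")
        risky = RISKY_WRITE & {c.strip() for w in get("write") for c in w.split(",")}
        findings += [f"{name}: write grants {c}" for c in sorted(risky)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(DEMO)))
```

On the demo user this reports four findings, including that the 255.255.255.0 mask on permit admits the whole 192.168.100.0/24 subnet and not only the single host.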
Next time around, Mathias will test his setup so join us then.
Until next time – Happy VoIPing!