• download the Reports App service from the App store and create a new instance
  
• create the App objects in the PBX and configure the appropriate URLs and flags so it is known how to access them
  
• assign the Apps to a user to make them available in myApps
  
  we have already done these steps before
  
  
• configure CDR delivery from the PBX to the Reports App service
  
• setup users so that they have the appropriate licenses for their calls to appear in Reports
  

• set User name to cdr
• set Password to ip411 (of course, in real life, etc. etc. )
  

• PBX / Config / General (our  master PBX)

• select HTTPS as Log Server Type
• use apps-dvl-ckl2.training.innovaphone.com as Address as this is the DNS name of your AP
  
• leave Port empty (which will use the https default port 443)
• select External (GET) as Method
• use /dvl-ckl2.net/reporting/cdr as Path
  Note that the prefix /dvl-ckl2.net/reporting is what has been  configured as Webserver path in your Reports instance while /cdr is a fixed part you always use to send CDRs to the Reports service instance
  
• configure User like you did on the server side before, which is cdr. Note that this user name will only be used to authenticate the delivery of CDRs to the Reports App service instance
  
• configure the Password like you did on the server side, which is ip411. Note that this password will again only be used to authenticate the delivery of CDRs to the Reports App service instance
  

•  start the calllist App from the ALL APPS area
  
  
• the App starts up empty.
  But when you
• lift the handset on the analog phone (which we have registered for John Doe before)
• call 14
• and hang up again,

you'll see  new entries appearing

•  start Reports to see if this works too
• Leave all fields as is in the selection criteria, so that we see todays calls for all users and hit  Show results
  

•  assign the Reporting license to John Doe
• call 14 again with the analog phone
  
• refresh the list of calls by  clicking on Show results again

• download the Users App service from the App store and create a new instance
• create the App objects in the PBX and configure the appropriate URLs and flags so it is known how to access them
  
• assign the Apps to a user to make them available in myApps
• configure the Profile App as the app to be linked from myApps burger menu
• configure user replication
  

• open the PBX Manager in myApps
• start the Christoph's AP app installer
• install the Users App service using version srInstall
  
  You now have  an instance called usersapp running and hence a  new Christoph's AP usersapp plugin in the PBX Manager (be sure to re-start the manager to see it)
  

• use the + Add app function of the Christoph's AP usersapp PbxManager plugin to  add the App objects for
• the Users App (Name Users, SIP users)
  
• the Users admin App (Name Users Admin, SIP users-admin)
• the Profile App (Name Profile, SIP profile)
• and the Users APIs API to the PBX (Name UsersApi, SIP users-apis)


• now we can  assign the users, profile and users-admin App as well as the users-apis to John Doe in his user record in the PBX
• then  start the Users Admin App from the ALL APPS area

WebSocket

Replicator properties

• the PBX Password (we had set that to ip411 in the PBX)
• and the PBX name (which is hq)

Now everyone is  happy

• set the password policy's Minimum length to 8 and
  
• Minimum number of categories to 1
  
  
• set the default settings - new user's Node to root (so far, there is no other node than root),
• PBX name to the name of the master PBX (which is hq),
• Default password (import) to password,
• Home screen apps to users,
• Template to Config User (which does not yet exist in our PBX but we'll create it later)

• when you click on Users configuration / Change configuration a drop-down will appear (admittedly, it doesn't look like one initially, but just trust me and click on it, you'll see a drop-down list).
  Select  your Christoph-IP411LEFT here (as it is the master PBX). It is the only choice at that moment
  
  
• you will see a dialog there which allows you to set the Profile app. Even more, it allows you to control some additional behavior in your PBX:
  
  
• can users register themselves?
• can users reset their password?
• can users delete their account?
  
  Just click on profile (this is the only profile editing app we have anyway). You can  select whatever you like for the other choices, but letting users register and delete themselves is a rather rare setting (unless you run a web-based public PBX)
  
  
• once you have saved the new settings, you will see the settings in PBX / Config / myApps  updated and the Edit profile link appears (you might have to re-open the profile though for the change to take effect)

• open the PBX Manager in myApps
• start the Christoph's AP app installer
• install the Contacts App service using version srInstall
  
  You now have  an instance called contacts running and hence a  new Christoph's AP contacts plugin in the PBX Manager (be sure to re-start the manager to see it)

• use the Christoph's AP contacts PbxManager plugin to add the App objects for
  
  
• Contacts (Name Contacts, SIP contacts)
• Contacts admin (Name Contacts Admin, SIP contacts-admin)
• Contacts API (name ContactsApi, SIP contacts-api)
  
  
• assign contacts, contacts-admin and contacts-api to John Doe
  
  
• start Contacts Admin
  
  
•  upload the  Sample contacts file (UTF8) in to the new instance
  
  
• type fen in to the search window
  you should see the  entry for Renée-François Fenêtre if everything went well.

• name resolution maps a name to a number (e.g. by looking up the name in a directory so the user can use it to dial out). As this is usually what a user expects to happen when he does an outgoing call, a.k.a. forward lookup
• number resolution does the opposite thing: it resolves a number to a name (e.g. to display the caller-id for an incoming call), a.k.a. reverse lookup

Directory Interfaces

• local
  The hard-phones feature a local directory list which can be edited by the end-user (on the phone)
• LDAP
  both the phone and the PBX can use LDAP to look in to a directory (which might be a Contacts App service instance, an external LDAP server or the PBX internal LDAP server)
• search-API provider
  myApps (and hence all the Apps running inside myApps) can use the com.innovaphone.search API. There are several providers for this API:
• the Users App service instances. Provides data for PBX User and Executive objects
• the Contacts App service instances. Provides data for the entries stored in their respective database
• the PBX LDAP objects. Provide proxy access to entries stored in a remote LDAP server. myApps can not talk LDAP directly. These objects are the way to provide access to LDAP entries for myApps.
• your local Outlook contacts. myApps for Windows will search your local Outlook contacts for a matching name.
  

Directories

• the  PBX User database
  these are the PBX objects that do not have the Hide from LDAP property set. They are made available both by the PBX's internal LDAP server (via LDAP obviously) and the Users App service instance as a com.innovaphone.search API provider to Apps running in myApps (however, limited to User and Executive objects only in the latter case)
• the directory entries uploaded to the  Contacts App service instances
  made available by the Contacts App service instances both via LDAP and as a com.innovaphone.search API provider
• contact entries stored in the user's own  Outlook installation (e.g. an Exchange contacts folder)
  made available by the myApps launcher as a com.innovaphone.search API provider
• directory entries stored in the user's own  hard-phone
  accessed locally and hence only available on a single phone
• directory entries stored in an LDAP compatible  3rd party directory server such as Estos' MetaDir, C4B's XPhone Virtual Directory or any OpenLDAP server
  made available both by the 3rd party's server (via LDAP obviously) and (optionally) by an LDAP type PBX object
  

• An external call comes in
  It is received by the PBX's signaling core. The signaling core now uses it's  configured Reverse Lookup URL and  performs a reverse lookup request (as to map the incoming number to a caller-id).
  The Reverse Lookup URL usually points towards a Contacts App service instance. However, it does not need to. If you decide to use an external directory system instead, you can do so (see  Concept Number Resolution and LDAP for some samples how to address other services)
  
  
• meanwhile,  the call is forwarded to both the hard-phone (using H.323) and to myApps (more precisely, to the phone App running in myApps, using the EpSignal WebSocket API)
  
  
• when a search result is received from Contacts, the PBX creates a name-identification from it (this could look like Christoph Künkel innovaphone AG for example) and sends it to the hard-phone and to the phone App (again using H.323 and EpSignal, respectively) which will display it to the user
  
  
• the phone App does an attempt to even do better and sends the name-id (Christoph Künkel innovaphone AG) to the search API available in myApps. myApps will  forward this request to all search API providers available:
  
  
• Contacts
• Users
• any PBX LDAP object available
• Outlook contacts

Each of them may or may not yield a result, however, the Contacts App service certainly will, as the name-id was constructed from its search result by the PBX in the first place. The difference now is, that the full directory information is available to the phone App which will use it to display a  nice vCard

Note that the hard-phone does not do any such attempt, as it relies on the PBX to do the reverse number lookup and also has no ability to display extended vCard information.
This behavior is controlled by the  Disable Phonenumber Look-up check-mark in the user's Phone configuration. For legacy installations (pre-V13), this is turned off (so that phone number lookup is done) because the PBX did not do the reverse lookup in these systems

Also note that reverse lookup is only performed for calls to user objects. For example, if you call a waiting queue with two agents, number resolution will be done for each agent separately (as there might be different results) but it will not be done for the waiting queue. SO when looking at a call report for the waiting queue, no resolved names will be seen.

• the call is sent from the endpoint (either hard-phone or phone App) to the PBX
• the PBX does the reverse lookup and sends back a name-id
• myApps attempts to display a vCard and sends a search request to the search API therefore

• if the number matches the Intl prefix (usually 000), the prefix is removed
  
  000497031730090 -> 497031730090
  
  
• otherwise, if the number matches the Ntl prefix (usually 00), the prefix is removed and the Country-Code (49 in our example) is prepended
  
  007031730090 -> 7031730090 -> 497031730090
  
  
• the resulting number (497031730090) is made available to the Reverse Lookup URL as variable %n
• in the default lookup URL
  
  ldap://apps.dvl-ckl2.net/dc=entries?givenname,sn,company?sub?(metaSearchNumber=+%n)?bindname=apps.dvl-ckl2.net\contacts
  
  you see the part metaSearchNumber=+%n. %n is replaced by 497031730090 as shown above. The URL also has a + (plus sign) in front of the %n, so the number actually looked up in the directory is
  
  +497031730090
  
  which is actually the full international format usually maintained in a directory (although it might be displayed with some decoration as in +49 (70317) 3009-0)

• the user types in a search string in the phone App
  
• the phone App will send the string to myApp's com.innovaphone.search API
• myApps will  forward the search request to all com.innovaphone.search providers, e.g.
  
  
• Outlook
• Users
• Contacts
• any available PBX object of type LDAP
  
  
• incoming results will be displayed to the user
• the user selects an entry (and the number within this entry, there might be multiple)
  
• the phone App  creates a call using the EpSignal API and sends the selected number with it
• the PBX  forwards the call to the users local phone and the remote peer (using either the appropriate trunk or a local PBX object)

Number normalization

type	input	dialed
international numbers	+49 (7031) 73009-123	00049703173009123
international numbers with full dialing prefixes	00049703173009123	00049703173009123
international numbers	0049703173009123	00049703173009123
national numbers	0703173009123	00703173009123
subscriber numbers	73009123	073009123
local extensions	123	123

• when the user types in a search string the phone would consult 3 different databases, depending on the  registered user's Phone/Directory configuration:
  
  
• the Local phone-book, which is stored in the phone's flash memory and can be maintained by the user itself directly on the phone
• the PBX phone-book, which lists all the PBX objects
• the External LDAP Server phone-book, which usually is configured to look in to the Contacts database
  

Except for the Local phone-book, they are  accessed using LDAP

• the call is then  sent to the PBX with H.323 and forwarded both to the remote peer (using SIP) and the phone App running in myApps (using EpSignal)

The full picture

•  use Contacts
• a single Contacts App service instance is used for forward- and reverse-lookup
• no PBX LDAP objects
  
  
•  use 3rd party directory
  
• Contacts is not used
• Instead, a 3rd party LDAP server is used in the PBX's Reverse Lookup URL property and in a single PBX LDAP object
  

• enable  all the com.innovaphone.search API providers in John Doe's PBX User object's Apps tab. These are
  
  
• contacts-api
  
• users-api

Note that there is no App check-mark for the Outlook search provider. This is available to myApps simply due to the fact that it is installed on the PC where myApps runs.

Also, if a user may search a directory (as allowed by enabling the search providers above) it obviously makes sense to give access to their respective UI too. So we also tick the

• contacts and
• users

check-marks.

• tick  the Local/Enable check-mark

To configure access to the PBX's objects (such as e.g. Users), you need to configure the LDAP access to your PBX in  the PBX section:

• tick the Enable and Use TLS check-marks
  
  
• leave the Server property empty. In this case, the server address found in the phone's registration configuration is used and this is most likely what you want
  
  
• leave the Port property empty. In this case, the LDAP (389) or LDAPS (636) default port is used, depending on your Use TLS setting. Again, this is probably what you want
  
  
• set the Username to a name in the domain\user format. The domain is your PBX's DNS (hq-dvl-ckl2.training.innovaphone.com in your case). We suggest to use ldap-guest as user. So in your case, you end up with hq-dvl-ckl2.training.innovaphone.com\ldap-guest
  
  
• set the Password to a secure password (yeah, you guessed it, in this course, you set it to ip411)
  
  
• leave the Gatekeeper Identifier property empty
  
  
• Leave the Name Attribute property as-is. You could set it to Display Name instead of Long Name. However, Display Names are not unique throughout the system, so you could get ambiguous results, which you probably don't want
  

• tick the Enable and Use TLS check-marks
  
• set the Server property to the DNS name of your App platform (apps-dvl-ckl2.training.innovaphone.com in your case)
  
  
• leave the Port property empty. In this case, the LDAP (389) or LDAPS (636) default port is used, depending on your Use TLS setting. This is probably what you want
  
  
• set the Username to a name in the domain\user format. domain is the DNS name of your App platform (dvl-ckl2.training.innovaphone.com in your case). user is the name of your Contacts App service (contacts). So in your case, you end up with apps-dvl-ckl2.training.innovaphone.com\contacts
  
  
• set the Password to a secure password (again, how boring, we use ip411 in the course)
  
  
• set Search Base to dc=entries (just don't ask this is a hard-wired value imposed by the Contacts app service)
  
  
• leave Mode as is (that is, basic). Again, this is a hard-wired value imposed by the Contacts app service
  
  
• leave Object Filter empty
  
  
• leave Sort Results un-ticked
  

• leave Name Attributes empty since it is a legacy option and not required to configure any longer.
  
  
• leave Number Attributes empty (remember: we do not use reverse lookup on the phone)
  
  
• set H323 ID Attribute to sip
  (this is the name of the attribute in the Contacts database which allows to be called like a phone number)
  
  
• set the Detail Attributes to title,company,street,postalCode,city,country,email,url
  This is something you may modify to your taste. It defines the way the phone would construct the display search result entry
  
  
• set the Meta Name Attribute to metaSearchText
  
  
• set the Meta Number Attribute to metaSearchNumber

• leave the Hold Server Connection property as is
  

• set Country Code to the country code of your trunk line, 49 in your case
  
  
• set Area Code to the area code of your trunk line
  
  If there are no area codes in your country, this field must be left empty. So for you, set it to
  
  621
  
  
• set National Prefix to the prefix you need to dial to access a national number but without the trunk access prefix (this is the difference to the setting in PBX/Config/General).
  
  So for you, set it to
  
  0
  
  
• set International Prefix to the prefix you need to dial to access a international number but without the trunk access prefix (this is the difference to the setting in PBX/Config/General).
  
  00
  
  
• set External Line to the trunk-access prefix of your trunk. In your case, this is 0
  
  
• leave Subscriber Numbers as-is (empty)
  
  
• set Max Internal Number Length to 7 (so it is consistent with the hard-coded limit implemented in the phone App)

PBX local LDAP server

• add a new User called hq-dvl-ckl2.training.innovaphone.com\ldap-guest with Password ip411
  This needs to be exactly the credentials you have configured in the  PBX settings of the PBX User record in the last section!
  
  
• make sure you tick the Apply Hide check-mark for this new user
  
  
• optionally delete the existing ldap-guest user. This legacy setting is there by default but is not suitable for remote access to the PBX LDAP (that is, access through a reverse proxy)
  

Contacts LDAP server

• open the PbxManager in myApps
• click on the Christoph's AP contacts plugin
• click on Change configuration

• type a secure password in to the Password (LDAP) field
  In this course, as usual, use ip411
  
• tick the Enable LDAP check-mark to start the LDAP server

Reverse lookup

• set the  Reverse Lookup URL in PBX / Config / General to
  
  ldaps:// DNS-name-of-your-AP /dc=entries?givenname,sn,company?sub?(metaSearchNumber=+%n)?bindname= ldap user configured in your Contacts instance
  
  
  The ldap user would be what you have configured as User (LDAP) in the Christoph's AP contacts PBX Manager plugin.
  
  In your case, this is
  
  ldaps://apps-dvl-ckl2.training.innovaphone.com/dc=entries?givenname,sn,company?sub?(metaSearchNumber=+%n)?bindname=apps-dvl-ckl2.training.innovaphone.com\contacts
  
  
• set the Password to what is configured as User (LDAP) in the Christoph's AP contacts PBX Manager plugin. In your case (as usual) ip411
  
  
• make sure  Prefix for Intl/Ntl/Subscriber are set to
  
  
• Intl: prefix to access international numbers, including the trunk-access-code. In your case
  
  000
  
  
• Ntl: prefix to access national numbers, including the trunk-access-code.
  
  In your case
  
  00
  
  
• Subscriber: prefix to access local numbers (also known as trunk-access-code).
  In your case
  
  0
  
  
• make sure Area-Code/Country-Code/Subscriber are set as follows:
  
  
  • Area-Code: the area code of your trunk line
    
    In countries which do not have area codes (that is, users must always dial full national or international numbers) this field must be left empty!
    
    621
    
    
• Country-Code: the country code of your trunk line.
  
  In your case
  
  49
  
  
• leave Subscriber as is (empty)
  

Trying it

• use your IP111 where John Doe is registered
• do a long press on the 5 (j)
  you should see a  search result entry for John Doe (14). This is a result from the PBX LDAP server
  
• clear the j using the backspace key on the upper right
  
• and press 7 three times (yielding an r)
  you should see a  search result entry for Renée-Francois. This is a result from the Contacts App service instance LDAP server

• open John Doe's PBX User record
• switch to the Apps tab
• tick the phone App
  
  now, several Apps representing John Doe's devices are available in the ALL APPS area (POTS phone, Hot Desking and IP111)
  
  
• start one of your phone apps
  
• search for both j and f
  
  Notice that the search for f works  as expected but the search for j does not. John Doe is found by the telephone's LDAP client because visibility through LDAP access is a yes/no configuration in the PBX object (controlled by the Hide from LDAP check-mark which is currently off for John Doe). Visibility through search-api access (which myApps (or more precisely: the phone App) is using) however is controlled by a much more sophisticated privacy mechanism which we need to configure before it works

• edit John Doe's profile by starting the Profile App available in the ALL APPS area
• switch to the Privacy tab
• click on + Filter for domain to add a rule for all users in your PBX system
• put dvl-ckl2.net (your PBX System Name) in to the input field next to the @
• tick the Visible check-mark
  
  This is to say that John Doe is visible to all users in this specific domain. If you like, you can tick all the other privacy options (except for Group, you must not tick this as this is not a privacy option but changes the interpretation of what you have typed in the input field from being a domain name to being a group name)
  
  
• if you now go back to the phone App and re-run the search for j, it should work
  

Finding search API providers

•  use Christoph's AP app installer
• restart the PBX Manager
• use the Christoph's AP events plugin to all the App object in the PBX:
• Events with Name set to Events and SIP to events
  
• Alarms with Name set to Alarms and SIP to alarms
• Logging with Name set to Logging and SIP to logging
• Events API with Name set to Events API and SIP to events-api

• click on Events configuration / Change authentication account
• set the Username to something sensible, e.g. events
• set the Password to a secure value, which is ip411 in the course as you know
  

• open the Maintenance / Logging tab on your IP411LEFT
• un-tick all check-marks which may be set so far
• tick the PBX Calls check-mark
• open the Logging App from the ALL APPS area in myApps
• lift the receiver of John Doe's IP111
• hang up again

• use Christoph's AP app installer
  
• restart the PBX Manager
• use the Christoph's AP messages plugin to add all the App object in the PBX:
• Connect with Name set to Connect and SIP to connect
  
• Api with Name set to MessagesAPI and SIP to messages-api

• Long Name Lisa Svensson
• Name lisa.svensson
• Password ip411
• Assigned Apps connect, profile, users-api and search
• active group membership in group group-for-connect
• visibility setting for @dvl-ckl2.net with Visible ticked
  
  Also,
• add John Doe to the group-for-connect group
• start Connect as John Doe
  
  finally
  
• open a new browser and log in as lisa.svensson with password ip411
  
  note: this needs to be a different browser, not just a new browser window or tab. For example, if you use Firefox currently, you could use a Chrome window. If you don't have another browser on your laptop, you can use the native myApps client (you can get it from the  Recommended Tools for this Course page)
  
  
• start Connect as Lisa Svensson

---

If you also want some nice avatar images for Lisa and John, you can use these: , and upload them using the Profile App.

These pictures are courtesy of  www.freepik.com.

• type a new message in to the Start a new discussion field, say something like what I always wanted to say
  
  This creates a post which you can reply to
  
  
• click on the message, then on Reply and type do you hear me
  
  Here you have your first thread

• he can edit one of his messages
  
• and add the text @lisa.svensson to it

• go to More / USERS
• click on John Doe
• click on the bell-symbol next to John Doe's avatar picture
• click More / FOLLOWING. You will see that John Doe is in the list of people Lisa is following
  
  
• switch to John Doe's Connect App and post a new message with content no at

Mentioning groups

• click on the burger menu (upper right)
  
  This is where user settings for ordinary users can be found. However, users with admin rights (those that have connect~admin assigned in their Apps tab) can access administrative functions here
  
  
• then select Zones
  you will see a list of existing zones with the entries Connect and John Doe
  
  
• click on Add a zone to create a new zone
• set Display name to Coffee gossip
• set App id to connect
• and finally set Id within App to coffee-gossip

• open the App object for Profile in the PBX
• switch to the Apps tab
• tick the connect check-mark

• in Lisa's Connect App, click on MORE
• select Zones
• click on the Coffee gossip zone (it shows up above the list with 3 dots to the right)
• click on the 3 dots
• select Pin to home
• switch to the HOME area, the zone is now in your list
  
• click on Coffee gossip in the list
• click on the 3 dots
• select Set as main page
  
  The icon next to the zone's name changes to a house-symbol.

• click on MORE / TAGS
• click on party-of-the-week
  
• on the three dots select Pin to home
• switch to the HOME area

• They have agreed to use the hashtag #weekly-meeting for posts about this meeting. This is used for several types of posts that are related to that particular regular meeting, such as meeting minutes, agenda items, and other discussions
• So they have also agreed to use the hashtag #agenda for agenda items.
• To identify items that have not yet been discussed, they use the hashtag #open

• in the MORE / TAGS list, she clicks on weekly-meeting
  
• using the 3 dots, she selects Create channel
• and creates a new channel called Weekly Meeting
  
• she switches to the CHANNELS area and clicks on #weekly-meeting (or Weekly Meeting). The tag is now shown in top of the home page
  
• using the 3 dots next to it, she  selects Pin channel

• in the MORE / TAGS list, she clicks on weekly-meeting , agenda and open
  
  The tags accumulate on the top of the list
  
  
• using the 3 dots, she selects Create channel
• and creates a new channel with name Things to discuss
  

• she edits the post
• writes a summary and
  
• removes the #open hashtag by clicking on it underneath the text box (it will be striked out then)
  

• re-start the PBX Manager plugin
  A new item Christoph's AP letsencrypt appears
  
  
• open the plugin and switch to the Settings
  
  
• tick the Enable check-mark
  
  
• change the Let's encrypt directory URL from its default (which is https://acme-v02.api.letsencrypt.org/directory) to the staging service URL https://acme-staging-v02.api.letsencrypt.org/directory
  
  Of course, in a real-life situation you would not do this. However, here in the training, you don't want to create and subscribe real certificates. This is just for playing around with them and for this, the staging directory is exactly the way to go
  
  
• agree to the subscriber agreement
  
  
• set the Email address to your own E-mail address ckl@innovaphone.com. LE will use that to send expiry notes to you
  
  
• set the Client password to ip411ip411 and take note of it (a strict policy here does not allow our usual friend ip411). You will need it later on each device you want a certificate for
  
  Again, in a real-life situation, you would use a secure password
  
  
• you can leave the Certificate Installation before expiry (days) as (the default is 3)
  
  
• take note of both the Client URL and the URL for Let's Encrypt root certificates. You will need them later on each device you want a certificate for

TLS Handshake

• innovaphone Device Certification Authority
• innovaphone Device Certification Authority 2
• *.innovaphone.com

1. configure the App service instance (already done)
2. configure the AP's LE client
3. wait for the new AP certificate to appear
   
4. configure the IP411LEFT's LE client
5. wait for the untrusted certificate to appear in the list of Rejected certificates
6. from there, add it to the trust list
7. wait for the new device certificate to appear
   

• go to Settings / Let's Encrypt (accessible from the burger menu)
  
  
• tick the Enable check-mark
  
  
• set the Let's Encrypt App URL to the service URL of your Connector for Let's Encrypt App instance: wss://apps-dvl-ckl2.training.innovaphone.com/dvl-ckl2.net/letsencrypt/clients
  
  You can copy this  from the Client URL field in the Christoph's AP letsencrypt PBX Manager plugin
  
  
• set the Let's Encrypt App Password to the value you have set as Client password in the Let's Encrypt App service instance configuration (didn't you take note of it? never mind, it is ip411ip411)
  
  
• never touch the Key length (bit) (which defaults to 2048 bits) unless you really know what you do
  
  This is because changing the certificate's key length to a higher value would impact the performance of your system significantly, as it slows down each and any TLS connection establishment
  
  
• set the DNS name(s) to the DNS name of your AP: apps-dvl-ckl2.training.innovaphone.com
  
  We could add more DNS names here which would appear as subject alternate name (SAN) in the certificate issued by LE
  

It's a good time to have a cup of coffee now (well then, perhaps besser an even quicker espresso) until you see the  new device certificate appearing in burger menu / Settings / Security.

It is essential that you first acquire the LE certificate for the AP. This is because access to the AP is required for all other devices in order to obtain a certificate from LE. For this to work, you need to trust the AP's certificate (and hence LE's certificates). This can only be done once you have configured the LE client on the AP.

• tick the Enable check-mark
  
  
• set the Let's Encrypt App URL to the value shown as Client URL in the Let's Encrypt App service instance configuration (didn't you take note of it? never mind, here it is wss://apps-dvl-ckl2.training.innovaphone.com/dvl-ckl2.net/letsencrypt/clients)
  
  
• set the Let's Encrypt App Password to the value you have set as Client password in the Let's Encrypt App service instance configuration (didn't you take note of it? never mind, it is ip411ip411)
  
  
• never touch the Key length (which defaults to 2048 bits) unless you really know what you do
  
  This is because changing the certificate's key length to a higher value would impact the performance of your system significantly, as it slows down each and any TLS connection establishment
  
  
• set the DNS name to the DNS name of your PBX: hq-dvl-ckl2.training.innovaphone.com