Steven Holl
Cisco Employee

I wrote a TCL script to completely automate the secure CME configuration.  The configuration of secure CME is quite complex, requiring around 60 lines of configuration.  This should alleviate the current pain points with the secure CME configuration.


Purpose

The configuration of secure CME is quite intensive, and there are several commands which require configuration in a specific sequence, some of which won't even show up in the final configuration.  The purpose of this script is to alleviate the burden for customers to configure secure CME by completely automating the entire secure CME configuration procedure.

Requirements

  • A CME device with phones registered to it.
  • CME running a feature set that supports secure CME.
  • CME currently has no secure CME configuration present before running script (no IOS CA, and no trust points named ca, cme, or sast2).
  • Phones do not currently have a CTL or LSC loaded before running script.
  • Script has not been previously run on this box.  Partial/existing configuration of trustpoints/CA will likely cause issues.

Caveats

Some firmware versions have issues pulling LSCs.  See the README for more information, but I'd be interested if you come across non-working firmware versions so that I can document accordingly.

The script does very limited error checking.  Ensure that you read the documentation before running so that you understand correct operation before executing.


Procedure

1. Copy securecme.tcl to router.

2. Configure the following parameters:

conf t
event manager directory user policy "flash:/"
event manager policy securecme.tcl
event manager environment password <password key for CA/certs>
event manager session cli username <aaa-username>

======> Password key must be 8+ characters and meet password requirements of IOS CA.
======> The last line is only necessary if AAA is running.  Specify a user with rights
         to run show commands.  A password does not need to be specified for the user.

Sample Configuration:

event manager directory user policy "flash:/"
event manager policy securecme.tcl
event manager environment password cisco123
event manager session cli username sholl

3. Ensure that time is correct on the router and phones:

  • Router clock is set properly before executing script; verify with 'sh clock'
  • Router clock timezone is set properly before executing script; verify with 'sh run | i timezone'
  • CME Time-zone is set properly before executing script; verify with 'sh telephony-s | i time'

4. Ensure that ip domain-name has been defined.

5. Ensure that phones do not have a CTL or LSC already installed.  If so, factory reset those phones before running script.

6. Ensure that the phone is running recent firmware and has the 'type' defined under the ephone.  Some firmware has issues with LSC provisioning. See the README for more information on this.

7. Save configuration before running script.  If script's secure CME provisioning is unsuccessful, simply reload the router (and delete the CTL files off each phone, if applicable).

8. Type 'securecme' in exec mode to run the script.

9. Observe 'sh log | i ---' to observe output.  System wide messages will print at start and finish of script.

10. If provisioning is not successful and the script needs to be re-run, reload the router before re-running to clear out partially provisioned security settings.  Clear CTL/LSC from phones (if applicable).


Assumptions Made

  • CME is already configured, and phones are registered unencrypted. Ensure phones are configured with the 'type' command under each ephone.
  • Router is running a featureset which supports Secure CME (securityk9+uck9 or advipservicesk9 or adventerprisek9)
  • Router may need to have a UC and security feature license activated:
    • CUBE2(config)#license boot module c3900e technology-package ?
      • datak9      data technology
      • securityk9  security technology
      • uck9        unified communications technology
    • CUBE2(config)#license accept end user agreement ?

  • Router clock is set properly before executing script; verify with 'sh clock'
  • Router clock timezone is set properly before executing script; verify with 'sh run | i timezone'
  • CME Time-zone is set properly before executing script; verify with 'sh telephony-s | i time'
  • 'password' is defined in the EEM configuration as a 8+ character password and meets the specifications of IOS CA requirements.
  • Script has not been previously run on this device (previous partial configuration of CA, trustpoints, CTL, etc. will probably create conflicts.)
  • The device is currently not configured with IOS CA, nor with a self-signed certificate. (i.e. Run this on a clean normal non-secure CME configuration).
  • Phones do not currently have a CTL or LSC on them before running the script.  Factory reset the phone if you are unsure of the presence of such.  (Hold #, plug in cable, wait for lights to blink, hit 123456789*0#).
  • Phones are running recent firmware.  Testing of script was successful on 15.2(2)T with multiple phone models, running 9.1.1SR1 (newer phones) and 8.1.2 (7960).
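A pre-flight check for the Requirements, Procedure steps 3 to 6 and the Assumptions above, written here as an added example (not part of securecme.tcl or the original post): it parses a constructed 'show run' excerpt offline and reports every prerequisite the router does not yet meet, so the script is only started on a clean, non-secure CME configuration as the post requires. The trustpoint names ca, cme and sast2 and the 8-character password rule come from the post; the sample configuration lines are constructed.

```python
# Added pre-flight check for the securecme.tcl prerequisites listed above (example
# code, not part of the script). Input below is a constructed 'show run' excerpt.
import re

CONSTRUCTED_RUN = """\
ip domain-name lab.example
clock timezone EST -5
crypto pki trustpoint TP-self-signed-1
 enrollment selfsigned
event manager policy securecme.tcl
event manager environment password cisco123
ephone 1
 mac-address 0024.142E.EEBE
 type 7945
ephone 2
"""

# (pattern, must_be_present, message) for each prerequisite named in the post
RULES = [
    (r"^ip domain-name \S+", True, "ip domain-name is not defined"),
    (r"^clock timezone ", True, "clock timezone is not set"),
    (r"^event manager policy securecme\.tcl", True, "securecme.tcl not registered"),
    (r"^crypto pki server ", False, "IOS CA already configured"),
    (r"^ enrollment selfsigned", False, "self-signed certificate trustpoint present"),
    (r"^crypto pki trustpoint (ca|cme|sast2)\s*$", False, "trustpoint ca/cme/sast2 exists"),
]

def parse_ephones(run):  # ephone tag -> list of its indented sub-commands
    ephones, current = {}, None
    for line in run.splitlines():
        m = re.match(r"^ephone (\d+)\s*$", line)
        if m:
            current = m.group(1)
            ephones[current] = []
        elif line.startswith(" ") and current is not None:
            ephones[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the ephone block
    return ephones

def preflight(run):
    """Return the unmet prerequisites; an empty list means safe to run."""
    problems = [msg for pat, want, msg in RULES if bool(re.search(pat, run, re.M)) != want]
    m = re.search(r"^event manager environment password (\S+)", run, re.M)
    if not m or len(m.group(1)) < 8:  # IOS CA needs an 8+ character key
        problems.append("EEM 'password' missing or shorter than 8 characters")
    for tag, subs in parse_ephones(run).items():
        if not any(s.startswith("type ") for s in subs):
            problems.append(f"ephone {tag} has no 'type' configured")
    return problems
```

Run it against the real 'show run' output after steps 2 and 4 and fix every reported item before typing 'securecme'.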

Downloading the script

See the securecmeTCL.zip file attached to the bottom of this post.

The current version is v1.4 - 1/13/2011.


Troubleshooting

Please read the README and the TCL header before running the script to avoid incorrect operation.


One can observe the logging buffer output for current status of script.  Run 'debug event manager all' during script operation for details on what the script is doing.

If you run into issues with the script for which you would like me to take a look at, I will require the following information:

  1. Output of the following information before running script:
    1. sh run
    2. sh ephone ph
    3. sh clock
  2. 'debug event manager all' enabled before running script, with 'logging buffered 10000000 7' set.
  3. Output of the following after script is run:
    1. sh log
    2. sh run
    3. sh capf-server sum
    4. sh ctl-client
    5. sh telephony-service tftp
    6. sh ephone reg

Comments

Hello,

After running the script, anybody have the same issue?

TFTP: Looking for CTLSEP0024142EEEBE.tlv

Opened flash:/CTLFile.tlv, fd 0, size 3774 for process 107

Finished flash:/CTLFile.tlv, time 00:00:00 for process 107

Looking for ITLSEP0024142EEEBE.tlv

Looking for ITLFile.tlv

Looking for SEP0024142EEEBE.cnf.xml.sgn

Opened flash:/its/vrf1/SEP0024142EEEBE.cnf.xml.sgn, fd 0, size 1570 for process 107

Finished flash:/its/vrf1/SEP0024142EEEBE.cnf.xml.sgn, time 00:00:00 for process 107

Looking for English_United_States/mk-sccp.jar.sgn

Looking for United_States/g3-tones.xml.sgn

New Skinny socket accepted [2] from 1, sub 1 (0 active)

sin_family 2, sin_port 51949, in_addr 192.168.155.101

add_skinny_secure_socket: pid =107, new_sock=0, ip address = 192.168.155.101

skinny_secure_handshake: pid =107, sock=0, args->pid=107, ip address = 192.168.155.101

Start TLS Handshake 0 192.168.155.101 51949

TLS Handshake retcode OPSSLReadWouldBlockErr

TLS Handshake retcode OPSSLReadWouldBlockErr

TLS Handshake retcode OPSSLReadWouldBlockErr

TLS Handshake retcode OPSSLReadWouldBlockErr

TLS Handshake error -6992

TLS context configuration FAILED for 0 192.168.155.101 51949

PS I used other versions of CME, such as 4.1, 7.1, 8.6 on 2800 series routers with phones 7940, 7941, 7945 with different firmware 8-3-3, 8-3-5, 9-2-3, 9-3-1

Thanks

beastyellow , did you get success with it? 

 

I am also facing the same problem: no CTL file is generated for the phone, and it never installs the CTL.

 

Marwan Urabi
Level 1

Good day,  

I tried the script and it works fine for the primary CME, but today when the router failed and restarted, the phones did not register at the secondary CME as before. I tried to install the same script on the secondary router but got the same result.

Do you have any suggestion?

Thank you 

Steven Holl
Cisco Employee

Marwan, I never built in support for a secondary CME server--it only looks for and grabs the primary CME IP.  It's been a while since I've looked at this script, but I think you may just need to get the secondary CME IP in the CTL file for it to work with a secondary server.  Try editing Step 6a in the script to include the commands to list a secondary hardcoded cme & tftp server IP and see how it fares.

 

Marwan Urabi
Level 1

Thanks for your suggestion, but frankly it also fails to register on the secondary CME.

Anyway, your script is perfect. I hope you have more good scripts like this to share with us,

mainly if you have tried before a script to limit call duration on CME.

 

Thank you , best regards
