Automated Secure CME Configuration Script

Steven Holl · ‎01-10-2012

I wrote a TCL script to completely automate the secure CME configuration. The configuration of secure CME is quite complex, requiring around 60 lines of configuration. This should alleviate the current pain points with the secure CME configuration.

Purpose

The configuration of secure CME is quite intensive, and there are several commands which require configuration in a specific sequence. Some of which won't even show up in the final configuration. The purpose of this script is to alleviate the burden for customers to configure secure CME by completely automating the entire secure CME configuration procedure.

Requirements

A CME device with phones registered to it.
CME running a feature set that supports secure CME.
CME currently has no secure CME configuration present before running script (no IOS CA, and no trust points named ca, cme, or sast2).
Phones do not currently have a CTL or LSC loaded before running script.
Script has not been previously run on this box. Partial/existing configuration of trustpoints/CA will likely cause issues.

Caveats

Some firmware versions have issues pulling LSCs. See the README for more information, but I'd be interested if you come across non-working firmware versions so that I can document accordingly.

The script does very limited error checking. Ensure that you read the documentation before running so that you understand correct operation before executing.

Procedure

1. Copy securecme.tcl to router.

2. Configure the following parameters:

conf t

event manager directory user policy "flash:/"

event manager policy securecme.tcl

event manager environment password <password key for CA/certs>

event manager session cli username <aaa-username>

======> Password key must be 8+ characters and meet password requirements of IOS CA.

======> The last line is only necessary if AAA is running. Specific a user with rights

to run show commands. A password does not need to be specified for the user.

Sample Configuration:

event manager directory user policy "flash:/"

event manager policy securecme.tcl

event manager environment password cisco123

event manager session cli username sholl

3. Ensure that time is correct on the router and phones:

Router clock is set properly before executing script; verify with 'sh clock'
Router clock timezone is set properly before executing script; verify with 'sh run | i timezone'
CME Time-zone is set properly before executing script; verify with 'sh telephony-s | i time'

4. Ensure that ip domain-name has been defined.

5. Ensure that phones do not have a CTL or LSC already installed. If so, factory reset those phones before running script.

6. Ensure that phone is running recent firmware and has the the 'type' defined under the ephone. Some firmware has issues with LSC provisioning. See the README for more information on this.

7. Save configuration before running script. If script's secure CME provisioning is unsuccessful, simply reload the router (and delete the CTL files off each phone, if applicable).

8. Type 'securecme' in exec mode to run the script.

89 Observe 'sh log | i ---' to observe output. System wide messages will print at start and finish of script.

10. If provisioning is not successful and script needs to be re-run, reload router before re-running to clear out partially provisioning security settings. Clear CTL/LSC from phones (if applicable).

Assumptions Made

CME is already configured, and phones are registered unencrypted. Ensure phones are configured with the 'type' command under each ephone.
Router is running a featureset which supports Secure CME (securityk9+uck9 or advipservicesk9 or adventerprisek9)
Router may need to have a UC and security feature license activated:
- CUBE2(config)#license boot module c3900e technology-package ?
  - datak9 data technology
  - securityk9 security technology
  - uck9 unified communications technology
- CUBE2(config)#license accept end user agreement ?

Router clock is set properly before executing script; verify with 'sh clock'
Router clock timezone is set properly before executing script; verify with 'sh run | i timezone'
CME Time-zone is set properly before executing script; verify with 'sh telephony-s | i time'
'password' is defined in the EEM configuration as a 8+ character password and meets the specifications of IOS CA requirements.
Script has not been previously run on this device (previous partial configuration of CA, trustpoints, CTL, etc. will probably create conflicts.)
The device is currently not configured with IOS CA, nor with a self-signed certificate. (i.e. Run this on a clean normal non-secure CME configuration).
Phones do not currently have a CTL or LSC on them before running the script. Factory reset the phone if you are unsure of the presence of such. (Hold #, plug in cable, wait for lights to blink, hit 123456789*0#).
Phones are running recent firmware. Testing of script was successful on 15.2(2)T with multiple phone models, running 9.1.1SR1 (newer phones) and 8.1.2 (7960).

Downloading the script

See the securecmeTCL.zip file attached to the bottom of this post.

The current version is v1.4 - 1/13/2011.

Troubleshooting

Please read the README and the TCL header before running the script to avoid incorrect operation.

One can observe the logging buffer output for current status of script. Run 'debug event manager all' during script operation for details on what the script is doing.

If you run into issues with the script for which you would like me to take a look at, I will require the following information:

Output of the following information before running script:
1. sh run
2. sh ephone ph
3. sh clock
'debug event manager all' enabled before running script, with 'logging buffered 10000000 7' set.
Output of the following after script is run:
1. sh log
2. sh run
3. sh capf-server sum
4. sh ctl-client
5. sh telephony-service tftp
6. sh ephone reg

Leonardo Oliveira · ‎01-11-2012

WoW !!! Great !!!

I´m having problems with Secure CME of a customer, this script will be very usefully. I will test and post the results here asap.

Thank you Steven.

Leonardo Santana · ‎01-12-2012

Very good documentation....

Muthurani Lavanya Paneerselvam · ‎01-16-2012

Steven, Thanks for sharing.. Very useful !

Leonardo Oliveira · ‎02-15-2012

Hi Steven,

I performed a test in my environment and this TCL worked fine !!! .... good bless you !!!!!!!

There is my lab:

2901 with uc+k9 license

7961 : 9-2-3S

7975 : 9-0-2S

One last doubt:

What steps I need to do to add a new IP Phone in this enviroment with cripto enabled ?

Can you help us a little bit more ?

Thank you very much !!!

Steven Holl · ‎02-15-2012

Leonardo: Glad the script worked for you.

To add another phone, you will need to manually configure the ephone, configure it for 'device-security-mode none,' and let the phone register unencrypted. The phone should have a CTL file at this point. Once the phone is registered, add 'cert-oper upgrade null-string' to the ephone, and reset the ephone again. It should reboot, query for the LSC from CAPF, and then register again, with a LSC (still unencrypted phone at this point). Now, set 'device-security-mode encrypted' and reset a final time, and the phone will be encrypted.

Technically you should be able to combine the 'cert-oper upgrade' and 'device-security-mode encrypted' commands to a single step and it will pull the LSC from the bootloader before it registers, but I prefer to split it up for troubleshooting sake so that I know what step is having issues if the phone doesn't register.

Leonardo Oliveira · ‎02-16-2012

Hi Steven,

Worked perfectly .... thank you !!!

Congratulations for this work.

crystalcross · ‎03-08-2012

Steven,

Thanks for the script this saved us for an install we had to do, you don't how long we worked at getting the certs to work with the phones. I plan on running this script again for another installation right now I have everything setup but wanted to know if i run this scirpt successfully but need to upgrade my flash on the router do you believe this will cause any problems and what should i look for to move any files that were saved to flash for secure cme.

warquezho0612 · ‎01-29-2013

HI Steven,

I use your script and was successful with the encryption of pre registered ip phones (7962 and 7972). But when I was adding a new ip phone (7942 and 7960) after running the script using your comment to Leonardo, it was not successfull, the initial boot didn't get the CTL file, the second boot the LSC is not installed, am I missing something?

Holbrook Bunting · ‎04-26-2013

Hi, I'm hoping the author of this is still around.

I had a go at running your script and it seems the only phone to work with this is my 7921. I also have a 7912, 7941 and a 7970 of which I get the following output from debug ephone reg:

Apr 27 04:34:46.937: ephone-1[0/3][SEP0024C4FE1617]:SEP0024C4FE1617: Registering Device (security 0) Mismatch the ephone configuration (mode 3) the CME: reject registration

Apr 27 04:34:46.937: Skinny register (phones=3/4/21) REJECT from IP 10.0.4.103

and on the phone itself it says:

Registration Rejected: Max Phones Exceeded.

The phones are using firmware version 9-1-1TH1-16

I'm hoping when you mentioned version 'adventerprisek9' you are not referring to the cucme version 9.0+

as I am running 8.6 on a 2801.

The ios version is: c2801-adventerprisek9-mz.151-4.M4

If you need further information let me know.

Thanks!

Steven Holl · ‎04-28-2013

adventerprisek9 is the feature set, and doesn't refer to a version.

I tested this on multiple phone types in my lab when I wrote the script. I'd suggest that you look at these debugs during run of the script:

debug ephone register

debug tftp events

debug event manager all

That should show you what is occurring and why there is a deviation in behavior between phone models.

Based on the error it sounds like the phones never got the secure config and are trying to register unsecurely. Is there a signed config in the phone? Since a phone is working, the config is likely right, and try these steps to get one of the other phones registered:

1. Factory reset the phone.

2. Manually configure the ephone in CME; configure it for 'device-security-mode none,' and let the phone register unencrypted. The phone should have a CTL file at this point.

3. Once the phone is registered, add 'cert-oper upgrade null-string' to the ephone, and reset the ephone again. It should reboot, query for the LSC from CAPF, and then register again, with a LSC (still unencrypted phone at this point).

4. Now, set 'device-security-mode encrypted' and reset a final time, and the phone will be encrypted.

I'm not in a position at this point in time to help with troubleshooting your issue and/or if there is a problem with the script, but if anyone does find an error and would like me to update the script with a correction, I'd be glad to do such.

Holbrook Bunting · ‎04-29-2013

On the 7970, under Security Configuration it states both MIC and LSC are installed,

under Trust List, has the CTL file, ITL File not installed. Here is the debug output:

thor(config-ephone)#rest

restarting 0024.C4FE.1617

thor(config-ephone)#

Apr 29 09:08:22.335: cli_history_entry_add: free_hist_list size=0, hist_list size=7

Apr 29 09:08:22.335: check_eem_cli_policy_handler: command_string=device-security-mode encrypted

Apr 29 09:08:22.335: check_eem_cli_policy_handler: num_matches = 0, response_code = 1

Apr 29 09:08:23.471: cli_history_entry_add: free_hist_list size=0, hist_list size=7

Apr 29 09:08:23.471: check_eem_cli_policy_handler: command_string=restart

Apr 29 09:08:23.471: check_eem_cli_policy_handler: num_matches = 0, response_code = 1

Apr 29 09:08:23.787: ephone-1[0/2][SEP0024C4FE1617]:Reset sent to phone on socket [2]

Apr 29 09:08:23.787: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.787: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.787: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.787: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.927: ephone-1[0/2]:UnregisterMessage after Reset/Restart sent

Apr 29 09:08:23.931: ephone-1[0/2][SEP0024C4FE1617]:Phone Unregistered on socket [2] SEP0024C4FE1617

Apr 29 09:08:23.931: ephone-1[0/2]:UnregisterAck sent on socket [2] (3/4/21)

Apr 29 09:08:23.931: %IPPHONE-6-UNREGISTER_NORMAL: ephone-1:SEP0024C4FE1617 IP:10.0.4.103 Socket:2 DeviceType:Phone has unregistered normally.