01-10-2012 10:51 AM - edited 03-12-2019 09:42 AM
I wrote a TCL script to completely automate the secure CME configuration. The configuration of secure CME is quite complex, requiring around 60 lines of configuration. This should alleviate the current pain points with the secure CME configuration.
Purpose
The configuration of secure CME is quite intensive, and there are several commands which require configuration in a specific sequence, some of which won't even show up in the final configuration. The purpose of this script is to alleviate the burden for customers to configure secure CME by completely automating the entire secure CME configuration procedure.
Requirements
Caveats
Some firmware versions have issues pulling LSCs. See the README for more information, but I'd be interested if you come across non-working firmware versions so that I can document accordingly.
The script does very limited error checking. Ensure that you read the documentation before running so that you understand correct operation before executing.
Procedure
1. Copy securecme.tcl to router.
2. Configure the following parameters:
conf t
event manager directory user policy "flash:/"
event manager policy securecme.tcl
event manager environment password <password key for CA/certs>
event manager session cli username <aaa-username>
======> Password key must be 8+ characters and meet password requirements of IOS CA.
======> The last line is only necessary if AAA is running. Specify a user with rights
to run show commands. A password does not need to be specified for the user.
Sample Configuration:
event manager directory user policy "flash:/"
event manager policy securecme.tcl
event manager environment password cisco123
event manager session cli username sholl
3. Ensure that time is correct on the router and phones:
4. Ensure that ip domain-name has been defined.
5. Ensure that phones do not have a CTL or LSC already installed. If so, factory reset those phones before running script.
6. Ensure that the phone is running recent firmware and has the 'type' defined under the ephone. Some firmware has issues with LSC provisioning. See the README for more information on this.
7. Save the configuration before running the script. If the script's secure CME provisioning is unsuccessful, simply reload the router (and delete the CTL files off each phone, if applicable).
8. Type 'securecme' in exec mode to run the script.
9. Observe 'sh log | i ---' to observe output. System-wide messages will print at the start and finish of the script.
10. If provisioning is not successful and the script needs to be re-run, reload the router before re-running to clear out partially provisioned security settings. Clear the CTL/LSC from phones (if applicable).
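Because the script does very limited error checking, it helps to verify the prerequisites in steps 2 to 6 against the saved configuration before typing 'securecme'. The following Python script is an added example, not part of the original post or of securecme.tcl: it parses a running-config and reports which prerequisites are missing. The sample config, the function names and the rule that an 'ntp server' line stands in for "time is correct" are this example's own assumptions.

```python
"""Pre-flight checker for the secure CME EEM script prerequisites.

Added example, not part of the original post or the securecme.tcl script.
It parses a saved IOS running-config (a constructed sample is embedded
below) and reports which of the post's prerequisites are missing before
'securecme' is run. The command names are taken from the post; the checks
themselves are this example's own assumptions.
"""
import re

# Constructed sample config, not taken from a real router.
SAMPLE_CONFIG = """\
hostname CME1
ip domain-name example.com
ntp server 192.0.2.10
event manager directory user policy "flash:/"
event manager policy securecme.tcl
event manager environment password cisco123
event manager session cli username sholl
ephone 1
 mac-address 0024.142E.EEBE
 type 7945
ephone 2
 mac-address 0024.142E.EEBF
"""

EPHONE_HDR = re.compile(r"^ephone (\d+)\s*$")
ENV_PASSWORD = re.compile(r"^event manager environment password (.+)$")


def parse_ephones(config):
    """Return {ephone_tag: [sub-commands]} from the indented ephone blocks."""
    ephones = {}
    current = None
    for line in config.splitlines():
        m = EPHONE_HDR.match(line)
        if m:
            current = m.group(1)
            ephones[current] = []
        elif current is not None and line.startswith(" "):
            ephones[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return ephones


def check_secure_cme_prereqs(config, aaa_enabled=False):
    """Return a list of problem strings; an empty list means ready to run."""
    problems = []
    lines = [l.rstrip() for l in config.splitlines()]

    # Step 4: ip domain-name must be defined.
    if not any(l.startswith("ip domain-name ") for l in lines):
        problems.append("ip domain-name is not defined (step 4)")

    # Step 3: the post asks for correct time; assumption: an NTP server
    # is the usual way to get it, so its absence is flagged for review.
    if not any(l.startswith("ntp server ") for l in lines):
        problems.append("no ntp server configured; verify the clock manually (step 3)")

    # Step 2: the EEM policy registration lines from the post.
    for cmd in ('event manager directory user policy "flash:/"',
                "event manager policy securecme.tcl"):
        if cmd not in lines:
            problems.append(f"missing: {cmd} (step 2)")

    # Step 2: password key must be 8+ characters.
    pw = next((m.group(1) for l in lines if (m := ENV_PASSWORD.match(l))), None)
    if pw is None:
        problems.append("event manager environment password not set (step 2)")
    elif len(pw) < 8:
        problems.append("password key shorter than 8 characters (step 2)")

    # Step 2: the session username is only required when AAA is running.
    if aaa_enabled and not any(
            l.startswith("event manager session cli username ") for l in lines):
        problems.append("AAA is enabled but no event manager session cli username (step 2)")

    # Step 6: every ephone needs a 'type'.
    for tag, sub in parse_ephones(config).items():
        if not any(s.startswith("type ") for s in sub):
            problems.append(f"ephone {tag} has no 'type' configured (step 6)")

    return problems


if __name__ == "__main__":
    for p in check_secure_cme_prereqs(SAMPLE_CONFIG) or ["all checks passed"]:
        print(p)
```

Run it against the output of 'show running-config' saved to a file; on the embedded sample it flags only ephone 2, which has no 'type' line.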
Assumptions Made
datak9 data technology
securityk9 security technology
uck9 unified communications technology
CUBE2(config)#license accept end user agreement ?
Downloading the script
See the securecmeTCL.zip file attached to the bottom of this post.
The current version is v1.4 - 1/13/2011.
Troubleshooting
Please read the README and the TCL header before running the script to avoid incorrect operation.
One can observe the logging buffer output for current status of script. Run 'debug event manager all' during script operation for details on what the script is doing.
If you run into issues with the script that you would like me to take a look at, I will require the following information:
Hello,
After running the script, does anybody have the same issue?
TFTP: Looking for CTLSEP0024142EEEBE.tlv
Opened flash:/CTLFile.tlv, fd 0, size 3774 for process 107
Finished flash:/CTLFile.tlv, time 00:00:00 for process 107
Looking for ITLSEP0024142EEEBE.tlv
Looking for ITLFile.tlv
Looking for SEP0024142EEEBE.cnf.xml.sgn
Opened flash:/its/vrf1/SEP0024142EEEBE.cnf.xml.sgn, fd 0, size 1570 for process 107
Finished flash:/its/vrf1/SEP0024142EEEBE.cnf.xml.sgn, time 00:00:00 for process 107
Looking for English_United_States/mk-sccp.jar.sgn
Looking for United_States/g3-tones.xml.sgn
New Skinny socket accepted [2] from 1, sub 1 (0 active)
sin_family 2, sin_port 51949, in_addr 192.168.155.101
add_skinny_secure_socket: pid =107, new_sock=0, ip address = 192.168.155.101
skinny_secure_handshake: pid =107, sock=0, args->pid=107, ip address = 192.168.155.101
Start TLS Handshake 0 192.168.155.101 51949
TLS Handshake retcode OPSSLReadWouldBlockErr
TLS Handshake retcode OPSSLReadWouldBlockErr
TLS Handshake retcode OPSSLReadWouldBlockErr
TLS Handshake retcode OPSSLReadWouldBlockErr
TLS Handshake error -6992
TLS context configuration FAILED for 0 192.168.155.101 51949
PS: I used other versions of CME, such as 4.1, 7.1, 8.6 on 2800 series routers with phones 7940, 7941, 7945 with different firmware 8-3-3, 8-3-5, 9-2-3, 9-3-1.
Thanks
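To make output like the above easier to read when several phones are registering, here is an added example (not from the thread or from the script) that groups such debug lines by phone: it records whether each CTLSEP<MAC>.tlv request was followed by the CTL file being opened, and whether each TLS handshake logged a failure. The sample lines are constructed in the same shape as the posted output and are not a real capture; the message patterns matched are the ones visible in the post, and the grouping logic is this example's own assumption.

```python
"""Summarise secure SCCP (skinny) TLS debug output per phone.

Added example, not part of the original thread or of securecme.tcl.
It scans debug lines in the shape posted above and reports, per phone,
whether the CTL file was opened after the phone asked for it and whether
the TLS handshake for each phone socket logged a failure.
"""
import re

# Constructed sample in the shape of the posted output; not a real capture.
SAMPLE_LOG = """\
TFTP: Looking for CTLSEP0024142EEEBE.tlv
Opened flash:/CTLFile.tlv, fd 0, size 3774 for process 107
Finished flash:/CTLFile.tlv, time 00:00:00 for process 107
Looking for ITLSEP0024142EEEBE.tlv
New Skinny socket accepted [2] from 1, sub 1 (0 active)
sin_family 2, sin_port 51949, in_addr 192.168.155.101
Start TLS Handshake 0 192.168.155.101 51949
TLS Handshake retcode OPSSLReadWouldBlockErr
TLS Handshake retcode OPSSLReadWouldBlockErr
TLS Handshake error -6992
TLS context configuration FAILED for 0 192.168.155.101 51949
TFTP: Looking for CTLSEP0024142EEEBF.tlv
Looking for ITLSEP0024142EEEBF.tlv
Start TLS Handshake 1 192.168.155.102 50001
TLS Handshake retcode OPSSLReadWouldBlockErr
"""

CTL_REQ = re.compile(r"Looking for CTLSEP([0-9A-F]{12})\.tlv")
CTL_OPEN = re.compile(r"Opened flash:/CTLFile\.tlv")
HS_START = re.compile(r"Start TLS Handshake (\d+) (\S+) (\d+)")
HS_ERR = re.compile(r"TLS Handshake error (-?\d+)")
HS_FAIL = re.compile(r"TLS context configuration FAILED for (\d+) (\S+) (\d+)")


def summarize_secure_sccp(log):
    """Return (ctl_served, handshakes).

    ctl_served: {phone MAC: True if CTLFile.tlv was opened after the request}
    handshakes: {(ip, port): status string}
    """
    ctl_served = {}
    handshakes = {}
    last_mac = None   # phone whose CTL request was seen most recently
    last_err = None   # last 'TLS Handshake error' code, attached to the next FAILED line
    for line in log.splitlines():
        if m := CTL_REQ.search(line):
            last_mac = m.group(1)
            ctl_served[last_mac] = False
        elif CTL_OPEN.search(line) and last_mac is not None:
            ctl_served[last_mac] = True
        elif m := HS_START.search(line):
            handshakes[(m.group(2), int(m.group(3)))] = "no failure logged"
            last_err = None
        elif m := HS_ERR.search(line):
            last_err = m.group(1)
        elif m := HS_FAIL.search(line):
            key = (m.group(2), int(m.group(3)))
            handshakes[key] = f"failed (error {last_err})" if last_err else "failed"
    return ctl_served, handshakes


if __name__ == "__main__":
    ctl, hs = summarize_secure_sccp(SAMPLE_LOG)
    for mac, served in ctl.items():
        print(f"SEP{mac}: CTL served={served}")
    for (ip, port), status in hs.items():
        print(f"{ip}:{port}: {status}")
```

The distinction the summary draws is the one worth having when reading 'sh log' after the script runs: a phone can be served its CTL file over TFTP and still fail the TLS handshake, which is exactly the sequence in the posted output.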
beastyellow, did you get success with it?
I am also facing the same problem: no CTL file is generated for the phone, and it never installs the CTL.
Good day,
I tried the script and it works fine for the primary CME, but today when the router failed and restarted, the phones did not register at the secondary CME as they did before. I tried to install the same script on the secondary router, but got the same result.
Do you have any suggestions?
Thank you
Marwan, I never built in support for a secondary CME server--it only looks for and grabs the primary CME IP. It's been a while since I've looked at this script, but I think you may just need to get the secondary CME IP in the CTL file for it to work with a secondary server. Try editing Step 6a in the script to include the commands to list a secondary hardcoded cme & tftp server IP and see how it fares.
Thanks for your suggestion, but frankly it also failed to register on the secondary CME.
Anyway, your script is perfect; I hope you have more good scripts like this to share with us,
mainly if you have tried before a script to limit call duration on CME.
Thank you , best regards