• Introduction
• Prerequisites
• Components Used
• Network Diagram
• Configurations
• CAPF Service
• Mixed Mode
• Create Device Security Profiles, Setup The Devices CAPF Configuration, Restart Services
• Verify The Device Has An LSC
• Apply The Device Security Profile
• Troubleshooting
• Low level Troubleshooting
• Troubleshooting With PCAPs, Traces, and Logs
• Miscellaneous Information

 

-------------

Please rate helpful content (i.e. videos, documents, comments). Also, please select the correct answer(s) if any comment(s) answer your question otherwise the questions remains on the support forums as unanswered.

-------------

Introduction

In order to have encrypted media or secure signaling you will need to install an LSC onto the device you are going to be using. In this case I will be using Jabber and the point of this document is to cover how one gets the LSC onto their Jabber client.

Prerequisites

 

1. Have CUCM integrated with IM&P to the point the Jabber can make phone calls
2. Have the Jabber client on the domain.

On a windows 7 computer this can be checked by going to 
start > right click on computer

Look for the section titled "Computer name, domain, and workgroup settings" 
If the computer is not on the domain, click change settings and get the 
computer on the domain.

Components Used

A lot of information in this guide will be software, and software version, specific.

    Windows 7 Virtual Machine (where Jabber is hosted)

14.48.38.17

    CUCM: 10.5.2.11900-3

Publisher: 14.48.38.5
Sub1: 14.48.38.6
Sub2: 14.48.38.7

    IM&P: 10.5.2.21900-4

Primary: 14.48.38.8
Secondary: 14.48.38.9

    Jabber: 10.6.4 build 63238

    Windows Server 2008 R2

Network Diagram

Windows 7 VM at 14.48.38.17 /24 ---> CUCM 14.48.38.5 /24

 The Jabber client and the CUCM are on the same network with no firewalls or connectivity issues.

 

The windows 7 VM and the CUCM cluster are on the same network 14.48.38.0 /24.

It is important to know the topology because you may have Expressway 
or maybe a firewall in the path which may, or may not, cause issues. If you are
experiencing issues, one of the best things you can do is simplify the path between
the Jabber client and the CUCM.

Configurations

CAPF Service

 

Ensure the Cisco Certificate Authority Proxy (CAPF) service in Cisco Unified Serviceability is activated (need to veryify on the publisher only)

Mixed Mode

 

Set CUCM into Mixed mode
      1: Go under you enterprise parameters to see if the cluster is in mixed mode. 0 means it isn't 1 means it is.

 

      1a: If the CUCM is not in mixed-mode, Go into the CLI of the Publisher and set the cluster into mixed-mode        

 

admin:utils ctl set-cluster mixed-mode
This operation will set the cluster to Mixed mode. Do you want to continue? (y/n):

Moving Cluster to Mixed Mode
Cluster set to Mixed Mode
Please Restart the TFTP and Cisco CallManager services on all nodes in the cluster that run these services
admin:

 

1b: If you just now moved to mixed-mode you will need to restart the callmanager, tftp, and CAPF services. These are all under the tools > conftrol center - feature services in the serviceability web page

 

Create Device Security Profiles, Setup The Devices CAPF Configuration, Restart Services

 

Step 1	Ensure the Cisco CTL Provider service in Cisco Unified Serviceability is activated Be sure to activate the Cisco CTL Provider service on each Cisco Unified Communications Manager server in the cluster. Tip    If you activated this service prior to a Cisco Unified Communications Manager upgrade, you do not need to activate the service again. The service automatically activates after the upgrade.
Step 2	Ensure the Cisco Certificate Authority Proxy service in Cisco Unified Serviceability is activated (on the publisher only) to install, upgrade, troubleshoot, or delete locally significant certificates. Timesaver    Performing this task before you configure the Cisco CTL client (utils ctl set-cluster mixed-mode) ensures that you do not have to update the CTL file to use CAPF.
Step 3	Configure the phone security profiles by going to system > security > phone security profile > add new Tip    You can select a non secure profile from the list of available profiles, copy it, tweak it to be secure, then save the new profile.   Perform the following tasks when you configure the profiles:   Configure the device security mode. Tip    The device security mode migrates automatically during the Cisco Unified Communications Manager upgrade. If you want to configure encryption for devices that only supported authentication in a prior release, you must choose a security profile for encryption in the Phone Configuration window. Configure CAPF settings (for some phones that are running SCCP and SIP). If you plan to use digest authentication for phones that are running SIP, check the Enable Digest Authentication check box. To enable encrypted configuration files (for some phones that are running SCCP and SIP), check the Encrypted Confide check box. To exclude digest credentials in configuration file downloads, check the Exclude Digest Credential in Configuration File check box.
Step 4	Configure the CAPF settings on the devices configuration page.   Make sure the phone has a non-secure Device Security Profile on device's configuration window Specify the CAPF settings Set it to install/upgrade Set the date to be a future date Set all other information to match what you configured for the Device Security Profile Save the configurations and click the reset button
Step 5	If you've logged into Jabber before, completely exit/quit Jabber  (Don't just sign out. Sign out, then click exit or quit), and clear the Jabber cache on the Jabber client.

 

 

 

 

Verify The Device Has An LSC

 

Check the CAPF operation state un CUCM CSF configuration page (add screenshot)
Only the thumbprint of the LSC will be found in the jabber directories:

C:\Users\pkinane\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates

 

 

 

NOTE: The AppData folder is hidden so you can get to it by typing %appdata% into the Windows Explorer directory bar and hitting enter. You can also configure the laptop to show hidden files.

 

 

To see the actual cert you need to go to start > run > certmgr.msc > personal > certificates. The "Issued To" section should match the device name in CUCM.

 

 

 

 

 

Apply The Device Security Profile

 

Apply the phone security profile(s) to the device(s) by going to device > phone > select a device > and update the dropdown for Device Security Profile

If the LSC is on Jabber, and you have the encrytped Device Security Profile, you can can call another device that has an LSC and an encrypted Device Security Profile and you should see a lock on the Jabber popup for the call. This lock indicates that the call is using SRTP (encryption).

 

 

 

 

 

 

 

Troubleshooting

Low level Troubleshooting

NOTE: Before going through all of the troubleshooting steps, confirm there is no expressway or firewall in the path, and that the computer where Jabber is installed isn't using a VPN connection. If there is any of the previously mentioned things in the path, it will help your troubleshooting to make the path as simplistic as possible. You can reference my topology that was listed near the beginning of this document.

 

• Completely exit/quit Jabber (Don't just sign out. Sign out, then click exit or quit)

 

 

 

• Clear the Jabber cache. To do this, go to these two directories and delete the Jabber folder

1. C:\Users\pkinane\AppData\Roaming\Cisco\Unified Communications
2. C:\Users\pkinane\AppData\Local\Cisco\Unified Communications

Each time you login to Jabber and the LSC isn't delivered, you should clear the cache, make whatever changes you think are appropriate, then try to login again and see if Jabber has the LSC. If not, clear the cache again. This helps make sure Jabber goes through a complete initial registration process.

 

• Try with a null string
  

• Try getting the LSC on a Cisco hard phone

    (if this is successful, we know CUCM isn't having issues)

 

• If you are able to get the LSC on the hard phone, try getting it on Jabber using a MAC computer

    NOTE: Be sure to clear the Jabber cache on the MAC
    NOTE: Be sure to use the same login information you were trying earlier on the Windows machine.

 

 

• Go to one of the pc's that can't obtain an LSC and try using someone else's login credentials if they successfully got an LSC on their PC (if this works, there might be a configuration difference between the CSF devices for each user)

Troubleshooting With PCAPs, Traces, and Logs

• Required PCAP: From the jabber client, CUCM publisher (the pub is the CAPF server)
  

• Possibly useful PCAPs: From the subscribers and the IM&P nodes

• Jabber Log

• Traces from the CUCM server (all should be set to detailed): CallManager, CAPF, TFTP, Packet Capture Logs (this gathers the pcaps that are created from the CLI), and the event viewer application and event viewer sys logs.
  

What you see in the CAPF traces from CUCM for a successful CAPF operation

 

##### Here we see the type of trace, the cluster ID which is set to the default on this cluster, the FQDN of the node, the trace level configuration which is detailed, and the full version of CUCM
14:21:00.812 HDR|10/07/2015 CAPF,StandAloneCluster,pub1052.pkinane.lab,Detailed,10.5.2.11900-3


##### Here we see some information about the CAPF port and CAPF Service parameters
14:21:01.037 |   CServiceParameters::Init() Obtained CAPFPhonePort (3804) from DB.
14:21:01.037 |   CServiceParameters::Init() CAPF Service Parameters:
14:21:01.037 |   CServiceParameters::Init() Certificate Valid For=5 years
14:21:01.037 |   CServiceParameters::Init() Key Gen Timer=30
14:21:01.037 |   CServiceParameters::Init() Key Gen Max Retries=3
14:21:01.037 |   CServiceParameters::Init() Key Size=1024:2
14:21:01.037 |   CServiceParameters::Init() Certificate Generation Method=CAPF:1
14:21:01.037 |   CServiceParameters::Init() Get Enterprise IPv6 mode 
14:21:01.037 |   CServiceParameters::Init() select * from processconfig where paramname='EnableIPV6'
14:21:01.038 |   CServiceParameters::Init() Obtained EnableIPv6 (F) from DB:
14:21:01.038 |   CServiceParameters::Init() Obtained IPv6 mode (0) from DB.
14:21:01.038 |   CServiceParameters::Init() Reading CAPF Service Parameters done
14:21:01.038 |<--CServiceParameters::Init() 
14:21:01.039 |-->debug 
14:21:01.039 |   debug phone port is 3804
14:21:01.039 |<--debug 
14:21:01.254 |-->debug 
14:21:01.254 |   debug port 3804 has been enabled
14:21:01.254 |<--debug 
14:21:01.254 |-->debug 
14:21:01.254 |   debug Phone Certificate Generation Method=CAPF_CERT_GEN_LOCALLY_BY_CAPF
14:21:01.254 |<--debug 
14:21:01.254 |-->debug 
14:21:01.254 |   debug ca type is 0
14:21:01.254 |<--debug 
14:21:01.254 |-->debug 
14:21:01.254 |   debug  JurisdictionID is 
14:21:01.254 |<--debug 
14:21:01.254 |-->debug 
14:21:01.254 |   debug capfKeySize is 1024
14:21:01.254 |<--debug 
14:21:01.254 |-->debug 
14:21:01.254 |   debug CA Address is :446
14:21:01.254 |<--debug 
14:21:01.254 |-->debug 
14:21:01.254 |   debug keygen retry is 3
14:21:01.254 |<--debug 
14:21:01.254 |-->debug 
14:21:01.254 |   debug keygen timer is 1800000




##### CAPF has created a socket and is ready for communication with devices.
14:21:01.387 |   debug Socket 0x0000000f ready for connection with AF_INET family, on port 3804




##### CAPF received and accepted a connection on the socket that was recently created.
14:28:21.997 |   debug Accepted TCP connection from socket 0x0000000f
, fd = 7




##### Here we see the new phone connection and the IP address that is creating the connection.
14:28:21.997 |   debug 2:UNKNOWN:Got a new ph conn 14.48.38.17 on 7, Total Acc = 1..




##### SSL handshake is begining and we see some information about it here
14:28:22.507 |   debug capfSSLHandShakeNotify
14:28:22.507 |<--debug 
14:28:22.507 |-->debug 
14:28:22.507 |   debug 14.48.38.17: capfSSLHandShake Session ciphers - AES256-SHA




##### The TLS handshake is done
14:28:22.508 |   debug TLS HS Done for ph_conn .




##### We see the device ID followed by information about the device including the CAPF settings on the device's configuration page.
14:28:23.022 |   debug     Device Id             : CSFPKINANE 
14:28:23.022 |<--debug 
14:28:23.022 |-->debug 
14:28:23.022 |   debug 2:UNKNOWN:CAPF CORE: Rcvd Event: CAPF_EV_CAPF_AUTH_RES in State: CAPF_STATE_AWAIT_AUTH_RES
14:28:23.022 |<--debug 
14:28:23.022 |-->debug 
14:28:23.022 |   debug 2:CSFPKINANE:CSFPKINANE len 11
14:28:23.022 |<--debug 
14:28:23.022 |-->debug 
14:28:23.022 |   debug 2:CSFPKINANE:capfExcessiveAuthFail 0
14:28:23.022 |<--debug 
14:28:23.022 |-->Select(CSFPKINANE) 
14:28:23.313 |   Select(CSFPKINANE) device exists 
14:28:23.313 |   Select(CSFPKINANE) BEFORE DB query Authentication Mode=AUTH_BY_STR:1
14:28:23.313 |   Select(CSFPKINANE) KeySize=KEY_SIZE_2048:3
14:28:23.313 |   Select(CSFPKINANE) Operation=OPERATION_UPGRADE:2
14:28:23.313 |   Select(CSFPKINANE) Operation Status =CERT_STATUS_SCHEDULE:2
14:28:23.313 |   Select(CSFPKINANE) Authentication Mode=AUTH_BY_STR:1
14:28:23.313 |   Select(CSFPKINANE) Authentication String=1762628255
14:28:23.313 |   Select(CSFPKINANE) Operation Should Finish By=2015:10:17:12:00
14:28:23.313 |<--Select(CSFPKINANE) 
14:28:23.313 |-->debug 
14:28:23.313 |   debug 2:CSFPKINANE:keySize for id CSFPKINANE is 3
14:28:23.313 |<--debug 
14:28:23.314 |-->debug 
14:28:23.314 |   debug 2:CSFPKINANE:cert operation for id CSFPKINANE is 2 
14:28:23.314 |<--debug 
14:28:23.314 |-->debug 
14:28:23.314 |   debug 2:CSFPKINANE:auth string for id CSFPKINANE is 1762628255 
14:28:23.314 |<--debug 
14:28:23.314 |-->debug 
14:28:23.314 |   debug 2:CSFPKINANE:auth mode for id CSFPKINANE is 1 
14:28:23.314 |<--debug 
14:28:23.314 |-->debug 
14:28:23.314 |   debug 2:CSFPKINANE:status for id CSFPKINANE is 2 
14:28:23.314 |<--debug 
14:28:23.314 |-->CAPFDevice::IsOperationAllowed(CERT_STATUS_SCHEDULE) 
14:28:23.314 |   CAPFDevice::IsOperationAllowed(CERT_STATUS_SCHEDULE) IsOperationAllowed()=>yes
14:28:23.314 |<--CAPFDevice::IsOperationAllowed(CERT_STATUS_SCHEDULE) 
14:28:23.314 |-->debug 
14:28:23.314 |   debug 2:CSFPKINANE:op allowed for id CSFPKINANE is 1 
14:28:23.314 |<--debug 
14:28:23.314 |-->Select(CSFPKINANE) 
14:28:23.316 |   Select(CSFPKINANE) device exists 
14:28:23.316 |   Select(CSFPKINANE) BEFORE DB query Authentication Mode=AUTH_BY_STR:1
14:28:23.316 |   Select(CSFPKINANE) KeySize=KEY_SIZE_2048:3
14:28:23.316 |   Select(CSFPKINANE) Operation=OPERATION_UPGRADE:2
14:28:23.316 |   Select(CSFPKINANE) Operation Status =CERT_STATUS_SCHEDULE:2
14:28:23.316 |   Select(CSFPKINANE) Authentication Mode=AUTH_BY_STR:1
14:28:23.316 |   Select(CSFPKINANE) Authentication String=1762628255
14:28:23.316 |   Select(CSFPKINANE) Operation Should Finish By=2015:10:17:12:00
14:28:23.316 |<--Select(CSFPKINANE) 
14:28:23.316 |-->debug 
14:28:23.316 |   debug 2:CSFPKINANE:upg finish time for id CSFPKINANE is 2015:10:17:12:00 




##### The CAPF operation is complete and we should now see an LSC for the device.
14:28:23.709 |   debug 2:CSFPKINANE:Certificate upgrade successful




##### CUCM is updating information in the database for this device
14:28:23.771 |   SetOperationStatus(Success:CAPF_OP_SUCCESS):0 sql query - (UPDATE Device SET tkCertificateOperation=1, tkcertificatestatus='3' WHERE my_lower(name)=my_lower('CSFPKINANE'))





##### The operation for the device's configuration page is updated:
14:28:24.856 |   debug 2:CSFPKINANE:pubKey length: 270
14:28:24.856 |<--debug 
14:28:24.856 |-->Select(CSFPKINANE) 
14:28:24.861 |   Select(CSFPKINANE) device exists 
14:28:24.861 |   Select(CSFPKINANE) BEFORE DB query Authentication Mode=AUTH_BY_STR:1
14:28:24.861 |   Select(CSFPKINANE) KeySize=KEY_SIZE_2048:3
14:28:24.861 |   Select(CSFPKINANE) Operation=OPERATION_NONE:1
14:28:24.861 |   Select(CSFPKINANE) Operation Status =CERT_STATUS_UPGRADE_SUCCESS:3
14:28:24.861 |   Select(CSFPKINANE) Authentication Mode=AUTH_BY_STR:1
14:28:24.861 |   Select(CSFPKINANE) Authentication String=1762628255
14:28:24.861 |   Select(CSFPKINANE) Operation Should Finish By=2015:10:17:12:00




##### CUCM updates it's database with the pub key of the certificate
14:28:24.862 |   debug 2:CSFPKINANE:keyAuthority: LSC
14:28:24.862 |<--debug 
14:28:24.862 |-->debug 
14:28:24.862 |   debug 2:CSFPKINANE:Encoding public key
14:28:24.862 |<--debug 
14:28:24.862 |-->debug 
14:28:24.862 |   debug capfEncodePublicKey()
14:28:24.862 |<--debug 
14:28:24.862 |-->debug 
14:28:24.862 |   debug Converted pubkey to base64
14:28:24.862 |<--debug 
14:28:24.862 |-->debug 
14:28:24.862 |   debug Returning openssl formatted pubkey from capfEncodePublicKey()
14:28:24.862 |<--debug 
14:28:24.862 |-->debug 
14:28:24.862 |   debug 2:CSFPKINANE:Saving pubkey in database
14:28:24.862 |<--debug 
14:28:24.862 |-->debug 
14:28:24.863 |   debug 2:CSFPKINANE:encoded pubkey:
{-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwGKQBSQlmU7vakShw0lPQ8tOXho+fBATyY2vf0IsH94AcuHlfP7w
Ou9IguWwvICqKwgHKIrsxn+xVi8B8Xo5N0mziVcTKvJMK5sFCYVoFlBKUV3fzh0d
d+gSZQ7ZDjEviGw7hTa9hlyJXFu60SWIsnuf+7+0AgqtyCLY7gEcXln0P7Tr043X
AT1TguQLZM3cTH/zujaM50LV34yGMM3YMEpGfcUI3kG+UfPzR2GuSEcw+yp5z3/g
q8Sq3kPlDD19zUPxXM8LAcUAherJmN+u6qy0Odj37akWMCc8PXhgaTgu/wWUHWeh
oz8zxWAMX+wOS/ePk8ogYiJXZhHouDl4/QIDAQAB
-----END RSA PUBLIC KEY-----}
14:28:24.863 |<--debug 
14:28:24.863 |-->SetPublicKey(-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwGKQBSQlmU7vakShw0lPQ 
14:28:24.863 |   SetPublicKey(-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwGKQBSQlmU7vakShw0lPQ pubkey length: 425
14:28:24.863 |   SetPublicKey(-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwGKQBSQlmU7vakShw0lPQ sql query - (UPDATE Device SET publickey='-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwGKQBSQlmU7vakShw0lPQ8tOXho+fBATyY2vf0IsH94AcuHlfP7w
Ou9IguWwvICqKwgHKIrsxn+xVi8B8Xo5N0mziVcTKvJMK5sFCYVoFlBKUV3fzh0d
d+gSZQ7ZDjEviGw7hTa9hlyJXFu60SWIsnuf+7+0AgqtyCLY7gEcXln0P7Tr043X
AT1TguQLZM3cTH/zujaM50LV34yGMM3YMEpGfcUI3kG+UfPzR2GuSEcw+yp5z3/g
q8Sq3kPlDD19zUPxXM8LAcUAherJmN+u6qy0Odj37akWMCc8PXhgaTgu/wWUHWeh
oz8zxWAMX+wOS/ePk8ogYiJXZhHouDl4/QIDAQAB
-----END RSA PUBLIC KEY-----',  tkkeyauthority='1' WHERE my_lower(name) = my_lower('CSFPKINANE'))
14:28:25.167 |<--SetPublicKey(-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwGKQBSQlmU7vakShw0lPQ 




##### The CAPF session is torn down
14:28:25.955 |-->debug 
14:28:25.955 |   debug 2:CSFPKINANE:capfReleaseSession: cause: 1
14:28:25.955 |<--debug 
14:28:25.955 |-->debug 
14:28:25.955 |   debug 2:CSFPKINANE:Sending END_SESSION msg
14:28:25.955 |<--debug 
14:28:25.955 |-->debug 
14:28:25.955 |   debug 2:CSFPKINANE:Sending END_SESSION msg
14:28:25.955 |<--debug 
14:28:25.955 |-->debug 
14:28:25.955 |   debug 
Decoded Phone Msg:
14:28:25.955 |<--debug 
14:28:25.955 |-->debug 
14:28:25.955 |   debug     Protocol Discriminator: 55
14:28:25.955 |<--debug 
14:28:25.955 |-->debug 
14:28:25.955 |   debug     MsgType               : CAPF_MSG_END_SESSION
14:28:25.955 |<--debug 
14:28:25.955 |-->debug 
14:28:25.955 |   debug     Session Id            : 2
14:28:25.955 |<--debug 
14:28:25.955 |-->debug 
14:28:25.955 |   debug     Length                : 4
14:28:25.955 |<--debug 
14:28:25.955 |-->debug 
14:28:25.955 |   debug     Reason                : 1

 

What you see in the Jabber log for a successful CAPF operation

 

##### Starting new instance of Jabber
2015-10-07 05:25:03,160 INFO  [0x000003f4] [\src\jabber-client\src\JabberApp.cpp(32)] [jabber-app] [start] - 
--------------------------------------------------
Starting new instance of Cisco Jabber
--------------------------------------------------




##### Config file doesn't exist: 
2015-10-07 05:25:03,206 DEBUG [0x000003f4] [ers\config\LocalFileConfigStore.cpp(272)] [LocalFileConfigStore] [LocalFileConfigStore::readFromFile] - Config file doesn't exist: C:\Users\pkinane\AppData\Roaming\Cisco\Unified Communications\Jabber\CSF\Config\jabberLocalConfig.xml





##### Jabber is requesting it's CTL
2015-10-07 05:26:01,359 INFO  [0x00000830] [etutils\src\http\CurlHttpUtils.cpp(1163)] [csf.httpclient] [http::CurlHttpUtils::configureEasyRequest] - *-----* Making HTTP request to: http://1sub1052.pkinane.lab:6970/CTLSEPCSFPKINANE.tlv [24]




##### Jabber recieves a 200 ok for the CTL file
2015-10-07 05:26:01,374 INFO  [0x00000830] [ls\src\http\BasicHttpClientImpl.cpp(410)] [csf.httpclient] [http::executeImpl] - *-----* HTTP response from: http://1sub1052.pkinane.lab:6970/CTLSEPCSFPKINANE.tlv [24] -> 200.




##### Jabber now has the CTL file
2015-10-07 05:26:01,376 INFO  [0x00000830] [src\config\ConfigRetriever.cpp(632)] [csf.ecc] [ecc::ConfigRetriever::retrieveAndProcessTLVFile] - Successfully retrieved file at URL: tftp://1sub1052.pkinane.lab/CTLSEPCSFPKINANE.tlv




##### The full config
2015-10-07 05:26:01,396 DEBUG [0x00000830] [src\config\ConfigRetriever.cpp(1007)] [csf.ecc] [ecc::ConfigRetriever::retrieveConfigFromLastServer] - Softphone Config XML: "<device  xsi:type="axl:XIPPhone" ctiid="68" uuid="{b2997500-b8ad-16a2-c8de-676a185804dd}">
<fullConfig>true</fullConfig>
<portalDefaultServer>pub1052.pkinane.lab</portalDefaultServer>
<deviceProtocol>SIP</deviceProtocol>
<sshUserId></sshUserId>
<sshPassword>********</sshPassword>
<ipAddressMode>0</ipAddressMode>
<allowAutoConfig>true</allowAutoConfig>
<dadEnable>true</dadEnable>
<redirectEnable>false</redirectEnable>
<echoMultiEnable>false</echoMultiEnable>
<ipPreferenceModeControl>0</ipPreferenceModeControl>
<ipMediaAddressFamilyPreference>0</ipMediaAddressFamilyPreference>
<tzdata>
<tzolsonversion>2014f</tzolsonversion>
<tzupdater>tzupdater.jar</tzupdater>
</tzdata>
<mlppDomainId>000000</mlppDomainId>
<mlppIndicationStatus>Off</mlppIndicationStatus>
<preemption>Disabled</preemption>
<executiveOverridePreemptable>false</executiveOverridePreemptable>
<devicePool  uuid="{a91a735d-cb62-e8a6-093f-05d14f8c21ad}">
<revertPriority>0</revertPriority>
<name>SJ_DP</name>
<dateTimeSetting  uuid="{9ec4850a-7748-11d3-bdf0-00108302ead1}">
<name>CMLocal</name>
<dateTemplate>M/D/Y</dateTemplate>
<timeZone>Greenwich Standard Time</timeZone>
<olsonTimeZone>Etc/GMT</olsonTimeZone>
</dateTimeSetting>
<callManagerGroup>
<name>SJ_CMG</name>
<tftpDefault>false</tftpDefault>
<members>
<member  priority="0">
<callManager>
<name>1sub1052.pkinane.lab</name>
<description>1sub1052</description>
<ports>
<ethernetPhonePort>2000</ethernetPhonePort>
<sipPort>5060</sipPort>
<securedSipPort>5061</securedSipPort>
<mgcpPorts>
<listen>2427</listen>
<keepAlive>2428</keepAlive>
</mgcpPorts>
</ports>
<processNodeName>1sub1052.pkinane.lab</processNodeName>
</callManager>
</member>
<member  priority="1">
<callManager>
<name>2sub1052.pkinane.lab</name>
<description>2sub1052</description>
<ports>
<ethernetPhonePort>2000</ethernetPhonePort>
<sipPort>5060</sipPort>
<securedSipPort>5061</securedSipPort>
<mgcpPorts>
<listen>2427</listen>
<keepAlive>2428</keepAlive>
</mgcpPorts>
</ports>
<processNodeName>2sub1052.pkinane.lab</processNodeName>
</callManager>
</member>
</members>
</callManagerGroup>
<srstInfo  uuid="{cd241e11-4a58-4d3d-9661-f06c912a18a3}">
<name>Disable</name>
<srstOption>Disable</srstOption>
<userModifiable>false</userModifiable>
<ipAddr1></ipAddr1>
<port1>2000</port1>
<ipAddr2></ipAddr2>
<port2>2000</port2>
<ipAddr3></ipAddr3>
<port3>2000</port3>
<sipIpAddr1></sipIpAddr1>
<sipPort1>5060</sipPort1>
<sipIpAddr2></sipIpAddr2>
<sipPort2>5060</sipPort2>
<sipIpAddr3></sipIpAddr3>
<sipPort3>5060</sipPort3>
<isSecure>false</isSecure>
</srstInfo>
<connectionMonitorDuration>120</connectionMonitorDuration>
</devicePool>
<sipProfile>
<sipProxies>
<backupProxy>USECALLMANAGER</backupProxy>
<backupProxyPort>5060</backupProxyPort>
<emergencyProxy>USECALLMANAGER</emergencyProxy>
<emergencyProxyPort>5060</emergencyProxyPort>
<outboundProxy>USECALLMANAGER</outboundProxy>
<outboundProxyPort>5060</outboundProxyPort>
<registerWithProxy>true</registerWithProxy>
</sipProxies>
<sipCallFeatures>
<cnfJoinEnabled>true</cnfJoinEnabled>
<callForwardURI>x-cisco-serviceuri-cfwdall</callForwardURI>
<callPickupURI>x-cisco-serviceuri-pickup</callPickupURI>
<callPickupListURI>x-cisco-serviceuri-opickup</callPickupListURI>
<callPickupGroupURI>x-cisco-serviceuri-gpickup</callPickupGroupURI>
<meetMeServiceURI>x-cisco-serviceuri-meetme</meetMeServiceURI>
<abbreviatedDialURI>x-cisco-serviceuri-abbrdial</abbreviatedDialURI>
<rfc2543Hold>false</rfc2543Hold>
<callHoldRingback>2</callHoldRingback>
<URIDialingDisplayPreference>1</URIDialingDisplayPreference>
<localCfwdEnable>true</localCfwdEnable>
<semiAttendedTransfer>true</semiAttendedTransfer>
<anonymousCallBlock>2</anonymousCallBlock>
<callerIdBlocking>2</callerIdBlocking>
<dndControl>0</dndControl>
<remoteCcEnable>true</remoteCcEnable>
<retainForwardInformation>false</retainForwardInformation>
</sipCallFeatures>
<sipStack>
<sipInviteRetx>6</sipInviteRetx>
<sipRetx>10</sipRetx>
<timerInviteExpires>180</timerInviteExpires>
<timerRegisterExpires>3600</timerRegisterExpires>
<timerRegisterDelta>5</timerRegisterDelta>
<timerKeepAliveExpires>120</timerKeepAliveExpires>
<timerSubscribeExpires>120</timerSubscribeExpires>
<timerSubscribeDelta>5</timerSubscribeDelta>
<timerT1>500</timerT1>
<timerT2>4000</timerT2>
<maxRedirects>70</maxRedirects>
<remotePartyID>true</remotePartyID>
<userInfo>None</userInfo>
</sipStack>
<autoAnswerTimer>1</autoAnswerTimer>
<autoAnswerAltBehavior>false</autoAnswerAltBehavior>
<autoAnswerOverride>true</autoAnswerOverride>
<transferOnhookEnabled>false</transferOnhookEnabled>
<enableVad>false</enableVad>
<preferredCodec>none</preferredCodec>
<dtmfAvtPayload>101</dtmfAvtPayload>
<dtmfDbLevel>3</dtmfDbLevel>
<dtmfOutofBand>avt</dtmfOutofBand>
<kpml>3</kpml>
<phoneLabel></phoneLabel>
<stutterMsgWaiting>2</stutterMsgWaiting>
<callStats>true</callStats>
<offhookToFirstDigitTimer>15000</offhookToFirstDigitTimer>
<T302Timer>15000</T302Timer>
<silentPeriodBetweenCallWaitingBursts>10</silentPeriodBetweenCallWaitingBursts>
<disableLocalSpeedDialConfig>true</disableLocalSpeedDialConfig>
<poundEndOfDial>false</poundEndOfDial>
<startMediaPort>16384</startMediaPort>
<stopMediaPort>32766</stopMediaPort>
<organizationTopLevelDomain></organizationTopLevelDomain>
<sipLines>
<line  button="1" lineIndex="1">
<featureID>9</featureID>
<featureLabel></featureLabel>
<proxy>USECALLMANAGER</proxy>
<port>5060</port>
<name>1003</name>
<displayName></displayName>
<autoAnswer>
<autoAnswerEnabled>2</autoAnswerEnabled>
</autoAnswer>
<callWaiting>3</callWaiting>
<sharedLine>true</sharedLine>
<messageWaitingLampPolicy>3</messageWaitingLampPolicy>
<messageWaitingAMWI>0</messageWaitingAMWI>
<messagesNumber>4000</messagesNumber>
<ringSettingIdle>4</ringSettingIdle>
<ringSettingActive>5</ringSettingActive>
<contact>70ae9c29-63e5-0b42-1e3b-66bcadde912b</contact>
<forwardCallInfoDisplay>
<callerName>true</callerName>
<callerNumber>false</callerNumber>
<redirectedNumber>false</redirectedNumber>
<dialedNumber>true</dialedNumber>
</forwardCallInfoDisplay>
<maxNumCalls>6</maxNumCalls>
<busyTrigger>2</busyTrigger>
</line>
</sipLines>
<externalNumberMask></externalNumberMask>
<voipControlPort>5060</voipControlPort>
<dscpForAudio  tcl="conversational.audio.aq:admitted">184</dscpForAudio>
<dscpForPriorityAudio>180</dscpForPriorityAudio>
<dscpForImmediateAudio>176</dscpForImmediateAudio>
<dscpForFlashAudio>164</dscpForFlashAudio>
<dscpForFlashOverrideAudio>168</dscpForFlashOverrideAudio>
<dscpForExecutiveOverrideAudio>168</dscpForExecutiveOverrideAudio>
<dscpForPriorityVideo>156</dscpForPriorityVideo>
<dscpForImmediateVideo>148</dscpForImmediateVideo>
<dscpForFlashVideo>140</dscpForFlashVideo>
<dscpForFlashOverrideVideo>132</dscpForFlashOverrideVideo>
<dscpForExecutiveOverrideVideo>132</dscpForExecutiveOverrideVideo>
<dscpVideo  tcl="conversational.video.avconf.aq:admitted">136</dscpVideo>
<dscpAudioForVideo  tcl="conversational.audio.avconf.aq:admitted">136</dscpAudioForVideo>
<dscpForTelepresence  tcl="conversational.video.immersive.aq:admitted">128</dscpForTelepresence>
<dscpAudioForTelepresence  tcl="conversational.audio.immersive.aq:admitted">128</dscpAudioForTelepresence>
<ringSettingBusyStationPolicy>0</ringSettingBusyStationPolicy>
<dialTemplate></dialTemplate>
<softKeyFile>SKb0ec918f-b9ee-994b-57ae-345883c1fde8.xml</softKeyFile>
<alwaysUsePrimeLine>false</alwaysUsePrimeLine>
<alwaysUsePrimeLineVoiceMail>false</alwaysUsePrimeLineVoiceMail>
</sipProfile>
<commonProfile>
<phonePassword>********</phonePassword>
<backgroundImageAccess>true</backgroundImageAccess>
<callLogBlfEnabled>2</callLogBlfEnabled>
</commonProfile>
<loadInformation></loadInformation>
<vendorConfig>
<ice></ice><instantMessaging></instantMessaging><desktopClient></desktopClient></vendorConfig>
<commonConfig>
<webAccess>0</webAccess><sshAccess>1</sshAccess><RingLocale>0</RingLocale><ice></ice><instantMessaging></instantMessaging><desktopClient></desktopClient></commonConfig>
<enterpriseConfig>
</enterpriseConfig>
<versionStamp>1444241936-349fbcb1-1f2d-45ab-8318-9d7347e7091e</versionStamp>
<userLocale>
<name>English_United_States</name>
<uid>1</uid>
<langCode>en_US</langCode>
<version>10.0.0.0(1)</version>
<winCharSet>iso-8859-1</winCharSet>
</userLocale>
<networkLocale>United_States</networkLocale>
<networkLocaleInfo>
<name>United_States</name>
<uid>64</uid>
<version>10.0.0.0(1)</version>
</networkLocaleInfo>
<deviceSecurityMode>3</deviceSecurityMode>
<dscpForSCCPPhoneConfig>96</dscpForSCCPPhoneConfig>
<dscpForSCCPPhoneServices>0</dscpForSCCPPhoneServices>
<dscpForCm2Dvce>96</dscpForCm2Dvce>
<transportLayerProtocol>3</transportLayerProtocol>
<dndCallAlert>5</dndCallAlert>
<phonePersonalization>0</phonePersonalization>
<rollover>0</rollover>
<singleButtonBarge>0</singleButtonBarge>
<joinAcrossLines>0</joinAcrossLines>
<autoCallPickupEnable>false</autoCallPickupEnable>
<blfAudibleAlertSettingOfIdleStation>0</blfAudibleAlertSettingOfIdleStation>
<blfAudibleAlertSettingOfBusyStation>0</blfAudibleAlertSettingOfBusyStation>
<capfAuthMode>1</capfAuthMode>
<capfList>
<capf>
<phonePort>3804</phonePort>
<processNodeName>pub1052.pkinane.lab</processNodeName>
</capf>
</capfList>
<certHash></certHash>
<encrConfig>false</encrConfig>
<advertiseG722Codec>1</advertiseG722Codec>
<mobility>
<handoffdn></handoffdn>
<dtmfdn></dtmfdn>
<ivrdn></ivrdn>
<dtmfHoldCode>*81</dtmfHoldCode>
<dtmfExclusiveHoldCode>*82</dtmfExclusiveHoldCode>
<dtmfResumeCode>*83</dtmfResumeCode>
<dtmfTxfCode>*84</dtmfTxfCode>
<dtmfCnfCode>*85</dtmfCnfCode>
</mobility>
<TLSResumptionTimer>3600</TLSResumptionTimer>
<userId  serviceProfileFile="SPb515cb06-4094-db74-0520-33b8235007c5.cnf.xml">pkinane</userId>
<ownerId  serviceProfileFile="SPb515cb06-4094-db74-0520-33b8235007c5.cnf.xml">pkinane</ownerId>
<phoneServices  useHTTPS="true">
<provisioning>0</provisioning>
<phoneService  type="1" category="0">
<name>Missed Calls</name>
<url>Application:Cisco/MissedCalls</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService  type="2" category="0">
<name>Voicemail</name>
<url>Application:Cisco/Voicemail</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService  type="1" category="0">
<name>Received Calls</name>
<url>Application:Cisco/ReceivedCalls</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService  type="1" category="0">
<name>Placed Calls</name>
<url>Application:Cisco/PlacedCalls</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService  type="1" category="0">
<name>Personal Directory</name>
<url>Application:Cisco/PersonalDirectory</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService  type="1" category="0">
<name>Corporate Directory</name>
<url>Application:Cisco/CorporateDirectory</url>
<vendor></vendor>
<version></version>
</phoneService>
</phoneServices>
</device>




##### Authentication string required but not supplied! (MY CAPF CONFIGURATION REQUIRED AN AUTH STRING)
2015-10-07 05:26:01,402 ERROR [0x00000830] [src\config\ConfigRetriever.cpp(1186)] [csf.ecc] [ecc::ConfigRetriever::secureProcessConfigFile] - Authentication string required but not supplied!
2015-10-07 05:26:01,402 ERROR [0x00000830] [control\CallControlManagerImpl.cpp(1095)] [csf.ecc.api] [ecc::CallControlManagerImpl::doFetchSoftphoneConfig] - doFetchSoftphoneConfig() could not obtain config for CSFPKINANE




##### Jabber is going to open a window so the user can put in the auth string
2015-10-07 05:26:01,408 DEBUG [0x000003f4] [ctionplugin\CapfAuthStringWindow.cpp(13)] [plugin-runtime] [CapfAuthStringWindow] - Initialising window. Setting up bindings




##### Jabber is going to request the LSC and allocate memory for it
2015-10-07 05:27:23,100 INFO  [0x00000830] [ect\security\src\sec_certificate.c(1103)] [csf.ecc.handyiron] [secGetCertificate] - [secGetCertificate] called, type=CERT_TYPE_LSC
2015-10-07 05:27:23,100 INFO  [0x00000830] [ect\security\src\sec_certificate.c(1125)] [csf.ecc.handyiron] [secGetCertificate] - [secGetCertificate] Allocating memory for certificate (866 bytes)
2015-10-07 05:27:23,100 INFO  [0x00000830] [ect\security\src\sec_certificate.c(1136)] [csf.ecc.handyiron] [secGetCertificate] - [secGetCertificate] Returning SEC_CERT_GETCERT_OK
2015-10-07 05:27:23,100 INFO  [0x00000830] [project\secCommon\src\sec_ssl_api.c(795)] [csf.ecc.handyiron] [secSSLGetCertificateX509] - SSL session setup - Get Active cert ok
2015-10-07 05:27:23,100 DEBUG [0x00000830] [project\secCommon\src\sec_ssl_api.c(797)] [csf.ecc.handyiron] [secSSLGetCertificateX509] - SSL session setup - cert len=866, type=LSC




##### Jabber is looking to verify certificate informaiton for CAPF
2015-10-07 05:27:23,601 INFO  [0x00000830] [project\secCommon\src\sec_ssl_api.c(739)] [csf.ecc.handyiron] [secSSLCertVerify] - SSL session setup Cert Verification - Invoking external certificate validation plugin.
2015-10-07 05:27:23,601 DEBUG [0x00000830] [ftphonewrapper\CC_SIPCCService.cpp(4987)] [csf.ecc] [CC_SIPCCService_verifyCertificate] - CC_SIPCCService__verifyCertificate(SEC_ROLE_CAPF)
2015-10-07 05:27:23,601 DEBUG [0x00000830] [ftphonewrapper\CC_SIPCCService.cpp(5022)] [csf.ecc] [CC_SIPCCService_verifyCertificate] - CAPF server certificate for pub1052.pkinane.lab needs to be verified against CTL only.
2015-10-07 05:27:23,601 INFO  [0x00000830] [project\secCommon\src\sec_ssl_api.c(742)] [csf.ecc.handyiron] [secSSLCertVerify] - SSL session setup Cert Verification - Certificate external validation plugin returned.
2015-10-07 05:27:23,601 INFO  [0x00000830] [project\secCommon\src\sec_ssl_api.c(754)] [csf.ecc.handyiron] [secSSLCertVerify] - SSL session setup Cert Verification - Invoking certificate validation helper plugin.
2015-10-07 05:27:23,601 DEBUG [0x00000830] [ject\security\src\sec_certificate.c(547)] [csf.ecc.handyiron] [X509_get_serialNumber_info] - OpenSSL returned a serial number with length = 10
2015-10-07 05:27:23,601 DEBUG [0x00000830] [ject\security\src\sec_certificate.c(551)] [csf.ecc.handyiron] [X509_get_serialNumber_info] - OpenSSL returned Serial Number = "4D DF 08 91 00 00 00 00 00 05"
2015-10-07 05:27:23,601 DEBUG [0x00000830] [ject\security\src\sec_certificate.c(601)] [csf.ecc.handyiron] [X509_get_serialNumber_info] - Serial Number = "4D DF 08 91 00 00 00 00 00 05"
2015-10-07 05:27:23,601 DEBUG [0x00000830] [ject\security\src\sec_trust_list.c(1537)] [csf.ecc.handyiron] [secFindTrustListItem] - Searching CTL File for entry with Role: SEC_ROLE_CAPF, SUBJECTNAME = "C=US;ST=NC;L=RTP;O=Cisco;OU=CUCM TAC;CN=CAPF-5a7314a6", ISSUERNAME= "DC=lab;DC=pkinane;CN=pkinane-WIN2K8-CA", SERIALNUMBER = "4D DF 08 91 00 00 00 00 00 05"
2015-10-07 05:27:23,601 DEBUG [0x00000830] [ject\security\src\sec_trust_list.c(1538)] [csf.ecc.handyiron] [secFindTrustListItem] - # CTL Entries: 5
2015-10-07 05:27:23,601 DEBUG [0x00000830] [ject\security\src\sec_trust_list.c(1549)] [csf.ecc.handyiron] [secFindTrustListItem] - --- Looking at CTL Entry: 0
2015-10-07 05:27:23,601 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(668)] [csf.ecc.handyiron] [secSignerCmp] - - Role: SEC_ROLE_SAST
2015-10-07 05:27:23,601 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(674)] [csf.ecc.handyiron] [secSignerCmp] - - SUBJECTNAME = "CN=pub1052.pkinane.lab;OU=TAC CUCM;O=Cisco;L=RTP;ST=NC;C=US"
2015-10-07 05:27:23,602 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(675)] [csf.ecc.handyiron] [secSignerCmp] - - ISSUERNAME = "CN=pub1052.pkinane.lab;OU=TAC CUCM;O=Cisco;L=RTP;ST=NC;C=US"
2015-10-07 05:27:23,602 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(676)] [csf.ecc.handyiron] [secSignerCmp] - - SERIALNUMBER = "60 4E 36 B4 ED CF 44 60 11 4F 79 FA 4E 24 29 A0"
2015-10-07 05:27:23,602 DEBUG [0x00000830] [ject\security\src\sec_trust_list.c(1549)] [csf.ecc.handyiron] [secFindTrustListItem] - --- Looking at CTL Entry: 1
2015-10-07 05:27:23,602 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(668)] [csf.ecc.handyiron] [secSignerCmp] - - Role: SEC_ROLE_CUCM_TFTP
2015-10-07 05:27:23,602 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(674)] [csf.ecc.handyiron] [secSignerCmp] - - SUBJECTNAME = "CN=pub1052.pkinane.lab;OU=TAC CUCM;O=Cisco;L=RTP;ST=NC;C=US"
2015-10-07 05:27:23,602 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(675)] [csf.ecc.handyiron] [secSignerCmp] - - ISSUERNAME = "CN=pub1052.pkinane.lab;OU=TAC CUCM;O=Cisco;L=RTP;ST=NC;C=US"
2015-10-07 05:27:23,602 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(676)] [csf.ecc.handyiron] [secSignerCmp] - - SERIALNUMBER = "60 4E 36 B4 ED CF 44 60 11 4F 79 FA 4E 24 29 A0"
2015-10-07 05:27:23,602 DEBUG [0x00000830] [ject\security\src\sec_trust_list.c(1549)] [csf.ecc.handyiron] [secFindTrustListItem] - --- Looking at CTL Entry: 2
2015-10-07 05:27:23,602 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(668)] [csf.ecc.handyiron] [secSignerCmp] - - Role: SEC_ROLE_CAPF
2015-10-07 05:27:23,602 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(674)] [csf.ecc.handyiron] [secSignerCmp] - - SUBJECTNAME = "CN=CAPF-5a7314a6;OU=CUCM TAC;O=Cisco;L=RTP;ST=NC;C=US"
2015-10-07 05:27:23,602 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(675)] [csf.ecc.handyiron] [secSignerCmp] - - ISSUERNAME = "CN=pkinane-WIN2K8-CA"
2015-10-07 05:27:23,602 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(676)] [csf.ecc.handyiron] [secSignerCmp] - - SERIALNUMBER = "4D DF 08 91 00 00 00 00 00 05"
2015-10-07 05:27:23,602 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(682)] [csf.ecc.handyiron] [secSignerCmp] - Roles match, checking serial numbers.
2015-10-07 05:27:23,602 DEBUG [0x00000830] [al\project\security\src\sec_utils.c(688)] [csf.ecc.handyiron] [secSignerCmp] - Serial Numbers match.
2015-10-07 05:27:23,602 DEBUG [0x00000830] [ject\security\src\sec_trust_list.c(1556)] [csf.ecc.handyiron] [secFindTrustListItem] - --- Found match in CTL Entry: 2
2015-10-07 05:27:23,602 INFO  [0x00000830] [project\secCommon\src\sec_ssl_api.c(757)] [csf.ecc.handyiron] [secSSLCertVerify] - SSL session setup Cert Verification - Certificate validation helper plugin returned.
2015-10-07 05:27:23,602 INFO  [0x00000830] [project\secCommon\src\sec_ssl_api.c(762)] [csf.ecc.handyiron] [secSSLCertVerify] - SSL session setup Cert Verification - Certificate is valid.
2015-10-07 05:27:23,602 DEBUG [0x00000830] [project\secCommon\src\sec_ssl_api.c(770)] [csf.ecc.handyiron] [secSSLCertVerify] - SSL session setup Cert Verification - returning validation result = 1




##### new LSC validated
2015-10-07 05:27:24,707 INFO  [0x00000830] [ernal\project\capf\src\capf_core.c(2150)] [csf.ecc.handyiron] [capf_clnt_check_cert] - new LSC validated




##### [storeLSC] - Store LSC 
2015-10-07 05:27:24,707 INFO  [0x00000830] [ernal\project\capf\src\capf_main.c(1531)] [csf.ecc.handyiron] [storeLSC] - Store LSC - pkey encryption not enabled




##### Opened personal system cert store. || - Successfully created the certificate context.
2015-10-07 05:27:24,712 DEBUG [0x00000830] [nt\win32\CertificateStoreManager.cpp(35)] [SystemService.CertificateManagement] [CertificateStoreManager::CertificateStoreManager] - Opened personal system cert store.
2015-10-07 05:27:24,713 DEBUG [0x00000830] [agement\win32\CertificateContext.cpp(78)] [SystemService.CertificateManagement] [CertificateContext::importData] - Successfully created the certificate context.




##### Added certificate to system certificate store.
2015-10-07 05:27:24,737 INFO  [0x00000830] [t\win32\CertificateStoreManager.cpp(104)] [SystemService.CertificateManagement] [CertificateStoreManager::add] - Added certificate to system certificate store.
2015-10-07 05:27:24,737 DEBUG [0x00000830] [nt\win32\CertificateStoreManager.cpp(62)] [SystemService.CertificateManagement] [CertificateStoreManager::~CertificateStoreManager] - Closed certificate store.




##### CAPF LSC updated - going back to fetch new config.
2015-10-07 05:27:27,381 INFO  [0x00000830] [src\config\ConfigRetriever.cpp(818)] [csf.ecc] [ecc::ConfigRetriever::secureRetrieveConfig] - CAPF LSC updated - going back to fetch new config.



##### Requesting new config
2015-10-07 05:27:27,883 INFO  [0x00000830] [etutils\src\http\CurlHttpUtils.cpp(1163)] [csf.httpclient] [http::CurlHttpUtils::configureEasyRequest] - *-----* Making HTTP request to: http://1sub1052.pkinane.lab:6970/CSFPKINANE.cnf.xml.sgn [31]




##### 200 OK for the new config
2015-10-07 05:27:27,889 INFO  [0x00000830] [ls\src\http\BasicHttpClientImpl.cpp(410)] [csf.httpclient] [http::executeImpl] - *-----* HTTP response from: http://1sub1052.pkinane.lab:6970/CSFPKINANE.cnf.xml.sgn [31] -> 200.




##### data written to file successfully and whole config
2015-10-07 05:27:27,895 DEBUG [0x00000830] [ephonyservice\StorageHelperImpl.cpp(309)] [StorageHelper] [StorageHelperImpl::writeFile] - data written to file successfully [C:\Users\pkinane\AppData\Roaming\Cisco\Unified Communications\Jabber\CSF\Security\CSFPKINANE.cnf.xml.sgn.config.encr]
2015-10-07 05:27:27,895 DEBUG [0x00000830] [src\config\ConfigRetriever.cpp(1007)] [csf.ecc] [ecc::ConfigRetriever::retrieveConfigFromLastServer] - Softphone Config XML: "<device  xsi:type="axl:XIPPhone" ctiid="68" uuid="{b2997500-b8ad-16a2-c8de-676a185804dd}">
<fullConfig>true</fullConfig>
<portalDefaultServer>pub1052.pkinane.lab</portalDefaultServer>
<deviceProtocol>SIP</deviceProtocol>
<sshUserId></sshUserId>
<sshPassword>********</sshPassword>
<ipAddressMode>0</ipAddressMode>
<allowAutoConfig>true</allowAutoConfig>
<dadEnable>true</dadEnable>
<redirectEnable>false</redirectEnable>
<echoMultiEnable>false</echoMultiEnable>
<ipPreferenceModeControl>0</ipPreferenceModeControl>
<ipMediaAddressFamilyPreference>0</ipMediaAddressFamilyPreference>
<tzdata>
<tzolsonversion>2014f</tzolsonversion>
<tzupdater>tzupdater.jar</tzupdater>
</tzdata>
<mlppDomainId>000000</mlppDomainId>
<mlppIndicationStatus>Off</mlppIndicationStatus>
<preemption>Disabled</preemption>
<executiveOverridePreemptable>false</executiveOverridePreemptable>
<devicePool  uuid="{a91a735d-cb62-e8a6-093f-05d14f8c21ad}">
<revertPriority>0</revertPriority>
<name>SJ_DP</name>
<dateTimeSetting  uuid="{9ec4850a-7748-11d3-bdf0-00108302ead1}">
<name>CMLocal</name>
<dateTemplate>M/D/Y</dateTemplate>
<timeZone>Greenwich Standard Time</timeZone>
<olsonTimeZone>Etc/GMT</olsonTimeZone>
</dateTimeSetting>
<callManagerGroup>
<name>SJ_CMG</name>
<tftpDefault>false</tftpDefault>
<members>
<member  priority="0">
<callManager>
<name>1sub1052.pkinane.lab</name>
<description>1sub1052</description>
<ports>
<ethernetPhonePort>2000</ethernetPhonePort>
<sipPort>5060</sipPort>
<securedSipPort>5061</securedSipPort>
<mgcpPorts>
<listen>2427</listen>
<keepAlive>2428</keepAlive>
</mgcpPorts>
</ports>
<processNodeName>1sub1052.pkinane.lab</processNodeName>
</callManager>
</member>
<member  priority="1">
<callManager>
<name>2sub1052.pkinane.lab</name>
<description>2sub1052</description>
<ports>
<ethernetPhonePort>2000</ethernetPhonePort>
<sipPort>5060</sipPort>
<securedSipPort>5061</securedSipPort>
<mgcpPorts>
<listen>2427</listen>
<keepAlive>2428</keepAlive>
</mgcpPorts>
</ports>
<processNodeName>2sub1052.pkinane.lab</processNodeName>
</callManager>
</member>
</members>
</callManagerGroup>
<srstInfo  uuid="{cd241e11-4a58-4d3d-9661-f06c912a18a3}">
<name>Disable</name>
<srstOption>Disable</srstOption>
<userModifiable>false</userModifiable>
<ipAddr1></ipAddr1>
<port1>2000</port1>
<ipAddr2></ipAddr2>
<port2>2000</port2>
<ipAddr3></ipAddr3>
<port3>2000</port3>
<sipIpAddr1></sipIpAddr1>
<sipPort1>5060</sipPort1>
<sipIpAddr2></sipIpAddr2>
<sipPort2>5060</sipPort2>
<sipIpAddr3></sipIpAddr3>
<sipPort3>5060</sipPort3>
<isSecure>false</isSecure>
</srstInfo>
<connectionMonitorDuration>120</connectionMonitorDuration>
</devicePool>
<sipProfile>
<sipProxies>
<backupProxy>USECALLMANAGER</backupProxy>
<backupProxyPort>5060</backupProxyPort>
<emergencyProxy>USECALLMANAGER</emergencyProxy>
<emergencyProxyPort>5060</emergencyProxyPort>
<outboundProxy>USECALLMANAGER</outboundProxy>
<outboundProxyPort>5060</outboundProxyPort>
<registerWithProxy>true</registerWithProxy>
</sipProxies>
<sipCallFeatures>
<cnfJoinEnabled>true</cnfJoinEnabled>
<callForwardURI>x-cisco-serviceuri-cfwdall</callForwardURI>
<callPickupURI>x-cisco-serviceuri-pickup</callPickupURI>
<callPickupListURI>x-cisco-serviceuri-opickup</callPickupListURI>
<callPickupGroupURI>x-cisco-serviceuri-gpickup</callPickupGroupURI>
<meetMeServiceURI>x-cisco-serviceuri-meetme</meetMeServiceURI>
<abbreviatedDialURI>x-cisco-serviceuri-abbrdial</abbreviatedDialURI>
<rfc2543Hold>false</rfc2543Hold>
<callHoldRingback>2</callHoldRingback>
<URIDialingDisplayPreference>1</URIDialingDisplayPreference>
<localCfwdEnable>true</localCfwdEnable>
<semiAttendedTransfer>true</semiAttendedTransfer>
<anonymousCallBlock>2</anonymousCallBlock>
<callerIdBlocking>2</callerIdBlocking>
<dndControl>0</dndControl>
<remoteCcEnable>true</remoteCcEnable>
<retainForwardInformation>false</retainForwardInformation>
</sipCallFeatures>
<sipStack>
<sipInviteRetx>6</sipInviteRetx>
<sipRetx>10</sipRetx>
<timerInviteExpires>180</timerInviteExpires>
<timerRegisterExpires>3600</timerRegisterExpires>
<timerRegisterDelta>5</timerRegisterDelta>
<timerKeepAliveExpires>120</timerKeepAliveExpires>
<timerSubscribeExpires>120</timerSubscribeExpires>
<timerSubscribeDelta>5</timerSubscribeDelta>
<timerT1>500</timerT1>
<timerT2>4000</timerT2>
<maxRedirects>70</maxRedirects>
<remotePartyID>true</remotePartyID>
<userInfo>None</userInfo>
</sipStack>
<autoAnswerTimer>1</autoAnswerTimer>
<autoAnswerAltBehavior>false</autoAnswerAltBehavior>
<autoAnswerOverride>true</autoAnswerOverride>
<transferOnhookEnabled>false</transferOnhookEnabled>
<enableVad>false</enableVad>
<preferredCodec>none</preferredCodec>
<dtmfAvtPayload>101</dtmfAvtPayload>
<dtmfDbLevel>3</dtmfDbLevel>
<dtmfOutofBand>avt</dtmfOutofBand>
<kpml>3</kpml>
<phoneLabel></phoneLabel>
<stutterMsgWaiting>2</stutterMsgWaiting>
<callStats>true</callStats>
<offhookToFirstDigitTimer>15000</offhookToFirstDigitTimer>
<T302Timer>15000</T302Timer>
<silentPeriodBetweenCallWaitingBursts>10</silentPeriodBetweenCallWaitingBursts>
<disableLocalSpeedDialConfig>true</disableLocalSpeedDialConfig>
<poundEndOfDial>false</poundEndOfDial>
<startMediaPort>16384</startMediaPort>
<stopMediaPort>32766</stopMediaPort>
<organizationTopLevelDomain></organizationTopLevelDomain>
<sipLines>
<line  button="1" lineIndex="1">
<featureID>9</featureID>
<featureLabel></featureLabel>
<proxy>USECALLMANAGER</proxy>
<port>5060</port>
<name>1003</name>
<displayName></displayName>
<autoAnswer>
<autoAnswerEnabled>2</autoAnswerEnabled>
</autoAnswer>
<callWaiting>3</callWaiting>
<sharedLine>true</sharedLine>
<messageWaitingLampPolicy>3</messageWaitingLampPolicy>
<messageWaitingAMWI>0</messageWaitingAMWI>
<messagesNumber>4000</messagesNumber>
<ringSettingIdle>4</ringSettingIdle>
<ringSettingActive>5</ringSettingActive>
<contact>70ae9c29-63e5-0b42-1e3b-66bcadde912b</contact>
<forwardCallInfoDisplay>
<callerName>true</callerName>
<callerNumber>false</callerNumber>
<redirectedNumber>false</redirectedNumber>
<dialedNumber>true</dialedNumber>
</forwardCallInfoDisplay>
<maxNumCalls>6</maxNumCalls>
<busyTrigger>2</busyTrigger>
</line>
</sipLines>
<externalNumberMask></externalNumberMask>
<voipControlPort>5060</voipControlPort>
<dscpForAudio  tcl="conversational.audio.aq:admitted">184</dscpForAudio>
<dscpForPriorityAudio>180</dscpForPriorityAudio>
<dscpForImmediateAudio>176</dscpForImmediateAudio>
<dscpForFlashAudio>164</dscpForFlashAudio>
<dscpForFlashOverrideAudio>168</dscpForFlashOverrideAudio>
<dscpForExecutiveOverrideAudio>168</dscpForExecutiveOverrideAudio>
<dscpForPriorityVideo>156</dscpForPriorityVideo>
<dscpForImmediateVideo>148</dscpForImmediateVideo>
<dscpForFlashVideo>140</dscpForFlashVideo>
<dscpForFlashOverrideVideo>132</dscpForFlashOverrideVideo>
<dscpForExecutiveOverrideVideo>132</dscpForExecutiveOverrideVideo>
<dscpVideo  tcl="conversational.video.avconf.aq:admitted">136</dscpVideo>
<dscpAudioForVideo  tcl="conversational.audio.avconf.aq:admitted">136</dscpAudioForVideo>
<dscpForTelepresence  tcl="conversational.video.immersive.aq:admitted">128</dscpForTelepresence>
<dscpAudioForTelepresence  tcl="conversational.audio.immersive.aq:admitted">128</dscpAudioForTelepresence>
<ringSettingBusyStationPolicy>0</ringSettingBusyStationPolicy>
<dialTemplate></dialTemplate>
<softKeyFile>SKb0ec918f-b9ee-994b-57ae-345883c1fde8.xml</softKeyFile>
<alwaysUsePrimeLine>false</alwaysUsePrimeLine>
<alwaysUsePrimeLineVoiceMail>false</alwaysUsePrimeLineVoiceMail>
</sipProfile>
<commonProfile>
<phonePassword>********</phonePassword>
<backgroundImageAccess>true</backgroundImageAccess>
<callLogBlfEnabled>2</callLogBlfEnabled>
</commonProfile>
<loadInformation></loadInformation>
<vendorConfig>
<ice></ice><instantMessaging></instantMessaging><desktopClient></desktopClient></vendorConfig>
<commonConfig>
<webAccess>0</webAccess><sshAccess>1</sshAccess><RingLocale>0</RingLocale><ice></ice><instantMessaging></instantMessaging><desktopClient></desktopClient></commonConfig>
<enterpriseConfig>
</enterpriseConfig>
<versionStamp>1444242505-4e9ce190-4ec2-42d1-bd89-bc03a0548401</versionStamp>
<userLocale>
<name>English_United_States</name>
<uid>1</uid>
<langCode>en_US</langCode>
<version>10.0.0.0(1)</version>
<winCharSet>iso-8859-1</winCharSet>
</userLocale>
<networkLocale>United_States</networkLocale>
<networkLocaleInfo>
<name>United_States</name>
<uid>64</uid>
<version>10.0.0.0(1)</version>
</networkLocaleInfo>
<deviceSecurityMode>3</deviceSecurityMode>
<dscpForSCCPPhoneConfig>96</dscpForSCCPPhoneConfig>
<dscpForSCCPPhoneServices>0</dscpForSCCPPhoneServices>
<dscpForCm2Dvce>96</dscpForCm2Dvce>
<transportLayerProtocol>3</transportLayerProtocol>
<dndCallAlert>5</dndCallAlert>
<phonePersonalization>0</phonePersonalization>
<rollover>0</rollover>
<singleButtonBarge>0</singleButtonBarge>
<joinAcrossLines>0</joinAcrossLines>
<autoCallPickupEnable>false</autoCallPickupEnable>
<blfAudibleAlertSettingOfIdleStation>0</blfAudibleAlertSettingOfIdleStation>
<blfAudibleAlertSettingOfBusyStation>0</blfAudibleAlertSettingOfBusyStation>
<capfAuthMode>0</capfAuthMode>
<capfList>
<capf>
<phonePort>3804</phonePort>
<processNodeName>pub1052.pkinane.lab</processNodeName>
</capf>
</capfList>
<certHash>e11fb2715427321eec2006ca93ccdd1c</certHash>
<encrConfig>false</encrConfig>
<advertiseG722Codec>1</advertiseG722Codec>
<mobility>
<handoffdn></handoffdn>
<dtmfdn></dtmfdn>
<ivrdn></ivrdn>
<dtmfHoldCode>*81</dtmfHoldCode>
<dtmfExclusiveHoldCode>*82</dtmfExclusiveHoldCode>
<dtmfResumeCode>*83</dtmfResumeCode>
<dtmfTxfCode>*84</dtmfTxfCode>
<dtmfCnfCode>*85</dtmfCnfCode>
</mobility>
<TLSResumptionTimer>3600</TLSResumptionTimer>
<userId  serviceProfileFile="SPb515cb06-4094-db74-0520-33b8235007c5.cnf.xml">pkinane</userId>
<ownerId  serviceProfileFile="SPb515cb06-4094-db74-0520-33b8235007c5.cnf.xml">pkinane</ownerId>
<phoneServices  useHTTPS="true">
<provisioning>0</provisioning>
<phoneService  type="1" category="0">
<name>Missed Calls</name>
<url>Application:Cisco/MissedCalls</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService  type="2" category="0">
<name>Voicemail</name>
<url>Application:Cisco/Voicemail</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService  type="1" category="0">
<name>Received Calls</name>
<url>Application:Cisco/ReceivedCalls</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService  type="1" category="0">
<name>Placed Calls</name>
<url>Application:Cisco/PlacedCalls</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService  type="1" category="0">
<name>Personal Directory</name>
<url>Application:Cisco/PersonalDirectory</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService  type="1" category="0">
<name>Corporate Directory</name>
<url>Application:Cisco/CorporateDirectory</url>
<vendor></vendor>
<version></version>
</phoneService>
</phoneServices>
</device>

 

 

If you are not able to resolve the issue by this point, it is recommended to check database replication, and restart the CAPF service.

Miscellaneous Information

 

1. The LSC is not stored on CUCM it is stored with the device (Jabber in this case). What IS stored on CUCM is the CAPF certificate which signs the LSC.
2. If you want to get the LSC onto CUCM so that you can look at it without finding it on the device, you can change the CAPF operation to troubleshoot and CUCM will get a copy of the certificate from the device.
3. When on the CSF device configuration page and setting up CAPF, it is *very* important to only click on links within the admin interface.  Do not click on any of the web browser buttons such as refresh or back buttons. This effectively re-submits the form and turns off the CAPF registration.

-------------

Please rate helpful content (i.e. videos, documents, comments). Also, please select the correct answer(s) if any comment(s) answer your question otherwise the questions remains on the support forums as unanswered.

-------------