srgudava
Cisco Employee

Secure Conference Overview

The Secure Conferencing feature provides authentication and encryption to secure a conference. A conference is secured when all participating devices have encrypted signaling and media. The secure conference feature supports SRTP encryption over a secure TLS or IPSec connection. The system provides a security icon for the overall security status of the conference, which is determined by the lowest security level of the participating devices. For example, a secure conference that includes two encrypted connections and one authenticated connection has a conference security status of authenticated.

Secure Conference Icons

Cisco Unified IP Phones display a conference security icon for the security level of the entire conference. These icons match the status icons for a secure two-party call, as described in the user documentation for your phone.

For ad hoc and Meet-Me secure conferences, the security icon for the conference displays next to the conference softkey in the phone window for conference participants. The icon that displays depends on the security level of the conference bridge and all participants:

A lock icon displays if the conference bridge is secure and all participants in the conference are encrypted.

A shield icon displays if the conference bridge is secure and all participants in the conference are authenticated.

When the conference bridge or any participant in the conference is non-secure, the call state icon (active, hold, and so on) displays, or, on some older phone models, no icon displays.

Generating the Self-Signed Certificate on the Router

Step 1: Generate the RSA key pair for the self-signed certificate you are going to create.

CFBROUTER#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

CFBROUTER(config)#crypto key generate rsa general-keys label CFBROUTER modulus 1024

The name for the keys will be: CFBROUTER

% The key modulus size is 1024 bits

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Step 2: Create the trust-point for the router self-signed certificate

CFBROUTER(config)#crypto pki trustpoint CFBROUTER

Step 3: Configure the enrollment method (self-signed)

CFBROUTER(ca-trustpoint)#enrollment selfsigned

Step 4: Associate the RSA KEY pair you have generated to the trust point

CFBROUTER(ca-trustpoint)#rsakeypair CFBROUTER

Step 5: (Optional) If you do not want the domain name in the certificate

CFBROUTER(ca-trustpoint)#fqdn none

Step 6: (Optional) If you do not want revocation-check

CFBROUTER(ca-trustpoint)#revocation-check none

Step 7: (Optional) If you want to set a subject name

CFBROUTER(ca-trustpoint)#subject-name CN=CFBROUTER

Step 8: Enroll the certificate

CFBROUTER(config)#crypto pki enroll CFBROUTER

% Include the router serial number in the subject name? [yes/no]: no

% Include an IP address in the subject name? [no]: no

Generate Self-signed Router Certificate? [yes/no]: yes

Router Self-signed Certificate successfully created

Step 9: Copy the self-signed certificate into a text file. Select the text from '-----BEGIN CERTIFICATE-----' through '-----END CERTIFICATE-----' and paste it into a text editor. Save the file as CFBROUTER.pem, the PEM format that Communications Manager expects.

CFBROUTER(config)#crypto pki export CFBROUTER pem terminal

% Self-signed CA certificate:

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

% General Purpose Certificate:

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----


Uploading the Router Certificate on CUCM

Step 1: Go to Cisco Unified OS Administration > Security > Certificate Management.

Step 2: Click on ‘Upload Certificate.’ Select the CallManager-trust on the drop-down menu. Browse to the certificate ‘CFBROUTER.pem’ and click ’Upload File.’

Step 3: In the certificate list, click the certificate whose subject CN is the router to view it.

Downloading the CUCM Certificate from CUCM

Step 1: Go to Cisco Unified OS Administration > Security > Certificate Management.

Step 2: Select the Communications Manager certificate titled callmanager.pem. Clicking on it will open a separate window.

Step 3: Click ‘Download’ and save the callmanager.PEM file. Save the file with a .txt extension.

Creating the CUCM Trustpoint and Authenticating the CUCM Certificate on the Router

Step 1: Create the trust-point for the Communications Manager server

CFBROUTER(config)# crypto pki trustpoint cucm61310016

Step 2: Configure the enrollment via terminal input

CFBROUTER(ca-trustpoint)#enrollment terminal

Step 3: (Optional) Configure the subject-name

CFBROUTER(ca-trustpoint)#subject-name CN=cucm61310016

Step 4: (Optional) Configure revocation-check

CFBROUTER(ca-trustpoint)#revocation-check none

Step 5: Authenticate the Communications Manager certificate on the IOS router

CFBROUTER(config)#crypto ca authenticate cucm61310016

Enter the base 64 encoded CA certificate.

End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

Certificate has the following attributes:

       Fingerprint MD5: 5DE48F1E 065CF4FE F2B489F8 40CAE26C

      Fingerprint SHA1: 450C030A DCE6D412 253586E6 95152ECF D604A0FA

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

% Certificate successfully imported

Certificates are now exchanged between the Communications Manager and the IOS router.
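Two of the manual steps above invite copy-paste mistakes: extracting the PEM block from the terminal export (Step 9 of the self-signed certificate section) and answering the fingerprint prompt in `crypto ca authenticate` without comparing it to anything. The following helper, added here as an example and not part of the original post, pulls clean PEM blocks out of a captured export and computes MD5/SHA1 fingerprints in the same 8-hex-digit grouping IOS prints, so the prompt value can be checked against a copy of callmanager.pem obtained directly from CUCM. The DER bytes and transcript below are constructed stand-ins.

```python
import base64
import hashlib
import re

# Added example, not from the original post. The stand-in DER bytes and the
# terminal transcript below are constructed; a real export carries X.509 DER.
SAMPLE_DER = b"constructed-sample-der-not-a-real-certificate"
SAMPLE_EXPORT = (
    "CFBROUTER(config)#crypto pki export CFBROUTER pem terminal\n"
    "% Self-signed CA certificate:\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
    "% General Purpose Certificate:\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def extract_pem_blocks(text):
    """Return (clean PEM text, DER bytes) for every certificate in the
    transcript: prompt text dropped, whitespace stripped, 64-char lines."""
    blocks = []
    for body in PEM_RE.findall(text):
        b64 = "".join(body.split())
        der = base64.b64decode(b64, validate=True)   # rejects a mangled paste
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(("-----BEGIN CERTIFICATE-----\n" + wrapped
                       + "\n-----END CERTIFICATE-----\n", der))
    return blocks

def ios_fingerprints(der):
    """MD5 and SHA1 over the DER, grouped in 8-hex-digit words as IOS prints
    them at the 'Do you accept this certificate?' prompt."""
    out = {}
    for name, fn in (("md5", hashlib.md5), ("sha1", hashlib.sha1)):
        h = fn(der).hexdigest().upper()
        out[name] = " ".join(h[i:i + 8] for i in range(0, len(h), 8))
    return out

def fingerprint_matches(der, shown):
    """True if the value IOS displayed equals a fingerprint computed from the
    DER obtained out of band (spacing and case ignored)."""
    norm = lambda s: "".join(s.split()).upper()
    return any(norm(v) == norm(shown) for v in ios_fingerprints(der).values())
```

Run `fingerprint_matches` on the DER decoded from the callmanager.pem you downloaded from CUCM and the SHA1 shown at the prompt; answer "yes" only when it returns True.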

Configuring a Secure Conference Bridge on the IOS router

Step 1: Configure the voice-card on the Router.

CFBROUTER(config)#voice-card 0

CFBROUTER(config-voicecard)#dsp services dspfarm


Step 2: Configure the dspfarm profile. Make sure the profile references the router's own trustpoint (CFBROUTER), not the CUCM trustpoint.

CFBROUTER(config)#dspfarm profile 1 conference security

CFBROUTER(config-dspfarm-profile)#trustpoint CFBROUTER

CFBROUTER(config-dspfarm-profile)#codec g711ulaw

CFBROUTER(config-dspfarm-profile)#codec g711alaw

CFBROUTER(config-dspfarm-profile)#codec g729ar8

CFBROUTER(config-dspfarm-profile)#codec g729abr8

CFBROUTER(config-dspfarm-profile)#codec g729r8

CFBROUTER(config-dspfarm-profile)#codec g729br8

CFBROUTER(config-dspfarm-profile)#maximum sessions 10

CFBROUTER(config-dspfarm-profile)#associate application SCCP

CFBROUTER(config-dspfarm-profile)#no shut


Step 3: Configure the SCCP information on the router. In the sccp ccm configuration you must reference the trustpoint that holds the Communications Manager certificate.

CFBROUTER(config)#sccp local gigabitEthernet 0/0

CFBROUTER(config)#sccp ccm 14.48.38.61 identifier 1 version 6.0 trustpoint cucm61310016

CFBROUTER(config)#sccp


Step 4: Configure the SCCP CCM group to associate the Communications Manager and DSP profiles.

CFBROUTER(config)#sccp ccm group 1

CFBROUTER(config-sccp-ccm)#bind interface GigabitEthernet0/0

CFBROUTER(config-sccp-ccm)#associate ccm 1 priority 1

CFBROUTER(config-sccp-ccm)#associate profile 1 register CFBROUTER


Configuring the Conference Bridge Within CUCM

Step 1: On the CUCM web administration console, go to Media Resources > Conference Bridge

Step 2: Click on ‘Add New.’

Step 3: Select Cisco IOS Enhanced Conference Bridge for ‘Conference Bridge Type.’

Step 4: Enter the ‘Conference Bridge Name’ defined in Step 4 of the previous section (CFBROUTER). It must match the name in the associate profile 1 register command exactly.

Step 5: Select the desired Device Pool.

Step 6: Select the desired Common Device Configuration.

Step 7: Select the desired Location.

Step 8: Change the Device Security Mode to Encrypted Conference Bridge.

Step 9: Click Save.

The conference bridge should now be registered.

Router Configuration

Current configuration : 4706 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

! Hostname of the router is important on the Router when you are doing
! self-signed certificate.

!
hostname CFBROUTER
!


! dsp services dspfarm is needed before the conference profile can be configured
voice-card 0
dsp services dspfarm
!


! This is the trustpoint (self-signed) that needs to be configured on the IOS router
!
crypto pki trustpoint CFBROUTER
enrollment selfsigned
fqdn none
subject-name CN=CFBROUTER
revocation-check none
rsakeypair CFBROUTER
!

! Trust Point for the CUCM server certificate that was authenticated. 
crypto pki trustpoint cucm61310016
enrollment terminal
subject-name CN=cucm61310016
revocation-check none
!
!
crypto pki certificate chain CFBROUTER
certificate self-signed 04
         quit
crypto pki certificate chain cucm61310016
certificate ca 4FE734836FA1925C
       quit
!
!

!
interface GigabitEthernet0/0
ip address 14.50.207.148 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 14.50.207.1
ip http server
no ip http secure-server
!

! SCCP configuration

sccp local GigabitEthernet0/0

! CCM configuration. Give the trust point name of the CUCM server.

sccp ccm 14.48.38.61 identifier 1 version 6.0 trustpoint cucm61310016
sccp
!

! SCCP ccm group configuration
sccp ccm group 1
bind interface GigabitEthernet0/0
associate ccm 1 priority 1

! Registering the conference Bridge name
associate profile 1 register CFBROUTER
!

! DSP profile for the Conference Bridge.
dspfarm profile 1 conference security
! Trust point for the Router needed to be configured.
trustpoint CFBROUTER
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
maximum sessions 10
associate application SCCP
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
scheduler allocate 20000 1000
end

Troubleshooting

Verifying Certificates Within IOS

CFBROUTER#sh crypto pki certificates

CA Certificate

  Status: Available

  Certificate Serial Number (hex): 4FE734836FA1925C

  Certificate Usage: General Purpose

  Issuer:

    cn=cucm61310016

  Subject:

    cn=cucm61310016

  Validity Date:

    start date: 18:16:48 UTC May 8 2009

    end   date: 18:16:48 UTC May 8 2014

  Associated Trustpoints: cucm61310016

  Storage: nvram:cucm61310016#9292CA.cer

Router Self-Signed Certificate

  Status: Available

  Certificate Serial Number (hex): 04

  Certificate Usage: General Purpose

  Issuer:

    cn=CFBROUTER

  Subject:

    Name: CFBROUTER

    cn=CFBROUTER

  Validity Date:

    start date: 12:11:00 UTC Dec 10 2009

    end   date: 00:00:00 UTC Jan 1 2020

  Associated Trustpoints: CFBROUTER

  Storage: nvram:CFBROUTER#4.cer
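The validity dates in this output are the first thing to check when a secure conference bridge stops registering: the CUCM certificate above expires in May 2014 and the router's self-signed certificate on 1 January 2020, and an expired certificate on either side breaks the TLS session to SCCP. The helper below, an added example that is not part of the original post, parses the `show crypto pki certificates` output into records and reports certificates that are expired or not yet valid at a chosen time. The sample output is constructed in the shape shown above.

```python
import re
from datetime import datetime, timezone

# Added example, not from the original post. Constructed sample in the shape
# of `show crypto pki certificates` output; times are UTC as IOS prints them.
SAMPLE_SHOW = """\
CA Certificate
  Subject:
    cn=cucm61310016
  Validity Date:
    start date: 18:16:48 UTC May 8 2009
    end   date: 18:16:48 UTC May 8 2014
  Associated Trustpoints: cucm61310016
Router Self-Signed Certificate
  Subject:
    cn=CFBROUTER
  Validity Date:
    start date: 12:11:00 UTC Dec 10 2009
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: CFBROUTER
"""
DATE_FMT = "%H:%M:%S %Z %b %d %Y"   # matches "18:16:48 UTC May 8 2009"

def utc(year, month, day):
    """Build an aware UTC datetime for comparisons (e.g. 'now')."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def parse_show_pki_certificates(text):
    """Split on the unindented headers; keep cn, trustpoint and validity."""
    certs = []
    for chunk in re.split(r"\n(?=\S)", text.strip()):
        lines = chunk.splitlines()
        cert = {"type": lines[0].strip()}
        for line in lines[1:]:
            if m := re.match(r"\s*(start|end)\s+date:\s*(.+)", line):
                cert[m.group(1)] = datetime.strptime(
                    m.group(2).strip(), DATE_FMT).replace(tzinfo=timezone.utc)
            elif m := re.match(r"\s*Associated Trustpoints:\s*(\S+)", line):
                cert["trustpoint"] = m.group(1)
            elif m := re.match(r"\s*cn=(\S+)", line):
                cert["cn"] = m.group(1)
        certs.append(cert)
    return certs

def check_validity(certs, now):
    """Return (trustpoint, problem) for each cert outside its validity window."""
    out = []
    for c in certs:
        if now < c["start"]:
            out.append((c["trustpoint"], "not yet valid"))
        elif now > c["end"]:
            out.append((c["trustpoint"], "expired " + c["end"].strftime("%Y-%m-%d")))
    return out
```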

Verifying Trustpoint Information

CFBROUTER#sh crypto pki trustpoints

Trustpoint CFBROUTER:

    Subject Name:

    cn=CFBROUTER

          Serial Number (hex): 04

    Persistent self-signed certificate trust point

Trustpoint cucm61310016:

    Subject Name:

    cn=cucm61310016

          Serial Number (hex): 4FE734836FA1925C

    Certificate configured.

Debugging CFB Registration

SCCP debugs

debug sccp all

SSL debugs

debug ssl openssl errors

debug ssl openssl msg

debug ssl openssl states

PKI debugs

debug crypto pki transactions

debug crypto pki messages
