cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7753
Views
35
Helpful
20
Comments
Steven Holl
Cisco Employee
Cisco Employee

I wrote a TCL script to completely automate the secure CME configuration.  The configuration of secure CME is quite complex, requiring around 60 lines of configuration.  This should alleviate the current pain points with the secure CME configuration.


Purpose

The configuration of secure CME is quite intensive, and there are several commands which require configuration in a specific sequence.  Some of which won't even show up in the final configuration.  The purpose of this script is to alleviate the burden for customers to configure secure CME by completely automating the entire secure CME configuration procedure.

Requirements

  • A CME device with phones registered to it.
  • CME running a feature set that supports secure CME.
  • CME currently has no secure CME configuration present before running script (no IOS CA, and no trust points named ca, cme, or sast2).
  • Phones do not currently have a CTL or LSC loaded before running script.
  • Script has not been previously run on this box.  Partial/existing configuration of trustpoints/CA will likely cause issues.

Caveats

Some firmware versions have issues pulling LSCs.  See the README for more information, but I'd be interested if you come across non-working firmware versions so that I can document accordingly.

The script does very limited error checking.  Ensure that you read the documentation before running so that you understand correct operation before executing.


Procedure

1. Copy securecme.tcl to router.

2. Configure the following parameters:

conf t

event manager directory user policy "flash:/"

event manager policy securecme.tcl

event manager environment password <password key for CA/certs>

event manager session cli username <aaa-username>

======> Password key must be 8+ characters and meet password requirements of IOS CA.

======> The last line is only necessary if AAA is running.  Specific a user with rights

         to run show commands.  A password does not need to be specified for the user.

Sample Configuration:

event manager directory user policy "flash:/"

event manager policy securecme.tcl

event manager environment password cisco123

event manager session cli username sholl

3. Ensure that time is correct on the router and phones:

  • Router clock is set properly before executing script; verify with 'sh clock'
  • Router clock timezone is set properly before executing script; verify with 'sh run | i timezone'
  • CME Time-zone is set properly before executing script; verify with 'sh telephony-s | i time'

4. Ensure that ip domain-name has been defined.

5. Ensure that phones do not have a CTL or LSC already installed.  If so, factory reset those phones before running script.

6. Ensure that phone is running recent firmware and has the the 'type' defined under the ephone.  Some firmware has issues with LSC provisioning. See the README for more information on this.

7. Save configuration before running script.  If script's secure CME provisioning is unsuccessful, simply reload the router (and delete the CTL files off each phone, if applicable).

8. Type 'securecme' in exec mode to run the script.

89 Observe 'sh log | i ---' to observe output.  System wide messages will print at start and finish of script.

10. If provisioning is not successful and script needs to be re-run, reload router before re-running to clear out partially provisioning security settings.  Clear CTL/LSC from phones (if applicable).


Assumptions Made

  • CME is already configured, and phones are registered unencrypted. Ensure phones are configured with the 'type' command under each ephone.
  • Router is running a featureset which supports Secure CME (securityk9+uck9 or advipservicesk9 or adventerprisek9)
  • Router may need to have a UC and security feature license activated:
    • CUBE2(config)#license boot module c3900e technology-package ?
      • datak9      data technology

      • securityk9  security technology

      • uck9        unified communications technology

    • CUBE2(config)#license accept end user agreement ?

  • Router clock is set properly before executing script; verify with 'sh clock'
  • Router clock timezone is set properly before executing script; verify with 'sh run | i timezone'
  • CME Time-zone is set properly before executing script; verify with 'sh telephony-s | i time'
  • 'password' is defined in the EEM configuration as a 8+ character password and meets the specifications of IOS CA requirements.
  • Script has not been previously run on this device (previous partial configuration of CA, trustpoints, CTL, etc. will probably create conflicts.)
  • The device is currently not configured with IOS CA, nor with a self-signed certificate. (i.e. Run this on a clean normal non-secure CME configuration).
  • Phones do not currently have a CTL or LSC on them before running the script.  Factory reset the phone if you are unsure of the presence of such.  (Hold #, plug in cable, wait for lights to blink, hit 123456789*0#).
  • Phones are running recent firmware.  Testing of script was successful on 15.2(2)T with multiple phone models, running 9.1.1SR1 (newer phones) and 8.1.2 (7960).

Downloading the script

See the securecmeTCL.zip file attached to the bottom of this post.

The current version is v1.4 - 1/13/2011.


Troubleshooting

Please read the README and the TCL header before running the script to avoid incorrect operation.


One can observe the logging buffer output for current status of script.  Run 'debug event manager all' during script operation for details on what the script is doing.

If you run into issues with the script for which you would like me to take a look at, I will require the following information:

  1. Output of the following information before running script:
    1. sh run
    2. sh ephone ph
    3. sh clock
  2. 'debug event manager all' enabled before running script, with 'logging buffered 10000000 7' set.
  3. Output of the following after script is run:
    1. sh log
    2. sh run
    3. sh capf-server sum
    4. sh ctl-client
    5. sh telephony-service tftp
    6. sh ephone reg

Comments

WoW !!! Great !!!

I´m having problems with Secure CME of a customer, this script will be very usefully. I will test and post the results here asap.

Thank you Steven.

Leonardo Santana
Spotlight
Spotlight

Very good documentation....

Steven, Thanks for sharing.. Very useful !

Hi Steven,

I performed a test in my environment and this TCL worked fine !!! .... good bless you !!!!!!! 

There is my lab:

2901 with uc+k9 license

7961 : 9-2-3S

7975 : 9-0-2S

One last doubt:

What steps I need to do to add a new IP Phone in this enviroment with cripto enabled ?

Can you help us a little bit more ?

Thank you very much  !!!

Steven Holl
Cisco Employee
Cisco Employee

Leonardo: Glad the script worked for you.

To add another phone, you will need to manually configure the ephone, configure it for 'device-security-mode none,' and let the phone register unencrypted.  The phone should have a CTL file at this point.  Once the phone is registered, add 'cert-oper upgrade null-string' to the ephone, and reset the ephone again.  It should reboot, query for the LSC from CAPF, and then register again, with a LSC (still unencrypted phone at this point).  Now, set 'device-security-mode encrypted' and reset a final time, and the phone will be encrypted.

Technically you should be able to combine the 'cert-oper upgrade' and 'device-security-mode encrypted' commands to a single step and it will pull the LSC from the bootloader before it registers, but I prefer to split it up for troubleshooting sake so that I know what step is having issues if the phone doesn't register.

Hi Steven,

Worked perfectly .... thank you !!!

Congratulations for this work.

crystalcross
Level 1
Level 1

Steven,

Thanks for the script this saved us for an install we had to do, you don't how long we worked at getting the certs to work with the phones. I plan on running this script again for another installation right now I have everything setup but wanted to know if i run this scirpt successfully but need to upgrade my flash on the router do you believe this will cause any problems and what should i look for to move any files that were saved to flash for secure cme.

warquezho0612
Level 1
Level 1

HI Steven,

I use your script and was successful with the encryption of pre registered ip phones (7962 and 7972). But when I was adding a new ip phone (7942 and 7960) after running the script using your comment to Leonardo, it was not successfull, the initial boot didn't get the CTL file, the second boot the LSC is not installed, am I missing something?

Hi, I'm hoping the author of this is still around.

I had a go at running your script and it seems the only phone to work with this is my 7921. I also have a 7912, 7941 and a 7970 of which I get the following output from debug ephone reg:

Apr 27 04:34:46.937: ephone-1[0/3][SEP0024C4FE1617]:SEP0024C4FE1617: Registering Device (security 0) Mismatch the ephone configuration (mode 3) the CME: reject registration

Apr 27 04:34:46.937: Skinny register (phones=3/4/21) REJECT from IP 10.0.4.103

and on the phone itself it says:

Registration Rejected: Max Phones Exceeded.

The phones are using firmware version 9-1-1TH1-16

I'm hoping when you mentioned version 'adventerprisek9' you are not referring to the cucme version 9.0+

as I am running 8.6 on a 2801.

The ios version is: c2801-adventerprisek9-mz.151-4.M4

If you need further information let me know.

Thanks!

Steven Holl
Cisco Employee
Cisco Employee

adventerprisek9 is the feature set, and doesn't refer to a version.

I tested this on multiple phone types in my lab when I wrote the script.  I'd suggest that you look at these debugs during run of the script:

debug ephone register

debug tftp events

debug event manager all

That should show you what is occurring and why there is a deviation in behavior between phone models.

Based on the error it sounds like the phones never got the secure config and are trying to register unsecurely.  Is there a signed config in the phone?  Since a phone is working, the config is likely right, and try these steps to get one of the other phones registered:

1. Factory reset the phone.

2. Manually configure the ephone in CME; configure it for  'device-security-mode none,' and let the phone register unencrypted.  The phone should have a CTL file at this point.

3. Once the phone is  registered, add 'cert-oper upgrade null-string' to the ephone, and reset  the ephone again.  It should reboot, query for the LSC from CAPF, and  then register again, with a LSC (still unencrypted phone at this  point).

4. Now, set 'device-security-mode encrypted' and reset a final  time, and the phone will be encrypted.

I'm not in a position at this point in time to help with troubleshooting  your issue and/or if there is a problem with the script, but if anyone does find an error and would like me to update the script with a correction, I'd be glad to do such.

On the 7970, under Security Configuration it states both MIC and LSC are installed,

under Trust List, has the CTL file, ITL File not installed. Here is the debug output:

thor(config-ephone)#rest

restarting 0024.C4FE.1617

thor(config-ephone)#

Apr 29 09:08:22.335: cli_history_entry_add: free_hist_list size=0, hist_list size=7

Apr 29 09:08:22.335: check_eem_cli_policy_handler: command_string=device-security-mode encrypted

Apr 29 09:08:22.335: check_eem_cli_policy_handler: num_matches = 0, response_code = 1

Apr 29 09:08:23.471: cli_history_entry_add: free_hist_list size=0, hist_list size=7

Apr 29 09:08:23.471: check_eem_cli_policy_handler: command_string=restart

Apr 29 09:08:23.471: check_eem_cli_policy_handler: num_matches = 0, response_code = 1

Apr 29 09:08:23.787: ephone-1[0/2][SEP0024C4FE1617]:Reset sent to phone on socket [2]

Apr 29 09:08:23.787: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.787: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.787: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.787: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.927: ephone-1[0/2]:UnregisterMessage after Reset/Restart sent

Apr 29 09:08:23.931: ephone-1[0/2][SEP0024C4FE1617]:Phone Unregistered on socket [2] SEP0024C4FE1617

Apr 29 09:08:23.931: ephone-1[0/2]:UnregisterAck sent on socket [2] (3/4/21)

Apr 29 09:08:23.931: %IPPHONE-6-UNREGISTER_NORMAL: ephone-1:SEP0024C4FE1617 IP:10.0.4.103 Socket:2 DeviceType:Phone has unregistered normally.

Apr 29 09:08:23.931: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.931: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.931: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.931: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.931: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.931: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.931: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.931: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.931: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.931: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.931: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.931: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:24.435: TFTP: Looking for CTLSEP0024C4FE1617.tlv

Apr 29 09:08:24.435: TFTP: Opened flash:/CTLFile.tlv, fd 0, size 1935 for process 84

Apr 29 09:08:24.439: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:24.439: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:24.439: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:24.439: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:24.447: TFTP: Finished flash:/CTLFile.tlv, time 00:00:00 for process 84

Apr 29 09:08:24.451: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:24.451: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:24.579: TFTP: Looking for ITLSEP0024C4FE1617.tlv

Apr 29 09:08:24.579: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:24.579: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:24.711: ND Update CDP Notification Event for rogue.home on Fa0/0

Apr 29 09:08:24.711: fh_fd_nd_event_match: num_matches = 0

Apr 29 09:08:24.723: TFTP: Looking for ITLFile.tlv

Apr 29 09:08:24.723: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:24.723: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:25.135: TFTP: Looking for SEP0024C4FE1617.cnf.xml

Apr 29 09:08:25.335: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:25.335: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:25.907: fh_server: fh_io_msg: received msg FH_MSG_SYS_REQINFO from client 2 pclient 2

Apr 29 09:08:25.911: EEM Inside fh_policy_proc()

Apr 29 09:08:25.911: TFTP: Opened system:/its/vrf1/SEP0024C4FE1617.cnf.xml, fd 0, size 1788 for process 84

Apr 29 09:08:25.915: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:25.915: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:25.919: TFTP: Finished system:/its/vrf1/SEP0024C4FE1617.cnf.xml, time 00:00:00 for process 84

Apr 29 09:08:25.923: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:25.923: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:28.594: TFTP: Looking for English_United_States/td-sccp.jar

Apr 29 09:08:28.598: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:28.598: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:29.430: TFTP: Looking for United_States/g3-tones.xml

Apr 29 09:08:29.430: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:29.430: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:30.150: New Skinny socket accepted [2] from 0, sub 1 (4 active)

Apr 29 09:08:30.150: sin_family 2, sin_port 53132, in_addr 10.0.4.103

Apr 29 09:08:30.150: skinny_add_socket 2 10.0.4.103 53132

Apr 29 09:08:30.154: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:30.154: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:30.154: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:30.154: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:30.154: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:30.154: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:30.514: ephone-(1)[3] StationRegisterMessage (3/4/21) from 10.0.4.103

Apr 29 09:08:30.514: ephone-(1)[3] Register StationIdentifier DeviceName SEP0024C4FE1617

Apr 29 09:08:30.514: ephone-(1)[3] StationIdentifier Instance 0    deviceType 30006

Apr 29 09:08:30.514: fSkinnyStationRegister deviceType 30006 protocolVer = 0x85720014

Apr 29 09:08:30.514: StationJoinAndDirectTransferFeatureSupportMask set disable

Apr 29 09:08:30.514: StationDisableJoinOnTheSameLineFeatureMask set enable

Apr 29 09:08:30.514: StationDisableJoinAcrossLineFeatureMask set enable

Apr 29 09:08:30.514: StationDisableDirectTransferOnTheSameLineFeatureMask set enable

Apr 29 09:08:30.514: StationDisableDirectTransferAcrossLineFeatureMask set enable

Apr 29 09:08:30.514: ephone-1[0/2][SEP0024C4FE1617]:stationIpAddr 10.0.4.103

Apr 29 09:08:30.514: ephone-1[0/2][SEP0024C4FE1617]:stationIpv6Addr ::

Apr 29 09:08:30.514: ephone-1[0/2][SEP0024C4FE1617]:maxStreams 5

Apr 29 09:08:30.514: ephone-1[0/2][SEP0024C4FE1617]:From Phone raw protocol Ver 0x85720014

Apr 29 09:08:30.514: ephone-1[0/2][SEP0024C4FE1617]:protocol Ver 0x85720014

Apr 29 09:08:30.514: ephone-1[0/2][SEP0024C4FE1617]:phone-size 36128 dn-size 1008

Apr 29 09:08:30.518: ephone-(1) Allow any Skinny Server IP address 10.0.4.5

Apr 29 09:08:30.518: ephone-1[0/2][SEP0024C4FE1617]:SEP0024C4FE1617: Registering Device (security 0) Mismatch the ephone configuration (mode 3) the CME: reject registration

Apr 29 09:08:30.518: Skinny register (phones=3/4/21) REJECT from IP 10.0.4.103

kaja_2kj3
Level 1
Level 1

Hi

    if we encrypt the data and voice, will we able to capture and see the packets for investigation of packets incase if there is a need like using wireshark.

Thanks

pibpicacco
Level 1
Level 1

Hi Steven,

You really help us. We had limited amount of time for setup, but your brilliant work resolved all our questions. We experianced some problems with 7960 phones, but after few attempts all was working fine.

toavinarabeson
Level 1
Level 1

Hi Steven,

Thank you for the documentation this is very helpfull, but I have a question before running the script.

Are these steps compatible with Cisco IP Communicator?

Thanks a lot

toavinarabeson
Level 1
Level 1

Thanks Steven!

It works perfectly for me!

God bless you!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: