The LSC (Locally Significant Certificate) is required on phone models that support security but do not come with a MIC (Manufacturing Installed Certificate), for example the 7940 and 7960.
Installing the LSC requires at least two USB eTokens and the CTL Client. Alternatively, you can follow the procedure here, which is to be used only with the Phone Proxy feature on the ASA: https://supportforums.cisco.com/docs/DOC-12963. The CTL Client is used to generate the necessary certificates on the CallManager. Once the CTL Provider and CAPF services are activated on the cluster, the CTL Client can be run to generate the CTL file on the CallManager. Once this process completes, it is possible to set the "Certificate Operation" on the IP Phone to "Install/Upgrade" through the CCMAdmin interface. This process must be used for all 7940/60 and older model IP Phones. Without the USB eToken and the CTL Client there is no way to install LSCs on IP Phones *(see note). The part number for the USB eToken is: KEY-CCM-ADMIN-K9=
With the release of CUCM 8.0 and later, some phone models download an ITL (Initial Trust List) file that contains the CAPF certificate. Only 7941/61 and greater phone models support this ITL file. See full documentation here:
When the phone has this CAPF certificate, the USB eTokens are no longer required to install an LSC on the phone. Simply perform steps 1 and 13-17.
eTokens will still be required for authenticated or encrypted configuration files, but are not needed to install an LSC on the phone.
Here are the full instructions to get the LSC to the phone. These instructions assume you have not installed the CTL Client or activated any security services on Communications Manager.
In CUCM Serviceability > Service Activation activate Cisco CTL Provider and Cisco Certificate Authority Proxy Function on the publisher server
Obtain two of the previously mentioned security tokens: KEY-CCM-ADMIN-K9=
Install the CTL Client on a Windows PC. You can get the plugin from CUCM Administration > Application > Plugins > Cisco CTL Client
Reboot the Windows PC
Start the CTL Client and point it to the IP of your publisher server
Select "Update CTL File"
Insert the first token when prompted
When finished with the first token select "Add" again and insert the second token when instructed
Click "Finish" after the second token has been added
Restart the Cisco TFTP service and then the Cisco CallManager service on all nodes in the cluster
At this point, on the 7960 phone GUI, you should be able to navigate to Settings > (6) Security Configuration > (5) CTL File and see a long hex string
In CUCM CCMAdmin, navigate to Device > Phone and pick the 7940/60 IP Phone you want to provision an LSC on
In the Device config page under Certificate Operation, select Install / Upgrade > By Authentication String and enter your own auth string. This string will need to be entered on the phone itself.
Save the phone config in CCMAdmin and select "Reset"
When the phone resets go to the physical phone and hit Settings > (6) Security Configuration > (4) LSC > **# (This operation unlocks the GUI and allows us to continue to the next step) > Update (Update will not be visible until you perform the previous step) > Enter the auth string into the phone > Hit Submit
You will see "Generating Keys." This will take a few minutes. When it completes the LSC installation has finished. This phone is now ready for use with either ASA Phone Proxy, or a Secure CallManager cluster.