Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
32817
Views
10
Helpful
5
Comments

CUCM Generating LSC Certificates for Secure Phones

Jason Burns
Level 1
Level 1

‎10-05-2009 12:53 PM - edited ‎03-12-2019 09:21 AM

The LSC (Locally Significant Certificate) is required for use in phone models that support security, but do not come with a MIC (Manufacturing Installed Certificate). For example, the 7940 and 7960
Installing the LSC requires the use of at least two USB eTokens and the CTL Client, or you can follow the procedure here to be used only with the Phone Proxy feature on the ASA: https://supportforums.cisco.com/docs/DOC-12963. The CTL Client is used to generate the necessary certificates on the CallManager. Once the CTL Provider and CAPF Services are activated on the cluster, the CTL Client can be run to generate the CTL file on the CallManager. Once this process completes it is then possible to set the "Certificate Operation" on the IP Phone to "Install/Upgrade" through the CCMAdmin Interface. This process must be used for all 7940/60 and older model IP Phones. Without the USB eToken and the CTL Client there is no way to install LSCs on IP Phones *(see note). The Part number for the USB eToken is: KEY-CCM-ADMIN-K9=

Note:

With the release of CUCM 8.0 and greater some phone models download an ITL (Initial Trust List) file that contains the CAPF certificate. Only 7941/61 and greater phone models support this ITL file. See full documentation here:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_6_1/secugd/secusbd.html

When the phone has this CAPF certificate the USB eTokens are no longer required to install an LSC on the phone. Simply perform steps 1 and 13-17.

eTokens will still be required for authenticated or encrypted configuration files, but are not needed to install an LSC on the phone.


Here are the full instructions to get the LSC to the phone. These instructions assume you have not installed the CTL Client or activated any security services on Communications Manager.

  1. In CUCM Serviceability > Service Activation activate Cisco CTL Provider and Cisco Certificate Authority Proxy Function on the publisher server
  2. Obtain two of the previously mentioned security token: KEY-CCM-ADMIN-K9=
  3. Install the CTL Client on a Windows PC. You can get the plugin from CUCM Administration > Application > Plugins > Cisco CTL Client
  4. Reboot the Windows PC
  5. Start the CTL Client and point it to the IP of your publisher server
  6. Select "Update CTL File"
  7. Insert the first token when prompted
  8. Select "Add"
  9. When finished with the first token select "Add" again and insert the second token when instructed
  10. Click "Finish" after the second token has been added
  11. Restart the Cisco TFTP and then Cisco CallManager service on all nodes in the cluster
  12. At this point on the 7960 phone GUI you should be able to navigate to Settings > (6) Security Configuration > (5) CTL File and see a long hex string
  13. From CUCM CCMAdmin navigate to Device > Phone > pick the 7940/60 IP Phone you want to provision an LSC on
  14. In the Device config page under Certificate Operation select > Install / Upgrade > By Authentication String > Enter your own auth string. This will need to be punched into the phone itself.
  15. Save the phone config in CCMAdmin and select "Reset"
  16. When the phone resets go to the physical phone and hit Settings > (6) Security Configuration > (4) LSC > **# (This operation unlocks the GUI and allows us to continue to the next step) > Update (Update will not be visible until you perform the previous step) > Enter the auth string into the phone > Hit Submit
  17. You will see "Generating Keys." This will take a few minutes. When it completes the LSC installation has finished. This phone is now ready for use with either ASA Phone Proxy, or a Secure CallManager cluster.
Labels:
Comments
ruweliu
Cisco Employee
Cisco Employee
‎10-26-2009 06:12 PM

Thanks for the sharing.

I have a question that might looks quite silly: How do I accomplish step 2? I mean, where can I get these security token? How do I suppose to put it on a USB? I had my call manager downloaded from Cisco intranet, it didn't come with any instructions on that aspect.

Appreciate your help.

Jason Burns
Level 1
Level 1
‎10-27-2009 06:32 AM

Ruwei,

That is a Cisco part number for a small hardware USB Token. You would have to order two of those hardware pieces from Cisco through whatever methods you normally use to order parts.

tenaro.gusatu.novici
Level 3
Level 3
‎06-15-2010 12:04 PM

Hi there,

can we start from beginning here: are you absolutely sure "LSC requires the use of at least two USB eTokens "? What if I want to save some bucks and I'm happy with self-signed certificate on my CUCM (meaning no money will be spent on USB eTokens)?

I'm the man in charge for my voice network and I simply want to tell my boss that our IP Telephony network is completely secured, i.e. I'm able to configure fully encrypted (signaling and media) voice communication inside our LAN (calls between any two Cisco IP phones controlled by the CUCM). I don't think USB eTokens are necessary to achieve this.

Please correct me if I'm wrong.

Regards,

Tenaro

Jason Burns
Level 1
Level 1
‎06-15-2010 03:48 PM

Tenaro,

The USB eTokens are required to run the CTL Client and generate the CTL file. Without the USB eTokens there is no way to generate a CTL file, and no way to set the cluster to mixed mode security.

USB eTokens are absolutely required to enable phone security.

karl.kornel
Community Member
‎09-07-2010 12:59 AM

There is also another reason why you need to have at least two tokens:  If I understand correctly, if you need to change the CTL file after it is created, then you need to have at least one of the tokens that was originally used.  Changing the CTL file could be needed if you add an additional subscriber, or if you add an ASA proxy.  Therefore, two tokens is for safety:  Keep one token in a safe place, and keep the other token in another safe place somewhere else.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents