Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask any questions about how to manage certificates in Unified Communications Manager with Cisco expert Vasanth Kumar.
Ask questions from Tuesday, February 8 to Friday, February 19, 2016.
Cisco Unified Communications Manager is the IP-based call control solution that provides a comprehensive solution for enterprise collaboration needs. Cisco UCM integrates with various other applications and third-party deployments. Securing the communication and integration with other applications is essential to keep the enterprise business secure.
This session will focus on answering questions regarding managing the certificates in Unified Communications Manager, best practices, how to proactively mitigate issues with certificate expiration, common deployment issues related to third-party CA-signed certificates, and troubleshooting Multi-Server SAN related issues.
Vasanth Kumar is a Technical Support engineer in the Cisco Technical Assistance Center in Cisco India. He is an expert on Cisco Unified Communications Manager and has been actively working on Voice Gateways and the IM and Presence server. He has been helping customers as well as Cisco partners with installation, configuration and troubleshooting of UC products, ranging from small to large scale deployments, for five years. Kumar holds a bachelor's degree in Electronics and Communication from DCE, a college affiliated with Anna University Chennai, and a CCIE in Voice and Collaboration (#39543); he has also achieved RHCE and VCP certification.
Vasanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Unified Communications Applications Community.
There are three services that trigger a cluster-wide phone restart (a quick refresh on the screen). These are TVS, CAPF, and CCM+TFTP. Please find the screenshot displaying the warning. This warning has been added from the latest 10.5(2) SU release onwards.
Please note that if you open a certificate and try to regenerate it, the warning / pop-up is not displayed.
I have opened a defect to ensure parity with the warning across all methods of certificate regeneration.
To configure the CUCM for secure RTP you have to follow these steps:
Now apply the configured file to the phone.
To test if the RTP is secure, apply the secure profile to the two phones and make a call between them; once connected you will see a lock sign next to the timer.
In step 2, after setting the cluster to mixed mode, you can restart only the CCM and TFTP services on the nodes where they are activated.
Please refer to the following article for more details:
Instead of step 2 you need to use the CTL Client and USB token to build the CTLFile. The rest of the steps remain the same.
The following gives you a practical guide to achieve it:
Ensure that the CTL Provider service is running on all nodes in the cluster and that you have obtained USB tokens.
Insert the first USB token and install the "Safenet Authentication Client Tools" and "CTL Client", which can be downloaded from CCM Administrator > Application > Plugins menu.
Subsequently you can run the CTL Client application, which will fetch the CAPF and CCM+TFTP certificates from all nodes and build a trust list. This CTL file will later be signed by the private key stored in the USB token, which makes it important to keep the tokens safe. It is mandatory to use two USB tokens during the initial setup, for backup purposes in case one of the tokens is damaged or misplaced.
This is why the tokenless method was introduced, to avoid such issues.
Thank you for your support
So, what is the advantage of using a USB token? Does it provide more complex encryption? Or what exactly?
I'm glad you asked this.
Since the USB tokens are used to sign the CTLFile.tlv, they provide resiliency in terms of having a backup token when one is lost, by having multiple SAST token entries in the CTLFile.
However, with the tokenless implementation there was a caveat, because the CTLFile.tlv contained only one Soft token entry (the publisher's Callmanager.pem).
However, this is addressed in the 11.0 release, where the CTLFile.tlv contains two "System Administrator Security Token" entries to provide the resiliency.
Hence if you are running a 10.x release I would prefer the USB token over the tokenless approach. From 11.0 onwards I would recommend using the tokenless method for implementing a mixed mode cluster.
Thank you so much for your support.
Can I say I can configure SRTP for our customers without any additional requirements? Is all I need the CUCM Restricted version?
In order to have SRTP between devices, the device(s) need to be secured (encrypted signalling).
Encrypted signalling allows you to share the crypto keys securely to encode/decode the RTP stream.
The CUCM Restricted version allows you to enable Mixed Mode, which enables devices to register securely to UCM.
Mixed mode is enabled by running the CTL Client or the tokenless CLI (10.x onwards).
I'm glad I could help.
When we say Mixed Mode, does it mean having both encrypted and non-encrypted communications?
For example, some phones are configured to use a secured device profile and some a non-secured one?
Thank you for your time and support. I have a very basic question. I did not add any certificate to CUCM before and I have to deal with certificates now. So, can I know the disadvantages that I may face if I add a certificate for Tomcat or others to CUCM?
It's a very interesting one. There is no harm in adding a certificate to the trust store if that's what you are trying to achieve. But adding unnecessary certificates will overwhelm the administrator in managing them at times of troubleshooting. You can also upload a CA-signed server certificate, for which you need to have the CA certificate added to the respective trust store, for example tomcat-trust.
Could you please be more specific on what you are trying to achieve by uploading certificates to UCM?
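Two points in this thread lend themselves to a worked check: the trust-store rule in the answer above (a CA-signed server certificate only validates if its issuing CA is present in the matching trust store, e.g. tomcat-trust) and the proactive expiry monitoring the session is about. The script below is an added example written for this page, not code from Cisco, from CUCM, or from any participant. It walks the DER encoding of a certificate using only the Python standard library, reports days to expiry against a configurable warning window, and checks that a server certificate's issuer matches the subject of some certificate in a trust store. The certificates, the names (Example Root CA, cucm-pub.example.test, a CAPF name) and the reference date are constructed, unsigned samples built inside the script for demonstration; they are not real CUCM certificates and the script does not verify signatures.

```python
import datetime as dt

# ---- minimal DER helpers: just enough for the X.509 fields used below ----

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _tlv(tag, value):
    """Encode a DER tag-length-value (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        ln = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + ln + value

def _parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = ("20" if yy < 50 else "19") + s   # RFC 5280 two-digit year rule
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ")

def parse_cert(der):
    """Return issuer/subject (raw DER Name contents) and validity of an X.509 cert."""
    _, cert_body, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    tbs = _children(cert_body)[0][1]               # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # optional explicit [0] version
        fields = fields[1:]
    _serial, _sig_alg, issuer, validity, subject = fields[:5]
    not_before, not_after = [_parse_time(t, v) for t, v in _children(validity[1])]
    return {"issuer": issuer[1], "subject": subject[1],
            "not_before": not_before, "not_after": not_after}

# ---- the two checks a CUCM admin wants before/after uploading certificates ----

def expiry_status(der, now, warn_days=60):
    """Classify a certificate as EXPIRED, EXPIRING or OK relative to `now`."""
    days = (parse_cert(der)["not_after"] - now).days
    if days < 0:
        return "EXPIRED", days
    if days <= warn_days:
        return "EXPIRING", days
    return "OK", days

def issuer_in_trust_store(server_der, trust_store_ders):
    """True if some trust-store cert's subject equals the server cert's issuer."""
    issuer = parse_cert(server_der)["issuer"]
    return any(parse_cert(d)["subject"] == issuer for d in trust_store_ders)

# ---- constructed, unsigned sample certificates (hypothetical names) ----

def _name(cn):
    # Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue); OID 2.5.4.3 is commonName
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))

def make_sample_cert(subject_cn, issuer_cn, not_before, not_after):
    """Build an X.509-shaped DER blob with an empty key and empty signature (demo only)."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))            # version v3
               + _tlv(0x02, b"\x01")                      # serialNumber
               + sha256_rsa                               # signature algorithm
               + _name(issuer_cn)
               + _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
               + _name(subject_cn)
               + _tlv(0x30, b""))                         # subjectPublicKeyInfo left empty
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))  # empty BIT STRING signature

ROOT_CA = make_sample_cert("Example Root CA", "Example Root CA", "150101000000Z", "250101000000Z")
TOMCAT = make_sample_cert("cucm-pub.example.test", "Example Root CA", "150315000000Z", "160315120000Z")
CALLMANAGER = make_sample_cert("cucm-pub-ms.example.test", "Example Root CA", "160101000000Z", "210101000000Z")
CAPF = make_sample_cert("CAPF-sample", "CAPF-sample", "110101000000Z", "160101000000Z")

def audit(now=dt.datetime(2016, 2, 10), warn_days=60):
    """Per-certificate expiry status plus whether the CA-signed tomcat cert chains to tomcat-trust."""
    certs = {"tomcat": TOMCAT, "CallManager": CALLMANAGER, "CAPF": CAPF}
    report = {name: expiry_status(der, now, warn_days) for name, der in certs.items()}
    report["tomcat_chains_to_tomcat_trust"] = issuer_in_trust_store(TOMCAT, [ROOT_CA])
    report["tomcat_chains_to_empty_store"] = issuer_in_trust_store(TOMCAT, [])
    return report

if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run against real certificates by feeding `parse_cert` the DER bytes of each .pem exported from the OS Administration page (strip the PEM armor with `ssl.PEM_cert_to_DER_cert` first). The Name comparison is a byte-for-byte DER match, which is exactly what a strict chain builder requires, so a "False" from `issuer_in_trust_store` is the condition under which a CA-signed tomcat certificate will not validate until the CA certificate is uploaded to tomcat-trust.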