With Akhil Behl
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Unified Communications Manager Certificates.
Cisco Unified Communications Manager is the heart of any Cisco Collaboration network. It provides vital services such as call control, dial plan and, most important, a central point of integration for various UC and third-party applications. Cisco Unified Communications Manager comes with a host of security features, almost all of which are based on certificates and Public Key Infrastructure (PKI). Although certificates enable everyone from an engineer to a network manager to an information security consultant to deploy security features for a Cisco Collaboration network, many of the certificates and their functions still need to be understood and managed properly to achieve a truly secure voice network.
This is a continuation of the live webcast.
Akhil Behl is a solutions architect with Cisco Services, focusing on Cisco Collaboration and Security architectures. He leads collaboration and security projects and service delivery worldwide for Cisco Services and the Collaborative Professional Services (CPS) portfolio. He has played a major role in service conception and creation for various services within Cisco Advanced Services. His experience spans presales, sales, Professional Services, delivery and post-sales, with expertise in consulting, advisory, and guidance services. He has extensive experience in the borderless, collaboration, and data center portfolios. Prior to his current role, he spent 10 years working in various roles at Linksys as a technical support lead, as an escalation engineer at the Cisco Technical Assistance Center (TAC), and as a network consulting engineer in Cisco Advanced Services.
Akhil has a bachelor of technology degree in electronics and telecommunications from IP University and a master's degree in business administration from Symbiosis Institute. He is dual Cisco Certified Internetwork Expert CCIE 19564 in voice and security. He also holds many other industry certifications, such as PMP, ITIL, VCP, ISM, CCNA, CCSP, CCVP, ISO/IEC 27002, TOGAF, and CEH.
Over the course of his career, Akhil has presented and contributed at various industry forums such as Enterprise Connect, Cloud Connect, Cloud Summit, Interop, Cisco Networkers, and SecCon. He has several research papers published in various national and international journals, including IEEE. He is an avid blogger and maintains a blog about unified communications security.
Aashish Jolly
Aashish Jolly is a network consulting engineer who is currently serving as the Unified Communications (UC) consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center, where he helped customers and Cisco partners with installing, configuring, and troubleshooting UC products such as Cisco UC Manager and Manager Express, Cisco Unity solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco UC for more than seven years. He holds a bachelor of technology degree as well as CCIE (Voice) #18500, CCNP Voice, CCNA, VCP 5 and RHCE certifications.
Remember to use the rating system to let Akhil and Aashish know if you have received an adequate response.
Akhil and Aashish might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in the Collaboration, Voice and Video sub-community, IP Telephony discussion forum shortly after the event. This event lasts through January 17, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
Webcast related links:
Hello Akhil and Aashish,
Here are some of the questions that came in during your live webcast presentation; can you provide answers for these?
-How do I differentiate when using Tomcat for LDAP or HTTPS?
-How can I differentiate between a root CA and identity certificate by looking at certificate?
-How many e tokens can I use to secure my CUCM cluster?
-Do I need to regenerate all certificates when I upgrade my cluster on same or different hardware?
Please find the answers to these questions as follows:
Q. How do I differentiate when using Tomcat for LDAP or HTTPS?
A. Tomcat certificates can be used for HTTPS as well as for LDAP security. The major difference is that, when signed for only HTTPS, Tomcat will be signed by the CA using the web server certificate template, whereas for LDAP it has to be signed by the CA using the server template. In the case of Tomcat, the request is redirected from HTTP to HTTPS, i.e. TCP 80 > 8443, and for LDAP it works by redirecting from 389 (LDAP) to 636 (standalone AD) or 3269 (DC) LDAPS.
Q. How can I differentiate between a root CA and identity certificate by looking at certificate?
A. It is the CN of a certificate that can help distinguish between a CA root and an identity certificate. A CA root certificate will have the same CN for the issuer and for the subject name, whereas an identity certificate will have a different CN for the issuer (CA) and for the subject name.
Q. How many e-tokens can I use to secure my CUCM cluster?
A. Although there’s no fixed maximum number for eTokens that can be used for securing a cluster, a minimum of two eTokens are required and any number of eTokens can be used (ideally between 4-10) for redundancy.
Q. Do I need to regenerate all certificates when I upgrade my cluster on same or different hardware?
A. No, you need not regenerate all certificates when upgrading a cluster from one version to another on the same or different hardware, as the DRS backup contains all certificates and keys. However, due to any hostname / certificate-impacting field change (any of the certificate parameters) or a bug, it may be required to regenerate the certificate that is self-signed and self-generated on CUCM or get a new signed certificate from the CA.
Author of “Securing Cisco IP Telephony Networks”
By default, CallManagers automatically exchange their Tomcat certificates.
When using an external CA for signing Tomcat certificates, is there any need to keep these automatically exchanged certificates? After all, they've all been signed by the same CA whose public key you've already imported into the Tomcat-trust store.
I would appreciate if you can extrapolate on your question as it will help us to answer it better.
From what I could understand, your question is if CUCM exchanges Tomcat certificates within a cluster and if redundant (self-signed) certificates can be deleted in case a user wishes to use externally signed certificates.
If that was your query, the answer is twofold. CUCM servers do not replicate Tomcat certificates within a cluster, as each server is installed with its unique hostname/FQDN that is used to generate the self-signed certificate, and it would be meaningless to have a certificate with a different CN replicated to a node that is not going to use that hostname/FQDN.
For the latter part, the answer is yes, you can delete any (currently) unused certificates and leverage only the intended CA-signed certificate for Tomcat. In fact, CUCM overwrites the Tomcat identity certificate with the CA-signed identity certificate, although you can end up with as many Tomcat-trust certificates as CA (root) certificates you upload.
Author of “Securing Cisco IP Telephony Networks”
It actually depends on the security policy of an organization. With External CA, the only benefit that I see is you don't need to install root certs in every machine's trust store as most machines would already have that.
To add to what Aashish mentioned, having external CA sign certificates on CUCM has following advantages:
- Certificate revocation using OCSP is centralized as all certificates are rooted from the same CA
- CA-signed certificates come with a fixed lifetime (as defined by the CA authority); hence, having all certificates signed by the same CA helps maintain sanity in terms of certificate lifetime
Hope this answers your query.
Author of “Securing Cisco IP Telephony Networks”
thanks for the opportunity to ask questions. I'm really new in this (security around IP Telephony) even if I tried to dig deeper into it in the past. I'd like to start with some kind of lab, where I'll be able to test things. So, will I be able to use Microsoft Server (2003 or 2008 or 2012) as CA (not aware if Cisco has one), CUCM 9.1 with demo licenses and IP Communicators as client phones to test basic signaling and/or media encryption? Can you briefly explain what will be the steps to demonstrate secure environment? For example, is it something like this: install CA, request certificate signing from CUCM, request certificate signing from IP phones, upload signed certificates to CUCM and phones, configure secure calls on CUCM, make calls and use wireshark to prove that signaling/media messages can't be captured?
I appreciate your reply. While we are still waiting for any reply from Akhil and Aashish, can you please explain why it is not possible to configure encrypted calls without Security Tokens? The link you provided specifies version 7.1.5 as the minimum CUCM version to use for Security Tokens; how was it configured before that version? I'm trying to figure out if Security Tokens are mandatory parts or just nice-to-have/recommended.
Yes, the experts have been noticeable by their absence ;-)
The security token has been required since at least CUCM 6 for encrypted calls, and is still required for CUCM 9.
I haven't looked at the whole call security thing for a while, but I seem to remember that there are multiple components of encrypted calls in CUCM:
- Phone signalling & media
- CUCM <> CUCM
- Gateway signalling & media.
I believe the tokens handle the phone side. A quick google reveals these two starter pages:
Please rate all helpful posts.
Security tokens have been in existence ever since CUCM was designed to support encryption. From what I can remember, since CUCM 4.x security eTokens have been required for enabling CAPF-based LSC and creating the CTL file for phones.
To setup a secure environment with TLS for signaling and SRTP for media you'll need to run through CTL client wizard followed by applying a security profile to endpoints and finally placing a call between two secure phones such that the lock shows up besides the line you're calling from confirming that the call is secure.
For detailed information on eTokens, CAPF, and CTL you can refer to Chapter 9 of Securing Cisco IP Telephony Networks
Please let us know if you have any more queries on this topic.
Your approach is correct. Generate a CSR and get it signed by the Microsoft CA you've set up in your lab. Place root certs in the service-type-trust store and relevant service certs in their respective stores. So root certs go into the tomcat-trust store in CUCM. The signed cert for tomcat goes into Tomcat. You can upload the root certs to the pub only and they'll be replicated.
Here's a nice document on CUCM certificates for your reference
High Level View of Certificates and Authorities in CUCM