cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11653
Views
40
Helpful
22
Replies

Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

ciscomoderator
Community Manager
Community Manager

            Read the bioWith Akhil Behl

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Unified Communications Manager Certificates. 

Cisco Unified Communications Manager is the heart of any Cisco Collaboration network. It provides vital services such as call control; dial plan; and, most important, a central point of integration for various UC and third party applications. Cisco Unified Communications Manager comes with a host of security features, almost all of which are based on certificates -Public Key Infrastructure (PKI). Although, certificates empower an engineer to a network manager to an information security consultant to enable and deploy security features for Cisco Collaboration network; many of the certificates and their functions remain to be understood and managed properly to achieve a truly secure voice network construct.

This is a continuation of the live webcast.

Akhil Behl is a solutions architect with Cisco Services, focusing on Cisco Collaboration and Security architectures. He leads collaboration and security projects and service delivery worldwide for Cisco Services and the Collaborative Professional Services (CPS) portfolio. He has played a major role in service conception and creation for various services within Cisco Advanced Services. He has presales to sales to Professional Services to delivery to post sales experience with expertise in consulting, advisory, and guidance services. He has extensive experience in borderless, collaboration, and data center portfolios. Prior to his current role, he spent 10 years working in various roles at Linksys as a technical support lead, as an escalation engineer at the Cisco Technical Assistance Center (TAC), and as a network consulting engineer in Cisco Advanced Services.  

Akhil has a bachelor of technology degree in electronics and telecommunications from IP University and a master's degree in business administration from Symbiosis Institute. He is dual Cisco Certified Internetwork Expert CCIE 19564 in voice and security. He also holds many other industry certifications, such as PMP, ITIL, VCP, ISM, CCNA, CCSP, CCVP, ISO/IEC 27002, TOGAF, and CEH.  

Over the course of his career, Akhil has presented and contributed at various industry forums such as Enterprise Connect, Cloud Connect, Cloud Summit, Interop, Cisco Networkers, and SecCon. He has several research papers published in various national and international journals, including IEEE. He is an avid blogger and maintains a blog about unified communications security at Aashish Jolly

Aashish Jolly

Aashish Jolly is a network consulting engineer who is currently serving as the Unified Communications (UC) consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center, where he helped customers Cisco partners with installation, configuring, and troubleshooting UC products such as Cisco UC Manager and Manager Express, Cisco Unity solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco UC for more than seven years. He holds a bachelor of technology degree as well as CCIE(Voice) # 18500, CCNP Voice,  CCNA,  VCP 5 and RHCE certifications.

Remember to use the rating system to let Akhil and Aashish know if you have received an adequate response. 

Akhil & Aashish might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in Collaboration, Voice and Video,  sub-community, IP Telephony discussion forum shortly after the event. This event lasts through January 17, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

Webcast related links:

22 Replies 22

Hello Tenaro,

I replied to your query about use of eTokens to secure CUCM. In case you have any specific queries about use of any other certificates in your lab or production system feel free to ask.

Also, I'll recommend going through the book Securing Cisco IP Telephony Networks and explore UC security in greater detail so you can decide what certificates you need in your environment and how you wish you leverage secure services.

http://www.amazon.com/dp/1587142953

Regards,


Akhil Behl
Solutions Architect

Cisco Systems


Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

Akhil Behl Solutions Architect akbehl@cisco.com Author of “Securing Cisco IP Telephony Networks” http://www.ciscopress.com/title/1587142953

Thanks Akhil,

can you please confirm that following paragraph is correct (or let me know if something is wrong):

Cisco is installing certificate in every phone during production (this is called Manufactured Installed Certificate). Thanks to that MIC, phone will accept secure messages only if signed by Cisco. Messages don't have to be signed directly by Cisco: use eTokens to declare that your existing CUCM publisher is trusted by Cisco and that IP phones can also trust  this new guy because Cisco approved it. In other words, eTokens allow  you to sign newly created list of trusted CAs and because eTokens sign  it as Cisco then IP phones will not have any problems to accept this  encrypted list (called CTL). Once IP phone learns it can trust local CUCM it will be able to install LSC and use it instead of MIC.

Hello Tenaro,

Yes, that is absolutely correct. There are two major categories of certificates - Manufacturing Installed Certificates (MIC) and Locally Significant Certificates (LSC). MIC come factory installed and are signed by Cisco manufacturing CA (root is already present in CUCM certifiate store). LSC are derived from CAPF and are signed by CTL client using eTokens.

In either case, the cluster must be in mixed-mode to support call encryption i.e. CTL client must be used and run with eTokens to convert CUCM cluster to mixed-mode such that phone certificates whether MIC or LSC can be used.

Hope this resolves your query!

For greater insight to Cisco PKI, UC security, and CUCM encryption/authentication please refer to Securing Cisco IP  Telephony Networks book.

http://click.linksynergy.com/fs-bin/click?id=aV8WWcTd0Yc&offerid=145238.10000326&type=3&subid=0

http://www.amazon.com/dp/1587142953

Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

Akhil Behl Solutions Architect akbehl@cisco.com Author of “Securing Cisco IP Telephony Networks” http://www.ciscopress.com/title/1587142953

Robert Lake
Level 1
Level 1

Akhil,

I have a situation where phones aren't downloading a new ITL file causing them to be unable to download thier signed configuration file. They get what appears to be a valid CTL file but the ITL file is listed as "Not Installed". What steps should I take to troubleshoot this issue?

Hello Robert,

There could be a couple of things you can look for in this case.

  • Check the Enterprise Paramter for Roll Back to pre 8.x and ensure it is set to False.
  • Check the status of ITL file from CUCM CLI - using command show itl and ensure that the system has a valid ITL file.

Also, you can try and create a new phone (presuming its the existing phones that are unable to download ITL file) in CUCM and see if that endpoint is able to download ITL followed by CTL.

Regards,

Akhil Behl
Solutions Architect

Cisco Systems


Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

Akhil Behl Solutions Architect akbehl@cisco.com Author of “Securing Cisco IP Telephony Networks” http://www.ciscopress.com/title/1587142953

So it turns out that I needed to run the CTL client after I had done an upgrade from CUCM 8.5(1) to 8.6.. Due to this being on my test system the phone configurations didn't change much and I just realized there was an issue.. Thanks for the help. Was that update needed due to the back end OS change on the appliance or will I need to run the CTL client after every CUCM update 8.x and greater?

Good to know that the issue is fixed. That makes sense since, after an upgrade, CTL client re-run is always recommended (please see webcast or presentation slides) to overcome any bugs and refreshing CTL cache.

Regards,

Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

Akhil Behl Solutions Architect akbehl@cisco.com Author of “Securing Cisco IP Telephony Networks” http://www.ciscopress.com/title/1587142953

noc
Level 1
Level 1

Hello Akhil and Aashish

 

I have a question, about LSC certs.  I have CUCM cluster in my company, and I am in the process of rolling out LSC certs on multiple 9971 IP Phones.  

 

I am trying to figure out how to automatically roll out LSC certs from CUCM when the IP Phones gets reset to factory default settings.

 

Currently in CUCM I have to modify CAPF settings for IP phone and chose install option for LSC cert as well as specify the date for 2048 bit cert.  If i do it manually this way, LSC gets installed, and I was able to verify that indeed it gets installed form the phone.

 

However, when I reset the phone to factory default settings the LSC cert is no longer getting pushed back to the phone automatically, unless i log back into CUCM find the phone and once again select install setting for LSC inside CAPF Section.

 

The thing is, after resetting phones to factory default i would like the certs to also automatically get pushed from CUCM onto the phones, without me manually logging into CUCM and selecting the phone, then modifying install setting.

 

Do you guys happen to know if this is intended way of how factory default works with CUCM?  Or is there anyway to somehow modify this behavior for the phone to automatically obtain LSC?

 

Note after resetting the phone.. all the other... settings get pushed, meaning phone gets an IP Address etc..  It's just i am doing this for over 1000 phones, and prefer to have LSC rolled out automatically even if the phone gets reset to factory default.  

 

I realize there is also a bulk function available to do a bulk load of configurations on multiple phones, however the problem is not in bulk loading the config on multiple phones, but rather insuring that the LSC cert gets deployed automatically. 

 

Please help, I can't seem to figure this one one.