CUBE encryption

j.huizinga
Level 6

Hi

We are looking on how to do encryption on both legs of the CUBE

So between CUCM --- CUBE(inside) encryption

And between CUBE(outside)------ encryption

For the inside we want to use a private CA and for the outside a public CA

Is this supported? Or must we use one CA for both legs?

 

Thanks

 

JH

 

3 Replies

b.winter
VIP

Hi,

 

In the SIP-UA configuration, you can control which trustpoint (in principle, which cert/CA) should be used for which remote IP addresses.

 

But why don't you just use the public one for both? You just need to upload the CA that signed the CUBE's cert into callmanager-trust.

 

--- Please rate this post as "Helpful" or accept as a solution, if your question has been answered ---

I'm fairly confident that you can do this, however I have not done so myself. Looking at the command crypto signaling under SIP-UA, there is a possibility to define the remote IP for which a specific trustpoint is used. By this it should be possible to achieve what you ask for, from what I can read out of the configuration guidelines.

crypto signaling {remote-addr ip-address subnet-mask | default} [tls-profile tag | trustpoint trustpoint-name [client-vtp trustpoint-name | {ecdsa-cipher [curve-size 384] | strict-cipher}] | cn-san-validate {server [client-vtp trustpoint-name | {ecdsa-cipher [curve-size 384] | strict-cipher}]}]
! ECDSA ciphers are not supported on TLS version 1.0.

For more details on TLS configuration, please see this document: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/voi-cube-sip-tls.html

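A worked configuration for the split-trustpoint approach both replies describe (one trustpoint per leg, selected by remote address under sip-ua), added here as an illustration. It is not taken from the thread or from Cisco's documentation. The trustpoint names, key labels, hostnames, the CUCM subnet 10.10.10.0/24, the CUCM address 10.10.10.5 and the provider hostname sbc.provider.example are constructed assumptions; the crypto signaling forms used are the remote-addr and default variants from the syntax quoted above.

```cisco
! --- Trustpoint for the inside leg (private / enterprise CA) ---
! Assumption: the private CA certificate is authenticated and the issued
! CUBE certificate imported with the usual crypto pki authenticate/import steps.
crypto pki trustpoint PRIVATE-CA
 enrollment terminal
 subject-name CN=cube-inside.example.internal
 revocation-check none
 rsakeypair CUBE-INSIDE-KEY 2048
!
! --- Trustpoint for the outside leg (public CA) ---
crypto pki trustpoint PUBLIC-CA
 enrollment terminal
 subject-name CN=sbc.example.com
 revocation-check none
 rsakeypair CUBE-OUTSIDE-KEY 2048
!
sip-ua
 ! Negotiate only TLS 1.2; ECDSA ciphers are not available on TLS 1.0.
 transport tcp tls v1.2
 ! Peers in the (assumed) CUCM subnet get the private-CA identity.
 crypto signaling remote-addr 10.10.10.0 255.255.255.0 trustpoint PRIVATE-CA
 ! Every other TLS peer (the provider / outside leg) gets the public-CA identity.
 crypto signaling default trustpoint PUBLIC-CA
!
! Inside leg: CUCM (assumed 10.10.10.5), TLS signaling plus SRTP media
dial-peer voice 100 voip
 description to-CUCM
 session protocol sipv2
 session target ipv4:10.10.10.5
 session transport tcp tls
 srtp
 codec g711ulaw
 no vad
!
! Outside leg: provider SBC (assumed sbc.provider.example), TLS signaling plus SRTP media
dial-peer voice 200 voip
 description to-ITSP
 session protocol sipv2
 session target dns:sbc.provider.example
 session transport tcp tls
 srtp
 codec g711ulaw
 no vad
```

Two things to check before trusting this: CUBE validates the peer's certificate against the CA chain held in the trustpoint it selected for that peer, so the PRIVATE-CA trustpoint must be able to validate the certificate CUCM presents, and, as noted in the first reply, the CA that issued the CUBE's certificate for the CUCM leg must be in CallManager-trust on CUCM. After loading the configuration, `show crypto pki certificates` confirms both trustpoints hold a CA certificate and an issued certificate, and `show sip-ua connections tcp tls detail` shows which TLS sessions are established to which peers.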


j.huizinga
Level 6

Thank you both!

I believe the easiest way is to have the CUBE signed by the external CA (I believe signing the CUBE is mandatory) and then trust the external CA.

 

Thank you both for your help

 

Jan