
cucm 10.5

clark white
Level 2

Dears,

 I have the 3 doubts below:

 

  1. In CUCM/CUC 10.5 onwards we don't require security eTokens (SafeNet or ActivIdentity, USB eToken) for the CTL file. Please confirm.
  2. I was installing the 10.5 unrestricted version and I stopped at the attached screenshot. Suppose that after completing the installation I do the secure communication configuration: will it be accepted by the unrestricted version, or will it not work?
  3. I have had unrestricted version 8.6.2 installed for the last 2 years. Now I want to move to a secure cluster. Do I have to reinstall a restricted version 8.6.2, do the backup of the unrestricted version, and then configure secure communication on the newly installed restricted version?

 

11 Replies

Wilson Samuel
Level 7

Hi Clarke,

 

The basic difference between the Restricted and Unrestricted versions is that the Unrestricted version does NOT allow any provision for secure Cisco phones / communications on that cluster (i.e. no encryption features allowed) and is intended to be used only by the countries / organizations that are on the US Sanctions list.

 

Furthermore, if you are installing the Restricted version of the software, by default it is not secure by any means; it just means that, down the road, if you need encryption (i.e. CTL, VPN etc.) you may configure them :-)

Moreover, if you have got the Unrestricted software and want to upgrade to Restricted, you can only do so by exporting the configuration, installing the same version of the Unrestricted software, importing the configuration, and then doing the in-seat upgrade to the Restricted version.

 

Please find these two attachments, which try to simplify the saga of Restricted vs Unrestricted software.

 

HTH

 

Dear Wilson,

Does CUCM/CUC 10.5 require an eToken (SafeNet or ActivIdentity, USB eToken), or can we also configure encryption between the phones and CUCM without these eTokens?

 

thanks

To secure your media you will need Cisco's USB token. Here is the part number.

KEY-CCM-ADMIN-K9

I don't think you can use any other token. If it's only signalling you want to secure, all you need is just to use TLS with certificates.

Please rate all useful posts

Hi,

Since CUCM version 10, a USB token is not required. Please see the security guide - http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100.html

You definitely need the restricted version of CUCM.

Best Regards,

Petko

Dear Petko,

Can you put the specific page of the guide where it clearly says that it is not required?

Hi Clark,

 

If you open the PDF version of the security document, look at Table 2, page 4.

"Hardware security tokens are required for only the CTL Client. The CLI command set utils ctl does not require hardware security tokens."

 

Best Regards,

Petko

Dear Petko,

I am confused about how to set this up, as I am aware of the procedure for eTokens as below.

  1. Turn on CAPF and CTL services on the CUCM Publisher and the CTL service on all CUCM subscribers.
  2. Download and install a CTL client.
  3. Log in to the CTL client with the Publisher IP.
  4. Set the cluster to mixed mode.
  5. Insert the USB eToken and click OK; the certificate of the eToken is displayed. Then click Next and the certificates from all the servers are pulled.
  6. Then click Add to add more eTokens.
  7. Now we have the certificates of all the servers and eTokens; click Finish.
  8. Restart the CCM and TFTP services.

 

What will the procedure be when I don't have the eTokens? Please explain in bullets.

Thanks

Hi Clark,

To enable SRTP between phones, the procedure is like this:

  1. Turn on CAPF and CTL services on the CUCM Publisher and the CTL service on all CUCM subscribers. All subscribers in the cluster should be up and running.
  2. Set the cluster to mixed mode.
  3. Check that the phones have the CTL file installed. If phones get a registration reject message, delete the CTL file and try to update it. Also look for MIC or LSC certificates installed on the phones.
  4. On CUCM go to System -> Security -> Phone Security Profile. Copy the required non-secure phone security profile and, based on it, create a new secure phone security profile with Device Security Mode "Encrypted" and Authentication Mode "By Existing Certificate".
  5. Apply the new security profile to the phones.
  6. Make a call between phones. Verify that SRTP is working either with Wireshark or by the keylock icon on the phone display.

Best Regards,

Petko

Dear Petko,

Thanks for the reply; I appreciate you being patient and replying to the post.

"set the cluster to mixed mode"

The above step has to be done by logging in to the CTL client with the publisher IP and enabling mixed mode; please correct me?

"The CLI command set utils ctl does not require hardware security tokens."

When will the above command be used? If I am not wrong, after step 2 of your post.

After the command set utils ctl, I hope I should then continue with step 3 of your post.

Thanks

Dears,

Can anybody help me out with the query above?

thanks

Hi Clark,

 

I am sorry for my delay. Have you found the answers to your concerns?

Here are the answers to the questions:

  • Mixed mode is enabled via the CLI using the following command:

utils ctl set-cluster mixed-mode

After this step you can proceed to step 3. The CTL file is generated automatically.

  • The CTL client program is used only when you have a USB security token.

I hope it is clear now.

 

Best Regards,

Petko