12-18-2013 11:10 AM - edited 03-16-2019 08:56 PM
Hi all,
I configured secure conferences on the GW and CUCM, and the dspfarm profile is registered with CUCM.
The cluster is secure; when I place calls between 2 phones, the lock is shown on the phones' display.
Also when I place calls between Jabbers, Jabbers and phones, voicemail ports and so on.
But when I make a conference, the lock is missing from the phones. The CFB resource is invoked, but the RTP is not encrypted.
My CUCM version is 9.1
IOS version 15.2.4M5
ISR2 3945
Can anyone help me out?
crypto pki trustpoint GWC0301
enrollment selfsigned
fqdn none
subject-name CN=GWC0301
revocation-check none
rsakeypair GWC0301
!
crypto pki trustpoint UCM03-C03
enrollment terminal
subject-name CN=UCM03-C03
revocation-check none
!
crypto pki trustpoint UCM04-C03
enrollment terminal
subject-name CN=UCM04-C03
revocation-check none
!
crypto pki trustpoint UCM05-O15
enrollment terminal
subject-name CN=UCM05-O15
revocation-check none
!
!
crypto pki certificate chain GWC0301
certificate self-signed 01
quit
crypto pki certificate chain UCM03-C03
certificate ca 40A56B940AD17F99BC3877932D170A98
quit
crypto pki certificate chain UCM04-C03
certificate ca 5F57BA04B314954A00176D7C695F2917
quit
crypto pki certificate chain UCM05-O15
certificate ca 67A8376B9B8E3D2D48100FA6B9C7CB29
quit
ip cef
!
sccp local GigabitEthernet0/0
sccp ccm 172.19.254.98 identifier 3 priority 3 version 7.0 trustpoint UCM05-O15
sccp ccm 172.19.254.69 identifier 2 priority 2 version 7.0 trustpoint UCM04-C03
sccp ccm 172.19.254.68 identifier 1 priority 1 version 7.0 trustpoint UCM03-C03
sccp
!
sccp ccm group 100
bind interface GigabitEthernet0/0
associate ccm 1 priority 1
associate ccm 2 priority 2
associate ccm 3 priority 3
associate profile 1 register GWC0301
associate profile 2 register XCOD_C03_01
associate profile 3 register CFBC0301
associate profile 5 register MTPG711a
associate profile 4 register MTPG711u
associate profile 6 register MTPG729ABR8
!
dspfarm profile 2 transcode
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
maximum sessions 120
associate application SCCP
!
dspfarm profile 1 conference security
trustpoint GWC0301
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
maximum sessions 20
associate application SCCP
!
dspfarm profile 3 conference
codec g729br8
codec g729r8
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
maximum sessions 10
associate application SCCP
shutdown
!
dspfarm profile 4 mtp security
trustpoint GWC0301
codec g711ulaw
maximum sessions software 100
associate application SCCP
!
dspfarm profile 5 mtp security
trustpoint GWC0301
codec g711alaw
maximum sessions software 100
associate application SCCP
!
dspfarm profile 6 mtp security
trustpoint GWC0301
codec g729abr8
maximum sessions software 100
associate application SCCP
!
GW_C03_01#sh sccp all
SCCP Admin State: UP
Gateway Local Interface: GigabitEthernet0/0
IPv4 Address: 172.19.241.2
Port Number: 2000
IP Precedence: 5
User Masked Codec list: None
Call Manager: 172.19.254.98, Port Number: 2000
Priority: 3, Version: 7.0, Identifier: 3
Call Manager: 172.19.254.69, Port Number: 2000
Priority: 2, Version: 7.0, Identifier: 2
Call Manager: 172.19.254.68, Port Number: 2000
Priority: 1, Version: 7.0, Identifier: 1
Transcoding Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 172.19.254.68, Port Number: 2000
TCP Link Status: CONNECTED, Profile Identifier: 2
Reported Max Streams: 240, Reported Max OOS Streams: 0
Supported Codec: g711ulaw, Maximum Packetization Period: 30
Supported Codec: g711alaw, Maximum Packetization Period: 30
Supported Codec: g729ar8, Maximum Packetization Period: 60
Supported Codec: g729abr8, Maximum Packetization Period: 60
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: rfc2833 pass-thru, Maximum Packetization Period: 30
Supported Codec: inband-dtmf to rfc2833 conversion, Maximum Packetization Period: 30
Conferencing Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 172.19.254.68, Port Number: 2443
TCP Link Status: CONNECTED, Profile Identifier: 1
Security
Signaling Security: ENCRYPTED TLS
Media Security: SRTP
Supported crypto suites :AES_CM_128_HMAC_SHA1_32
Reported Max Streams: 160, Reported Max OOS Streams: 0
Supported Codec: g711ulaw, Maximum Packetization Period: 30
Supported Codec: g711alaw, Maximum Packetization Period: 30
Supported Codec: g729ar8, Maximum Packetization Period: 60
Supported Codec: g729abr8, Maximum Packetization Period: 60
Supported Codec: g729r8, Maximum Packetization Period: 60
Supported Codec: g729br8, Maximum Packetization Period: 60
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: rfc2833 pass-thru, Maximum Packetization Period: 30
Supported Codec: inband-dtmf to rfc2833 conversion, Maximum Packetization Period: 30
TLS : ENABLED
12-19-2013 12:35 AM
The Secure Conferencing feature provides authentication and encryption to secure a conference. A conference gets considered secure when all participating devices have encrypted signaling and media. The secure conference feature supports SRTP encryption over a secure TLS or IPSec connection.
The system provides a security icon for the overall security status of the conference, which is determined by the lowest security level of the participating devices. For example, a secure conference that includes two encrypted connections and one authenticated connection has a conference security status of authenticated.
To configure secure ad hoc and meet-me conferences, you configure a secure conference bridge.
When you configure conference bridge resources as nonsecure, the conference remains nonsecure, regardless of the security configuration for the phone.
For meet-me conference calls, the phone that initiates the conference must also meet the minimum security requirement that is configured for the meet-me number. If no secure conference bridge is available or if the initiator security level does not meet the minimum, Cisco Unified Communications Manager rejects the conference attempt.
To secure conferences with barge, configure phones to use encrypted mode. After the Barge key is pressed and if the device is authenticated or encrypted, Cisco Unified Communications Manager establishes a secure connection between the barging party and the built-in bridge at the target device. The system provides a conference security status for all connected parties in the barge call.
Note: Nonsecure or authenticated Cisco Unified IP Phones that are running release 8.3 or later can now barge encrypted calls.
A conference bridge can register as a secure media resource when you add a hardware conference bridge to your network and configure a secure conference bridge in Cisco Unified Communications Manager Administration.
Note: Due to the performance impact to Cisco Unified Communications Manager processing, Cisco does not support secure conferencing on a software conference bridge.
A Digital Signal Processor (DSP) farm, which provides conferencing on an H.323 or MGCP gateway, acts as the network resource for IP telephony conferencing. The conference bridge registers to Cisco Unified Communications Manager as a secure SCCP client.
For more information about conferencing routers, refer to the IOS router documentation that is provided with your router.
Cisco Unified Communications Manager assigns conference resources to calls on a dynamic basis. The available conference resource and the enabled codec provide the maximum number of concurrent, secure conferences allowed per router. Because transmit and receive streams are individually keyed for each participating endpoint (so no rekeying is necessary when a participant leaves the conference), the total secure conference capacity for a DSP module equals one-half the nonsecure capacity that you can configure.
See "Understanding Conference Devices" in the Cisco Unified Communications Manager System Guide for more information.
Cisco Unified IP Phones display a conference security icon for the security level of the entire conference. These icons match the status icons for a secure two-party call, as described in the user documentation for your phone.
The audio and video portions of the call provide the basis for the conference security level. The call gets considered secure only if both the audio and video portions are secure.
For ad hoc and meet-me secure conferences, the security icon for the conference displays next to the conference softkey in the phone window for conference participants. The icon that displays depends on the security level of the conference bridge and all participants:
When an encrypted phone connects to a secure conference bridge, the media streaming between the device and the conference bridge gets encrypted; however, the icon for the conference can be encrypted, authenticated, or nonsecure depending on the security levels of the other participants. A nonsecure status indicates that one of the parties is not secure or cannot be verified.
When a user presses Barge, the icon that displays next to the Barge softkey provides the security level for the barge conference. If the barging device and the barged device support encryption, the system encrypts the media between the two devices, but the barge conference status can be nonsecure, authenticated, or encrypted, depending on the security levels of the connected parties.
Conference status can change as participants enter and leave the conference. An encrypted conference can revert to a security level of authenticated or nonsecure if an authenticated or nonsecure participant connects to the call. Likewise, the status can upgrade if an authenticated or nonsecure participant drops off the call. A nonsecure participant that connects to a conference call renders the conference nonsecure.
Conference status can also change when participants chain conferences together, when the security status for a chained conference changes, when a held conference call is resumed on another device, when a conference call gets barged, or when a transferred conference call completes to another device.
Note: The Advanced Ad Hoc Conference Enabled service parameter determines whether ad hoc conferences can be linked together by using features such as conference, join, direct transfer, and transfer.
Cisco Unified Communications Manager provides these options to maintain a secure conference:
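The rules quoted in the reply above (conference status is the lowest level among the bridge and all participants, audio and video both count, a nonsecure bridge keeps the conference nonsecure, a meet-me initiator below the configured minimum is rejected, and secure DSP capacity is half the nonsecure figure) as a small executable model. This is an added example, not Cisco's code or anything from the thread; the level names, the event format and the meet-me admission interpretation are assumptions made here.

```python
"""Model of CUCM secure-conference status rules (example code, not Cisco's)."""
from enum import IntEnum
from typing import List, Optional, Tuple


class Level(IntEnum):
    """Ordered so that min() picks the weakest security level."""
    NONSECURE = 0
    AUTHENTICATED = 1
    ENCRYPTED = 2


def participant_level(audio: Level, video: Optional[Level] = None) -> Level:
    """A participant's call is only as secure as both its audio and video portions."""
    return audio if video is None else min(audio, video)


def conference_status(bridge: Level, participants: List[Level]) -> Level:
    """Icon for the whole conference: nonsecure bridge => nonsecure regardless of
    phones; otherwise the lowest level among the bridge and every participant."""
    if bridge == Level.NONSECURE:
        return Level.NONSECURE
    return min([bridge] + participants)


def meetme_admit(bridge: Level, initiator: Level, minimum: Level) -> bool:
    """Meet-me: rejected when no secure bridge is available for a secure minimum,
    or when the initiator is below the minimum configured for the meet-me number.
    (Assumption: 'secure bridge available' means the bridge level is not NONSECURE.)"""
    if minimum > Level.NONSECURE and bridge == Level.NONSECURE:
        return False
    return initiator >= minimum


def status_timeline(bridge: Level, events: List[Tuple[str, str, Level]]) -> List[Level]:
    """Recompute the conference icon after each ('join'|'leave', name, level) event,
    showing the downgrade/upgrade behaviour as participants enter and leave."""
    present = {}
    timeline = []
    for action, name, level in events:
        if action == "join":
            present[name] = level
        else:
            present.pop(name, None)
        timeline.append(conference_status(bridge, list(present.values())))
    return timeline


def secure_capacity(nonsecure_sessions: int) -> int:
    """Tx and rx streams are keyed per endpoint, so secure capacity is one-half."""
    return nonsecure_sessions // 2
```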