CMS Recorder / Certificates

VinnyC
Level 1

We are trying to set up Recording capabilities at our site and are running into an issue with certificates and enabling the recorder.  Hopefully someone can point me in the right direction. 

I created the CSR by using the command “recorder pki csr recorder CN:<name>”

It then created the recorder.key and CSR recorder.csr files. 

The files were sent over to the appropriate agency for server enrollment.  They sent back two text files, server_cert_base64 and server_cert_withchain_pkcs7.  I converted the server_cert to a .cer format. 

I created a CA-Chain file by combining (not 100% sure if this is correct):

    server_cert_base64.text

    recorder.txt

    Blank line

All files were loaded to CMS via WinSCP.

On CMS, I entered the command “recorder sip certs recorder.key server_cert_base64.cer CA-Chain.cer”

I then went to enable the recorder by typing “recorder enable”

This is the error message I am getting; hopefully someone can help:

SUCCESS: Key and certificate pair match

FAILURE: certificate verification error: depth=0

Verification error: unable to get local issuer certificate

Any assistance would be greatly appreciated.

Thanks!


12 Replies

b.winter
VIP

What is your CA-chain? Do you have an Intermediate CA and a Root CA?
The format of the command is "recorder sip certs recorder.key recorder.cer ca-chain.cer".

In the ca-chain.cer file, you only copy in there the CA's and not the server file itself.
The recorder.cer only contains the server file.

I have been trying to figure out exactly what files to paste into the ca-chain; I thought I had it.  I did the "server_cert_base64.text" file I received, and the "recorder.txt" that I created.  So, should the "bundle" or ca-chain only be with ones that are on my local server, or with the server_cert_base64.txt and server_cert_withchain_pkcs7.txt files I received?

For the command "recorder sip certs recorder.key recorder.cer ca-chain.cer", I received the message:

"FAILURE: Key and certificate problem: invalid certificate"

The only time I was only able to get a SUCCESS was with my first post where I did “recorder sip certs recorder.key server_cert_base64.cer CA-Chain.cer".

Thanks in advance!

I can only guess from the names of your files which one is which; maybe you can copy the files, change the file ending to "cer", double-click on them and post a screenshot of the files here.

"server_cert_base64.text" --> probably the server cert, so "recorder.cer"
"recorder.txt" --> could also be the server cert
"server_cert_withchain_pkcs7.txt" --> probably includes the CA chain --> should be the "ca-bundle.cer" in the command.
and the private key ("recorder.key") should already be on the CMS, because you generate the CSR on the CMS.

Maybe you also got the private key back from the CA; maybe it's the recorder.txt. Then you would also need to upload the private key to the CMS. Check all the files you got in Notepad and see if the first line contains "----- BEGIN PRIVATE KEY -----".

But it's hard to say which file is which without seeing them myself.

Thanks for replying again.  

When I did the initial steps in CMS, it created the key and CSR files.  I sent the CSR file out to get the server certificates.  They sent back the 2 files:

File 1: "server_cert_base64.txt" --> I made this "recorder.cer".  The email I got with this file said it was my X.509 certificate in base64 encoded format, and to change it to .cer.

File 2: "server_cert_withchain_pkcs7.txt" --> I made this "ca-bundle.cer" per your advice.  The email I got with this file said that it is my certificate, the <org> PKI Subordinate CA certificate, and the <org> PKI Root certificate combined together in PKCS#7 format and base64 encoded.

When I do the command "recorder sip certs recorder.key recorder.cer ca-bundle.cer" I receive the following error:

"SUCCESS: Key and certificate pair match.  FAILURE: certificate verification error: wrong tag.  FAILURE: Recorder configuration not complete."  Any thoughts on the bundle portion?

Also, for other parts of the setup, I have done these commands:

"recorder sip listen a none 6000"

I am not 100% sure of what port I should be using.  I found different documents on setting up recordings, and each one seems to show different ports.  I have seen 5060, 5061, 6000, and 8443.  

Thank you again for the assistance!  

For File 1: This should be correct then, as you get the message "SUCCESS: Key and certificate pair match".

For File 2: there is probably the issue. They said the file contains everything (1. certificate, 2. the <org> PKI Subordinate CA certificate, and 3. the <org> PKI Root certificate). In the ca-bundle.cer file you only need 2. and 3.
So the ca-bundle.cer should only contain CA-certs and no server certificates. --> See the picture from @Meddane's post.

About the command "recorder sip listen a none 6000" ("recorder sip listen <interface> <unsecure-port> <secure-port>"):
This is up to you. This is the unsecure / secure port, on which the recorder listens.
Normally you use 5060 / 5061, e.g. "recorder sip listen a 5060 5061"
But whatever you select here, it has to match the settings for the recorder in the outbound call rules and the API settings.

And now coming back to the ca-bundle.cer file:
If the callbridge certificate has a different CA-chain, then you also need to include those CA-certs in the ca-bundle.cer file.
If they are not included and the callbridge connects via a secure SIP connection, then the recorder isn't able to validate the callbridge cert and the connection fails.

I got the recorder to "enable" by using the CallBridge certs since they are on the same server; I am not sure if that was the correct way to do it or not.  Thoughts?  I did:

"recorder sip certs callbridge.key callbridge.cer cachain.cer"

"recorder enable"

It then gave me the following:

SUCCESS: Key and certificate pair match

SUCCESS: certificate verified against CA bundle

SUCCESS: Recorder enabled

If this is correct, I now need to figure out the CMS setup portion, since I have not had a successful recording yet.  

In CMS, under Fault Conditions, it says "Recorder "recorder@recorder" unavailable (connect failure)".  

Under 'Configuration > API > callProfiles' I have the mode set to "manual" and the sipRecorderUri set to recorder@recorder.  I read on cisco that, since callbridge is on the same server, that is what we put.  I am not sure if this is correct though.  

Under 'Configuration > API > outboundDialPlanRules' I have the domain name the same as callbridge, priority set to 350 (per the Cisco PDF I read), and the sipProxy the same as callbridge (not sure if this is correct).  

I am also working on trying to find out the correct sip listen port to configure on CMS.  5060/5061 are the default used by CB, so I cannot use that for the recorder.  Could this be causing the fault condition "Recorder "recorder@recorder" unavailable (connect failure)"?

Thanks again for the help.

If it works with the callbridge certs, then you probably have a problem with your recorder certs. But it's hard to say without having all the files and checking them on my own.

For the beginning:
If you have recorder on the same callbridge, you cannot have both listening on port 5060/5061. Only one service can use them.
Best practice is to use different ports for recorder. e.g. 5560 / 5561 (recorder sip listen a 5560 5561)

For the rest an example:
callProfile:
recordingMode --> manual
sipRecorderUri --> recording@recorder.com (this can be anything, doesn't matter if the recorder is on the same CMS or not, it only has to match with the outbound dial rule)

callLegProfile:
recordingControlAllowed --> true

Assign the callProfile and callLegProfile systemwide, or only for a space, ...

Outbound dial rule:
=> Give it a high prio, so that no other rule matches first and sends the call the wrong way
=> Try first with unencrypted. If that works, you can switch to encrypted. If that doesn't work, then it can only be something with certificates. But as you are using the same certs for the CB and recorder, this should work.

Unencrypted:
Domain --> recorder.com
SIP proxy to use --> <IP / FQDN of callbridge>:5560
Trunk type --> Standard SIP
Behavior --> Stop
Encryption --> no

Encrypted:
Domain --> recorder.com
SIP proxy to use --> <FQDN of callbridge>:5561
Trunk type --> Standard SIP
Behavior --> Stop
Encryption --> yes
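The rules in this post (the sipRecorderUri domain must match an outbound dial rule, the rule's SIP proxy must point at the recorder's listen port, unencrypted goes to the unsecure port and encrypted to the secure port, and the recorder cannot share the Call Bridge's 5060/5061) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small consistency checker over dictionaries that use the field names as the posts spell them (sipRecorderUri, domain, sipProxy, priority, an "encrypted" flag, and the two ports from "recorder sip listen"), which is a simplified model and not the CMS API schema. The IP address 192.0.2.10 and the sample configurations are constructed.

```python
# Added example, not from the thread or from Cisco: a consistency check for the
# recorder settings the posts say must agree with each other. The dicts are a
# simplified model using the names from the thread (sipRecorderUri,
# outboundDialPlanRule domain / sipProxy / priority / encryption, and the ports
# from 'recorder sip listen'); they are not the CMS API schema.
CALLBRIDGE_SIP_PORTS = {5060, 5061}  # Call Bridge defaults on the same server


def uri_domain(sip_uri):
    """Domain part of a recorder URI such as 'recorder@recorder'."""
    _user, _sep, domain = sip_uri.partition("@")
    return domain or None


def proxy_host_port(sip_proxy):
    """Split 'host:port' into (host, port); port is None when it was omitted."""
    host, sep, port = sip_proxy.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return sip_proxy, None


def check_recorder_setup(call_profile, dial_rules, listen):
    """Return the list of mismatches; an empty list means the pieces agree.

    listen = {"unsecure": port_or_None, "secure": port_or_None}, i.e. the two
    ports from 'recorder sip listen <interface> <unsecure-port> <secure-port>'.
    """
    problems = []
    domain = uri_domain(call_profile.get("sipRecorderUri", ""))
    if domain is None:
        problems.append("sipRecorderUri has no @domain part")
    # the highest-priority matching rule is the one the recording call will take
    rules = sorted(dial_rules, key=lambda r: r["priority"], reverse=True)
    rule = next((r for r in rules if r["domain"] == domain), None)
    if rule is None:
        problems.append(f"no outboundDialPlanRule matches the recorder domain '{domain}'")
    else:
        kind = "secure" if rule["encrypted"] else "unsecure"
        expected = listen[kind]
        if expected is None:
            problems.append(f"rule is {'' if rule['encrypted'] else 'un'}encrypted but "
                            f"'recorder sip listen' has no {kind} port")
        _host, port = proxy_host_port(rule["sipProxy"])
        if port is None:
            problems.append(f"sipProxy '{rule['sipProxy']}' has no :port; "
                            f"use host:port with the recorder's {kind} port")
        elif expected is not None and port != expected:
            problems.append(f"sipProxy port {port} does not match the recorder's "
                            f"{kind} listen port {expected}")
    for kind, port in listen.items():
        if port in CALLBRIDGE_SIP_PORTS:
            problems.append(f"{kind} listen port {port} is a Call Bridge default SIP port; "
                            "only one service can use it")
    return problems


# Constructed samples: a rule that matches but has no port while the recorder
# has no unsecure port (BEFORE), the working layout with the 5560/5561 ports
# suggested in the thread (AFTER), and a rule on the wrong domain.
BEFORE = dict(
    call_profile={"recordingMode": "manual", "sipRecorderUri": "recorder@recorder"},
    dial_rules=[{"domain": "recorder", "sipProxy": "192.0.2.10",
                 "priority": 350, "encrypted": False}],
    listen={"unsecure": None, "secure": 6000},
)
AFTER = dict(
    call_profile={"recordingMode": "manual", "sipRecorderUri": "recorder@recorder"},
    dial_rules=[{"domain": "recorder", "sipProxy": "192.0.2.10:5560",
                 "priority": 350, "encrypted": False}],
    listen={"unsecure": 5560, "secure": 5561},
)
WRONG_DOMAIN = dict(AFTER, dial_rules=[dict(AFTER["dial_rules"][0], domain="example.local")])

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("wrong domain", WRONG_DOMAIN)):
        print(name, check_recorder_setup(**cfg) or ["OK"])
```

Running the script lists two problems for the first sample (no port in sipProxy, no unsecure listen port for an unencrypted rule), none for the second, and a domain mismatch for the third; the same function flags 5060/5061 as recorder listen ports because the Call Bridge already owns them.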

Meddane
VIP

The recorder.key is not the private key of the recorder.cer certificate.

This is the procedure:

To create the Bundle CA chain certificate, in a txt file paste the Subordinate certificate first and then paste the Root CA certificate at the end; save the file with a .cer extension, named for example Bundle-CA.cer.

[Image1.png]

[Image2.png]

Then configure the recorder service as follows, where cms.cer is the recorder certificate signed by the root CA:

[Image3.png]

 
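Both b.winter's explanation (the bundle holds only the CA certificates, the server certificate goes with its key, and a PKCS#7 file is not accepted where an X.509 bundle is expected) and Meddane's procedure above can be checked offline before anything is uploaded to CMS. The following is an added example, not code from the thread, from Cisco or from CMS: it drives the openssl command-line tool (assumed to be on PATH) to pull the certificates out of a PEM PKCS#7 chain file, keep only those with basicConstraints CA:TRUE, and run the equivalents of the two checks the recorder reports, "Key and certificate pair match" and "certificate verified against CA bundle". The root/sub CA/recorder chain it tests against is constructed on the fly with placeholder names; CMS's own verification is not reproduced exactly, only openssl's.

```python
"""Added example (not from the thread, Cisco or CMS): rebuild the CA bundle
from a PKCS#7 chain file with the openssl CLI, keep only the CA certificates,
and run local equivalents of the recorder's two certificate checks."""
import os
import subprocess
import tempfile


def _openssl(*args, stdin=None):
    """Run one openssl subcommand and return its stdout as text."""
    return subprocess.run(["openssl", *args], input=stdin, check=True,
                          capture_output=True, text=True).stdout


def certs_from_pkcs7(p7_path):
    """List every PEM certificate stored in a PEM-encoded PKCS#7 file."""
    certs, current = [], []
    for line in _openssl("pkcs7", "-in", p7_path, "-print_certs").splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            current = [line]
        elif line.startswith("-----END CERTIFICATE-----"):
            current.append(line)
            certs.append("\n".join(current) + "\n")
            current = []
        elif current:
            current.append(line)
    return certs


def is_ca_cert(pem):
    """True when basicConstraints marks the certificate as a CA."""
    return "CA:TRUE" in _openssl("x509", "-noout", "-text", stdin=pem)


def write_ca_bundle(p7_path, bundle_path):
    """Write only the CA certs (sub CA, root) to bundle_path; return the count."""
    cas = [c for c in certs_from_pkcs7(p7_path) if is_ca_cert(c)]
    with open(bundle_path, "w") as fh:
        fh.write("".join(cas))
    return len(cas)


def key_matches_cert(key_path, cert_path):
    """Local equivalent of 'Key and certificate pair match': compare public keys."""
    from_cert = _openssl("x509", "-in", cert_path, "-noout", "-pubkey")
    from_key = _openssl("pkey", "-in", key_path, "-pubout")
    return from_cert.strip() == from_key.strip()


def cert_verifies(bundle_path, cert_path):
    """True when the server certificate chains up to a root in the bundle."""
    result = subprocess.run(["openssl", "verify", "-CAfile", bundle_path, cert_path],
                            capture_output=True, text=True)
    return result.returncode == 0


# Constructed test PKI (root -> sub CA -> recorder); the openssl config is
# self-contained so the result does not depend on the system openssl.cnf.
CA_CNF = """[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
"""


def make_test_pki(workdir):
    """Create the chain and the two files a CA would return; return a path helper."""
    def p(name):
        return os.path.join(workdir, name)
    def req(subj, key, out, *extra):  # new key + CSR (or self-signed cert with -x509)
        _openssl("req", "-new", *extra, "-config", p("ca.cnf"), "-newkey", "rsa:2048",
                 "-nodes", "-subj", subj, "-keyout", p(key), "-out", p(out))
    def sign(csr, ca, out, *extra):  # issue a certificate from the CSR with CA ca.cer/ca.key
        _openssl("x509", "-req", "-in", p(csr), "-CA", p(ca + ".cer"), "-CAkey", p(ca + ".key"),
                 "-CAcreateserial", "-days", "2", "-out", p(out), *extra)
    with open(p("ca.cnf"), "w") as fh:
        fh.write(CA_CNF)
    req("/CN=Test Root CA", "root.key", "root.cer", "-x509", "-days", "2")
    req("/CN=Test Sub CA", "sub.key", "sub.csr")
    sign("sub.csr", "root", "sub.cer", "-extfile", p("ca.cnf"), "-extensions", "ca_ext")
    req("/CN=recorder.example.test", "recorder.key", "recorder.csr")
    sign("recorder.csr", "sub", "server_cert_base64.cer")
    _openssl("crl2pkcs7", "-nocrl", "-certfile", p("server_cert_base64.cer"), "-certfile",
             p("sub.cer"), "-certfile", p("root.cer"), "-out", p("server_cert_withchain_pkcs7.txt"))
    return p


def demo():
    """Run all checks on the constructed PKI and return the results."""
    with tempfile.TemporaryDirectory() as d:
        p = make_test_pki(d)
        p7, cert, key = p("server_cert_withchain_pkcs7.txt"), p("server_cert_base64.cer"), p("recorder.key")
        return {
            "ca_certs_in_bundle": write_ca_bundle(p7, p("ca-bundle.cer")),
            "pair_match": key_matches_cert(key, cert),
            "verified_against_bundle": cert_verifies(p("ca-bundle.cer"), cert),
            "verified_against_pkcs7_file": cert_verifies(p7, cert),  # PKCS#7 is not a bundle
            "verified_against_root_only": cert_verifies(p("root.cer"), cert),  # missing issuer
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results are the two failure modes from the thread: handing over the PKCS#7 file itself fails verification, and a bundle without the issuing sub CA fails with openssl's "unable to get local issuer certificate". On real files, run write_ca_bundle on the server_cert_withchain_pkcs7 file, then key_matches_cert and cert_verifies on the recorder key and the server_cert_base64 certificate, before uploading the three files with WinSCP.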

VinnyC
Level 1

Thanks again for all the replies. 

I am able to get the recorder to enable; however, I am not sure which is the "correct" way.  Are either of these correct commands that I should use in order to get the recorder enabled properly?

"webadmin.key webadmin.cer cachain.cer" or "callbridge.key callbridge.cer cachain.cer".  Both "cachain.cer" are the same file.  Or should there be a "recorder.key recorder.cer cachain.cer" instead?  Callbridge/recorder are on the same server.  We use CMS 3.4.

With both the webadmin and callbridge commands, when I do "recorder enable", I get -- "SUCCESS: Key and certificate pair match" "SUCCESS: Recorder enabled".

Also, I still am figuring out the correct sip listen ports to use.  If I use 5060/5060, when I go to enable the recorder, it tells me that those ports are in use.  Can I use any port, as long as they are open?  Is there a command for CMS 3.4 to see if a port is open or closed?  I found one for cisco, but it was not recognized by CMS.

Also, with the recorder currently enabled, I tried to do a recording from CMM 3.4.  I see the recorder URI added as a participant, but then it is disconnected shortly after.  Looking at the logs ("syslog follow"), the recorder disconnected line says "INFO: recording call leg for space '<spare>' disconnected with reason 7 (transaction timeout - no provisional responses sending INVITE)"  

Any thoughts on that message?

Thank you again!

About the certs:
This depends on the certs; there is no general rule. Maybe you should get some info on how certs work and how servers validate each other's certs.
If you have every component on one CMS, you don't need different certs for different components. You can do it or not. This is up to you or your requirements. You can also use the same certs for multiple CMS.

About the ports:
Check my last post. I have already described it there. And no, there is no command to find out, which port is open.

About your problem:
Maybe because the call is not working at all.
It seems that you have no idea how the recording works. So: if you press the recording button, a normal (SIP) call is initiated by the callbridge to the recorder, like a normal call from one phone to another phone. Nothing complicated about that.
If the recorder gets the call, it auto answers the call.
Again: what ports have you configured in the "recorder listen a" command, and to which port are you pointing in the outbound rule? What other info do you need about the config, other than what I already explained in my previous answer?

There is nothing special about the recorder config; it's easy and straightforward...

VinnyC
Level 1

Thanks for the help again!  It started working with these 3 simple changes:

1. Changed outboundDialPlanRule>domain to "recorder" instead of our local domain.

2. Changed outboundDialPlanRule>sipProxy to "CMS-IP:Port" instead of just an IP.

3. Changed callProfiles > sipRecorderUri to "recorder@recorder" 

Thanks again.

VinnyC
Level 1

Maybe someone can help with this recorder item:

When recording, at the 15 minute mark, the recording repeats that the meeting is being recorded, and a new mp4 temp file is created.  The previous 15 minute recording is finalized into an mp4 file.

Is there a setting to make the entire recording 1 file?

Thanks in advance.