TCS with SIP TLS on UCM

gfolens
Level 4

I've deployed TCS v7.2.1 with SIP trunk to CUCM v11.5.1.

SIP trunk works fine with standard port 5060.

I followed the admin guide to put in SIP TLS mode. Took me some time to get the certificate right and get it uploaded on TCS.

On CUCM side the SIP trunk with Secure SIP profile becomes active.

On TCS side the trunk remains inactive.

When making a call from an endpoint registered on CUCM, the call is not encrypted.

I enabled debugging (-d 2) on the TCS Content Engine service but the logs only show

“Debug: Sending trunk status [ Trunk Status = 4]”.

Anyone managed to get this working?

5 Replies

Patrick Sparkman
VIP Alumni

To confirm you enabled SIP TLS per the TCS 7.2 Admin Guide?

CUCM is configured per the steps in the guide?

TCS is configured per the steps in the guide?

Indeed I carefully followed each step in the guide.

I had some problems with openssl to combine the cert and the private key in a pfx file.

40533386538520:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:181:
140533386538520:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87:
140533386538520:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:188:
140533386538520:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:213:

Finally got it working by adding -descert: openssl pkcs12 -inkey privatekey.pem -in SIPTLS_tcs-csr.cer -export -out tcs_sip-cert.pfx -descert.

The certificate loaded on the TCS without errors.

But the SIP trunk on TCS side remains inactive.

I've activated debugging on the TCS Content Engine service (-d 2) but the logs do not show much details about the problem cause.

Is this a CA signed or self signed certificate?
Looking at the guide, it says that the TCSCertGen.cmd option will generate self-signed certificates for both TCS and CUCM, have you tried this instead of using OpenSSL?

I'm using a CA signed certificate.

I've not tried the self signed certs.

I currently have an SR open with TAC.

I've tried with the self signed certificate and the problem remained.

Then I changed the server FQDN to its IP address and the trunk became active on TCS side.

But the recording session remained unencrypted. Probably because the endpoint (LSC) did not trust the TCS.

I will test again with the CA signed certificate and try again. Maybe I need to update the LSCs on all the endpoints too?
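The behaviour reported above, where the trunk only came up after the FQDN was swapped for the IP address, is what a TLS peer produces when the destination it was configured to reach is not among the names in the certificate it receives. The block below is an added example, not code from the thread or from Cisco's TCS or CUCM, of the standard matching rule a TLS peer applies: an IP destination is compared only against iPAddress SAN entries, a DNS destination against dNSName entries (one leading wildcard label allowed), and the subject CN is consulted only when the certificate carries no dNSName entry at all. The SAN list, hostnames and the names `SAMPLE_SAN`, `peer_name_matches` and `covered_names` are constructed for illustration.

```python
import ipaddress

# Constructed example: SAN entries a TCS server certificate might carry, as
# (type, value) pairs mirroring the subjectAltName extension. Nothing here is
# taken from the thread's real certificate.
SAMPLE_SAN = [
    ("DNS", "tcs01.example.local"),
    ("DNS", "*.media.example.local"),
    ("IP", "10.0.0.25"),
]


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one certificate name against a hostname.

    Matching is case-insensitive, a trailing dot is ignored, and a wildcard
    is only honoured when it is the entire leftmost label and at least two
    labels follow it (so "*.example.local" matches exactly one label).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def peer_name_matches(configured_destination: str, san_entries, subject_cn=None) -> bool:
    """Return True when the trunk's configured destination is covered by the certificate.

    configured_destination is the address typed into the trunk (FQDN or IP);
    san_entries is the certificate's SAN list as (type, value) pairs;
    subject_cn is the subject Common Name, used only as a legacy fallback.
    """
    try:
        ip = ipaddress.ip_address(configured_destination)
    except ValueError:
        ip = None

    if ip is not None:
        # An IP destination never matches a dNSName entry or the CN, only iPAddress.
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in san_entries)

    dns_names = [v for t, v in san_entries if t == "DNS"]
    if dns_names:
        # Once any dNSName entry exists, the CN is ignored entirely.
        return any(_dns_name_match(p, configured_destination) for p in dns_names)

    # Legacy fallback: no dNSName entries, so the CN is the only DNS identity.
    return subject_cn is not None and _dns_name_match(subject_cn, configured_destination)


def covered_names(san_entries, subject_cn=None):
    """List every identity the certificate asserts, useful when diagnosing a mismatch."""
    names = [f"{t}:{v}" for t, v in san_entries]
    if subject_cn and not any(t == "DNS" for t, _ in san_entries):
        names.append(f"CN:{subject_cn}")
    return names


if __name__ == "__main__":
    for dest in ("tcs01.example.local", "10.0.0.25", "tcs01.example.com"):
        print(dest, "->", "match" if peer_name_matches(dest, SAMPLE_SAN) else "NO MATCH")
    print("certificate covers:", covered_names(SAMPLE_SAN))
```

To see which names a real certificate carries, `openssl x509 -in <cert> -noout -text` prints the Subject and the X509v3 Subject Alternative Name section; those values are what the destination address configured on each side of the trunk has to match, so a trunk that is defined by FQDN on one side and by IP on the other needs both forms present in the certificate.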