Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1534
Views
0
Helpful
5
Replies

TCS with SIP TLS on UCM

gfolens
Enthusiast
Enthusiast

‎05-07-2018 07:19 AM - edited ‎03-18-2019 02:05 PM

I've deployed TCS v7.2.1 with SIP trunk to CUCM v11.5.1.

SIP trunk works fine with standard port 5060.

I followed the admin guide to put in SIP TLS mode. Took me some time to get the certificate right and get it uploaded on TCS.

On CUCM side the SIP trunk with Secure SIP profile becomes active.

On TCS side the trunk remains inactive.

When making call from endpoint registered on CUCM the call is in non-encrypted.

I enabled debugging (-d 2) on the TCS Content Engine service but the logs only show

“Debug: Sending trunk status [ Trunk Status = 4]”.

Anyone managed to get this working?

0 Helpful
5 Replies 5

Patrick Sparkman
Mentor
Mentor

‎05-07-2018 01:36 PM

To confirm you enabled SIP TLS per the TCS 7.2 Admin Guide?

CUCM is configured per the steps in the guide?

TCS is configured per the steps in the guide?

0 Helpful

gfolens
Enthusiast
Enthusiast
In response to Patrick Sparkman

‎05-07-2018 11:34 PM - edited ‎05-08-2018 08:26 AM

Indeed I carefully followed each step in the guide.

I had some problems with openssl to combine the cert and the private key in a pfx file.

40533386538520:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:181:
140533386538520:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87:
140533386538520:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:188:
140533386538520:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:213:

 

Finally got it working by adding -descert: openssl pkcs12 -inkey privatekey.pem -in SIPTLS_tcs-csr.cer -export -out tcs_sip-cert.pfx -descert.

The certificate loaded on the TCS without errors.

 

But the SIP trunk on TCS side remains inactive.

I've activated debugging on the TCS Content Engine service (-d 2) but the logs do not show much details about the problem cause.

0 Helpful

Patrick Sparkman
Mentor
Mentor
In response to gfolens

‎05-15-2018 12:05 PM

Is this a CA signed or self signed certificate?
Looking at the guide, it says that the TCSCertGen.cmd option will generate self-signed certificates for both TCS and CUCM, have you tried this instead of using OpenSSL?
0 Helpful

gfolens
Enthusiast
Enthusiast
In response to Patrick Sparkman

‎05-16-2018 12:07 AM

I'm using a CA signed certificate.

I've not tried the self signed certs.

I currently have a SR open with Tac.

 

0 Helpful

gfolens
Enthusiast
Enthusiast
In response to gfolens

‎05-21-2018 04:11 AM

I've tried with the self signed certificate and the problem remained.

Then I changed the server FQDN to it's IP address and the trunk became active on TCS side.

But the recording session remained unencrypted. Probably because the endpoint (LSC) did not trust the TCS.

I will test again with the CA signed certificate and try again. Maybe I need to update the LSC's on all the endpoints too?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents