05-07-2018 07:19 AM - edited 03-18-2019 02:05 PM
I've deployed TCS v7.2.1 with SIP trunk to CUCM v11.5.1.
SIP trunk works fine with standard port 5060.
I followed the admin guide to put it in SIP TLS mode. Took me some time to get the certificate right and get it uploaded on TCS.
On CUCM side the SIP trunk with Secure SIP profile becomes active.
On TCS side the trunk remains inactive.
When making a call from an endpoint registered on CUCM, the call is non-encrypted.
I enabled debugging (-d 2) on the TCS Content Engine service but the logs only show
“Debug: Sending trunk status [ Trunk Status = 4]”.
Anyone managed to get this working?
05-07-2018 01:36 PM
To confirm, you enabled SIP TLS per the TCS 7.2 Admin Guide?
CUCM is configured per the steps in the guide?
TCS is configured per the steps in the guide?
05-07-2018 11:34 PM - edited 05-08-2018 08:26 AM
Indeed I carefully followed each step in the guide.
I had some problems with openssl to combine the cert and the private key in a pfx file.
40533386538520:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:181:
140533386538520:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87:
140533386538520:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:188:
140533386538520:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:213:
Finally got it working by adding -descert: openssl pkcs12 -inkey privatekey.pem -in SIPTLS_tcs-csr.cer -export -out tcs_sip-cert.pfx -descert.
The certificate loaded on the TCS without errors.
But the SIP trunk on TCS side remains inactive.
I've activated debugging on the TCS Content Engine service (-d 2) but the logs do not show much detail about the cause of the problem.
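A pre-flight check for the PFX step described in the post above, as an added example that is not part of the original thread: it confirms the private key and certificate belong together before bundling them with `-descert`, then re-opens the bundle to confirm which certificate it holds. The function names, the `tcs.example.test` subject and the generated key pair are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. File names follow the post; the key and
# certificate produced by make_sample are constructed test material.

# Constructed sample: throwaway RSA key + self-signed cert (CN is a placeholder).
make_sample() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=tcs.example.test" \
        -keyout "$1/privatekey.pem" -out "$1/cert.pem" 2>/dev/null
}

# True only when the certificate carries the public half of the private key.
key_matches_cert() {  # $1 = private key (PEM), $2 = certificate (PEM)
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$kpub" = "$cpub" ]
}

# Bundle key + cert, refusing a mismatched pair. -descert is the option from the
# post. The password goes through the environment, not the argument list.
build_pfx() {  # $1 = key, $2 = cert, $3 = output .pfx, $4 = export password
    key_matches_cert "$1" "$2" || { echo "key/certificate mismatch" >&2; return 1; }
    PFX_PASS=$4 openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
        -descert -passout env:PFX_PASS
}

# Re-open the bundle and confirm it holds the same certificate (SHA-256 fingerprint).
pfx_holds_cert() {  # $1 = .pfx, $2 = password, $3 = original certificate
    got=$(PFX_PASS=$2 openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASS \
        2>/dev/null | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    want=$(openssl x509 -in "$3" -noout -fingerprint -sha256) || return 1
    [ "$got" = "$want" ]
}
```

Typical use with the post's file names: `build_pfx privatekey.pem SIPTLS_tcs-csr.cer tcs_sip-cert.pfx "$PASSWORD"` followed by `pfx_holds_cert tcs_sip-cert.pfx "$PASSWORD" SIPTLS_tcs-csr.cer`.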
05-15-2018 12:05 PM
05-16-2018 12:07 AM
I'm using a CA signed certificate.
I've not tried the self signed certs.
I currently have an SR open with TAC.
05-21-2018 04:11 AM
I've tried with the self signed certificate and the problem remained.
Then I changed the server FQDN to its IP address and the trunk became active on TCS side.
But the recording session remained unencrypted. Probably because the endpoint (LSC) did not trust the TCS.
I will test again with the CA signed certificate and try again. Maybe I need to update the LSCs on all the endpoints too?