CTL/ITL in CUCM in 10.x

Cisco Guardian · ‎09-24-2015

Hi Guys !!!

Very Good Morning to everyone .

I am small clarification to make, I have three question to ask.

First one, when a phone tries to register with the call manager 10.x, does the phone know if the cluster is secure cluster or non secure cluster ?

Second one, we want to build secure cluster using the etokens but a etokens from two different pair (not from the same pair) will this have any kind weird effect when it creates/signs the CTL file?

Third one, 10.x supports token less secure cluster, what are the advantages and disadvantages of the token less secure cluster ? Is the any difference between the token less secure cluster and etoken secure cluster from the security point of view ?

Thanks Heaps in advance !!!

Cheers,

Vino

Terry Cheema · ‎09-24-2015

1) Phones will rely on CTL file to figure out if a cluster is secure

2) Refer to this document Jason has mentioned you can use multiple tokens. But have never tried that:

https://supportforums.cisco.com/document/73611/ip-phone-security-and-ctl-certificate-trust-list#Obtain_USB_eTokens

3) I think token less should be the preferred approach going ahead. From security point of view its more secure since there are chances of losing the USB tokens etc. They have to be maintained and stored in secure locations. But with the token less method the CTL are signed by callmanager.pem of the publisher and no special hardware required.

Ref here for more info on token less CTL: http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html

-Terry

Please rate all helpful posts

Cisco Guardian · ‎09-25-2015

Thanks !!!