Feb 10th, 2010


I have a lab setup with Cisco UCM 7.0.2 and I have two phones registered to the CUCM, one SIP and one SCCP phone.

I have another 3rd party PBX with phones ringing these two phones. I want to enable SRTP and my main question is as follows:

To activate SRTP for the Cisco phones, do I need to set my CUCM to mixed mode?

Both Cisco phones have MIC certs installed on them, and looking at the settings on the phones it looks like the phones are in non-secure mode. I used the CTL client to see whether I could change the CUCM to mixed mode, but I get a response saying I need a security token.


Jaime Valencia Wed, 02/10/2010 - 12:28
User Badges:
  • Cisco Employee,
  • Hall of Fame,


You need 2 security tokens for that; if you don't have them, it's impossible to enable encryption.

Configuring the Cisco CTL Client

Before you configure the Cisco CTL Client, verify that you activated the Cisco CTL Provider service and the Cisco Certificate Authority Proxy Function service in Cisco Unified Serviceability. Obtain at least two security tokens; the Cisco certificate authority issues these security tokens. The security tokens must come from Cisco. You will insert the tokens one at a time into the USB port on the server/workstation. If you do not have a USB port on the server, you may use a USB PCI card.



If this helps, please rate

tommyphelan Thu, 02/11/2010 - 01:15

Thanks for the speedy response, Java.

I have one more question to clarify more for me.

I understand now that I need two Security Tokens to enable mixed mode for the CUCM.

Is it necessary to put LSC certs onto the phone also for SRTP, or should the MIC certs suffice?

Eugene Zuevski Thu, 10/25/2012 - 07:20

Is it possible to use security tokens in a VMware environment? The installation refers to CUCM 9.0.

Robert Thomas Thu, 10/25/2012 - 07:27
User Badges:
  • Silver, 250 points or more

I think you can use the same CTL for VMware, considering the USB will be connected to the admin PC with the CTL client software, not the server itself.

The CTL client will insert the certs into the CUCM cluster.


Jaime Valencia Tue, 11/06/2012 - 06:02


Yes, just follow the instructions from the CUCM security guide.

Whether it's on an MCS or a UCS makes no difference.



if this helps, please rate

jeffrdix Fri, 07/02/2010 - 07:34

It is strongly recommended that you use LSCs as opposed to MICs.





Cisco recommends that you use manufacturer-installed certificates (MICs) for LSC installation only. Cisco supports LSCs to authenticate the TLS connection with Cisco Unified Communications Manager. Because MIC root certificates can be compromised, customers who configure phones to use MICs for TLS authentication or for any other purpose do so at their own risk. Cisco assumes no liability if MICs are compromised.

