
Secure Conferences do not work

Dec 18th, 2013

Hi all


I configured secure conferences on the GW and CUCM, and the dspfarm profile is registered with CUCM.

The cluster is secure; when I place calls between two phones, the lock is shown on the phones' display.

It is also shown when I place calls between Jabber clients, Jabber and phones, voicemail ports and so on.

But when I make a conference, the lock is missing from the phones. The CFB resource is invoked, but the RTP is not encrypted.

My CUCM version is 9.1

IOS version 15.2.4M5

ISR2 3945


Can anyone help me out?




crypto pki trustpoint GWC0301
 enrollment selfsigned
 fqdn none
 subject-name CN=GWC0301
 revocation-check none
 rsakeypair GWC0301
!
crypto pki trustpoint UCM03-C03
 enrollment terminal
 subject-name CN=UCM03-C03
 revocation-check none
!
crypto pki trustpoint UCM04-C03
 enrollment terminal
 subject-name CN=UCM04-C03
 revocation-check none
!
crypto pki trustpoint UCM05-O15
 enrollment terminal
 subject-name CN=UCM05-O15
 revocation-check none
!
!

crypto pki certificate chain GWC0301
 certificate self-signed 01
  308201ED 30820156 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  12311030 0E060355 04031307 47574330 33303130 1E170D31 33313231 36313835
  3732335A 170D3230 30313031 30303030 30305A30 12311030 0E060355 04031307
  47574330 33303130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189
  02818100 CC4C4F50 5E795FE1 3771A0EC 8C7812C9 A2F63342 9D644274 8DDB27B0
  D097C91B EA106282 6D46AD44 9FBE7354 BA251FC6 10386C33 547F43C7 A5CB38F9
  C017FEBB 5E70B527 1B131153 0383DB59 1126418A E14F348C F70A798A 87F2F9A4
  64C40DC9 154244F4 8D9A2FC3 95EC1B87 04D8BAF9 C4438377 907F75B7 1B58C911
  2BC6F4C5 02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F
  0603551D 23041830 16801405 C565B2B9 25786B09 B6EACFD8 53F96A40 5F058A30
  1D060355 1D0E0416 041405C5 65B2B925 786B09B6 EACFD853 F96A405F 058A300D
  06092A86 4886F70D 01010505 00038181 0027A890 27D4F1F6 E9CF9D29 50166978
  9B4378CD 68C648D3 3793C2A6 1E5A76FD 567ACE3E A286F44D D7F7ACC9 5914855A
  026F066D BE330EC7 B7ED041A 13C4B69D EC21FDDD 4B371428 1FC36513 C8E3CED8
  80567B5C AB538FA7 14CBFCAF 025CE29A D6C6FDE2 70057BF8 E5609A06 6858E10A
  C50734FE 74F8D04E 5B254848 BE8A4A6F 39
        quit
crypto pki certificate chain UCM03-C03
 certificate ca 40A56B940AD17F99BC3877932D170A98
  30820326 3082028F A0030201 02021040 A56B940A D17F99BC 3877932D 170A9830
  0D06092A 864886F7 0D010105 05003081 A4310B30 09060355 04061302 4D583124
  30220603 55040A13 1B507265 73696465 6E636961 20646520 6C612052 65707562
  6C696361 3110300E 06035504 0B130754 656C6563 6F6D3125 30230603 55040313
  1C55434D 30332D43 30332E70 72657369 64656E63 69612E67 6F622E6D 78311930
  17060355 04081310 44697374 7269746F 20466564 6572616C 311B3019 06035504
  07131243 6F6E7374 69747579 656E7465 73203136 31301E17 0D313331 30303730
  32313835 385A170D 31383130 30363032 31383537 5A3081A4 310B3009 06035504
  0613024D 58312430 22060355 040A131B 50726573 6964656E 63696120 6465206C
  61205265 7075626C 69636131 10300E06 0355040B 13075465 6C65636F 6D312530
  23060355 0403131C 55434D30 332D4330 332E7072 65736964 656E6369 612E676F
  622E6D78 31193017 06035504 08131044 69737472 69746F20 46656465 72616C31
  1B301906 03550407 1312436F 6E737469 74757965 6E746573 20313631 30819F30
  0D06092A 864886F7 0D010101 05000381 8D003081 89028181 009B1190 C0594C1E
  FC9FAA59 7F0A38D2 773DD27C 620BEA61 35513866 D25F383A 2CA689A6 B00C0C41
  1345A583 8524C162 BC84E226 8D7D95EA 50BE885A 5F1CC500 95645625 6D623095
  63759862 D878C14F 6A535E18 1101FFC3 E6F96034 279BD1EF 36E25161 EED5695C
  858E5E3C 7AE6CC31 E04583F0 F270E9C3 7F209A09 70C0E2DB A3020301 0001A357
  3055300B 0603551D 0F040403 0202BC30 27060355 1D250420 301E0608 2B060105
  05070301 06082B06 01050507 03020608 2B060105 05070305 301D0603 551D0E04
  160414AD 63814EBC 1BE67BA3 178A6919 83ECD02F F01EB130 0D06092A 864886F7
  0D010105 05000381 81007574 5DD1A658 44842BDB 8C03296A 1B1BBCAA B7D30BEF
  75E2EF6F 0821BA9F 2E29BBA3 B9DC7717 EE6F9664 5692A133 8EF9544E 9A62B4FC
  58FFF7DB EB410CB8 78CEE22A 7CFC132A 8FD561B1 8C07C47D E8205DBB 2588C874
  C1239BE8 D9A383D8 5777D3B2 2B45A05B 7AD73A27 6B21FABE 216CF9BC C4F54D53
  A250DEEE B91A22DD 5831
        quit
crypto pki certificate chain UCM04-C03
 certificate ca 5F57BA04B314954A00176D7C695F2917
  30820326 3082028F A0030201 0202105F 57BA04B3 14954A00 176D7C69 5F291730
  0D06092A 864886F7 0D010105 05003081 A4310B30 09060355 04061302 4D583124
  30220603 55040A13 1B507265 73696465 6E636961 20646520 6C612052 65707562
  6C696361 3110300E 06035504 0B130754 656C6563 6F6D3125 30230603 55040313
  1C55434D 30342D43 30332E70 72657369 64656E63 69612E67 6F622E6D 78311930
  17060355 04081310 44697374 7269746F 20466564 6572616C 311B3019 06035504
  07131243 6F6E7374 69747579 656E7465 73203136 31301E17 0D313331 30303730
  32303935 315A170D 31383130 30363032 30393530 5A3081A4 310B3009 06035504
  0613024D 58312430 22060355 040A131B 50726573 6964656E 63696120 6465206C
  61205265 7075626C 69636131 10300E06 0355040B 13075465 6C65636F 6D312530
  23060355 0403131C 55434D30 342D4330 332E7072 65736964 656E6369 612E676F
  622E6D78 31193017 06035504 08131044 69737472 69746F20 46656465 72616C31
  1B301906 03550407 1312436F 6E737469 74757965 6E746573 20313631 30819F30
  0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00ABC218 15930718
  5E53D56E 1D621C25 8D3943E3 9C7E4349 00701DD0 B382BA34 A697B97C D06A22ED
  102C77EF 2033AEC6 95FA69E8 886ACD38 68720355 CCBF7593 550E0851 53DD059F
  07BB9E2C BED497FC 1CB2E706 0963DE62 9CE3C6CC BB56B081 95176474 FFC70DBA
  39D9DF09 594CD473 E3594F14 1B5DBC06 6262D780 11E8FCB8 AD020301 0001A357
  3055300B 0603551D 0F040403 0202BC30 27060355 1D250420 301E0608 2B060105
  05070301 06082B06 01050507 03020608 2B060105 05070305 301D0603 551D0E04
  160414BB 65AEE620 35568965 854657C9 3FEBCDB4 F97F0830 0D06092A 864886F7
  0D010105 05000381 81009652 3766B13D A6CBEA48 46B5C440 4A3F888A E31BC170
  8A4FBA1A A30B4078 96C8F243 A1ABD77D 248CC46B 34194972 583FCA08 57EFC04A
  762761FB 414D867D D5D9F4C3 7523A094 FF82F885 F8712CE5 6828AD17 9D0C2A84
  F5FBFAD6 465ADA74 B9875BDA FFE42041 2192F693 0B805184 A4B502AA 289C97C5
  BCEB684B 7C0C7547 B72F
        quit
crypto pki certificate chain UCM05-O15
 certificate ca 67A8376B9B8E3D2D48100FA6B9C7CB29
  30820314 3082027D A0030201 02021067 A8376B9B 8E3D2D48 100FA6B9 C7CB2930
  0D06092A 864886F7 0D010105 05003081 9B310B30 09060355 04061302 4D583124
  30220603 55040A13 1B507265 73696465 6E636961 20646520 6C612052 65707562
  6C696361 3110300E 06035504 0B130754 656C6563 6F6D3125 30230603 55040313
  1C55434D 30352D4F 31352E70 72657369 64656E63 69612E67 6F622E6D 78311930
  17060355 04081310 44697374 7269746F 20466564 6572616C 31123010 06035504
  0713094C 6F732050 696E6F73 301E170D 31333130 30373032 31353432 5A170D31
  38313030 36303231 3534315A 30819B31 0B300906 03550406 13024D58 31243022
  06035504 0A131B50 72657369 64656E63 69612064 65206C61 20526570 75626C69
  63613110 300E0603 55040B13 0754656C 65636F6D 31253023 06035504 03131C55
  434D3035 2D4F3135 2E707265 73696465 6E636961 2E676F62 2E6D7831 19301706
  03550408 13104469 73747269 746F2046 65646572 616C3112 30100603 55040713
  094C6F73 2050696E 6F733081 9F300D06 092A8648 86F70D01 01010500 03818D00
  30818902 818100B6 78B6EF73 B65995C1 ECE2933F CBF4C7BE 0B2C72C7 F727A2AE
  BA601198 71A1CE6B 8BBEF3B0 524BC8B7 54CF061A 0139F2C2 066002C5 604778BC
  7A08E4F1 1CD37727 917AFFD0 45AC2757 3E344A9F D83B8B85 8DFE380E 453BFCD0
  9BC0B0A2 487D68BD 4A99DE7D 06B13383 6112AF6D C7DE2E89 2CE6B3E3 8EF611C1
  9118ED0B 7A919302 03010001 A3573055 300B0603 551D0F04 04030202 BC302706
  03551D25 0420301E 06082B06 01050507 03010608 2B060105 05070302 06082B06
  01050507 0305301D 0603551D 0E041604 14A7C646 4B49191E 7837A550 8CA7F665
  5E18E3B0 8B300D06 092A8648 86F70D01 01050500 03818100 18BE82D4 B2440E41
  3C3CE5B6 9C56ABBE F39D8358 4DF9D4DF 24EDF5E7 29AB23E3 98D4EE22 68113C2E
  5962D6E9 85B0B4AE C1829806 AD123E38 B837E600 B17A1AB9 89CC7570 D05CEB1E
  EAE0AEEB 37767637 F7659913 603061B0 2D4955B1 99D06442 47947E8B 66C4C619
  F1B3B242 23D52E39 D2218B6A A0F4F46B B8AECB58 A2BA054F
        quit

ip cef
!
sccp local GigabitEthernet0/0
sccp ccm 172.19.254.98 identifier 3 priority 3 version 7.0 trustpoint UCM05-O15
sccp ccm 172.19.254.69 identifier 2 priority 2 version 7.0 trustpoint UCM04-C03
sccp ccm 172.19.254.68 identifier 1 priority 1 version 7.0 trustpoint UCM03-C03
sccp
!
sccp ccm group 100
 bind interface GigabitEthernet0/0
 associate ccm 1 priority 1
 associate ccm 2 priority 2
 associate ccm 3 priority 3
 associate profile 1 register GWC0301
 associate profile 2 register XCOD_C03_01
 associate profile 3 register CFBC0301
 associate profile 5 register MTPG711a
 associate profile 4 register MTPG711u
 associate profile 6 register MTPG729ABR8
!
dspfarm profile 2 transcode
 codec g711ulaw
 codec g711alaw
 codec g729ar8
 codec g729abr8
 maximum sessions 120
 associate application SCCP
!
dspfarm profile 1 conference security
 trustpoint GWC0301
 codec g711ulaw
 codec g711alaw
 codec g729ar8
 codec g729abr8
 codec g729r8
 codec g729br8
 maximum sessions 20
 associate application SCCP
!
dspfarm profile 3 conference
 codec g729br8
 codec g729r8
 codec g729abr8
 codec g729ar8
 codec g711alaw
 codec g711ulaw
 maximum sessions 10
 associate application SCCP
 shutdown
!
dspfarm profile 4 mtp security
 trustpoint GWC0301
 codec g711ulaw
 maximum sessions software 100
 associate application SCCP
!
dspfarm profile 5 mtp security
 trustpoint GWC0301
 codec g711alaw
 maximum sessions software 100
 associate application SCCP
!
dspfarm profile 6 mtp security
 trustpoint GWC0301
 codec g729abr8
 maximum sessions software 100
 associate application SCCP
!




GW_C03_01#sh sccp all
SCCP Admin State: UP
Gateway Local Interface: GigabitEthernet0/0
        IPv4 Address: 172.19.241.2
        Port Number: 2000
IP Precedence: 5
User Masked Codec list: None
Call Manager: 172.19.254.98, Port Number: 2000
                Priority: 3, Version: 7.0, Identifier: 3
Call Manager: 172.19.254.69, Port Number: 2000
                Priority: 2, Version: 7.0, Identifier: 2
Call Manager: 172.19.254.68, Port Number: 2000
                Priority: 1, Version: 7.0, Identifier: 1

Transcoding Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 172.19.254.68, Port Number: 2000
TCP Link Status: CONNECTED, Profile Identifier: 2
Reported Max Streams: 240, Reported Max OOS Streams: 0
Supported Codec: g711ulaw, Maximum Packetization Period: 30
Supported Codec: g711alaw, Maximum Packetization Period: 30
Supported Codec: g729ar8, Maximum Packetization Period: 60
Supported Codec: g729abr8, Maximum Packetization Period: 60
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: rfc2833 pass-thru, Maximum Packetization Period: 30
Supported Codec: inband-dtmf to rfc2833 conversion, Maximum Packetization Period: 30

Conferencing Oper State: ACTIVE - Cause Code: NONE
Active Call Manager: 172.19.254.68, Port Number: 2443
TCP Link Status: CONNECTED, Profile Identifier: 1
Security
Signaling Security: ENCRYPTED TLS
Media Security: SRTP
Supported crypto suites :AES_CM_128_HMAC_SHA1_32
Reported Max Streams: 160, Reported Max OOS Streams: 0
Supported Codec: g711ulaw, Maximum Packetization Period: 30
Supported Codec: g711alaw, Maximum Packetization Period: 30
Supported Codec: g729ar8, Maximum Packetization Period: 60
Supported Codec: g729abr8, Maximum Packetization Period: 60
Supported Codec: g729r8, Maximum Packetization Period: 60
Supported Codec: g729br8, Maximum Packetization Period: 60
Supported Codec: rfc2833 dtmf, Maximum Packetization Period: 30
Supported Codec: rfc2833 pass-thru, Maximum Packetization Period: 30
Supported Codec: inband-dtmf to rfc2833 conversion, Maximum Packetization Period: 30
TLS : ENABLED

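As an added check (example code written for this page, not part of the original post and not a Cisco tool): a small Python lint that reads the DSP-farm configuration together with the `show sccp all` output and reports, for each `dspfarm profile ... security`, whether a trustpoint is set, whether the profile is associated in the `sccp ccm group` with a registration name, whether a secure conference profile's registration name equals the CN in its trustpoint certificate (Cisco's secure conference bridge setup has the Conference Bridge Name in CUCM match the certificate CN; the check assumes that requirement), and whether the registered service reports `ENCRYPTED TLS` signaling and `SRTP` media. The two input strings are constructed excerpts modelled on the configuration and output above, not the full running-config; the parser ignores indentation, so a forum paste like the one above feeds it unchanged.

```python
"""Lint a Cisco IOS DSP-farm configuration and 'show sccp all' output for what a
secure SCCP media resource needs: a trustpoint on every security profile, a
registration name in the sccp ccm group, a certificate CN equal to the conference
bridge name (assumed requirement, see lead-in) and TLS/SRTP in the service state."""
import re

# Constructed excerpt modelled on the configuration posted above, not the full
# running-config (the parser does not depend on the indentation).
SAMPLE_CONFIG = """\
crypto pki trustpoint GWC0301
 subject-name CN=GWC0301
!
sccp ccm group 100
 associate profile 1 register GWC0301
 associate profile 3 register CFBC0301
!
dspfarm profile 1 conference security
 trustpoint GWC0301
!
dspfarm profile 3 conference
 shutdown
!
"""
# Constructed 'show sccp all' excerpt; only the conferencing service is shown.
SAMPLE_SHOW_SCCP = """\
Conferencing Oper State: ACTIVE - Cause Code: NONE
TCP Link Status: CONNECTED, Profile Identifier: 1
Security
Signaling Security: ENCRYPTED TLS
Media Security: SRTP
"""
HEADERS = ("crypto pki trustpoint ", "sccp ccm group ", "dspfarm profile ")

def parse_config(config):
    """Return (trustpoint -> CN, profile id -> registration name, profile id -> info).
    A block ends at '!' or the next header, so a paste that lost its indentation
    (as forum posts usually do) parses the same way as the real running-config."""
    cns, regs, profiles, cur = {}, {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line == "!":
            cur = None
        elif line.startswith(HEADERS):
            cur = line
            m = re.match(r"dspfarm profile (\d+) (\w+)( security)?$", line)
            if m:
                profiles[int(m.group(1))] = {"type": m.group(2), "secure": bool(m.group(3)),
                                             "trustpoint": None, "shutdown": False}
        elif cur and cur.startswith(HEADERS[0]):
            m = re.match(r"subject-name\s+CN=([^,\s]+)", line, re.I)
            if m:
                cns[cur.split()[-1]] = m.group(1)
        elif cur and cur.startswith(HEADERS[1]):
            m = re.match(r"associate profile (\d+) register (\S+)", line)
            if m:
                regs[int(m.group(1))] = m.group(2)
        elif cur and int(cur.split()[2]) in profiles:  # inside a dspfarm profile block
            prof = profiles[int(cur.split()[2])]
            if line.startswith("trustpoint "):
                prof["trustpoint"] = line.split()[1]
            elif line == "shutdown":
                prof["shutdown"] = True
    return cns, regs, profiles

def parse_show_sccp(output):
    """Map each SCCP service to the profile id and signaling/media security it reports."""
    services, cur = {}, None
    for line in (l.strip() for l in output.splitlines()):
        if m := re.match(r"(\w+) Oper State:", line):
            cur = services[m.group(1)] = {"profile": None, "signaling": None, "media": None}
        elif cur and (m := re.search(r"Profile Identifier: (\d+)", line)):
            cur["profile"] = int(m.group(1))
        elif cur and (m := re.match(r"(Signaling|Media) Security: (.+)", line)):
            cur[m.group(1).lower()] = m.group(2)
    return services

def audit(config, show_sccp):
    """Return findings; empty means every security profile has a usable trustpoint
    and its SCCP service registered with TLS signaling and SRTP media."""
    cns, regs, profiles = parse_config(config)
    by_profile = {s["profile"]: s for s in parse_show_sccp(show_sccp).values()}
    findings = []
    for pid, prof in sorted(profiles.items()):
        tag = "profile %d (%s%s)" % (pid, prof["type"], " security" if prof["secure"] else "")
        name, tp = regs.get(pid), prof["trustpoint"]
        if name is None:
            findings.append(tag + ": not associated in any sccp ccm group")
        elif prof["shutdown"]:
            findings.append(tag + ": shut down; it will not register with CUCM")
        elif prof["secure"]:
            if tp is None or tp not in cns:
                findings.append(tag + ": no trustpoint with a subject-name CN")
            elif prof["type"] == "conference" and cns[tp] != name:
                findings.append(tag + ": registers as %s but certificate CN is %s" % (name, cns[tp]))
            svc = by_profile.get(pid)
            if svc is None:
                findings.append(tag + ": no service for this profile in show sccp all")
            elif (svc["signaling"], svc["media"]) != ("ENCRYPTED TLS", "SRTP"):
                findings.append(tag + ": SCCP reports signaling=%s media=%s"
                                % (svc["signaling"], svc["media"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_SHOW_SCCP) or ["no findings"]:
        print(finding)
```

On the excerpt the secure conference profile passes every check, which is also what the `show sccp all` output above already states (signaling `ENCRYPTED TLS`, media `SRTP`, profile 1); the only finding is the shut-down nonsecure bridge. What the script cannot see is the CUCM side of the pairing: the conference bridge device name and its security mode, and the MRGL of the phone that starts the conference, which are the things to compare next.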
Hermanus Janse ... Thu, 12/19/2013 - 00:35

Secure conference

The Secure Conferencing feature provides authentication and encryption to secure a conference. A conference gets considered secure when all participating devices have encrypted signaling and media. The secure conference feature supports SRTP encryption over a secure TLS or IPSec connection.

The system provides a security icon for the overall security status of the conference, which is determined by the lowest security level of the participating devices. For example, a secure conference that includes two encrypted connections and one authenticated connection has a conference security status of authenticated.

To configure secure ad hoc and meet-me conferences, you configure a secure conference bridge.

  • If a user initiates a conference call from a phone that is authenticated or encrypted, Cisco Unified Communications Manager allocates the secure conference bridge.
  • If a user initiates a call from a phone that is nonsecure, Cisco Unified Communications Manager allocates a nonsecure conference bridge.

When you configure conference bridge resources as nonsecure, the conference remains nonsecure, regardless of the security configuration for the phone.

Note: Cisco Unified Communications Manager allocates a conference bridge from the Media Resource Group List (MRGL) for the phone that is initiating the conference. If a secure conference bridge is not available, Cisco Unified Communications Manager assigns a nonsecure conference bridge, and the conference is nonsecure. Likewise, if a nonsecure conference bridge is not available, Cisco Unified Communications Manager assigns a secure conference bridge, and the conference is nonsecure. If no conference bridge is available, the call will fail.

For meet-me conference calls, the phone that initiates the conference must also meet the minimum security requirement that is configured for the meet-me number. If no secure conference bridge is available or if the initiator security level does not meet the minimum, Cisco Unified Communications Manager rejects the conference attempt.

To secure conferences with barge, configure phones to use encrypted mode. After the Barge key is pressed and if the device is authenticated or encrypted, Cisco Unified Communications Manager establishes a secure connection between the barging party and the built-in bridge at the target device. The system provides a conference security status for all connected parties in the barge call.

Note: Nonsecure or authenticated Cisco Unified IP Phones that are running release 8.3 or later can now barge encrypted calls.

Conference bridge requirements

A conference bridge can register as a secure media resource when you add a hardware conference bridge to your network and configure a secure conference bridge in Cisco Unified Communications Manager Administration.

Note: Due to the performance impact to Cisco Unified Communications Manager processing, Cisco does not support secure conferencing on software conference bridge.

A Digital Signal Processor (DSP) farm, which provides conferencing on a H.323 or MGCP gateway, acts as the network resource for IP telephony conferencing. The conference bridge registers to Cisco Unified Communications Manager as a secure SCCP client.

  • The conference bridge root certificate must exist in CallManager trust store, and the Cisco Unified Communications Manager certificate must exist in the conference bridge trust store.
  • The secure conference bridge security setting must match the security setting in Cisco Unified Communications Manager to register.

For more information about conferencing routers, refer to the IOS router documentation that is provided with your router.

Cisco Unified Communications Manager assigns conference resources to calls on a dynamic basis. The available conference resource and the enabled codec provide the maximum number of concurrent, secure conferences allowed per router. Because transmit and receive streams are individually keyed for each participating endpoint (so no rekeying is necessary when a participant leaves the conference), the total secure conference capacity for a DSP module equals one-half the nonsecure capacity that you can configure.

See "Understanding Conference Devices" in the Cisco Unified Communications Manager System Guide for more information.

Secure conference icons

Cisco Unified IP Phones display a conference security icon for the security level of the entire conference. These icons match the status icons for a secure two-party call, as described in the user documentation for your phone.

The audio and video portions of the call provide the basis for the conference security level. The call gets considered secure only if both the audio and video portions are secure.

For ad hoc and meet-me secure conferences, the security icon for the conference displays next to the conference softkey in the phone window for conference participants. The icon that displays depends on the security level of the conference bridge and all participants:

  • A lock icon displays if the conference bridge is secure and all participants in the conference are encrypted.
  • A shield icon displays if the conference bridge is secure and all participants in the conference are authenticated. Some phone models do not display the shield icon.
  • When the conference bridge or any participant in the conference is nonsecure, the call state icon (active, hold, and so on) displays, or, on some older phone models, no icon displays.

When an encrypted phone connects to a secure conference bridge, the media streaming between the device and the conference bridge gets encrypted; however, the icon for the conference can be encrypted, authenticated, or nonsecure depending on the security levels of the other participants. A nonsecure status indicates that one of the parties is not secure or cannot be verified.

When a user presses Barge, the icon that displays next to the Barge softkey provides the security level for the barge conference. If the barging device and the barged device support encryption, the system encrypts the media between the two devices, but the barge conference status can be nonsecure, authenticated, or encrypted, depending on the security levels of the connected parties.

Secure conference status

Conference status can change as participants enter and leave the conference. An encrypted conference can revert to a security level of authenticated or nonsecure if an authenticated or nonsecure participant connects to the call. Likewise, the status can upgrade if an authenticated or nonsecure participant drops off the call. A nonsecure participant that connects to a conference call renders the conference nonsecure.

Conference status can also change when participants chain conferences together, when the security status for a chained conference changes, when a held conference call is resumed on another device, when a conference call gets barged, or when a transferred conference call completes to another device.

Note: The Advanced Ad Hoc Conference Enabled service parameter determines whether ad hoc conferences can be linked together by using features such as conference, join, direct transfer, and transfer.

Cisco Unified Communications Manager provides these options to maintain a secure conference:

  • Ad hoc conference lists
  • Meet-Me conference with minimum security level

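The allocation and status rules in the reply above, worked through as an added Python model (example code written for this page, not Cisco's and not the poster's). `Level`, `allocate_bridge`, `Conference`, `start_meetme` and `walkthrough` are names chosen here; the rules they encode are the ones the text states: an authenticated or encrypted initiator gets the secure bridge and a nonsecure initiator the nonsecure one, with fallback to whichever bridge the MRGL still has and failure when it has none; the conference status is the lowest level among the bridge and all participants and moves up or down as parties join and leave; a meet-me is rejected when the initiator is below the configured minimum or no secure bridge exists; and secure DSP capacity is half the nonsecure figure. One reading is an assumption and marked as such in the code: that a meet-me whose minimum is nonsecure does not need a secure bridge.

```python
"""Model of the secure conference rules quoted above: bridge allocation from the
initiator's MRGL, conference status as the lowest level among bridge and
participants, the meet-me minimum check, and secure DSP capacity."""
from enum import IntEnum


class Level(IntEnum):
    """Device security levels in the order CUCM ranks them."""
    NONSECURE = 0
    AUTHENTICATED = 1
    ENCRYPTED = 2


# Icon a phone shows for each overall conference status, per the reply above.
ICON = {Level.ENCRYPTED: "lock", Level.AUTHENTICATED: "shield",
        Level.NONSECURE: "call-state icon (or none on older phones)"}


class ConferenceFailed(Exception):
    """CUCM rejects or fails the conference attempt."""


def allocate_bridge(initiator, secure_available, nonsecure_available):
    """Bridge type CUCM takes from the initiator's MRGL: an authenticated or
    encrypted initiator gets the secure bridge, a nonsecure one the nonsecure
    bridge; if the preferred type is missing the other is used; none -> failure."""
    preferred = "secure" if initiator >= Level.AUTHENTICATED else "nonsecure"
    other = "nonsecure" if preferred == "secure" else "secure"
    available = {"secure": secure_available, "nonsecure": nonsecure_available}
    for bridge in (preferred, other):
        if available[bridge]:
            return bridge
    raise ConferenceFailed("no conference bridge available in the MRGL")


def conference_status(bridge, participants):
    """Overall status: a nonsecure bridge makes the conference nonsecure; otherwise
    it is the lowest level of any participant (encrypted > authenticated > nonsecure)."""
    if bridge == "nonsecure":
        return Level.NONSECURE
    return min(participants, default=Level.ENCRYPTED)


class Conference:
    """Tracks participants so the status is recomputed on every join and leave."""
    def __init__(self, bridge):
        self.bridge, self.participants = bridge, {}

    def join(self, name, level):
        self.participants[name] = Level(level)
        return self.status()

    def leave(self, name):
        self.participants.pop(name, None)
        return self.status()

    def status(self):
        return conference_status(self.bridge, self.participants.values())


def start_meetme(initiator, minimum, secure_available, nonsecure_available):
    """Meet-me: the initiator must meet the configured minimum level and, when that
    minimum is above nonsecure, a secure bridge must exist; otherwise CUCM rejects
    the attempt. (That a nonsecure minimum needs no secure bridge is an assumption.)"""
    if initiator < minimum:
        raise ConferenceFailed("initiator is below the meet-me minimum security level")
    if minimum > Level.NONSECURE and not secure_available:
        raise ConferenceFailed("no secure conference bridge available")
    return allocate_bridge(initiator, secure_available, nonsecure_available)


def secure_capacity(nonsecure_sessions):
    """Secure conference capacity of a DSP module is half the nonsecure capacity,
    since each participant's transmit and receive streams are keyed separately."""
    return nonsecure_sessions // 2


def walkthrough():
    """Ad hoc conference started by an encrypted phone whose MRGL holds both bridge
    types; returns the bridge used and the status after each join or leave."""
    bridge = allocate_bridge(Level.ENCRYPTED, True, True)
    conf = Conference(bridge)
    statuses = [conf.join("initiator", Level.ENCRYPTED),
                conf.join("phone-b", Level.ENCRYPTED),      # still encrypted: lock
                conf.join("phone-c", Level.AUTHENTICATED),  # drops to authenticated: shield
                conf.join("phone-d", Level.NONSECURE),      # nonsecure party: no lock
                conf.leave("phone-d"),                      # back to authenticated
                conf.leave("phone-c")]                      # back to encrypted
    return bridge, statuses


if __name__ == "__main__":
    bridge, statuses = walkthrough()
    print("bridge:", bridge)
    for status in statuses:
        print(status.name, "->", ICON[status])
```

Read against the original question: the model only ever reports a lock when the allocated bridge is secure and every party is encrypted, so a missing lock with a bridge that itself registers with TLS and SRTP points at the allocation step (which bridge the initiator's MRGL handed out) or at one of the parties, not at the SRTP negotiation the gateway already shows.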
