Solved: Ask the Expert: Implementation and Monitoring Security in Cisco Unified Communications Manager (CUCM...

Monica Lluis · ‎05-18-2016

Implementing security mechanisms in the Cisco Unified Communications Manager system prevents identity theft of the phones and the Cisco Unified Communications Manager server, data tampering, and call-signaling/media-stream tampering. This Session would cover implementing,maintaining, troubleshooting all CUCM certificates, along with best practises. Securing media(SRTP) like CTL, ITL troubleshooting would also be covered.

To participate in this event, please use the Reply Button to ask your question.

Ask questions from Tuesday May 23 to Friday June 3rd, 2016

Featured Experts

Ajay Viswanath is a Customer Support Engineer in the Cisco HTTS( High Touch Technical Services) team working in the Unified Communications Domain. He has been with Cisco from October 2013 and works with engineering and customers to resolve complex issues. His area of expertise include’s Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Voice Gateways, Cisco Unified Sip Proxy, IM and Presence server. He has a total of 7 years experience in the Collaboration field. He Holds a CCIE in Collaboration(45756) and a Masters Degree in Information technology. In his free time loves to travel and explore the world.

Nirmal Issac is a Customer Support Engineer in Cisco TAC team for Unified Communications technology based in Bangalore, India. His area of expertise include Cisco Unified Communications Manager, IM & Presence server, Cisco Unity, Cisco Jabber, Cisco Emergency Responder and Attendant Console. He has over 4 years of industry experience working with large enterprises and Cisco Partners. He holds a Bachelor of Engineering degree in Telecommunication from Anna University. He also holds CCIE certification (#45964) in Collaboration technology.

Find other https://supportforums.cisco.com/expert-corner/events.

** Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

https://supportforums.cisco.com/expert-corner/events ">https://supportforums.cisco.com/expert-corner/events.

We look forward to your participation. This event is open to all, including partners. Please Share this event in your social channels. Have a technical question? Get answers here before opening a TAC case by visiting the Cisco Support Community.

I hope you and your love ones are safe and healthy
Monica Lluis
Community Manager Lead

Ajay Viswanath · ‎05-23-2016

Hello Everyone,

I am writing a very Brief summary on what all topic's we would be covering on this session.

HTTPS Webpage Security

Hypertext Transfer Protocol over Secure Sockets Layer (SSL)(HTTPS) secures the communication between browser and CUCM Web application pages like ccmadmin,ccmservice, cmplatform,cmuser etc. The tomcat service in CUCM sends a public key whenever these webpages are accessed and the data sent to the server is encrypted using this key. The Public key can be self signed or can be signed by a Certificate Authority.Cisco IP phones also support HTTPS for feature like Extension Mobility, Extension Mobility cross cluster, personal directory etc.

Security by Default.

Security by Default was introduced after version 8.0. Phone security is done by default using the CTL,ITL and TVS service. ITL file is generated by the server without any user intervention and the CTL file should be uploaded by users using etokens to secure media and signaling. The ITL file contains a list of certificates which the phones uses to trust things like phone configuration file, server registration etc. For other certificates which are not there in the ITL, the phone uses the TVS server to authenticate on it’s behalf. Since the phone cannot download all the certificates, the TVS service is contacted where the phone does not have these certificates.

Certificate Authority Proxy Function

Certificate Authority Proxy Function (CAPF), which automatically installs with Cisco Unified Communications Manager, performs the following tasks, depending on your configuration:

Authenticate via an existing Manufacturing Installed Certificate (MIC), Locally Significant Certificate (LSC), randomly generated authentication string, or optional less secure "null" authentication.
Issues locally significant certificates to supported Cisco Unified IP Phones.
Upgrades existing locally significant certificates on the phones.
Retrieves phone certificates for viewing and troubleshooting.

Phone Virtual Private Network(VPN)

The Cisco VPN Client for Cisco Unified IP Phones adds another option for customers attempting to solve the remote telecommuter problem by complementing other Cisco remote telecommuting offerings. The Phone VPN solution works with VPN using a Cisco VPN on ASA or VPN on IOS. In this the phone on the first time is needed to be on the internal network, then once the certificates are downloaded on the phone, it can set up a VPN connection through the Cisco ASA or an IOS gateway to reach the CUCM from a public network.

Apart from the above, I would also be covering Secure SRST, Securing Gateways and Trunks, CUCM certificates.

Do let us know for any questions..

Regards

Ajay

View solution in original post

Nirmal Issac · ‎06-02-2016

Hi Sudarshan,

Thank you for the question. We need to re-run CTL client only in the below scenarios.

If you change the name or IP address of a Cisco Unified Communications Manager server
If you change the IP address or hostname for any configured TFTP servers
If you change the IP address or hostname for any configured ASA firewall
If you enabled the Cisco Certificate Authority Function service in Cisco Unified Serviceability
If you need to add or remove a security token
If you need to add or remove a TFTP server
If you need to add or remove a Cisco Unified Communications Manager server
If you need to add or remove an ASA firewall
If you restore a Cisco Unified Communications Manager server or Cisco Unified Communications Manager data
If you manually regenerate certificates on a Cisco Unified Communications Manager cluster that contains a CTL file
If you update from a CUCM version prior to 7.1.5 to a version 7.1.5 or later.
After you upload a third-party, CA-signed certificate to the platform

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/9_1_1/secugd/CUCM_BK_C0395F44_00_cucm-security-guide-91/CUCM_BK_C0395F44_00_cucm-security-guide-91_chapter_0100.html#CUCM_TK_U0801AC3_00

However, please be aware about the new certificate format in CUCM v11. The latest release has two CCM certificates- one with RSA and another one with ECDSA algorithm. The support for ECDSA is a new feature in the v11.

Please refer the below link.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/11_0_1/CUCM_BK_R30921A8_00_CUCM_release-notes_1101/new_and_changed_features.html#CUCM_RF_C318B0C7_00

Addition of this certificate can make the size of CTL file more than 64KB (in clusters with many nodes), and this can cause issues with certain phones like 7940. Hence the below defect was opened and currently the CTL file distributed by CUCM v11 will not contain the ECDSA certificate.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut80769

Just FYI, the CUCM will present ECDSA certificate to SIP clients like Jabber, and you may face issues with Secure phone connectivity in Cisco Jabber client after you upgrade the CUCM. Please note the below section in the defect notes.

"For Phones there are no current phone models that need the CallManager-ECDSA certificate. We have moved ahead to place these certificates in a new ITL File which can be retrieved from HTTPS configuration download, but since the phone development has not yet happen there is not a workaround for the phones.

Jabber clients will need to have their CallManager-ECDSA certificates can be signed by external CAs. Then that CA must be present in the Jabber OS certificate trust store. Another solution would be to put the CallManager-ECDSA certificate in the system trust store."

In case you have a Cisco Jabber deployment along with the CUCM, you may need to keep this info in mind.

Please let me know if you have any additional questions.

HTH

Regards

Nirmal Issac

View solution in original post

Ajay Viswanath · ‎05-23-2016

Hello Everyone,

I am writing a very Brief summary on what all topic's we would be covering on this session.

HTTPS Webpage Security

Hypertext Transfer Protocol over Secure Sockets Layer (SSL)(HTTPS) secures the communication between browser and CUCM Web application pages like ccmadmin,ccmservice, cmplatform,cmuser etc. The tomcat service in CUCM sends a public key whenever these webpages are accessed and the data sent to the server is encrypted using this key. The Public key can be self signed or can be signed by a Certificate Authority.Cisco IP phones also support HTTPS for feature like Extension Mobility, Extension Mobility cross cluster, personal directory etc.

Security by Default.

Security by Default was introduced after version 8.0. Phone security is done by default using the CTL,ITL and TVS service. ITL file is generated by the server without any user intervention and the CTL file should be uploaded by users using etokens to secure media and signaling. The ITL file contains a list of certificates which the phones uses to trust things like phone configuration file, server registration etc. For other certificates which are not there in the ITL, the phone uses the TVS server to authenticate on it’s behalf. Since the phone cannot download all the certificates, the TVS service is contacted where the phone does not have these certificates.

Certificate Authority Proxy Function

Certificate Authority Proxy Function (CAPF), which automatically installs with Cisco Unified Communications Manager, performs the following tasks, depending on your configuration:

Authenticate via an existing Manufacturing Installed Certificate (MIC), Locally Significant Certificate (LSC), randomly generated authentication string, or optional less secure "null" authentication.
Issues locally significant certificates to supported Cisco Unified IP Phones.
Upgrades existing locally significant certificates on the phones.
Retrieves phone certificates for viewing and troubleshooting.

Phone Virtual Private Network(VPN)

The Cisco VPN Client for Cisco Unified IP Phones adds another option for customers attempting to solve the remote telecommuter problem by complementing other Cisco remote telecommuting offerings. The Phone VPN solution works with VPN using a Cisco VPN on ASA or VPN on IOS. In this the phone on the first time is needed to be on the internal network, then once the certificates are downloaded on the phone, it can set up a VPN connection through the Cisco ASA or an IOS gateway to reach the CUCM from a public network.

Apart from the above, I would also be covering Secure SRST, Securing Gateways and Trunks, CUCM certificates.

Do let us know for any questions..

Regards

Ajay

Jinto Alakkal · ‎05-24-2016

Hi Ajay/Nirmal

What's the difference between CTL and ITL Files and in what are all scenarios we prefer CTL in a cluster also can you explain a bit about rollback option in enterprise parameters and in what scenarios it will be useful. How we can effectively migrate from an older hardware to new one without any issue of CTL or ITL files

Ajay Viswanath · ‎05-25-2016

Hi Jinto

The ITL file is similar to the CTL, however ITL is enabled by default after version 8.0 and created automatically without usual intervention. ITL is used by the endpoints to trust the CUCM. CTL is required to encrypt Media and signaling and needs to be installed using e tokens.

When you rollback to pre 8.0, the CUCM resets the phone and sends a blank ITL file, so that the phone can register with any server. We can use this when migrating phones to a different cluster. However this should be done prior to migration not after that.

Regards

Ajay

Carlos Olortiga · ‎06-01-2016

Hi Ajay/Nirmal

When we use Jabber at first time, we need to accept many certificates by CUCM, Presence, Unity, etc. Can I avoid all this confirmations?

Regards

Carlos

Nirmal Issac · ‎06-02-2016

Hi Carlos,

Thank you for the question. Cisco Jabber for Windows supports TLS communication from the version 9.2.x itself. Secure communication is mandatory for all HTTPS/XMPP communication in all Cisco Jabber clients (Except for a few features like retrieving photo from Web-Server). There is no way to disable the use of certificates.

The certificate warning pop up comes up due to the below reasons

a) The certificate is not trusted by the OS (Windows/Mac/Android/iOS).

b) Even if the certificate is trusted by the OS, there is a mismatch between the name of the server as added in the certificate and as addressed/known by Cisco Jabber.

c) The certificate is revocated by the CA/Revocation server is not reachable.

The certificate warning pop up can be avoided by using CA signed certificates. It can either be a Public Certificate Authority (eg Verisign, GoDaddy) or a Private CA in your enterprise. OS supports most of the Public CA by default. The Private CA is not trusted by default, and needs to be pushed to the PC using AD Group policy.

The below document explains the configuration needed for avoiding certificate pop ups.

Jabber Complete How-To Guide for Certificate Validation

Please let me know if you have any questions.

Regards

Nirmal Issac

Sudharshan S · ‎05-25-2016

We have a deployment of cucm 8.6 in mixed mode. we are planning to upgrade the server to 11.x in the coming months. Are there any important instructions / config to make sure that secure phones will not have any issues? Should we run CTL client again after upgrade?

Nirmal Issac · ‎06-02-2016

Hi Sudarshan,

Thank you for the question. We need to re-run CTL client only in the below scenarios.

If you change the name or IP address of a Cisco Unified Communications Manager server
If you change the IP address or hostname for any configured TFTP servers
If you change the IP address or hostname for any configured ASA firewall
If you enabled the Cisco Certificate Authority Function service in Cisco Unified Serviceability
If you need to add or remove a security token
If you need to add or remove a TFTP server
If you need to add or remove a Cisco Unified Communications Manager server
If you need to add or remove an ASA firewall
If you restore a Cisco Unified Communications Manager server or Cisco Unified Communications Manager data
If you manually regenerate certificates on a Cisco Unified Communications Manager cluster that contains a CTL file
If you update from a CUCM version prior to 7.1.5 to a version 7.1.5 or later.
After you upload a third-party, CA-signed certificate to the platform

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/9_1_1/secugd/CUCM_BK_C0395F44_00_cucm-security-guide-91/CUCM_BK_C0395F44_00_cucm-security-guide-91_chapter_0100.html#CUCM_TK_U0801AC3_00

However, please be aware about the new certificate format in CUCM v11. The latest release has two CCM certificates- one with RSA and another one with ECDSA algorithm. The support for ECDSA is a new feature in the v11.

Please refer the below link.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/11_0_1/CUCM_BK_R30921A8_00_CUCM_release-notes_1101/new_and_changed_features.html#CUCM_RF_C318B0C7_00

Addition of this certificate can make the size of CTL file more than 64KB (in clusters with many nodes), and this can cause issues with certain phones like 7940. Hence the below defect was opened and currently the CTL file distributed by CUCM v11 will not contain the ECDSA certificate.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut80769

Just FYI, the CUCM will present ECDSA certificate to SIP clients like Jabber, and you may face issues with Secure phone connectivity in Cisco Jabber client after you upgrade the CUCM. Please note the below section in the defect notes.

"For Phones there are no current phone models that need the CallManager-ECDSA certificate. We have moved ahead to place these certificates in a new ITL File which can be retrieved from HTTPS configuration download, but since the phone development has not yet happen there is not a workaround for the phones.

Jabber clients will need to have their CallManager-ECDSA certificates can be signed by external CAs. Then that CA must be present in the Jabber OS certificate trust store. Another solution would be to put the CallManager-ECDSA certificate in the system trust store."

In case you have a Cisco Jabber deployment along with the CUCM, you may need to keep this info in mind.

Please let me know if you have any additional questions.

HTH

Regards

Nirmal Issac

sathishkumar.rajendran · ‎05-25-2016

I heard that Cucm new release has secure tftp functionality. Is it true? How do we enable it? Which certificates are needed?

Nirmal Issac · ‎05-27-2016

Hi Sathish,

Thank you for the question. End points can request for the files in CUCM TFTP over HTTP (eg Cisco Jabber client) and this is not secure.

The new feature is not exactly secure TFTP, but the CUCM 11 allows the client to create connection over secure port 6972 over HTTPS. This facilitates secure download of the files from CUCM TFTP over HTTPS.

Please refer page 53 in the below link.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_0_1/secugd/CUCM_BK_C1A78C1D_00_cucm-security-guide-1101.pdf

From now on, any change in CUCM cert will require the deactivation and re-activation of TFTP service.

Please let me know if you have any questions.

regards

Nirmal Issac

Ask the Expert: Implementation and Monitoring Security in Cisco Unified Communications Manager (CUCM)