The release of UCM version 8.x introduced the concept of Security by Default (SBD) in order to increase the protection level of a number of key elements within the UCM environment. The following document provides exceptional detail on how to plan and manage SBD:
However here are some key considerations as part of the impact of SBD, SBD includes some basic measures to address some historical mechanisms that inherently use unsecured communications methods, or provide a level of exposure that mitigation increases the UCM protection level, such as:
- Phone URL's (i.e. directory, services and authentication)
- Phone built-in web server
- Signed TFTP configuration files
- Managing ITL Files
Phone URL's (i.e. directory, services and authentication)
SBD introduces secure versions of the existing directory, services, authentication URL etc, the secure version of the URL is intended to use HTTPS transport. However in order manage/accept HTTPS certificates, the phone uses the Trust Verification Service (TVS) within the cluster in order to validate these on it's behalf due to the memory and performance limitations of the phone.
Phone built-in web server
Some existing applications may fail to work, for example most applications that gathers the phone serial number are dependant on parsing this information from http://[Phone IP Address]/DeviceInformationX. This information is no longer accessible, therefore a bulk update (or amendment to the common phone settings) to enable the web server in order to perform these kinds of operations.
Signed TFTP configuration files
As part of SBD, the phone will now only accept signed configuration files, if there is a problem with the signature of the config file it is no longer possible to change the phone configuration. This does not necessarily affect the registration of the phone with the cluster, however it can prevent pushing configuration changes to the phone until the config file can be trusted again.
Managing ITL Files
The key element that underpins the above in order for the existing mechanisms to continue to work, but in a more secure mannor is the ITL (Initial Trust List) file on the IP Phone. The ITL file is used to validate communications with the cluster while having minimum impact on the phones resources and performance. Managing ITL files and ensuring that the cluster certificates match is essential for normal operation, if this fails then one or more of the above will be affected.
There are a number of key steps that need to be taken to manage the server side certificates to ensure that the phones ITL file is valid and can trust the UCM cluster elements accordingly, however a number of situations can cause problems with maintaining that harmony and in some situations it may be necessary, or desirable to delete the ITL file from the phone. A common, but sometimes less favourable method of deleting the ITL file, is requesting the end users to perform the necessary steps, but this does have a number of drawbacks. However the remote deletion of the ITL file can be the most effective method, especially if it is necessary to perform the deletion more than once (i.e. with a subsequent migration of hardware to UCS).
Currently the only way to perform a remote deletion of ITL files in all situations is PhoneView from http://www.unifiedfx.com. As the ITL file is a phone local element that cannot be managed centrally from UCM, the introduction of SBD implies a new need to manage the relevant certificates on the UCM cluster and the ITL file on the phone, therefore additional planning and consideration is required for any project involving an upgrade to UCM 8 or above or the migration to the UCS server platform.
Note: It is impossible to remotely manage the ITL file if the phone's settings access is set to "Restricted" or "Disabled" prior to the upgrade, a factory reset is the only way to remove the ITL file in that situation. Therefore consideration should be given to re-enabling settings access before an upgrade, so that if the deletion of the phones ITL file is required at least this can be performed remotely and the settings access level can be re-appliedafter confirmation that all phones ITL files are in sync with the relevant cluster elements, in particular that it is possible to change the phones configuration.
UPDATE: PhoneView Version 2 is the only software that can delete the ITL file from a phone without using the phones web server (i.e. when the phone URLs are not working/updating correctly), emai firstname.lastname@example.org if you require access to the beta version.