Automated Secure CME Configuration Script

I wrote a TCL script to completely automate the secure CME configuration.  The configuration of secure CME is quite complex, requiring around 60 lines of configuration.  This should alleviate the current pain points with the secure CME configuration.


Purpose

The configuration of secure CME is quite intensive, and there are several commands which must be configured in a specific sequence, some of which won't even show up in the final configuration.  The purpose of this script is to remove that burden from customers by completely automating the entire secure CME configuration procedure.

Requirements

  • A CME device with phones registered to it.
  • CME running a feature set that supports secure CME.
  • CME currently has no secure CME configuration present before running script (no IOS CA, and no trust points named ca, cme, or sast2).
  • Phones do not currently have a CTL or LSC loaded before running script.
  • Script has not been previously run on this box.  Partial/existing configuration of trustpoints/CA will likely cause issues.

Caveats

Some firmware versions have issues pulling LSCs.  See the README for more information, but I'd be interested if you come across non-working firmware versions so that I can document accordingly.

The script does very limited error checking.  Read the documentation before running it so that you understand its correct operation before executing.


Procedure

1. Copy securecme.tcl to router.

2. Configure the following parameters:

conf t

event manager directory user policy "flash:/"

event manager policy securecme.tcl

event manager environment password <password key for CA/certs>

event manager session cli username <aaa-username>

======> Password key must be 8+ characters and meet password requirements of IOS CA.

======> The last line is only necessary if AAA is running.  Specify a user with rights

         to run show commands.  A password does not need to be specified for the user.

Sample Configuration:

event manager directory user policy "flash:/"

event manager policy securecme.tcl

event manager environment password cisco123

event manager session cli username sholl

3. Ensure that time is correct on the router and phones:

  • Router clock is set properly before executing script; verify with 'sh clock'
  • Router clock timezone is set properly before executing script; verify with 'sh run | i timezone'
  • CME Time-zone is set properly before executing script; verify with 'sh telephony-s | i time'

4. Ensure that ip domain-name has been defined.

5. Ensure that phones do not have a CTL or LSC already installed.  If so, factory reset those phones before running script.

6. Ensure that each phone is running recent firmware and has the 'type' defined under the ephone.  Some firmware has issues with LSC provisioning.  See the README for more information on this.

7. Save configuration before running script.  If script's secure CME provisioning is unsuccessful, simply reload the router (and delete the CTL files off each phone, if applicable).

8. Type 'securecme' in exec mode to run the script.

9. Observe the output with 'sh log | i ---'.  System-wide messages will print at the start and finish of the script.

10. If provisioning is not successful and the script needs to be re-run, reload the router before re-running to clear out partially provisioned security settings.  Clear the CTL/LSC from the phones (if applicable).


Assumptions Made

  • CME is already configured, and phones are registered unencrypted. Ensure phones are configured with the 'type' command under each ephone.
  • Router is running a feature set which supports Secure CME (securityk9+uck9 or advipservicesk9 or adventerprisek9)
  • Router may need to have a UC and security feature license activated:
    • CUBE2(config)#license boot module c3900e technology-package ?
      • datak9      data technology
      • securityk9  security technology
      • uck9        unified communications technology
    • CUBE2(config)#license accept end user agreement ?
  • Router clock is set properly before executing script; verify with 'sh clock'
  • Router clock timezone is set properly before executing script; verify with 'sh run | i timezone'
  • CME Time-zone is set properly before executing script; verify with 'sh telephony-s | i time'
  • 'password' is defined in the EEM configuration as an 8+ character password and meets the specifications of IOS CA requirements.
  • Script has not been previously run on this device (previous partial configuration of CA, trustpoints, CTL, etc. will probably create conflicts.)
  • The device is currently not configured with IOS CA, nor with a self-signed certificate (i.e., run this on a clean, normal, non-secure CME configuration).
  • Phones do not currently have a CTL or LSC on them before running the script.  Factory reset the phone if you are unsure of the presence of such.  (Hold #, plug in cable, wait for lights to blink, hit 123456789*0#).
  • Phones are running recent firmware.  Testing of script was successful on 15.2(2)T with multiple phone models, running 9.1.1SR1 (newer phones) and 8.1.2 (7960).
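Most of the prerequisites listed under Procedure and Assumptions Made can be checked mechanically from a saved 'show running-config' before the script is run. The Python script below is an added example, not part of the securecme.tcl package: it parses the config text and reports the violations that are visible in configuration alone (the CTL/LSC state of the phones and the actual clock value still have to be checked on the devices). The sample config is constructed for illustration.

```python
import re

# Constructed 'show running-config' excerpt (not from the post); it deliberately
# contains two violations: a self-signed trustpoint and an ephone without 'type'.
SAMPLE_RUNNING_CONFIG = """\
ip domain-name lab.example.com
clock timezone EST -5 0
event manager directory user policy "flash:/"
event manager policy securecme.tcl
event manager environment password cisco123
event manager session cli username sholl
crypto pki trustpoint TP-self-signed-123
 enrollment selfsigned
telephony-service
 time-zone 12
ephone 1
 mac-address 0011.2233.4455
 type 7965
ephone 2
 mac-address 0011.2233.4466
"""

# Trustpoint names the script creates itself; the post says they must not pre-exist.
RESERVED_TRUSTPOINTS = {"ca", "cme", "sast2"}

def sections(config):
    """Yield (header, sub-lines) for each top-level block of an IOS running-config."""
    header, body = None, []
    for line in config.splitlines():
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = line.strip(), []
    if header is not None:
        yield header, body

def preflight(config):
    """Return the prerequisite violations found in the config text (empty list = go)."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("ip domain-name is not defined")
    if not re.search(r"^clock timezone \S+", config, re.M):
        findings.append("router clock timezone is not set")
    m = re.search(r"^event manager environment password (\S+)", config, re.M)
    if m is None:
        findings.append("EEM environment variable 'password' is missing")
    elif len(m.group(1)) < 8:
        findings.append("password key is shorter than 8 characters")
    if re.search(r"^crypto pki server ", config, re.M):
        findings.append("an IOS CA (crypto pki server) already exists")
    for header, body in sections(config):
        if header.startswith("crypto pki trustpoint "):
            name = header.split()[3]
            if name.lower() in RESERVED_TRUSTPOINTS:
                findings.append("trustpoint '%s' already exists" % name)
            elif any(b == "enrollment selfsigned" for b in body):
                findings.append("self-signed certificate trustpoint '%s' present" % name)
        elif header == "telephony-service" and not any(b.startswith("time-zone ") for b in body):
            findings.append("CME time-zone is not set under telephony-service")
        elif header.startswith("ephone ") and not any(b.startswith("type ") for b in body):
            findings.append("%s has no 'type' configured" % header)
    return findings
```

Run it against your own 'show run' output (for example, `preflight(open("show-run.txt").read())`) and fix every finding before typing 'securecme'.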

Downloading the script

See the securecmeTCL.zip file attached to the bottom of this post.

The current version is v1.4 - 1/13/2011.


Troubleshooting

Please read the README and the TCL header before running the script to avoid incorrect operation.


The logging buffer shows the current status of the script.  Run 'debug event manager all' during script operation for details on what the script is doing.

If you run into issues with the script that you would like me to look at, I will need the following information:

  1. Output of the following before running the script:
    1. sh run
    2. sh ephone ph
    3. sh clock
  2. 'debug event manager all' enabled before running the script, with 'logging buffered 10000000 7' set.
  3. Output of the following after the script is run:
    1. sh log
    2. sh run
    3. sh capf-server sum
    4. sh ctl-client
    5. sh telephony-service tftp
    6. sh ephone reg

Comments

WoW !!! Great !!!

I'm having problems with a customer's Secure CME; this script will be very useful. I will test and post the results here ASAP.

Thank you Steven.

Very good documentation....

Steven, Thanks for sharing.. Very useful !

Hi Steven,

I performed a test in my environment and this TCL worked fine!!! .... God bless you!!!!!!!

Here is my lab:

2901 with uc+k9 license

7961 : 9-2-3S

7975 : 9-0-2S

One last doubt:

What steps do I need to do to add a new IP Phone in this environment with crypto enabled?

Can you help us a little bit more?

Thank you very much!!!

Cisco Employee

Leonardo: Glad the script worked for you.

To add another phone, you will need to manually configure the ephone, configure it for 'device-security-mode none,' and let the phone register unencrypted.  The phone should have a CTL file at this point.  Once the phone is registered, add 'cert-oper upgrade null-string' to the ephone, and reset the ephone again.  It should reboot, query for the LSC from CAPF, and then register again, with a LSC (still unencrypted phone at this point).  Now, set 'device-security-mode encrypted' and reset a final time, and the phone will be encrypted.

Technically you should be able to combine the 'cert-oper upgrade' and 'device-security-mode encrypted' commands into a single step, and it will pull the LSC from the bootloader before it registers, but I prefer to split it up for troubleshooting's sake so that I know which step is having issues if the phone doesn't register.

Hi Steven,

Worked perfectly .... thank you !!!

Congratulations for this work.

Community Member

Steven,

Thanks for the script; this saved us for an install we had to do. You don't know how long we worked at getting the certs to work with the phones. I plan on running this script again for another installation. Right now I have everything set up, but wanted to know: if I run this script successfully but need to upgrade my flash on the router, do you believe this will cause any problems, and what should I look for to move any files that were saved to flash for secure CME?

Community Member

Hi Steven,

I used your script and was successful with the encryption of pre-registered IP phones (7962 and 7972). But when I was adding a new IP phone (7942 and 7960) after running the script, following your comment to Leonardo, it was not successful: the initial boot didn't get the CTL file, and on the second boot the LSC is not installed. Am I missing something?

Community Member

Hi, I'm hoping the author of this is still around.

I had a go at running your script and it seems the only phone that works with this is my 7921. I also have a 7912, 7941 and a 7970, for which I get the following output from debug ephone reg:

Apr 27 04:34:46.937: ephone-1[0/3][SEP0024C4FE1617]:SEP0024C4FE1617: Registering Device (security 0) Mismatch the ephone configuration (mode 3) the CME: reject registration

Apr 27 04:34:46.937: Skinny register (phones=3/4/21) REJECT from IP 10.0.4.103

and on the phone itself it says:

Registration Rejected: Max Phones Exceeded.

The phones are using firmware version 9-1-1TH1-16

I'm hoping when you mentioned version 'adventerprisek9' you are not referring to the CUCME version 9.0+, as I am running 8.6 on a 2801.

The IOS version is: c2801-adventerprisek9-mz.151-4.M4

If you need further information let me know.

Thanks!

Cisco Employee

adventerprisek9 is the feature set, and doesn't refer to a version.

I tested this on multiple phone types in my lab when I wrote the script.  I'd suggest that you look at these debugs during run of the script:

debug ephone register

debug tftp events

debug event manager all

That should show you what is occurring and why there is a deviation in behavior between phone models.

Based on the error it sounds like the phones never got the secure config and are trying to register unsecurely.  Is there a signed config in the phone?  Since a phone is working, the config is likely right; try these steps to get one of the other phones registered:

1. Factory reset the phone.

2. Manually configure the ephone in CME; configure it for 'device-security-mode none,' and let the phone register unencrypted.  The phone should have a CTL file at this point.

3. Once the phone is registered, add 'cert-oper upgrade null-string' to the ephone, and reset the ephone again.  It should reboot, query for the LSC from CAPF, and then register again, with a LSC (still unencrypted phone at this point).

4. Now, set 'device-security-mode encrypted' and reset a final time, and the phone will be encrypted.

I'm not in a position at this point in time to help with troubleshooting your issue and/or if there is a problem with the script, but if anyone does find an error and would like me to update the script with a correction, I'd be glad to do so.

Community Member

On the 7970, under Security Configuration it states both MIC and LSC are installed; under Trust List, it has the CTL file, ITL File not installed. Here is the debug output:

thor(config-ephone)#rest

restarting 0024.C4FE.1617

thor(config-ephone)#

Apr 29 09:08:22.335: cli_history_entry_add: free_hist_list size=0, hist_list size=7

Apr 29 09:08:22.335: check_eem_cli_policy_handler: command_string=device-security-mode encrypted

Apr 29 09:08:22.335: check_eem_cli_policy_handler: num_matches = 0, response_code = 1

Apr 29 09:08:23.471: cli_history_entry_add: free_hist_list size=0, hist_list size=7

Apr 29 09:08:23.471: check_eem_cli_policy_handler: command_string=restart

Apr 29 09:08:23.471: check_eem_cli_policy_handler: num_matches = 0, response_code = 1

Apr 29 09:08:23.787: ephone-1[0/2][SEP0024C4FE1617]:Reset sent to phone on socket [2]

Apr 29 09:08:23.787: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.787: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.787: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.787: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.927: ephone-1[0/2]:UnregisterMessage after Reset/Restart sent

Apr 29 09:08:23.931: ephone-1[0/2][SEP0024C4FE1617]:Phone Unregistered on socket [2] SEP0024C4FE1617

Apr 29 09:08:23.931: ephone-1[0/2]:UnregisterAck sent on socket [2] (3/4/21)

Apr 29 09:08:23.931: %IPPHONE-6-UNREGISTER_NORMAL: ephone-1:SEP0024C4FE1617 IP:10.0.4.103 Socket:2 DeviceType:Phone has unregistered normally.

Apr 29 09:08:23.931: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.931: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.931: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.931: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.931: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.931: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.931: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.931: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.931: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.931: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:23.931: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:23.931: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:24.435: TFTP: Looking for CTLSEP0024C4FE1617.tlv

Apr 29 09:08:24.435: TFTP: Opened flash:/CTLFile.tlv, fd 0, size 1935 for process 84

Apr 29 09:08:24.439: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:24.439: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:24.439: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:24.439: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:24.447: TFTP: Finished flash:/CTLFile.tlv, time 00:00:00 for process 84

Apr 29 09:08:24.451: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:24.451: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:24.579: TFTP: Looking for ITLSEP0024C4FE1617.tlv

Apr 29 09:08:24.579: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:24.579: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:24.711: ND Update CDP Notification Event for rogue.home on Fa0/0

Apr 29 09:08:24.711: fh_fd_nd_event_match: num_matches = 0

Apr 29 09:08:24.723: TFTP: Looking for ITLFile.tlv

Apr 29 09:08:24.723: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:24.723: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:25.135: TFTP: Looking for SEP0024C4FE1617.cnf.xml

Apr 29 09:08:25.335: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:25.335: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:25.907: fh_server: fh_io_msg: received msg FH_MSG_SYS_REQINFO from client 2 pclient 2

Apr 29 09:08:25.911: EEM Inside fh_policy_proc()

Apr 29 09:08:25.911: TFTP: Opened system:/its/vrf1/SEP0024C4FE1617.cnf.xml, fd 0, size 1788 for process 84

Apr 29 09:08:25.915: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:25.915: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:25.919: TFTP: Finished system:/its/vrf1/SEP0024C4FE1617.cnf.xml, time 00:00:00 for process 84

Apr 29 09:08:25.923: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:25.923: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:28.594: TFTP: Looking for English_United_States/td-sccp.jar

Apr 29 09:08:28.598: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:28.598: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:29.430: TFTP: Looking for United_States/g3-tones.xml

Apr 29 09:08:29.430: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:29.430: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:30.150: New Skinny socket accepted [2] from 0, sub 1 (4 active)

Apr 29 09:08:30.150: sin_family 2, sin_port 53132, in_addr 10.0.4.103

Apr 29 09:08:30.150: skinny_add_socket 2 10.0.4.103 53132

Apr 29 09:08:30.154: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:30.154: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:30.154: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:30.154: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:30.154: fh_fd_syslog_event_match: num_matches = 0

Apr 29 09:08:30.154: fh_fd_data_syslog: num_matches = 0

Apr 29 09:08:30.514: ephone-(1)[3] StationRegisterMessage (3/4/21) from 10.0.4.103

Apr 29 09:08:30.514: ephone-(1)[3] Register StationIdentifier DeviceName SEP0024C4FE1617

Apr 29 09:08:30.514: ephone-(1)[3] StationIdentifier Instance 0    deviceType 30006

Apr 29 09:08:30.514: fSkinnyStationRegister deviceType 30006 protocolVer = 0x85720014

Apr 29 09:08:30.514: StationJoinAndDirectTransferFeatureSupportMask set disable

Apr 29 09:08:30.514: StationDisableJoinOnTheSameLineFeatureMask set enable

Apr 29 09:08:30.514: StationDisableJoinAcrossLineFeatureMask set enable

Apr 29 09:08:30.514: StationDisableDirectTransferOnTheSameLineFeatureMask set enable

Apr 29 09:08:30.514: StationDisableDirectTransferAcrossLineFeatureMask set enable

Apr 29 09:08:30.514: ephone-1[0/2][SEP0024C4FE1617]:stationIpAddr 10.0.4.103

Apr 29 09:08:30.514: ephone-1[0/2][SEP0024C4FE1617]:stationIpv6Addr ::

Apr 29 09:08:30.514: ephone-1[0/2][SEP0024C4FE1617]:maxStreams 5

Apr 29 09:08:30.514: ephone-1[0/2][SEP0024C4FE1617]:From Phone raw protocol Ver 0x85720014

Apr 29 09:08:30.514: ephone-1[0/2][SEP0024C4FE1617]:protocol Ver 0x85720014

Apr 29 09:08:30.514: ephone-1[0/2][SEP0024C4FE1617]:phone-size 36128 dn-size 1008

Apr 29 09:08:30.518: ephone-(1) Allow any Skinny Server IP address 10.0.4.5

Apr 29 09:08:30.518: ephone-1[0/2][SEP0024C4FE1617]:SEP0024C4FE1617: Registering Device (security 0) Mismatch the ephone configuration (mode 3) the CME: reject registration

Apr 29 09:08:30.518: Skinny register (phones=3/4/21) REJECT from IP 10.0.4.103

Bronze

Hi

If we encrypt the data and voice, will we be able to capture and see the packets for investigation, in case there is a need, using something like Wireshark?

Thanks

Community Member

Hi Steven,

You really helped us. We had a limited amount of time for setup, but your brilliant work resolved all our questions. We experienced some problems with 7960 phones, but after a few attempts all was working fine.

Community Member

Hi Steven,

Thank you for the documentation, this is very helpful, but I have a question before running the script.

Are these steps compatible with Cisco IP Communicator?

Thanks a lot

Community Member

Thanks Steven!

It works perfectly for me!

God bless you!

Community Member

Hello,

After running the script, does anybody have the same issue?

TFTP: Looking for CTLSEP0024142EEEBE.tlv

Opened flash:/CTLFile.tlv, fd 0, size 3774 for process 107

Finished flash:/CTLFile.tlv, time 00:00:00 for process 107

Looking for ITLSEP0024142EEEBE.tlv

Looking for ITLFile.tlv

Looking for SEP0024142EEEBE.cnf.xml.sgn

Opened flash:/its/vrf1/SEP0024142EEEBE.cnf.xml.sgn, fd 0, size 1570 for process 107

Finished flash:/its/vrf1/SEP0024142EEEBE.cnf.xml.sgn, time 00:00:00 for process 107

Looking for English_United_States/mk-sccp.jar.sgn

Looking for United_States/g3-tones.xml.sgn

New Skinny socket accepted [2] from 1, sub 1 (0 active)

sin_family 2, sin_port 51949, in_addr 192.168.155.101

add_skinny_secure_socket: pid =107, new_sock=0, ip address = 192.168.155.101

skinny_secure_handshake: pid =107, sock=0, args->pid=107, ip address = 192.168.155.101

Start TLS Handshake 0 192.168.155.101 51949

TLS Handshake retcode OPSSLReadWouldBlockErr

TLS Handshake retcode OPSSLReadWouldBlockErr

TLS Handshake retcode OPSSLReadWouldBlockErr

TLS Handshake retcode OPSSLReadWouldBlockErr

TLS Handshake error -6992

TLS context configuration FAILED for 0 192.168.155.101 51949

PS: I used other versions of CME, such as 4.1, 7.1, 8.6 on 2800 series routers with phones 7940, 7941, 7945 with different firmware 8-3-3, 8-3-5, 9-2-3, 9-3-1.

Thanks
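Two failure signatures are quoted in this thread: the 'Registering Device (security 0) Mismatch the ephone configuration (mode 3)' rejection in the debug ephone reg output posted above, and the 'TLS context configuration FAILED' handshake failure in this post. The Python script below is an added example (not a Cisco tool) that picks both out of a saved debug log so they are not lost among the fh_fd_syslog_event_match noise; the sample lines are constructed from the values quoted in the thread, and the remediation text restates the manual re-provisioning steps and show commands given earlier in the thread.

```python
import re

# Constructed sample in the style of the 'debug ephone register' / 'debug tftp events'
# output quoted in this thread; the MAC, IPs and error code are the ones posted above.
SAMPLE_DEBUG = """\
Apr 29 09:08:24.435: TFTP: Looking for CTLSEP0024C4FE1617.tlv
Apr 29 09:08:24.435: TFTP: Opened flash:/CTLFile.tlv, fd 0, size 1935 for process 84
Apr 29 09:08:30.518: ephone-1[0/2][SEP0024C4FE1617]:SEP0024C4FE1617: Registering Device (security 0) Mismatch the ephone configuration (mode 3) the CME: reject registration
Apr 29 09:08:30.518: Skinny register (phones=3/4/21) REJECT from IP 10.0.4.103
Start TLS Handshake 0 192.168.155.101 51949
TLS Handshake retcode OPSSLReadWouldBlockErr
TLS Handshake error -6992
TLS context configuration FAILED for 0 192.168.155.101 51949
"""

MISMATCH_RE = re.compile(r"\[(SEP[0-9A-F]{12})\].*Registering Device \(security (\d+)\) "
                         r"Mismatch the ephone configuration \(mode (\d+)\)")
REJECT_RE = re.compile(r"Skinny register .* REJECT from IP (\d+\.\d+\.\d+\.\d+)")
TLS_ERR_RE = re.compile(r"TLS Handshake error (-?\d+)")
TLS_FAIL_RE = re.compile(r"TLS context configuration FAILED for \d+ (\d+\.\d+\.\d+\.\d+) (\d+)")

# Remediation text follows the re-provisioning steps and show commands given in the
# thread (reading 'security 0' as an unsecured registration, as Steven does above).
MISMATCH_ADVICE = ("phone offered an unsecured registration while the ephone requires a secure "
                   "mode: factory reset, register with 'device-security-mode none', add "
                   "'cert-oper upgrade null-string' and reset, then set 'device-security-mode encrypted'")
TLS_ADVICE = ("TLS handshake with the phone failed: check 'sh ctl-client', 'sh capf-server sum' "
              "and that router, CME and phone clocks agree")

def triage(debug_text):
    """Classify registration failures in debug output; returns one dict per failure."""
    findings = []
    last_tls_error = None
    for line in debug_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            mac, phone_sec, ephone_mode = m.groups()
            findings.append({"kind": "security-mismatch", "phone": mac,
                             "phone_security": int(phone_sec), "ephone_mode": int(ephone_mode),
                             "advice": MISMATCH_ADVICE})
            continue
        m = REJECT_RE.search(line)
        if m and findings and findings[-1]["kind"] == "security-mismatch":
            findings[-1]["ip"] = m.group(1)   # attach the rejected peer address
            continue
        m = TLS_ERR_RE.search(line)
        if m:
            last_tls_error = int(m.group(1))  # remembered until the FAILED line arrives
            continue
        m = TLS_FAIL_RE.search(line)
        if m:
            findings.append({"kind": "tls-handshake-failed", "peer": m.group(1),
                             "port": int(m.group(2)), "error": last_tls_error,
                             "advice": TLS_ADVICE})
            last_tls_error = None
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_DEBUG):
        print(f["kind"], f)
```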

Community Member

beastyellow, did you get success with it?

I am also facing the same problem: no CTL file is generated for the phone, and it never installs the CTL.

Community Member

Good day,  

I tried the script and it works fine for the primary CME, but today when the router failed and restarted, the phone did not register at the secondary CME as it did before. I tried to install the same script at the secondary router, but got the same result.

Do you have any suggestion?

Thank you 

Cisco Employee

Marwan, I never built in support for a secondary CME server--it only looks for and grabs the primary CME IP.  It's been a while since I've looked at this script, but I think you may just need to get the secondary CME IP in the CTL file for it to work with a secondary server.  Try editing Step 6a in the script to include the commands to list a secondary hardcoded cme & tftp server IP and see how it fares.

Community Member

Thanks for your suggestion, but frankly it also fails to register on the secondary CME.

Anyway, your script is perfect. I hope you have more good scripts like this to share with us,

mainly if you have tried a script to limit call duration on CME before.

Thank you, best regards
