
Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

With Akhil Behl

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Unified Communications Manager Certificates. 

Cisco Unified Communications Manager is the heart of any Cisco Collaboration network. It provides vital services such as call control, dial plan and, most important, a central point of integration for various UC and third-party applications. Cisco Unified Communications Manager comes with a host of security features, almost all of which are based on certificates and Public Key Infrastructure (PKI). Although certificates enable anyone from an engineer to a network manager to an information security consultant to deploy security features for a Cisco Collaboration network, many of the certificates and their functions still need to be understood and managed properly to achieve a truly secure voice network.

This is a continuation of the live webcast.

Akhil Behl is a solutions architect with Cisco Services, focusing on Cisco Collaboration and Security architectures. He leads collaboration and security projects and service delivery worldwide for Cisco Services and the Collaborative Professional Services (CPS) portfolio. He has played a major role in service conception and creation for various services within Cisco Advanced Services. He has presales to sales to Professional Services to delivery to post sales experience with expertise in consulting, advisory, and guidance services. He has extensive experience in borderless, collaboration, and data center portfolios. Prior to his current role, he spent 10 years working in various roles at Linksys as a technical support lead, as an escalation engineer at the Cisco Technical Assistance Center (TAC), and as a network consulting engineer in Cisco Advanced Services.  

Akhil has a bachelor of technology degree in electronics and telecommunications from IP University and a master's degree in business administration from Symbiosis Institute. He is dual Cisco Certified Internetwork Expert CCIE 19564 in voice and security. He also holds many other industry certifications, such as PMP, ITIL, VCP, ISM, CCNA, CCSP, CCVP, ISO/IEC 27002, TOGAF, and CEH.  

Over the course of his career, Akhil has presented and contributed at various industry forums such as Enterprise Connect, Cloud Connect, Cloud Summit, Interop, Cisco Networkers, and SecCon. He has several research papers published in various national and international journals, including IEEE. He is an avid blogger and maintains a blog about unified communications security at Aashish Jolly

Aashish Jolly

Aashish Jolly is a network consulting engineer who is currently serving as the Unified Communications (UC) consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center, where he helped customers and Cisco partners with installing, configuring, and troubleshooting UC products such as Cisco UC Manager and Manager Express, Cisco Unity solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco UC for more than seven years. He holds a bachelor of technology degree as well as CCIE (Voice) #18500, CCNP Voice, CCNA, VCP 5 and RHCE certifications.

Remember to use the rating system to let Akhil and Aashish know if you have received an adequate response. 

Akhil and Aashish might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in the Collaboration, Voice and Video sub-community, IP Telephony discussion forum shortly after the event. This event lasts through January 17, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

Webcast related links:


Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Hello Akhil and Aashish,

Here are some of the questions that came in directly during your live webcast presentation; can you provide answers for these?

-How do I differentiate when using Tomcat for LDAP or HTTPS?

-How can I differentiate between a root CA and identity certificate by looking at certificate?

-How many eTokens can I use to secure my CUCM cluster?

-Do I need to regenerate all certificates when I upgrade my cluster on same or different hardware?

Thanks!


Re: Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Hello,

Please find the answers to these questions as follows:

Q. How do I differentiate when using Tomcat for LDAP or HTTPS?

A. Tomcat certificates can be used for HTTPS as well as for LDAP security. The major difference is that, when signed for HTTPS only, Tomcat will be signed by the CA using the web server certificate template, whereas for LDAP it has to be signed by the CA using the server template. In the case of Tomcat, the request is redirected from HTTP to HTTPS, i.e. TCP 80 > 8443, and for LDAP it works by redirecting from 389 (LDAP) to 636 (standalone AD) or 3269 (DC) LDAPS.

Q. How can I differentiate between a root CA and identity certificate by looking at certificate?

A. It is the CN of a certificate that can help distinguish between a CA root and an identity certificate. A CA root certificate will have the same CN for the issuer and the subject name, whereas an identity certificate will have different CNs for the issuer (CA) and the subject name.

Q. How many eTokens can I use to secure my CUCM cluster?

A. Although there is no fixed maximum number of eTokens that can be used for securing a cluster, a minimum of two eTokens is required and any number of eTokens can be used (ideally between 4 and 10) for redundancy.

Q. Do I need to regenerate all certificates when I upgrade my cluster on same or different hardware?

A. No, you need not regenerate all certificates when upgrading a cluster from one version to another on the same or different hardware, as the DRS backup contains all certificates and keys. However, due to any hostname or certificate-impacting field change (any of the certificate parameters) or a bug, it may be required to regenerate the certificate that is self-signed and self-generated on CUCM, or to get a new signed certificate from the CA.

Regards,

Akhil Behl
Solutions Architect

Cisco Systems


Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

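The "root vs. identity" test described in the answer above (issuer name equal to subject name) can be automated; the block below is an added example, not code from the thread or from Cisco, that walks the DER structure of a certificate with a minimal TLV reader and compares the two names. It also builds two small constructed certificates inline (placeholder serial, validity and empty key; no signature is verified) so it runs offline, but real PEM-decoded certificates from a CUCM trust store parse the same way.

```python
# Minimal DER (TLV) helpers: enough to walk Certificate -> TBSCertificate -> Name.
CN_OID = bytes.fromhex("550403")  # 2.5.4.3 commonName

def tlv(tag, body):
    """Encode one DER TLV (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, body, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """All (tag, body) pairs directly inside a constructed body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here just a CN."""
    rdn = tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, rdn))

def cert(issuer_cn, subject_cn):
    """Constructed sample certificate; only the two names matter here."""
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                       # [0] version v3
              + tlv(0x02, b"\x01")                                # serial placeholder
              + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
              + name(issuer_cn)
              + tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, b"150101000000Z"))
              + name(subject_cn)
              + tlv(0x30, b""))                                   # empty SPKI placeholder
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def cn_of(name_body):
    """Extract the commonName value from a decoded Name body."""
    for _, rdn_set in children(name_body):
        for _, attr in children(rdn_set):
            oid, val = children(attr)
            if oid[1] == CN_OID:
                return val[1].decode()
    return None

def classify(cert_der):
    """Return (kind, issuer_cn, subject_cn); kind is 'root' if issuer == subject."""
    _, body, _ = read_tlv(cert_der, 0)
    fields = children(children(body)[0][1])          # TBSCertificate fields
    off = 1 if fields[0][0] == 0xA0 else 0           # explicit [0] version is optional
    issuer, subject = fields[2 + off][1], fields[4 + off][1]
    kind = "root" if issuer == subject else "identity"
    return kind, cn_of(issuer), cn_of(subject)
```

Comparing the whole encoded Name, as `classify` does, is stricter than comparing the CN alone. A self-issued certificate is not automatically a CA, so a production check should also read the basicConstraints extension, which this minimal walker does not parse.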

Re: Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

By default, CallManagers automatically exchange their Tomcat certificates.

When using an external CA for signing Tomcat certificates, is there any need to keep these automatically exchanged certificates? After all, they've all been signed by the same CA whose public key you've already imported into the Tomcat-trust store.

Please rate all helpful posts.

Re: Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Hello Gordon,

I would appreciate it if you could expand on your question, as it will help us to answer it better.

From what I could understand, your question is if CUCM exchanges Tomcat certificates within a cluster and if redundant (self-signed) certificates can be deleted in case a user wishes to use externally signed certificates.

If that was your query, the answer is twofold. CUCM servers do not replicate Tomcat certificates within a cluster, as each server is installed with its unique hostname/FQDN that is used to generate the self-signed certificate, and it would be meaningless to have a certificate with a different CN replicated to a node that is not going to use that hostname/FQDN.

For the latter part, the answer is yes, you can delete any (currently) unused certificates and leverage only the intended CA-signed certificate for Tomcat. In fact, CUCM overwrites the Tomcat identity certificate with the CA-signed identity certificate, although you can end up with as many Tomcat-trust certificates as CA (root) certificates you upload.

Regards,


Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953


Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Apart from the Tomcat certs, is there any benefit to using externally signed certs for any of the other certificates in CUCM?


Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Hi Gordon,

It actually depends on the security policy of an organization. With an external CA, the only benefit that I see is that you don't need to install root certs in every machine's trust store, as most machines would already have them.

HTH,

Aashish


Re: Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Hello Gordon,

To add to what Aashish mentioned, having an external CA sign certificates on CUCM has the following advantages:

- Certificate revocation using OCSP is centralized, as all certificates are rooted from the same CA

- CA-signed certificates come with a fixed lifetime (as defined by the CA authority); hence, having all certificates signed by the same CA helps maintain sanity in terms of certificate lifetime

Hope this answers your query.

Regards,

Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953


Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Hi guys,

thanks for the opportunity to ask questions. I'm really new to this (security around IP Telephony), even though I have tried to dig deeper into it in the past. I'd like to start with some kind of lab where I'll be able to test things. So, will I be able to use Microsoft Server (2003 or 2008 or 2012) as the CA (not aware if Cisco has one), CUCM 9.1 with demo licenses, and IP Communicators as client phones to test basic signaling and/or media encryption? Can you briefly explain what the steps to demonstrate a secure environment will be? For example, is it something like this: install the CA, request certificate signing from CUCM, request certificate signing from the IP phones, upload the signed certificates to CUCM and the phones, configure secure calls on CUCM, make calls and use Wireshark to prove that signaling/media messages can't be captured?

Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

To secure calls, you need to use Security Tokens:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/csa_token_ids/sec_tkn.html

GTG


Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Thanks Gordon,

I appreciate your reply. While we are still waiting for a reply from Akhil and Aashish, can you please explain why it is not possible to configure encrypted calls without Security Tokens? The link you provided specifies version 7.1.5 as the minimum CUCM version for Security Tokens; how was it configured before that version? I'm trying to figure out if Security Tokens are mandatory parts or just nice-to-have/recommended.

Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Yes, the experts have been noticeable by their absence ;-)

The security token has been required since at least CUCM 6 for encrypted calls, and is still required for CUCM 9.

I haven't looked at the whole call security thing for a while, but I seem to remember that there are multiple components of encrypted calls in CUCM:

- Phone signalling & media

- CUCM <> CUCM

- Gateway signalling & media.

I believe the tokens handle the phone side. A quick google reveals these two starter pages:

http://blinkenzomg.wordpress.com/2013/06/18/encrypting-ciscos-unified-communications-manager/

http://www.netcraftsmen.net/blogs/entry/configuring-calling-encryption-between-cisco-ip-phones-and-cisco-unity-connection.html

GTG


Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Security Tokens are mandatory for secure media between IP Phones, among other things. Here's a nice document that explains CTL, USB eTokens and their purpose, along with configuration.

https://supportforums.cisco.com/docs/DOC-18834

Regards,

Aashish


Re: Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Hello Tenaro,

Security tokens have been in existence ever since CUCM was designed to support encryption. From what I can remember, since CUCM 4.x security eTokens have been required for enabling CAPF-based LSCs and creating the CTL file for phones.

To set up a secure environment with TLS for signaling and SRTP for media, you'll need to run through the CTL client wizard, followed by applying a security profile to the endpoints, and finally placing a call between two secure phones such that the lock shows up beside the line you're calling from, confirming that the call is secure.

For detailed information on eTokens, CAPF, and CTL you can refer to Chapter 9 of Securing Cisco IP Telephony Networks.

http://click.linksynergy.com/fs-bin/click?id=aV8WWcTd0Yc&offerid=145238.10000326&type=3&subid=0

http://www.amazon.com/dp/1587142953

Please let us know if you have any more queries on this topic.

Regards,

Akhil Behl

Solutions Architect

Cisco Systems


Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Your approach is correct. Generate a CSR and get it signed by the Microsoft CA you've set up in your lab. Place root certs in the service-type-trust store and the relevant service certs in their respective stores. So root certs go into the tomcat-trust store in CUCM, and the signed cert for Tomcat goes into Tomcat. You can upload the root certs to the pub only and they'll be replicated.

Here's a nice document on CUCM certificates for your reference:

High Level View of Certificates and Authorities in CUCM
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080bf6103.shtml

Regards,

Aashish


Re: Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Hello Tenaro,

I replied to your query about use of eTokens to secure CUCM. In case you have any specific queries about use of any other certificates in your lab or production system feel free to ask.

Also, I'd recommend going through the book Securing Cisco IP Telephony Networks to explore UC security in greater detail, so you can decide what certificates you need in your environment and how you wish to leverage secure services.

http://www.amazon.com/dp/1587142953

Regards,


Akhil Behl
Solutions Architect

Cisco Systems


Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953


Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Thanks Akhil,

can you please confirm that the following paragraph is correct (or let me know if something is wrong):

Cisco installs a certificate in every phone during production (this is called the Manufacturing Installed Certificate). Thanks to that MIC, the phone will accept secure messages only if signed by Cisco. Messages don't have to be signed directly by Cisco: use eTokens to declare that your existing CUCM publisher is trusted by Cisco and that IP phones can also trust this new guy because Cisco approved it. In other words, eTokens allow you to sign the newly created list of trusted CAs, and because eTokens sign it as Cisco, IP phones will not have any problems accepting this encrypted list (called the CTL). Once the IP phone learns it can trust the local CUCM, it will be able to install an LSC and use it instead of the MIC.


Re: Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Hello Tenaro,

Yes, that is absolutely correct. There are two major categories of certificates: Manufacturing Installed Certificates (MIC) and Locally Significant Certificates (LSC). MICs come factory installed and are signed by the Cisco manufacturing CA (the root is already present in the CUCM certificate store). LSCs are derived from CAPF and are signed by the CTL client using eTokens.

In either case, the cluster must be in mixed mode to support call encryption, i.e. the CTL client must be used and run with eTokens to convert the CUCM cluster to mixed mode, such that phone certificates, whether MIC or LSC, can be used.

Hope this resolves your query!

For greater insight into Cisco PKI, UC security, and CUCM encryption/authentication, please refer to the Securing Cisco IP Telephony Networks book.

http://click.linksynergy.com/fs-bin/click?id=aV8WWcTd0Yc&offerid=145238.10000326&type=3&subid=0

http://www.amazon.com/dp/1587142953

Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953


Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Akhil,

I have a situation where phones aren't downloading a new ITL file, causing them to be unable to download their signed configuration file. They get what appears to be a valid CTL file, but the ITL file is listed as "Not Installed". What steps should I take to troubleshoot this issue?


Re: Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Hello Robert,

There are a couple of things you can look for in this case.

  • Check the Enterprise Parameter for Roll Back to pre 8.x and ensure it is set to False.
  • Check the status of the ITL file from the CUCM CLI using the command show itl and ensure that the system has a valid ITL file.

Also, you can try to create a new phone (presuming it's the existing phones that are unable to download the ITL file) in CUCM and see if that endpoint is able to download the ITL followed by the CTL.

Regards,

Akhil Behl
Solutions Architect

Cisco Systems


Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953


Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

So it turns out that I needed to run the CTL client after I had done an upgrade from CUCM 8.5(1) to 8.6. Due to this being on my test system, the phone configurations didn't change much and I only just realized there was an issue. Thanks for the help. Was that update needed due to the back-end OS change on the appliance, or will I need to run the CTL client after every CUCM update 8.x and greater?


Re: Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

Good to know that the issue is fixed. That makes sense since, after an upgrade, a CTL client re-run is always recommended (please see the webcast or presentation slides) to overcome any bugs and refresh the CTL cache.

Regards,

Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
