
Enabling encryption in a CUCM 10.5

vipersl65
Level 4

Looking for someone that has done this already for some guidance. I know that you have to generate a CSR for

1) Tomcat

2) CallManager or call-manager-trust

Am I missing something else?

Submit the request to a CA like Verisign and then upload it to the Pub, restart Tomcat and CAPF.

 

It's a bit confusing, especially sending the request to a CA, because if I look at Verisign (Symantec), I'm not sure what platform to select.

 

thanks

8 Replies

Jaime Valencia
Cisco Employee

OK, so, do you want to use encryption for calls??? If so, yes, you're missing a lot of what you need.

If all you want is to avoid getting an error when logging into CUCM webpages, then yes, you need to change the certs.

HTH

java

if this helps, please rate

Jaime,

 

Thanks for the reply.  No, I need the calls and signalling to be encrypted.

 

What I'm confused about to begin with is downloading the CSR and submitting the request. In the OS admin of my 10.5 CUCM, I downloaded CallManager and Tomcat and submitted them to Verisign. My questions for that are:

1) Is that the correct CSR?

2) What else do I need to download for submission?

 

Then in Verisign, there is a question there about platform and I am not sure what to choose, so I chose Intel.

 

Now, what I know is whatever file(s) I get back from Verisign, I need to upload to the CUCM, reboot it and enable mixed mode, correct?

 

Then, from that point, configure the phone for LSC? By the way, after encryption is completed, CUCM will now use TLS for signaling and SRTP for media, correct?

 

thanks in advance

islam.kamal
Level 10

hi

1- Yes, you are completely right. But why are you going to purchase a certificate from Verisign? This will take around 500 to 1000 $. The web GUI for CUCM is only open to the administrator, or some few people who have control of CUCM. You can go two ways: self-signed, and this can be done by downloading the CSR and saving it to our PC, then uploading it to your web browser; or the 2nd way, to use Microsoft CA. Kindly find the links below:

https://supportforums.cisco.com/document/30501/cucm-uploading-ccmadmin-web-gui-certificates

 

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/cucos/9_1_1/CUCM_BK_C5D96C80_00_cucm-os-admin-guide-91/CUCM_BK_C5D96C80_00_cucm-os-admin-guide-91_chapter_0110.html#CUCM_TK_I42A6424_00

 

thanks

please rate all useful information

Islam,

 

Thanks for the reply. Don't worry about the buying of certs as the company is paying for it. :)

Second, we want calls to be encrypted and not just the web GUI.

Thanks for all your replies Kamal, but I am not just trying to get rid of that HTTP error in the web GUI. I am trying to enable full-on encryption in the CUCM, meaning phones will have encryption, signaling is encrypted, and media is encrypted as well.

dana.tong
Level 4

You need two of the security tokens (KEY-CCM-ADMIN-K9).

Follow this blog

http://blinkenzomg.wordpress.com/2013/06/18/encrypting-ciscos-unified-communications-manager/

 

Cheers

 

Tokens? You don't need them anymore at 10.5.

kkeeton
Cisco Employee

When you are encrypting your phones, signalling, etc., you need to have CUCM be in a secure or mixed mode state. In version 10, those USB keys are not required since Cisco allows you to have tokenless CTL.

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html

Once in secure mode, you have to apply a secure phone profile to the phones.

Here's the 10.0 doc on phone security:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_0110.html