The Cisco CUMA proxy provides secure connectivity (mobility proxy) between Cisco Unified Mobility Advantage clients and servers. In this solution the ASA delivers inspection for the MMP protocol (formerly called OLWP), the proprietary protocol between Cisco Unified Mobile Communicator and Cisco Unified Mobility Advantage. The ASA also acts as a TLS proxy, terminating and re-originating the TLS signaling between the Cisco Unified Mobile Communicator and Cisco Unified Mobility Advantage.
1. Requirements
The following are required before the phone proxy feature will work correctly:
- The ASA firewall must be running at least version 8.0(4).
- The ASA must have the appropriate license installed. Issue the "sh ver" command and make sure 3DES is enabled.
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 5.2(4)
2. Create an access list for the inspection port and apply the ACL inbound on the outside interface
cuma-asa(config)#access-list outside-acl permit tcp any host 100.100.100.10 eq 5443
cuma-asa(config)#access-group outside-acl in int outside
3. Generate a CSR on the ASA.
This step is needed to install a Verisign or GeoTrust certificate on the ASA.
a. Generate a key pair. The following procedure needs to be done on the ASA. (The example below uses a 1024-bit modulus; public CAs no longer sign certificates for 1024-bit RSA keys, so use at least a 2048-bit modulus on current software.)
cuma-asa(config)# crypto key gen rsa label asa-veri mod 1024
INFO: The name for the keys will be: asa-veri
Keypair generation process begin. Please wait..
b. Create a trustpoint with all the information needed to generate the CSR. The subject name must be exactly the host name the mobile phones will use to reach CUMA. If the phones connect to https://cuma1.cisco.com:5443, use CN=cuma1.cisco.com.
cuma-asa(config)# crypto ca trustpoint asa-to-mobile
cuma-asa(config-ca-trustpoint)# subject-name CN=cuma1.cisco.com,OU=Voice,O=Cisco,C=<2 digit country code>
d. Send the above CSR to Verisign or GeoTrust. Once you get the signed certificate, import it:
Remember:
- IMPORT the ID cert
- AUTHENTICATE the CA cert
cuma-asa(config)# crypto ca import asa-to-mobile cert
WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: y
% The fully-qualified domain name in the certificate will be: cuma1.cisco.com
Enter the base 64 encoded certificate. End with the word "quit" on a line by itself
e. Now authenticate the trustpoint with the CA certificate that issued your ID cert.
It is critical that the entire certificate chain is in the ASA's trust store so that the mobile device can properly validate the certificates during the SSL handshake.
cuma-asa(config)# crypto ca authenticate asa-to-mobile
Enter the base 64 encoded CA certificate. End with the word "quit" on a line by itself
** Paste the contents of the cert **
f. If you authenticated an intermediate CA cert in the step above, you must also add the root certificate to the trust store under a separate trustpoint, because each trustpoint can hold at most one ID cert and one CA cert.
cuma-asa(config)# crypto ca trustpoint asa-to-mobile-root
cuma-asa(config-ca-trustpoint)# crypto ca authenticate asa-to-mobile-root
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
** Paste the contents of the root cert. **
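A client-side check of what the ASA presents on port 5443, as an added example that is not part of the original page: it confirms the leaf certificate's CN equals the host name the phones use and that the chain validates against the root and intermediate authenticated above. It assumes openssl is installed and that cuma-ca-chain.pem (a file name chosen here) holds those CA certificates in PEM form.

```shell
#!/bin/sh
# Added example, not from the original page: check the mobility proxy the way a
# phone's TLS stack will, against the two points above (exact CN match, complete
# chain). Assumes openssl is installed; cuma-ca-chain.pem is an assumed file name
# holding the root and intermediate CA certs in PEM form.

ROOT_BUNDLE="${ROOT_BUNDLE:-cuma-ca-chain.pem}"

# Reads saved "openssl s_client" output on stdin. Succeeds only when the chain
# verified (Verify return code 0) and the leaf subject CN equals $1.
# Handles both "subject=CN = x, OU = y" and the older "subject=/CN=x/OU=y" form
# (assumes a single CN attribute in the subject).
check_s_client_output() {
    expected_cn="$1"
    out=$(cat)
    cn=$(printf '%s\n' "$out" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' \
         | head -n 1 | sed 's/ *$//')
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' \
         | tail -n 1)
    # number of certificates the server sent (" 0 s:", " 1 s:", ...)
    sent=$(printf '%s\n' "$out" | grep -c '^ *[0-9][0-9]* s:' || true)
    [ "$sent" -ge 1 ] || { echo "FAIL: no server certificate in output"; return 1; }
    [ "$code" = "0" ] || { echo "FAIL: chain did not verify (code ${code:-missing})"; return 1; }
    [ "$cn" = "$expected_cn" ] || { echo "FAIL: CN '$cn' != '$expected_cn'"; return 1; }
    echo "OK: CN=$cn, $sent certificate(s) sent, chain verified"
}

# Live check against the proxy, e.g.: check_cuma_proxy cuma1.cisco.com 5443
check_cuma_proxy() {
    host="$1"; port="${2:-5443}"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$ROOT_BUNDLE" </dev/null 2>/dev/null | check_s_client_output "$host"
}
```

A non-zero verify return code with only one certificate sent usually means the intermediate was never authenticated on the ASA, which is exactly the chain gap step e. warns about.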
4. Install the CUMA server's self-signed ID cert into the ASA's trust store.
This will be used for the communication between the ASA and CUMA.
a. Create a self-signed cert on the CUMA server
The following needs to be done on the CUMA server:
1 Sign in to the Cisco Unified Mobility Advantage Admin portal.
2 Select the [+] beside Security Context Management.
3 Select Security Contexts.
4 Select Add Context.
5 Enter information:
Do you want to create/upload a new certificate? create
Context Name "cuma"
Trust Policy "Trusted Certificates"
Client Authentication Policy "none"
Client Password "changeme"
Server Name cuma.ciscodom.com
Department Name "vsec"
Company Name "cisco"
City "san jose"
Country "US"
b. Download the self-signed certificate from Cisco Unified Mobility Advantage
The following needs to be done on the CUMA server:
1 Select the [+] beside Security Context Management
2 Select Security Contexts.
3 Select Manage Context beside the security context that holds the certificate to download.
4 Select Download Certificate.
If the certificate is a chain (has associated root or intermediate certificates), only the first certificate in the chain is downloaded. This is sufficient for self-signed certificates.
5 Save the file.
c. Add the self-signed certificate from Cisco Unified Mobility Advantage to the ASA.
The following needs to be done on the ASA:
1. Open the self-signed certificate from Cisco Unified Mobility Advantage in WordPad (not Notepad).
2. Import the certificate into the Cisco Adaptive Security Appliance trust store:
cuma-asa(config)# crypto ca trustpoint cuma-server-id-cert
cuma-asa(config-ca-trustpoint)# enrollment terminal
cuma-asa(config-ca-trustpoint)# crypto ca authenticate cuma-server-id-cert
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
** paste the contents from wordpad **
5. Export the ASA's self-signed cert so it can be imported onto the CUMA server
We recommend that you configure Cisco Unified Mobility Advantage to require a certificate from the Cisco Adaptive Security Appliance. Use this procedure to provide the required self-signed certificate.
The following needs to be done on the ASA:
a. Generate a new key pair
cuma-asa(config)# crypto key generate rsa label asa-id-key mod 1024
INFO: The name for the keys will be: asa-id-key
Keypair generation process begin. Please wait...
b. Add a new trustpoint
cuma-asa(config)# crypto ca trustpoint asa-self-signed-id-cert
cuma-asa(config-ca-trustpoint)# keypair asa-id-key
cuma-asa(config-ca-trustpoint)# enrollment self
c. Enroll the trustpoint
cuma-asa(config-ca-trustpoint)# crypto ca enroll asa-self-signed-id-cert
% The fully-qualified domain name in the certificate will be: cuma-asa.cisco.com
% Include the device serial number in the subject name? [yes/no]: n
Generate Self-Signed Certificate? [yes/no]: y
d. Export the certificate to a text file
cuma-asa(config)# crypto ca export asa-self-signed-id-cert identity-certificate
The PEM encoded identity certificate follows:
Certificate data omitted
e. Copy the above output to a text file and add it to the CUMA server trust store using the following procedure:
1. Select the [+] beside Security Context Management.
2. Select Security Contexts.
3. Select Manage Context beside the Security Context into which you will import the signed certificate.
4. Select Import in the Trusted Certificates bar.
5. Paste the certificate text.
6. Name the certificate.
7. Select Import.
6. Create a TLS proxy instance for the CUMA clients connecting to the CUMA server
ASA-to-mobile-phone communication is on the outside interface and ASA-to-CUMA communication is on the inside interface.
In the communication between the ASA and the mobile clients, the ASA acts as the TLS server.
In the communication between the ASA and CUMA, the ASA acts as the TLS client.