Registering Cisco Video Conferencing Endpoints to CUCM Using SIP-TLS
This post details how to register a Cisco Videoconferencing endpoint, specifically TC based endpoints such as the C or EX series, to Cisco Unified Communications Manager (CUCM) 10.5 utilising SIP-TLS. This post references a single node lab build throughout, and only the minimum steps to achieve the desired outcome (registering the TC based Videoconferencing endpoint to CUCM using SIP-TLS).
Firstly why would you use SIP-TLS in the first place? Using the Transport Layer Security (TLS) protocol will protect the SIP messaging traffic on the legs where it is enabled, preventing a third party (the forever mentioned and nefarious BOB) from intercepting the SIP messages for malicious purposes, such as deciphering the caller and callee details which could be sensitive in certain environments. An important note here is that TLS will only be used on the legs where it is configured and enabled so unless TLS is working end-to-end you are not totally secure from interception. Not directly related to TLS but also worth noting is SRTP, which is the Secure Real Time Transport Protocol, this should be used in tandem with SIP-TLS so that media traffic is encrypted also. You can use SRTP without SIP-TLS, but the SRTP keys would then be exposed in the SIP messaging which could allow our friend or foe BOB to decrypt the SRTP traffic. Let’s kick on with the configuration.
After initial build of CUCM 10.5, the following steps are done. Start the required services from Cisco Unified OS Administration
- Cisco CallManager
- Cisco TFTP
- Cisco AXL Web Service
- Cisco CTL Provider
- Cisco Certificate Authority Proxy Function
Change the cluster security mode from non-secure-mode to mixed mode
- SSH to CUCM and log in as admin
- Run the command utils ctl set-cluster mixed-mode
- Restart the Cisco CallManager and TFTP Services from Cisco Unified Serviceability
Install a certificate signed by a trusted Certificate Authority (CA). For a Microsoft CA, create a template with the following extensions (note I copied the base Web Server template)
- Application Policies - Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), IP Security end system (1.3.6.1.5.5.7.3.5)
- Key Usage - Select Digital Signatures, Signature is proof of origin (nonrepudiation), Allow key exchange only with key encryption (key encipherment) and Allow encryption of user data
Then create the CSR from UCM, submit the request to the CA and then upload the certificate to UCM
- From Cisco Unified OS Administration, navigate to Security > Certificate Management
- Click Generate CSR
- On the Generate Certificate Signing Request page set the Certificate Purpose to be CallManager. Leave the rest of the fields as default
- Submit the request to the CA using the template you created above, and download the certificate in Base 64
- Back on the CUCM Certificate Management page, click upload certificate/certificate chain
- First, upload the CA certificate (and chain if applicable) for the issuing CA selecting CallManager-Trust as the Certificate Purpose
- Then upload the CUCM certificate selecting CallManager as the Certificate Purpose
- Once done restart the Cisco CallManager and TFTP Services from Cisco Unified Serviceability
The next step is to create the Phone Security Profile
- From Cisco Unified CM Administration, go to System > Security > Phone Security Profile
- Find the Non-Secure profile for the endpoint model and click copy
- Update the name removing the “Non-”, or name it to your preference and configure as shown below
- Once done click Save
Next, add a new Phone
- From Cisco Unified CM Administration, go to Device > Phone
- Click Add, and select the Phone type corresponding to your video conferencing endpoint model
- Configure the phone profile for your environment ensuring that you set the Device Security Profile to the Phone Security Profile you created earlier
- Set the Certificate Authority Proxy Function (CAPF) Information as shown below, amending the date to a time in the future
- Configure the admin username and password corresponding with the admin user/pass on the endpoint
- Once done click Save
Once this is done add a DN to the phone profile
- From the Phone, click Add a new DN
- Configure as per normal with the Directory number etc. and click Save
Now on the endpoint configure provisioning
- Log into the endpoint and navigate to Configuration > System Configuration > Provisioning
- Set the Mode to CUCM and the Address to the CUCM node
Once this is done, the endpoint should be provisioned with the CTL/ITL, which can be verified from Configuration > Security > CUCM, shown below. Also, SIP settings should be automatically provisioned (shown below), noting the DefaultTransport is set to TLS.
And that’s it. You should now be able to make and receive calls.
Pro Tip #1 I came across this issue in the lab when testing various certificates whereby the TC based endpoint would show a SIP registration status of “Failed: Failed to send”. Looking at the eventlog/all.log on the endpoint, I also extracted the following errors.
Sep 16 03:59:41.042 ppc appl[2831]: 138.02 PROV I: [requestItem] Requesting http://10.105.83.65:6970/CTLSEP0050600534bc.tlv, state=ProvItemCTL (CTL requested)
Sep 16 03:59:42.196 ppc appl[2831]: 139.17 PROV I: [requestItem] Requesting http://10.105.83.65:6970/ITLSEP0050600534bc.tlv, state=ProvItemITL (ITL requested)
Sep 16 03:59:42.681 ppc appl[2831]: 139.65 PROV W: [authorizeAndInstall]: secProcessTrustFile("/tmp/ITLFile.tlv") failed: 1 (TL_FAILURE)
Sep 16 03:59:42.685 ppc appl[2831]: 139.66 PROV I: [requestItem] Requesting http://10.105.83.65:6970/SEP0050600534bc.cnf.xml.sgn, state=ProvItemConfig (config requested (either full or mini))
Sep 16 03:59:43.141 ppc appl[2831]: 140.12 PROV W: [ProvisionItem] failed to strip signature/decrypt payload
Sep 16 03:59:43.148 ppc appl[2831]: 140.12 PROV ERROR: [handleFailedProvRequest] reqURL=http://10.105.83.65:6970/SEP0050600534bc.cnf.xml.sgn status=failed reason=Failed to decrypt/verify signature of /SEP0050600534bc.cnf.xml.sgn
Sep 16 03:59:43.153 ppc appl[2831]: 140.13 PROV I: CUCMProvisionUser: Failed to provision (status=Failed)
Sep 16 03:59:43.159 ppc appl[2831]: 140.13 PROV I: void CUCMProvision::CUCMProvisionUser::tryNextUrl() exhausted (pausing)
Further investigation shows that from the endpoint Configuration > System Configuration > Security > CUCM page when compared with the output of show itl from the CUCM CLI, that the CCM+TFTP certificate serial numbers don’t match. Looking at the output of show ctl from the CUCM CLI show the incorrect serial number as well. To resolve this run the command utils ctl update CTLFile, then restart the Cisco CallManager and TFTP services from Cisco Unified Serviceability. From the endpoint then go back to Configuration > Security > CUCM, and select Delete CTL/ITL. Once it has pulled down the updated CTL/ITL files, stop and start the SIP service from Configuration > System Configuration > NetworkServices, and SIP should register successfully.
Endpoint: Role CUCM-TFTP Issuer CN=FOO Enterprise CA Serial Number 5B:6A:D9:3E:00:06:00:00:00:B7 Subject Name CN=SYDCSVUCM01.collab.foo.internal; OU=Infrastructure; O=Foo; L=Sydney; ST=NSW; C=AU Subject DNS Name SYDCSVUCM01
UCM: