Configuring Secure SCCP VG224 (VG2XX) Over TLS with CUCM

1    INTRODUCTION
This report explains the steps needed to activate a secure VG224 running SCCP. In this report I use the router as the Certificate Authority (CA); if you use a third-party CA there will be slight differences, and some steps have to be done manually.

2    PREREQUISITES
•    You must activate security mixed mode on the callmanager
•    You must activate the HTTP server on the Cisco router (ip http server); this allows the enrolment with the CA server
Note: The callmanager has two modes, non-secure mode and mixed mode; when using mixed mode both kinds of IP phone (secure profile and non-secure profile) can register with the CUCM
Note: To use mixed mode you must buy the security tokens and use the CTL client to upload the certificate

3    PROCEDURE
3.1    CREATE THE CERTIFICATE AUTHORITY (CA)
Router(config)# crypto pki server vg224caserver
Router(cs-server)# database level complete
Router(cs-server)# database url slot0:
Router(cs-server)# issuer-name CN=vg224caserver
Router(cs-server)# grant auto
% This will cause all certificate requests to be automatically granted.
Are you sure you want to do this? [yes/no]: y
Router(cs-server)# no shutdown
% Once you start the server, you can no longer change some of
% the configuration.
Are you sure you want to do this? [yes/no]: y
% Generating 1024 bit RSA keys …[OK]
% Certificate Server enabled.

Note: The grant auto command allows the automatic acceptance of enrolment requests to the CA server

3.2    ENROLMENT TO THE CA SERVER
3.2.1    CONFIGURE THE PARAMETERS OF THE CERTIFICATE
Router(config)#crypto pki trustpoint VG224ca
Router(ca-trustpoint)# enrollment url http://X.X.X.X
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# exit
X.X.X.X is the IP address of the router running the CA server. With the configuration above you say: my trustpoint name is VG224ca, it will enroll with the server at X.X.X.X, and the certificate will not be checked for revocation (revocation-check none).

3.2.2    AUTHENTICATION OF THE CERTIFICATE
Router(config)# crypto pki authenticate VG224ca
Certificate has the following attributes:
Fingerprint MD5: 4CA53F50 C65894B7 D71DBFD7 75DDBFCA
Fingerprint SHA1: 5C3B6B9E E7F6A826 9DFA458D A6F39F20 918AB291
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.

3.2.3    ENROLLMENT OF THE CERTIFICATE
Router(config)# crypto pki enroll VG224ca
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be: router.cisco.com
% The subject name in the certificate will be: router.cisco.com
% Include the router serial number in the subject name? [yes/no]: y
% The serial number in the certificate will be: D0B9E79C
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The ‘show crypto pki certificate’ command will also show the fingerprint.

3.2.4    DEACTIVATE THE AUTO ENROLLMENT
crypto pki server vg224caserver
shutdown
no grant auto
no shutdown

Note: For security reasons, deactivate auto enrollment (no grant auto) on the CA server once the VG224 has enrolled

3.3    IMPORTING CUCM CERTIFICATES
3.3.1    DOWNLOAD CUCM CERTIFICATES
From Cisco Unified Communications Operating System Administration, under the Certificate Management menu, download all certificates in PEM format listed under CAPF-trust, including:
Callmanager
Cisco_Manufacturing_CA
Cisco_Root_CA_2048
CAP-RTP-001
CAP-RTP-002
CAPF, and
CAPF-xxx.
Also download any CAPF-xxx certificates that are listed under CallManager-trust only.
Note: Not all of the above certificates are needed for recent callmanager versions (>5.x); importing all of them ensures this procedure validates
Note: The certificates needed for CUCM 8.5 are callmanager.pem, Cisco_Root_CA_2048.pem, Cisco_Manufacturing_CA.pem, CAP-RTP-001.pem and CAPF.pem

Hint: How to decide which certificates to import
The latest version of CUCM when writing this procedure was 8.6; you may want to refer to the latest procedure from Cisco to verify whether there has been any modification.
The certificate names may change in future versions; here is the way I verified the needed certificates. Open the certificate file in a text editor (Notepad++) and check the end of the certificate; it must match the one indicated in the Cisco guide:
http://www.cisco.com/en/US/docs/voice_ip_comm/cusrst/admin/sccp_sip_srst/configuration/guide/SCCP_and_SIP_SRST_Admin_Guide

Ex:
In the Cisco guide it says to execute the following command: crypto pki trustpoint CiscoCA
CiscoCA is the name of the trustpoint or the certificate; you will never find this name on the callmanager Certificate Management page (>5.X)
When comparing the certificate in the Cisco guide, you will notice that it ends with 2Q==; the only certificate on the callmanager that ends with 2Q== is the CAP-RTP-001.pem certificate
I have also noticed that CAPF-82c946c6.pem and CAPF.pem are in fact the same certificate
Below is the file name of each certificate found on CUCM 8.6 and the trustpoint name it maps to; only these certificates need to be imported.
CAPF.pem = CAPF
CAP-RTP-001.pem = CiscoCA
Cisco_Manufacturing_CA.pem = CiscoManufactureCA
Cisco_Root_CA_2048.pem = CiscoRootCA2048
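As an added example that is not part of the original post, a small Python script that automates two of the manual checks above: it computes the MD5/SHA1 fingerprints of a PEM file in the same 8-character groups IOS prints during crypto pki authenticate (section 3.2.2), so the fingerprint shown on the router can be compared with the certificate obtained out of band, and it finds which downloaded CUCM file ends with a given base64 tail such as 2Q== (the method used in this hint). The file contents and function names are my own constructions; the bodies are not real certificates.

```python
import base64
import hashlib
import re

# Constructed stand-ins for the PEM files downloaded from CUCM: base64 of short
# test strings, NOT real certificates. The first is built to end in "2Q==".
SAMPLE_PEMS = {
    "CAP-RTP-001.pem": "-----BEGIN CERTIFICATE-----\n"
                       "QUFBQUFBQUFB2Q==\n"
                       "-----END CERTIFICATE-----\n",
    "CAPF.pem": "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n",
}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return (DER bytes, base64 body) of the first certificate in a PEM file."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())      # drop line breaks and spaces
    return base64.b64decode(body, validate=True), body

def ios_fingerprint(der, algo):
    """Hex digest in groups of 8, the layout IOS uses for 'Fingerprint MD5:'."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def describe(pem_files):
    """Fingerprints and base64 tail of every file, for side-by-side comparison."""
    report = {}
    for name, text in pem_files.items():
        der, body = pem_to_der(text)
        report[name] = {"md5": ios_fingerprint(der, "md5"),
                        "sha1": ios_fingerprint(der, "sha1"),
                        "tail": body[-4:]}
    return report

def find_by_tail(pem_files, tail):
    """The post's method: which file's base64 ends with the tail from the guide."""
    return [n for n, t in pem_files.items() if pem_to_der(t)[1].endswith(tail)]

def find_by_fingerprint(pem_files, shown):
    """Match a fingerprint as printed by 'crypto pki authenticate' (MD5 or SHA1)."""
    want = shown.replace(" ", "").upper()
    algo = "md5" if len(want) == 32 else "sha1"
    return [n for n, t in pem_files.items()
            if ios_fingerprint(pem_to_der(t)[0], algo).replace(" ", "") == want]
```

Matching on the fingerprint is preferable to matching on the last four base64 characters, which only identify the final one or two bytes of the certificate.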

3.3.2    IMPORT CUCM CERTIFICATE TO THE VG224
Callmanager.pem (of the publisher)
Router(config)# crypto pki trustpoint callmanagerPub
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# enrollment terminal
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate callmanagerPub
PS: if you have more than one server, you will need to include each server's callmanager.pem certificate; please see 3.5.2 at the end of this report

Callmanager.pem (of the subscriber)
Router(config)# crypto pki trustpoint callmanagerSub
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# enrollment terminal
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate callmanagerSub

PS: In fact you will only need the callmanager.pem of the servers that are members of the callmanager group; so if you have a callmanager group called Group1 that contains SERV1, SERV2 and SERV3, you will need the three PEM certificates

CAPF.pem
Router(config)# crypto pki trustpoint CAPF
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# enrollment terminal
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate CAPF
Now open CAPF.pem in a text editor, copy all the text inside and paste it at the prompt, then hit Enter until you get the prompt below:
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
Repeat the same steps to the rest of the certificates:

CAP-RTP-001.pem
Router(config)# crypto pki trustpoint CiscoCA
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# enrollment terminal
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate CiscoCA

Cisco_Manufacturing_CA.pem
Router(config)# crypto pki trustpoint CiscoManufactureCA
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# enrollment terminal
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate CiscoManufactureCA

Cisco_Root_CA_2048.pem
Router(config)# crypto pki trustpoint CiscoRootCA2048
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# enrollment terminal
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate CiscoRootCA2048

3.4    IMPORT THE VGXXX CERTIFICATE
Router(config)# crypto pki export VG224ca pem terminal
Copy the text and paste it into a text editor; name your file Vg.pem
The BEGIN and END lines must be included

-----BEGIN CERTIFICATE-----
MIICDTCCAXagAwIBAgIBATANBgkqhkiG9w0BAQQFADAaMRgwFgYDVQQDEw9WRzIy
NFRPY2FzZXJ2ZXIwHhcNMTIwIwMTA0MTA0MTU0MjMxWhcNMzMTU0MjMxWjAaMRgw
....
-----END CERTIFICATE-----

From Cisco Unified Communications Operating System Administration, under the Certificate Management menu, click on Upload Certificate
Choose the CallManager-trust type, give a description and point to the Vg.pem file that you exported
3.5    APPLY SECURITY PARAMETERS
You must set some parameters

3.5.1    PARAMETERS ON CUCM
Choose the secure profile under each port; notice that if you configure security on the VG you must apply it to all ports
PS: you can't have one port in secure mode and another port as a non-secure port

3.5.2    PARAMETERS ON THE VG

STC application:

no stcapp
stcapp ccm-group 1
stcapp security trustpoint VG224ca
stcapp security mode encrypted
stcapp

SCCP:
sccp local FastEthernet0/0
sccp ccm 10.195.124.21 identifier 1 version 7.0
sccp ccm 10.195.124.71 identifier 2 version 7.0
sccp ip precedence 3
sccp
!

Note: notice that I have 2 callmanagers, so you must import both certificates: create 2 trustpoints, callmanagerPub and callmanagerSub, then import the corresponding callmanager.pem file found on each server

sccp ccm group 1
associate ccm 1 priority 1
associate ccm 2 priority 2
!

dial-peer voice 99900 pots
service stcapp
security mode encrypted
port 2/0

PS: you must create a dial-peer for each port; if you don't, the port will not register
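As an added example that is not part of the original post, a Python check for the two rules stated in 3.5.1 and in the PS above: every analog port must have a pots dial-peer carrying both service stcapp and security mode encrypted, and the global stcapp security trustpoint and stcapp security mode encrypted lines must be present. The config excerpt is constructed after section 3.5.2 with two deliberate faults, and the function names are my own.

```python
# Constructed IOS config excerpt modelled on section 3.5.2 of the post, with two
# deliberate faults: port 2/1 lacks 'security mode encrypted', port 2/2 has no dial-peer.
SAMPLE_CONFIG = """\
stcapp security trustpoint VG224ca
stcapp security mode encrypted
stcapp
!
dial-peer voice 99900 pots
 service stcapp
 security mode encrypted
 port 2/0
!
dial-peer voice 99901 pots
 service stcapp
 port 2/1
!
"""

# Global STC application lines every port depends on, and per-dial-peer lines.
GLOBAL_REQUIRED = ("stcapp security trustpoint ", "stcapp security mode encrypted")
PEER_REQUIRED = ("service stcapp", "security mode encrypted")

def parse_dial_peers(config):
    """Map each 'port X/Y' to the set of lines of its pots dial-peer block."""
    peers, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("dial-peer voice ") and line.endswith(" pots"):
            current = set()
        elif line == "!":
            current = None
        elif current is not None:
            current.add(line)
            if line.startswith("port "):
                peers[line.split(None, 1)[1]] = current  # same set, keeps filling
    return peers

def audit_secure_stcapp(config, expected_ports):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    for prefix in GLOBAL_REQUIRED:
        if not any(l.strip().startswith(prefix) for l in config.splitlines()):
            findings.append(f"global: missing '{prefix.strip()}'")
    peers = parse_dial_peers(config)
    for port in expected_ports:
        block = peers.get(port)
        if block is None:
            findings.append(f"port {port}: no pots dial-peer (port will not register)")
            continue
        for need in PEER_REQUIRED:
            if need not in block:
                findings.append(f"port {port}: dial-peer lacks '{need}'")
    return findings
```

Run it against the output of show running-config with the full list of ports on the VG224 (2/0 through 2/23) before switching the CUCM port profiles to secure.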

This entry was posted in CallManager, Gateway, LAB.