CUCM Security By Default
Cisco has introduced the concept of Security By Default (SBD) from CUCM version 8.0 onward. SBD mandates that every endpoint obtain an Identity Trust List (ITL) file, which is a leaner version of a Certificate Trust List (CTL) file.
Trust Verification Service (TVS) is the core component of the SBD feature. TVS runs on all CUCM servers in the cluster and authenticates certificates on behalf of Cisco Unified IP Phones. TVS certificates, along with a few other key certificates, are bundled in the ITL file. Security By Default provides three basic functions for supported Cisco Unified IP Phones:
- Default authentication of the TFTP downloaded files (configuration, locale, and so on)
- Optional encryption of the TFTP configuration files
- Certificate verification for the phone-initiated HTTPS connections using a remote certificate trust store on CUCM and TVS
ITL is similar to CTL, but ITL does not require any security feature to be enabled explicitly. Moreover, ITL is not a replacement for CTL; it provides initial security so that endpoints can trust the CUCM. To encrypt signaling or media, CTL is still required. The ITL file is created automatically when the cluster is installed, and the CUCM TFTP server's private key is used to sign it. When a CUCM server/cluster is in non-secure mode, only the ITL file is downloaded to every supported Cisco Unified IP Phone; when a CUCM server/cluster is in mixed mode, the CTL file is downloaded first, followed by the ITL file. The contents of an ITL file can be viewed with the CUCM OS CLI command "show itl" at the "admin:" prompt.
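As an added illustration (not Cisco's code, and not the ITL's real on-the-wire format), the toy model below walks through the phone-side trust decisions described above: the ITL is signed with the TFTP server's private key, a TFTP-downloaded configuration file is authenticated against the TFTP key carried in the ITL, and an HTTPS server certificate that is not in the ITL is referred to TVS, whose signed answer is accepted because the TVS key is in the ITL. The model also assumes, as CUCM does, that a replacement ITL is accepted only if it is signed by the TFTP key already present in the installed ITL; textbook RSA with constructed small primes stands in for the real certificates, and all names are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy RSA keys stand in for the TFTP and TVS certificates; a real
# phone verifies X.509 certificates, but the trust decisions below are the same.
E = 65537

def make_key(p: int, q: int) -> tuple:  # -> (public (e, n), private (d, n))
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, priv: tuple) -> int:
    return pow(digest(data, priv[1]), *priv)
def verify(data: bytes, sig: int, pub: tuple) -> bool:
    return pow(sig, *pub) == digest(data, pub[1])

@dataclass
class ITL:  # Identity Trust List: trusted public keys, signed by the TFTP key
    tftp_pub: tuple
    tvs_pub: tuple
    signature: int = 0
    def body(self) -> bytes:
        return repr((self.tftp_pub, self.tvs_pub)).encode()

def build_itl(tftp_pub: tuple, tftp_priv: tuple, tvs_pub: tuple) -> ITL:
    itl = ITL(tftp_pub, tvs_pub)
    itl.signature = sign(itl.body(), tftp_priv)
    return itl

class Phone:
    itl = None  # factory state: no trust list installed yet

    def install_itl(self, itl: ITL) -> bool:
        # The first ITL is accepted as the initial trust anchor; any later ITL
        # must be signed by the TFTP key already present in the installed one.
        anchor = self.itl.tftp_pub if self.itl is not None else itl.tftp_pub
        if not verify(itl.body(), itl.signature, anchor): return False
        self.itl = itl
        return True

    def verify_config(self, cfg: bytes, sig: int) -> bool:
        """Default authentication of a TFTP-downloaded configuration file."""
        return self.itl is not None and verify(cfg, sig, self.itl.tftp_pub)

    def verify_https_cert(self, cert: bytes, verdict: bytes, sig: int) -> bool:
        """Cert absent from the ITL: accept only a TVS verdict signed by the TVS key."""
        return (self.itl is not None and verdict == b"trusted:" + cert
                and verify(verdict, sig, self.itl.tvs_pub))
```

A phone that has never received an ITL accepts the first one it is given, which is exactly why the initial trust established by SBD is only as good as the TFTP server the phone first talks to.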