CUCM Security Modes
CUCM provides two security modes:
- Non-secure mode (default mode)
- Mixed mode (secure mode)
Non-secure mode is the default mode when a CUCM cluster (or server) is installed fresh. In this mode, CUCM cannot provide secure signaling or media services. To enable secure mode on a CUCM server/cluster, the Certificate Authority Proxy Function (CAPF) service must be enabled on the publisher and the Certificate Trust List (CTL) service must be enabled on the publisher and subscribers. Then the cluster can be changed from non-secure mode to mixed mode. The reason it is known as mixed mode is that in this mode CUCM can support both secured and non-secured endpoints. For endpoint security, Transport Layer Security (TLS) is used for signaling and Secure RTP (SRTP) is used for media.
To convert a CUCM cluster into mixed mode, follow these steps:
- Step 1. In Cisco Unified CM Administration, choose Serviceability > Tools > Control Center - Feature Services and enable CAPF and CTL services on the CUCM publisher and CTL service on all CUCM subscribers.
- Step 2. Restart CCM and TFTP services on every node where these services are enabled.
- Step 3. Return to CUCM Administration and choose Application > Plugins to download and install the CTL Client plug-in for Windows.
- Step 4. After the CTL client is installed, log in with the IP address of the publisher and the CUCMAdministrator credentials. Follow the installation prompts.
- Step 5. Click the Set Cisco Unified CallManager Cluster to Mixed Mode radio button.
- Step 6. Insert the USB eToken when prompted by the CTL client wizard, and click OK.
- Step 7. The CTL client wizard prompts for a second eToken, removes the first eToken, and inserts the second USB eToken. Click OK. Click Finish. When prompted for the password for the eToken, enter the default password Cisco123.
- Step 8. After the CTL client wizard completes signing certificates on each server in the cluster, it reminds you to restart the CCM and TFTP services on whichever servers they are configured. Click Done. Restart the CCM and TFTP services on all servers where they are enabled and activated.
You can verify the cluster’s conversion to mixed mode by going to System > Enterprise Parameters. The parameter Cluster Security Mode should be 1, which indicates that the cluster is running in mixed mode.
CTL Client and CTL File
The CTL client, as discussed earlier, is a plug-in that can be downloaded from the CUCM Administration GUI and that runs on a Windows PC to convert a CUCM cluster from non-secure mode to mixed mode. A CTL client signs various certificates. A CTL file contains the following:
- Server Certificate
- Public Key
- Serial Number
- Issuer Name
- Subject Name
- Server Function
- DNS name
- IP address for each server
A CTL file (downloaded to Cisco Unified IP Phones and softclients) consists of the following entries (server entries or security tokens):
- Cisco TFTP
- Alternate Cisco TFTP Server (if any)
- System Administrator Security Token (SAST)
- Cisco ASA Firewall
Figure 5-4 shows the contents of a typical CTL file.
Figure 5-4 CTL File Contents
The contents of a CTL file can be viewed by issuing the CUCM OS CLI command admin: show ctl.
Cisco Unified IP Phone Certificates
Cisco Unified IP Phone certificates come in two flavors:
- Manufacturer Installed Certificate (MIC)
- Locally Significant Certificate (LSC)
Cisco manufacturing is the source for the MIC. Cisco installs the MIC in nonerasable, nonvolatile memory on a Cisco Unified IP Phone. It is available in all new phone models, and the root Certificate Authority (CA) is Cisco Certificate Authority. On the other hand, the CAPF service is the source (root) of the LSC, which must be installed by the UC administrator in erasable phone memory. The LSC can be signed by an organization’s internal CA or an external trusted CA. Figure 5-5 depicts the difference between the MIC and the LSC.
Figure 5-5 Cisco MIC vs. LSC