Secure Conferencing ccna bootcamp training in new delhi

Network Bulls
www.networkbulls.com

Secure conferencing is a new feature introduced with CUCM 6.0. Secure conferencing
requires a secure conference bridge media resource, which is provided by a Cisco IOS DSP
farm. The secure conference media resource needs a certificate, which can be issued by any
CA (including a Cisco IOS CA that runs on the same Cisco IOS router).
The secure conference bridge media resource registers with CUCM by using SCCP over
TLS. The CUCM PKI-based two-way certificate exchange is used for TLS device authentication.
AES (encryption) and SHA-1 (packet authentication) protect the TLS session.
To verify the certificates exchanged in TLS, the following are required:
• CUCM systems have to recognize the certificate of the issuer (the CA) of the certificate that is
used by the secure conference media resource. In this way, the CUCM server with which the
secure conference bridge registers can verify the signature on the certificate presented
by the secure conference bridge.
• The Cisco IOS router that provides the secure conference media resource needs to
recognize the certificate of each CUCM system with which the secure conference
bridge can register. This information allows the Cisco IOS router to compare the certificate
presented by the CUCM with which the secure conference bridge registers
against the locally stored copy.
Secure conferences are supported on the following Cisco Unified IP Phones:
• 7940 and 7960, only when SCCP is used and only for authenticated conferences
• 7906, 7911, and 7931, only when SCCP is used
• 7941, 7942, 7945, 7961, 7962, 7965, 7970, 7971, and 7975
A secure conference can be authenticated (all members use authenticated signaling), thus
ensuring that the member devices are authentic and not spoofed. Or a secure conference can
be encrypted (all members use authenticated and encrypted signaling and SRTP), thus also
providing confidentiality—not only for signaling, but also for the RTP streams.
Secure Conferencing Considerations
To successfully set up a secure conference, an IP Phone that invokes a conference must be
allowed to allocate a secure conference by its media resource list configuration. This action,
however, is no guarantee that the conference will be secure.
The conference starts at the corresponding security level only if a secure conference media
resource is allocated for the conference and the device security mode of the IP Phone is
authenticated or encrypted.
This security level changes as members join or drop out of the conference; the conference
always runs at the highest level that every current member supports. The levels
can be nonsecure, authenticated, or encrypted.
For Meet-Me conferences, a minimum level can be configured for secure conferences in the
Meet-Me Conference Configuration window. Devices that do not support the configured
minimum level do not gain access to the secure Meet-Me conference in this case.
The minimum Cisco IOS release that is required for secure conferencing is 12.4(11)XW1.
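The level negotiation described above, as an added Python example that is not from the original text or from Cisco: the class and device names are hypothetical, and the model assumes the three levels are strictly ordered as the text lists them (each level includes the weaker ones).

```python
from enum import IntEnum


class Level(IntEnum):
    """Conference security levels, ordered weakest to strongest."""
    NONSECURE = 0
    AUTHENTICATED = 1
    ENCRYPTED = 2


class SecureConference:
    """Hypothetical model of how CUCM picks a conference's level (not CUCM code)."""

    def __init__(self, bridge_is_secure, minimum=Level.NONSECURE):
        self.bridge_is_secure = bridge_is_secure  # a secure CFB was allocated
        self.minimum = minimum                    # Meet-Me minimum; default Non-Secure
        self.members = {}                         # device name -> device security mode

    def current_level(self):
        # Without a secure media resource the conference can never be better than nonsecure.
        if not self.bridge_is_secure or not self.members:
            return Level.NONSECURE
        # The conference runs at the strongest level every member supports,
        # so the weakest member decides.
        return min(self.members.values())

    def join(self, device, mode):
        # Meet-Me: a device below the configured minimum is refused.
        if mode < self.minimum:
            return False
        self.members[device] = mode
        return True

    def leave(self, device):
        self.members.pop(device, None)


def walk_through():
    """Ad hoc conference: the level drops and recovers as members come and go."""
    conf = SecureConference(bridge_is_secure=True)
    history = []
    conf.join("SEP-encrypted-A", Level.ENCRYPTED); history.append(conf.current_level())
    conf.join("SEP-encrypted-B", Level.ENCRYPTED); history.append(conf.current_level())
    conf.join("SEP-7960-auth", Level.AUTHENTICATED); history.append(conf.current_level())
    conf.join("SEP-nonsecure", Level.NONSECURE); history.append(conf.current_level())
    conf.leave("SEP-nonsecure"); history.append(conf.current_level())
    return history
```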
Secure Conferencing Configuration Procedure
The following steps are required to implement secure conferences:
Step 1 Obtain a certificate for the secure conference media resource from
any CA.
Step 2 Configure a secure conference bridge media resource in Cisco IOS.
Step 3 Export the certificate that is used by CUCM (to be done on each server).
Step 4 Add the CUCM certificate or certificates to the Cisco IOS router.
Step 5 Export the certificate of the CA that issued the certificate to the secure
conference media resource (see Step 1).
Step 6 Add the CA certificate to CUCM (to be done on each server).
Step 7 Add and configure the secure conference bridge in CUCM.
Step 8 Optionally, configure a minimum security level for Meet-Me conferences
(the default is nonsecure).
Unless all media resources should be available to all users, media resource groups (MRG) and
media resource group lists (MRGL) are implemented. When you add one or more secure
conference media resources, the MRGs and MRGLs have to be updated accordingly. If they are
not updated, the secure conference media resources are available to all phones, whether or
not they support signaling over TLS and SRTP for media. If both secure and nonsecure
conference bridges are available, the MRGs and MRGLs should be implemented so that phones
that do not support security always prefer nonsecure conference media resources over secure
ones. This configuration prevents the valuable secure conference media resources from being
tied up by nonsecure conferences that other (nonsecure) conference media resources could
serve equally well.
NOTE Media resource group and media resource group list configuration is covered in
detail in Implementing Cisco Unified Communications Manager, Part 1 (CIPT1).
TIP It is extremely important to keep in mind that all devices that receive certificates
must have correct date and time information. If the clock of the receiving device falls
outside a certificate's validity period, the certificate is rejected. Running NTP in the
network is strongly recommended when certificates are used.
Step 1: Obtain a Certificate for the Secure Conference Media Resource
The first step in implementing a secure conference bridge is to obtain a certificate for the
secure conference media resource at the Cisco IOS router, as shown in Example 16-2.
Example 16-2 Step 1: Obtain a Certificate for the Secure Conference Media Resource
!
crypto pki trustpoint secure-cfb-tp
 enrollment url (URL of CA)
 serial-number none
 fqdn none
 ip-address none
 subject-name cn=HQ-1_Secure-CFB, ou=Pod-1, o=Lab
 revocation-check none
!
crypto pki authenticate secure-cfb-tp
crypto pki enroll secure-cfb-tp
Example 16-2 shows the Cisco IOS configuration that is required to obtain a certificate
from a CA. After you enter the crypto pki authenticate command, the certificate of the CA
specified in the enrollment URL is downloaded. The fingerprint of the received certificate
is displayed and should be verified out-of-band. If it is correct, the certificate must be accepted
so that it is stored in the router's NVRAM. After the CA's certificate has been downloaded, the
router's own certificate can be requested from the CA. Enter the crypto pki enroll command to
start the enrollment with the CA that is specified in the enrollment URL. After the certificate
is received, you see a message that shows the fingerprint of the received certificate. This
fingerprint should also be verified out-of-band.
The specified CA has to support Simple Certificate Enrollment Protocol (SCEP), which is
used for the enrollment. Any CA can be used; therefore, the required configuration steps
at the CA vary. Example 16-3 shows the configuration of a Cisco IOS router that acts as
a CA.
Example 16-3 Cisco IOS Router Configuration Acting as a CA
ip http server
crypto pki server ios-ca
 grant auto
 no shutdown
NOTE The enrollment URL for a Cisco IOS CA is http://<IP of Cisco IOS router>:80.
The Cisco IOS CA can run on the same router that is configured with the secure
conference media resource.
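An added Python helper (not from the original text or from Cisco) for the out-of-band fingerprint checks in this step and in Step 4: it computes the SHA-1 fingerprint of a .pem file the way openssl does (a hash over the DER bytes) and compares it with the fingerprint string the router prints during crypto pki authenticate, tolerating the colon-separated and the space-grouped notations. The sample PEM is constructed and wraps the bytes "abc"; it is not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: a PEM wrapper around the bytes b"abc" (NOT a real
# certificate; a real CUCM .pem download carries a DER-encoded X.509 cert).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(pem_text, algo="sha1"):
    """Hash of the DER bytes, in the colon-separated form openssl prints."""
    digest = hashlib.new(algo, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(shown):
    """Keep only whole hex groups, so 'Fingerprint SHA1: A9993E36 4706816A ...'
    (IOS style) and 'A9:99:3E:36:...' (openssl style) compare equal."""
    return "".join(re.findall(r"\b[0-9A-Fa-f]{2,}\b", shown)).upper()


def matches(pem_text, shown_by_router, algo="sha1"):
    """True when the router's displayed fingerprint equals the file's fingerprint."""
    return normalize(fingerprint(pem_text, algo)) == normalize(shown_by_router)
```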
Step 2: Configure a Secure Conference Media Resource at the Cisco IOS Router
Example 16-4 shows the configuration of a secure conference media resource at the Cisco
IOS router.
Example 16-4 Step 2: Configure a Secure Conference Media Resource at the Cisco IOS Router
!
voice-card 0
 dspfarm
 dsp services dspfarm
!
sccp local Loopback0
sccp ccm 10.1.1.1 identifier 1 version 6.0
sccp
!
sccp ccm group 1
 associate ccm 1 priority 1
 associate profile 1 register secure-cfb
!
dspfarm profile 1 conference security
 trustpoint secure-cfb-tp
 codec g711ulaw
 maximum sessions 2
 associate application SCCP
 no shutdown
This step differs from configuring a nonsecure conference bridge only in that you have
to add the keyword security to the dspfarm profile command. You also must refer to the
obtained certificate by specifying the corresponding name in the trustpoint command,
which is entered under the dspfarm profile command.
The remaining configuration is identical to the configuration of a nonsecure conference
media resource.
Step 3: Export the CUCM Certificate
To export the CUCM certificate, as shown in Figure 16-29, in CUCM Operating System
Administration choose Security > Certificate Management and click Find.
From the list of certificates, download the Cisco CallManager certificate in .pem format by
clicking the Cisco CallManager .pem link. A download window opens; save the certificate
file on your PC.
NOTE This procedure must be performed for each Cisco Unified Communications
server with which the secure conference bridge can register. These servers are specified
in the associate ccm command under the sccp ccm group command. For each server, a
different trustpoint name has to be used.
Figure 16-29 Step 3: Export CUCM Certificate(s)
Step 4: Add CUCM Certificates to a Cisco IOS Router
Next you add the previously exported certificate to the Cisco IOS router, as shown in
Example 16-5.
Example 16-5 Step 4: Add the CUCM Certificate(s) to a Cisco IOS Router
!
crypto pki trustpoint CUCM1-1
 enrollment terminal
 revocation-check none
!
crypto pki authenticate CUCM1-1
At the Cisco IOS router where you set up the secure conference media resource, in global
configuration mode, enter the commands shown in Example 16-5. You are prompted to paste
the certificate into the CLI. You can do this by opening the previously downloaded file
(see Step 3) in a text editor, copying its content, and then pasting it into the router.
NOTE This procedure has to be performed for each Cisco Unified Communications
server with which the secure conference bridge can register. These servers are specified
in the associate ccm command under the sccp ccm group command. For each server, a
different trustpoint name must be used.
Step 5: Export the CA Certificate
Next you export the certificate of the CA that issued the certificate to the secure conference
media resource at the Cisco IOS router that will provide the conference media resource.
Enter the following command in global configuration mode:
crypto pki export name-of-trustpoint pem terminal
For example:
crypto pki export secure-cfb-tp pem terminal
NOTE Enter the name of the trustpoint that was specified during enrollment (see
Step 1).
After you enter the crypto pki export command, the router displays the certificate chain
of the specified trustpoint. In other words, it displays the certificate of the trustpoint (the
certificate that is used by the secure conference media resource) and the certificate chain of
the CA that issued the certificate of the trustpoint.
The .pem-formatted certificates are displayed as base64 text (and therefore are not
human-readable). Select the text of the displayed certificate of the CA, and copy it into a
text editor. Then save it as a file.
Step 6: Add the CA Certificate to CUCM(s)
In this step, you upload the previously exported CA certificate to the CUCM(s). As shown
in Figure 16-30, in Cisco Unified Operating System Administration choose Security >
Certificate Management and click Upload Certificate.
Choose CallManager-trust for the Certificate Name to indicate that the certificate that will
be uploaded is a certificate that the Cisco CallManager service should trust.
Click Browse and specify the location of the previously saved file that contains the
certificate of the CA that issued the certificate to the secure conference media resource.
Click Upload File to upload the file to the CUCM server.
NOTE This procedure has to be performed for each Cisco Unified Communications
server with which the secure conference bridge can register. These servers are specified
in the associate ccm command under the sccp ccm group command. For each server, a
different trustpoint name must be used.
Figure 16-30 Step 6: Add the CA Certificate to CUCM(s)
Step 7: Configure a Secure Conference in CUCM
To configure the secure conference media resource in CUCM Administration, as shown in
Figure 16-31, choose Media Resources > Conference Bridge and click Add New.
Figure 16-31 Step 7: Configure a Secure Conference in CUCM
Choose Cisco IOS Enhanced Conference Bridge for the Conference Bridge Type. Enter
the name that was specified for the secure conference media resource at the Cisco IOS
router in the associate profile command under the sccp ccm group command (see Step 2).
NOTE The Conference Bridge Name is case-sensitive.
Enter a description, and assign the appropriate device pool and location.
For the Device Security Mode, choose Encrypted Conference Bridge and click Save.
Step 8: Set the Minimum Security Level for Meet-Me Conferences
Figure 16-32 shows how to configure a minimum security level for Meet-Me conferences
in CUCM Administration. Choose Call Routing > Meet-Me Number/Pattern and click
Add New, or choose an existing Meet-Me.
Figure 16-32 Step 8: Set the Minimum Security Level for Meet-Me Conferences
In the Meet-Me Number Configuration window, you set the minimum level that is enforced
for the Meet-Me conference using the Minimum Security Level parameter. The three
possible values are Non-Secure, Authenticated, and Encrypted.
NOTE Because the minimum security level is set for each Meet-Me number, you can
configure a separate Meet-Me number for each security level. Inform users which Meet-Me
number they have to use to get a certain minimum security level.

1 comments:

Unknown said...

After a long time I got something fresh and quality content on a related topic. I searched a lot for related material but got almost replica work. Keep it up! It is really very informative. I also require more details about CCIE Security; please post ASAP.
