Network Bulls
www.networkbulls.com

An IP Phone loading a new configuration verifies the signature on the configuration file before applying it.
To do so, the IP Phone needs the public key of the TFTP server. Because the public key of
the TFTP server is different for every installation, it cannot be embedded in the firmware
of the IP Phone; the phone learns it from the TFTP server certificate in the CTL. Therefore, phones require a CTL to use this feature.
432 Chapter 16: Implementing Security in CUCM
The configuration files are signed by the Cisco TFTP server with its private key, as shown
in Figure 16-13.
Figure 16-13 Signed IP Phone Configuration Files
NOTE When the cluster is enabled for security, phone configuration files are automatically
signed for all IP Phones that have a certificate. Cisco Unified IP Phones 7940 and
7960 that run SIP receive signed configuration files. However, these phones do not verify
the signature of the configuration file.
Encrypted Configuration Files
Encryption of phone configuration files is a CUCM feature that protects privileged information
in the configuration file in transit from the CUCM TFTP server to the phone. The
configuration file contains information that many organizations might deem sensitive, such
as SIP digest authentication credentials, username and password, and the IP addresses for
the CUCM, TFTP server, Domain Name System (DNS) server, and so on.
Encrypted configuration files are available on all Cisco PKI-enabled SIP phones, the Cisco
Unified IP Phone 7905 and Cisco Unified IP Phone 7912 SIP phones, and the following SCCP
phones: Cisco Unified IP Phone 797[015], 796[125], 794[125], 7931, 7911, and 7906
models.
NOTE The Cisco Unified IP Phone 7931 model does not support SIP. Also, the 7905
and 7912 phones have reached end-of-sale status.
Signed and Encrypted Configuration Files 433
Obtaining Phone Encrypted Configuration Files
The manner in which phones obtain encrypted configuration files depends on whether the
phone has a certificate.
First, the CUCM TFTP server uses a symmetric encryption algorithm to encrypt the
configuration file.
If the receiving IP Phone has a certificate, the CUCM TFTP server encrypts the key that it
used for the symmetric encryption of the configuration file content with the public key of
the IP Phone. This asymmetrically encrypted key is appended to the configuration file that
now contains both the symmetrically encrypted phone configuration and the asymmetrically
encrypted key that was used to encrypt the phone configuration. The receiving phone uses
its private key and decrypts the symmetrically encrypted key that was attached to the
configuration file. Now the phone can decrypt its configuration, because it knows the
symmetric key that was used for the encryption.
If the receiving IP Phone does not have a certificate, the CUCM TFTP server makes the
symmetrically encrypted configuration file available for download. The receiving phone
needs to know the key that was used for the encryption. Because it cannot be appended to
the configuration file in a secure way (it cannot be asymmetrically encrypted because the
phone does not have a certificate), the administrator must enter the key into the phone
manually.
Cisco Unified IP Phone 7940 and 7960 models do not support the Cisco PKI in SIP mode,
and Cisco Unified IP Phone 7905 and 7912 models do not support the Cisco PKI at all. All
four models support encrypted configuration files only in SIP mode but not when they are
being used with SCCP.
When these phones are used with SIP and enable encrypted configuration files, the phone
configuration file encryption key must be manually entered into each phone.
The Cisco Unified IP Phone 7905 and 7912 models have a writable web server, so the phone
configuration file encryption key that the CUCM TFTP server uses can be copied and
pasted to the phone over a web interface.
The Cisco Unified IP Phone 7940 and 7960 models have a read-only web server, so using
the web interface is not an option. The keys have to be entered manually using the phone
keypad.
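The following Go program is an added example, not code from the book or from Cisco. It models the two mechanisms described above end to end: the TFTP server signs the file with its private key and the phone verifies that signature with the TFTP server key it learned from the CTL, refusing the file on any mismatch (the ".enc.sgn" case: encrypt, then sign); and the configuration is encrypted with a symmetric key that is either wrapped with the phone's public key when the phone has a certificate, or, for a phone without one (7905, 7912, or 7940/7960 running SIP), handed to the administrator for manual entry. The concrete algorithms (AES-256-GCM, RSA-OAEP, RSA PKCS#1 v1.5 with SHA-256), the container layout, the sample configuration content and the function names are all assumptions of this example; the page does not describe Cisco's actual on-the-wire format.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Constructed sample file (not a real phone's configuration) with the kind of
// privileged data the text says the file holds.
const sampleConfig = `<device><sipDigest user="1001" password="s3cret"/><tftp>10.1.1.5</tftp></device>`
const nonceLen = 12 // standard AES-GCM nonce size

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length fails here, which would be a programming error
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// buildEncryptedConfig plays the CUCM TFTP server: AES-256-GCM-encrypt cfg under a fresh key,
// wrap that key with the phone's RSA public key when it has a certificate (phonePub != nil),
// then sign the result with the TFTP server's private key (".enc.sgn": encrypt, then sign).
// Layout (this example's own): [2-byte wrapped-key len][wrapped key][nonce][ciphertext][sig].
// Without a certificate the wrapped chunk is empty and the key is returned for manual entry.
func buildEncryptedConfig(cfg []byte, phonePub *rsa.PublicKey, tftpPriv *rsa.PrivateKey) (blob, manualKey []byte, err error) {
	kn := make([]byte, 32+nonceLen) // fresh key and nonce from one random read
	if _, err = rand.Read(kn); err != nil {
		return nil, nil, err
	}
	key, nonce := kn[:32], kn[32:]
	var wrapped []byte
	if phonePub == nil {
		manualKey = key // nothing to wrap the key with: hand it to the administrator
	} else if wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, phonePub, key, nil); err != nil {
		return nil, nil, err
	}
	blob = append(blob, byte(len(wrapped)>>8), byte(len(wrapped)))
	blob = append(append(blob, wrapped...), nonce...)
	blob = mustGCM(key).Seal(blob, nonce, cfg, nil) // appends ciphertext and GCM tag
	digest := sha256.Sum256(blob)
	sig, err := rsa.SignPKCS1v15(rand.Reader, tftpPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, nil, err
	}
	return append(blob, sig...), manualKey, nil
}

// openEncryptedConfig plays the phone: verify the TFTP server's signature with the public
// key learned from the CTL and reject the file on any mismatch, then recover the AES key by
// unwrapping it with the phone's own private key or, without a certificate, from manualKey.
func openEncryptedConfig(blob []byte, tftpPub *rsa.PublicKey, phonePriv *rsa.PrivateKey, manualKey []byte) (cfg []byte, err error) {
	sigLen := tftpPub.Size()
	if len(blob) < sigLen+2+nonceLen {
		return nil, errors.New("truncated configuration file")
	}
	body, sig := blob[:len(blob)-sigLen], blob[len(blob)-sigLen:]
	digest := sha256.Sum256(body)
	if rsa.VerifyPKCS1v15(tftpPub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature check failed, configuration rejected")
	}
	wlen := int(body[0])<<8 | int(body[1])
	if len(body) < 2+wlen+nonceLen {
		return nil, errors.New("truncated configuration file")
	}
	wrapped, nonce, ct := body[2:2+wlen], body[2+wlen:2+wlen+nonceLen], body[2+wlen+nonceLen:]
	key := manualKey
	if wlen > 0 && phonePriv != nil {
		if key, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, phonePriv, wrapped, nil); err != nil {
			return nil, err
		}
	}
	if key == nil {
		return nil, errors.New("no key: phone has no certificate and no key was entered")
	}
	return mustGCM(key).Open(nil, nonce, ct, nil) // also fails if nonce or ciphertext changed
}

// roundTrip runs both sides. withCert=false models a phone without a certificate (7905/7912,
// or 7940/7960 on SIP) relying on the manually entered key; tamper flips a signed byte.
func roundTrip(withCert, tamper bool) (string, error) {
	tftpKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	phoneKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return "", errors.New("key generation failed")
	}
	var phonePub *rsa.PublicKey
	if withCert {
		phonePub = &phoneKey.PublicKey
	} else {
		phoneKey = nil // no certificate means no key pair to unwrap with
	}
	blob, manualKey, err := buildEncryptedConfig([]byte(sampleConfig), phonePub, tftpKey)
	if err != nil {
		return "", err
	}
	if tamper {
		blob[len(blob)-tftpKey.Size()-1] ^= 1 // the phone must now refuse the file
	}
	cfg, err := openEncryptedConfig(blob, &tftpKey.PublicKey, phoneKey, manualKey)
	return string(cfg), err
}
```

roundTrip(true, false) and roundTrip(false, false) both return the plaintext configuration; roundTrip(true, true) returns a signature error, because the altered byte lies inside the signed region, and a phone that has neither a certificate nor a manually entered key gets a "no key" error rather than a silent failure. The order matters: the signature is checked before any key is unwrapped, so an unsigned or altered file is discarded without the phone performing a private-key operation on attacker-controlled data.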
Configuring Encrypted Configuration Files
To encrypt phone configuration files, follow these steps:
Step 1 Verify that the cluster security mode is set to Secure.
Step 2 Create a new Phone Security Profile, and check the TFTP Encrypted
Config check box.
Step 3 Apply the phone security profile to the phone(s). For phones that do not
have certificates, set a symmetric configuration file encryption key in the
Phone Configuration window.
Step 4 Enter the symmetric configuration file encryption key into phones that do
not have certificates. Use the key that you configured in the Phone
configuration window of the corresponding phone.
The encrypted phone configuration file uses the following filename format, depending on the phone
model (MAC is the MAC address of the phone):
• Cisco Unified IP Phone 7905 and 7912 (SIP): LDMAC.x
• Cisco Unified IP Phone 7940 and 7960 (SIP): SIPMAC.cnf.enc.sgn
• Cisco Unified IP Phone 797[015], 796[125], 794[125], and 7911 (SIP):
SIPMAC.cnf.xml.enc.sgn
• Cisco Unified IP Phone 797[015], 796[0125], 794[0125], 7931 (SCCP only),
and 7911 (SCCP): SEPMAC.cnf.xml.enc.sgn
Phone Security Profiles
Phone security profiles are used to apply common security settings to one or more phones.
To configure phone security profiles, choose Cisco Unified CM Administration > System
> Security Profile > Phone Security Profile, as shown in Figure 16-14.
You can configure the following security features in a phone security profile:
• Encrypted configuration files: This feature can be enabled only in a phone security
profile; it cannot be enabled individually in the Phone Configuration window.
• Device Security Mode: This feature (which is discussed later) can be enabled only in
a phone security profile; it cannot be enabled individually in the Phone Configuration
window.
• CAPF Authentication Mode and CAPF Key Size: These two settings can be configured
in the phone security profile as well as in the Phone Configuration window. The
setting of the phone configuration has higher priority.
NOTE CAPF settings also can be configured directly in the IP Phone Configuration
window.
Figure 16-14 Phone Security Profiles
Default SCCP Phone Security Profiles
CUCM has a number of default phone security profiles with nonsecure configurations, as
shown in Figure 16-15.
Figure 16-15 Default Phone Security Profiles
The figure shows a list of default SCCP phone security profiles. One profile exists per
phone model and supported protocol. Default security profiles are named in the form Device -
Standard Protocol Non-Secure Profile, where Protocol is SIP or SCCP. These profiles cannot be modified or
deleted. If nondefault settings are required, new security profiles must be created. You can
create them from scratch or by copying and modifying a standard security profile.
Configuring TFTP Encrypted Configuration Files
To enable configuration file encryption for a phone, as shown in Figure 16-16, check
the TFTP Encrypted Config check box in a phone security profile, and apply this phone
security profile to the phone.
Figure 16-16 Configuring TFTP Encrypted Configuration Files
For phones that do not have a certificate (the Cisco Unified IP Phones 7905, 7912, 7940
[SIP], and 7960 [SIP]), a symmetric key, which is used to encrypt the configuration file, has
to be entered as shown in the bottom right of Figure 16-16. On these IP Phones, the same
key has to be manually entered into the phone.
