Cisco Unified Communications Manager Security Guide, Release 8.5(1)
Security by Default

Table Of Contents

Security by Default

Overview

Trust Verification Service

TVS Overview

Initial Trust List

ITL Files

Contents of the ITL File

ITL and CTL File Interaction

Autoregistration

Supported Cisco Unified IP Phones

Regenerating Certificates

Regenerating the CAPF Certificate

Regenerating a TVS Certificate

Regenerating a TFTP Certificate

Backing Up the System after Regenerating the TFTP Certificate

Upgrading from Cisco Unified Communications Manager Release 7.x to Release 8.0

Rolling Back the Cluster to a Pre-8.0 Release

Switching Back to Release 8.0


Security by Default


This section contains the following topics:

Overview

Trust Verification Service

Initial Trust List

Autoregistration

Supported Cisco Unified IP Phones

Regenerating Certificates

Backing Up the System after Regenerating the TFTP Certificate

Upgrading from Cisco Unified Communications Manager Release 7.x to Release 8.0

Rolling Back the Cluster to a Pre-8.0 Release

Overview

Security by Default provides the following automatic security features for Cisco Unified IP Phones:

Signing of the phone configuration files.

Support for phone configuration file encryption.

https with Tomcat and other Web services (Midlets)

For Cisco Unified Communications Manager Release 8.0, these security features are provided by default without running the CTL Client.


Note Secure Signaling and Media will still require running the CTL Client and using the hardware eTokens.


Trust Verification Service

Trust Verification Service (TVS) is the main component of Security by Default. TVS enables Cisco Unified IP Phones to authenticate application servers, such as EM services, directory, and MIDlet, during HTTPS establishment.

TVS provides the following features:

Scalability—Cisco Unified IP Phone resources are not impacted by the number of certificates to trust.

Flexibility—Addition or removal of trust certificates is automatically reflected in the system.

Security by Default—Non-media and signaling security features are part of the default installation and do not require user intervention.


Note Enabling secure signaling and media requires the CTL Client.


TVS Overview

The following basic concepts describe the Trust Verification Service:

TVS runs on the Cisco Unified Communications Manager server and authenticates certificates on behalf of the Cisco Unified IP Phone.

Instead of downloading all the trusted certificates, Cisco Unified IP Phones only need to trust TVS.

The TVS certificates and a few key certificates are bundled in a new file: the Identity Trust List file (ITL).

The ITL file gets generated automatically without user intervention.

The ITL file gets downloaded by Cisco Unified IP Phones and trust flows from there.

Initial Trust List

Cisco Unified IP Phones need an Initial Trust List (ITL) to perform the following tasks:

Authenticate their configuration file signature.

Talk securely to CAPF, a prerequisite for supporting configuration file encryption.

Trust TVS (which authenticates https certificates among other functions).

If the Cisco Unified IP Phone does not have an existing CTL file, it trusts the first ITL file automatically, as it does the first CTL file. Subsequent ITL files must either be signed by the same TFTP private key, or TVS must be able to return the certificate corresponding to the signer.

If the Cisco Unified IP Phone has an existing CTL file, it uses the CTL file to authenticate the ITL file signature.

ITL Files

The ITL file contains the initial trust list. The ITL file has the same format as the CTL file and is basically a smaller, leaner version of the CTL file. The following attributes apply to the ITL file:

Unlike the CTL File, the system builds the ITL file automatically when you install the cluster, and the ITL file gets updated automatically if the contents need to be changed.

The ITL File does not require eTokens. It uses a soft eToken (the TFTP private key).

The ITL File is downloaded by Cisco Unified IP Phones at boot up time or during reset, right after downloading the CTL File (if present).

Contents of the ITL File

The ITL File contains the following certificates:

The certificate of the TFTP server. This certificate allows the phone to authenticate the ITL file signature and the phone configuration file signature.

All the TVS certificates in the cluster. These certificates allow the phone to talk to TVS securely to request certificate authentication.

The CAPF certificate. This certificate supports configuration file encryption. The CAPF certificate is not strictly required in the ITL file (TVS can authenticate it), but it simplifies the connection to CAPF.

Like the CTL File, the ITL File contains a record for each certificate. Each record contains:

A certificate.

Pre-extracted certificate fields for easy look up by the Cisco Unified IP Phone.

Certificate role (TFTP, CUCM, TFTP+CCM, CAPF, TVS, SAST)

The TFTP certificate is present in two ITL records with two different roles:

TFTP or TFTP+CCM role: to authenticate configuration file signature.

SAST role: to authenticate ITL file signature.
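The following Go program is an added illustration, not code from this guide or from Cisco, of the trust flow described in the "TVS Overview", "Initial Trust List" and "Contents of the ITL File" sections: an ITL built from records that pair a certificate with a role (the TFTP certificate appearing under both the TFTP and SAST roles), signed with the TFTP private key; a phone that trusts its first ITL automatically, accepts a later ITL only if it is signed by the key in the installed SAST record or if TVS vouches for the new signer, and checks configuration file signatures against the TFTP role record. Everything below the page's concepts is an assumption: certificates are reduced to a subject name plus an Ed25519 key, the record encoding is constructed, TVS is an in-memory set rather than an HTTPS service, and the CTL-file path (a phone that has a CTL uses it to authenticate the ITL) is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Roles an ITL record can carry (the page also lists CUCM and TFTP+CCM).
const RoleTFTP, RoleCAPF, RoleTVS, RoleSAST = "TFTP", "CAPF", "TVS", "SAST"

// Cert stands in for an X.509 certificate (hypothetical simplification):
// a subject name plus an Ed25519 public key.
type Cert struct{ Subject string; PubKey ed25519.PublicKey }
func (c Cert) id() string { return c.Subject + "|" + string(c.PubKey) }

// Record is one ITL entry; ITL is the record list plus the TFTP-key signature.
type Record struct{ Cert Cert; Role string }
type ITL struct{ Records []Record; Signature []byte }

// payload is the byte string the signature covers (constructed encoding).
func (itl *ITL) payload() []byte { return []byte(fmt.Sprintf("%+v", itl.Records)) }

// certFor returns the certificate of the first record with the given role, or an empty Cert.
func (itl *ITL) certFor(role string) Cert {
	for _, r := range itl.Records {
		if r.Role == role {
			return r.Cert
		}
	}
	return Cert{}
}

// verify checks sig over msg with c's key, rejecting a missing or malformed key.
func verify(c Cert, msg, sig []byte) bool {
	return len(c.PubKey) == ed25519.PublicKeySize && ed25519.Verify(c.PubKey, msg, sig)
}

// BuildITL assembles the records the page lists (TFTP certificate twice: TFTP role for
// configuration signatures, SAST role for the ITL signature) and signs with the TFTP key.
func BuildITL(tftpPriv ed25519.PrivateKey, tftp, capf Cert, tvs []Cert) *ITL {
	itl := &ITL{Records: []Record{{tftp, RoleTFTP}, {tftp, RoleSAST}}}
	for _, c := range tvs {
		itl.Records = append(itl.Records, Record{c, RoleTVS})
	}
	itl.Records = append(itl.Records, Record{capf, RoleCAPF})
	itl.Signature = ed25519.Sign(tftpPriv, itl.payload())
	return itl
}

// TVS models the Trust Verification Service as the set of certificates it vouches
// for; a real phone asks it over HTTPS using the TVS record of its installed ITL.
type TVS map[string]bool
func (t TVS) Add(c Cert)               { t[c.id()] = true }
func (t TVS) Authenticate(c Cert) bool { return t[c.id()] }

// Phone keeps only the ITL it currently trusts (nil before first boot).
type Phone struct{ ITL *ITL }

// AcceptITL applies the "Initial Trust List" rules for a phone with no CTL file:
// the first ITL is trusted automatically; a later one must be signed by the key in
// the installed SAST record, or TVS must vouch for the signer in the new SAST record.
func (p *Phone) AcceptITL(cand *ITL, tvs TVS) bool {
	signer := cand.certFor(RoleSAST)
	ok := p.ITL == nil ||
		verify(p.ITL.certFor(RoleSAST), cand.payload(), cand.Signature) ||
		(tvs.Authenticate(signer) && verify(signer, cand.payload(), cand.Signature))
	if ok {
		p.ITL = cand
	}
	return ok
}

// VerifyConfig checks a signed configuration file against the installed TFTP record.
func (p *Phone) VerifyConfig(config, sig []byte) bool {
	return p.ITL != nil && verify(p.ITL.certFor(RoleTFTP), config, sig)
}

func newCert(subject string) (Cert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed test key
	return Cert{subject, pub}, priv
}

// RunScenario walks one phone through first boot, an ITL rebuilt under the
// same TFTP key, and a TFTP certificate regeneration with and without TVS.
func RunScenario() map[string]bool {
	out := map[string]bool{}
	tftp, tftpPriv := newCert("tftp-node1")
	capf, _ := newCert("capf-node1")
	tvsCert, _ := newCert("tvs-node1")
	tvs, phone := TVS{}, &Phone{}
	tvs.Add(tftp)
	out["first_itl_trusted"] = phone.AcceptITL(BuildITL(tftpPriv, tftp, capf, []Cert{tvsCert}), tvs)
	cfg := []byte("constructed phone configuration file")
	out["config_sig_ok"] = phone.VerifyConfig(cfg, ed25519.Sign(tftpPriv, cfg))
	capf2, _ := newCert("capf-node1-regenerated")
	out["same_tftp_key_ok"] = phone.AcceptITL(BuildITL(tftpPriv, tftp, capf2, []Cert{tvsCert}), tvs)
	tftp2, tftpPriv2 := newCert("tftp-node1-regenerated")
	itl := BuildITL(tftpPriv2, tftp2, capf2, []Cert{tvsCert})
	out["unknown_signer_rejected"] = !phone.AcceptITL(itl, tvs)
	tvs.Add(tftp2) // TVS now knows the regenerated TFTP certificate
	out["tvs_vouched_signer_ok"] = phone.AcceptITL(itl, tvs)
	return out
}
```

The scenario is what makes the ordering notes in "Regenerating Certificates" matter: once the TFTP certificate changes, a phone's installed SAST record no longer matches the new signer, and the only remaining path is TVS vouching for the new TFTP certificate through a TVS record the phone still trusts. If the TVS and TFTP certificates both change at once, neither path is available, which is the case the Notes describe as requiring the ITL file to be deleted from every phone by hand.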

ITL and CTL File Interaction

The Cisco Unified IP Phone still relies on the CTL file to know the cluster security mode (nonsecure or mixed mode). The CTL File tracks the cluster security mode by including the Cisco Unified Communications Manager certificate in the Cisco Unified Communications Manager record.

The ITL File also contains the cluster security mode indication.

Autoregistration

If the cluster is in nonsecure mode, the system supports autoregistration. The default configuration file will also be signed. Cisco Unified IP Phones that do not support Security by Default will be served a nonsigned default configuration file.


Note In mixed mode, the system does not support autoregistration.


Supported Cisco Unified IP Phones

You can obtain a list of the Cisco Unified IP Phones that support security by default by using Cisco Unified Reporting. To use Cisco Unified Reporting, follow this procedure:

Procedure


Step 1 From the Cisco Unified Reporting main window, click System Reports.

Step 2 From the System Reports list, click Unified CM Phone Feature List.

Step 3 Choose the appropriate feature from the Feature pull-down menu.

Step 4 Click Submit.


For more information about using Cisco Unified Reporting, see the Cisco Unified Reporting Administration Guide.

Regenerating Certificates

If you regenerate one of the Cisco Unified Communications Manager certificates, you must perform the steps in this section.

Regenerating the CAPF Certificate

To regenerate the CAPF certificate, perform the following steps:

 
Step 1 Regenerate the CAPF certificate.

Additional information: See Chapter 6, "Security," in the Cisco Unified Communications Operating System Administration Guide.

Step 2 Restart the CAPF service.

Additional information: See the "Activating the Certificate Authority Proxy Function Service" section in the Cisco Unified Communications Manager Security Guide.

Step 3 Restart the TFTP service on the servers on which it is currently running.

Additional information: See the "Restart the Cisco TFTP Service on the TFTP Servers" section.

Step 4 Reset the Cisco Unified IP Phones.

Additional information: See the "Reset all Cisco Unified IP Phones" section.

Regenerating a TVS Certificate

To regenerate a TVS certificate, perform the following steps:


Note If you regenerate all the TVS certificates in the cluster, you can perform these steps after you regenerate all the certificates.



Note If both the TVS and TFTP certificates are regenerated, always perform these steps before regenerating the TFTP certificate. You might need to manually delete the ITL File from all Cisco Unified IP Phones if you do not follow this procedure.


 
Step 1 Regenerate the TVS certificate.

Additional information: See Chapter 6, "Security," in the Cisco Unified Communications Operating System Administration Guide.

Step 2 Restart the TFTP service on the servers on which it is currently running.

Additional information: See the "Restart the Cisco TFTP Service on the TFTP Servers" section.

Step 3 Reset the Cisco Unified IP Phones.

Additional information: See the "Reset all Cisco Unified IP Phones" section.

Regenerating a TFTP Certificate

To regenerate a TFTP certificate, follow these steps:


Note If you regenerate all the TFTP certificates in the cluster, you can perform these steps after you regenerate all the certificates.



Note If both the TFTP and TVS certificates are regenerated, always perform these steps before regenerating the TVS certificate. You might need to manually delete the ITL File from all Cisco Unified IP Phones if you do not follow this procedure.


 
Step 1 Regenerate the TFTP certificate.

Additional information: See Chapter 6, "Security," in the Cisco Unified Communications Operating System Administration Guide.

Step 2 If your cluster is in mixed mode, run the CTL client.

Additional information: See Chapter 4, "Configuring the CTL Client," in the Cisco Unified Communications Manager Security Guide.

Step 3 Restart the Cisco TFTP service on the servers on which it is currently running.

Additional information: See the "Restart the Cisco TFTP Service on the TFTP Servers" section.

Step 4 If your cluster is in mixed mode, restart the following services if they had been started:

Cisco CallManager

Cisco CTL Provider

Cisco CTL Manager

Additional information: See Chapter 11, "Configuring Services," in the Cisco Unified Serviceability Administration Guide.

Step 5 Reset the Cisco Unified IP Phones.

Additional information: See the "Reset all Cisco Unified IP Phones" section.

Step 6 If the cluster is part of an EMCC deployment, repeat the steps for bulk certificate provisioning.

Additional information: See Chapter 6, "Security," in the Cisco Unified Communications Operating System Administration Guide.

Backing Up the System after Regenerating the TFTP Certificate

The trust anchor for the ITL file is a software entity: the TFTP private key. If the server crashes, the key is lost, and phones will not be able to validate a new ITL file.

In Cisco Unified Communications Manager Release 8.0, the TFTP certificate and private key both get backed up by the Disaster Recovery System. The system encrypts the backup package to keep the private key secret. If the server crashes, the previous certificates and keys will be restored.

Whenever the TFTP certificate gets regenerated, you must create a new system backup. For backup procedures, see the Disaster Recovery System Administration Guide.

Upgrading from Cisco Unified Communications Manager Release 7.x to Release 8.0

To upgrade your cluster from Release 7.x to Release 8.0, follow this procedure:

Procedure

Step 1 Follow the normal procedure for upgrading a cluster. For more information, see Chapter 7, "Software Upgrades," in the Cisco Unified Communications Operating System Administration Guide.


Tip After you finish upgrading all nodes in the cluster to Cisco Unified Communications Manager Release 8.0, you must also follow all the steps in this procedure to ensure that your Cisco Unified IP Phones register with the system.


Step 2 If you are running one of the following releases in mixed mode, you must run the CTL client:

Cisco Unified Communications Manager Release 7.1(2)

All regular releases of 7.1(2)

All ES releases of 712 prior to 007.001(002.32016.001)

Cisco Unified Communications Manager Release 7.1(3)

All regular releases of 713 prior to 007.001(003.21900.003) = 7.1(3a)su1a

All ES releases of 713 prior to 007.001(003.21005.001)


Note For more information about running the CTL client, see Chapter 4, "Configuring the CTL Client," in the Cisco Unified Communications Manager Security Guide.


Restart the Cisco TFTP Service on the TFTP Servers

Step 3 From Cisco Unified Serviceability, choose Tools > Control Center - Feature Services.

The Control Center - Feature Services window displays.

Step 4 Restart the Cisco Tftp service on each node on which it is active.

Step 5 Wait five minutes for TFTP to rebuild the files.

Reset all Cisco Unified IP Phones


Note You must reset all the Cisco Unified IP Phones in the cluster to ensure that the phones have the most current configuration.


Step 6 From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.

The Enterprise Parameters Configuration window displays.

Step 7 Click Reset.

Step 8 Wait ten minutes for the Cisco Unified IP Phones to register with Cisco Unified Communications Manager.

Back Up Your Cluster


Caution You must back up your cluster using the Disaster Recovery System (DRS) to be able to recover the cluster.

Step 9 To back up your cluster using DRS, see the Disaster Recovery System Administration Guide.


Rolling Back the Cluster to a Pre-8.0 Release

Before you roll back a cluster to a pre-8.0 release of Cisco Unified Communications Manager, you must prepare the cluster for rollback using the Prepare Cluster for Rollback to pre-8.0 enterprise parameter.


Caution If a cluster is downgraded to a pre-8.0 release of Cisco Unified Communications Manager without preparing it for rollback, Cisco Unified IP Phones that use Security by Default will be in a loop requesting the CTL, ITL, and signed configuration files while they try to register with Cisco Unified Communications Manager. Cisco Unified IP Phones in this state will not recognize any changes you make to their configuration files, and you may need to manually delete the ITL file on each Cisco Unified IP Phone in the system.

To prepare the cluster for rollback, follow this procedure on each server in the cluster:

Procedure


Step 1 From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.

The Enterprise Parameters Configuration window displays.

Set the Prepare Cluster for Rollback to pre-8.0 enterprise parameter to True.


Note Enable this parameter only if you are preparing to roll back your cluster to a pre-8.0 release of Cisco Unified Communications Manager. Phone services that use https (for example, extension mobility) will not work while this parameter is enabled. However, users will be able to continue making and receiving basic phone calls while this parameter is enabled.


Restart the Cisco Trust Verification Service on all Nodes


Note You must restart services in the order that is specified in this procedure.


Step 2 From Cisco Unified Serviceability, choose Tools > Control Center - Network Services.

The Control Center - Network Services window displays.

Step 3 To restart the Cisco Trust Verification Service, click the Restart button at the bottom of the window.

Step 4 Restart the Cisco Trust Verification Service on all nodes in the cluster.

Restart the Cisco TFTP Service on the TFTP Servers

Step 5 From Cisco Unified Serviceability, choose Tools > Control Center - Feature Services.

The Control Center - Feature Services window displays.

Step 6 Restart the Cisco Tftp service on each node on which it is active.

Step 7 Wait five minutes for TFTP to rebuild the files.

Reset all Cisco Unified IP Phones


Note You must reset all the Cisco Unified IP Phones in the cluster to ensure that the phones have the most current configuration.


Step 8 From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.

The Enterprise Parameters Configuration window displays.

Step 9 Click Reset.

Step 10 Wait ten minutes for the Cisco Unified IP Phones to register with Cisco Unified Communications Manager.

Revert the Cluster to the Previous Release

Step 11 Revert each server in the cluster to the previous release. For more information about reverting a cluster to a previous version, see Chapter 7, "Software Upgrades" in the Cisco Unified Communications Operating System Administration Guide.

Step 12 Wait until the cluster finishes switching to the previous version.

Step 13 If you are running one of the following releases in mixed mode, you must run the CTL client:

Cisco Unified Communications Manager Release 7.1(2)

All regular releases of 7.1(2)

All ES releases of 712 prior to 007.001(002.32016.001)

Cisco Unified Communications Manager Release 7.1(3)

All regular releases of 713 prior to 007.001(003.21900.003) = 7.1(3a)su1a

All ES releases of 713 prior to 007.001(003.21005.001)


Note For more information about running the CTL client, see Chapter 4, "Configuring the CTL Client," in the Cisco Unified Communications Manager Security Guide.


Restart the Cisco TFTP Service on the TFTP Servers

Step 14 From Cisco Unified Serviceability, choose Tools > Control Center - Feature Services.

The Control Center - Feature Services window displays.

Step 15 Restart the Cisco Tftp service on each node on which it is active.

Step 16 Wait five minutes for TFTP to rebuild the files.

Reset all Cisco Unified IP Phones

Step 17 From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.

The Enterprise Parameters Configuration window displays.

Step 18 Click Reset.

Step 19 Wait ten minutes for the Cisco Unified IP Phones to register with Cisco Unified Communications Manager.


Switching Back to Release 8.0

If you decide to switch back to the Release 8.0 partition after you revert the cluster to Release 7.x, follow the procedure in this section.

Procedure


Step 1 Follow the procedure for switching the cluster back to the inactive partition. For more information, see the Cisco Unified Communications Operating System Administration Guide.

Step 2 From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.

The Enterprise Parameters Configuration window displays.

Set the Prepare Cluster for Rollback to pre-8.0 enterprise parameter to False.

Step 3 If you were running one of the following releases in mixed mode, you must run the CTL client:

Cisco Unified Communications Manager Release 7.1(2)

All regular releases of 7.1(2)

All ES releases of 712 prior to 007.001(002.32016.001)

Cisco Unified Communications Manager Release 7.1(3)

All regular releases of 713 prior to 007.001(003.21900.003) = 7.1(3a)su1a

All ES releases of 713 prior to 007.001(003.21005.001)


Note For more information about running the CTL client, see Chapter 4, "Configuring the CTL Client," in the Cisco Unified Communications Manager Security Guide.


Restart the Cisco Trust Verification Service on all Nodes


Note You must restart services in the order that is specified in this procedure.


Step 4 From Cisco Unified Serviceability, choose Tools > Control Center - Network Services.

The Control Center - Network Services window displays.

Step 5 To restart the Cisco Trust Verification Service, click the Restart button at the bottom of the window.

Step 6 Restart the Cisco Trust Verification Service on all nodes in the cluster.

Restart the Cisco TFTP Service on the TFTP Servers

Step 7 From Cisco Unified Serviceability, choose Tools > Control Center - Feature Services.

The Control Center - Feature Services window displays.

Step 8 Restart the Cisco Tftp service on each node on which it is active.

Step 9 Wait five minutes for TFTP to rebuild the files.

Reset all Cisco Unified IP Phones


Note You must reset all the Cisco Unified IP Phones in the cluster to ensure that the phones have the most current configuration.


Step 10 From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.

The Enterprise Parameters Configuration window displays.

Step 11 Click Reset.

Step 12 Wait ten minutes for the Cisco Unified IP Phones to register with Cisco Unified Communications Manager.