This document describes Cisco Unified Communications Manager (CUCM) integration with secure Telephony Service Provider (TSP).
Cisco recommends that you have knowledge of these topics:
CUCM version 11.5 and above
The information in this document is based on these software and hardware versions:
Cisco Call Manager version 11.5
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
These are the Cisco TSP components:
CiscoTSP dll - TAPI service implementation provided by CiscoTSP
CTIQBE over TCP/IP - Cisco protocol used to monitor and control devices and lines
CTI Manager Service - Manages CTI resources and connections to devices. Exposed to 3rd-party applications via Cisco TSP and/or JTAPI API
During a secure connection, CiscoTSP connects to the TFTP server in order to get the Certificate Trust List (CTL) file.
The CTL file for a standalone cluster consists of ITL recovery, call manager and Certificate Authority Proxy Function (CAPF) certificates. Then CiscoTSP, with the instance ID and authentication string provided in the CiscoTSP configuration, does a CAPF handshake.
If the handshake is successful, CiscoTSP creates the QBE certificate with the information of end user’s CAPF instance.
Note: Cisco TSP does not work with an offline CA.
Verify that you performed all the necessary tasks in order to install and configure the Cisco CTL Client. Verify that the Cluster Security Mode in the Enterprise Parameters Configuration window is 1 (mixed mode).
In order to use CAPF, you must activate the Cisco CAPF service on the first node.
Because the generation of many certificates at the same time might cause call-processing interruptions, Cisco strongly recommends that you use CAPF during a scheduled maintenance window.
Ensure that the first node is functional and running during the entire certificate operation.
Ensure that the CTI/JTAPI/TAPI application is functional during the entire certificate operation.
Create Application User:
Verify that the application or end users exist in the Standard CTI Enabled group.
In order to add an application user or end users to the Standard CTI Secure Connection user group, click the Standard CTI Secure Connection link.
In order to add an application user or end users to the Standard CTI Allow Reception of SRTP Key Material user group, click the Standard CTI Allow Reception of SRTP Key Material link as shown in the image.
Create CAPF Profile for Application User as shown in the image.
Select the user created in Step 1 (tapi).
Give any number as the instance ID.
Set the Certificate Operation to Install/Upgrade.
Download and install the TAPI Plugin from CUCM (Navigate to Application > Plugin).
Add the application user details as configured on CUCM as shown in the image.
Enter the CTI manager details as shown in the image.
Enter the same Authorization String as configured on CUCM and click Fetch Certificate. This is required the first time because the certificates have to be downloaded, as shown in the image.
Use this section in order to confirm that your configuration works properly.
In the application user CAPF Profile, the Locally Significant Certificate (LSC) must be installed successfully. The certificate operation status must not be Operation Pending, as shown in the image.
All the certificates from CUCM are downloaded to the Windows machine, in the path C:\ProgramData\Cisco\certificates\ciscotsp001, as shown in the image.
You can also verify that the CTI integration works properly with the built-in Windows Phone Dialer. If the CTI integration is successful, you can see the extensions of the phones controlled by the user, as shown in the image.
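The certificate download described above can also be checked from PowerShell on the TSP machine. This is an added example, not part of the original document or of Cisco TSP; it assumes the downloaded certificates are stored as DER or PEM encoded X.509 files, and the `$WarnDays` threshold is a hypothetical parameter.

```powershell
# Added example: inventory the certificates that Cisco TSP downloaded from CUCM.
# $CertDir is the path given in this document; $WarnDays is a hypothetical threshold.
param(
    [string]$CertDir  = 'C:\ProgramData\Cisco\certificates\ciscotsp001',
    [int]   $WarnDays = 30
)

if (-not (Test-Path -LiteralPath $CertDir -PathType Container)) {
    Write-Error "Certificate directory not found: $CertDir (Fetch Certificate may not have completed)"
    exit 1
}

$now = Get-Date
$results = foreach ($file in Get-ChildItem -LiteralPath $CertDir -File) {
    try {
        # Loads DER or PEM encoded X.509 files; any other content throws.
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
    } catch {
        # Assumption: files that are not certificates may sit in the same directory.
        Write-Verbose "Skipping $($file.Name): not an X.509 certificate"
        continue
    }
    $state = 'OK'
    if ($cert.NotAfter -lt $now) {
        $state = 'EXPIRED'
    } elseif ($cert.NotBefore -gt $now) {
        $state = 'NOT YET VALID'
    } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
        $state = 'EXPIRES SOON'
    }
    [pscustomobject]@{
        File       = $file.Name
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        State      = $state
    }
}

if (-not $results) {
    Write-Error "No X.509 certificates found in $CertDir"
    exit 1
}
$results | Sort-Object NotAfter | Format-Table -AutoSize

# List who has access to the directory the certificates are stored in.
(Get-Acl -LiteralPath $CertDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

An empty result or an `EXPIRED` state points back to the CAPF profile status on CUCM and the Fetch Certificate step.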
This section provides information you can use in order to troubleshoot your configuration.
From the application (TSP) side, set the traces to Detailed. The default trace location is C:\Temp, as shown in the image.
From the CUCM side, you need these traces:
Sample Trace from TSP
First, the TSP contacts the TFTP server in order to get the CTL file:
The CTL file for a standalone cluster consists of ITL recovery, call manager and CAPF certificates. Then CiscoTSP, with the instance ID and authentication string provided in the CiscoTSP configuration, does a CAPF handshake. If the handshake is successful, CiscoTSP creates the QBE certificate with the information of end user’s CAPF instance: