Cisco IP Phone Authentication and Encryption for Cisco CallManager 4.0(1)

Text Part Number: OL-5109-01

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R)

Cisco IP Phone Authentication and Encryption for Cisco CallManager 4.0(1)
Copyright © 2003 Cisco Systems, Inc. All rights reserved.

Contents

Preface vii

Purpose viii

Audience viii

Organization ix

Related Documentation ix

Conventions x

Obtaining Documentation x

Cisco.com xi

Documentation CD-ROM xi

Ordering Documentation xi

Documentation Feedback xii

Obtaining Technical Assistance xii

Cisco TAC Website xiii

Opening a TAC Case xiii

TAC Case Priority Definitions xiv

Obtaining Additional Publications and Information xiv

Chapter 1 Security Overview 1-1

Authentication and Encryption Terminology 1-2

System Requirements 1-4


Interactions and Restrictions 1-4

Interaction Between Cisco CallManager and the Cisco IP Phone 1-5

Restrictions 1-6

Best Practices 1-8

Resetting the Devices, Restarting Cisco CallManager Service, or Rebooting the Server/Cluster 1-9

Authentication and Encryption Installation 1-10

Configuration Checklist 1-11

Where to Find More Information 1-12

Chapter 2 Authentication, Integrity, and Encryption 2-1

Authentication and Integrity Overview 2-2

Image Authentication 2-2

Device Authentication 2-2

File Authentication 2-3

Signaling Authentication 2-3

Encryption Overview 2-5

Signaling Encryption 2-5

Media Encryption 2-6

Activating the Cisco CTL Provider Service 2-7

Configuring Ports for the TLS Connection 2-8

Installing the Cisco CTL Client 2-10

Configuring the Cisco CTL Client 2-12

Updating the CTL File 2-17

Changing the Clusterwide Security Mode 2-19

Cisco CTL Client Configuration Settings 2-20

Deleting a CTL File Entry 2-24


Configuring the Devices for Authentication or Encryption 2-25

Configuring the Security Device System Default for Supported Phone Models 2-26

Configuring the Device Security Mode for a Single Device 2-27

Using the Cisco Bulk Administration Tool to Configure the Device Security Mode 2-28

Device Security Mode Configuration Settings 2-29

Chapter 3 Certificate Authority Proxy Function 3-1

Certificate Authority Proxy Function Overview 3-2

Downloading the Certificate Authority Proxy Function 3-5

Installing the Certificate Authority Proxy Function 3-6

Upgrading Certificate Authority Proxy Function 3-7

Using CAPF to Generate Phone Certificates 3-8

Updating CAPF Settings 3-12

CAPF Settings and Commands 3-13

Installing the Locally Significant Certificate on Supported Phones 3-18

Upgrading the Locally Significant Certificate on the Phone 3-20

Deleting the Locally Significant Certificate on the Phone 3-21

Chapter 4 Phone Hardening 4-1

Disabling the Gratuitous ARP Setting 4-1

Disabling Web Access Setting 4-2

Disabling the PC Voice VLAN Access Setting 4-2

Disabling the Setting Access Setting 4-3

Disabling the PC Port Setting 4-3

Performing Phone Hardening Tasks 4-4


Chapter 5 Troubleshooting 5-1

Using Alarms 5-2

Using Microsoft Performance Monitor Counters 5-3

Reviewing the Log Files 5-3

Troubleshooting the Cisco CTL Client 5-4

Changing the Security Token Password (Etoken) 5-5

Setting the Smart Card Service to Started and Automatic 5-6

Error Messages for the Cisco CTL Client 5-7

Troubleshooting the Phone When a Problem Exists with the CTL File 5-14

Comparing CTL File Versions on the Cisco IP Phone and Server 5-17

Deleting the CTL File on the Cisco IP Phone 5-17

Deleting the CTL File on the Server 5-19

Troubleshooting If You Lose One Security Token (Etoken) 5-20

Troubleshooting If You Lose All Security Tokens (Etoken) 5-21

Verifying the Security Mode for the Cisco CallManager Cluster 5-22

Verifying or Uninstalling the Cisco CTL Client 5-23

Determining the Cisco CTL Client Version 5-24

Troubleshooting the CAPF Utility 5-24

Error Messages for the CAPF Utility 5-25

Verifying or Uninstalling the CAPF Utility 5-28

Troubleshooting If You Incorrectly Enter the Authentication String on the Phone 5-29

Troubleshooting If the Locally Significant Certificate Validation Fails 5-29

Verifying That You Installed the Locally Significant Certificate on the Phone 5-30

Index


Preface

This preface describes the purpose, audience, organization, and conventions of this guide and provides information on how to obtain related documentation.

The preface covers these topics:

• Purpose, page viii

• Audience, page viii

• Organization, page ix

• Related Documentation, page ix

• Conventions, page x

• Obtaining Documentation, page x

• Obtaining Technical Assistance, page xii


Purpose

Cisco IP Phone Authentication and Encryption for Cisco CallManager 4.0(1) helps system and phone administrators perform the following tasks:

• Configure authentication.

• Configure encryption.

• Install and configure the Certificate Authority Proxy Function (CAPF) utility.

• Install, upgrade, or delete locally significant certificates on supported Cisco IP Phone models.

• Configure phone hardening.

• Troubleshoot issues.

Audience

This guide provides a reference and procedural guide for system and phone administrators who plan to configure the security features.


Organization

Table 1 lists the major sections of this guide:

Table 1 Guide Overview

Chapter 1, “Security Overview”
    Provides an overview of security terminology, system requirements, interactions and restrictions, installation requirements, and a configuration checklist.

Chapter 2, “Authentication, Integrity, and Encryption”
    Provides an overview of the different types of authentication and encryption and describes how to configure authentication through the Cisco CTL client and Cisco CallManager Administration.

Chapter 3, “Certificate Authority Proxy Function”
    Provides an overview of Certificate Authority Proxy Function and describes how to install and configure CAPF; describes how to install locally significant certificates on supported phones.

Chapter 4, “Phone Hardening”
    Describes how to disable some phone settings in Cisco CallManager Administration to tighten security.

Chapter 5, “Troubleshooting”
    Describes how to resolve some issues that are associated with security.

Related Documentation

Refer to the following documents for further information about related Cisco IP telephony applications and products:

• Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Models 7960G and 7940G

• Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Model 7970G

• Cisco IP Phone Administrator Guide for Cisco CallManager Models 7902G, 7905G, and 7912G

• The firmware release notes that support your phone model


• Cisco IP Telephony Solution Reference Network Design Guide

• Security application notes for topics, such as toll fraud, operating system hardening, TCP/UDP ports, and so on

• Cisco Security Agent documentation that is compatible with the version of Cisco CallManager 4.0 that is installed in the cluster

• Readme documentation for Cisco-provided operating system upgrades and service releases that post to cisco.com

Conventions

Notes use the following conventions:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Tips use the following conventions:

Tip Means the following are useful tips.

Cautions use the following conventions:

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.


Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html

All users can order annual or quarterly subscriptions through the online Subscription Store:

http://www.cisco.com/go/subscription

Click Subscriptions & Promotional Materials in the left navigation bar.

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm


You can order Cisco documentation in these ways:

• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit e-mail comments about technical documentation to [email protected].

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.


Cisco TAC Website

The Cisco TAC website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website is located at this URL:

http://www.cisco.com/tac

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

Using the online TAC Case Open Tool is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is located at this URL:

http://www.cisco.com/tac/caseopen

For P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml


TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is “down” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

• Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

• Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

• iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

• Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

http://www.cisco.com/en/US/learning/index.html


Chapter 1

Security Overview

Implementing authentication and encryption in the Cisco CallManager system prevents identity theft of the phone/Cisco CallManager server, data tampering, and call-signaling/media-stream tampering.

To alleviate these threats, the Cisco IP telephony network establishes and maintains authenticated communication streams between the phone and the server, digitally signs files before they are transferred to the phone, and encrypts media streams and call signaling between Cisco IP Phones.

This chapter provides information on the following topics:

• Authentication and Encryption Terminology, page 1-2

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Authentication and Encryption Installation, page 1-10

• Configuration Checklist, page 1-11

• Where to Find More Information, page 1-12


Authentication and Encryption Terminology

The definitions in Table 1-1 apply when you configure authentication and encryption for your Cisco IP telephony network:

Table 1-1 Terminology

Authentication
    Process that verifies the identity of an entity.

File Authentication
    Process that validates digitally signed files that the phone downloads. The phone validates the signature to make sure that file tampering did not occur after the file creation.

Image Authentication
    Process that prevents tampering with the binary image prior to loading it on the phone.

Device Authentication
    Process that validates the identity of the device and ensures that the entity is who it claims to be.

Signaling Authentication
    Process that validates that no tampering has occurred to signaling packets during transmission; uses the Transport Layer Security protocol.

Certificate Trust List (CTL)
    List that all security-related operations require; a file that is created when you install and configure the Cisco CTL client in the Cisco CallManager cluster; contains a predefined list of trusted items that the Site Administrator Security Token (security token) signs.

Mixed Mode
    Within a cluster that you configured for security, includes devices that are configured for authentication/encryption and phones that are configured as nonsecure.

Site Administrator Security Token (security token; etoken)
    A hardware device that you insert in a USB port and that contains a certificate that the Cisco Certificate Authority issued; used for file authentication, it signs the CTL file and retrieves the private key of the certificate.

Transport Layer Security (TLS)
    Protocol that provides integrity, authentication, and encryption through the use of a configured port.

Secure Call
    Call in which all devices are authenticated and the media stream is encrypted.

Nonsecure Call
    Call in which at least one device is not authenticated or encrypted.

Integrity
    Process that ensures that data tampering has not occurred between entities.

Encryption
    Process that ensures that only the intended recipient receives and reads the data; process that translates data into ciphertext, which appears random and meaningless.

Signaling Encryption
    Process that ensures that all SCCP signaling messages that are sent between the device and the Cisco CallManager server are encrypted.

Media Encryption
    Process that ensures that the media streams between supported devices are encrypted.

Certificate Authority (CA)
    Entity that issues certificates; may be a Cisco or third-party entity.

Certificate Authority Proxy Function (CAPF)
    Process whereby supported devices can request locally significant certificates.

Locally Significant Certificate
    Certificate that is installed on the phone by using CAPF functionality; issued by a certificate authority server or CAPF.

Man-in-the-Middle Attack
    Process that allows an attacker to observe and modify the information flow between Cisco CallManager and the phone.
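As an added example that is not part of this guide or of Cisco's software, the following Go program models how the Certificate Trust List and file authentication fit together: the security token signs the trust list, the phone verifies that signature with the token key it already trusts, and then accepts a downloaded file only when a key that the CTL lists signed it. The entry layout, role names, key type, and sample file are assumptions of the model, not Cisco's CTL file format.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)
// CTLEntry is one trusted item: a server role (assumed names) and its PKIX DER public key.
type CTLEntry struct {
	Role   string // e.g. "CallManager", "TFTP", "CAPF"
	PubKey []byte
}

// CTL is the entry list plus the security token's signature over it.
type CTL struct {
	Entries   []CTLEntry
	Signature []byte
}

// SignedFile models a file the TFTP server hands to the phone.
type SignedFile struct {
	Name      string
	Body      []byte
	Signature []byte
}

// canonical gives the bytes the token signs: one "role:hexkey" line per entry.
func canonical(entries []CTLEntry) []byte {
	var buf bytes.Buffer
	for _, e := range entries {
		fmt.Fprintf(&buf, "%s:%x\n", e.Role, e.PubKey)
	}
	return buf.Bytes()
}

// fileBytes binds a file signature to both the file name and its contents.
func fileBytes(f SignedFile) []byte { return append([]byte(f.Name+"\n"), f.Body...) }
func sign(key *ecdsa.PrivateKey, data []byte) []byte {
	d := sha256.Sum256(data)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, d[:]) // error only on entropy failure
	return sig
}
func verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	d := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// BuildCTL is the administrator side: the CTL client gathers server keys, the token signs the list.
func BuildCTL(token *ecdsa.PrivateKey, entries []CTLEntry) CTL {
	return CTL{Entries: entries, Signature: sign(token, canonical(entries))}
}

// PhoneVerifyFile is the phone side: accept only if the CTL is intact and the file
// carries a valid signature by a key the CTL lists for the expected role.
func PhoneVerifyFile(tokenPub *ecdsa.PublicKey, ctl CTL, role string, f SignedFile) error {
	if !verify(tokenPub, canonical(ctl.Entries), ctl.Signature) {
		return errors.New("CTL rejected: not signed by the trusted security token")
	}
	for _, e := range ctl.Entries {
		if e.Role != role {
			continue
		}
		parsed, err := x509.ParsePKIXPublicKey(e.PubKey)
		if pub, ok := parsed.(*ecdsa.PublicKey); err == nil && ok && verify(pub, fileBytes(f), f.Signature) {
			return nil // any change to the file after signing would have failed this check
		}
	}
	return fmt.Errorf("file %q rejected: no valid signature by a %s key in the CTL", f.Name, role)
}
// Demo returns the phone's verdicts (nil = accepted) for a correctly signed file, the same file
// altered after signing, a file signed by an unlisted key, and that file after the attacker
// also appends the unlisted key to the CTL (which they cannot re-sign without the token).
func Demo() (okErr, tamperedErr, rogueErr, alteredCTLErr error) {
	token, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // security token
	tftp, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // trusted TFTP server
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // attacker-controlled key
	tftpDER, _ := x509.MarshalPKIXPublicKey(&tftp.PublicKey)
	rogueDER, _ := x509.MarshalPKIXPublicKey(&rogue.PublicKey)
	ctl := BuildCTL(token, []CTLEntry{{Role: "TFTP", PubKey: tftpDER}})
	// Constructed sample download; the name and body are illustrative only.
	good := SignedFile{Name: "phone-config.xml", Body: []byte("<securityMode>mixed</securityMode>")}
	good.Signature = sign(tftp, fileBytes(good))
	tampered := SignedFile{Name: good.Name, Body: []byte("<securityMode>nonsecure</securityMode>"), Signature: good.Signature}
	bad := SignedFile{Name: good.Name, Body: good.Body, Signature: sign(rogue, fileBytes(good))}
	altered := CTL{Entries: append(ctl.Entries, CTLEntry{Role: "TFTP", PubKey: rogueDER}), Signature: ctl.Signature}
	phone := &token.PublicKey // the phone's trust anchor
	return PhoneVerifyFile(phone, ctl, "TFTP", good), PhoneVerifyFile(phone, ctl, "TFTP", tampered),
		PhoneVerifyFile(phone, ctl, "TFTP", bad), PhoneVerifyFile(phone, altered, "TFTP", bad)
}

func main() {
	ok, tampered, rogue, altered := Demo()
	fmt.Printf("good: %v\ntampered: %v\nrogue signer: %v\naltered CTL: %v\n", ok, tampered, rogue, altered)
}
```

The last verdict is the one that matters most operationally: adding an entry to the list without the token is caught by the CTL signature check before any file signature is even examined.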


System Requirements

The following system requirements exist for authentication or encryption:

• Cisco CallManager 4.0(1) serves as the minimum requirement for each server in the cluster.

• Operating system 2000.2.5 (or later) serves as the minimum requirement for each server in the cluster. Verify that you have installed the latest operating system service release that goes with operating system 2000.2.5 (or later).

• Before you install the Cisco CTL client, verify that the workstation or server runs Windows 2000 sp3a (or later).

• The same Windows administrator username and password must exist on each server in the cluster.

Related Topics

• Interactions and Restrictions, page 1-4

• Authentication and Encryption Installation, page 1-10

• Authentication, Integrity, and Encryption, page 2-1

• Certificate Authority Proxy Function, page 3-1

• Configuration Checklist, page 1-11

• Troubleshooting, page 5-1

Interactions and Restrictions

This section contains information on the following topics:

• Interaction Between Cisco CallManager and the Cisco IP Phone, page 1-5

• Restrictions, page 1-6

• Best Practices, page 1-8

• Resetting the Devices, Restarting Cisco CallManager Service, or Rebooting the Server/Cluster, page 1-9


Interaction Between Cisco CallManager and the Cisco IP Phone

When you install Cisco CallManager 4.0(1) or later, the Cisco CallManager cluster boots up in nonsecure mode; when the phones boot up after the Cisco CallManager installation, all devices register as nonsecure with Cisco CallManager.

The Cisco CallManager installation creates a self-signed certificate on corresponding Cisco CallManager and TFTP servers. After you configure the cluster for authentication, Cisco CallManager uses this self-signed certificate to authenticate with supported Cisco IP Phones.

Note The features in this document support a limited list of Cisco IP Phone models. For the latest list of supported phones, refer to the phone administration documentation that supports Cisco CallManager 4.0(1).

Cisco CallManager supports authentication, integrity, and encryption for some Cisco IP Phone to Cisco IP Phone calls within a single cluster where no media services are used. Table 1-2 provides a list of supported features on various Cisco IP Phones.

Table 1-2 Features for Cisco IP Phones

Cisco IP Phone model 7970
    Image authentication, file authentication, device authentication, signaling encryption, media encryption, factory reset, and phone hardening, such as web server disabling

Cisco IP Phone models 7960 and 7940
    Image authentication, file authentication, device authentication, customer-site certificate installations, factory resets, and phone hardening, such as web server disabling

Cisco IP Phone models 7912, 7910, 7905G, and 7902
    Image authentication


Tip For information on unsupported scenarios, see the “Restrictions” section on page 1-6.

Note Calls can only register as secure if you configured the Cisco CallManager cluster for mixed mode and the device(s) support authentication or encryption.

Before you implement all authentication and encryption features across a widespread network, Cisco strongly recommends that you implement them in a secure lab environment and verify that the features behave as expected.

Cisco CallManager maintains the authentication and encryption status at the device level, in this case, with the Cisco IP Phone. If all phones that are involved in the call register as secure, the call status registers as secure. If one of the phones registers as nonsecure, the call registers as nonsecure, even if the phone of the caller or recipient registers as secure.

When a call is held, forwarded, or transferred, the call status may be temporarily nonsecure or unknown until the call between the parties is established.

Cisco CallManager retains the authentication and encryption status of the device when a user uses Cisco CallManager Extension Mobility. Cisco CallManager also retains the authentication and encryption status of the device when shared lines are configured.

Restrictions

Consider the following restrictions before you install and configure the authentication and encryption features:

• Auto-registration does not work when you configure the cluster for mixed mode, which is required for device authentication.

• You cannot implement signaling or media encryption if device authentication does not exist in the cluster; that is, if you do not install and configure the Cisco CTL client.


• If you use a multicluster TFTP configuration, you must configure all Cisco CallManager clusters for the same security mode through the Cisco CTL client. You must install the Cisco CTL client in each cluster and choose the same clusterwide security mode during the configuration.

Caution Ensure that the TFTP path and alternate TFTP paths for building configuration files are unique; if the paths are not unique, a TFTP server may overwrite the CTL file that the other cluster creates.

• Application Layer Gateways (ALG) that allow Voice over IP to traverse firewalls and Network Address Translation (NAT) do not work with signaling encryption. For Cisco IOS firewalls, use the UDP ALG. For NAT, route private addresses internally or use route maps; use IPSec and V3PNs for remote locations.

• Cisco CallManager supports authentication, integrity, and encryption for Cisco IP Phone to Cisco IP Phone calls within a single cluster where no media services are used. For example, Cisco CallManager 4.0(1) does not provide authentication, integrity, or encryption in the following cases:

– Computer Telephony Integration (CTI) devices; gateways; intercluster trunks; transcoders; media termination points

– Calls that are made over two different clusters

– Ad hoc or MeetMe conferences

– Music on Hold

– Session Initiation Protocol (SIP), Media Gateway Control Protocol (MGCP), and H.323 devices

– Survivable Remote Site Telephony (SRST)

– Some Cisco IP Phone models

Tip If the call is authenticated or encrypted, the Cisco IP Phone model 7970 displays an icon that indicates the call state.

For a list of supported phones, see Table 1-2, the phone administration documentation that supports this version of Cisco CallManager, or the firmware release notes that support the phone model.


Caution Do not use Terminal Services to install the Cisco CTL client or CAPF utility. Cisco installs Terminal Services, so Cisco Technical Assistance Center (TAC) can perform remote troubleshooting and configuration tasks.

Do not use Virtual Network Computing (VNC) to install or configure the Cisco CTL client. If you want to do so, you can use VNC to install the CAPF utility. Using the CAPF utility via VNC may cause high CPU utilization, so do not use VNC when you use the CAPF utility to generate certificates.

Best Practices

Cisco strongly recommends the following best practices:

• Always perform installation and configuration tasks in a secure lab environment before you deploy to a wide-scale network.

• Use the features that are described in this document in conjunction with the latest Cisco-provided operating system service releases and upgrades that are available on cisco.com.

• Use the features that are described in this document in conjunction with the Cisco Security Agent that supports this release of Cisco CallManager.

• Use the features that are described in this document with Cisco-approved, third-party security applications; for example, McAfee antivirus software.

• Use Windows native mode IPSEC for authenticated and encrypted signaling to gateways and other application servers; for example, Cisco Unity, or Cisco IP Contact Center (IPCC), or other Cisco CallManager servers.

Note This document does not describe Windows IPSEC configuration. For information on IPSEC configuration, refer to the Security Application Notes.


Resetting the Devices, Restarting Cisco CallManager Service, or Rebooting the Server/Cluster

This section describes when you need to reset the devices, restart the Cisco CallManager service in Cisco CallManager Serviceability, or when to reboot the server/cluster.

Consider the following guidelines:

• Reset a single device after you change the device security mode in Cisco CallManager Administration.

• Reset the devices if you perform phone hardening tasks.

• Reset the devices after you change the clusterwide security mode from mixed to nonsecure mode (or vice versa).

• Restart all devices after you configure the Cisco CTL client or update the CTL file.

• Restart the Cisco CallManager service after you change the clusterwide security mode from mixed to nonsecure mode (or vice versa).

• Reboot all Cisco CallManager and Cisco TFTP servers after you configure the Cisco CTL client or update the CTL file.

• Reboot the server where you installed the Cisco CTL client if you set the Smart Card service to Started and Automatic.

To restart the Cisco CallManager service, refer to the Cisco CallManager Serviceability Administration Guide.

To reset a single device after updating the configuration, see the “Configuring the Devices for Authentication or Encryption” section on page 2-25.

To reset all devices in the cluster, perform the following procedure:

Procedure

Step 1 In Cisco CallManager Administration, choose System > Cisco CallManager.

Step 2 In the pane on the left side of the window, choose a server.


Step 3 Click Reset Devices.

Step 4 Perform Step 2 and Step 3 for each server in the cluster.

Related Topics

• System Requirements, page 1-4

• Authentication, Integrity, and Encryption, page 2-1

• Certificate Authority Proxy Function, page 3-1

• Configuration Checklist, page 1-11

• Troubleshooting, page 5-1

Authentication and Encryption Installation

To obtain authentication support, you install a plugin, the Cisco CTL client, from Cisco CallManager Administration. You must install the Cisco CTL client on a single Windows 2000 server or workstation that has a USB port. If you choose to do so, you can install the client on a Cisco CallManager server that has a USB port. To install the Cisco CTL client, you must obtain at least two security tokens.

Media and signaling encryption automatically install when you install Cisco CallManager 4.0(1).

Caution Cisco recommends that you install and configure the Certificate Authority Proxy Function (CAPF) utility on the publisher database server. If you install and configure it on another server in the cluster, be aware that the utility may adversely affect Cisco CallManager performance. Use the utility during a scheduled maintenance window.

To use the CAPF utility, you must have administrative privileges on the server.

Related Topics

• Authentication, Integrity, and Encryption, page 2-1

• Certificate Authority Proxy Function, page 3-1


Configuration Checklist

To implement the features for Cisco CallManager and the Cisco IP Phone, perform the tasks that are described in Table 1-3.

Table 1-3 Configuration Checklist for Authentication and Encryption

| Configuration Steps | Related Procedures and Topics |
|---|---|
| Step 1 On each Cisco CallManager and Cisco TFTP server in the cluster, activate the Cisco CTL Provider service in Cisco CallManager Serviceability. | Activating the Cisco CTL Provider Service, page 2-7 |
| Step 2 If you do not want to use the default settings, configure ports for the TLS connection. | Configuring Ports for the TLS Connection, page 2-8 |
| Step 3 Obtain at least two security tokens and the passwords, hostnames/IP addresses, and port numbers for the servers that you will configure for the Cisco CTL client. | Configuring the Cisco CTL Client, page 2-12 |
| Step 4 Install the Cisco CTL client. | System Requirements, page 1-4; Authentication and Encryption Installation, page 1-10; Installing the Cisco CTL Client, page 2-10 |
| Step 5 Configure the Cisco CTL client. | Configuring the Cisco CTL Client, page 2-12 |
| Step 6 Install and configure the CAPF utility. | System Requirements, page 1-4; Authentication and Encryption Installation, page 1-10; Downloading the Certificate Authority Proxy Function, page 3-5; Installing the Certificate Authority Proxy Function, page 3-6; Using CAPF to Generate Phone Certificates, page 3-8 |
| Step 7 Update the Cisco CTL file with the CAPF information. Tip: You may do this step simultaneously while you use the CAPF utility. | Updating the CTL File, page 2-17 |
| Step 8 Install the locally significant certificates on supported Cisco IP Phones. | System Requirements, page 1-4; Installing the Locally Significant Certificate on Supported Phones, page 3-18 |
| Step 9 Configure supported devices for authentication or encryption. | Configuring the Devices for Authentication or Encryption, page 2-25 |
| Step 10 Perform phone-hardening tasks. | Performing Phone Hardening Tasks, page 4-4 |
| Step 11 Reset all phones in the cluster. | Resetting the Devices, Restarting Cisco CallManager Service, or Rebooting the Server/Cluster, page 1-9 |
| Step 12 Reboot all servers in the cluster. | Resetting the Devices, Restarting Cisco CallManager Service, or Rebooting the Server/Cluster, page 1-9 |

Where to Find More Information

Related Cisco Documentation

• Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Models 7960G and 7940G

• Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Model 7970G

• Cisco IP Phone Administrator Guide for Cisco CallManager Models 7902G, 7905G, and 7912G

• The firmware release notes that support the phone model

• Cisco IP Telephony Solution Reference Network Design Guide


• Security application notes for toll fraud, operating system hardening, TCP/UDP ports, and so on

• Cisco Security Agent documentation that is compatible with the version of Cisco CallManager 4.0 that is installed in the cluster

• Readme documentation for Cisco-provided operating system upgrades and service releases that post to cisco.com


Chapter 2

Authentication, Integrity, and Encryption

This chapter contains information on the following topics:

• Authentication and Integrity Overview, page 2-2

• Encryption Overview, page 2-5

• Activating the Cisco CTL Provider Service, page 2-7

• Configuring Ports for the TLS Connection, page 2-8

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Changing the Clusterwide Security Mode, page 2-19

• Cisco CTL Client Configuration Settings, page 2-20

• Deleting a CTL File Entry, page 2-24

• Configuring the Devices for Authentication or Encryption, page 2-25

• Device Security Mode Configuration Settings, page 2-29


Authentication and Integrity Overview

Integrity and authentication protect against the following threats:

• TFTP file manipulation (integrity)

• Modification of call-processing signaling between the phone and Cisco CallManager (authentication)

• Man-in-the-middle attacks (authentication), as defined in Table 1-1

• Phone and server identity theft (authentication)

Cisco CallManager supports the following types of authentication and integrity:

• Image Authentication, page 2-2

• Device Authentication, page 2-2

• File Authentication, page 2-3

• Signaling Authentication, page 2-3

Image Authentication

This process prevents tampering with the binary image, that is, the firmware load, prior to loading it on the phone. Tampering with the image causes the phone to fail the authentication process and reject the image. Image authentication occurs through signed binary files that are automatically installed when you install Cisco CallManager 4.0(1). Likewise, firmware updates that you download from the web also provide signed binary images.

For a list of devices that are supported, see the “Interactions and Restrictions” section on page 1-4.

Device Authentication

This process validates the identity of the device and ensures that the entity is who it claims to be; for a list of devices that are supported, see the “Interactions and Restrictions” section on page 1-4.

Device authentication occurs between the Cisco CallManager server and supported Cisco IP Phones when each entity accepts the certificate of the other entity; only then does a secure connection between the entities occur.


File Authentication

This process validates digitally signed files that the phone downloads; for example, the configuration, ring list, locale, and CTL files. The phone validates the signature to verify that file tampering did not occur after the file creation; for a list of devices that are supported, see the “Interactions and Restrictions” section on page 1-4.

For additional information on how file authentication works, see the “Signaling Authentication” section on page 2-3.

Signaling Authentication

This process, also known as signaling integrity, uses the TLS protocol to validate that no tampering has occurred to signaling packets during transmission.

File authentication and signaling authentication rely on the creation of the Certificate Trust List (CTL) file, which is created when you install and configure the Cisco Certificate Trust List (CTL) client on a single Windows 2000 workstation or server, perhaps a Cisco CallManager server, that has a USB port. The CTL file contains entries for the following servers or security tokens:

• Site Administrator Security Token (SAST)

• Cisco CallManager or Cisco TFTP

• Cisco CallManager and Cisco TFTP running on the same server

• Certificate Authority Proxy Function (CAPF)

• Alternate Cisco TFTP

The CTL file contains a server certificate, public key, serial number, signature, issuer name, subject name, server function, DNS name, and IP address for servers. After you create the CTL file, you must reboot all Cisco CallManager servers and all Cisco TFTP servers in the cluster. The next time that the phone initializes, it downloads the CTL file from the TFTP server. If the CTL file contains a TFTP server entry that has a self-signed certificate, the phone requests a signed configuration file in .sgn format. If none of the TFTP servers has a certificate, the phone requests an unsigned file.


The TFTP server does not sign any files if you configure the cluster for nonsecure mode. In mixed mode, the TFTP server signs static files (such as the ring list, localized files, the default .cnf.xml, and ring list .wav files) in .sgn format. The TFTP server re-signs a <device name>.cnf.xml file every time that it verifies that a data change occurred for that file.

The TFTP server writes the signed files to disk if caching is disabled. If the TFTP server verifies that a saved file has changed, the TFTP server re-signs the file, and the new file on disk replaces the previously saved file, which gets deleted. Before the phone can download the new file, the administrator must restart the affected devices in Cisco CallManager Administration.
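The CTL download and .sgn rule described above, as an added Go model that is not Cisco's code and does not reproduce the real .tlv layout: the phone requests a signed configuration only when a TFTP entry with a certificate is present in the CTL, and rejects a downloaded file whose signature does not verify against such an entry. The Ed25519 keys, server names and addresses are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// CTLEntry models one record of the Certificate Trust List (CTL) file with the
// fields the text lists: server function, names, serial number, DNS name,
// IP address and the server's public key. This is a constructed model, not
// the .tlv layout that Cisco TFTP writes.
type CTLEntry struct {
	Function    string // SAST, CCM, TFTP, CCM+TFTP, CAPF or ALT-TFTP
	SubjectName string
	IssuerName  string
	SerialNo    uint64
	DNSName     string
	IPAddress   string
	PublicKey   ed25519.PublicKey // nil models an entry without a certificate
}

// CTL is the list the phone downloads from the TFTP server when it initializes.
type CTL struct {
	Entries []CTLEntry
}

// tftpEntriesWithCertificate returns the TFTP-capable entries that carry a
// certificate; the phone asks for .sgn files only if at least one exists.
func (c CTL) tftpEntriesWithCertificate() []CTLEntry {
	var out []CTLEntry
	for _, e := range c.Entries {
		switch e.Function {
		case "TFTP", "CCM+TFTP", "ALT-TFTP":
			if e.PublicKey != nil {
				out = append(out, e)
			}
		}
	}
	return out
}

// ConfigRequestName applies the rule from the text: with a certificate-bearing
// TFTP entry in the CTL the phone requests <device>.cnf.xml.sgn, otherwise the
// unsigned <device>.cnf.xml.
func ConfigRequestName(c CTL, deviceName string) string {
	name := deviceName + ".cnf.xml"
	if len(c.tftpEntriesWithCertificate()) > 0 {
		return name + ".sgn"
	}
	return name
}

// SignedFile models a .sgn file: the file body plus the TFTP server's signature.
type SignedFile struct {
	Body      []byte
	Signature []byte
}

// SignConfig is the TFTP server side: it signs the configuration file with the
// private key that matches the certificate recorded in the CTL.
func SignConfig(priv ed25519.PrivateKey, body []byte) SignedFile {
	return SignedFile{Body: body, Signature: ed25519.Sign(priv, body)}
}

// VerifyConfig is the phone side: the signature must verify against a TFTP
// entry in the CTL; otherwise the file is rejected as tampered with or as
// coming from a server the phone does not trust.
func VerifyConfig(c CTL, f SignedFile) error {
	for _, e := range c.tftpEntriesWithCertificate() {
		if ed25519.Verify(e.PublicKey, f.Body, f.Signature) {
			return nil
		}
	}
	return errors.New("signature does not match any TFTP server in the CTL")
}

func main() {
	// Constructed sample cluster: one security token and one combined
	// Cisco CallManager/TFTP server whose key pair is generated here.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ctl := CTL{Entries: []CTLEntry{
		{Function: "SAST", SubjectName: "SAST-token-1"},
		{Function: "CCM+TFTP", SubjectName: "ccm-pub", IssuerName: "ccm-pub",
			SerialNo: 1, DNSName: "ccm-pub.example.test", IPAddress: "192.0.2.10",
			PublicKey: pub},
	}}
	body := []byte("<device><deviceProtocol>SCCP</deviceProtocol></device>")
	signed := SignConfig(priv, body)
	fmt.Println("phone requests:", ConfigRequestName(ctl, "SEP000000000001"))
	fmt.Println("untouched file:", VerifyConfig(ctl, signed))
	signed.Body[0] = '!' // alter the file after the TFTP server signed it
	fmt.Println("altered file:", VerifyConfig(ctl, signed))
}
```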

After the phone receives the files from the TFTP server, the phone verifies the integrity of the files by validating the signature on the file. For the phone to establish a TLS connection, ensure that the following criteria are met:

• A certificate must exist in the phone.

• The CTL file must exist on the phone, and the Cisco CallManager entry and certificate must exist in the file.

• You have configured the device for authentication or encryption.

When the preceding criteria are met, the phone establishes a TLS connection through the TLS SCCP port, which is the configured Cisco CallManager port number plus 443. By default, the phone connects to port 2443 by using TLS. The handshake authenticates the certificates from the server and the phone and establishes a secure connection.

Note The Cisco CallManager self-signed certificates provide server identification, including the Cisco CallManager server name and the Global Unique Identifier (GUID). On each server in the cluster, Cisco CallManager stores the certificates, which exist in DER format, in C:\Program Files\Cisco\Certificates. Administrators have read-only access to the certificates.

Cisco stores the CTL file, which exists in .tlv format, in C:\Program Files\Cisco\tftppath on the servers in the cluster where the Cisco CallManager and Cisco TFTP services run.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4


• Activating the Cisco CTL Provider Service, page 2-7

• Installing the Cisco CTL Client, page 2-10

• Cisco CTL Client Configuration Settings, page 2-20

• Configuring the Devices for Authentication or Encryption, page 2-25

• Troubleshooting, page 5-1

Encryption Overview

Tip For a list of devices that are supported, see the “System Requirements” section on page 1-4.

Encryption installs automatically when you install Cisco CallManager 4.0 on each server in the cluster.

The files from the security package install in C:\Program Files\Cisco\bin.

Cisco CallManager supports the following types of encryption:

• Signaling Encryption, page 2-5

• Media Encryption, page 2-6

Signaling Encryption

Signaling encryption ensures that all SCCP signaling messages that are sent between the device and the Cisco CallManager server are encrypted.

Signaling encryption ensures that the information that pertains to the parties, DTMF digits that are entered by the parties, call status, media encryption keys, and configuration information are protected against unintended or unauthorized access.


Tip Application Layer Gateways (ALG) that allow Voice over IP to traverse firewalls and Network Address Translation (NAT) do not work with signaling encryption. For Cisco IOS firewalls, use the UDP ALG. For NAT, route private addresses internally or use route maps; use IPSec and V3PNs for remote locations.

Media Encryption

Media encryption, which uses SRTP, ensures that the media streams between supported devices prove secure and that only the intended device receives and reads the data. Media encryption includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys while the keys are in transport.

Authentication and signaling encryption serve as the minimum requirements for media encryption; that is, if the devices do not support signaling encryption and authentication, media encryption cannot occur.

The following example demonstrates media encryption.

1. Device A and Device B, which support media encryption and authentication, register with Cisco CallManager.

2. When Device A places a call to Device B, Cisco CallManager requests two sets of media session master values from the key manager function.

3. Both devices receive the two sets, one set for the media stream, Device A—Device B, and the other set for the media stream, Device B—Device A.

4. Using the first set of master values, Device A derives the keys that encrypt and authenticate the media stream, Device A—Device B.

5. Using the second set of master values, Device A derives the keys that authenticate and decrypt the media stream, Device B—Device A.

6. Device B uses these sets in the inverse operational sequence.

7. After the devices receive the keys, the devices perform the required key derivation, and SRTP packet processing occurs.
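The seven-step exchange above, as an added Go model that is not Cisco's implementation: both devices hold the two master sets, Device A derives its sending keys from the first set and its receiving keys from the second, Device B does the inverse, and each packet is then protected SRTP-style (AES-CTR over the payload plus an 80-bit HMAC-SHA1 tag). The HMAC-SHA256 key derivation, the packet layout and the fixed master values in main are assumptions made for the illustration, not the SRTP KDF or the key manager's output.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MasterSet models one "set of media session master values" from the key
// manager function, for one direction of the media stream (constructed model).
type MasterSet struct{ Key, Salt []byte } // 16-byte key, 14-byte salt as in SRTP

// SessionKeys are what a device derives from one master set for one direction.
type SessionKeys struct{ Cipher, Auth, Salt []byte } // AES-128, HMAC-SHA1, IV salt

// derive is the key-derivation step; a labelled HMAC-SHA256 stands in for the
// AES-CM based SRTP KDF so the sequence runs on the standard library alone.
func derive(m MasterSet, label string, n int) []byte {
	h := hmac.New(sha256.New, m.Key)
	h.Write(m.Salt)
	h.Write([]byte(label))
	return h.Sum(nil)[:n]
}

// Derive turns one master set into cipher, auth and salt session keys.
func Derive(m MasterSet) SessionKeys {
	return SessionKeys{derive(m, "cipher", 16), derive(m, "auth", 20), derive(m, "salt", 16)}
}

// Device holds what an endpoint derives in steps 4 to 6: send and receive keys.
type Device struct{ Send, Recv SessionKeys }

// Endpoints applies the two sets: Device A uses the first set for A to B and
// the second for B to A; Device B uses them in the inverse order.
func Endpoints(set1, set2 MasterSet) (a, b Device) {
	return Device{Derive(set1), Derive(set2)}, Device{Derive(set2), Derive(set1)}
}

// packetIV mixes the packet sequence number into the session salt.
func packetIV(salt []byte, seq uint16) []byte {
	iv := append([]byte{}, salt...)
	iv[14] ^= byte(seq >> 8)
	iv[15] ^= byte(seq)
	return iv
}

// tag computes the 80-bit HMAC-SHA1 authentication tag that SRTP appends.
func tag(authKey, data []byte) []byte {
	h := hmac.New(sha1.New, authKey)
	h.Write(data)
	return h.Sum(nil)[:10]
}

// Protect is the sender's SRTP packet processing: header in the clear, payload
// AES-CTR encrypted, tag over header plus ciphertext.
func Protect(k SessionKeys, seq uint16, header, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Cipher)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(payload))
	cipher.NewCTR(block, packetIV(k.Salt, seq)).XORKeyStream(ct, payload)
	pkt := append(append([]byte{}, header...), ct...)
	return append(pkt, tag(k.Auth, pkt)...), nil
}

// Unprotect is the receiver's processing: authenticate first, decrypt second,
// so a modified packet or one keyed for the other direction is dropped.
func Unprotect(k SessionKeys, seq uint16, headerLen int, pkt []byte) ([]byte, error) {
	if len(pkt) < headerLen+10 {
		return nil, errors.New("packet too short")
	}
	body, got := pkt[:len(pkt)-10], pkt[len(pkt)-10:]
	if !hmac.Equal(got, tag(k.Auth, body)) {
		return nil, errors.New("authentication tag mismatch")
	}
	block, err := aes.NewCipher(k.Cipher)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-headerLen)
	cipher.NewCTR(block, packetIV(k.Salt, seq)).XORKeyStream(pt, body[headerLen:])
	return pt, nil
}

func main() {
	set1 := MasterSet{bytes.Repeat([]byte{0xA1}, 16), bytes.Repeat([]byte{0xA2}, 14)} // constructed
	set2 := MasterSet{bytes.Repeat([]byte{0xB1}, 16), bytes.Repeat([]byte{0xB2}, 14)} // constructed
	a, b := Endpoints(set1, set2)          // steps 3 to 6
	hdr := []byte{0x80, 0x00, 0x00, 0x01} // constructed RTP header
	pkt, _ := Protect(a.Send, 1, hdr, []byte("audio frame from A"))
	pt, err := Unprotect(b.Recv, 1, len(hdr), pkt)
	fmt.Printf("B reads A to B stream: %q err=%v\n", pt, err)
	_, err = Unprotect(b.Send, 1, len(hdr), pkt) // B's send keys belong to B to A
	fmt.Println("wrong direction:", err)
}
```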


Tip For a list of supported items, see the “Interactions and Restrictions” section on page 1-4.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Configuring the Devices for Authentication or Encryption, page 2-25

• Troubleshooting, page 5-1

Activating the Cisco CTL Provider Service

When you configure the Cisco CTL client, this service changes the cluster security mode from nonsecure to mixed mode (and vice versa) and transports the server certificates to the CTL file; the service then transports the CTL file to all Cisco CallManager and Cisco TFTP servers.

Tip You must activate the Cisco CTL Provider service on all servers where you have activated the Cisco CallManager or Cisco TFTP services.

Verify that the local administrator password or the Super Users account username and password are synchronized on all Cisco CallManager and Cisco TFTP servers.

To activate the service, perform the following procedure:

Procedure

Step 1 In Cisco CallManager Serviceability, choose Tools > Service Activation.

Step 2 In the pane on the left side of the window, choose a server where you have activated the Cisco CallManager or Cisco TFTP services.

Step 3 Check the CTL Provider service check box.


Step 4 Click Update.

Step 5 Perform this procedure on all servers where you have activated the Cisco CallManager or Cisco TFTP services.

Note After you activate the service, the Cisco CTL Provider service reverts to the default CTL port, which is 2444. If you want to change the port, see the “Configuring Ports for the TLS Connection” section on page 2-8.

Related Topics

• Cisco CallManager Serviceability Administration Guide

• Cisco CallManager Serviceability System Guide

• Authentication and Integrity Overview, page 2-2

• Installing the Cisco CTL Client, page 2-10

Configuring Ports for the TLS Connection

You may have to configure a different port number if the port is currently being used or if you use a firewall and you cannot use the port within the firewall.

The Cisco CTL Provider default port for the TLS connection equals 2444. The Cisco CTL Provider port monitors requests from the Cisco CTL client. This port processes Cisco CTL client requests, such as retrieving the CTL file, setting the clusterwide security mode, saving the CTL file to TFTP servers, and retrieving a list of Cisco CallManager and TFTP servers in the cluster.

The Cisco CallManager port monitors registration requests from the phone. In nonsecure mode, the phone connects through port 2000. In mixed mode, the Cisco CallManager port for the TLS connection equals the Cisco CallManager port number plus 443; therefore, with the default port of 2000, the default TLS connection for Cisco CallManager uses port 2443.


To change the default setting, perform the following procedure:

Procedure

Step 1 Perform the following tasks, depending on the port that you want to change:

• To change the Cisco CTL Provider port, perform Step 2 through Step 6.

• To change the Cisco CallManager port, perform Step 7 through Step 10.

Step 2 To change the Cisco CTL Provider port, choose Service > Service Parameters from Cisco CallManager Administration.

Step 3 Choose a server where the Cisco CTL Provider service runs.

Step 4 Choose Cisco CTL Provider service.

Tip In the upper right corner of the window, click the "i" button to review information for the service parameter.

Step 5 To change the Cisco CTL Provider port, enter the new port number in the Port Number field.

Step 6 Click Update.

Step 7 To change the Cisco CallManager port, choose System > Cisco CallManager in Cisco CallManager Administration.

Step 8 Choose a server where the Cisco CallManager service runs.

Step 9 In the Ethernet Phone Port field, enter the new port number.

Step 10 Click Update.

Related Topics

• Authentication and Integrity Overview, page 2-2

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12

• Cisco CTL Client Configuration Settings, page 2-20

• Troubleshooting, page 5-1


Installing the Cisco CTL Client

You install the Cisco CTL client on a single Windows 2000 workstation or server that has a USB port. The server or workstation can exist at a remote site. If you choose to do so, you can install the client on a server where Cisco CallManager Release 4.0 is installed.

You must use the client and update the CTL file when the following events occur:

• After the Cisco CallManager installation

• After you restore a Cisco CallManager server or Cisco CallManager data

• After you upgrade the Cisco CallManager cluster

• After you change the IP address or hostname of the Cisco CallManager server

• After you add or remove a security token, CAPF server, TFTP server, or Cisco CallManager server

Caution Do not use Terminal Services to install the client. Cisco installs Terminal Services, so Cisco Technical Assistance Center (TAC) can perform remote troubleshooting and configuration tasks.

You must disable the Cisco Security Agent (CSA) or other Cisco-approved intrusion detection or antivirus applications before you run the plugin. Failure to disable the applications may prevent the installation and result in unrecoverable errors.

Tip If the Smart Card service is not set to started and automatic on the server or workstation where you plan to install the client, the installation fails. For information on how to perform this task, see the “Troubleshooting” section on page 5-1.

To review a list of error messages that could display during the installation of the plugin, see the “Troubleshooting” section on page 5-1.


To install the Cisco CTL client, perform the following procedure:

Procedure

Step 1 Verify that the Smart Card service is set to started and automatic. For more information, see the “Setting the Smart Card Service to Started and Automatic” section on page 5-6.

Step 2 Browse to Cisco CallManager Administration from the Windows 2000 workstation or server that has the USB port; that is, the location where you plan to install the client.

Step 3 From Cisco CallManager Administration, choose Application > Install Plugins.

Step 4 To download the file, click Cisco CTL Client.

Step 5 Download the file to a location that you will remember.

Step 6 To begin the installation, double-click Cisco CTL Client (icon or executable depending on where you saved the file).

Step 7 The version of the Cisco CTL client displays; click Continue.

Step 8 The installation wizard displays. Click Next.

Step 9 Accept the license agreement and click Next.

Step 10 Choose a folder where the client will exist. If you want to do so, click Browse to change the default location; after you choose the location, click Next.

Step 11 To begin the installation, click Next.

Step 12 After the installation completes, click Finish to exit.

Tip To verify that the client installed, see the “Troubleshooting” section on page 5-1.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Authentication and Integrity Overview, page 2-2

• Setting the Smart Card Service to Started and Automatic, page 5-6


• Activating the Cisco CTL Provider Service, page 2-7

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Deleting a CTL File Entry, page 2-24

• Configuring the Devices for Authentication or Encryption, page 2-25

• Troubleshooting, page 5-1

Configuring the Cisco CTL Client

Tip Configure the Cisco CTL client during a scheduled maintenance window because you must reboot all servers in the cluster for the changes to take effect.

The Cisco CTL client performs the following tasks:

• Sets the Cisco CallManager cluster security mode.

Tip You cannot set the Cisco CallManager clusterwide mixed mode through the Enterprise Parameters window of Cisco CallManager Administration. You must configure the CTL client to set the clusterwide mode. For more information, see the “Cisco CTL Client Configuration Settings” section on page 2-20.

• Creates the Certificate Trust List (CTL), which is a file that contains certificate entries for security tokens, Cisco CallManager, alternate TFTP, and CAPF servers.

The CTL file indicates the servers that support TLS for the phone connection. The client automatically detects the Cisco CallManager and Cisco TFTP servers and adds certificate entries for these servers.

You must manually add alternate TFTP and Certificate Authority Proxy Function (CAPF) servers and Site Administrator Security Tokens (SAST) to the CTL file.

The security tokens that you insert during the configuration sign the CTL file.


Tip You can configure an alternative TFTP server, even if this server exists in a different cluster. Through manual configuration, the certificate from the alternate TFTP server gets added to the CTL file, which is written to the FileLocation path as specified in the TFTP service parameter. For a multicluster configuration, you must map the drive on the alternate TFTP server and configure the FileLocation parameter to the mapped drive. For example, if you use TFTP1 as your alternate TFTP server and you have mapped drive L: to the path on TFTP1, the FileLocation equals L:\TFTPPath. You must add the TFTP server, TFTP1, for example, by specifying a valid administrator username and password for TFTP1. The Cisco CTL client will write the CTL file to L:\TFTPPath.

Before you implement this TFTP configuration, all servers in the multicluster environment must run the same version of Cisco CallManager 4.0; be aware that all servers in the multicluster environment must run the Cisco CTL Provider service.

Caution The Cisco IP Telephony Backup and Restore System (BARS) backs up the CTL file only if the file exists in the default TFTP directory.

Before You Begin

Before you configure the Cisco CTL client, obtain at least two security tokens; the Cisco certificate authority issues these security tokens.

Obtain the following passwords, hostnames/IP addresses, and port numbers:

• Local administrative password and hostname/IP address for Cisco CallManager and the port number for the CTL Provider service

• Local administrative password, hostname/IP address, and port number for CAPF

• Local administrative password and hostname/IP address for alternate TFTP

• Security token administrative password

See Table 2-1 for a description of the preceding information.


Tip Before you install the Cisco CTL client, verify that you have network connectivity to each server in the cluster; likewise, ensure that the server uses DNS and that each server is running. To ensure that you have network connectivity to all servers in the cluster, issue a ping command to each server. Choose Start > Run; enter cmd, and click OK. At the command prompt, enter ping <server>, where server equals the name of the server that displays in the Server Configuration window of Cisco CallManager Administration. Repeat the ping command for each server in the cluster.

If you installed multiple Cisco CTL clients, Cisco CallManager accepts CTL configuration information from only one client at a time, but you can perform configuration tasks on up to five Cisco CTL clients simultaneously. While you perform configuration tasks on one client, Cisco CallManager automatically stores the information that you entered on the other clients. To configure the client, perform the following procedure:

Procedure

Step 1 Obtain at least two security tokens that you purchased.

Step 2 Perform one of the following tasks:

• Double-click the Cisco CTL Client icon that exists on the desktop of the workstation/server where you installed it.

• Choose Start > Programs > Cisco CTL Client.

Step 3 Enter the configuration settings for the Cisco CallManager server, as described in Table 2-1; click Next.

Step 4 Click Set CallManager Cluster to Mixed Mode, as described in Table 2-1; click Next.

Step 5 Perform the following tasks, depending on what you want to accomplish:

• To add a security token, see Step 6 through Step 12.

• To add an alternate TFTP server, see Step 13 through Step 15.

• To add a CAPF server, see Step 16 and Step 17.

• To complete the Cisco CTL client configuration, see Step 18 through Step 22.


Caution You need a minimum of two security tokens the first time that you configure the client. Do not insert the tokens until the application prompts you to do so. If you have two USB ports on the workstation or server, do not insert two security tokens at the same time.

Step 6 When the application prompts you to do so, insert one security token in an available USB port on the workstation or server where you are currently configuring the Cisco CTL client; click OK.

Step 7 The security token information displays for the token that you inserted; click Add.

Step 8 The detected certificate entries display in the pane.

Step 9 To add other security token(s) to the certificate trust list, click Add Tokens.

Step 10 If you have not already done so, remove the token that you inserted into the server or workstation. When the application prompts you to do so, insert the next token and click OK.

Step 11 The security token information for the other token displays; click Add.

Step 12 For all security tokens, repeat Step 9 through Step 11.

Step 13 The certificate entries display in the pane. If you need to add an Alternate TFTP server, click Add TFTP Server.

Step 14 Enter the configuration settings, as described in Table 2-1.

Step 15 Click Next.

Step 16 The certificate entries display in the pane. To add a CAPF server, click Add CAPF.

Step 17 Enter the configuration settings, as described in Table 2-1; click Next.

Step 18 When you have added all security tokens and servers, click Finish.

Step 19 Enter the user password for the security token, as described in Table 2-1; click OK.

Step 20 After the client creates the CTL file, a window displays the server, file location, and status of the CTL file on each server. Click Finish.


Step 21 Reset all devices in the cluster. See the “Resetting the Devices, Restarting Cisco CallManager Service, or Rebooting the Server/Cluster” section on page 1-9.

Step 22 Reboot all Cisco CallManager and TFTP servers in the cluster.

Tip To verify that you set the Cisco CallManager cluster to mixed mode, see the “Troubleshooting” section on page 5-1.

If you are prompted to change the security token password, see the “Troubleshooting” section on page 5-1.

Related Topics

• Cisco CTL Client Configuration Settings, page 2-20

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Authentication and Integrity Overview, page 2-2

• Setting the Smart Card Service to Started and Automatic, page 5-6

• Activating the Cisco CTL Provider Service, page 2-7

• Cisco CTL Client Configuration Settings, page 2-20

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Configuring the Devices for Authentication or Encryption, page 2-25

• Troubleshooting, page 5-1


Updating the CTL File

You must update the CTL file if the following scenarios occur:

• If you add a new Cisco CallManager server to the cluster

• If you change the name or IP address of the Cisco CallManager server in the cluster

• If you need to add or delete additional security tokens

• If you need to add, delete, or replace the alternate TFTP or CAPF server

• If you restore the Cisco CallManager server or Cisco CallManager data

• If you upgrade the Cisco CallManager cluster

You must reboot all Cisco CallManager and Cisco TFTP servers in the cluster for the changes to take effect; you must also reset all devices in the cluster before you reboot the servers. See the “Resetting the Devices, Restarting Cisco CallManager Service, or Rebooting the Server/Cluster” section on page 1-9 for more information on how to perform this task.

Tip Cisco strongly recommends that you update the file when minimal call-processing interruptions will occur.

To update the information that exists in the CTL file, perform the following procedure:

Procedure

Step 1 Obtain one security token that you inserted to configure the latest CTL file.

Step 2 Double-click the Cisco CTL Client icon that exists on the desktop of the workstation/server where you installed it.

Step 3 Enter the configuration settings for the Cisco CallManager server, as described in Table 2-1; click Next.

Tip You make updates in this window for the Cisco CallManager server.


Step 4 To update the CTL file, click Update CTL File, as described in Table 2-1; click Next.

Caution For all CTL file updates, you must insert one security token that already exists in the CTL file into the USB port. The client validates the signature of the CTL file through this token. You cannot add new tokens until the CTL client validates the signature. If you have two USB ports on the workstation or server, do not insert both security tokens at the same time.

Step 5 If you have not already inserted one security token in an available USB port on the workstation or server where you are currently updating the CTL file, insert one of the security tokens; click OK.

Step 6 The security token information displays for the token that you inserted; click Next.

The detected certificate entries display in the pane.

Tip You cannot update the Cisco CallManager or Cisco TFTP entries from this pane. To update the Cisco CallManager entry, click Cancel and perform Step 2 through Step 6 again.

Step 7 To update existing Cisco CTL entries or to add or delete security tokens, consider the following information:

• To update alternate TFTP or CAPF entries, delete the entry, as described in “Deleting a CTL File Entry” section on page 2-24; then, add the entry, as described in “Configuring the Cisco CTL Client” section on page 2-12.

• To add new security tokens, see “Configuring the Cisco CTL Client” section on page 2-12.

• To delete a security token, see the “Deleting a CTL File Entry” section on page 2-24.

Tip If you are prompted to change the security token password, see the “Troubleshooting” section on page 5-1.


Related Topics

• Cisco CTL Client Configuration Settings, page 2-20

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Authentication and Integrity Overview, page 2-2

• Setting the Smart Card Service to Started and Automatic, page 5-6

• Activating the Cisco CTL Provider Service, page 2-7

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Configuring the Devices for Authentication or Encryption, page 2-25

• Troubleshooting, page 5-1

Changing the Clusterwide Security Mode

You must use the Cisco CTL client to configure the clusterwide security mode. You cannot change the clusterwide security mode from the Enterprise Parameters window of Cisco CallManager Administration.

To change the clusterwide security mode after the initial configuration of the Cisco CTL client, you must update the CTL file, as described in the “Updating the CTL File” section on page 2-17 and Table 2-1. If you change the clusterwide security mode from mixed to nonsecure mode, the CTL file still exists on the servers in the cluster, but the CTL file does not contain any certificates. Because no certificates exist in the CTL file, the phone requests an unsigned configuration file and registers as nonsecure with Cisco CallManager.

Related Topics

• Updating the CTL File, page 2-17

• Cisco CTL Client Configuration Settings, page 2-20

• Troubleshooting, page 5-1


Cisco CTL Client Configuration Settings

The cluster can exist in one of two modes, as described in Table 2-1. Only mixed mode supports authentication. When you configure the Cisco CTL client for authentication, you must choose Set CallManager Cluster to Mixed Mode.

Use Table 2-1 to configure the Cisco CTL client for the first time, to update the CTL file, or to change the mode from mixed to nonsecure.

Table 2-1 Configuration Settings for CTL Client

Setting Description

Radio Button

Set CallManager Cluster to Mixed Mode

Mixed mode allows authenticated or encrypted Cisco IP Phones and nonauthenticated Cisco IP Phones to register with Cisco CallManager. In this mode, Cisco CallManager ensures that authenticated or encrypted devices use a secure SCCP port.

Note Cisco CallManager disables auto-registration if you configure the cluster for mixed mode.


Set CallManager Cluster to Non-Secure Mode

All devices register as unauthenticated with Cisco CallManager, and Cisco CallManager supports image authentication only.

When you choose this mode, the CTL client removes the certificates for all entries that are listed in the CTL file, but the CTL file still exists in the directory that you specified. The phone requests unsigned configuration files and registers as nonsecure with Cisco CallManager.

Tip To revert the phone to the default nonsecure mode, you must delete the CTL file from the phone and all Cisco CallManager servers. For information on deleting the CTL file from the phone and Cisco CallManager servers, see the “Troubleshooting” section on page 5-1.

Tip You can use auto-registration in this mode.

Update CTL File

After you have created the CTL file, you must choose this option to make any changes to the CTL file. Choosing this option ensures that the Cluster Security mode does not change.

CallManager Server

Hostname or IP Address

Enter the hostname or IP address for a server in the cluster that runs the Cisco CallManager or Cisco TFTP service.

Port

Enter the port number, which equals the CTL port for the Cisco CTL Provider service that runs on the specified Cisco CallManager server. The default port number equals 2444.


Username and Password

Enter a username and password that have administrative privileges on the Cisco CallManager server.

Tip Verify that you entered the username and password for the Cisco CallManager administrator or Power User account. The same username and password must exist on all servers in the cluster.

Alternate TFTP Server

Hostname or IP Address

Enter the hostname or IP address for the TFTP server.

Note Alternate TFTP server designates a Cisco TFTP server that exists in a different cluster. If you use two different clusters for the alternate TFTP server configuration, both clusters must use the same clusterwide security mode, which means that you must install and configure the Cisco CTL client in both clusters. Likewise, both clusters must run the same version of Cisco CallManager 4.0.

Caution Ensure that the path in the TFTP service parameter, FileLocation, is the same for all servers in the cluster.

Port

Enter the port number, which equals the CTL port for the Cisco CTL Provider service that runs on the specified TFTP server. The default port number equals 2444.

Username and Password

Enter a username and password that have local administrative privileges on the server.


CAPF Server

Hostname or IP Address

Enter the hostname or IP address for the CAPF server.

Port

The default port number equals 3805. If you want to do so, enter a different port number for the CAPF server.

Username and Password

Enter a username and password that have local administrative privileges on the server.

Security Token

User Password

The first time that you configure the Cisco CTL client, enter Cisco123, the case-sensitive default password, to retrieve the private key of the certificate and ensure that the CTL file gets signed.

Tip To change this password, see the “Changing the Security Token Password (Etoken)” section on page 5-5.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Authentication and Integrity Overview, page 2-2

• Activating the Cisco CTL Provider Service, page 2-7

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Configuring the Devices for Authentication or Encryption, page 2-25

• Troubleshooting, page 5-1


Deleting a CTL File Entry

At any time, you can delete some CTL entries that display in the CTL Entries window of the Cisco CTL client. After you open the client and follow the prompts to display the CTL Entries window, click Delete Selected to delete the entry.

You cannot delete servers that run Cisco CallManager or Cisco TFTP from the CTL file. You can delete alternate TFTP servers and security tokens that you manually add to the CTL file, but you cannot delete TFTP servers that the client automatically detects.

Two security token entries must exist in the CTL file at all times. You cannot delete all security tokens from the file.

Tip For information on uninstalling the Cisco CTL client, deleting the CTL file from the phone, or deleting the CTL file from the server, see the “Troubleshooting the Cisco CTL Client” section on page 5-4.
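The CTL file rules that this chapter states in "Configuring the Cisco CTL Client", "Updating the CTL File", "Changing the Clusterwide Security Mode", Table 2-2 and this section, modelled as an added worked example (not Cisco's code and not the real CTL file format): a toy RSA key with tiny primes stands in for the security token's key, and the entry names, certificate strings and outcome strings are constructed.

```python
import hashlib
import json
from dataclasses import dataclass

MIXED, NONSECURE = "Mixed", "Non-Secure"
AUTO_DETECTED = {"CallManager", "TFTP"}  # detected by the client itself; never deletable
MIN_SAST = 2                              # two token entries must exist at all times

class CtlError(Exception):
    pass

@dataclass(frozen=True)
class Token:
    """Constructed stand-in for a USB security token: toy RSA with tiny primes.
    A real token holds a full-size key; only the public/private split matters here."""
    name: str
    p: int
    q: int
    e: int = 17

    def certificate(self) -> str:
        return f"{self.p * self.q}:{self.e}"  # public half, as listed in the CTL

    def sign(self, data: bytes) -> int:
        n = self.p * self.q
        h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
        d = pow(self.e, -1, (self.p - 1) * (self.q - 1))  # private exponent
        return pow(h, d, n)

def verify_signature(certificate: str, data: bytes, signature: int) -> bool:
    # Verification needs only the public half carried in the CTL entry.
    n, e = (int(x) for x in certificate.split(":"))
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(signature, e, n) == h

def entry(role, name, certificate):
    return {"role": role, "name": name, "certificate": certificate}

def token_entry(token):
    return entry("SAST", token.name, token.certificate())

def _body(mode, entries):
    # Canonical serialisation: the signature covers the mode and every entry.
    return json.dumps({"mode": mode, "entries": entries}, sort_keys=True).encode()

def _signed(mode, entries, token):
    return {"mode": mode, "entries": list(entries), "signer": token.certificate(),
            "signature": token.sign(_body(mode, entries))}

def _sast_certs(entries):
    certs = {e["certificate"] for e in entries if e["role"] == "SAST"}
    if len(certs) < MIN_SAST:
        raise CtlError("the CTL must list at least two security tokens")
    return certs

def create_ctl(entries, inserted_token):
    """First configuration: >= 2 tokens; the inserted token signs and must be listed."""
    if inserted_token.certificate() not in _sast_certs(entries):
        raise CtlError("the signing token is not a SAST entry in the CTL")
    return _signed(MIXED, entries, inserted_token)

def verify_ctl(ctl, inserted_token):
    """Update precondition: inserted token already listed; signature valid under a listed signer."""
    listed = {e["certificate"] for e in ctl["entries"] if e["role"] == "SAST"}
    if inserted_token.certificate() not in listed or ctl["signer"] not in listed:
        return False
    return verify_signature(ctl["signer"], _body(ctl["mode"], ctl["entries"]), ctl["signature"])

def update_ctl(ctl, inserted_token, add=(), delete=()):
    """Update CTL File: validate first, apply the deletion rules, then re-sign."""
    if not verify_ctl(ctl, inserted_token):
        raise CtlError("signature not validated; no entries may be changed")
    roles = {e["name"]: e["role"] for e in ctl["entries"]}
    blocked = [name for name in delete if roles.get(name) in AUTO_DETECTED]
    if blocked:
        raise CtlError(f"auto-detected entries cannot be deleted: {blocked}")
    entries = [e for e in ctl["entries"] if e["name"] not in delete] + list(add)
    _sast_certs(entries)
    return _signed(ctl["mode"], entries, inserted_token)

def set_nonsecure(ctl, inserted_token):
    """Mixed -> Non-Secure: the file stays but lists no certificates (left unsigned here; assumption)."""
    if not verify_ctl(ctl, inserted_token):
        raise CtlError("signature not validated")
    return {"mode": NONSECURE, "entries": [], "signer": None, "signature": None}

def phone_registration(ctl, device_mode="Use System Default", system_default="Non-secure"):
    """Table 2-2 outcome; an empty CTL (non-secure cluster) overrides the device mode."""
    if not ctl["entries"]:
        return "requests unsigned config; registers nonsecure over TCP"
    mode = system_default if device_mode == "Use System Default" else device_mode
    return {"Non-secure": "registers nonsecure over TCP (image authentication only)",
            "Authenticated": "TLS NULL/SHA: integrity and authentication",
            "Encrypted": "TLS AES128/SHA: integrity, authentication and encryption"}[mode]
```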

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Authentication and Integrity Overview, page 2-2

• Activating the Cisco CTL Provider Service, page 2-7

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Configuring the Devices for Authentication or Encryption, page 2-25

• Troubleshooting, page 5-1


Configuring the Devices for Authentication or Encryption

To configure the devices for authentication or encryption, perform one of the following tasks:

• Configure the default device security mode for supported phone models.

• Configure the device security mode for a single device in the Phone Configuration window of Cisco CallManager Administration.

• Configure the device security mode for a supported phone model by using the Cisco Bulk Administration Tool.

For information on the device security mode configuration settings, see the “Device Security Mode Configuration Settings” section on page 2-29.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Activating the Cisco CTL Provider Service, page 2-7

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Configuring the Devices for Authentication or Encryption, page 2-25

• Device Security Mode Configuration Settings, page 2-29

• Troubleshooting, page 5-1


Configuring the Security Device System Default for Supported Phone Models

Note This procedure requires that you reset the devices and restart the Cisco CallManager service for the changes to take effect.

In Cisco CallManager Administration, the security device system default for all phone types displays as Non-Secure. To set the security device system default to Authenticated or Encrypted, perform the following procedure:

Procedure

Step 1 From Cisco CallManager Administration, choose System > Enterprise Parameters.

Step 2 In the Security Parameters section, locate Device Security Mode.

Step 3 From the drop-down list box, choose Authenticated or Encrypted. For more information, see Table 2-2.

Step 4 At the top of the Enterprise Parameters window, click Update.

Step 5 Reset all devices in the cluster; see “Resetting the Devices, Restarting Cisco CallManager Service, or Rebooting the Server/Cluster” section on page 1-9.

Step 6 Restart the Cisco CallManager service for the changes to take effect.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Configuring the Devices for Authentication or Encryption, page 2-25

• Device Security Mode Configuration Settings, page 2-29


Configuring the Device Security Mode for a Single Device

To configure the device security mode for a single device, perform the following procedure. This procedure assumes that you have added the device to the database.

Configuring the Device Security Mode in the Phone Configuration window of Cisco CallManager Administration triggers a rebuild of the device configuration .xml file. After you configure the device security mode for the first time or if you change the device security mode, you must reset the device, so the phone requests the new configuration file.

Procedure

Step 1 In Cisco CallManager Administration, choose Device > Phone.

Step 2 Specify the criteria to find the phone and click Find, or click Find without entering criteria to display a list of all phones.

If you have not added the phone to the database, the phone does not display in the list. For information on adding a phone, refer to the Cisco CallManager Administration Guide.

Step 3 To open the Phone Configuration window for the device, click the device name.

Step 4 Locate the Device Security Mode drop-down list box.

If the phone type does not support security, this option does not display. You cannot configure authentication or encryption for the phone type.

Step 5 From the Device Security Mode drop-down list box, choose the option that you want to configure. See Table 2-2 for information on the options.

The Device Security Mode drop-down list box only displays if the phone supports authentication or encryption. For example, if the phone does not support encryption, the encryption option does not display in the drop-down list box.


Step 6 Click Update.

Step 7 Click Reset Phone.

Caution When you reset the phone, the system drops all calls that are occurring through a gateway.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Configuring the Devices for Authentication or Encryption, page 2-25

• Device Security Mode Configuration Settings, page 2-29

Using the Cisco Bulk Administration Tool to Configure the Device Security Mode

You can use the Cisco Bulk Administration Tool that supports Cisco CallManager 4.0(1) to configure the device security mode for specific phone models that support encryption or authentication. For more information on how to perform this task, refer to the Bulk Administration Tool User Guide that supports this version of Cisco CallManager.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Configuring the Devices for Authentication or Encryption, page 2-25

• Device Security Mode Configuration Settings, page 2-29

• Bulk Administration Tool User Guide


Device Security Mode Configuration Settings

The options in Table 2-2 exist for the device security mode.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Configuring the Devices for Authentication or Encryption, page 2-25

• Device Security Mode Configuration Settings, page 2-29

• Bulk Administration Tool User Guide

Table 2-2 Device Security Modes

Option / Description

Use System Default

The phone uses the value that you specified for the enterprise parameter, Device Security Mode.

Non-secure

No security features except image authentication exist for the phone. A TCP connection opens to Cisco CallManager.

Authenticated

Cisco CallManager provides integrity and authentication for the phone. A TLS connection that uses NULL/SHA opens.

Encrypted

Cisco CallManager provides integrity, authentication, and encryption for the phone. A TLS connection that uses AES128/SHA opens.



C H A P T E R 3

Certificate Authority Proxy Function

This chapter provides information on the following topics:

• Certificate Authority Proxy Function Overview, page 3-2

• Downloading the Certificate Authority Proxy Function, page 3-5

• Installing the Certificate Authority Proxy Function, page 3-6

• Upgrading Certificate Authority Proxy Function, page 3-7

• Using CAPF to Generate Phone Certificates, page 3-8

• Updating CAPF Settings, page 3-12

• CAPF Settings and Commands, page 3-13

• Installing the Locally Significant Certificate on Supported Phones, page 3-18

• Upgrading the Locally Significant Certificate on the Phone, page 3-20

• Deleting the Locally Significant Certificate on the Phone, page 3-21


Certificate Authority Proxy Function Overview

The Certificate Authority Proxy Function (CAPF) utility can perform the following tasks, depending on your configuration:

• Issue locally significant certificates to supported Cisco IP Phone models.

• Request certificates from third-party certificate authorities on behalf of supported Cisco IP Phone models by using SCEP.

• Upgrade existing certificates on the phones.

• Retrieve phone certificates for viewing.

• Delete locally significant certificates on the phone.

After you install and use the CAPF utility, the phone generates a public/private key pair, encrypts, signs, and decrypts some messages, and stores, retrieves, and deletes the certificate and the key pair. The CAPF utility performs other necessary tasks that are associated with the certificates, including installing and upgrading locally significant certificates on the phone.

The CAPF utility generates a key pair and certificate that is specific for CAPF, and the utility copies this certificate to all Cisco CallManager servers in the cluster.

Tip The CAPF certificate uses the .0 extension. To verify that the utility copied the CAPF certificate to the servers, browse to C:\Program Files\Cisco\Certificates on each server in the cluster, and locate the file that ends with .0.

Verify that the same certificate exists in the directory where you installed CAPF.

After the utility generates the CAPF key pair and certificate, you use the CAPF Command Line Interface (CLI) so that CAPF retrieves phone records from the Cisco CallManager database. The first time that you use CAPF, the following information displays for each Cisco IP Phone 7960 and 7940 that exists in the Cisco CallManager database:

• Device Name

• Corresponding description


• Corresponding directory number for line 1

• Unique authentication string

After you identify where the phone is located, you or the phone user must enter the authentication string on the phone.

The phone information from the database displays for each Cisco IP Phone 7960 and 7940. If thousands of phones exist in the cluster, all phones may not display in the CLI. The CAPF utility logs the phone record information in C:\Program Files\Cisco\CAPF\Trace\CAPF.csv. If you have access to software that converts CSV files, such as Microsoft Excel, you can convert the CAPF.csv file and view the records by using that software.

Likewise, on the server where you installed CAPF, all information logs to C:\Program Files\Cisco\CAPF\Trace\capf<xxxxx>.log, where <xxxxx> represents an increasing number. When the log file includes many entries, the utility creates a new log file and increments the name of the log file by one number. Always review the last line in the file to determine if the information spans across multiple files.

The CAPF utility stamps all entries in the capf.log files with the time and date. The CAPF utility does not delete or overwrite the capf.log files. If the disk runs out of space, you may need to delete the older log files and retain the newer files.

Caution Cisco IP Telephony Backup and Restore System (BARS) does not back up CAPF log or CSV files.

The following requirements exist for the CAPF utility:

• Cisco recommends that you install the CAPF utility on the publisher database server. If you install the utility on another server in the cluster, be aware that using the utility may adversely affect Cisco CallManager performance. Cisco strongly recommends that you use the CAPF utility during a scheduled maintenance window.

• If Cisco Security Agent (CSA) or Cisco-approved, third party applications exist on the server where you plan to install the CAPF utility, disable the services that are associated with the applications before you download the utility. Do not enable the services at any time during the installation. Failing to disable the services may cause installation interruptions or errors. For information on how to disable the CSA services, refer to the CSA installation document that supports this version of Cisco CallManager.


• All servers in the Cisco CallManager 4.0 cluster must use the same administrator username and password, so the CAPF utility can authenticate to all servers in the cluster.

• You must have administrative privileges on the server to use the utility.

• Install one CAPF utility per cluster. If you have multiple clusters, you must install the utility on a server in each cluster.

• The server where you installed CAPF must have a certificate that associates with it, and the CTL file must contain a certificate entry for the CAPF server.

• You can use Microsoft Certificate Services with CAPF if the Microsoft Certificate Services software runs on a Windows 2003 server. For information on how to use this software or for troubleshooting support, contact the certificate authority vendor directly.

If the utility will request certificates from Microsoft Certificate Services, you must enter the necessary configuration information, for example, the IP address or hostname, for this certificate authority in the CAPF CLI.

If you plan to use Microsoft Certificate Services, you must install the SCEP add-on on the server where you install Microsoft Certificate Services. To obtain the SCEP add-on, contact the certificate authority vendor directly.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Downloading the Certificate Authority Proxy Function, page 3-5

• Installing the Certificate Authority Proxy Function, page 3-6

• Upgrading Certificate Authority Proxy Function, page 3-7

• Using CAPF to Generate Phone Certificates, page 3-8

• Updating CAPF Settings, page 3-12

• CAPF Settings and Commands, page 3-13

• Installing the Locally Significant Certificate on Supported Phones, page 3-18

• Troubleshooting, page 5-1


Downloading the Certificate Authority Proxy Function

Caution Cisco recommends that you download and install the utility on the publisher database server. If you install the utility on another server in the cluster, be aware that the utility may adversely affect Cisco CallManager performance. Use the utility during a scheduled maintenance window.

Caution If Cisco Security Agent (CSA) or Cisco-approved, third party applications exist on the server where you plan to install the CAPF utility, disable the services that are associated with the applications before you download the utility. Do not enable the services at any time during the installation. Failing to disable the services may cause installation interruptions or errors. For information on how to disable the CSA services, refer to the CSA installation document that supports this version of Cisco CallManager.

Perform the following procedure to download the Certificate Authority Proxy Function:

Procedure

Step 1 Click http://www.cisco.com/kobayashi/sw-center/sw-voice.shtml.

You must have a Cisco Connection Online (CCO) username and password to obtain the software from the web.

Step 2 Click Cisco CallManager 4.0.

Step 3 On the page that displays, locate the file name that begins with CAPF.

Step 4 Download the file to the hard drive on the server.

Step 5 Note the location where you save the downloaded file.


Related Topics

• Installing the Certificate Authority Proxy Function, page 3-6

• Upgrading Certificate Authority Proxy Function, page 3-7

• Using CAPF to Generate Phone Certificates, page 3-8

• Updating CAPF Settings, page 3-12

• CAPF Settings and Commands, page 3-13

Installing the Certificate Authority Proxy Function

To install the Certificate Authority Proxy Function, perform the following procedure:

Procedure

Step 1 On the server where you downloaded the executable, double-click the downloaded file to begin the installation.

Step 2 In the Welcome window, click Next.

Step 3 Enter your full name and name of your organization. Choose who can use this application. Click Next.

Step 4 Choose the location where the files will install. If you want to do so, click Browse to navigate to the location. After you choose the location, click Next.

Step 5 To begin the installation, click Next.

Step 6 Click Finish.

Tip To verify that the CAPF utility installed, see the “Troubleshooting the CAPF Utility” section on page 5-24.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4


• Certificate Authority Proxy Function Overview, page 3-2

• Installing the Certificate Authority Proxy Function, page 3-6

• Upgrading Certificate Authority Proxy Function, page 3-7

• Using CAPF to Generate Phone Certificates, page 3-8

• Updating CAPF Settings, page 3-12

• CAPF Settings and Commands, page 3-13

• Troubleshooting, page 5-1

Upgrading Certificate Authority Proxy Function

When you upgrade CAPF, the installation package, for example, MSI, checks whether a previous version of the application exists on the server or workstation. When the installation package identifies that a previous version exists, the upgrade occurs. If the installation package identifies that no previous version exists, a full CAPF installation occurs.

Tip If you want to remove the CAPF application before you install a later version, see the “Troubleshooting the CAPF Utility” section on page 5-24.

To upgrade CAPF, perform the following procedure:

Procedure

Step 1 Perform the procedure in “Downloading the Certificate Authority Proxy Function” section on page 3-5.

Step 2 If the installation package determines that you have installed a previous version of the software, a dialog box indicates that the upgrade updates only the changed files. Click OK.

Step 3 In the CAPF Installation Wizard window, click Next.

Step 4 Enter your full name and name of your organization. Choose who can use this application. Click Next.

Step 5 Choose the location where the files will install. If you want to do so, click Browse to navigate to the location. After you choose the location, click Next.


Step 6 To begin the installation, click Next.

Step 7 Click Finish.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Certificate Authority Proxy Function Overview, page 3-2

• Downloading the Certificate Authority Proxy Function, page 3-5

• Installing the Certificate Authority Proxy Function, page 3-6

• Using CAPF to Generate Phone Certificates, page 3-8

• Updating CAPF Settings, page 3-12

• CAPF Settings and Commands, page 3-13

• Troubleshooting, page 5-1

Using CAPF to Generate Phone Certificates

Use Table 3-1 as a reference when you use the CAPF utility.

After you exit the utility, the CAPF utility saves all existing configuration information. You can restart the utility at any time and use the existing configuration information if you enter the appropriate commands from Table 3-1.

Subsequent use of the CAPF utility does not generate a CAPF key pair and certificate; if you want to generate a new CAPF key pair and certificate, you must issue the appropriate command in the CLI. Cisco recommends that you do not generate a new CAPF key pair and certificate unless the key pair or certificate appears compromised or you need to modify the key size that is used by the current key pair.

If you installed multiple CAPF utilities on different servers, be aware that you can only use one utility at a time.


Perform the following procedure to use the Certificate Authority Proxy Function:

Procedure

Step 1 Perform one of the following tasks:

• Choose Start > Programs > CAPF.

• On the desktop, double-click the CAPF icon.

Step 2 A Command Line Interface displays. Enter your username, as described in Table 3-1.

Step 3 Enter your password, as described in Table 3-1.

Tip CAPF displays the default or existing configured parameters, as described in Table 3-1. If this is the first time that you have used CAPF, the utility automatically generates a 1024-bit key pair and a self-signed certificate for CAPF; the self-signed certificate automatically gets added to C:\Program Files\Cisco\Certificates on all servers in the cluster.

If this is not the first time that you have used CAPF, be aware that a key pair/certificate is not generated unless you enter an explicit command during the configuration.

Step 4 If you want to change the existing parameters that display, for example, the listening port for the phone, enter the appropriate commands, as described in Table 3-1.

Step 5 Update the CTL file with the CAPF information, as described in “Updating the CTL File” section on page 2-17. Verify that you rebooted the server after you made the updates.

Tip To update the CTL file, you need at least one security token that exists in the CTL file.

Step 6 If the CAPF CLI continues to display, go to Step 10.


Step 7 If CAPF utility does not display because you rebooted the server after you updated the CTL file, perform one of the following tasks:

• Choose Start > Programs > CAPF.

• On the desktop, double-click the CAPF icon.

Step 8 A Command Line Interface displays. Enter your username, as described in Table 3-1.

Step 9 Enter your password, as described in Table 3-1.

Step 10 Perform the following tasks, depending on the method for issuing certificates for the phones:

• If the CAPF utility will issue the certificates, go to Step 11.

• If a Cisco-approved, third-party certificate authority will issue certificates, enter issue cert ca, as described in Table 3-1; press Enter.

• Enter set ca-server ip <IP Address of the CA Server>, as described in Table 3-1; press Enter.

• Go to Step 11.

Step 11 At the CAPF prompt, enter get phone-info, as described in Table 3-1.

If you add phones to the database after the initial retrieval from the Cisco CallManager database, you must issue this command again.

Step 12 At the CAPF prompt, enter set cert upgrade all, as described in Table 3-1; press Enter.

This command configures all devices for the certificate upgrade. To configure a specific phone for upgrade, issue the following command: set cert upgrade id <device name>

Step 13 At the CAPF prompt, perform the following task, depending on what you want to accomplish:

• If you plan to use the authentication string that the get phone-info command creates, go to Step 14.

• If you want to generate an authentication string for a specific phone, issue the following command: set auth-string id <device name>


Caution If you want to set the authentication string to Null or if you want to generate new authentication strings, enter the command, set auth-string <id | all > <value> [<type>], at the CAPF prompt; press Enter.

Cisco strongly recommends that you use null authentication only in closed, secure environments.

Step 14 At the next CAPF prompt, enter show auth-string all, as described in Table 3-1; press Enter.

The phone information from the database displays for each phone. If thousands of phones exist in the cluster, all phones may not display in the CLI. The CAPF utility logs the phone record information in C:\Program Files\Cisco\CAPF\Trace\CAPF.csv. If you have access to software that converts CSV files, such as Microsoft Excel, you can convert the CAPF.csv file and view the records by using that software. The utility also writes the entries to the log file.

To display a single device name and authentication string, issue the following command: show auth-string id <device name>

Step 15 Determine the phone user that is associated with the Device Name by performing the following procedure:

a. On the server where you installed the CAPF utility, obtain the CSV file, CAPF.csv, from C:\Program Files\Cisco\CAPF\Trace.

b. By using software that converts CSV files, export this file to a format in which you can view the phone record information.

Step 16 Install the locally significant certificate on the phone; see the “Installing the Locally Significant Certificate on Supported Phones” section on page 3-18.
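The CAPF.csv records that Step 14 and Step 15 have you retrieve, and the capf<xxxxx>.log rollover described in the overview, handled in an added Python example that is not part of the Cisco documentation or of the CAPF utility; the CSV column headers, the device names and the authentication strings are constructed assumptions, since the page does not show the file's header row.

```python
"""Added example (not Cisco's code): helpers for the files the CAPF utility
writes. The page states that CAPF.csv holds the Device Name, description,
line-1 directory number and authentication string for each phone, and that
capf<xxxxx>.log rolls over to a new, higher-numbered file. The column headers
used here are an assumption, since the page does not show the CSV header."""
import csv
import io
import re
from typing import Dict, List, NamedTuple, Optional


class PhoneRecord(NamedTuple):
    device_name: str
    description: str
    dn: str           # directory number for line 1
    auth_string: str  # empty when the operator set the type to null-string


# Constructed sample of a CAPF.csv written by "get phone-info"
# (assumed header names; device names and strings are made up).
SAMPLE_CSV = """Device Name,Description,Directory Number,Authentication String
SEP000000000001,Lobby phone,1001,48213975
SEP000000000002,Reception desk,1002,90318426
SEP000000000003,Conference room,1003,
"""

# capf<xxxxx>.log: the page says <xxxxx> is an increasing number.
LOG_NAME = re.compile(r"^capf(\d+)\.log$", re.IGNORECASE)


def parse_capf_csv(text: str) -> Dict[str, PhoneRecord]:
    """Index CAPF.csv rows by device name (the key that
    "show auth-string id <device name>" also uses)."""
    records: Dict[str, PhoneRecord] = {}
    for row in csv.DictReader(io.StringIO(text)):
        rec = PhoneRecord(
            device_name=row["Device Name"].strip(),
            description=row["Description"].strip(),
            dn=row["Directory Number"].strip(),
            auth_string=row["Authentication String"].strip(),
        )
        if rec.device_name:
            records[rec.device_name] = rec
    return records


def auth_string_for(records: Dict[str, PhoneRecord],
                    device_name: str) -> Optional[str]:
    """Return the string the user must enter on that phone, or None when the
    device is absent (phones added after the last "get phone-info" run are
    missing until the command is issued again) or has no string."""
    rec = records.get(device_name)
    return rec.auth_string if rec and rec.auth_string else None


def null_auth_phones(records: Dict[str, PhoneRecord]) -> List[str]:
    """Phones with no authentication string, i.e. candidates for null
    authentication, which the manual limits to closed, secure environments."""
    return sorted(d for d, r in records.items() if not r.auth_string)


def order_log_files(names: List[str]) -> List[str]:
    """Sort capf<xxxxx>.log names numerically so a review that reaches the last
    line of one file continues in the file CAPF rolled over to. Other names
    (CAPF.csv, unrelated files) are ignored."""
    numbered = []
    for name in names:
        m = LOG_NAME.match(name)
        if m:
            numbered.append((int(m.group(1)), name))
    return [name for _, name in sorted(numbered)]


if __name__ == "__main__":
    recs = parse_capf_csv(SAMPLE_CSV)
    for dev in sorted(recs):
        print(dev, recs[dev].dn, recs[dev].description,
              auth_string_for(recs, dev))
    print("null-auth phones:", null_auth_phones(recs))
    print(order_log_files(["capf00010.log", "CAPF.csv", "capf00002.log",
                           "capf00001.log"]))
```

On a real server, read C:\Program Files\Cisco\CAPF\Trace\CAPF.csv into parse_capf_csv and pass the directory listing of C:\Program Files\Cisco\CAPF\Trace to order_log_files.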

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Certificate Authority Proxy Function Overview, page 3-2

• Downloading the Certificate Authority Proxy Function, page 3-5

• Installing the Certificate Authority Proxy Function, page 3-6


• Upgrading Certificate Authority Proxy Function, page 3-7

• Updating CAPF Settings, page 3-12

• CAPF Settings and Commands, page 3-13

• Updating the CTL File, page 2-17

• Troubleshooting, page 5-1

Updating CAPF Settings

Use Table 3-1 as a reference when you update the settings. To update any configured CAPF setting, such as the listening ports for the phone or CTL Provider port, or to generate an updated key pair or CAPF certificate, perform the following procedure:

Procedure

Step 1 Perform one of the following tasks:

• Choose Start > Programs > CAPF.

• On the desktop, double-click the CAPF icon.

Step 2 A Command Line Interface displays. Enter your username, as described in Table 3-1.

Step 3 Enter your password, as described in Table 3-1.

CAPF displays the default or existing configured parameters, as described in Table 3-1. If this is not the first time that you have used CAPF, be aware that a key pair/certificate is not generated unless you enter an explicit command during the configuration.

Step 4 Enter ? to obtain a list and descriptions of commands that are entered during the configuration; press Enter.

Step 5 Depending on the settings that you want to change or issue, enter the commands that are described in Table 3-1; after you issue each command, press Enter.


Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Certificate Authority Proxy Function Overview, page 3-2

• Downloading the Certificate Authority Proxy Function, page 3-5

• Installing the Certificate Authority Proxy Function, page 3-6

• Upgrading Certificate Authority Proxy Function, page 3-7

• Using CAPF to Generate Phone Certificates, page 3-8

• CAPF Settings and Commands, page 3-13

• Troubleshooting, page 5-1

CAPF Settings and Commands

Table 3-1 contains a list of commands and settings for the CAPF utility.

Tip To display the list of all CAPF commands, enter ? in the CAPF CLI and press Enter.

Table 3-1 CAPF Settings and Commands

Command/Setting Description

Username Enter the Windows login username that has administrative privileges for the server where you installed CAPF.

Password Enter the password for the username.

Cert Issuing Method The setting specifies whether you are using CAPF or a third-party certificate authority to issue certificates.

abort cert-upgrade <id | all> <value>

This command aborts the certificate upgrade process for a specific phone or for all phones.


debug capf <events | all | states>

This command enables the following CAPF debugging settings:

• debug capf events—This command enables the CAPF event debug tracing for phone to CAPF utility to CA interactions.

• debug capf all—This command turns on all debugging capabilities of an accepted level.

• debug capf states—This command enables debug tracing for CAPF FSM state transitions.

debug capf <phone-msg | scep-msg> [brief | detail]

This command dumps the decrypted and hexdump messages between CAPF and the phone and/or CAPF and the CA server.

exit This command allows you to exit from the CAPF CLI.

gen cert This command generates a new CAPF certificate.

gen key This command generates a key pair for CAPF.

get phone-info This command retrieves the directory number for line 1, Device Name, and Description for each Cisco IP Phone 7960 and 7940 in the Cisco CallManager database.

This command generates an authentication string for each phone and saves this string in the CAPF utility.

This command generates a CSV file that is named CAPF.csv. This file, which exists in C:\Program Files\Cisco\CAPF\Trace\CAPF.csv, contains all information that the command generates or obtains from the database.

Tip Subsequent issuing of this command causes the CAPF utility to update the information if new or deleted phones exist in the database; the command also generates new authentication strings for new phones and regenerates the CAPF.csv file with the updated information.

help This command displays help for a command.

help commands This command displays a list of all commands.

issue cert <self | ca > This command sets the mode for issuing certificates to either CAPF or the third-party certificate authority server.


set auth-string <id | all > <value> [<type>]

This command sets the authentication string and type.

Caution Only configure null authentication for secure, closed environments. If you do not plan to enter the authentication string on the phone and the phone exists in a secure, closed environment, you can set the type to null-string for null authentication.

set ca-server [user <name> password <passwd>] <IP <address> | DNS <name>>

This command sets the certificate authority server.

set cert <upgrade | fetch | delete> phone <id | all> <value>

This command requests that a certificate be upgraded, fetched, or deleted for a specific phone or for all phones.

set config <>

Tip For example, enter Listening port - phone, Listening port - ctl, Key size- phone, or Key size- CAPF.

This command sets CAPF configuration values. Issue this command when you want to change the default values. Default values display between the brackets, [ ].

Tip If you want to change the default settings, enter the command in the CLI, enter the new setting, and press Enter. If you do not want to change the default setting and the setting displays in the CLI, press Enter.

CAPF provides the following commands:

• Listening port - phone [3804]:—This command changes the listening port on which the CAPF connects to the phone.

• Listening port - ctl [3805]:—This command changes the listening port on which the CAPF connects to the CTL client. When you change the value, update the CTL file with the new value.

• Key size- phone [1024]:—This command changes the key size for the phone.

• Key size- CAPF [1024]:—This command changes the key size for CAPF.


set config <>

Tip For example, enter Generate cert locally [Y]:.

The command, Generate cert locally [Y]:, generates a local certificate for CAPF.

If you enter N for the command, the CLI prompts you for certificate authority server configuration information.

• CA Server- IP/DNS: Enter the IP address or hostname of the CA server.

If you enter Y for the command, Generate cert locally [Y]:, the CLI provides the following prompts:

• Get phone records from CCM[Y]: This command provides the same results as the get phone-info command.

• Generate auth string [Y]: This command provides the same results as the set auth-string all command.

• Set upgrade duration [240]: This command provides the same results as the set upgrade-duration phone <id | all > <value> command.

• Select all phones for Upgrade [Y]: This command provides the same results as the set cert upgrade all command.

set key-size <phone | capf> [<id | all>] <value>

This command sets the key size for phone/CAPF.

[no] set logging [console | syslog | both] [<filename>]

This command sets where the logging will occur. To disable logging, issue the command, no set logging.

Tip CAPF sets the default setting to console. By default, CAPF enables logging.

set max-retries keygen-poll <value>

This command sets the maximum number of times that CAPF will attempt to poll the phone while in key generation state.

Tip CAPF sets the default to 3. Valid range goes from 1 through 10.

set port < phone | ctl > <value>

This command sets the listening port for the phone and CTL client.


Related Topics

• Certificate Authority Proxy Function Overview, page 3-2

• Downloading the Certificate Authority Proxy Function, page 3-5

• Installing the Certificate Authority Proxy Function, page 3-6

• Upgrading Certificate Authority Proxy Function, page 3-7

• Using CAPF to Generate Phone Certificates, page 3-8

• Updating CAPF Settings, page 3-12

set retry-timer keygen-poll <value>

This command sets the time in minutes that CAPF waits for the key generation response from the phone. If the time expires, CAPF restarts the timer, up to the maximum number of attempts that are configured, and then ends the session with the phone.

Tip CAPF sets the default to 30 minutes. Valid range goes from 1 through 30 minutes.

set upgrade-duration phone <id | all > <value>

This command sets the time in hours in which you can perform the phone certificate installation/upgrade. The default duration equals 240 hours. You must perform the certificate installation/upgrade before the duration expires. If you want to increase or decrease the time, enter this command.

show auth-string <all | id> <value>

This command displays the authentication strings that you should enter on the phone to initiate the certificate installation/upgrade.

show capf

This command displays the configured CAPF settings and the status of certificate upgrades that are in progress.

show debug capf

This command shows the debugging that you enabled.

show status phone <id <value> | all> [pending]

This command displays the status of the phone certificate upgrade. The pending option displays certificate upgrades that are not completed.

show version

This command displays the CAPF version that is installed on the server.

Source <command file>

This command executes user interface (UI) commands from a file. For example, you can copy a set of CAPF commands into a file and all commands execute one after the other. Enter this command when you must repeatedly issue some commands.
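As an added illustration (not Cisco's CAPF code), the following Python models how three of the timing settings in this table interact: max-retries keygen-poll, retry-timer keygen-poll and upgrade-duration. The session simulation and its "poll number on which the phone answers" input are assumptions made for the example; the ranges and defaults are the ones the table states.

```python
"""Model of the CAPF key-generation polling settings documented in Table 3-1.

Added illustration, not Cisco code. It reproduces the documented rules
(max-retries keygen-poll 1..10, default 3; retry-timer keygen-poll 1..30
minutes, default 30; upgrade-duration default 240 hours) so that an
administrator can reason about worst-case session length before changing them.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class CapfSettings:
    max_retries: int = 3            # set max-retries keygen-poll <value>, valid 1..10
    retry_timer_min: int = 30       # set retry-timer keygen-poll <value>, valid 1..30
    upgrade_duration_h: int = 240   # set upgrade-duration phone <id | all> <value>

    def validate(self) -> list[str]:
        """Return the documented range violations (an empty list means valid)."""
        errors = []
        if not 1 <= self.max_retries <= 10:
            errors.append("max-retries keygen-poll must be 1 through 10")
        if not 1 <= self.retry_timer_min <= 30:
            errors.append("retry-timer keygen-poll must be 1 through 30 minutes")
        if self.upgrade_duration_h < 1:
            errors.append("upgrade-duration must be at least 1 hour")
        return errors

    def worst_case_minutes(self) -> int:
        """Longest a single key-generation session can wait before CAPF ends it."""
        return self.max_retries * self.retry_timer_min


def run_keygen_session(settings: CapfSettings, phone_ready_on_poll: Optional[int]) -> dict:
    """Simulate one phone's key-generation state (assumed model, not CAPF internals).

    phone_ready_on_poll: 1-based poll number on which the constructed phone
    returns its key-generation response, or None if it never responds.
    Each poll is guarded by retry_timer_min; on expiry CAPF restarts the timer
    until max_retries is reached and then ends the session.
    """
    problems = settings.validate()
    if problems:
        raise ValueError("; ".join(problems))
    elapsed = 0
    for attempt in range(1, settings.max_retries + 1):
        if phone_ready_on_poll is not None and attempt >= phone_ready_on_poll:
            return {"result": "certificate-issued", "polls": attempt, "minutes": elapsed}
        elapsed += settings.retry_timer_min   # guard timer expired: retry
    return {"result": "session-ended", "polls": settings.max_retries, "minutes": elapsed}


def upgrade_window_open(settings: CapfSettings, hours_since_auth_string: float) -> bool:
    """True while the user can still enter the authentication string (upgrade-duration)."""
    return 0 <= hours_since_auth_string < settings.upgrade_duration_h


if __name__ == "__main__":
    defaults = CapfSettings()
    print("worst case wait per session:", defaults.worst_case_minutes(), "minutes")
    print(run_keygen_session(defaults, None))
    print(run_keygen_session(defaults, 2))
```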


• CAPF Settings and Commands, page 3-13

• Troubleshooting, page 5-1

Installing the Locally Significant Certificate on Supported Phones

After you determine the phone user for the device, you must install the locally significant certificate on the phone.

Timesaver The phone user can perform the following procedure to install the certificate.

Before You Begin

• Verify that you updated the Cisco CTL file with the appropriate CAPF information.

• Verify that the CAPF certificate exists in the certificate folder on the Cisco CallManager server; on the server, browse to C:\Program Files\Cisco\Certificates.

• Verify that you restarted the Cisco CallManager service after the CAPF certificate installation; for information on how to perform this task, refer to the Cisco CallManager Serviceability Administration Guide.

• Verify that the server where you installed CAPF is running and functional. Ensure that the server runs for each certificate installation.

• Verify that a signed image exists on the phone; refer to Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Models 7960G and 7940G.

• Obtain the authentication string that the CAPF workstation/server created during the configuration process.

Tip To determine whether you performed a certificate installation on the phone, issue the command, show status phone all, in the CAPF CLI and press Enter.


Procedure

Step 1 Obtain the CAPF authentication string that was set when the CAPF utility was configured.

Step 2 On the Cisco IP Phone 7960 and 7940, press the Settings button to access the Settings menu.

Step 3 Scroll to the Certificate option; press the Select softkey.

Step 4 Scroll to the Update Certificates option; press the Select softkey.

Step 5 Choose the Auth. String option; press the Select softkey.

The phone prompts you for an authentication string.

Step 6 Enter the authentication string for your phone and press the Validat. softkey.

The phone installs, updates, or removes the certificate, depending on the current CAPF configuration.

Monitor the progress of the certificate installation by viewing the messages in the status line on the phone. When the phone successfully completes the process, the phone displays a successful message. If the phone displays a failure message, you entered the wrong authentication string or did not enable the phone for upgrade; see the “Troubleshooting” section on page 5-1.

At any time, you can stop the process by choosing the Cancel Operation option on the Certificates menu.

You can verify that the certificate installed on the phone by choosing Settings > Model Information and viewing the LSC setting.

Tip The authentication string is for one-time use only.

Related Topics

• System Requirements, page 1-4

• Authentication and Integrity Overview, page 2-2

• Certificate Authority Proxy Function Overview, page 3-2

• CAPF Settings and Commands, page 3-13


• Updating the CTL File, page 2-17

• Upgrading the Locally Significant Certificate on the Phone, page 3-20

• Deleting the Locally Significant Certificate on the Phone, page 3-21

• Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Models 7960G and 7940G

Upgrading the Locally Significant Certificate on the Phone

The CAPF utility does not upgrade certificates that Cisco manufacturing installed on the phone. The utility only upgrades certificates that the CAPF utility or a Cisco-approved, third-party certificate authority issued.

Issuing the appropriate command in the following procedure generates a new authentication string for each phone. The CAPF utility also updates the CSV file with the new information.

Review the “Before You Begin” section on page 3-18 because the requirements apply to upgrading the locally significant certificate.

To upgrade a locally significant certificate on the phone, perform the following procedure:

Procedure

Step 1 Perform one of the following tasks:

• Choose Start > Programs > CAPF.

• On the desktop, double-click the CAPF icon.

Step 2 A Command Line Interface displays. Enter your username, as described in Table 3-1.

Step 3 Enter your password, as described in Table 3-1.

Step 4 At the CAPF prompt, enter the command, set cert upgrade phone <id | all> <value>; press Enter.


Step 5 Perform the procedure in “Installing the Locally Significant Certificate on Supported Phones” section on page 3-18. This procedure applies to upgrading and installing certificates on the phone.

Related Topics

• Certificate Authority Proxy Function Overview, page 3-2

• CAPF Settings and Commands, page 3-13

• Before You Begin, page 3-18

• Installing the Locally Significant Certificate on Supported Phones, page 3-18

• Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Models 7960G and 7940G

Deleting the Locally Significant Certificate on the Phone

The CAPF utility does not delete certificates that Cisco manufacturing installed on the phone. The utility only deletes certificates that the CAPF utility or a Cisco-approved, third-party certificate authority issued.

In the CAPF CLI, you can issue the deletion command, as described in the following procedure:

Procedure

Step 1 Perform one of the following tasks:

• Choose Start > Programs > CAPF.

• On the desktop, double-click the CAPF icon.

Step 2 A Command Line Interface displays. Enter your username, as described in Table 3-1.

Step 3 Enter your password, as described in Table 3-1.


Step 4 At the CAPF prompt, enter the command, set cert delete phone <id | all> <value>; press Enter.

Step 5 If you used a Cisco-approved, third-party certificate authority to issue the certificates, verify that the certificate authority revoked the certificate. Contact the third-party certificate authority vendor for information on how to perform this task.

Related Topics

• Certificate Authority Proxy Function Overview, page 3-2

• CAPF Settings and Commands, page 3-13

• Installing the Locally Significant Certificate on Supported Phones, page 3-18

• Cisco IP Phone Administration Guide for Cisco CallManager, Cisco IP Phone Models 7960G and 7940G


Chapter 4

Phone Hardening

To tighten security on the phone, you can perform tasks in the Phone Configuration window of Cisco CallManager Administration.

This chapter contains information on the following topics:

• Disabling the Gratuitous ARP Setting, page 4-1

• Disabling Web Access Setting, page 4-2

• Disabling the PC Voice VLAN Access Setting, page 4-2

• Disabling the Setting Access Setting, page 4-3

• Disabling the PC Port Setting, page 4-3

• Performing Phone Hardening Tasks, page 4-4

Disabling the Gratuitous ARP Setting

By default, Cisco IP Phones accept Gratuitous ARP, or GARP, packets. GARPs, which are used by devices, announce the presence of the device on the network. However, attackers can use these packets to spoof a valid network device; for example, an attacker could send out a GARP that claims to be the default router. If you choose to do so, you can disable Gratuitous ARP in the Phone Configuration window of Cisco CallManager Administration.

Note Disabling GARP does not prevent the phone from identifying its default router.
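An added example, not from the Cisco guide: a small Python ARP monitor for the voice VLAN that parses raw Ethernet/ARP frames and flags a gratuitous ARP announcing the default router's IP from a MAC other than the one recorded for it, which is the condition the phone-side setting above defends against. The router addresses, the frames and the build_arp_frame helper are constructed sample data for the example.

```python
"""Gratuitous ARP (GARP) monitor for the voice VLAN.

Added illustration, not Cisco code. The phone-side 'Gratuitous ARP' parameter
makes the phone ignore GARPs; this is the complementary network-side check:
parse raw Ethernet II / ARP frames and flag a GARP that announces the default
router's IP from a MAC other than the one the operator recorded for it.
All addresses and frames below are constructed sample data.
"""
from __future__ import annotations

import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> dict | None:
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "opcode": opcode,
        "sender_mac": _mac(frame[22:28]),
        "sender_ip": _ip(frame[28:32]),
        "target_mac": _mac(frame[32:38]),
        "target_ip": _ip(frame[38:42]),
    }


def is_gratuitous(arp: dict) -> bool:
    """A GARP announces the sender's own binding: sender IP equals target IP."""
    return arp["sender_ip"] == arp["target_ip"]


def classify_frame(frame: bytes, known_bindings: dict[str, str]) -> str:
    """Classify one frame against the IP -> MAC bindings the operator trusts (e.g. the default router)."""
    arp = parse_arp(frame)
    if arp is None:
        return "not-arp"
    if not is_gratuitous(arp):
        return "arp-normal"
    expected = known_bindings.get(arp["sender_ip"])
    if expected is None:
        return "garp-unknown-host"
    if expected.lower() == arp["sender_mac"]:
        return "garp-consistent"
    return "garp-conflict"   # another MAC claims a trusted address: alert on this


def build_arp_frame(opcode: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Build a constructed sample broadcast Ethernet/ARP frame (demo and test input only)."""
    def mac_bytes(m: str) -> bytes:
        return bytes(int(x, 16) for x in m.split(":"))

    def ip_bytes(i: str) -> bytes:
        return bytes(int(x) for x in i.split("."))

    eth = b"\xff" * 6 + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


# Constructed sample data: the default router's real binding as recorded by the operator.
ROUTER_IP = "10.10.1.1"
ROUTER_MAC = "00:0b:be:ef:00:01"
KNOWN_BINDINGS = {ROUTER_IP: ROUTER_MAC}


def audit(frames: list[bytes], known_bindings: dict[str, str] = KNOWN_BINDINGS) -> list[str]:
    """Return one verdict per frame, in order; 'garp-conflict' entries are the ones to alert on."""
    return [classify_frame(f, known_bindings) for f in frames]


if __name__ == "__main__":
    sample = [
        build_arp_frame(ARP_REPLY, ROUTER_MAC, ROUTER_IP, ROUTER_MAC, ROUTER_IP),
        build_arp_frame(ARP_REQUEST, "00:0b:be:ef:00:22", "10.10.1.50", "00:00:00:00:00:00", ROUTER_IP),
    ]
    for verdict in audit(sample):
        print(verdict)
```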


Related Topics

• Interactions and Restrictions, page 1-4

• Performing Phone Hardening Tasks, page 4-4

• Cisco IP Phone Administration Guide for Cisco CallManager

Disabling Web Access Setting

Disabling the web server functionality for the phone blocks access to the phone internal web pages, which provide statistics and configuration information. Features, such as Cisco Quality Report Tool, do not function properly without access to the phone web pages. Disabling the web server also affects any serviceability application, such as CiscoWorks, that relies on web access.

Note Phone users cannot access the Cisco User Option Pages if you disable this option.

To determine if the web services are disabled, the phone parses a parameter in the configuration file that indicates whether the services are disabled or enabled. If the web services are disabled, the phone does not open the HTTP port 80 for monitoring purposes and blocks access to the phone internal web pages.

Related Topics

• Interactions and Restrictions, page 1-4

• Performing Phone Hardening Tasks, page 4-4

• Cisco IP Phone Administration Guide for Cisco CallManager

Disabling the PC Voice VLAN Access Setting

By default, Cisco IP phones forward all packets that are received on the switch port (the one that faces the upstream switch) to the PC port. If you choose to disable the PC Voice VLAN Access setting in the Phone Configuration window of Cisco CallManager Administration, packets received from the PC port that use voice VLAN functionality are dropped. This functionality allows a device that is attached to the PC port to use 802.1Q (if available) but not have access to the voice VLAN.


Related Topics

• Interactions and Restrictions, page 1-4

• Performing Phone Hardening Tasks, page 4-4

• Cisco IP Phone Administration Guide for Cisco CallManager

Disabling the Setting Access Setting

By default, pressing the Settings button on a Cisco IP Phone provides access to a variety of information, including phone configuration information. Disabling the Setting Access setting in the Phone Configuration window of Cisco CallManager Administration prohibits access to all options that normally display when you press the Settings button on the phone; for example, the Contrast, Ring Type, Network Configuration, Model Information, and Status settings.

The preceding settings do not display on the phone if you disable the setting in Cisco CallManager Administration. If you disable this setting, the phone user cannot save the settings that are associated with the Volume button; for example, the user cannot save the volume.

Disabling this setting automatically saves the current Contrast, Ring Type, Network Configuration, Model Information, Status, and Volume settings that exist on the phone. To change these phone settings, you must enable the Setting Access Setting in Cisco CallManager Administration.

Related Topics

• Interactions and Restrictions, page 1-4

• Performing Phone Hardening Tasks, page 4-4

• Cisco IP Phone Administration Guide for Cisco CallManager

Disabling the PC Port Setting

By default, Cisco CallManager enables the PC port on all Cisco IP Phones that have a PC port. If you choose to do so, you can disable the PC Port setting in the Phone Configuration window of Cisco CallManager Administration. Disabling the PC port proves useful for lobby or conference room phones.


Related Topics

• Interactions and Restrictions, page 1-4

• Performing Phone Hardening Tasks, page 4-4

• Cisco IP Phone Administration Guide for Cisco CallManager

Performing Phone Hardening Tasks

Caution The following procedure disables functionality for the phone.

Perform the following procedure:

Procedure

Step 1 In Cisco CallManager Administration, choose Device > Phone.

Step 2 Specify the criteria to find the phone and click Find, or click Find without any criteria to display a list of all phones.

Step 3 To open the Phone Configuration window for the device, click the device name.

Step 4 Locate the following product-specific parameters:

• PC Port

• Settings Access

• Gratuitous ARP

• PC Voice VLAN Access

• Web Access

Tip To review information on these settings, click the "i" help button that displays next to the parameters on the Phone Configuration window.


Step 5 From the drop-down list box for each parameter that you want to disable, choose Disabled.

Step 6 Click Update.

Related Topics

• Interactions and Restrictions, page 1-4

• Disabling the Gratuitous ARP Setting, page 4-1

• Disabling Web Access Setting, page 4-2

• Disabling the PC Voice VLAN Access Setting, page 4-2

• Disabling the Setting Access Setting, page 4-3

• Disabling the PC Port Setting, page 4-3


Chapter 5

Troubleshooting

This chapter contains information on the following topics:

• Using Alarms, page 5-2

• Using Microsoft Performance Monitor Counters, page 5-3

• Reviewing the Log Files, page 5-3

• Troubleshooting the Cisco CTL Client, page 5-4

• Troubleshooting the CAPF Utility, page 5-24

Tip This chapter does not describe how to reset the Cisco IP Phone if it has been corrupted by bad loads, security bugs, and so on. For information on resetting the phone, refer to the Cisco IP Phone Administration Guide for Cisco CallManager that matches the model of the phone.

This chapter describes how to delete the CTL file from Cisco IP Phone models 7970, 7960, and 7940 only; for information on how to perform this task, see Table 5-3 or the Cisco IP Phone Administration Guide for Cisco CallManager that matches the model of the phone.


Using Alarms

Cisco CallManager Serviceability generates alarms for the following cases:

• An authenticated device attempts to register by using a non-TLS SCCP connection, or an unauthenticated phone attempts to register by using a TLS SCCP connection.

• The device name in the subject line of the peer certificate does not match the device name that is used for device registration.

• A device attempts to register to Cisco CallManager by using a TLS connection that is not compatible with the Cisco CallManager configuration.

Alarms may get generated on the phone under the following conditions:

• TFTP Not Authorized: <IP address>

The phone generates this alarm when the TFTP server information (alternate or otherwise) does not exist in the CTL file. The phone may issue the alarm twice if DHCP has provided primary and backup server addresses and neither address exists in the CTL file. Verify that you entered the CTL file information correctly and that you configured the DHCP server with the correct address.

• File Auth Failed

The phone may generate this alarm for a variety of reasons; for example, the CTL file appears corrupt. If the CTL file is corrupt, you may need to use a sniffer trace to troubleshoot the network. If you cannot identify the problem, you may need to debug by using a console cable, as described in Cisco IP Phone Administration Guide for Cisco CallManager (available for Cisco IP Phone Models 7970, 7960, and 7940, unless otherwise indicated in the administration documentation that supports your phone model).

Tip For additional alarms that get generated on the phone, refer to the Cisco IP Phone Administration Guide for Cisco CallManager that matches the model of the phone and to the “Troubleshooting the Phone When a Problem Exists with the CTL File” section on page 5-14.


Related Topics

• Cisco CallManager Serviceability Administration Guide

• Cisco CallManager Serviceability System Guide

• Cisco IP Phone Administration Guide for Cisco CallManager

Using Microsoft Performance Monitor Counters

Microsoft Performance Monitor counters exist to monitor the number of authenticated phones that register with Cisco CallManager, the number of authenticated calls that are completed, and the number of authenticated calls that are active at any time.

Related Topics

• Cisco CallManager Serviceability Administration Guide

• Cisco CallManager Serviceability System Guide

Reviewing the Log Files

Before you contact the team that provides technical assistance for this product, for example, your Cisco AVVID Partner or the Cisco Technical Assistance Center (TAC), obtain and review the following log files:

• Cisco CallManager—C:\Program Files\Cisco\Trace\CCM

• TFTP—C:\Program Files\Cisco\Trace\TFTP

• DBL—C:\Program Files\Cisco\Trace\DBL

– C:\Program Files\Cisco\Trace\DBL\DBLR*

– C:\Program Files\Cisco\Trace\DBL\DBLRT*

– C:\Program Files\Cisco\Trace\DBL\DBL_CCM*

– C:\Program Files\Cisco\Trace\DBL\DBL_TFTP*

– C:\Program Files\Cisco\Trace\DBL\DBL_CTLPROVIDER*


• Cisco CallManager SDL Traces—C:\Program Files\Cisco\Trace\SDL\CCM

Tip If the locally significant certificate validation fails, review the SDL trace files.

• CTL Provider Service—C:\Program Files\Cisco\Trace\CTLProvider

• Cisco CTL client—C:\Program Files\Cisco\CTL Client\Trace

By default, the Cisco CTL client installs in C:\Program Files\Cisco\CTL File.

– Cisco CTL plugin installation file—C:\ctlinstall.log

• CAPF utility—C:\Program Files\cisco\capf\Trace\capf.log (or D:\Program Files\capf\Trace\capf.log if the administrator specified a different directory during the installation)

Tip While the CAPF utility is running, if you configure logging for a different file in the CAPF CLI, subsequent logging occurs in that file.

Related Topics

• Authentication, Integrity, and Encryption, page 2-1

• Certificate Authority Proxy Function, page 3-1

Troubleshooting the Cisco CTL Client

This section contains information on the following topics:

• Changing the Security Token Password (Etoken), page 5-5

• Setting the Smart Card Service to Started and Automatic, page 5-6

• Error Messages for the Cisco CTL Client, page 5-7

• Troubleshooting the Phone When a Problem Exists with the CTL File, page 5-14

• Comparing CTL File Versions on the Cisco IP Phone and Server, page 5-17

• Deleting the CTL File on the Cisco IP Phone, page 5-17

• Deleting the CTL File on the Server, page 5-19


• Troubleshooting If You Lose One Security Token (Etoken), page 5-20

• Troubleshooting If You Lose All Security Tokens (Etoken), page 5-21

• Verifying or Uninstalling the Cisco CTL Client, page 5-23

• Verifying the Security Mode for the Cisco CallManager Cluster, page 5-22

Changing the Security Token Password (Etoken)

This administrative password retrieves the private key of the certificate and ensures that the CTL file gets signed. Each security token comes with a default password. You can change the security token password at any time. If the Cisco CTL client prompts you to change the password, you must change the password before you can proceed with the configuration.

To review pertinent information on setting passwords, click the Show Tips button. If you cannot set the password for any reason, review the tips that display.

To change the security token password, perform the following procedure:

Procedure

Step 1 Verify that you have installed the Cisco CTL client on a Windows 2000 server or workstation.

Step 2 If you have not already done so, insert the security token into the USB port on the Windows 2000 server or workstation where you installed the Cisco CTL client.

Step 3 Choose Start > Programs > etoken > Etoken Properties; right-click etoken and choose Change etoken password.

Step 4 In the Current Password field, enter the password that you originally created for the token.

Step 5 Enter a new password.

Step 6 Enter the new password again to confirm it.

Step 7 Click OK.


Related Topics

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Cisco CTL Client Configuration Settings, page 2-20

Setting the Smart Card Service to Started and Automatic

If the Cisco CTL client installation detects that the Smart Card service is disabled, you must set the Smart Card service to automatic and started on the server or workstation where you are installing the Cisco CTL plugin.

Tip You cannot add the security tokens to the CTL file if the service is not set to started and automatic.

After you upgrade the operating system, apply service releases, upgrade Cisco CallManager, and so on, verify that the Smart Card service is started and automatic.

To set the service to started and automatic, perform the following procedure:

Procedure

Step 1 On the server or workstation where you installed the Cisco CTL client, choose Start > Programs > Administrative Tools > Services.

Step 2 From the Services window, right-click the Smart Card service and choose Properties.

Step 3 In the Properties window, verify that the General tab displays.

Step 4 From the Startup type drop-down list box, choose Automatic.

Step 5 Click Apply.

Step 6 In the Service Status area, click Start.


Step 7 Click OK.

Step 8 Reboot the server or workstation and verify that the service is running.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Authentication and Integrity Overview, page 2-2

• Activating the Cisco CTL Provider Service, page 2-7

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Configuring the Devices for Authentication or Encryption, page 2-25

Error Messages for the Cisco CTL Client

Table 5-1 displays the error messages and the corresponding corrective actions for the Cisco CTL client installation.

Table 5-1 Error Messages for CTL Client

Error Message Corrective Action

If you have installed intrusion detection software, you must stop and disable these applications from the Service Control Console before you continue with the Cisco CTL Client installation. Failure to do so could result in unrecoverable errors.

The error message provides the corrective action.


Error 1920: Service ‘Etoksrv’ failed to start. Make sure that the Smart Card service or its dependent services are enabled and you have sufficient privileges on the system. Click Retry to continue.

The error message provides the corrective action.

Invalid Port Number

Make sure that the port number field in the CTL client user interface is not blank.

Invalid range for Port Number

Choose a port number in the range from 0 through 99999.

Invalid HostName or IP Address

Verify that the length of the hostname ranges from 0 through 256 characters.

Invalid Username

Verify that the length of the username ranges from 0 through 256 characters.

User could not be authenticated

Enter a valid username and password.

Please insert a Security Token. Click Ok when done.

Perform the action as stated in the error message.

Please insert another Security Token. Click Ok when done.

Perform the action as stated in the error message.

You have selected to exit the CTL Client application. Are you sure you want to exit?

Choose the option that you want the application to perform.


No CTL File exists on the server but the CallManager Cluster Security Mode is in Secure Mode. For the system to function, you must create the CTL File and set CallManager Cluster to Secure Mode.

When the clusterwide security mode is mixed mode, the CTL file should always exist on the server.

Update the CTL file; see the “Updating the CTL File” section on page 2-17.

There are no Security Tokens in CTL File. You must insert at least 2 security tokens. Select Update CTL File to add security Tokens.

Perform the action as stated in the error message.

Failed to create CTL File on server(s):<LIST_OF_SERVERS>

Make sure that the CTL Provider service is running on all the Cisco CallManager servers that the error message specifies.

Make sure that the Cisco CallManager or TFTP service is running on all the servers that the error message specifies.

Make sure that the alternate TFTP paths are mapped to the correct drives and that the mappings are valid.

Could not Sign CTL File. Possible Reasons:\n1. User cancelled the operation\n2.The security token does not contain signature in valid format.

Verify that you did not press Cancel. Make sure that the Cisco Certificate Authority issued the security token.


The CTL File signature is invalid. The CTL File has been signed with a security token that does not exist in the CTL File.

You must re-create the CTL File. All existing security tokens in the CTL file will be deleted.

The CTL file appears corrupt; re-create the CTL file. See the “Updating the CTL File” section on page 2-17.

The Security Token you have inserted does not exist in the CTL File.

Insert a security token that you previously used to create or update the CTL file.

The Security Token you have inserted already exists in the CTL File.

Insert a security token that you have not used to create or update the CTL file.

The Security Token is not issued by Cisco CA.

Insert a security token that the Cisco Certificate Authority issued.

Cannot run CTL Client from Terminal Services

You must run the CTL client locally.

Could not get Certificates from CallManager <server name>

Perform the following actions:

• Make sure that the CTL Provider service runs on all the Cisco CallManager servers in the cluster.

• Make sure that the Administrator username and password or the super username and password are the same on all servers in the cluster.

• Make sure that you have network connectivity to the server that is specified in the error message; make sure that the server is running.

Error Occurred creating the dialog

Uninstall the Cisco CTL client; reinstall the client.


Could not add CAPF Server

Perform the following actions:

• Verify that the port number for CAPF is correct.

• Verify that the Administrator username and password or the super username and password are the same on all servers in the cluster.

• Verify that you have network connectivity to the server that the error message specifies; make sure that the server is running.

Could not add TFTP Server

If an entry for the alternate TFTP server exists, delete the entry and add it again to the file.

You must insert at least 2 Security Tokens.

Verify that you inserted the appropriate security token; insert the correct security token and complete the configuration tasks.

You must have at least one CallManager server in the cluster.

Verify that the Cisco CallManager service or Cisco TFTP service runs on at least one server in the cluster.

The Security Token currently inserted will be used to sign the CTL File and it does not exist in the CTL File. Please insert the token in the CTL File before you click Finish.

Perform the action as stated in the error message.

Please select an item to delete.

Click on an entry in the CTL file and delete the entry.

You cannot delete Cisco TFTP Servers.

You can delete only alternate TFTP servers.

CAPF Certificate already exists in CTL File.

A CAPF server with the same hostname or IP address already exists in the CTL file. Enter a new CAPF server if you want to add another CAPF server.


Invalid Date Range

Verify the dates in the Valid From and Valid Until fields for the security token.

Delete <CERTIFICATE_ISSUER_NAME>

Click Yes to delete the CTL entry; click No if you do not want to delete the CTL entry.

An Entry for TFTP Server <TFTP_SERVER_NAME> already exists in CTL File

A TFTP server with the same hostname or IP address already exists in the new CTL file. Enter a new TFTP server if you want to add another TFTP server.

Could not get Certificates from CallManager servers because <WINDOWS_SOCKET_REASON>

The error message specifies the reason why the Cisco CallManager server could not obtain the certificate.

Verify that the CTL Provider service runs on all servers in the Cisco CallManager cluster.

Verify that the administrator username and password or the super username and password are the same on all servers in the cluster.

Cannot connect to server <SERVER_NAME> on port <CTLPORT_#>

Perform the following procedure:

1. From Cisco CallManager Administration, choose Service > Service Parameters.

2. Choose the server and the CTL Provider service in which you are connecting to the Cisco CTL client.

3. Verify that the port number in the window matches the port number that exists in the Cisco CTL client.

4. If the ports do not match, update the CTL file. See “Updating the CTL File” section on page 2-17.

5. Verify that you have network connectivity to the server. Configure DNS or add to the hosts file.


The computer is locked. Only administrator can unlock this computer.

When you remove the security token from the USB port, the computer locks because the NT LM Support Security Provider service is running. Perform one of the following tasks:

• If you are not using the NT LM Support Security Provider service, stop and disable the service on the computer.

• Unlock the computer by entering the password that has administrative privileges.

• If a prompt asks you for the security token password, click Cancel in the dialog box; then, unlock the computer by entering the password that has administrative privileges.

You cannot delete this item. You can only delete security tokens, CAPF and alternate TFTP.

You can only delete the types that are specified in the error message.

TFTP certificate already exists in the CTL file.

A TFTP server with the same hostname or IP address already exists in the CTL file. To add a new TFTP server, enter a different hostname or IP address.

Could not get certificate from a CAPF server. Make sure that you are connecting to a CAPF server or the port number is correct and try again.

The error message specifies the corrective action.

You must connect to the Cisco CTL Provider service. Make sure that you are connecting to a CCM server or the port number is correct and try again.

The error message specifies the corrective action.


Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Reviewing the Log Files, page 5-3

Troubleshooting the Phone When a Problem Exists with the CTL File

The errors in Table 5-2 may display on the phone when a problem exists with the CTL file.

To perform the corrective actions in Table 5-2, you must obtain at least one security token that you used to create the original CTL file. If you need to update the CTL file, see the “Updating the CTL File” section on page 2-17.

Table 5-2 CTL File Errors That Affect the Phone

Error Possible Cause Corrective Action

Phone cannot authenticate CTL file.

The security token that signed the updated CTL file does not exist in the CTL file on the phone.

By using at least one security token that exists in the CTL file, update the CTL file.

Phone cannot authenticate any of the configuration files other than the CTL file.

The TFTP entry in the CTL file is wrong, and the security token does not exist in the CTL file.

By using at least one security token that exists in the CTL file, update the TFTP entry in the CTL file.


Phone reports TFTP authorization failure.

Consider the following causes:

• The TFTP address for the phone does not exist in the CTL file.

• If you created a new CTL file with a new TFTP record, the existing CTL file on the phone may not contain a record for the new TFTP server.

By using at least one security token that exists in the CTL file, update the TFTP entry in the CTL file.

If the new CTL file contains different TFTP information than the existing CTL file on the phone, delete the existing CTL file from the phone; see the “Deleting the CTL File on the Cisco IP Phone” section on page 5-17.

Phone does not register with Cisco CallManager.

The CTL file does not contain the correct information for the Cisco CallManager server.

Auto-registration may be enabled.

Verify that auto-registration is disabled.

By using at least one security token that exists in the CTL file, update the Cisco CallManager entries for the CTL file.


Phone does not interact with the correct CAPF server to obtain the locally significant certificate.

A TLS handshake error occurs.

Consider the following causes:

• The CAPF utility runs on a different workstation/server than is specified in the CTL file.

• The CAPF certificate has changed since the last update of the CTL file.

By using at least one security token that exists in the CTL file, update the CAPF IP address or hostname in the CTL file.

Phone does not request signed configuration files.

Consider the following causes:

• The CTL file does not contain any TFTP server entry.

• The CTL file contains a TFTP entry that does not have a certificate with it.

By using at least one of the security tokens that exists in the original CTL file, update the TFTP entry in the CTL file.

When you update the CTL file, verify that you set the Cisco CallManager clusterwide security mode to Mixed Mode.

Related Topics

• System Requirements, page 1-4

• Authentication and Integrity Overview, page 2-2

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Reviewing the Log Files, page 5-3


Comparing CTL File Versions on the Cisco IP Phone and Server

You can identify the version of the CTL file on the phone by calculating its MD5 hash, a cryptographic hash computed over the file contents.

The CTL file option on the phone displays the MD5 hash value. An MD5 application lets you compute the MD5 hash of files on disk. By comparing the hash values of the saved CTL files on disk with the value that the phone displays, you can determine which version is installed on the phone.

After you determine which version of the CTL file exists on the phone, you can run an MD5 check on the server CTL file to verify that the phone uses the correct CTL file.

Tip To obtain an MD5 application, perform a search on the web. Cisco does not recommend or support any MD5 application with Cisco CallManager or the Cisco IP Phone. If you need assistance with the MD5 application, contact the MD5 software vendor directly.
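The comparison described above, as an added example that is not part of the Cisco guide: hash saved copies of CTLFile.tlv with Python's hashlib and match them against the digest read off the phone. The sample file contents and names, and the normalization of the phone display (uppercase, separators), are constructed assumptions; the real CTLFile.tlv is binary and only its bytes matter here.

```python
import hashlib
import os
from typing import Dict, Optional

# Constructed sample "CTL file" contents standing in for saved copies of
# CTLFile.tlv on disk. Short placeholders are used because only the bytes
# matter for the hash comparison.
SAMPLE_CTL_FILES: Dict[str, bytes] = {
    "CTLFile_old.tlv": b"abc",
    "CTLFile_current.tlv": b"hello world",
}


def md5_hex(data: bytes) -> str:
    """MD5 digest of file contents as lowercase hex, the form the phone displays."""
    return hashlib.md5(data).hexdigest()


def normalize_hash(shown: str) -> str:
    """Normalize a hash copied from the phone display.

    Assumption: the display may use uppercase or insert separators; the guide
    does not specify the format, so everything but hex digits is dropped.
    """
    return "".join(ch for ch in shown.lower() if ch in "0123456789abcdef")


def identify_ctl_version(candidates: Dict[str, bytes], phone_hash: str) -> Optional[str]:
    """Return the name of the saved CTL file whose MD5 equals the phone's, or None."""
    target = normalize_hash(phone_hash)
    if len(target) != 32:
        raise ValueError("phone hash must contain 32 hex digits")
    for name, data in candidates.items():
        if md5_hex(data) == target:
            return name
    return None


def phone_matches_server(phone_hash: str, server_ctl: bytes) -> bool:
    """True when the phone holds the CTL file currently on the server."""
    return md5_hex(server_ctl) == normalize_hash(phone_hash)


def load_ctl_files(directory: str) -> Dict[str, bytes]:
    """Read every *.tlv file in a directory of saved CTL file copies."""
    files: Dict[str, bytes] = {}
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(".tlv"):
            with open(os.path.join(directory, name), "rb") as fh:
                files[name] = fh.read()
    return files


if __name__ == "__main__":
    # Constructed value: what the phone's CTL file option would show for the
    # "current" sample above, rendered in uppercase.
    shown_on_phone = "5EB63BBBE01EEED093CB22BB8F5ACDC3"
    print(identify_ctl_version(SAMPLE_CTL_FILES, shown_on_phone))
    print(phone_matches_server(shown_on_phone, SAMPLE_CTL_FILES["CTLFile_old.tlv"]))
```

For real copies, call load_ctl_files on the directory where you keep saved CTL files and pass the value from the phone's CTL file option. MD5 serves here only to tell versions apart; the file's integrity and authenticity rest on the security-token signature, not on this hash. On a FIPS-restricted Python build hashlib.md5 may be refused; Python 3.9 and later accepts usedforsecurity=False for exactly this kind of non-security use.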

Related Topics

• Authentication and Integrity Overview, page 2-2

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Cisco CTL Client Configuration Settings, page 2-20

Deleting the CTL File on the Cisco IP Phone

Caution Cisco recommends that you perform this task in a secure lab environment, especially if you do not plan to delete the CTL file from the Cisco CallManager servers in the cluster.

Delete the CTL file on the Cisco IP Phone if any of the following cases occur:

• You lose all security tokens that signed the CTL file.

• The security tokens that signed the CTL file appear compromised.


• You move a phone out of a secure cluster; for example, to a storage area, to a nonsecure cluster, or to another secure cluster in a different domain.

• You move a phone from an area with an unknown security policy to a secure cluster.

• You change the alternate TFTP server address to a server that does not exist in the CTL file.

To delete the CTL file on the Cisco IP Phone, perform the tasks in Table 5-3.

Related Topics

• System Requirements, page 1-4

• Authentication and Integrity Overview, page 2-2

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Reviewing the Log Files, page 5-3

Table 5-3 Deleting the CTL File on the Cisco IP Phone

Cisco IP Phone Model Tasks

Cisco IP Phones 7960 and 7940

Press **##**2 on the phone where you want to delete the file.

Cisco IP Phone 7970

Perform one of the following methods:

• Unlock the Security Configuration menu, as described in Cisco IP Phone Administration Guide for Cisco CallManager. Under the CTL option, press the Erase softkey.

• Under the Settings menu, press the Erase softkey.

Note Pressing the Erase softkey under the Settings menu deletes other information besides the CTL file. For additional information, refer to the Cisco IP Phone Administration Guide for Cisco CallManager.


Deleting the CTL File on the Server

Delete the CTL file that exists on the server if any of the following cases occur:

• You lose all security tokens that signed the CTL file.

• The security tokens that signed the CTL file appear compromised.

Tip Remember to delete the file from all servers in the cluster where the Cisco CallManager or Cisco TFTP services run.

To delete the CTL file, perform the following procedure:

Procedure

Step 1 Browse to C:\Program Files\Cisco\tftppath (the default location) or to the location where you saved the CTLFile.tlv.

Step 2 Right-click CTLFile.tlv, and choose Delete.

Step 3 Perform this procedure on all servers in the cluster where the Cisco CallManager and Cisco TFTP services run.

Related Topics

• System Requirements, page 1-4

• Authentication and Integrity Overview, page 2-2

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Reviewing the Log Files, page 5-3


Troubleshooting If You Lose One Security Token (Etoken)

If you lose one security token, perform the following procedure:

Procedure

Step 1 Purchase a new security token.

Step 2 Using a token that signed the CTL file, update the CTL file by performing the following tasks:

a. Add the new token to the CTL file.

b. Delete the lost token from the CTL file.

For more information on how to perform these tasks, see the “Updating the CTL File” section on page 2-17.

Step 3 Reset all phones, as described in “Resetting the Devices, Restarting Cisco CallManager Service, or Rebooting the Server/Cluster” section on page 1-9.

Related Topics

• System Requirements, page 1-4

• Authentication and Integrity Overview, page 2-2

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Reviewing the Log Files, page 5-3


Troubleshooting If You Lose All Security Tokens (Etoken)

Tip Perform the following procedure during a scheduled maintenance window because you must reboot all servers in the cluster for the changes to take effect.

If you lose the security tokens and you need to update the CTL file, perform the following procedure:

Procedure

Step 1 On every Cisco CallManager, Cisco TFTP, or alternate TFTP server, browse to the directory where CTLFile.tlv exists.

The default directory is C:\program files\cisco\tftppath. To identify where you stored the CTL file, locate the File Location service parameter for the TFTP service in the Service Parameters window of Cisco CallManager Administration.

Step 2 Delete CTLFile.tlv.

Step 3 Repeat Step 1 and Step 2 for every Cisco CallManager, Cisco TFTP, and alternate TFTP server.

Step 4 Obtain at least two new security tokens.

Step 5 By using the Cisco CTL client, create the CTL File, as described in “Installing the Cisco CTL Client” section on page 2-10 and “Configuring the Cisco CTL Client” section on page 2-12.

Tip If the clusterwide security mode is mixed mode, the Cisco CTL client displays the message “No CTL File exists on the server but the CallManager Cluster Security Mode is in Mixed Mode. For the system to function, you must create the CTL File and set CallManager Cluster to Mixed Mode.” Click OK; then choose Set Call Manager Cluster to Mixed Mode and complete the CTL file configuration.


Step 6 After you create the CTL file on all the servers, delete the CTL file from the phone, as described in “Deleting the CTL File on the Cisco IP Phone” section on page 5-17.

Step 7 Reboot all the servers in the cluster.
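One rule underlies Table 5-2, the lose-one-token procedure and the lose-all-tokens procedure above: a phone accepts an updated CTL file only if it was signed by a security token already recorded in the CTL file the phone holds, which is why losing every token forces you to erase the file from the phone. The following Python model is an added example, not Cisco's code and not the CTLFile.tlv format; the class names, the content digest that stands in for the eToken's certificate-based signature, and the sample token names and hosts are all assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class SecurityToken:
    """A security token (eToken), identified by the certificate name it carries."""
    cert_name: str


@dataclass
class CTLFile:
    """Model of the CTL file: token entries, server entries, and who signed it.

    Assumption: the real file carries a certificate-based signature made with the
    eToken's private key; here the 'signature' is a digest over the entries plus
    the signer name, enough to exercise the trust rule, not real cryptography.
    """
    tokens: List[str]          # cert names of the security tokens recorded in the file
    servers: Dict[str, str]    # entry kind -> host (CallManager, TFTP, CAPF)
    signer: Optional[str] = None
    signature: Optional[str] = None

    def digest(self) -> str:
        body = json.dumps({"tokens": sorted(self.tokens), "servers": self.servers,
                           "signer": self.signer}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()


def sign_ctl(ctl: CTLFile, token: SecurityToken) -> CTLFile:
    """Sign the file. The CTL client refuses a signer that is not in the file (Table 5-1)."""
    if token.cert_name not in ctl.tokens:
        raise ValueError("signing token does not exist in the CTL file")
    ctl.signer = token.cert_name
    ctl.signature = ctl.digest()
    return ctl


class Phone:
    """A phone holding at most one CTL file; its token entries are the trusted signers."""

    def __init__(self, installed: Optional[CTLFile] = None) -> None:
        self.ctl = installed

    def trusted_signers(self) -> Set[str]:
        return set(self.ctl.tokens) if self.ctl else set()

    def accept_update(self, new_ctl: CTLFile) -> bool:
        """Table 5-2 rule: accept a new CTL file only if it is intact and its signer
        is a token recorded in the file already on the phone. A phone with no CTL
        file (new, or after Erase) trusts the first file it receives."""
        if new_ctl.signer is None or new_ctl.signature != new_ctl.digest():
            return False  # unsigned or altered after signing
        if self.ctl is not None and new_ctl.signer not in self.trusted_signers():
            return False  # "Phone cannot authenticate CTL file"
        self.ctl = new_ctl
        return True

    def erase_ctl(self) -> None:
        """The Erase softkey or key sequence from Table 5-3."""
        self.ctl = None


def replace_lost_token(phone: Phone, signer: SecurityToken, lost: str,
                       replacement: SecurityToken) -> bool:
    """Lose-one-token procedure: add the new token, delete the lost one, sign with a
    token still in the file, then push the update to the phone."""
    current = phone.ctl
    tokens = [t for t in current.tokens if t != lost] + [replacement.cert_name]
    updated = sign_ctl(CTLFile(tokens=tokens, servers=dict(current.servers)), signer)
    return phone.accept_update(updated)


def recreate_after_losing_all(phone: Phone, new_tokens: List[SecurityToken],
                              servers: Dict[str, str]) -> bool:
    """Lose-all-tokens procedure: a brand-new CTL file signed by a new token.
    Returns whether the phone accepts it in its current state."""
    fresh = CTLFile(tokens=[t.cert_name for t in new_tokens], servers=dict(servers))
    return phone.accept_update(sign_ctl(fresh, new_tokens[0]))


# Constructed sample data: two original tokens and one cluster's entries.
TOKEN_A = SecurityToken("token-A")
TOKEN_B = SecurityToken("token-B")
SERVERS = {"CallManager": "ccm-pub.example.test", "TFTP": "ccm-pub.example.test",
           "CAPF": "capf.example.test"}


def provision_phone() -> Phone:
    """A phone that already holds the original CTL file, signed by token A."""
    original = CTLFile(tokens=[TOKEN_A.cert_name, TOKEN_B.cert_name], servers=dict(SERVERS))
    return Phone(sign_ctl(original, TOKEN_A))


if __name__ == "__main__":
    phone = provision_phone()
    # Token B is lost: token A still signs, so the phone accepts the update.
    print(replace_lost_token(phone, TOKEN_A, "token-B", SecurityToken("token-C")))
    # All tokens are lost: new tokens are unknown to the phone until its file is erased.
    new_tokens = [SecurityToken("token-X"), SecurityToken("token-Y")]
    print(recreate_after_losing_all(phone, new_tokens, SERVERS))
    phone.erase_ctl()
    print(recreate_after_losing_all(phone, new_tokens, SERVERS))
```

The model also shows why Step 6 of the lose-all procedure erases the phone's file only after the new CTL file exists on all servers: an erased phone trusts the first CTL file it downloads, so the replacement must already be in place on every TFTP server.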

Related Topics

• System Requirements, page 1-4

• Authentication and Integrity Overview, page 2-2

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Reviewing the Log Files, page 5-3

Verifying the Security Mode for the Cisco CallManager Cluster

To verify the security mode for the Cisco CallManager cluster, perform the following procedure:

Procedure

Step 1 From Cisco CallManager Administration, choose System > Enterprise Parameters.

Step 2 Locate the Cluster Security Mode field. If the value in the field displays as 1, you correctly configured the Cisco CallManager cluster for mixed mode.

Related Topics

• System Requirements, page 1-4

• Authentication and Integrity Overview, page 2-2

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12


• Updating the CTL File, page 2-17

• Reviewing the Log Files, page 5-3

Verifying or Uninstalling the Cisco CTL Client

Uninstalling the Cisco CTL client does not delete the CTL file. Likewise, the clusterwide security mode and the CTL file do not change when you uninstall the client. If you choose to do so, you can uninstall the CTL client, install the client on a different Windows 2000 workstation or server, and continue to use the same CTL file.

To verify that the Cisco CTL client is installed, perform the following procedure:

Procedure

Step 1 Choose Start > Control Panel > Add Remove Programs.

Step 2 Double-click Add Remove Programs.

Step 3 To verify that the client is installed, locate Cisco CTL Client.

Step 4 To delete the client, click Remove.

Related Topics

• System Requirements, page 1-4

• Authentication and Integrity Overview, page 2-2

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12

• Updating the CTL File, page 2-17

• Reviewing the Log Files, page 5-3


Determining the Cisco CTL Client Version

To determine which version of the Cisco CTL client you are using, perform the following procedure:

Procedure

Step 1 Perform one of the following tasks:

• Double-click the Cisco CTL Client icon that exists on the desktop.

• Choose Start > Programs > Cisco CTL Client.

Step 2 In the Cisco CTL client window, click the icon in the upper, left corner of the window.

Step 3 Choose About Cisco CTL Client. The version of the client displays.

Related Topics

• Authentication and Integrity Overview, page 2-2

• Installing the Cisco CTL Client, page 2-10

• Configuring the Cisco CTL Client, page 2-12

Troubleshooting the CAPF Utility

This section contains information on the following topics:

• Error Messages for the CAPF Utility, page 5-25

• Verifying or Uninstalling the CAPF Utility, page 5-28

• Troubleshooting If You Incorrectly Enter the Authentication String on the Phone, page 5-29

• Troubleshooting If the Locally Significant Certificate Validation Fails, page 5-29

• Verifying That You Installed the Locally Significant Certificate on the Phone, page 5-30


Error Messages for the CAPF Utility

Table 5-4 displays error messages and corrective actions for the CAPF utility:

Table 5-4 Error Messages for the CAPF Utility

Error Corrective Action

Error listening on socket for phone connection

Configure a new port number for the phone connection.

Error listening on socket for CTL connection

Configure a new port number for the CTL connection.

Failed to load Cert/Private key to SSL lib

Generate key and certificate through the user interface and restart the CAPF server.

No User Credentials available for CAPF login

Enter a username and password that has administrative privileges on the CAPF workstation/server.

Couldn't connect to CCM data base

Check the connectivity to the publisher database server.

Upgrade duration expired for phoneId.

Change upgrade duration through the user interface.

Could not open/read file "CAPF.cer".

Generate certificate through the user interface.

File capfPriv.key/capfPubKey doesn't exist

Generate the key pair through the user interface.

Can not create TLS session

Generate certificate through the user interface and restart the CAPF server.

Couldn't find WinSock.DLL

Verify that the file WinSock.DLL exists in the directory winnt\system32.

Unsupported key size for phone /CAPF

Choose one of the following key sizes: 512, 1024, or 2048.

Could not connect to CTL client.

Verify that the Cisco CTL client uses the CAPF port number that is configured for the CTL connection.


Malloc failed

In the Task Manager, verify the memory and handles for the process. If the usage appears high, reboot the CAPF server.

Unable to get a new SCB

In the Task Manager, verify the memory and handles for the process. If the usage appears high, restart the CAPF server.

Could not open/read file "CAPF.phone"

Generate phone record through the user interface.

Phone displays Timeout message as soon as you enter the authentication string on the phone.

The CAPF CLI may be in Select Mode, as indicated in the title bar of the window. Press Enter in the CLI window. To disable Select Mode, perform the following procedure:

1. Right-click the title bar.

2. Choose Properties > Options.

3. Uncheck the Quick Edit Mode check box and click OK.

CAPF cert file could not be copied to the CCM

Verify the server configuration and the username and password for the server. Ensure that the username and password that is used has administrative privileges in the cluster. Manually copy the certificate to all servers in the cluster, as per the instructions that display in the CAPF CLI.


Phones do not connect to CAPF

Verify that the phone contains a CTL file; verify that the CTL file contains a CAPF entry.

Unknown error occurred.

Issue the command debug capf all and press Enter.

Tip These commands write all traces to C:\Program Files\Cisco\CAPF\capf*.log.

Tip If you need to contact the team that provides technical support for this product, for example, your Cisco AVVID Partner or Cisco Technical Assistance Center (TAC), issue the command show capf all and press Enter. The technical support team may ask for the trace file.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Certificate Authority Proxy Function Overview, page 3-2

• Using CAPF to Generate Phone Certificates, page 3-8

• CAPF Settings and Commands, page 3-13

• Installing the Locally Significant Certificate on Supported Phones, page 3-18


Verifying or Uninstalling the CAPF Utility

Uninstalling the CAPF utility removes all files that exist in the CAPF directory, including certificates and keys. If you uninstall the utility and do not reinstall it, no CAPF functionality exists; that is, certificates do not get issued and certificate requests do not occur on behalf of the phone.

To verify that the CAPF utility is installed, or to uninstall it, perform the following procedure:

Procedure

Step 1 Choose Start > Control Panel > Add Remove Programs.

Step 2 Double-click Add Remove Programs.

Step 3 To verify that the CAPF utility is installed, locate CAPF Utility.

Step 4 To delete the utility, click Remove.

Related Topics

• System Requirements, page 1-4

• Interactions and Restrictions, page 1-4

• Certificate Authority Proxy Function Overview, page 3-2

• Using CAPF to Generate Phone Certificates, page 3-8

• CAPF Settings and Commands, page 3-13

• Installing the Locally Significant Certificate on Supported Phones, page 3-18


Troubleshooting If You Incorrectly Enter the Authentication String on the Phone

If you incorrectly enter the authentication string on the phone, an error displays on the phone. Enter the correct authentication string on the phone.

Related Topics

• Installing the Locally Significant Certificate on Supported Phones, page 3-18

• Using CAPF to Generate Phone Certificates, page 3-8

• CAPF Settings and Commands, page 3-13

Troubleshooting If the Locally Significant Certificate Validation Fails

On the phone, the locally significant certificate validation may fail if the certificate is not the version that CAPF issued, the certificate has expired, the CAPF certificate does not exist on all servers in the cluster, the CAPF certificate does not exist in the CAPF directory, and so on. If the locally significant certificate validation fails, review the SDL trace files and the CAPF trace files for errors.

Related Topics

• Installing the Locally Significant Certificate on Supported Phones, page 3-18

• Using CAPF to Generate Phone Certificates, page 3-8

• CAPF Settings and Commands, page 3-13

• Reviewing the Log Files, page 5-3

• Certificate Authority Proxy Function Overview, page 3-2


Verifying That You Installed the Locally Significant Certificate on the Phone

You can verify that the certificate is installed on the phone by choosing Settings > Model Information and viewing the LSC setting. If the certificate is installed, the LSC setting displays Yes.

Related Topics

• Installing the Locally Significant Certificate on Supported Phones, page 3-18

• Using CAPF to Generate Phone Certificates, page 3-8

• CAPF Settings and Commands, page 3-13


INDEX

A

authentication

configuring devices for 2-25

device security mode configuration settings (table) 2-29

installation 1-10

interactions 1-4

overview 2-2

restrictions 1-4

authentication string 3-2

C

Certificate Authority Proxy Function (CAPF)

authentication string 3-2

authentication string entered incorrectly on phone 5-29

commands (table) 3-13

configuration settings (table) 3-13

configuring 3-8

downloading 3-6

error messages (table) 5-25

installing 3-6

overview 3-2

uninstalling 5-28

upgrading 3-7

verifying 5-28

verifying the locally significant certificate installation 5-30

Cisco CTL client

changing security token password 5-5

comparing CTL files 5-17

configuration settings (table) 2-20

configuring 2-12

deleting CTL file on phone 5-17

deleting CTL file on server 5-19

determining version 5-24

error messages (table) 5-7

installing 2-10

losing all security tokens 5-21

losing one security token 5-20

setting the Smart Card service 5-6

troubleshooting the phone 5-14

uninstalling 5-23

verifying 5-23

verifying security mode 5-22

Cisco IP Phone

authentication string entered incorrectly on phone 5-29

calculating MD5 hash 5-17

configuring hardening 4-4


deleting CTL file 5-17

disabling the GARP setting 4-1

disabling the PC Port setting 4-3

disabling the PC Voice VLAN Access setting 4-2

disabling the Setting Access setting 4-3

disabling the Web Access setting 4-2

troubleshooting for CTL errors 5-14

using MD5 application 5-17

verifying locally significant certificate installation 5-30

CTL client

changing security token password 5-5

comparing CTL files 5-17

configuration settings (table) 2-20

configuring 2-12

deleting CTL file on phone 5-17

deleting CTL file on server 5-19

determining version 5-24

error messages (table) 5-7

installing 2-10

losing all security tokens 5-21

losing one security token 5-20

setting the Smart Card service 5-6

troubleshooting the phone 5-14

uninstalling 5-23

verifying 5-23

verifying security mode 5-22


CTL file

comparing 5-17

deleting entry from 2-24

deleting on phone 5-17

deleting on server 5-19

losing all security tokens 5-21

losing one security token 5-20

updating 2-17

D

device authentication

configuring devices for 2-25

installation 1-10

overview 2-2

document

audience viii

conventions x

organization ix

purpose viii

related documentation ix

documentation

related ix


E

encryption

configuring devices for 2-25

device security mode configuration settings (table) 2-29

installation 1-10

interactions 1-4

overview 2-5

restrictions 1-4

F

file authentication

configuring devices for 2-25

overview 2-2

I

image authentication

overview 2-2

integrity

overview 2-2

IP Phone

authentication string entered incorrectly on phone 5-29

calculating MD5 hash 5-17

configuring hardening 4-4

deleting CTL file 5-17

disabling the GARP setting 4-1


disabling the PC Port setting 4-3

disabling the PC Voice VLAN Access setting 4-2

disabling the Setting Access setting 4-3

disabling the Web Access setting 4-2

troubleshooting for CTL errors 5-14

using MD5 application 5-17

verifying locally significant certificate installation 5-30

L

locally significant certificate

authentication string 3-18

authentication string entered incorrectly on phone 5-29

deleting 3-21

installing 3-18

upgrading 3-20

verifying installation 5-30

M

media encryption

configuring devices for 2-25

installation 1-10

overview 2-5


P

phone

authentication string entered incorrectly on phone 5-29

calculating MD5 hash 5-17

configuring hardening 4-4

deleting CTL file 5-17

disabling the GARP setting 4-1

disabling the PC Port setting 4-3

disabling the PC Voice VLAN Access setting 4-2

disabling the Setting Access setting 4-3

disabling the Web Access setting 4-2

troubleshooting for CTL errors 5-14

using MD5 application 5-17

verifying locally significant certificate installation 5-30

phone hardening

configuring 4-4

disabling the GARP setting 4-1

disabling the PC Port setting 4-3

disabling the PC Voice VLAN Access setting 4-2

disabling the Setting Access setting 4-3

disabling the Web Access setting 4-2


S

security

best practices 1-8

configuration checklist (table) 1-11

Etoken 2-10

installation 1-10

interactions 1-4

rebooting the cluster 1-9

rebooting the server 1-9

resetting devices 1-9

restarting Cisco CallManager service 1-9

restrictions 1-4

system requirements 1-4

terminology 1-2

token 2-10

where to find more information 1-12

signaling authentication

configuring devices for 2-25

installation 1-10

overview 2-2

signaling encryption

configuring devices for 2-25

installation 1-10

overview 2-5

signaling integrity

overview 2-2


T

troubleshooting

alarms 5-2

authentication string entered incorrectly on phone 5-29

deleting CTL file on phone 5-17

deleting CTL file on server 5-19

locally significant certificate validation fails 5-29

log files 5-3

losing all security tokens 5-21

losing one security token 5-20

performance monitor counters 5-3

using MD5 application 5-17
