End-to-end authentication and encryption in Cisco Collaboration
Prerequisites
CUCM Version: 11.5
88X5 series phones
Jabber on-premise / off-premise all set
Unified CM tomcat / tomcat-trust Multi Server Certificate
Tomcat signed by CA and root certificate uploaded as Tomcat and Tomcat-trust
CA-signed CallManager certificate
Root certificate uploaded as CallManager-trust
Provisioning and Registering On-Premise Desk Phones and Clients
Jabber CSF and 8845 phones associated with users
Activating Cisco Certificate Authority Proxy Function (CAPF)
In Cisco Unified Serviceability, choose Tools > Service Activation
Configure desk phones (88x5) for CAPF enrollment via MIC authentication and confirm LSC install indicating successful CAPF enrollment
88x5: (Settings) > Admin settings > Security setup.
Move Unified CM Cluster to Mixed-Mode via CLI (soft e-Token) Method
SSH to the Unified CM
Note: the typed input is hidden; type ‘y’ and press Enter
Verify ctl:
Verify cluster has moved to mixed-mode (Secure Mode) and that the desk phones have downloaded the new CTL.
Change the CUCM Cluster Security from Mixed Mode to Non-Secure Mode with the CLI
This configuration is only for CUCM Release 10.X and later. In order to set the CUCM Cluster Security mode to Non-Secure, enter the utils ctl set-cluster non-secure-mode command on Publisher CLI. After this is complete, restart the TFTP and Cisco CallManager services on all nodes in the cluster that run these services.
Here is sample CLI output that shows the use of the command.
admin:utils ctl set-cluster non-secure-mode
This operation will set the cluster to non secure mode. Do you want to continue? (y/n):
Moving Cluster to Non Secure Mode
Cluster set to Non Secure Mode
Please Restart the TFTP and Cisco CallManager services on all nodes in the cluster that
run these services
admin:
More doc to read : here
Restart Cisco TFTP and Cisco CallManager services
88x5: Navigate to (Settings) > Admin settings > Status > Status messages
Unified CAPF Enrollment for Jabber Client
Sign out of Jabber and sign back in. The Jabber IP phone service will not connect until the user has entered the authentication string and the CAPF enrollment operation has completed.
Create Secure Phone Security Profile and Apply to On-Premise Endpoints
Bulk phone update
88x5: Navigate to (Settings) > Admin settings > Security setup
Confirm Secure Calling (Phone to Phone, Jabber to Phone)
Answer the call at the 8845 and confirm that the encrypted “lock” icon is visible on both the phone and Jabber