Mike Sabo is responsible for Presidio Federal’s IT project delivery across all technologies. He has over a decade of experience consulting with customers as their trusted advisor around all things collaboration.
June 6, 2024
Introduction
As agencies adapt to the increasing security requirements in the federal government, encrypting VoIP traffic remains a critical necessity to maintain a robust security posture and comply with stringent standards such as STIG Guidelines.
When encryption is enabled in a CUCM cluster, it’s important to consider the requirements for Media Termination Points (MTP) and conferencing resources. This document will provide the step-by-step process for securing MTP and conference resources in CUCM and in Cisco IOS.
Scope
This document outlines the configuration required for IOS routers and CUCM to enable the use of secure local conference bridges and MTPs.
Caveats and Assumptions
It is assumed that the CUCM cluster is fully configured for end-to-end SRTP and is in mixed mode. TCP port 2443 must also be open on any firewalls between the IOS router and CUCM. The host names and IP addresses used in this document are for illustrative purposes only.
Versions Used
The following software versions were used in the tested configuration. Other versions and configurations may work but are not covered in this document. For support with those versions, please refer to the respective documentation.
Cisco UCM – 15.0.1.100000-32
Cisco IOS XE – 17.9.4a
Solution Overview – IOS Router
Prerequisites:
- IOS XE Version needs to be above 16.6 (earlier versions do not allow TLS 1.0 to be disabled, which is a requirement of STIGs).
- Available router DSP resources.
- TCP connectivity is required (Open port 2443 on any transit firewall).
- The IOS router must have the Security and UCK9 licenses installed.
The Cisco CUCM certificates must be signed and uploaded into the correct trust stores. If Cisco is managing your certificates, no further action is needed. If you are using your own internal CA, refer to the following guide to sign and upload CUCM certificates: https://community.cisco.com/t5/collaboration-voice-and-video/cucm-uploading-ccmadmin-web-gui-certificates/ta-p/3120166
- The following must be configured on the IOS router:
- clock timezone <timezone>
- platform ipsec fips-mode
- ntp server x.x.x.x
- On the CUCM cluster, verify that the Root CA and any subordinate CA certificates that will be signing the IOS router certificate have been imported to the trust store and associated with the following services: CallManager-trust, Tomcat-trust, Phone-CTL-trust.
You can find the services associated with the Root CA and subordinates by navigating to System > Security > Certificate Management and clicking on the “Find Certificate” button.
This will display a list of the trusted root certificate authorities and any subordinate CAs that have been uploaded or generated. From there, you can view details about each CA, including the services or nodes that are associated with their certificates.
Configure IOS Router IOS PKI:
- Create an exportable 2048-bit modulus RSA key pair, one each for conferencing and MTP:
crypto key generate rsa general-keys modulus 2048 exportable label <label>
For example:
crypto key generate rsa general-keys modulus 2048 exportable label IOS-HW-CFB
crypto key generate rsa general-keys modulus 2048 exportable label IOS-HW-MTP
Verify the key pairs with the IOS CLI command show crypto key mypubkey rsa.
- Create a trust point for the IOS router:
Conference Bridge:
crypto pki trustpoint IOS-HW-CFB
enrollment terminal pem
subject-name CN=IOS-HW-CFB <- This must match the CM conference bridge name!
serial-number none
fqdn none
ip-address none
revocation-check none
rsakeypair IOS-HW-CFB
Media Termination Point:
crypto pki trustpoint IOS-HW-MTP
enrollment terminal pem
subject-name CN=IOS-HW-MTP <- This must match the CM media termination point name!
serial-number none
fqdn none
ip-address none
revocation-check none
rsakeypair IOS-HW-MTP
- In the example below, the certificate was signed by a Root CA. If a Subordinate CA signs the certificate instead, a trust point for the Root CA must be created before proceeding, and the Subordinate CA certificate is used in the following commands. Each resource (CFB and MTP) requires its own certificate to register correctly. Authenticate the Root CA certificate that will sign the CFB and MTP Certificate Signing Requests (CSRs) by pasting the entire contents of the certificate file into the terminal (open the certificate in a text editor to copy it).
Conference Bridge:
crypto pki authenticate IOS-HW-CFB
After you paste in the contents, press ENTER to proceed. Type yes to accept the certificate.
Media Termination Point:
crypto pki authenticate IOS-HW-MTP
After you paste in the contents, press ENTER to proceed. Type yes to accept the certificate.
- Generate a CSR for the CFB to be submitted to the CA for signing, and answer yes to display the CSR's contents on the terminal:
crypto pki enroll IOS-HW-CFB
Copy the text including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST into a text file and save with the proper name.
Generate a CSR for the MTP to be submitted to the CA for signing, and answer yes to display the CSR's contents on the terminal:
crypto pki enroll IOS-HW-MTP
Copy the text including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines into a text file and save it with the proper name.
- Sign both CSRs with the proper Certificate Authority (CA). The certificate needs to be issued from a template that includes both the Server Authentication and Client Authentication purposes:
- Import certificates after they have been issued:
crypto pki import IOS-HW-CFB certificate
After you paste in the contents, you will need to press ENTER to proceed.
crypto pki import IOS-HW-MTP certificate
After you paste in the contents, you will need to press ENTER to proceed.
- The certificate status can be verified by issuing:
show crypto pki certificates IOS-HW-CFB
show crypto pki certificates IOS-HW-MTP
- Next, create a trust point for the CUCM Root CA. Authenticate the Root CA certificate that signed the CUCM server CSRs by pasting the entire contents of the certificate file into the terminal (open the certificate in a text editor to copy it).
(Note: there may be multiple certificates in the chain; for simplicity, you only need to add the top-level Root CA certificate provided by Cisco.)
crypto pki trustpoint DST-RootCA-X3
enrollment terminal
revocation-check none
crypto pki authenticate DST-RootCA-X3
This completes the IOS PKI section.
Configuring Secure SCCP
Configure the following SCCP configuration:
voice-card 0/2
dsp services dspfarm
sccp local Port-channel10.11 <— Choose the proper CUCM-facing interface
sccp ccm 10.100.0.151 identifier 1 priority 1 version 7.0+
sccp ccm 10.100.1.152 identifier 2 priority 2 version 7.0+
sccp
sccp ccm group 1
bind interface Port-channel10.11 <— Choose the proper CUCM-facing interface
associate ccm 1 priority 1
associate ccm 2 priority 2
associate profile 2 register IOS-HW-MTP <— Must match cert name
associate profile 1 register IOS-HW-CFB <— Must match cert name
keepalive timeout 10
switchover method immediate
switchback method graceful
signaling dscp cs6
!
dspfarm profile 1 conference security
description LOCAL CONFERENCING RESOURCES
trustpoint IOS-HW-CFB <— Must match trustpoint name created
no codec g729br8 <— Optional – remove unused codecs
no codec g729r8 <— Optional – remove unused codecs
no codec g729abr8 <— Optional – remove unused codecs
no codec g729ar8 <— Optional – remove unused codecs
no codec g711alaw <— Optional – remove unused codecs
tls-version v1.2
maximum sessions 20 <— Based on DSP resources
associate application SCCP
no shut
!
dspfarm profile 2 mtp security
description LOCAL MTP RESOURCES
trustpoint IOS-HW-MTP <— Must match trustpoint name created
codec g711ulaw
codec pass-through
tls-version v1.2
maximum sessions hardware 50 <— Based on DSP resources
associate application SCCP
no shut
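The SCCP and dspfarm configuration above depends on three names agreeing: the subject CN in the crypto pki trustpoint, the trustpoint referenced by the dspfarm profile, and the name in the sccp ccm group's associate profile N register line (which must also be the device name in CUCM). A mismatch in any one of them produces an unregistered resource that is tedious to chase by eye. The following Python script is an added example, not code from the original page or from Cisco: it parses a running-config and reports every secure dspfarm profile whose names, security keyword or tls-version are inconsistent. The sample config is constructed from the page's own illustrative names; the parsing is a simple indentation-based split that assumes standard IOS show running-config layout.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed IOS running-config built from the page's own
# illustrative names (not captured from a real router).
SAMPLE_CONFIG = """\
crypto pki trustpoint IOS-HW-CFB
 enrollment terminal pem
 subject-name CN=IOS-HW-CFB
 revocation-check none
 rsakeypair IOS-HW-CFB
!
crypto pki trustpoint IOS-HW-MTP
 enrollment terminal pem
 subject-name CN=IOS-HW-MTP
 revocation-check none
 rsakeypair IOS-HW-MTP
!
sccp ccm group 1
 bind interface Port-channel10.11
 associate ccm 1 priority 1
 associate ccm 2 priority 2
 associate profile 2 register IOS-HW-MTP
 associate profile 1 register IOS-HW-CFB
!
dspfarm profile 1 conference security
 trustpoint IOS-HW-CFB
 tls-version v1.2
 associate application SCCP
!
dspfarm profile 2 mtp security
 trustpoint IOS-HW-MTP
 tls-version v1.2
 associate application SCCP
"""


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (top-level line, [indented sub-lines]) blocks."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # skip blank lines and '!' separators
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def check_secure_media_config(config: str) -> List[str]:
    """Return findings; an empty list means every dspfarm profile is a secure
    profile on TLS 1.2 whose trustpoint CN equals its SCCP register name."""
    trustpoint_cn: Dict[str, str] = {}    # trustpoint label -> subject CN
    profiles: Dict[str, dict] = {}        # dspfarm profile id -> attributes
    register: Dict[str, str] = {}         # profile id -> 'register' name

    for header, body in parse_sections(config):
        if header.startswith("crypto pki trustpoint "):
            cn = ""
            for line in body:
                m = re.match(r"subject-name\s+CN\s*=\s*([^,]+)", line, re.I)
                if m:
                    cn = m.group(1).strip()
            trustpoint_cn[header.split()[-1]] = cn
        elif header.startswith("dspfarm profile "):
            parts = header.split()        # dspfarm profile <id> <type> [security]
            prof = {"secure": "security" in parts[4:], "trustpoint": "", "tls": ""}
            for line in body:
                if line.startswith("trustpoint "):
                    prof["trustpoint"] = line.split()[1]
                elif line.startswith("tls-version "):
                    prof["tls"] = line.split()[1]
            profiles[parts[2]] = prof
        elif header.startswith("sccp ccm group "):
            for line in body:
                m = re.match(r"associate profile (\d+) register (\S+)", line)
                if m:
                    register[m.group(1)] = m.group(2)

    findings: List[str] = []
    for pid, prof in sorted(profiles.items()):
        where = f"dspfarm profile {pid}"
        if not prof["secure"]:
            findings.append(f"{where}: missing the 'security' keyword, so it is not a secure resource")
        if prof["tls"] != "v1.2":
            findings.append(f"{where}: tls-version is '{prof['tls'] or 'unset'}', expected v1.2")
        tp = prof["trustpoint"]
        if not tp:
            findings.append(f"{where}: no trustpoint configured")
            continue
        if tp not in trustpoint_cn:
            findings.append(f"{where}: trustpoint {tp} is not defined under crypto pki")
            continue
        name = register.get(pid)
        if name is None:
            findings.append(f"{where}: no 'associate profile {pid} register <name>' in the sccp ccm group")
            continue
        if trustpoint_cn[tp] != name:
            findings.append(f"{where}: certificate CN '{trustpoint_cn[tp]}' does not match SCCP register name '{name}'")
    return findings


if __name__ == "__main__":
    for finding in check_secure_media_config(SAMPLE_CONFIG) or ["config is consistent"]:
        print(finding)
```

Run it against the output of show running-config saved to a file (read the file into check_secure_media_config) before opening a TAC case; each finding names the profile and the exact line group that disagrees.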
Solution Overview – CUCM
The following examples show how to configure the conference bridge and MTP resources within CUCM.
Conference Bridge Configuration
From the CUCM Administration page, go to Media Resources > Conference Bridge.
Choose Add New:
Type will be Cisco IOS Enhanced Conference Bridge. The Conference Bridge Name must be the name used in the certificate and SCCP configuration (IOS-HW-CFB in this example), and Device Security Mode must be Encrypted Conference Bridge:
Click Save
Media Termination Point Configuration
From the CUCM Administration page, go to Media Resources > Media Termination Point.
Choose Add New:
Type will be Cisco IOS Enhanced Software Media Termination Point. The MTP Name must be the name used in the certificate and SCCP configuration (IOS-HW-MTP in this example).
Click Save
Media Resource Groups and Group Lists
Add the new resources to the proper Media Resource Groups (MRG) and Media Resource Group Lists (MRGL). For more information on MRGs and MRGLs, please refer to this document:
Verification
From the IOS router CLI, issue show sccp; the state should be Active.
In CUCM, go to Media Resources > Conference Bridge and find the new CFB. It will show as registered to the IP address of the router.
In CUCM, go to Media Resources > Media Termination Point and find the new MTP. It will show as registered to the IP address of the router.
Troubleshooting
If the MTP or CFB becomes unregistered:
- Verify SCCP is running by issuing a show sccp command on the router.
- Restart SCCP by issuing no sccp followed by sccp.
- Verify the CFB and MTP dspfarm profiles are not shut down.
- Verify the certificates and that the names match.
- Verify the certificates are correct and not expired by issuing show crypto pki certificates IOS-HW-CFB or show crypto pki certificates IOS-HW-MTP.
- TAC Debug Commands:
debug sccp message
debug sccp error
debug sccp event
debug sccp tls
debug credentials
debug ssl openssl errors
debug ssl openssl ext
debug ssl openssl msg
debug ssl openssl states
debug crypto pki validation
debug crypto pki transactions
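Both the verification step (show crypto pki certificates) and the troubleshooting checklist above come down to reading the same command output and confirming three things: an identity certificate is actually imported for the trustpoint (not just the CA certificate), its subject CN equals the resource name, and the validity window covers the router's current time. The script below is an added example, not code from the original page or from Cisco: it parses the output of show crypto pki certificates and reports those conditions, including an early warning before expiry so the certificate can be renewed before the CFB or MTP drops its registration. The sample output is constructed to follow the IOS layout, with made-up serials, CA name and dates; the current time is passed in as an ISO 8601 UTC string so the check is reproducible.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample output modelled on "show crypto pki certificates
# IOS-HW-CFB" (serials, CA name and dates are made up for the example).
SAMPLE_SHOW = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 4F2A1C
  Certificate Usage: General Purpose
  Issuer:
    cn=Example Internal Root CA
  Subject:
    Name: IOS-HW-CFB
    cn=IOS-HW-CFB
  Validity Date:
    start date: 14:05:11 UTC Mar 4 2024
    end   date: 14:05:11 UTC Mar 4 2026
  Associated Trustpoints: IOS-HW-CFB

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=Example Internal Root CA
  Subject:
    cn=Example Internal Root CA
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2020
    end   date: 00:00:00 UTC Jan 1 2030
  Associated Trustpoints: IOS-HW-CFB
"""

# IOS prints validity as 'HH:MM:SS <zone> Mon D YYYY'; the zone token is skipped.
_DATE_RE = re.compile(r"(\d{1,2}:\d{2}:\d{2})\s+\S+\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})")


def _parse_ios_date(line: str) -> Optional[datetime]:
    m = _DATE_RE.search(line)
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %b %d %Y")


def parse_show_crypto_pki_certificates(output: str) -> List[Dict]:
    """Split the command output into one dict per certificate block."""
    certs: List[Dict] = []
    section = ""
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():            # 'Certificate' / 'CA Certificate' header
            certs.append({"kind": raw.strip(), "status": "", "subject_cn": "",
                          "issuer_cn": "", "start": None, "end": None, "trustpoints": []})
            section = ""
            continue
        if not certs:
            continue
        cur, line = certs[-1], raw.strip()
        if line.startswith("Status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line in ("Issuer:", "Subject:", "Validity Date:"):
            section = line[:-1]
        elif line.startswith("Associated Trustpoints:"):
            cur["trustpoints"] = line.split(":", 1)[1].split()
            section = ""
        elif section in ("Issuer", "Subject") and line.lower().startswith("cn="):
            cur["issuer_cn" if section == "Issuer" else "subject_cn"] = line[3:].strip()
        elif section == "Validity Date" and line.startswith("start date:"):
            cur["start"] = _parse_ios_date(line)
        elif section == "Validity Date" and line.startswith("end"):
            cur["end"] = _parse_ios_date(line)
    return certs


def check_identity_certificate(output: str, resource_name: str, as_of: str,
                               warn_days: int = 30) -> List[str]:
    """Check the identity certificate behind a secure CFB/MTP trustpoint.

    as_of is the router's current UTC time as ISO 8601, e.g. '2025-01-15T12:00:00'.
    An empty result means the certificate is Available, the CN matches the
    resource name, and the current time is inside the validity window."""
    now = datetime.fromisoformat(as_of)
    identity = [c for c in parse_show_crypto_pki_certificates(output)
                if c["kind"] == "Certificate" and resource_name in c["trustpoints"]]
    if not identity:
        return [f"{resource_name}: no identity certificate imported for this trustpoint"]
    findings: List[str] = []
    for c in identity:
        if c["status"] != "Available":
            findings.append(f"{resource_name}: status is '{c['status']}', expected Available")
        if c["subject_cn"] != resource_name:
            findings.append(f"{resource_name}: subject CN '{c['subject_cn']}' does not match the resource name")
        if c["start"] is None or c["end"] is None:
            findings.append(f"{resource_name}: could not parse validity dates")
        elif now < c["start"]:
            findings.append(f"{resource_name}: certificate not yet valid (starts {c['start']})")
        elif now > c["end"]:
            findings.append(f"{resource_name}: certificate expired on {c['end']}")
        elif c["end"] - now < timedelta(days=warn_days):
            findings.append(f"{resource_name}: certificate expires within {warn_days} days ({c['end']})")
    return findings


if __name__ == "__main__":
    print(check_identity_certificate(SAMPLE_SHOW, "IOS-HW-CFB", "2025-01-15T12:00:00")
          or ["IOS-HW-CFB: certificate OK"])
```

Feed it the captured output for each trustpoint (IOS-HW-CFB and IOS-HW-MTP) together with the time from show clock; a "no identity certificate" finding is the typical sign that the crypto pki import step was skipped or failed, while a CN mismatch points back at the subject-name line of the trustpoint.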