Configuring Secure Hardware Conferencing

This blog is one of five dealing with the encryption of various Cisco UC devices. This particular piece deals with setting up Secure Hardware Conferencing. The other blogs in this series are Configuring Calling Encryption Between Cisco IP Phones, Configuring Calling Encryption Between Cisco IP Phones and Cisco Unity Connection, Configuring CUCM with Secure LDAP,  and Configuring a Secure Voice Gateway. The information in the LDAP article stands on its own, but the steps herein must be followed after following the steps in the article dealing with encryption on phones. This is because the CTL client must be run before any of the following steps can be completed.

The operations detailed in these blogs may not be the final word on all of the ins and outs of configuring the items. However, we discovered that there are very few, or no, articles dealing with these subjects written by someone who has actually performed the tasks. We, therefore, felt it would be a service to offer information about the steps that worked for us in our specific set of circumstances (particularly since we, apparently, fell into most of the traps).

Comments are certainly welcome, and we will be happy to update these blogs if need be.

Unlike the other configurations, secure conferencing requires the voice gateway to generate a certificate and that certificate must be installed on all servers. By the same token, certificates must be generated by CUCM servers that are imported into the voice gateways.

By the way, if you have one of the new G2 ISRs you’ll discover that you can’t do all of the following configurations unless the router has a security license.  Having the correct IOS is no longer enough.  A license must be loaded into flash, installed, and active.  Contact your friendly neighborhood Cisco guy or gal for guidance.

1. The first steps in the configuration of secure conferencing are the same as the steps required to configure secure calls as detailed in the article “Configuring Calling Encryption Between Cisco IP Phones.”
2. The next step is to download the CallManager certificates from the Publisher and from all Subscribers. Go into the OS Administration GUI on each of the servers, and select Security > Certificate Management. Select the certificate named CallManager.pem and take a look at the name in the “CN=” field. Write down the name exactly as it’s listed. If it’s called “server1” write that down. If it’s called “server1.verybigco.com”, write that down.
3. Click the “Download” button and download the certificate. Remember to get the CallManager certificates from the Publisher and all Subscribers.
4. Before going any further, it’s a good idea to consider the name of the voice gateway. When dealing with certificates in general, making sure that all names match is critical. A technician at TAC even stated that the case of the name makes a difference. So if the voice gateway’s hostname is “verybiggw”, the RSA keys should be named “verybiggw”, the trustpoint needs to be “verybiggw”, and everything else that has anything to do with cryptography from the router’s point of view has to be called “verybiggw” too.
5. The first actual piece of configuration deals with generating an RSA key on the router.  Type:
   verybiggw(config)# crypto key generate rsa general-keys label verybiggw modulus 1024
6. Next, create a trustpoint for the certificate, configure enrollment for it, and associate the RSA key to the trustpoint. Type:
   verybiggw(config)# crypto pki trustpoint verybiggw
   verybiggw(ca-trustpoint)# enrollment selfsigned
   verybiggw(ca-trustpoint)# rsakeypair verybiggw
7. The next configurations are optional, but recommended. They set the certificate to have no domain name, and ensure there is no check to see if the certificate has been revoked. It does, however, put the name of the router in the subject of the certificate. Type:
   verybiggw(ca-trustpoint)# fqdn none
   verybiggw(ca-trustpoint)# revocation-check none
   verybiggw(ca-trustpoint)# subject-name CN=verybiggw
8. The next configuration enrolls the certificate. Type:
   verybiggw(config)# crypto pki enroll verybiggw
9. When this command is issued, it asks if a router serial number is desired in the subject name and if an IP address is desired in the subject name. It’s suggested that the answer to each of these questions should be “no”. The next question however, will be whether a certificate should be generated, and the answer to that question should be “yes”.
10. Even though it has been mentioned already, it’s worth pointing out again that the name of the router “verybiggw” has been used throughout this exercise. This is a rule to which one must pay attention.
11. The next step is something that is very unusual. Open Wordpad (this actually is easier if Wordpad is the text editor that’s used) and set it off to the side. On the router, issue the command that will print the self-signed certificate to the screen:
    verybiggw(config)# crypto pki export verybiggw pem terminal
    The command will display both a self-signed CA certificate, and a General Purpose certificate. As it turns out, these are both the same. Copy either one of the certificates all of the way from
    —–BEGIN CERTIFICATE—–
    Through all of the numbers and letters and then through
    —–END CERTIFICATE—–
    Make sure you get the “—–BEGIN CERTIFICATE——” and the “—–END CERTIFICATE——” included in the copied information, otherwise the certificate won’t be read correctly. Remember, also, that only one of the displayed certificates must be copied. Paste the copied information to the text editor. Save the file using the name of the router and a “.pem” extension (e.g. verybiggw.pem). Make sure to use the exact name of the router (case sensitive).
12. Still on the voice gateway, create a trustpoint for each certificate from each CUCM server that was downloaded earlier. The following example will only show one trustpoint, but remember that this is something that will probably have to be done multiple times. Pay attention to names and cases. This is when the name of the servers written down in step 2 are required. Assuming that the name of the Publisher is “server1.verybigco.com”, the configurations will be:
    verybiggw(config)# crypto pki trustpoint server1
    verybiggw(ca-trustpoint)# enrollment terminal pem
    verybiggw(ca-trustpoint)# subject-name CN=server1.verybigco.com
    verybiggw(ca-trustpoint)# revocation-check none
    Notice that the trustpoint name is the only place where the entire domain name of the server is not required. The first part of the name (the server name itself), however, must still be exact.  Also, the second command may be just “enrollment terminal” depending on your IOS.  Do a “?” and see what options your have.  Regardless, you want “enrollment terminal pem” to show up in a running-config.
    If another trustpoint needs to be created, use the configuration “crypto pki trustpoint server2” (or whatever the name of the other server is) and create its trustpoint. And so on, and so on.
13. Open another instance of Wordpad and use it to look at the certificate(s) copied from the server(s) in step 3. The certificate(s) will look very much like the ones(s) generated on-screen by the voice gateway. In other words, there will be a bunch of numbers and letters preceded by —–BEGIN CERTIFICATE—– and succeeded by —–END CERTIFICATE—–. Copy the entire chunk of information. Then go back into the gateway’s CLI and issue the following command (again, assuming the name of the Publisher is “server1”):
    verybiggw(config)# crypto ca authenticate server1
    When the command is issued, a prompt will appear asking that the certificate be entered. Paste everything that was copied from the server certificate into the CLI, hit Enter, type “quit” (without the quotes) and hit Enter again. Information about the certificate will be displayed and a question will be asked about whether or not the certificate should be accepted. Say “yes”. The gateway should say that the certificate has been successfully imported. Issue the above command with the server name for each server, and – when prompted – copy the certificate from that server into the router.
14. Now it’s time to configure the conference bridge. This works basically the same as normal, but there are a couple of pitfalls. Start with the voice-card. Type:
    verybiggw(config)# voice-card 0
    verybiggw(config-voicecard)# dsp services dspfarm
15. Next is the profile. Notice the extra configuration at the end as well as the fact that one needs to bind it to the local trustpoint:
    verybiggw(config)# dspfarm profile 1 conference security
    verybiggw(config-dspfarm-profile)# trustpoint verybiggw
    verybiggw(config-dspfarm-profile)# maximum sessions 4
    verybiggw(config-dspfarm-profile)# associate application SCCP
    verybiggw(config-dspfarm-profile)# no shut
16. Configure SCCP, but add the CUCM trustpoint (notice in this example “version 7.0” is the version of CUCM we used, the version that’s specific to the environment is what should be entered):
    verybiggw(config)# sccp local gigabitEthernet 0/0
    verybiggw(config)# sccp ccm 10.1.1.1 identifier 1 version 7.0 trustpoint server1
    verybiggw(config)# sccp
17. Configure the SCCP Group and register the name of the conference bridge. This is something that trips up a lot of people. Normally, the name that is used for registration can be just about anything. However, certificates are being used, and certificates care a lot about nomenclature. Therefore, the name that’s used here must match the trustpoint, the router name, and everything else.
    verybiggw(config)# sccp ccm group 1
    verybiggw(config)# bind interface gigabitEthernet0/0
    verybiggw(config)# associate ccm 1 priority 1
    verybiggw(config)# associate profile 1 register verybiggw
18. At this point, the voice gateway configuration is complete, and it’s time to move on to CUCM. Start by getting into the OS Administration GUI and going to Security > Manage Certificates.
19. Upload the certificate(s) created from the router (in the example it was verybiggw.pem). These certificates need to be uploaded as “CallManager-trust” certificates. Leave the “Root Certificate” line blank.
20. Next, configure the conference bridge within CUCM. Get into the CM Administration GUI and to go Media Resources > Conference Bridge > Add New.
21. From the drop-down select “IOS Enhanced Conference Bridge”.
22. Enter the conference bridge name. This is the name put into the router in the line “associate profile 1” (in the example the line was “associate profile 1 register verybiggw”, so the name we entered was “verybiggw”). Most of the rest is the usual configuration stuff; however, in the Device Security Mode area, select Encrypted Conference Bridge.
23. Click Save, and hope to heck that the bridge registers. If it doesn’t, it’s almost always a problem with the names used everywhere. Double-check spelling and case.
24. Use the secure conference bridge(s) in the same way one would use a regular conference bridge. Put the bridge(s) into a Media Resource Group and put the group into a Media Resource List. Then assign the MRGL in the way that one would normally do so.
25. Test secure conferencing by setting up a conference using secure phones. Once in a conference, the padlock should still be displayed next to the caller ID. One non-secure participant will make the entire conference non-secure. Once the conference is set up, it’s also possible to go to the CLI of the router and issue the command “ show dspfarm dsp active”. The TYPE column should show something like: “s-conf 1” where the “s” stands for a secure conference.