You are currently viewing Cisco IOS Secure Gateway Deployment with CA Signed Certificates – Part 2 (Gateway Secure SCCP Media Resources)

Cisco IOS Secure Gateway Deployment with CA Signed Certificates – Part 2 (Gateway Secure SCCP Media Resources)

Introduction

Following on from my previous blog post, this post covers the installation of Gateway Certificates via SCEP and then the configuration for Secure SCCP Resources.

Cisco IOS Gateway Certificate Installation

The following procedure will do the following:
  • Generate an RSA key-pair for the Gateway
  • Install the Root CA Certificate to the local Trustpoint
  • Enroll with the CA Root and install the local identity certificate.
First, configure a hostname and domain name for the Gateway. This is needed to generate the RSA Key-Pair (You’ll get an error when trying to generate a key if you haven’t configured both of these).
 router#conf t  
 router(config)#hostname VOICEGW1  
 VOICEGW1(config)#ip domain name mydomain.com  
Next generate a set of RSA keys. I have used 2048 bit keys. You should use at a bare minimum 1024 bit keys.
 VOICEGW1(config)#crypto key gen rsa modulus 2048  
Browse to the Microsoft SCEP URL to get the challenge password and thumbprint of the CA. If you see the message “This password can be used multiple times and will not expire” then it means you have successfully enabled the “Use Single Password”option in the NDES Registry configuration. Otherwise it will be a password that can only be used for a single use. By default I believe Microsoft NDES stores up to 5 passwords that can be used in 60 minutes, so if you’re rolling out more gateways than this you may want to look at the previous post and adjust the registry entries there.



Next, create a Trustpoint for the Gateway. There are several configuration options where I have selected “none”. By defining these options in the Trustpoint, you prevent the need to interactively select them when you actually authenticate / enroll the trustpoint, making for a much simpler “copy / paste” config.

Note: The password and thumbprint must match the password you obtained from the MSCEP Admin page above (with no spaces).

VOICEGW1(config)#crypto pki trustpoint VOICEGW1  
VOICEGW1(ca-trustpoint)#enrollment retry count 3  
VOICEGW1(ca-trustpoint)#enrollment retry period 5  
 VOICEGW1(ca-trustpoint)#enrollment mode ra  
 VOICEGW1(ca-trustpoint)#enrollment url http://CAROOT:80/certSrv/mscep/mscep.dll  
 VOICEGW1(ca-trustpoint)#serial-number none  
 VOICEGW1(ca-trustpoint)#fqdn none  
 VOICEGW1(ca-trustpoint)#ip-address none  
 VOICEGW1(ca-trustpoint)#password <PASSWORD>  
 VOICEGW1(ca-trustpoint)#fingerprint <FINGERPRINT>  
 VOICEGW1(ca-trustpoint)#subject-name CN=VOICEGW1.mydomain.com  
 VOICEGW1(ca-trustpoint)#revocation-check none  
 VOICEGW1(ca-trustpoint)#exit  
 VOICEGW1(config)#  




Authenticate the Trustpoint. This will communicate with the Root CA via the enrollment URL and if the presented fingerprint matches the Trustpoint configuration, it will install the Root CA certificate under that trustpoint.

 VOICEGW1(config)#crypto pki authenticate VOICEGW1  
 May 17 13:15:52.568: CRYPTO_PKI: Certificate Request Fingerprint MD5: 2029FBCC 39DC1396 B06C2392 39DC1396  
 May 17 13:15:52.568: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 598AED73 EB9384A1 61AFDD82 C00769DD 1984EA23  
 May 17 13:16:06.517: %PKI-6-CERTRET: Certificate received from Certificate Authority  



Enrol with the CA. If the password matches the “challenge enrollment” password for the Microsoft NDES service, the CA will issue a new certificate using the “Voice Gateway” template we created earlier.


 crypto pki enroll VOICEGW1  
 %  
 % Start certificate enrollment ..  
 % The subject name in the certificate will include: CN=VOICEGW1.mydomain.com  
 % Certificate request sent to Certificate Authority  
 % The 'show crypto pki certificate verbose VOICEGW1' command will show the fingerprint.  
 May 17 14:16:40: CRYPTO_PKI: Certificate Request Fingerprint MD5: 2029FBCC 39DC1396 B06C2392 39DC1396  
 May 17 14:16:40: CRYPTO_PKI: Certificate Request Fingerprint SHA1:  
 598AED73 EB9384A1 61AFDD82 C00769DD 1984EA23  
 May 17 14:16:55: %PKI-6-CERTRET: Certificate received from Certificate Authority  



Very Important: If you’re configuring a Secure Conference Bridge, the X509 name (i.e. the subject-name) in the certificate you’re presenting MUST match the registered name of the Conference Bridge. This means, if you’re generating a certificate subject-name based on the FQDN of your Gateway, your Conferencing Resource in CUCM will also need to be the hostname, or registration will fail. If you’re dead-set on using a different name (if you want to follow a naming standard for your media resources), you’ll need to create a second trustpoint just for the conference bridge resource. Fortunately, secure transcoder and software mtp resources do not have this restriction – the registered name can be whatever you want (under 15 characters).

Here is an example configuration for a second trustpoint, using a different name for your conference bridge resource.

 VOICEGW1(config)#crypto pki trustpoint VOICEGW1_CFB  
 VOICEGW1(ca-trustpoint)#enrollment retry count 3  
 VOICEGW1(ca-trustpoint)#enrollment retry period 5  
 VOICEGW1(ca-trustpoint)#enrollment mode ra  
 VOICEGW1(ca-trustpoint)#enrollment url http://CAROOT:80/certSrv/mscep/mscep.dll  
 VOICEGW1(ca-trustpoint)#serial-number none  
 VOICEGW1(ca-trustpoint)#fqdn none  
 VOICEGW1(ca-trustpoint)#ip-address none  
 VOICEGW1(ca-trustpoint)#password <PASSWORD>  
 VOICEGW1(ca-trustpoint)#fingerprint <FINGERPRINT>  
 VOICEGW1(ca-trustpoint)#subject-name CN=VOICEGW1_CFB  
 VOICEGW1(ca-trustpoint)#revocation-check none  
 VOICEGW1(ca-trustpoint)#exit  
 VOICEGW1(config)#crypto pki authenticate VOICEGW1_CFB  
 VOICEGW1(config)#crypto pki enrol VOICEGW1_CFB  

Configure Media Resources on CUCM

First, create the resources on CUCM, otherwise you’ll be trying to register resources that don’t exist which will be rejected, and you’ll later need to stop and restart SCCP to get them registered.
To create a Media Termination Point go to CUCM Administration > Media Resources > Media Termination Point and click Add New.  I also selected the Trusted Relay Point, which is commonly used to enforce QoS policy on Softphones or to hide endpoint addresses from each other.
To create a Secure Conference Bridge, go to CUCM Administration > Media Resources > Conference Bridge and click Add New.  
Be sure to select the Cisco IOS Enhanced Conference Bridge and Encrypted Conference Bridge
To create a Secure Transcoder, go to CUCM Administration > Media Resources > Transcoder and click Add New.

Configure Cisco IOS Media Resources

Next is the actual media resources configuration. First you’ll need to define a list of CUCM servers to register with, then create some dspfarm profiles and finally associate them with a CCM group.
First enable dspfarm services so that you can actually create dspfarm profiles.
 VOICEGW1(config)#voice-card 0  
 VOICEGW1(config-voicecard)#dsp services dspfarm  
Next define your SCCP Interface (you could use a Loopback here, however I’ve just used the physical interface address) and CCM Group, and associate the profile names. These profile names must match what you’ve configured in CUCM.

Note: When defining the CUCM addresses, you can also specify a specific trustpoint. This would be common if you still had self-signed CallManager certs which were manually installed onto your Gateway as another trustpoint. In my experience, it seems if you don’t specify anything here the Gateway will search all configured trustpoints to authenticate your CUCM servers.

 VOICEGW1(config)#sccp local GigabitEthernet0/0  
 VOICEGW1(config)#sccp ccm 10.1.1.1 identifier 1 version 7.0+  
 VOICEGW1(config)#sccp ccm 10.1.1.2 identifier 2 version 7.0+  
 VOICEGW1(config)#sccp  
 !  
 VOICEGW1(config)#sccp ccm group 1  
 VOICEGW1(config-sccp-ccm)#bind interface GigabitEthernet0/0  
 VOICEGW1(config-sccp-ccm)#associate ccm 1 priority 1  
 VOICEGW1(config-sccp-ccm)#associate ccm 2 priority 2  
 VOICEGW1(config-sccp-ccm)#associate profile 100 register VOICEGW1_CFB  
 VOICEGW1(config-sccp-ccm)#associate profile 200 register VOICEGW1_MTP  
 VOICEGW1(config-sccp-ccm)#associate profile 300 register VOICEGW1_XCODE  
 VOICEGW1(config-sccp-ccm)#switchback method graceful  
 !  
Finally, setup your DSP Farm Profiles and use a “no shutdown”. Your session count will be dependent on how many PVDM resources you have. There are a few sizing guides which can provide guidance here when using FLEX mode, but that’s another topic by itself that I won’t be covering here.
 VOICEGW1(config)#dspfarm profile 100 conference security  
 VOICEGW1(config-dspfarm-profile)#trustpoint VOICEGW1_CFB  
 VOICEGW1(config-dspfarm-profile)#codec g711ulaw  
 VOICEGW1(config-dspfarm-profile)#codec g711alaw  
 VOICEGW1(config-dspfarm-profile)#maximum sessions 4  
 VOICEGW1(config-dspfarm-profile)#associate application SCCP  
 VOICEGW1(config-dspfarm-profile)#no shutdown  
 !  
 VOICEGW1(config-dspfarm-profile)#dspfarm profile 200 mtp security  
 VOICEGW1(config-dspfarm-profile)#trustpoint VOICEGW1  
 VOICEGW1(config-dspfarm-profile)#codec g711ulaw  
 VOICEGW1(config-dspfarm-profile)#codec pass-through  
 VOICEGW1(config-dspfarm-profile)#maximum sessions software 50  
 VOICEGW1(config-dspfarm-profile)#associate application SCCP  
 VOICEGW1(config-dspfarm-profile)#no shutdown  
 !  
 VOICEGW1(config-dspfarm-profile)#dspfarm profile 300 transcode security  
 VOICEGW1(config-dspfarm-profile)#trustpoint VOICEGW1  
 VOICEGW1(config-dspfarm-profile)#codec g729abr8  
 VOICEGW1(config-dspfarm-profile)#codec g729ar8  
 VOICEGW1(config-dspfarm-profile)#codec g711alaw  
 VOICEGW1(config-dspfarm-profile)#codec g711ulaw  
 VOICEGW1(config-dspfarm-profile)#maximum sessions 4  
 VOICEGW1(config-dspfarm-profile)#associate application SCCP  
 VOICEGW1(config-dspfarm-profile)#no shutdown  
 !  
If all went well, when you do a show sccp  you should see everything correctly registered with ACTIVE. If you get “TCP_CONN_ERR” even after several seconds of restarting SCCP, then there’s probably some certificate issues. Other messages such as register reject will likely be a difference in configuration between CUCM and the Gateway. I found debug sccp tls to be quite a useful command.

Next Steps….

The final post in this series covers configuring SIP TLS between CUCM and your IOS Gateway.