Introduction
Following on from my previous blog post, this post covers the installation of Gateway Certificates via SCEP and then the configuration for Secure SCCP Resources.
The following procedure will do the following:
- Generate an RSA key-pair for the Gateway
- Install the Root CA Certificate to the local Trustpoint
- Enroll with the CA Root and install the local identity certificate.
First, configure a hostname and domain name for the Gateway. This is needed to generate the RSA Key-Pair (You’ll get an error when trying to generate a key if you haven’t configured both of these).
router#conf t
router(config)#hostname VOICEGW1
VOICEGW1(config)#ip domain name mydomain.com
Next generate a set of RSA keys. I have used 2048 bit keys. You should use at a bare minimum 1024 bit keys.
VOICEGW1(config)#crypto key gen rsa modulus 2048
Browse to the Microsoft SCEP URL to get the challenge password and thumbprint of the CA. If you see the message “This password can be used multiple times and will not expire” then it means you have successfully enabled the “Use Single Password”option in the NDES Registry configuration. Otherwise it will be a password that can only be used for a single use. By default I believe Microsoft NDES stores up to 5 passwords that can be used in 60 minutes, so if you’re rolling out more gateways than this you may want to look at the previous post and adjust the registry entries there.
Next, create a Trustpoint for the Gateway. There are several configuration options where I have selected “none”. By defining these options in the Trustpoint, you prevent the need to interactively select them when you actually authenticate / enroll the trustpoint, making for a much simpler “copy / paste” config.
Note: The password and thumbprint must match the password you obtained from the MSCEP Admin page above (with no spaces).
VOICEGW1(config)#crypto pki trustpoint VOICEGW1
VOICEGW1(ca-trustpoint)#enrollment retry count 3
VOICEGW1(ca-trustpoint)#enrollment retry period 5
VOICEGW1(ca-trustpoint)#enrollment mode ra
VOICEGW1(ca-trustpoint)#enrollment url http://CAROOT:80/certSrv/mscep/mscep.dll
VOICEGW1(ca-trustpoint)#serial-number none
VOICEGW1(ca-trustpoint)#fqdn none
VOICEGW1(ca-trustpoint)#ip-address none
VOICEGW1(ca-trustpoint)#password <PASSWORD>
VOICEGW1(ca-trustpoint)#fingerprint <FINGERPRINT>
VOICEGW1(ca-trustpoint)#subject-name CN=VOICEGW1.mydomain.com
VOICEGW1(ca-trustpoint)#revocation-check none
VOICEGW1(ca-trustpoint)#exit
VOICEGW1(config)#
Authenticate the Trustpoint. This will communicate with the Root CA via the enrollment URL and if the presented fingerprint matches the Trustpoint configuration, it will install the Root CA certificate under that trustpoint.
VOICEGW1(config)#crypto pki authenticate VOICEGW1
May 17 13:15:52.568: CRYPTO_PKI: Certificate Request Fingerprint MD5: 2029FBCC 39DC1396 B06C2392 39DC1396
May 17 13:15:52.568: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 598AED73 EB9384A1 61AFDD82 C00769DD 1984EA23
May 17 13:16:06.517: %PKI-6-CERTRET: Certificate received from Certificate Authority
Enrol with the CA. If the password matches the “challenge enrollment” password for the Microsoft NDES service, the CA will issue a new certificate using the “Voice Gateway” template we created earlier.
crypto pki enroll VOICEGW1
%
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=VOICEGW1.mydomain.com
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose VOICEGW1' command will show the fingerprint.
May 17 14:16:40: CRYPTO_PKI: Certificate Request Fingerprint MD5: 2029FBCC 39DC1396 B06C2392 39DC1396
May 17 14:16:40: CRYPTO_PKI: Certificate Request Fingerprint SHA1:
598AED73 EB9384A1 61AFDD82 C00769DD 1984EA23
May 17 14:16:55: %PKI-6-CERTRET: Certificate received from Certificate Authority
Very Important: If you’re configuring a Secure Conference Bridge, the X509 name (i.e. the subject-name) in the certificate you’re presenting MUST match the registered name of the Conference Bridge. This means, if you’re generating a certificate subject-name based on the FQDN of your Gateway, your Conferencing Resource in CUCM will also need to be the hostname, or registration will fail. If you’re dead-set on using a different name (if you want to follow a naming standard for your media resources), you’ll need to create a second trustpoint just for the conference bridge resource. Fortunately, secure transcoder and software mtp resources do not have this restriction – the registered name can be whatever you want (under 15 characters).
Here is an example configuration for a second trustpoint, using a different name for your conference bridge resource.
VOICEGW1(config)#crypto pki trustpoint VOICEGW1_CFB
VOICEGW1(ca-trustpoint)#enrollment retry count 3
VOICEGW1(ca-trustpoint)#enrollment retry period 5
VOICEGW1(ca-trustpoint)#enrollment mode ra
VOICEGW1(ca-trustpoint)#enrollment url http://CAROOT:80/certSrv/mscep/mscep.dll
VOICEGW1(ca-trustpoint)#serial-number none
VOICEGW1(ca-trustpoint)#fqdn none
VOICEGW1(ca-trustpoint)#ip-address none
VOICEGW1(ca-trustpoint)#password <PASSWORD>
VOICEGW1(ca-trustpoint)#fingerprint <FINGERPRINT>
VOICEGW1(ca-trustpoint)#subject-name CN=VOICEGW1_CFB
VOICEGW1(ca-trustpoint)#revocation-check none
VOICEGW1(ca-trustpoint)#exit
VOICEGW1(config)#crypto pki authenticate VOICEGW1_CFB
VOICEGW1(config)#crypto pki enrol VOICEGW1_CFB
Configure Media Resources on CUCM
First, create the resources on CUCM, otherwise you’ll be trying to register resources that don’t exist which will be rejected, and you’ll later need to stop and restart SCCP to get them registered.
To create a Media Termination Point go to CUCM Administration > Media Resources > Media Termination Point and click Add New. I also selected the Trusted Relay Point, which is commonly used to enforce QoS policy on Softphones or to hide endpoint addresses from each other.
To create a Secure Conference Bridge, go to CUCM Administration > Media Resources > Conference Bridge and click Add New.
Be sure to select the Cisco IOS Enhanced Conference Bridge and Encrypted Conference Bridge
To create a Secure Transcoder, go to CUCM Administration > Media Resources > Transcoder and click Add New.
Configure Cisco IOS Media Resources
Next is the actual media resources configuration. First you’ll need to define a list of CUCM servers to register with, then create some dspfarm profiles and finally associate them with a CCM group.
First enable dspfarm services so that you can actually create dspfarm profiles.
VOICEGW1(config)#voice-card 0
VOICEGW1(config-voicecard)#dsp services dspfarm
Next define your SCCP Interface (you could use a Loopback here, however I’ve just used the physical interface address) and CCM Group, and associate the profile names. These profile names must match what you’ve configured in CUCM.
Note: When defining the CUCM addresses, you can also specify a specific trustpoint. This would be common if you still had self-signed CallManager certs which were manually installed onto your Gateway as another trustpoint. In my experience, it seems if you don’t specify anything here the Gateway will search all configured trustpoints to authenticate your CUCM servers.
VOICEGW1(config)#sccp local GigabitEthernet0/0
VOICEGW1(config)#sccp ccm 10.1.1.1 identifier 1 version 7.0+
VOICEGW1(config)#sccp ccm 10.1.1.2 identifier 2 version 7.0+
VOICEGW1(config)#sccp
!
VOICEGW1(config)#sccp ccm group 1
VOICEGW1(config-sccp-ccm)#bind interface GigabitEthernet0/0
VOICEGW1(config-sccp-ccm)#associate ccm 1 priority 1
VOICEGW1(config-sccp-ccm)#associate ccm 2 priority 2
VOICEGW1(config-sccp-ccm)#associate profile 100 register VOICEGW1_CFB
VOICEGW1(config-sccp-ccm)#associate profile 200 register VOICEGW1_MTP
VOICEGW1(config-sccp-ccm)#associate profile 300 register VOICEGW1_XCODE
VOICEGW1(config-sccp-ccm)#switchback method graceful
!
Finally, setup your DSP Farm Profiles and use a “no shutdown”. Your session count will be dependent on how many PVDM resources you have. There are a few sizing guides which can provide guidance here when using FLEX mode, but that’s another topic by itself that I won’t be covering here.
VOICEGW1(config)#dspfarm profile 100 conference security
VOICEGW1(config-dspfarm-profile)#trustpoint VOICEGW1_CFB
VOICEGW1(config-dspfarm-profile)#codec g711ulaw
VOICEGW1(config-dspfarm-profile)#codec g711alaw
VOICEGW1(config-dspfarm-profile)#maximum sessions 4
VOICEGW1(config-dspfarm-profile)#associate application SCCP
VOICEGW1(config-dspfarm-profile)#no shutdown
!
VOICEGW1(config-dspfarm-profile)#dspfarm profile 200 mtp security
VOICEGW1(config-dspfarm-profile)#trustpoint VOICEGW1
VOICEGW1(config-dspfarm-profile)#codec g711ulaw
VOICEGW1(config-dspfarm-profile)#codec pass-through
VOICEGW1(config-dspfarm-profile)#maximum sessions software 50
VOICEGW1(config-dspfarm-profile)#associate application SCCP
VOICEGW1(config-dspfarm-profile)#no shutdown
!
VOICEGW1(config-dspfarm-profile)#dspfarm profile 300 transcode security
VOICEGW1(config-dspfarm-profile)#trustpoint VOICEGW1
VOICEGW1(config-dspfarm-profile)#codec g729abr8
VOICEGW1(config-dspfarm-profile)#codec g729ar8
VOICEGW1(config-dspfarm-profile)#codec g711alaw
VOICEGW1(config-dspfarm-profile)#codec g711ulaw
VOICEGW1(config-dspfarm-profile)#maximum sessions 4
VOICEGW1(config-dspfarm-profile)#associate application SCCP
VOICEGW1(config-dspfarm-profile)#no shutdown
!
If all went well, when you do a show sccp you should see everything correctly registered with ACTIVE. If you get “TCP_CONN_ERR” even after several seconds of restarting SCCP, then there’s probably some certificate issues. Other messages such as register reject will likely be a difference in configuration between CUCM and the Gateway. I found debug sccp tls to be quite a useful command.
Next Steps….
The final post in this series covers configuring SIP TLS between CUCM and your IOS Gateway.
