Using the CTL Client

The Cisco CTL client software, available as a plug-in application on Cisco CallManager Administration, is used to create or update the Certificate Trust List (CTL). The CTL is a list of the trusted certificates in the CallManager cluster. When the list is accurate, the Cisco CTL client will ensure that the CTL is signed by the keys of the Cisco CTL client. These keys are stored on an external Universal Serial Bus (USB) devicethe security token. When the CTL needs to be signed, the Cisco CTL client passes the CTL to the security token, and the security token signs it and then returns the signed CTL to the Cisco CTL client application. The Cisco CTL client is needed in these situations:

• For the initial activation of security in your cluster
• For the deactivation or reactivation of security in your cluster
• After modifying Cisco CallManager or Cisco TFTP server configuration (which includes adding, removing, renaming, or restoring a server or changing the IP address or hostname of a server)
• After adding or removing a security token (due to theft or loss)
• After replacing or restoring a Cisco CallManager or Cisco TFTP server

In all the situations listed, the Cisco CTL client creates a new CTL and signs it by using a security token. The Cisco IP Phones load the new CTL and are then aware of the changes to the IP telephony system. Any changes that are not reflected in the CTL (for instance, if you change the IP address of a server but do not create a new CTL using the Cisco CTL client application) cause the Cisco IP Phones to treat the corresponding device as untrusted. From this perspective, the CTL can be seen as the certificate root store of your browser (listing all trusted certificate-issuing entities). If any device that was previously trusted is not trustworthy anymore (for instance, when a security token is lost), there is no need for a certificate revocation list (CRL). Instead, you will use the Cisco CTL client and update the CRL by removing the untrusted entry (for instance, a lost security token) from the list.

Installing the CTL Client

The Cisco CTL client application can be installed on any PC running Microsoft Windows 2000 or XP Workstation or Microsoft Windows 2000 or 2003 Server, as long as the PC has at least one Universal Serial Bus (USB) port. This device can be any Cisco CallManager server in your cluster or any client PC.

The Cisco CTL client application is installed from the Cisco CallManager Administration Install Plugins window. You can accomplish the installation just by walking through a simple wizard, as shown in Figure 27-2. During installation, you are prompted for the destination folder; you can set any directory of your choice or simply accept the default.

Figure 27-2. Installing the CTL Client

The Smart Card service has to be activated on the PC. To activate the Smart Card service under Microsoft Windows 2000, choose Start > Settings > Control Panel > Administrative Tools > Services to launch the Microsoft services administration tool. Then use the tool to verify the status of the Smart Card service. The service should have the startup type of Automatic and the Current Status should be Running.

After you have installed the CTL Client, you can access it from the icon automatically placed on your desktop. Initially, it will ask for the CallManager server information for the cluster, as shown in Figure 27-3.

Figure 27-3. Configuring the CTL Client

After entering the CallManager server information and successfully authenticating, you can either set the cluster security mode or update the CTL file. A Cisco CallManager cluster supports two security modes:

• Mixed mode This mode allows secure calls between two security-enabled devices and allows nonsecure calls between devices where at least one of the devices is not security-enabled.
• Nonsecure mode This is the default configuration, in which all calls are nonsecure.

Note

There is no secure-only mode. This setting would prevent Cisco IP Phones without security enabled from placing calls. Many Cisco IP Phones do not support security features and would not be able to operate in a secure-only environment.

In addition to setting the cluster security mode, you use the Cisco CTL client to update the CTL file. This update is needed after adding or removing components, such as servers or security tokens. After changing the list of CTL entries, you need to sign the new CTL using a security token.

Working with Locally Significant Certificates