Secure SRST | SRST and MGCP Gateway Fallback

CallManager supports secure communication with IP phones. SRST 3.3 added support for secure communication when an IP phone is registered to an SRST router. The security features include support for authentication, integrity, and media encryption. Authentication assures to one device that the other device is who it claims to be. Integrity assures that the data exchanged between two devices has not been altered. Media encryption provides a level of confidentiality by scrambling the data so that only the intended recipient can read it.

Configuring Secure SRST

Follow these steps to configure Secure SRST:

Step 1.

Configure a certification authority (CA).

To support secure communications, the network must have a CA server. The CA server can be a Cisco IOS certificate server or a third-party server. Example 13-13 illustrates how to configure a Cisco IOS certificate server.

Example 13-13. Configuring a Cisco IOS Certificate Server

CA_Rtr#config t
!
! Enable the certificate server
!
CA_Rtr(config)#crypto pki server srstca
CA_Rtr(cs-server)#database level minimum
CA_Rtr(cs-server)#database url nvram
CA_Rtr(cs-server)#issurer-name CN=srstca
CA_Rtr(cs-server)#grant auto
*May 2 16:51:12.664: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be
automatically granted.
CA_Rtr(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:MiamiSRST

Re-enter password:MiamiSRST
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.
CA_Rtr(cs-server)#
*May 2 16:53:45.800: %SSH-5-ENABLED: SSH 1.99 has been enabled
*May 2 16:53:47.288: %PKI-6-CS_ENABLED: Certificate server now enabled.

Note

The password entry, MiamiSRST, is shown in the example for illustration purposes. The password you type will not be visible.

The database level command sets what type of data is stored in the certificate database. The default is minimal, which stores the minimal information to continue issuing new certificates. The other options are names, which adds the serial number and name of each certificate, and complete, which writes each certificate issued. If you use the complete option, you should store the data on an external TFTP server. The database url command specifies where the database entries will be stored. The default is flash memory, but it is recommended that you store the entries in nvram.

Step 2.

Autoenroll and authenticate the Secure SRST router to the CA server.

The SRST router must obtain a device certificate from the CA server. Example 13-14 illustrates the procedure for enrolling the Secure SRST router to a Cisco IOS certificate server. If you are using a third-party certificate server, you need to cut and paste in the certificate or use TFTP.

Example 13-14. Autoenroll the Secure SRST Router
[View full width] Miami#config t Miami(config)#crypto pki trustpoint srst Miami(ca-trustpoint)#enrollment url http://10.1.10.1 Miami(ca-trustpoint)#revocation-check none Miami(ca-trustpoint)#exit Miami(config)#crypto pki authenticate srst ! ! Note: The crypto pki authenticate command is not necessary if the ! IOS CA server is configured on the SRST router. ! Certificate has the following attributes: Fingerprint MD5: 4C324B3D 71ABD56F 54532FE7 782D2C4A Fingerprint SHA1: 5C3B6B9E EFA40927 9DF6A826 58DA618A BF39F291 % Do you accept this certificate? [yes/no]: y Trustpoint CA certificate accepted. Miami(config)#crypto pki enroll srst % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: MiamiSRST Re-enter password: MiamiSRST % The fully-qualified domain name in the certificate will be: Miami .cisco.com % The subject name in the certificate will be: Miami.cisco.com % Include the router serial number in the subject name? [yes/no]: Y % The serial number in the certificate will be: D0B9E79C % Include an IP address in the subject name? [no]: n Request certificate from CA? [yes/no]: y % Certificate request sent to Certificate Authority % Certificate request sent to file system % The 'show crypto ca certificate srst verbose' command will show the fingerprint. Miami(config)#Writing file to flash:srst.req May 2 18:54:53.843: CRYPTO_PKI: Certificate Request Fingerprint MD5: E7DE5ADE 1C9FE495 543783C0 85D369A4 May 2 18:54:53.843: CRYPTO_PKI: Certificate Request Fingerprint SHA1: C008A45 7 8FBFD73A E48E7232 AED19BD1 A857C47A Miami(config)#end

After you enroll the SRST router with the CA server, enter the no auto grant command on the Cisco IOS certificate server. You must shut down the certificate server to turn off auto grant.

Step 3.

Enable credentials service on the SRST router.

Enabling credentials service allows CallManager to retrieve the device certificate of the SRST router and place it in the IP phone configuration files. Example 13-15 illustrates how to enable credentials service.

Example 13-15. Enabling Credentials Service
Miami#conf t Miami(config)#credentials Miami(config-credentials)#ip source address 10.10.25.1 Miami(config-credentials)#trustpoint srst Miami(config-credentials)#end

The ip source address is a local address on the SRST router that you will use as the source address when communicating with CallManager. You can also modify the port number for retrieving certificates by using the port option on the ip source address command. The default port is 2445.

Step 4.

Import phone certificate files.

For the SRST router to authenticate the IP phones, it must retrieve the certificate of the phone. The SRST router must manually import the phone certificates. The certificates required vary by phone model and version of CallManager you are running. Example 13-16 illustrates importing a certificate for 7960 phones with CallManager 4.1.3. Prior to entering the SRST configuration, you should obtain the appropriate certificates on CallManager. The certificates are stored in C:Program FilesCiscoCertificates and have a .0 extension. Open the appropriate certificate with WordPad and copy the contents between "-BEGIN CERTIFICATE-" and "-END CERTIFICATE-".

Example 13-16. Importing Phone Certificate Files

Miami#config
Miami(config)#crypto pki trustpoint 7960
Miami(ca-trustpoint)#revocation-check none
Miami(ca-trustpoint)#enrollment terminal
Miami(ca-trustpoint)#exit
Miami(config)#crypto pki authenticate 7960

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

MIIDqDCCApCgAwIBAgIQNT+yS9cPFKNGwfOprHJWdTANBgkqhkiG9w0BAQUFADAu
MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRQwEgYDVQQDEwtDQVAtUlRQLTAwMjAe
Fw0wMzEwMTAyMDE4NDlaFw0yMzEwMTAyMDI3MzdaMC4xFjAUBgNVBAoTDUNpc2Nv
IFN5c3RlbXMxFDASBgNVBAMTC0NBUC1SVFAtMDAyMIIBIDANBgkqhkiG9w0BAQEF
AAOCAQ0AMIIBCAKCAQEAxCZlBK19w/2NZVVvpjCPrpW1cCY7V1q9lhzI85RZZdnQ
2M4CufgIzNa3zYxGJIAYeFfcRECnMB3f5A+x7xNiEuzE87UPvK+7S80uWCY0Uhtl
AVVf5NQgZ3YDNoNXg5MmONb8lT86F55EZyVac0XGne77TSIbIdejrTgYQXGP2MJx
Qhg+ZQlGFDRzbHfM84Duv2Msez+l+SqmqO80kIckqE9Nr3/XCSj1hXZNNVg8D+mv
Hth2P6KZqAKXAAStGRLSZX3jNbS8tveJ3Gi5+sj9+F6KKK2PD0iDwHcRKkcUHb7g
lI++U/5nswjUDIAph715Ds2rn9ehkMGipGLF8kpuCwIBA6OBwzCBwDALBgNVHQ8E
BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUpIr4ojuLgmKTn5wLFal
mrTUm5YwbwYDVR0fBGgwZjBkoGKgYIYtaHR0cDovL2NhcC1ydHAtMDAyL0NlcnRF
bnJvbGwvQ0FQLVJUUC0wMDIuY3Jshi9maWxlOi8vXFxjYXAtcnRwLTAwMlxDZXJ0
RW5yb2xsXENBUC1SVFAtMDAyLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG
9w0BAQUFAAOCAQEAVoOM78TaOtHqj7sVL/5u5VChlyvU168f0piJLNWip2vDRihm
E+DlXdwMS5JaqUtuaSd/m/xzxpcRJm4ZRRwPq6VeaiiQGkjFuZEe5jSKiSAK7eHg
tup4HP/ZfKSwPA40DlsGSYsKNMm3OmVOCQUMH02lPkS/eEQ9sIw6QS7uuHN4y4CJ
NPnRbpFRLw06hnStCZHtGpKEHnY213QOy3h/EWhbnp0MZ+hdr20FujSI6G1+L39l
aRjeD708f2fYoz9wnEpZbtn2Kzse3uhU1Ygq1D1x9yuPq388C18HWdmCj4OVTXux
V6Y47H1yv/GJM8FvdgvKlExbGTFnlHpPiaG9tQ==
quit
Certificate has the following attributes:
 Fingerprint MD5: F7E150EA 5E6E3AC5 615FC696 66415C9F
 Fingerprint SHA1: 1BE2B503 DC72EE28 0C0F6B18 798236D8 D3B18BE6

% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported

Miami(config)#end

Step 5.

Configure CallManager.

After the SRST router has the appropriate phone certificates, you must enable Secure SRST on CallManager. You do this by checking the Is SRST Secure? checkbox in the SRST Reference configuration page in CallManager. You should also modify the Certificate Provider port if you did not use the default port in Step 3. If the IP phones are already registered, you must reset them for this change to take effect.

Step 6.

Configure SRST.

After you have completed and verified the certificate configuration, you configure SRST the same as if certificates were not in use.

Part I: Voice Gateways and Gatekeepers

Gateways and Gatekeepers

Part II: Gateways

Media Gateway Control Protocol

H.323

Session Initiation Protocol

Circuit Options

Connecting to the PSTN

Connecting to PBXs

Connecting to an IP WAN

Dial Plans

Digit Manipulation

Influencing Path Selection

Configuring Class of Restrictions

SRST and MGCP Gateway Fallback

DSP Resources

Using Tcl Scripts and VoiceXML

Part III: Gatekeepers

Deploying Gatekeepers

Gatekeeper Configuration

Part IV: IP-to-IP Gateways

Cisco Multiservice IP-to-IP Gateway

Appendix A. Answers to Chapter-Ending Review Questions

Appendix A. Answers to Chapter-Ending Review Questions

Index