Introduction
This document describes how to secure Session Initiation Protocol (SIP) signaling in Contact Center Enterprise (CCE) comprehensive call flow.
Prerequisites
Certificate generation and import are out of the scope of this document; certificates for Cisco Unified Communications Manager (CUCM), Customer Voice Portal (CVP) call server, Cisco Virtual Voice Browser (CVVB), and Cisco Unified Border Element (CUBE) must be created and imported on the respective components. If you use self-signed certificates, the certificates must be exchanged among the different components.
Requirements
Cisco recommends that you have knowledge of these topics:
Components Used
The information in this document is based on Packaged Contact Center Enterprise (PCCE), CVP, CVVB, and CUCM version 12.6, but it is also applicable to earlier versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
The next diagram shows the components engaged in SIP signaling in the contact center comprehensive call flow. An inbound voice call enters the system through the ingress gateway or CUBE, so start the secure SIP configuration on CUBE. Next, configure CVP, CVVB, and CUCM.
![Inbound SIP Call Flow](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-00.png)
Task 1. CUBE Secure Configuration
In this task, configure CUBE to secure the SIP protocol messages.
Required configurations:
- Configure a default trustpoint for the SIP User Agent (UA)
- Modify the dial peers to use Transport Layer Security (TLS)
Steps:
1. Open a Secure Shell (SSH) session to CUBE.
2. Run these commands so that the SIP stack uses the trustpoint (here `ms-ca-name`) that holds the Certificate Authority (CA) certificate of CUBE. CUBE establishes SIP TLS connections to and from CUCM (198.18.133.3) and CVP (198.18.133.13).
```
conf t
sip-ua
transport tcp tls v1.2
crypto signaling remote-addr 198.18.133.3 255.255.255.255 trustpoint ms-ca-name
crypto signaling remote-addr 198.18.133.13 255.255.255.255 trustpoint ms-ca-name
exit
```
![CUBE SSH Console](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-01.png)
3. Run these commands to enable TLS on the outgoing dial peer to CVP. In this example, dial-peer tag 6000 routes calls to CVP.
```
conf t
dial-peer voice 6000 voip
session target ipv4:198.18.133.13:5061
session transport tcp tls
exit
```
![CUBE SSH Console](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-02.png)
Task 2. CVP Secure Configuration
In this task, configure the CVP call server to secure the SIP protocol messages (SIP TLS).
Steps:
1. Log in to UCCE Web Administration.
2. Navigate to Call Settings > Route Settings > SIP Server Group.
![SIP Server Group Configuration on CCE Admin Portal](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-03.png)
Based on your configuration, you have SIP Server Groups for CUCM, CVVB, and CUBE. You need to set the secure SIP port to 5061 for all of them. In this example, these SIP server groups are used:
- cucm1.dcloud.cisco.com for CUCM
- vvb1.dcloud.cisco.com for CVVB
- cube1.dcloud.cisco.com for CUBE
3. Click cucm1.dcloud.cisco.com, then open the Members tab, which shows the details of the SIP Server Group configuration. Set SecurePort to 5061 and click Save.
![Setting Secure SIP Port for CUCM Server Group](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-04.png)
4. Click vvb1.dcloud.cisco.com, then open the Members tab. Set SecurePort to 5061 and click Save.
![Setting Secure SIP Port for VVB Server Group](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-05.png)
Task 3. CVVB Secure Configuration
In this task, configure CVVB to secure the SIP protocol messages (SIP TLS).
Steps:
1. Log in to the Cisco VVB Administration page.
2. Navigate to System > System Parameters.
![VVB System Parameters](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-06.png)
3. In the Security Parameters section, choose Enable for TLS(SIP). Keep Supported TLS(SIP) version as TLSv1.2.
![VVB Security Parameters](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-07.png)
4. Click Update. Click Ok when prompted to restart the CVVB engine.
![Update Security Parameters](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-08.png)
5. These changes require a restart of the Cisco VVB engine. In order to restart the VVB engine, navigate to Cisco VVB Serviceability, then click Go.
![Cisco VVB Serviceability](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-09.png)
6. Navigate to Tools > Control Center – Network Services.
![Control Center - Network Services](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-10.png)
7. Choose Engine and click Restart.
![Control Center - Network Services](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-11.png)
Task 4. CUCM Secure Configuration
In order to secure SIP messages on CUCM, perform these configurations:
- Set CUCM Security Mode to Mixed Mode
- Configure SIP Trunk Security Profiles for CUBE and CVP
- Associate SIP Trunk Security Profiles to Respective SIP Trunks
- Secure Agents’ Device Communication with CUCM
Set CUCM Security Mode to Mixed Mode
CUCM supports two security modes:
- Non-secure mode (default mode)
- Mixed mode (secure mode)
Steps:
1. In order to set the security mode to Mixed Mode, log in to the Cisco Unified CM Administration interface.
![CUCM Administration Interface](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-12.png)
2. After you have successfully logged in to CUCM, navigate to System > Enterprise Parameters.
![CUCM Enterprise Parameters](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-13.png)
3. Under the Security Parameters section, check whether Cluster Security Mode is set to 0.
![CUCM Security Parameters](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-14.png)
4. If Cluster Security Mode is 0, the cluster security mode is non-secure. You need to enable mixed mode from the CLI.
5. Open an SSH session to CUCM.
6. After you have successfully logged in to CUCM via SSH, run this command:
`utils ctl set-cluster mixed-mode`
7. Type y and press Enter when prompted. This command sets the cluster security mode to mixed mode.
![CUCM SSH Console](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-15.png)
8. For the changes to take effect, restart the Cisco CallManager and Cisco CTIManager services.
9. In order to restart the services, navigate to and log in to Cisco Unified Serviceability.
![Cisco Unified Serviceability](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-16.png)
10. After you have successfully logged in, navigate to Tools > Control Center – Feature Services.
![Control Center - Feature Services](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-17.png)
11. Choose the server, then click Go.
![Select Server](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-18.png)
12. Under CM Services, choose Cisco CallManager, then click the Restart button at the top of the page.
![Restarting Cisco Call Manager Services](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-19.png)
13. Confirm the pop-up message and click OK. Wait for the service to restart successfully.
![Info Message](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-20.png)
14. After Cisco CallManager restarts successfully, choose Cisco CTIManager, then click the Restart button to restart the Cisco CTIManager service.
![Restarting Cisco CTI Manager Service](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-21.png)
15. Confirm the pop-up message and click OK. Wait for the service to restart successfully.
![Info Message](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-22.png)
16. After the services restart successfully, verify that the cluster security mode is set to mixed mode: navigate to CUCM Administration as explained in Steps 1 through 3 and check Cluster Security Mode. It must now be set to 1.
![Cluster Security Mode is to the Value of '1'](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-23.png)
Configure SIP Trunk Security Profiles for CUBE and CVP
Steps:
1. Log in to the CUCM Administration interface.
2. After successful login to CUCM, navigate to System > Security > SIP Trunk Security Profile in order to create a device security profile for CUBE.
![CUCM SIP Trunk Security Profile](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-24.png)
3. At the top left, click Add New in order to add a new profile.
![Add New CUCM SIP Trunk Security Profile](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-25.png)
4. Configure the SIP Trunk Security Profile as shown in this image, then click Save at the bottom left of the page to save it.
![Add CUCM SIP Trunk Security Profile for CUBE](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-26.png)
5. Ensure that you set the Secure Certificate Subject or Subject Alternate Name to the Common Name (CN) of the CUBE certificate, as it must match.
6. Click the Copy button, change the Name to SecureSipTLSforCVP and the Secure Certificate Subject to the CN of the CVP call server certificate, as it must match. Click the Save button.
![Add CUCM SIP Trunk Security Profile for CVP](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-27.png)
Associate SIP Trunk Security Profiles to Respective SIP Trunks
Steps:
1. On the CUCM Administration page, navigate to Device > Trunk.
![CUCM Trunk Configuration for CUBE](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-28.png)
2. Search for the CUBE trunk. In this example, the CUBE trunk name is vCube. Click Find.
![Find SIP Trunks on CUCM for CUBE](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-29.png)
3. Click vCUBE to open the vCUBE trunk configuration page.
4. Scroll down to the SIP Information section, and change the Destination Port to 5061.
5. Change SIP Trunk Security Profile to SecureSIPTLSForCube.
![SIP Trunk Configuration for CUBE](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-30.png)
6. Click Save, then Reset, in order to save and apply the changes.
![Save Configuration](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-31.png)
![Info Message](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-32.png)
7. Navigate to Device > Trunk, and search for the CVP trunk. In this example, the CVP trunk name is cvp-SIP-Trunk. Click Find.
![CUCM Trunk Configuration for CVP](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-33.png)
8. Click CVP-SIP-Trunk in order to open the CVP trunk configuration page.
9. Scroll down to the SIP Information section, and change the Destination Port to 5061.
10. Change SIP Trunk Security Profile to SecureSIPTLSForCvp.
![Find SIP Trunks on CUCM for CVP](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-34.png)
11. Click Save, then Reset, in order to save and apply the changes.
![SIP Trunk Configuration for CVP](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-35.png)
![Save Configuration](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-36.png)
Secure Agents’ Device Communication with CUCM
In order to enable security features for a device, you must install a Locally Significant Certificate (LSC) and assign a security profile to that device. The LSC possesses the public key for the endpoint, which is signed by the Certificate Authority Proxy Function (CAPF) private key. It is not installed on phones by default.
Steps:
1. Log in to the Cisco Unified Serviceability interface.
2. Navigate to Tools > Service Activation.
![Info Message](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-37.png)
3. Choose the CUCM server and click Go.
![CUCM Service Activation](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-38.png)
4. Check Cisco Certificate Authority Proxy Function and click Save to activate the service. Click Ok to confirm.
![Select Server](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-39.png)
5. Ensure that the service is activated, then navigate to Cisco Unified CM Administration.
![Activate Cisco Certificate Authority Proxy Function Service](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-40.png)
6. After you have successfully logged in to CUCM Administration, navigate to System > Security > Phone Security Profile in order to create a device security profile for the agent device.
![CUCM Administration](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-41.png)
7. Find the security profiles that correspond to your agent device type. In this example, a soft phone is used, so choose Cisco Unified Client Services Framework - Standard SIP Non-Secure Profile. Click Copy in order to copy this profile.
![Copy Existing Phone Security Profile](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-43.png)
8. Rename the profile to Cisco Unified Client Services Framework - Secure Profile, change the parameters as shown in this image, then click Save at the top left of the page.
![Add New Phone Security Profile](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-44.png)
9. After the phone security profile is created successfully, navigate to Device > Phone.
![Phone Configuration](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-45.png)
10. Click Find in order to list all available phones, then click the agent phone.
11. The agent phone configuration page opens. Find the Certification Authority Proxy Function (CAPF) Information section. In order to install the LSC, set Certificate Operation to Install/Upgrade and Operation Completes by to any future date.
![Setting CAPF Parameters](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-46.png)
12. Find the Protocol Specific Information section. Change Device Security Profile to Cisco Unified Client Services Framework – Secure Profile.
![Assigning Device Security Profile to IP Phone](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-47.png)
13. Click Save at the top left of the page. Ensure that the changes are saved successfully, then click Reset.
![Save Configuration](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-48.png)
14. A pop-up window opens; click Reset to confirm the action.
![Phone Reset](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-49.png)
15. After the agent device registers again with CUCM, refresh the current page and verify that the LSC is installed successfully. In the Certification Authority Proxy Function (CAPF) Information section, Certificate Operation must be set to No Pending Operation, and Certificate Operation Status must be set to Upgrade Success.
![CAPF Information is Updated](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-50.png)
16. Repeat Steps 7 through 13 in order to secure the other agent devices that you want to use with secure SIP on CUCM.
Verify
In order to validate that SIP signaling is properly secured, perform these steps:
1. Open an SSH session to vCUBE, run the command `show sip-ua connections tcp tls detail`, and confirm that no TLS connection is currently established with CVP (198.18.133.13).
![show sip-ua connections tcp tls detail Output on CUBE SSH Console](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-51.png)
Note: At this point, only one TLS session is active, the one with CUCM (198.18.133.3), because SIP OPTIONS is enabled on CUCM. If SIP OPTIONS is not enabled, no SIP TLS connection exists at this point.
2. Log in to CVP and start Wireshark.
3. Make a test call to the contact center number.
4. Navigate to the CVP session and, in Wireshark, apply this filter in order to check the SIP signaling with CUBE:
`ip.addr == 198.18.133.226 && tls && tcp.port==5061`
![Packet Capture Filtering CVP Secure SIP Signals Between CVP and CUBE](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-52.png)
Check: Is a SIP over TLS connection established? If yes, the output confirms that SIP signaling between CVP and CUBE is secured.
5. Check the SIP TLS connection between CVP and CVVB. In the same Wireshark session, apply this filter:
`ip.addr == 198.18.133.143 && tls && tcp.port==5061`
![Packet Capture Filtering CVP Secure SIP Signals Between CVP and VVB](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-53.png)
Check: Is a SIP over TLS connection established? If yes, the output confirms that SIP signaling between CVP and CVVB is secured.
6. You can also verify the SIP TLS connection with CVP from CUBE. Navigate to the vCUBE SSH session and run this command to check the secure SIP signaling:
`show sip-ua connections tcp tls detail`
![SIP TLS Connection Between CVP and CUBE from CUBE SSH Console](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-54.png)
Check: Is a SIP over TLS connection established with CVP? If yes, the output confirms that SIP signaling between CVP and CUBE is secured.
7. At this point, the call is active and you hear Music on Hold (MOH), as there is no agent available to answer the call.
8. Make the agent available to answer the call.
![Make Agent Ready on Finesse Agent Desktop](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-55.png)
9. The agent is reserved and the call is routed to the agent. Click Answer to answer the call.
![Answer Incoming Call on Finesse Desktop](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-56.png)
10. The call connects to the agent.
11. In order to verify the SIP signaling between CVP and CUCM, navigate to the CVP session and apply this filter in Wireshark:
`ip.addr == 198.18.133.3 && tls && tcp.port==5061`
![Packet Capture Filtering Secure SIP Signals between CVP and CUCM](/c/dam/en/us/support/docs/contact-center/unified-contact-center-enterprise/218434-configure-secure-sip-signaling-in-contac-57.png)
Check: Are all SIP communications with CUCM (198.18.133.3) over TLS? If yes, the output confirms that SIP signaling between CVP and CUCM is secured.
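The checks above rely on Wireshark and the CUBE `show` command. The following script is an added example, not part of this Cisco document, that performs the same two verifications from any host that can reach the SIP peers: it opens a TLS 1.2 session on port 5061 with the peer certificate verified against the lab CA, and it applies the exact-match rule from the SIP Trunk Security Profile step (the configured Secure Certificate Subject or Subject Alternate Name must equal the CN or a DNS SAN of the peer certificate). The hostnames and IP addresses are the lab values used in this document; the CA bundle path is an assumption, and the certificate dicts in the comments are constructed to show the `getpeercert()` format.

```python
"""Probe SIP peers on tcp/5061 and check the certificate subject they present.

Added example, not part of the Cisco document. name_matches() reproduces the
CUCM SIP Trunk Security Profile rule (configured subject must equal the peer
CN or SAN); probe_sip_tls() reproduces the Verify section's expectation of a
TLS 1.2 session on port 5061 to each peer. Hostnames and IPs are the
document's lab values; the CA bundle path is an assumption.
"""
import socket
import ssl
from typing import Iterable, Optional, Set

SIP_TLS_PORT = 5061  # secure SIP port used throughout the document


def subject_names(cert: dict) -> Set[str]:
    """Collect the subject CN and every DNS SAN from a getpeercert()-style dict.

    ssl.SSLSocket.getpeercert() returns 'subject' as a tuple of RDNs, each a
    tuple of (attribute, value) pairs, and 'subjectAltName' as (type, value)
    pairs, for example:
      {"subject": ((("commonName", "cube1.dcloud.cisco.com"),),),
       "subjectAltName": (("DNS", "cube1.dcloud.cisco.com"),)}   # constructed
    Names are lower-cased because DNS names compare case-insensitively.
    """
    names: Set[str] = set()
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(cert: dict, expected: Iterable[str]) -> bool:
    """True if any expected name equals the certificate CN or a DNS SAN.

    Same exact-match rule as the CUCM SIP Trunk Security Profile: the
    configured subject must equal the peer's CN or SAN, or the trunk stays down.
    """
    wanted = {name.lower() for name in expected}
    return bool(subject_names(cert) & wanted)


def make_tls_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """Client context for the probe: chain verified against ca_file, TLS 1.2+.

    Hostname checking is left to name_matches() so that a subject mismatch is
    reported rather than aborting the handshake; chain verification stays on.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # matches 'transport tcp tls v1.2'
    return ctx


def tls_policy_ok(ctx: ssl.SSLContext) -> bool:
    """Confirm a context refuses pre-1.2 TLS and unverified peers."""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED)


def probe_sip_tls(host: str, expected_name: str, ca_file: str,
                  port: int = SIP_TLS_PORT, timeout: float = 5.0) -> dict:
    """Handshake with a SIP peer on 5061 and report what it presented.

    Raises OSError (ssl.SSLError is a subclass) when no TLS session can be
    established, the condition the Troubleshoot section's debugs cover.
    """
    ctx = make_tls_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=expected_name) as tls:
            cert = tls.getpeercert()
            return {
                "peer": f"{host}:{port}",
                "tls_version": tls.version(),
                "names": sorted(subject_names(cert)),
                "subject_ok": name_matches(cert, [expected_name]),
            }


if __name__ == "__main__":
    # Lab addresses from the document; the CA bundle path is a placeholder.
    peers = {
        "cube1.dcloud.cisco.com": "198.18.133.226",
        "cucm1.dcloud.cisco.com": "198.18.133.3",
        "vvb1.dcloud.cisco.com": "198.18.133.143",
    }
    for name, ip in peers.items():
        try:
            print(probe_sip_tls(ip, name, "/path/to/lab-ca.pem"))
        except OSError as exc:
            print(f"{name} ({ip}): no TLS session: {exc}")
```

A peer that answers with `subject_ok: False` is the case Step 5 of the SIP Trunk Security Profile configuration warns about: the chain is trusted, but the name in the profile does not equal the CN or SAN of the certificate, so CUCM will not bring the trunk up. A peer that raises `OSError` has no TLS listener on 5061 or rejects the handshake, which is where the `debug ssl openssl` commands in the Troubleshoot section apply.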
Troubleshoot
If TLS is not established, run these commands on CUBE to enable TLS debugging for troubleshooting:
```
debug ssl openssl errors
debug ssl openssl msg
debug ssl openssl states
```