Table Of Contents
Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Prerequisites for Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Restrictions for Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Information About Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Benefits of Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Feature Design of Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Security Technologies and DSP Farm Conferencing
Supported Platforms, DSP Modules, and Conference Provisioning
How to Configure Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Configuring an External CA Server
Exporting the Cisco Unified CM Certificate
Configuring a Trustpoint on the Secure DSP Farm Gateway
Authenticating and Enrolling the Certificate with the CA Server
Copying the CA Root Certificate of the DSP Farm Router to the Cisco Unified CallManager
Configuring the Cisco Unified CM Trustpoint and Loading the Certificate
Configuring the DSP Farm to Securely Register with Cisco Unified CM
Configuring Secure Conferencing on Cisco Unified CM
Verifying and Troubleshooting Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Configuration Examples for Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing: Example
External Certificate Authority Router: Example
Feature Information for Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
First Published: June 22, 2007Last Updated: November 25, 2008The Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing feature provides secure conferencing capability for Cisco Unified Communications Manager (Unified CM) networks, including authentication, integrity and encryption of voice media and related call control signaling to and from the digital signal processor (DSP) farm.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Prerequisites for Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
•Restrictions for Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
•Information About Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
•How to Configure Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
•Configuration Examples for Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
•Feature Information for Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Prerequisites for Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Make sure that the following tasks have been completed before configuring the Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing feature:
•Cisco IOS gateways have the prerequisite Cisco IOS images installed. Voice security features are delivered on Advanced IP Services or Advanced Enterprise Services images.
•Cisco Unified Communications Manager 6.1 or a later release is running if the Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing feature is deployed in a Unified CM network. For more information on configuring Unified CM, refer to Cisco CallManager Security Guide, Release 5.0.
Restrictions for Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
•Secure transcoding and secure media termination points (MTP) are not supported in Unified CM networks.
•Secure Real-Time Transport Protocol (RTCP) is not supported.
•Multicast (hoot-and-holler) conferencing is not supported.
•TI 549 and TI 5421 DSP-based conferencing is not secure.
•Calls to Cisco Unity Express are not secure.
•Music on Hold (MOH) is not secure.
•Video calls are not secure.
•Modem relay and T.3 fax relay calls are not secure.
•Media forking is not supported.
•Conversion between inband tone and RFC2833 DTMF is not supported. RFC2833 DTMF handling is supported when encryption keys are sent to secure DSP farm devices but is not supported for codec passthrough.
See the "Supported Platforms, DSP Modules, and Conference Provisioning" section on page 5 for supported gateways, network modules, codecs, and conference session for the Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing feature.
Information About Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
To configure Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing feature, you should understand the following concepts:
•Benefits of Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing, page 3
•Feature Design of Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing, page 3
Benefits of Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
The Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing feature provides privacy and confidentiality for secure conference calls by encrypting and decrypting media streams between the DSP farm and endpoints, and by protecting the signaling channel between the Unified CM and the DSP farm.
Feature Design of Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
With the new Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing feature, Cisco extends encryption of voice media and related call control signaling to secure conferencing for Cisco Unified Communications Manager networks using the secure DSP farm feature. Cisco enhances DSP farm conferencing by securing both the media and signaling paths between the Unified CM, and Cisco IOS gateways and endpoints.
Voice conferencing involves adding several parties to a phone conversation. In a traditional circuit-switched voice network, all voice traffic passes through a central device, such as a PBX, with conference services provided within this central device. In contrast, IP phones normally send voice signals directly between phones without going through a central device. Conference services, however, require a network-based conference bridge. In an IP telephony network using Cisco Unified Communications Manager, the DSP-based conferencing provides the conference-bridging service. Cisco Unified CallManager uses a DSP farm, a collection of DSP resources that support conference, transcoding, and media termination point (MTP) services, to mix voice streams from multiple participants into a single conference-call stream. The mixed stream is played out to all conference attendees, minus the voice of the receiving attendee. DSP farms are configured on the Cisco IOS voice gateway and managed by Cisco Unified CM through SCCP.
DSP farm profiles are created to allocate DSP farm resources. Under the DSP farm profile, you select the service type (conference, transcode, and MTP), associate an application, and specify service-specific parameters, such as codecs and maximum number of conferences. A DSP farm profile allows you to group DSP resources based on the service type. Applications associated with the DSP farm profile, such as SCCP, can use the resources allocated under the profile. You can configure multiple DSP farm profiles for the same service, each can register with one Cisco Unified CM group. The profile ID and service type uniquely identify a DSP farm profile, allowing the profile to uniquely map to a Unified CM group that contains a single pool of Cisco Unified CM servers.
DSP resources can reside on the voice gateway router in packet-voice DSP modules (PVDMs) installed in voice network modules, for example the NM-HDV2, or directly in the network module, for example the NM-HD-2V. Cisco 2800 series and 3800 series voice gateway routers have onboard DSP resources located on PVDM2s installed directly on the motherboard. Your router supports one or more voice network modules.
Figure 1 shows a typical topology where the Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing feature is deployed. Users establish a conference call across the public switched telephone network (PSTN) between locations. Tranport layer security (TLS) connections between the DSP farm and Unified CM secure SCCP signaling traffic, allowing for mutual authentication between the two. The DSP farm registers its resources with Cisco Unified CallManager and operates in secure mode to decrypt, decompress, mix, compress and encrypt voice packets. SRTP protected media streams connect to the DSP farm where they are mixed and played back to conference participants.
Figure 1 Secure DSP Farm Conferencing in the IP Telephony Network
Security Technologies and DSP Farm Conferencing
Cisco implements secure voice conferencing over the IP telephony network by establishing and maintaining authenticated and encrypted communications using the following security technologies:
•Signaling authentication validates that no tampering has occurred with signaling packets during transmission.
•Encryption, the process of converting clear-text data into enciphered data, provides data integrity and authentication.
•Call control signaling is encrypted using TLS, while Public Key Infrastructure (PKI) supports secure public key distribution. The DSP farm mutually authenticates with Unified CM through the use of certificates.
•Media encryption using standards-based SRTP ensures that media streams between supported devices are secure.
•Cisco IOS H.323 supports the AES_CM_128_HMAC_SHA1_32 cryptographic suite, which includes the AES-128-countermode encryption algorithm and the Hashed Message Authentication Codes (HMAC) Secure Hash Algorithm1 (SHA1) authentication algorithm.
•Cisco IOS H.323 supports H.235.8 compliant procedures for the signaling, negotiation, and transport of the SRTP cryptographic keys, authentication and encryption algorithm identifiers, and other session parameters between H.323 endpoints.
Supported Platforms, DSP Modules, and Conference Provisioning
The Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing feature is supported on the following platforms with on-board DSP modules or NM-HDV2 network modules:
•Cisco 2600XM
•Cisco 2691
•Cisco 2801
•Cisco 2811
•Cisco 2821
•Cisco 2851
•Cisco 3725
•Cisco 3745
•Cisco 3825
•Cisco 3845
DSP modules support the maximum number of TI 5510 DSPs listed:
•NM-HDV2: up to 16 TI 5510 DSPs in 4 PVDM2s
•Integrated Services Routers (ISRs) on-board PVDM2: up to 8 TI 5510 DSPs in 2 PVDM2s
The following network modules (NMs) provide the number of conferences and participants, up to the maximums listed by codec type:
Codec Type NM-HDV2
(16 TI 5510 DSPs) NM-HD-2VE
(3 TI 5510 DSPs) NM-HD-1V / NM-HD-2V
(1TI 5510 DSP)G.711
conferences
participants50
40012
964
32G.729
conferences
participants32
2566
482
16
The maximum number of conferences for a DSP farm profile is dependent on DSP resources.
How to Configure Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
This section contains the following procedures:
•Configuring an External CA Server, page 6
•Exporting the Cisco Unified CM Certificate
•Configuring a Trustpoint on the Secure DSP Farm Gateway, page 8
•Authenticating and Enrolling the Certificate with the CA Server, page 10
•Copying the CA Root Certificate of the DSP Farm Router to the Cisco Unified CallManager, page 11
•Configuring the DSP Farm to Securely Register with Cisco Unified CM, page 13
•Configuring the Cisco Unified CM Trustpoint and Loading the Certificate
•Configuring Secure Conferencing on Cisco Unified CM, page 16
•Verifying and Troubleshooting Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing, page 16
Prerequisites
Set the system clock using one of these methods:
•Configure Network Time Protocol (NTP).
•Manually set the software clock using the clock set command.
Both methods are explained in the "Performing Basic System Management" chapter of the Cisco IOS Network Management Configuration Guide for your Cisco IOS release.
Enabling HTTP server on both the external Cisco IOS certificate authority (CA) server and the Cisco IOS DSP farm gateway is required for TLS operation. Use the ip http server command to enable the Cisco web browser user interface.
Configuring an External CA Server
To configure an external CA server, perform the following steps:
SUMMARY STEPS
1. enable
2. configure terminal
3. ip http server
4. crypto pki server cs-label
5. database level {minimal | names | complete}
6. grant auto
7. database url root-url
8. no shutdown
9. exit
DETAILED STEPS
Exporting the Cisco Unified CM Certificate
To configure secure conferencing, you must first obtain a certificate from Cisco Unified CM. To select the certificate file from Cisco Unified CM Certificate Management and download it to your PC desktop (to later upload into the Cisco IOS configuration), perform the following steps.
SUMMARY STEPS
1. Go to Cisco Unified Communications Operating System Administration and choose Security>Certificate Management.
2. Click Find>File Name>Begins with and enter "CallManager" in the search field.
3. Click CallManager.pem. The Certificate Configuration screen appears.
4. Find the line that reads: CN=ccmhostname. Make note of the ccmhostname—You will need this name later in the configuration.
5. Click download and save this file to your PC desktop.
DETAILED STEPS
Configuring a Trustpoint on the Secure DSP Farm Gateway
To create a trustpoint on the Cisco IOS DSP farm gateway, perform the following steps.
Creating a Trustpoint
This trustpoint stores the digital certificate for the DSP farm. To create a trustpoint, perform the following steps:
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki trustpoint label
4. enrollment url ca-url
5. serial-number none
6. fqdn none
7. ip-address none
8. subject-name [x.500-name]
9. revocation-check none
10. rsakeypair key-label
DETAILED STEPS
Authenticating and Enrolling the Certificate with the CA Server
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki authenticate trustpoint-label
4. crypto pki enroll trustpoint-label
DETAILED STEPS
Copying the CA Root Certificate of the DSP Farm Router to the Cisco Unified CallManager
The DSP farm router and Unified CM router exchange certificates during the registration process. These certificates are digitally signed by the CA server of the respective router. For the routers to accept each other's digital certificate, they must have the CA root certificate for each other. Manually copy the CA root certificate of the DSP farm and the Unified CM router for each other.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki export trustpoint pem url flash:
4. You are prompted to confirm destination filenames for the CA certificate and router certificate. These file names are the same as the trustpoint name (with a .ca suffix and a .crt suffix, respectively) entered in step 3. To accept the names, press Enter after each prompt. The files are written to flash.
5. tftp-server flash:trustpoint.ca
6. tftp-server flash:trustpoint.crt
7. end
8. From your PC, connect to the router via TFTP and download the .ca and .crt files to your PC.
9. Go to Cisco Unified Communications Operating System Administration and choose Security>Certificate Management. Click Upload Certificate.
10. Upload the .ca and .crt files one at a time. Select CallManager-trust as the Certificate Name for both files. Leave the Root Certificate field blank for both files.
11. Restart CCM services on all nodes.
DETAILED STEPS
Configuring the Cisco Unified CM Trustpoint and Loading the Certificate
1. enable
2. configure terminal
3. crypto pki trustpoint cucm hostname
4. enrollment terminal pem
5. subject-name CN=ccmhostname
6. revocation-check none
7. Copy the contents of the CallManager.pem file downloaded into the cut and paste buffer.
8. crypto pki authenticate trustpoint-label
9. Paste in the certificate and hit enter. Type quit and press enter. Type yes and press enter when you are prompted to accept the certificate.
DETAILED STEPS
Configuring the DSP Farm to Securely Register with Cisco Unified CM
SUMMARY STEPS
1. enable
2. configure terminal
3. voice-card slot
4. dsp service dspfarm
5. dspfarm profile profile-identifier conference security
6. trustpoint trustpoint-label
7. codec {codec-type | pass-through}
8. maximum sessions number
9. associate application sccp
10. no shutdown
11. exit
12. sccp local interface-type interface-number
13. sccp ccm {ip-address | dns} identifier identifier-number
14. sccp
15. sccp ccm group group-number
16. associate ccm identifier-number priority priority-number
17. associate profile profile-identifier register device-name
18. exit
DETAILED STEPS
Configuring Secure Conferencing on Cisco Unified CM
Perform the following steps to configure secure conferencing on Unified CM.
SUMMARY STEPS
1. From the Unified CM Admistration page pulldown menu, choose Service, Media Resources, Conference Bridge Configuration.
2. Choose Add a New Conference Bridge.
3. Choose Cisco IOS Enhanced Conference Bridge , Conference Bridge Type.
4. Enter the conference identifier that you configured for Conference Bridge Name.
5. Select the default Device Pool.
6. Choose Insert and Reset the Conference Bridge.
7. Create an MRG and MRGL for the Conference Bridge. Use the same MRGL for participating IP Phones and gateways
DETAILED STEPS
Verifying and Troubleshooting Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Use the following commands to verify the configuration.
SUMMARY STEPS
1. show crypto ca trustpoints status
2. show dspfarm dsp stats id
3. show dspfarm profile id
4. show media resource status
5. show rtpspi statistics
6. show sccp
7. show sccp ccm group id
8. show sccp statistics
9. show voice dsp group slot
DETAILED STEPS
Step 1 Use the show crypto ca trustpoints command to display information about the trustpoints that are configured on the router.
Router# show crypto ca trustpoints status
Trustpoint dspfarm-mgcp:Issuing CA certificate configured:Subject Name:cn=IOSCAServer........Router General Purpose certificate configured:Subject Name:cn=sMgcpCFB,ou=ATG,o=Cisco.......State:Keys generated ............. Yes (General Purpose, ...)Issuing CA authenticated ....... YesCertificate request(s) ..... YesTrustpoint mgcp-ccm:Issuing CA certificate configured:Subject Name:cn=choc1.cisco.com...........State:Keys generated ............. NoIssuing CA authenticated ....... YesCertificate request(s) ..... NoneStep 2 Use the show dspfarm dsp stats id command to display configured digital signal processor (DSP) farm statistics for a specific conference bridge.
Router# show dspfarm dsp stats 1Gathering total stats...Bridge-id=0x1 Conferee-id=1 Call-id=0x2PacketsReceived=13089 PacketTransmitted=13126 PacketsTossed=0 AverageJitter=0 MaxObservedJitter=0 TalkerFrameCount=26267ConfereeStatus=1Srtp Stats:TotalPacketsEncrypted=13126 TotalPacketsDecrypted=13089 DecryptionFailurePacketCount=0 TotalPacketsAuthenticated=13089 AuthenticationFailurePacketCount=0 DuplicateReplayPacketCount=0 OutsideWindowReplayPacketCount=0 PacketsBadReceivedSSRC=0Conference Stats:ConferenceState=1ConfereeList=0x7 TalkerList=0x7Step 3 Use the show dspfarm profile id command to display configured digital signal processor (DSP) farm profile information for a selected Unified CM group.
Router# show dspfarm profile 22
Dspfarm Profile ConfigurationProfile ID = 22, Service = CONFERENCING, Resource ID = 1Profile Description :Profile Service Mode : secureTrustpoint : dspfarm-mgcpProfile Admin State : UPProfile Operation State : ACTIVEApplication : SCCP Status : ASSOCIATEDResource Provider : FLEX_DSPRM Status : UPNumber of Resource Configured : 16Number of Resource Available : 16Codec ConfigurationCodec : g711ulaw, Maximum Packetization Period : 30 , Transcoder: Not RequiredCodec : g711alaw,Step 4 Use the show media resource status command to display the current media resource status.
Step 5 Use the show rtpspi statistics command to display Real-Time Transport Protocol (RTP) statistics.
Step 6 Use the show sccp all and show sccp connections commands to display Skinny Client Control Protocol (SCCP) information about administrative and operational status.
Router# show sccpSCCP Admin State: UPGateway IP Address: 10.22.1.1, Port Number: 2000IP Precedence: 5User Masked Codec list: NoneCall Manager: 1.3.105.6, Port Number: 2000Priority: 2, Version: 5.0.1, Identifier: 2Call Manager: 1.3.105.5, Port Number: 2000Priority: 1, Version: 5.0.1, Identifier: 1Conferencing Oper State: ACTIVE - Cause Code: NONEActive Call Manager: 1.3.105.5, Port Number: 2000TCP Link Status: CONNECTED, Profile Identifier: 22Signaling Security: ENCRYPTED TLSMedia Security: SRTPSupported crypto suites :AES_CM_128_HMAC_SHA1_32Reported Max Streams: 128, Reported Max OOS Streams: 0Supported Codec: g711ulaw, Maximum Packetization Period: 30Step 7 Use the show sccp ccm group id command todisplay the groups that are configured on a specific Unified CM.
Step 8 Use theshow sccp statistics command to display statistical information for SCCP transcoding and conferencing applications.
Router# show sccp stat
SCCP Application Service(s) Statistics:Profile Identifier: 1, Service Type: TranscodingTCP packets rx 16, tx 19Unsupported pkts rx 0, Unrecognized pkts rx 0Register tx 1, successful 1, rejected 0, failed 0KeepAlive tx 13, successful 13, failed 0OpenReceiveChannel rx 0, successful 0, failed 0 Encrypted :0CloseReceiveChannel rx 0, successful 0, failed 0 Encrypted : 0StartMediaTransmission rx 0, successful 0, failed 0 Encrypted : 0StopMediaTransmission rx 0, successful 0, failed 0 Encrypted: 0PortReq rx 0PortRes tx 0, successful 0, failed 0PortClose rx 0Step 9 Use the show voice dsp group slot command to display the current status or selective statistics of digital signal processor (DSP) voice channels on the specified slot.
Router #show voice dsp group slot 1
dsp 13:State: UP, firmware: 4.4.706Max signal/voice channel: 16/16Max credits: 240Group: FLEX_GROUP_VOICE, complexity: FLEXShared credits: 180, reserved credits: 0Signaling channels allocated: 2Voice channels allocated: 0Credits used: 0Group: FLEX_GROUP_XCODE, complexity: SECURE MEDIUMShared credits: 0, reserved credits: 60Transcoding channels allocated: 0Credits used: 0dsp 14:State: UP, firmware: 1.0.6Max signal/voice channel: 16/16Max credits: 240Group: FLEX_GROUP_CONF, complexity: SECURE CONFERENCEShared credits: 0, reserved credits: 240Conference session: 1Credits used: 0Use the following debug commands to troubleshoot the secure DSPFarm conferencing configuration.
•debug dspfarm
•debug hpi all
•debug media resource provider
•debug sccp
•debug ssl
•debug voip confmsp
•debug voip dsmp
•debug voip xcodemsp
Configuration Examples for Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
This section contains the following examples:
•Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing: Example, page 20
•External Certificate Authority Router: Example
Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing: Example
Router# show running-configBuilding configuration...Current configuration : 5874 bytes!! Last configuration change at 16:31:45 EDT Sun Mar 9 2008! NVRAM config last updated at 16:33:36 EDT Sun Mar 9 2008!version 12.4service configservice timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname sec2800-cfb!boot-start-markerboot-end-marker!enable secret *****!aaa new-model!!aaa authentication login default localaaa authentication enable default enable!!aaa session-id commonclock timezone EST -5clock summer-time EDT recurringno network-clock-participate wic 2!!!ip cef!!no ip domain lookupip host ps-611 10.1.69.61!multilink bundle-name authenticated!!!voice-card 0no dspfarmdsp services dspfarm!!crypto pki trustpoint sec2800-cfbenrollment url http://10.1.103.247:80serial-number nonefqdn noneip-address nonesubject-name cn=sec2800-cfbrevocation-check nonersakeypair sec2800-cfb!crypto pki trustpoint ps-611enrollment terminal pemsubject-name CN=ps-611revocation-check none!!crypto pki certificate chain sec2800-cfbcertificate 02308201AC 30820115 A0030201 02020102 300D0609 2A864886 F70D0101 0405003015311330 11060355 0403130A 736C6F77 33383030 2D31301E 170D3038 3033303931373136 33305A17 0D303930 33303931 37313633 305A3016 31143012 0603550403130B73 65633238 30302D63 6662305C 300D0609 2A864886 F70D0101 010500034B003048 024100E3 118E8F15 9D2FDB61 EDA795B1 DC99425C 73E6BC65 C9AE270D18524123 53FD79E2 14132298 9A78D88A 8DEEBA9D CCF33A4E 2A12E386 91048431E292A5B0 16014102 03010001 A34F304D 300B0603 551D0F04 04030205 A0301F0603551D23 04183016 80141E6E 7779EEEC EB38ED13 534EC8B2 DB5B35F8 B241301D0603551D 0E041604 14694EFD 66E1E1D7 5BAB7F00 2A2CDE23 CCE58D4D 09300D06092A8648 86F70D01 01040500 03818100 0B51AC95 EA362BD6 4FD38CC8 C70614FE74A5E161 511C3AAB CBE2200C 6E1357AE DC59911A AAA3B53B 280F5EF7 2374BF456574E675 C6590767 7B281C53 A890E40B 0E24DEA7 3E15CA79 C066D478 604064958B308540 77DA5C51 72F8002C 4E19BD65 BF7269B0 29C14433 D91AE773 BB11040F20EA42F5 BA3021B3 6479FBF9 D94CC407quitcertificate ca 0130820203 3082016C A0030201 02020101 300D0609 2A864886 F70D0101 0405003015311330 11060355 0403130A 736C6F77 33383030 2D31301E 170D3038 3033303931373039 30315A17 0D313130 33303931 37303930 315A3015 31133011 0603550403130A73 6C6F7733 3830302D 3130819F 300D0609 2A864886 F70D0101 01050003818D0030 81890281 8100CC33 AC934AE8 C14D92DD E1DB6224 89F73AD2 26FBDB03FB2F9A97 07817BCC DF47413F 04310C37 0CA02435 AB92C9FB 32088007 85EFFDDEB2FED7D5 A35CFAAF 4986B87F AF9C5B4E 076E8DE1 519D0DD7 6C71588D 079B4640EA9805E4 51793023 5C2DBB45 18DD77BF 5ED443C7 079FD057 497B5FA4 C7D77D95B3EB63D7 0473B827 E6C90203 010001A3 63306130 0F060355 1D130101 FF040530030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304 18301680141E6E77 79EEECEB 38ED1353 4EC8B2DB 5B35F8B2 41301D06 03551D0E 041604141E6E7779 EEECEB38 ED13534E C8B2DB5B 35F8B241 300D0609 2A864886 F70D010104050003 81810049 3AA6B14F 86C49FC4 4AF9A235 87B4AA90 B6617980 720CE2D01E69719F 9B933051 7FE1BF14 D48B5741 F7ABC51C F2F46C75 480C951A 9825258042028CB2 713031F2 1BA9ECCE B42798A9 D7A4C8CB 92B45C4A 1C0CFF3F 1D47C551BB2AD9B8 1022F05A B0404EEC B6495105 0A4203E4 93D7C2F7 1B77C7D4 F6EFD414644C612D BB8438quitcrypto pki certificate chain ps-611certificate ca 43721CB69965859C30820210 30820179 A0030201 02020843 721CB699 65859C30 0D06092A 864886F70D010105 05003011 310F300D 06035504 03130670 732D3631 31301E17 0D30383033303532 33343633 375A170D 31333033 30353233 34363337 5A301131 0F300D0603550403 13067073 2D363131 30819F30 0D06092A 864886F7 0D010101 050003818D003081 89028181 00CB52A8 3B6E7CEE 90EAE54E C8A876A9 1E089F2A D29EE68509A70AB8 C4974915 78ECFCF0 318AC510 899AA401 88440791 8A1FBFC1 1FCF0727A8A7F937 840790DD B87D958E 551DD4EA 209CA0E3 8D7D5F19 B2A48490 EC392805274D76C9 1E624D30 55FA6FB5 7C07D4D0 14A0C54B E1B478CB AA1BA644 FF528245E30BEB70 8844899A 3F020301 0001A371 306F300B 0603551D 0F040403 0202BC3027060355 1D250420 301E0608 2B060105 05070301 06082B06 01050507 030206082B060105 05070305 30180603 551D1104 11300F86 0D736970 3A434E3D 70732D363131301D 0603551D 0E041604 140022A7 15A36D80 5AD42DDF 552A1BE5 E9505E193A300D06 092A8648 86F70D01 01050500 03818100 AF16B927 BEA287C4 11FCF90D6EB7D31E 0F78AF93 A582EDDC 451B34EA 0152A9A6 34FA8E59 9B87BCD8 F084478A8F2D9B0C 12F27C79 61CAC398 7890D66E 3D13C6CD 440050F9 EE67B6F9 CEC569CA006598DC 6788BCD6 8FDF6C19 4B04723B BC652932 C45C41E2 C282C4DB AFDA475E79FACE13 C99179A3 B1FC9822 BD3CCAD7 6A864C8Fquit!!!!username pslow password *****archivelog confighidekeys!!controller T1 0/2/0framing esflinecode b8zs!controller T1 0/2/1framing esflinecode b8zs!ip ssh version 1!!!!interface GigabitEthernet0/0ip address 10.1.20.29 255.255.255.0duplex autospeed auto!interface GigabitEthernet0/1no ip addressshutdownduplex autospeed auto!ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.1.20.1!!ip http serverno ip http secure-server!!!!!!tftp-server flash:sec2800-cfb.catftp-server flash:sec2800-cfb.crt!control-plane!!!!!sccp local GigabitEthernet0/0sccp ccm 10.1.69.61 identifier 58 version 6.0 trustpoint ps-611sccp!sccp ccm group 59associate ccm 58 priority 2associate profile 57 register sec2800-cfb!dspfarm profile 57 conference securitytrustpoint sec2800-cfbcodec g711ulawcodec g711alawcodec g729ar8codec g729abr8codec g729r8codec g729br8maximum sessions 2associate application SCCP!!!!!line con 0line aux 0line vty 0 4!scheduler allocate 20000 1000ntp clock-period 17180179ntp server 10.1.108.15!webvpn cef!endExternal Certificate Authority Router: Example
Router# show running-configBuilding configuration...Current configuration : 3017 bytes!! Last configuration change at 14:14:12 EDT Sun Mar 9 2008 by pslow! NVRAM config last updated at 14:14:14 EDT Sun Mar 9 2008 by pslow!version 12.4service timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname slow3800-1!boot-start-markerboot-end-marker!enable secret 5 BLAH!aaa new-model!!aaa authentication login default localaaa authentication enable default enable!!aaa session-id commonclock timezone EST -5clock summer-time EDT recurringno network-clock-participate wic 0no network-clock-participate wic 1!ip cef!!no ip domain lookupmultilink bundle-name authenticated!!voice-card 0no dspfarm!!!!crypto pki server slow3800-1database level completegrant autodatabase url flash:!crypto pki trustpoint slow3800-1revocation-check crlrsakeypair slow3800-1!!crypto pki certificate chain slow3800-1certificate ca 0130820203 3082016C A0030201 02020101 300D0609 2A864886 F70D0101 0405003015311330 11060355 0403130A 736C6F77 33383030 2D31301E 170D3038 3033303931373039 30315A17 0D313130 33303931 37303930 315A3015 31133011 0603550403130A73 6C6F7733 3830302D 3130819F 300D0609 2A864886 F70D0101 01050003818D0030 81890281 8100CC33 AC934AE8 C14D92DD E1DB6224 89F73AD2 26FBDB03FB2F9A97 07817BCC DF47413F 04310C37 0CA02435 AB92C9FB 32088007 85EFFDDEB2FED7D5 A35CFAAF 4986B87F AF9C5B4E 076E8DE1 519D0DD7 6C71588D 079B4640EA9805E4 51793023 5C2DBB45 18DD77BF 5ED443C7 079FD057 497B5FA4 C7D77D95B3EB63D7 0473B827 E6C90203 010001A3 63306130 0F060355 1D130101 FF040530030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304 18301680141E6E77 79EEECEB 38ED1353 4EC8B2DB 5B35F8B2 41301D06 03551D0E 041604141E6E7779 EEECEB38 ED13534E C8B2DB5B 35F8B241 300D0609 2A864886 F70D010104050003 81810049 3AA6B14F 86C49FC4 4AF9A235 87B4AA90 B6617980 720CE2D01E69719F 9B933051 7FE1BF14 D48B5741 F7ABC51C F2F46C75 480C951A 9825258042028CB2 713031F2 1BA9ECCE B42798A9 D7A4C8CB 92B45C4A 1C0CFF3F 1D47C551BB2AD9B8 1022F05A B0404EEC B6495105 0A4203E4 93D7C2F7 1B77C7D4 F6EFD414644C612D BB8438quit!!username pslow password 7 BLAHarchivelog confighidekeys!!controller T1 0/0/0framing esflinecode b8zs!controller T1 0/0/1framing esflinecode b8zs!controller T1 0/1/0framing esflinecode b8zs!controller T1 0/1/1framing esflinecode b8zs!!!interface GigabitEthernet0/0no ip addressshutdownduplex autospeed automedia-type rj45no keepalive!interface GigabitEthernet0/1ip address 10.1.103.247 255.255.255.0duplex autospeed automedia-type rj45no keepalive!ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10.1.103.1!!ip http serverno ip http secure-server!!!control-plane!!line con 0line aux 0line vty 0 4!scheduler allocate 20000 1000ntp clock-period 17179581ntp server 10.18.108.15!endAdditional References
The following sections provide references related to the Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing feature.
Related Documents
Related Topic Document TitleCisco Unified Communications Manager interoperability
Cisco IOS H.323 network secure calls
•Media and Signaling Authentication and Encryption Feature for Cisco IOS H.323 Gateways
Cisco Unified CME configuration
•Cisco Unified CallManager Express System Administrator Guide
Cisco IOS voice configuration
•Cisco IOS Voice Configuration Library
Phone documentation for Cisco Unified CME
Cisco Unified CM security configuration
Cisco CallManager Security Guide, Release 5.0
Cisco Unified CME and Cisco Unity Express integration
Integrating Cisco Unity Express with Cisco CallManager Express 3.0 and Later
Standards
Standard TitleNo new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
RFC TitleNo new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Voice Command Reference at http://www.cisco.com/en/US/docs/ios/voice/command/reference/vr_book.html. For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or a Cisco IOS master commands list.
•dspfarm profile
•show sccp
•trustpoint (DSP Farm profile)
Feature Information for Media and Signaling Encryption (SRTP/TLS) on DSP Farm Conferencing
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007-2008 Cisco Systems, Inc. All rights reserved.