Example Configure SIP TLS
Before you Begin
Ensure that:
- The endpoints have the same date and time. You can synchronize endpoints by using a Network Time Protocol (NTP) server.
- You have TCP connectivity.
- The CUBE has the security and UCK9 licenses installed.
- Create a trustpoint to hold the self-signed certificate of the CUBE:
    ! The trustpoint name (CUBEtest here) can be any name
    crypto pki trustpoint CUBEtest
     enrollment self-signed
     serial-number none
     fqdn none
     ip-address none
     ! Match the hostname of the router
     subject-name cn=ISR4451-B.cisco.lab
     revocation-check none
     ! Match the hostname of the router
     rsakeypair ISR4451-B.cisco.lab
- Generate a self-signed certificate:
    crypto pki enroll CUBEtest
    % The fully-qualified domain name will not be included in the certificate
    Generate Self Signed Router Certificate? [yes/no]: yes
- Export the certificate:
    crypto pki export CUBEtest pem terminal
- Copy the self-signed certificate that you exported and save it as a text file with the .pem file extension.
- Upload the self-signed CUBE certificate to Webex Contact Center:
- Copy the certificate from Webex Contact Center:
- Upload the Webex Contact Center certificate to CUBE:
    crypto pki trustpoint HOSTNAME
     enrollment terminal
     revocation-check none
    crypto pki authenticate HOSTNAME
    (PASTE THE CJP CERT HERE AND THEN PRESS ENTER TWICE)
  Enter yes when you are prompted to accept the certificate.
- Configure SIP to use the self-signed certificate trustpoint that you created in step 1:
    ! crypto signaling is entered in sip-ua configuration mode
    sip-ua
     crypto signaling default trustpoint CUBEtest
- Configure the dial peers with transport layer security:
    voice class sip-options-keepalive 100
     transport tcp tls
    dial-peer voice 9999 voip
     answer-address 35..
     destination-pattern 9999
     session protocol sipv2
     session target ipv4:<Webex CC SBC IPs>
     session transport tcp tls
     voice-class sip options-keepalive profile 100
     srtp
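
A check for the copy-and-save and paste steps above, as an added example that is not part of the original procedure: it extracts the single certificate block from pasted terminal text, rejects stray characters and truncated copies, and returns fingerprints to compare before a certificate is accepted. The sample input is a constructed placeholder (not a real certificate) and the function names are illustrative.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_declared_length(der):
    """Total size (header + body) declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def wrap64(b64):
    """Re-wrap base64 text at 64 characters per line, as PEM expects."""
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))

def clean_pem(pasted):
    """Return (clean PEM text, fingerprints) for the one certificate in pasted text."""
    blocks = PEM_RE.findall(pasted)
    if len(blocks) != 1:
        raise ValueError(f"expected 1 certificate block, found {len(blocks)}")
    b64 = "".join(blocks[0].split())
    der = base64.b64decode(b64, validate=True)   # raises on stray characters
    if der_declared_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing bytes")
    pem = f"-----BEGIN CERTIFICATE-----\n{wrap64(b64)}\n-----END CERTIFICATE-----\n"
    prints = {"sha1": hashlib.sha1(der).hexdigest(),
              "sha256": hashlib.sha256(der).hexdigest()}
    return pem, prints

# Constructed sample: a placeholder DER blob (not a real certificate) wrapped in
# the kind of terminal text that tends to be copied along with it.
FAKE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE = (
    "ISR4451-B#crypto pki export CUBEtest pem terminal\n"
    "% constructed informational line\n"
    "-----BEGIN CERTIFICATE-----\n"
    + wrap64(base64.b64encode(FAKE_DER).decode())
    + "\n-----END CERTIFICATE-----\n\nISR4451-B#"
)

if __name__ == "__main__":
    pem, prints = clean_pem(SAMPLE)
    print(pem, prints)
```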