Cisco TelePresence Video Communication Server Expressway
Connecting VCS to Unified CM Using TLS
These instructions explain how to convert a system that is already configured and working with a TCP connection
between VCS and Unified CM so that the connection uses TLS instead. This process involves:
■ Ensuring certificate trust between Unified CM and VCS
■ Setting the Cluster Security Mode of the Unified CM to 1 (Mixed Mode)
■ Configuring a SIP trunk security profile on Unified CM
■ Updating the Unified CM trunk to VCS to use TLS
■ Updating the VCS neighbor zone to Unified CM to use TLS
Ensuring Certificate Trust Between Unified CM and VCS
For Unified CM and VCS to establish a TLS connection with each other:
■ VCS and Unified CM must both have valid server certificates loaded (you must replace the VCS's default
server certificate with a valid server certificate)
■ VCS must trust Unified CM's server certificate (the root CA of the Unified CM server certificate, and any
intermediate CA in its chain, must be loaded onto VCS)
■ Unified CM must trust VCS's server certificate (the root CA of the VCS server certificate, and any intermediate
CA in its chain, must be loaded onto Unified CM)
generate CSRs on VCS to acquire certificates from a Certificate Authority (CA).
Note:
In a clustered environment, you must install CA and server certificates on each peer/node individually.
We strongly recommend that you do not use self-signed certificates in a production environment.
Loading Server and Trust Certificates on VCS
VCS Server Certificate
VCS has only one server certificate. By default, this is a certificate signed by a temporary certificate authority. We
recommend that it is replaced by a certificate generated by a trusted certificate authority.
To upload a server certificate:
1. Go to Maintenance > Security certificates > Server certificate.
2. Use the Browse button in the Upload new certificate section to select and upload the server certificate PEM
file.
3. If you used an external system to generate the Certificate Signing Request (CSR), you must also upload the
server private key PEM file: the key that was used to generate the CSR and whose public half appears in the
issued certificate. (If the VCS itself produced the CSR, the private key was generated and stored on the VCS at
that time and does not need to be uploaded.)
— The server private key PEM file must not be password protected.
— You cannot upload a server private key while a certificate signing request is in progress.
4. Click Upload server certificate data.
Note:
If you are using Unified CM version 8.5(1) or earlier and are having problems establishing a TLS connection
between VCS and Unified CM, we recommend adding the following X.509 extended key usage (EKU) attributes to
the CSR:
■ serverAuth (1.3.6.1.5.5.7.3.1) -- TLS Web server authentication
■ clientAuth (1.3.6.1.5.5.7.3.2) -- TLS Web client authentication
■ ipsecEndSystem (1.3.6.1.5.5.7.3.5) -- IP security end system
Both serverAuth and clientAuth matter because each side of the trunk acts as the TLS client when it originates a
call and as the TLS server when it receives one, so a certificate restricted to one role fails in the other direction.
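The trust requirements listed under Ensuring Certificate Trust and the CSR/EKU note above can be rehearsed offline before anything is uploaded. The following script is an added example and is not part of the Cisco guide or its tooling: it builds a throwaway lab CA with openssl, issues a VCS certificate from a CSR that carries the three EKUs, and runs the checks a practitioner would make before uploading (the chain validates with the certificate acting as both TLS server and TLS client, the private key matches the certificate, the key file is not password protected, the EKUs are present). It also shows that a self-signed certificate, like the VCS factory default, fails the same chain check. The host name vcs.example.com, the file names and the lab CA are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: lab CA + VCS CSR with the three
# recommended EKUs + the pre-upload trust checks. Host name, file names and the
# lab CA are assumptions; use your real CA in production.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# --- helpers ---------------------------------------------------------------

# chain_ok <trust-anchor.pem> <cert.pem> <purpose>
# Mirrors what the peer does at handshake time: Unified CM validates the VCS
# certificate as a TLS server (calls to VCS) and as a TLS client (calls from VCS).
chain_ok() {
    openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches <key.pem> <cert.pem>: the uploaded private key must be the one whose
# public half is in the certificate (step 3 above); compare the two SPKI encodings.
key_matches() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# key_unencrypted <key.pem>: VCS rejects a password-protected key file.
key_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# cert_has_eku <cert.pem> "<EKU long name as openssl prints it>"
cert_has_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# --- lab CA, standing in for the CA that signs both Unified CM and VCS -------
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Lab Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -x509 -new -key ca.key -config ca.cnf -sha256 -days 365 -out ca.pem

# --- VCS CSR carrying serverAuth, clientAuth and ipsecEndSystem --------------
cat > vcs.cnf <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = vcs.example.com
[ ext ]
subjectAltName = DNS:vcs.example.com
extendedKeyUsage = serverAuth, clientAuth, ipsecEndSystem
EOF
openssl genrsa -out vcs.key 2048 2>/dev/null
openssl req -new -key vcs.key -config vcs.cnf -out vcs.csr

# The CA issues the certificate, copying the requested extensions into it.
openssl x509 -req -in vcs.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile vcs.cnf -extensions ext -out vcs.pem 2>/dev/null

# What the factory-default VCS certificate looks like to Unified CM: issued by
# a CA nobody else trusts (modelled here as a plain self-signed certificate).
openssl req -x509 -new -key vcs.key -config vcs.cnf -days 30 -out default-vcs.pem

# --- the pre-upload checks ---------------------------------------------------
all_checks_ok() {
    chain_ok ca.pem vcs.pem sslserver &&
    chain_ok ca.pem vcs.pem sslclient &&
    key_matches vcs.key vcs.pem &&
    key_unencrypted vcs.key &&
    cert_has_eku vcs.pem "TLS Web Server Authentication" &&
    cert_has_eku vcs.pem "TLS Web Client Authentication" &&
    cert_has_eku vcs.pem "IPSec End System"
}

if all_checks_ok; then echo "vcs.pem: ready to upload"; else echo "vcs.pem: NOT ready"; fi
if chain_ok ca.pem default-vcs.pem sslserver; then
    echo "default-vcs.pem: trusted (unexpected)"
else
    echo "default-vcs.pem: not trusted by the CA store, as expected"
fi
```

With a real CA, keep the CSR block, replace the lab-CA signing step with your CA's issuance, and run `chain_ok <your-root-and-intermediates.pem> vcs.pem sslserver` (and `sslclient`) against the exact PEM bundle you intend to load onto Unified CM. The same call, with the Unified CM certificate and the bundle you intend to load onto VCS, checks the other direction of trust.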
Cisco VCS SIP Trunk to Unified CM Deployment Guide