Cisco TelePresence Video Communication Server Expressway
Cisco VCS Deployment Guide: CUCM v6.1, 7 and 8 with Cisco VCS X7.1 using a SIP trunk

Appendix 10 – Connecting Cisco VCS to CUCM using TLS (rather than TCP)
These instructions explain how to take a system that is already configured and working using a TCP
interconnection between Cisco VCS and CUCM, and to convert that connection to use TLS instead.
The process involves:
ensuring that CUCM trusts the Cisco VCS server certificate
configuring a SIP trunk security profile on CUCM
updating the CUCM trunk to Cisco VCS to use TLS
updating the Cisco VCS neighbor zone to CUCM to use TLS
updating the Cisco VCS search rule to use port 5061 (the SIP over TLS port) instead of port 5060
Ensure that CUCM trusts the Cisco VCS server certificate
For CUCM to make a TLS connection to Cisco VCS, CUCM must trust the VCS's server certificate.
CUCM must therefore hold a trusted root CA certificate that validates the VCS's certificate (or, failing that, the VCS server certificate itself, as described below).
If VCS and CUCM have both been loaded with valid certificates from the same certificate authority and
the root CA is already loaded onto CUCM, then no further work is required.
If the VCS certificate was not issued by an authority whose root CA certificate is loaded on CUCM, there are two options:
The preferred solution is to obtain a valid certificate for the Cisco VCS from an authority accepted
by the CUCM root CA certificate, and then load this new certificate onto Cisco VCS (see the
Certificate creation and use with Cisco VCS deployment guide).
An alternative solution is to have CUCM trust the Cisco VCS's existing server certificate directly. You
can do this by copying the server certificate off the VCS and loading it into CUCM as a trust certificate.
Note that this pins trust to that one certificate: whenever the VCS server certificate is renewed or
replaced, the new certificate must be uploaded to CUCM again, otherwise the TLS trunk will fail to
establish. To do this:
a. Copy the server certificate from VCS to a text file and save the file with a suffix of .pem:
   i. Go to the Cisco VCS's Security certificates page (Maintenance > Certificate management > Security certificates).
   ii. Click Show server certificate.
   iii. Copy all the information displayed, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, into a text file named in the format VCS<IPaddress>-cert.pem, for example.
b. On CUCM, select Cisco Unified OS Administration, click Go and log in.
c. Go to Security > Certificate management, then click Upload Certificate.
d. Configure the fields as follows:
   Certificate Name: CallManager-trust
   Root Certificate: <leave blank>
   Description: Enter a textual description as required.
   Upload File: Click Browse... and select the .pem file you created in step a.
e. Click Upload File.
f. Click Close.
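The following shell script is an added example, not part of the Cisco guide, that sanity-checks the .pem file produced in step a before it is uploaded to CUCM: it strips any page text pasted around the BEGIN/END lines, reports whether the VCS certificate is self-signed (in which case the certificate itself must be the trust anchor) or CA-issued (in which case uploading the issuing CA is the better route), runs the same validation CUCM will perform against a chosen trust anchor, and warns if the certificate is close to expiry. It assumes openssl is installed; the host name vcs.example.com and port 5061 in the fetch helper are placeholders for your own VCS.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): prepare and check the VCS server
# certificate before uploading it to CUCM as CallManager-trust.
# Assumes: openssl on the PATH; vcs.example.com is a placeholder host name.

# Keep only the PEM block from a pasted page. The guide says to copy the
# BEGIN/END lines too; anything outside them (page headers etc.) is dropped.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# Fetch the certificate that VCS actually presents on the SIP TLS port.
# Needs network access to a live VCS, so it is not exercised offline;
# use it after the trunk is switched to TLS to confirm CUCM sees the same
# certificate you uploaded.  Usage: fetch_vcs_cert vcs.example.com 5061
fetch_vcs_cert() {
    host="$1"; port="${2:-5061}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | extract_pem
}

# Print 0 if the certificate is self-signed (subject equals issuer), else 1.
# Self-signed: the certificate itself must be uploaded as the trust anchor.
# CA-issued: prefer uploading the issuing CA's root certificate instead.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$subj" = "$iss" ] && echo 0 || echo 1
}

# Mirror CUCM's check: can the trust anchor in $1 validate the VCS
# certificate in $2?  Exit status 0 on success, non-zero otherwise.
verify_against_trust() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print 1 if the certificate expires within $2 days (default 30), else 0.
# A pinned leaf certificate that expires also breaks the CUCM trunk, so
# check this before uploading rather than after the trunk goes down.
cert_expires_within_days() {
    secs=$(( ${2:-30} * 86400 ))
    openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1 && echo 0 || echo 1
}
```

Typical use: run extract_pem over the text you pasted from Show server certificate, save the result as VCS<IPaddress>-cert.pem, then run cert_is_self_signed and cert_expires_within_days on it. If the certificate is CA-issued, obtain the issuing CA's root certificate and confirm with verify_against_trust that it validates the VCS certificate; that root is what belongs in CallManager-trust rather than the leaf.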