Cisco Cisco TelePresence Video Communication Server Expressway
Connecting VCS to Unified CM using TLS
These instructions explain how to take a system that is already configured and working using a TCP
interconnection between VCS and Unified CM, and to convert that connection to use TLS instead. This
process involves:
interconnection between VCS and Unified CM, and to convert that connection to use TLS instead. This
process involves:
n
ensuring that Unified CM trusts the VCS server certificate
n
configuring a SIP trunk security profile on Unified CM
n
updating the Unified CM trunk to VCS to use TLS
n
updating the VCS neighbor zone to Unified CM to use TLS
Ensuring that Unified CM trusts the VCS server certificate
For Unified CM to make a TLS connection to VCS, Unified CM must trust the VCS’s server certificate.
Unified CM must therefore trust a root certificate that in turn trusts the VCS’s certificate. See Certificate
Creation and Use with VCS Deployment Guide for details of generating CSRs on VCS to acquire certificates
from a Certificate Authority (CA), as well as information about operating private Certificate Authorities.
Unified CM must therefore trust a root certificate that in turn trusts the VCS’s certificate. See Certificate
Creation and Use with VCS Deployment Guide for details of generating CSRs on VCS to acquire certificates
from a Certificate Authority (CA), as well as information about operating private Certificate Authorities.
If VCS and Unified CM have both been loaded with valid certificates and the root CA of the VCS certificate is
already loaded onto Unified CM, then no further work is required.
already loaded onto Unified CM, then no further work is required.
Otherwise, if the VCS does not have a certificate from an authority that is accepted by a root CA certificate
on Unified CM (typically if the VCS has a self-signed certificate), the VCS's server certificate must be loaded
onto Unified CM:
on Unified CM (typically if the VCS has a self-signed certificate), the VCS's server certificate must be loaded
onto Unified CM:
1. On VCS, go to
Maintenance > Security certificates > Server certificate
.
2. In the
Server certificate data
section, click Show server certificate.
3. Copy the entire contents of the displayed certificate into a text file and save it with the extension .pem.
4. On Unified CM, select
Cisco Unified OS Administration
, click Go and log in.
5. Go to
Security > Certificate Management
then click Upload Certificate/Certificate chain.
6. Configure the fields as follows:
Certificate Name
Enter CallManager-trust.
Description
Enter a textual description as required.
Upload File
Click Browse... and select the .pem file containing the CA certificate collected above.
7. Click Upload File.
8. Click Close.
Note that in a clustered environment, you must install CA and server certificates on each peer/node
individually.
individually.
Configuring a SIP trunk security profile on Unified CM
On Unified CM:
1. Select
Cisco Unified CM Administration
, click Go and log in.
2. Go to
System > Security > SIP Trunk Security Profile
.
Unified CM with Cisco VCS (SIP Trunk) Deployment Guide (X7.2)
Page 28 of 49
Connecting VCS to Unified CM using TLS