Introduction
This document describes how to secure Real-time Transport Protocol (RTP) traffic with Secure RTP (SRTP) in the Contact Center Enterprise (CCE) comprehensive call flow.
Prerequisites
Certificate generation and import are out of the scope of this document, so certificates for Cisco Unified Communications Manager (CUCM), Customer Voice Portal (CVP) Call Server, Cisco Virtual Voice Browser (CVVB), and Cisco Unified Border Element (CUBE) must already be created and imported on the respective components. If you use self-signed certificates, the certificates must be exchanged among the different components.
Requirements
Cisco recommends that you have knowledge of these topics:
Components Used
The information in this document is based on Package Contact Center Enterprise (PCCE), CVP, CVVB, and CUCM version 12.6, but it is also applicable to the previous versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
Note: In the contact center comprehensive call flow, secure SIP signaling must be enabled before secure RTP can be enabled. Therefore, the configurations in this document enable both secure SIP and SRTP.
The next diagram shows the components involved in SIP signaling and RTP in the contact center comprehensive call flow. A voice call enters the system through the ingress gateway or CUBE, so start the configuration on CUBE. Next, configure CVP, CVVB, and CUCM.
Task 1: CUBE Secure Configuration
In this task, you configure CUBE to secure SIP signaling and RTP.
Required configurations:
- Configure a Default Trustpoint for the SIP UA
- Modify the Dial-peers to use TLS and SRTP
Steps:
- Open an SSH session to CUBE.
- Run these commands so that the SIP user agent uses the trustpoint that holds the CA-signed CUBE certificate (ms-ca-name in this example) for TLS. CUBE establishes SIP TLS connections from/to CUCM (198.18.133.3) and CVP (198.18.133.13):
conf t
sip-ua
transport tcp tls v1.2
crypto signaling remote-addr 198.18.133.3 255.255.255.255 trustpoint ms-ca-name
crypto signaling remote-addr 198.18.133.13 255.255.255.255 trustpoint ms-ca-name
exit
- Run these commands to enable TLS and SRTP on the outgoing dial peer to CVP. In this example, dial-peer tag 6000 routes calls to CVP:
conf t
dial-peer voice 6000 voip
session target ipv4:198.18.133.13:5061
session transport tcp tls
srtp
exit
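An added example (not from the original article or from Cisco) that audits a saved CUBE running-config excerpt against the Task 1 settings: TLS 1.2 on the SIP user agent, a crypto signaling trustpoint for each SIP peer, and TLS, port 5061 and srtp on every VoIP dial-peer. The peer addresses and the trustpoint name ms-ca-name come from this task; the script and its sample config are constructed.

```python
import re

# Constructed CUBE running-config excerpt (not from a real device), modelled on Task 1; dial-peer 7000 is deliberately insecure.
SAMPLE_CONFIG = """\
sip-ua
 transport tcp tls v1.2
 crypto signaling remote-addr 198.18.133.3 255.255.255.255 trustpoint ms-ca-name
 crypto signaling remote-addr 198.18.133.13 255.255.255.255 trustpoint ms-ca-name
dial-peer voice 6000 voip
 session target ipv4:198.18.133.13:5061
 session transport tcp tls
 srtp
dial-peer voice 7000 voip
 session target ipv4:198.18.133.3:5060
 session transport udp
"""

def config_sections(config):
    """Split IOS config text into (header, [stripped indented sub-lines]) pairs."""
    sections = []
    for chunk in re.split(r"\n(?=\S)", config.strip()):
        lines = chunk.splitlines()
        sections.append((lines[0].strip(), [ln.strip() for ln in lines[1:]]))
    return sections

def audit_cube(config):
    """Return findings for SIP/RTP settings that fall short of the Task 1 configuration."""
    findings, signaling_peers = [], set()
    for header, body in config_sections(config):
        if header == "sip-ua":
            if "transport tcp tls v1.2" not in body:
                findings.append("sip-ua: transport tcp tls v1.2 not set")
            for ln in body:
                m = re.match(r"crypto signaling remote-addr (\S+) \S+ trustpoint \S+", ln)
                if m:
                    signaling_peers.add(m.group(1))
        elif header.startswith("dial-peer voice ") and header.endswith(" voip"):
            tag = header.split()[2]
            target = next((ln for ln in body if ln.startswith("session target ipv4:")), "")
            m = re.match(r"session target ipv4:([\d.]+)(?::(\d+))?", target)
            ip, port = (m.group(1), m.group(2) or "5060") if m else (None, None)
            if "session transport tcp tls" not in body:
                findings.append(f"dial-peer {tag}: SIP transport is not TCP/TLS")
            if port != "5061":
                findings.append(f"dial-peer {tag}: session target port {port} is not 5061")
            if "srtp" not in body:
                findings.append(f"dial-peer {tag}: srtp not enabled")
            if ip and ip not in signaling_peers:
                findings.append(f"dial-peer {tag}: no crypto signaling trustpoint for {ip}")
    return findings
```

Run audit_cube on the text of show running-config; an empty list means every VoIP dial-peer matches the Task 1 settings.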
Task 2: CVP Secure Configuration
In this task, configure the CVP call server to secure the SIP protocol messages (SIP TLS).
Steps:
- Log in to the UCCE Web Administration.
- Navigate to Call Settings > Route Settings > SIP Server Group.
Based on your configuration, you have SIP Server Groups configured for CUCM, CVVB, and CUBE. You need to set the secure SIP port to 5061 for all of them. In this example, these SIP server groups are used:
- cucm1.dcloud.cisco.com for CUCM
- vvb1.dcloud.cisco.com for CVVB
- cube1.dcloud.cisco.com for CUBE
- Click cucm1.dcloud.cisco.com, and then open the Members tab, which shows the details of the SIP Server Group configuration. Set SecurePort to 5061 and click Save.
- Click vvb1.dcloud.cisco.com, and then in the Members tab, set SecurePort to 5061 and click Save.
Task 3: CVVB Secure Configuration
In this task, configure CVVB to secure the SIP protocol messages (SIP TLS) and SRTP.
Steps:
- Open the Cisco VVB Admin page.
- Navigate to System > System Parameters.
- In the Security Parameters section, choose Enable for TLS (SIP). Keep the Supported TLS(SIP) version as TLSv1.2 and choose Enable for SRTP.
- Click Update. Click Ok when prompted to restart the CVVB engine.
- These changes require a restart of the Cisco VVB engine. In order to restart the VVB engine, navigate to Cisco VVB Serviceability, then click Go.
- Navigate to Tools > Control Center – Network Services.
- Choose Engine and click Restart.
Task 4: CUCM Secure Configuration
In order to secure SIP messages and RTP on CUCM, perform these configurations:
- Set CUCM Security Mode to Mixed Mode
- Configure SIP Trunk Security Profiles for CUBE and CVP
- Associate SIP Trunk Security Profiles to Respective SIP Trunks and enable SRTP
- Secure Agents’ Device Communication with CUCM
Set CUCM Security Mode to Mixed Mode
CUCM supports two security modes:
- Non-secure mode (default mode)
- Mixed mode (secure mode)
Steps:
- Log in to the CUCM administration interface.
- After you log in to CUCM, navigate to System > Enterprise Parameters.
- In the Security Parameters section, check whether Cluster Security Mode is set to 0.
- If Cluster Security Mode is set to 0, the cluster security mode is non-secure. You need to enable mixed mode from the CLI.
- Open an SSH session to the CUCM.
- After successful login to CUCM via SSH, run this command:
utils ctl set-cluster mixed-mode
- Type y and press Enter when prompted. This command sets the cluster security mode to mixed mode.
- For the changes to take effect, restart the Cisco CallManager and Cisco CTIManager services.
- In order to restart the services, navigate and log in to Cisco Unified Serviceability.
- After successful login, navigate to Tools > Control Center – Feature Services.
- Choose the server and then click Go.
- Under CM Services, choose Cisco CallManager, then click the Restart button at the top of the page.
- Confirm the pop-up message and click OK. Wait for the service to restart successfully.
- After Cisco CallManager restarts successfully, choose Cisco CTIManager, then click the Restart button to restart the Cisco CTIManager service.
- Confirm the pop-up message and click OK. Wait for the service to restart successfully.
- After the services restart successfully, verify that the cluster security mode is set to mixed mode: navigate to CUCM administration as explained in Step 5 and check Cluster Security Mode. It must now be set to 1.
Configure SIP Trunk Security Profiles for CUBE and CVP
Steps:
- Log in to the CUCM administration interface.
- After successful login to CUCM, navigate to System > Security > SIP Trunk Security Profile in order to create a device security profile for CUBE.
- At the top left, click Add New to add a new profile.
- Configure the SIP Trunk Security Profile as shown in the image and then click Save at the bottom left of the page.
- Ensure that Secure Certificate Subject or Subject Alternate Name is set to the Common Name (CN) of the CUBE certificate, as it must match.
- Click the Copy button and change the Name to SecureSIPTLSForCVP. Change Secure Certificate Subject to the CN of the CVP call server certificate, as it must match. Click the Save button.
Associate SIP Trunk Security Profiles to Respective SIP Trunks and Enable SRTP
Steps:
- On the CUCM Administration page, navigate to Device > Trunk.
- Search for the CUBE trunk. In this example, the CUBE trunk name is vCUBE. Click Find.
- Click vCUBE to open the vCUBE trunk configuration page.
- In the Device Information section, check the SRTP Allowed check box in order to enable SRTP.
- Scroll down to the SIP Information section and change the Destination Port to 5061.
- Change SIP Trunk Security Profile to SecureSIPTLSForCube.
- Click Save, then Reset, to save and apply the changes.
- Navigate to Device > Trunk and search for the CVP trunk. In this example, the CVP trunk name is CVP-SIP-Trunk. Click Find.
- Click CVP-SIP-Trunk to open the CVP trunk configuration page.
- In the Device Information section, check the SRTP Allowed check box in order to enable SRTP.
- Scroll down to the SIP Information section and change the Destination Port to 5061.
- Change SIP Trunk Security Profile to SecureSIPTLSForCVP.
- Click Save, then Reset, to save and apply the changes.
Secure Agents’ Device Communication with CUCM
In order to enable security features for a device, you must install a Locally Significant Certificate (LSC) and assign a security profile to that device. The LSC contains the public key of the endpoint, signed by the private key of the CUCM Certificate Authority Proxy Function (CAPF). It is not installed on phones by default.
Steps:
- Log in to the Cisco Unified Serviceability interface.
- Navigate to Tools > Service Activation.
- Choose the CUCM server and click Go.
- Check Cisco Certificate Authority Proxy Function and click Save to activate the service. Click Ok to confirm.
- Ensure that the service is activated, then navigate to CUCM administration.
- After successful login to CUCM administration, navigate to System > Security > Phone Security Profile in order to create a device security profile for the agent device.
- Find the security profile that corresponds to your agent device type. In this example, a soft phone is used, so choose Cisco Unified Client Services Framework - Standard SIP Non-Secure Profile. Click the copy icon in order to copy this profile.
- Rename the profile to Cisco Unified Client Services Framework - Secure Profile. Change the parameters as shown in the image, then click Save at the top left of the page.
- After the phone security profile is created successfully, navigate to Device > Phone.
- Click Find to list all available phones, then click the agent phone.
- The agent phone configuration page opens. Find the Certification Authority Proxy Function (CAPF) Information section. In order to install the LSC, set Certificate Operation to Install/Upgrade and Operation Completes by to any future date.
- Find the Protocol Specific Information section and change the Device Security Profile to Cisco Unified Client Services Framework - Secure Profile.
- Click Save at the top left of the page. Ensure that the changes are saved successfully, then click Reset.
- A pop-up window opens; click Reset to confirm the action.
- After the agent device registers again with CUCM, refresh the page and verify that the LSC is installed successfully. In the Certification Authority Proxy Function (CAPF) Information section, Certificate Operation must be set to No Pending Operation and Certificate Operation Status must be set to Upgrade Success.
- Repeat Steps 7 - 13 to secure the other agent devices that you want to use secure SIP and RTP with CUCM.
Verify
In order to validate that RTP is properly secured, perform these steps:
- Make a test call to the contact center and listen to the IVR prompt.
- At the same time, open an SSH session to vCUBE and run this command:
show call active voice brief
Tip: Check whether SRTP is on between CUBE and VVB (198.18.133.143). If yes, this confirms that the RTP traffic between CUBE and VVB is secure.
- Make an agent available to answer the call.
- The agent gets reserved and the call is routed to the agent. Answer the call.
- The call is connected to the agent. Go back to the vCUBE SSH session and run this command:
show call active voice brief
Tip: Check whether SRTP is on between CUBE and the agent's phone (198.18.133.75). If yes, this confirms that the RTP traffic between CUBE and the agent is secure.
- Also, once the call is connected, a security lock icon is displayed on the agent device. This also confirms that the RTP traffic is secure.
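An added example (not part of the original article and not a Cisco tool) that parses the show call active voice brief output from the Verify steps and reports which expected media peers (VVB 198.18.133.143 and the agent phone 198.18.133.75) have no active leg with SRTP on. The sample output is constructed and simplified from the IOS format.

```python
import re

# Constructed, simplified "show call active voice brief" output from CUBE, modelled
# on the IOS format (not captured from a real device). Leg 100 is CUBE <-> CVVB,
# leg 101 is CUBE <-> the agent phone and is deliberately shown with SRTP off.
SAMPLE_OUTPUT = """\
11F7 : 100 1203340ms.1 +2870 pid:1 Originate 1001 active
 dur 00:00:42 tx:2100/336000 rx:2100/336000 dscp:0 media:0 audio tos:0xB8 video tos:0x0
 IP 198.18.133.143:16384 SRTP: on rtt:0ms pl:0/0ms lost:0/0/0 delay:0/0/0ms g711ulaw TextRelay: off
11F7 : 101 1203340ms.2 +2870 pid:6000 Answer 1001 active
 dur 00:00:42 tx:2100/336000 rx:2100/336000 dscp:0 media:0 audio tos:0xB8 video tos:0x0
 IP 198.18.133.75:24580 SRTP: off rtt:0ms pl:0/0ms lost:0/0/0 delay:0/0/0ms g711ulaw TextRelay: off
"""

CALL_RE = re.compile(r"^([0-9A-Fa-f]+)\s*:\s*(\d+)\b")                      # call-id : leg-id header
LEG_RE = re.compile(r"^\s*IP\s+([\d.]+):(\d+)\s+SRTP:\s*(on|off)\b", re.I)  # IP media leg line

def parse_media_legs(output):
    """Return [(call_id, leg_id, remote_ip, remote_port, srtp_on)] for each IP media leg."""
    legs, call_id, leg_id = [], None, None
    for line in output.splitlines():
        head = CALL_RE.match(line)
        if head:
            call_id, leg_id = head.group(1), int(head.group(2))
            continue
        m = LEG_RE.match(line)
        if m:
            legs.append((call_id, leg_id, m.group(1), int(m.group(2)), m.group(3).lower() == "on"))
    return legs

def unsecured_peers(output, expected_peers):
    """Expected media peers (VVB, agent phone) that have no active leg with SRTP on."""
    secured = {leg[2] for leg in parse_media_legs(output) if leg[4]}
    return sorted(set(expected_peers) - secured)

if __name__ == "__main__":
    for leg in parse_media_legs(SAMPLE_OUTPUT):
        print(leg)
    print("peers without SRTP:", unsecured_peers(SAMPLE_OUTPUT, {"198.18.133.143", "198.18.133.75"}))
```

Paste the real command output in place of SAMPLE_OUTPUT while the test call is up; an empty list from unsecured_peers means both legs described in the Verify steps are carrying SRTP.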
To validate that the SIP signaling is properly secured, refer to the Configure Secure SIP Signaling article.