Configure Secure RTP in Contact Center Enterprise

Introduction

This document describes how to secure Real-time Transport Protocol (SRTP) Traffic in Contact Center Enterprise (CCE) comprehensive call flow.

Prerequisites

Certificates generation and import are out of the scope of this document, so certificates for Cisco Unified Communication Manager (CUCM), Customer Voice Portal (CVP) Call Server, Cisco Virtual Voice Browser (CVVB), and Cisco Unified Border Element (CUBE) have to be created and imported to the respective components. If you use self-signed certificates, certificate exchange has to be done among different components.

Requirements

Cisco recommends that you have knowledge of these topics:

• CCE
• CVP
• CUBE
• CUCM
• CVVB

Components Used

The information in this document is based on Package Contact Center Enterprise (PCCE), CVP, CVVB, and CUCM version 12.6, but it is also applicable to the previous versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Configure

Note: In the contact center comprehensive call flow, In order to enable secure RTP, secure SIP signals must be enabled. Therefore, configurations in this document enable both secure SIP and SRTP.

The next diagram shows the components engaged in SIP signals and RTP in the contact center comprehensive call flow. When a voice call comes to the system, it first comes via the ingress gateway or CUBE, so start the configurations on CUBE. Next, configure CVP, CVVB, and CUCM.

Task 1: CUBE Secure Configuration

In this task, you configure CUBE to secure SIP protocol messages and RTP.

Required configurations:

• Configure a Default Trustpoint for the SIP UA
• Modify the Dial-peers to use TLS and SRTP

Steps:

1. Open an SSH session to CUBE.

2. Run these commands to have the SIP stack use the CA certificate of the CUBE. CUBE establishes SIP TLS connection from/to CUCM (198.18.133.3) and CVP (198.18.133.13):

Conf t Sip-ua Transport tcp tls v1.2 crypto signaling remote-addr 198.18.133.3 255.255.255.255 trustpoint ms-ca-name crypto signaling remote-addr 198.18.133.13 255.255.255.255 trustpoint ms-ca-name exit

3. Run these commands to enable TLS on the outgoing dial peer to CVP. In this example, dial-peer tag 6000 is used to route calls to CVP:

Conf t dial-peer voice 6000 voip session target ipv4:198.18.133.13:5061 session transport tcp tls srtp exit

Task 2: CVP Secure Configuration

In this task, configure the CVP call server to secure the SIP protocol messages (SIP TLS).

Steps:

1. Login to the  UCCE Web Administration.
2. Navigate to  Call Settings > Route Settings > SIP Server Group.
   
   

Based on your configurations, you have SIP Server Groups configured for CUCM, CVVB, and CUBE. You need to set secure SIP ports to 5061 for all of them. In this example, these SIP server groups are used:

• cucm1.dcloud.cisco.com for CUCM
• vvb1.dcloud.cisco.com for CVVB
• cube1.dcloud.cisco.com  for CUBE

3. Click  cucm1.dcloud.cisco.com,and then in the  Members  tab that shows the details of SIP Server Group Configurations. Set SecurePort to  5061 and click Save.
   
   

4. Click vvb1.dcloud.cisco.com and then in the  Members  tab, set the  SecurePort to 5061  and click  Save.
   
   

Task 3: CVVB Secure Configuration

In this task, configure CVVB to secure the SIP protocol messages (SIP TLS) and SRTP.

Steps:

1. Open the Cisco VVB Admin  page.
2. Navigate to  System > System Parameters.
   
   

3. On the  Security Parameters section, choose Enable for  TLS (SIP) . Keep the Supported TLS(SIP) version as TLSv1.2  and choose  Enable  for  SRTP.
   
   

4. Click  Update. Click  Ok when prompted to restart the CVVB engine.
   
   

5. These changes require a restart of the Cisco VVB engine. In order to restart the VVB engine, navigate to the  Cisco VVB Serviceability , then click  Go.
   
   

6. Navigate to  Tools > Control Center – Network Services.
   
   

7. Choose  Engine and click  Restart.
   
   

Task 4: CUCM Secure Configuration

In order to secure SIP messages and RTP on CUCM, perform these configurations:

• Set CUCM Security Mode to Mixed Mode
• Configure SIP Trunk Security Profiles for CUBE and CVP
• Associate SIP Trunk Security Profiles to Respective SIP Trunks and enable SRTP
• Secure Agents’ device Communication with CUCM

Set CUCM Security Mode to Mixed Mode

CUCM supports two security modes:

• Non-secure mode (default mode)
• Mixed mode (secure mode)

Steps:

1. Log in to the CUCM administration interface.
   
   

2. When you log in to the CUCM, you can navigate to  System > Enterprise Parameters.
   
   

3. Under the  Security Parameters section, check if the Cluster Security Mode is set to  0.
   
   

4. If Cluster Security Mode is set to 0, this means cluster security mode is set to non-secure. You need to enable the mixed Mode from CLI.
5. Open an SSH session to the CUCM.
6. Upon successful login to CUCM via SSH, run this command:

utils ctl set-cluster mixed-mode

7. Type y and click Enter when prompted. This command sets cluster security mode to mixed mode.
   
   

8. For the changes to take effect, restart the Cisco CallManager and the  Cisco CTIManager services.
9. In order to restart the services, navigate and log in to  Cisco Unified Serviceability.
   
   

10. After successful login, navigate to  Tools > Control Center – Feature Services.
    
    

11. Choose the server and then click  Go.
    
    

12. Underneath CM services, choose the Cisco CallManager , then click  Restart  button at the top of the page.
    
    

13. Confirm the pop-up message and click  OK. Wait for the service to successfully restart.
    
    

14. After the successful restart of  Cisco CallManager, choose the  Cisco CTIManager then click  Restart button to restart  Cisco CTIManager service.
    
    

15. Confirm the pop-up message and click  OK. Wait for the service to successfully restart.
    
    

16. After successful services restart, in order to verify cluster security mode is set to mixed mode, navigate to CUCM administration as explained in Step 5. and then check the  Cluster Security Mode. Now it must be set to  1.
    
    

Configure SIP Trunk Security Profiles for CUBE and CVP

Steps:

1. Log in to the CUCM administration interface.
2. After successful login to CUCM, navigate to  System > Security > SIP Trunk Security Profile in order to create a device security profile for CUBE.
   
   

3. On the top left, click  Add New to add a new profile.
   
   

4. Configure  SIP Trunk Security Profile  as this image and then click  Save  at the bottom left of the page.
   
   

5. Ensure to set the  Secure Certificate Subject or Subject Alternate Name  to the Common Name (CN) of the CUBE certificate as it must match.

6. Click  Copy  button and change the  Name to  SecureSipTLSforCVP. Change  Secure Certificate Subject  to the CN of the CVP call server certificate as it must match. Click  Save  button.

Associate SIP Trunk Security Profiles to Respective SIP Trunks and Enable SRTP

Steps:

1. On the CUCM Administration page, navigate to  Device > Trunk.
   
   

2. Search for CUBE trunk. In this example, the CUBE trunk name is  vCube , then click  Find.
   
   

3. Click  vCUBE to open the vCUBE trunk configuration page.
4. In  Device Information section, check the SRTP Allowed check box in order to enable SRTP.
   
   

5. Scroll down to the SIP Information section, and change the  Destination Port to  5061.
6. Change  SIP Trunk Security Profile to  SecureSIPTLSForCube.
   
   

7. Click  Save then  Rest to save and apply changes.
   
   

8. Navigate to  Device > Trunk, search for CVP trunk, in this example CVP trunk name is  cvp-SIP-Trunk. Click  Find.
   
   

9. Click  CVP-SIP-Trunk to open the CVP trunk configuration page.
10. In  Device Information section, check  SRTP Allowed check box in order to enable SRTP.
    
    

11. Scroll down to the  SIP Information section, change the  Destination Port to  5061.
12. Change  SIP Trunk Security Profile to  SecureSIPTLSForCvp.
    
    

13. Click  Save  then  Rest to save and apply changes.
    
    

Secure Agents’ Device Communication with CUCM

In order to enable security features for a device, you must install a Locally Significant Certificate (LSC) and assign the security profile to that device. The LSC possesses the public key for the endpoint, which is signed by the CUCM CAPF private key. It is not installed on phones by default.

Steps:

1. Log in to  Cisco Unified Serviceability interface.
2. Navigate to  Tools > Service Activation.
   
   

3. Choose the CUCM server and click  Go.
   
   

4. Check  Cisco Certificate Authority Proxy Function and click  Save  to activate the service. Click  Ok to confirm.
   
   

5. Ensure the service is activated then navigate to CUCM administration.
   
   

6. After successful login to CUCM administration, navigate to  System > Security > Phone Security Profile in order to create a device security profile for the agent device.
   
   

7. Find the security profile respective to your agent device type. In this example, a soft phone is used, so choose  Cisco Unified Client Services Framework - Standard SIP Non-Secure Profile. Click copy icon in order to copy this profile.
   
   

8. Rename the profile to  Cisco Unified Client Services Framework - Secure Profile.  Change the parameters as in this image then click  Save  at the top left of the page.
   
   

9. After the successful creation of the phone device profile, navigate to  Device > Phone.
   
   

10. Click  Find to list all available phones then click agent phone.
11. Agent phone configuration page opens. Find  Certification Authority Proxy Function (CAPF) Information section. In order to install LSC, set  Certificate Operation to  Install/Upgrade and  Operation Completes by to any future date.
    
    

12. Find  Protocol Specific Information section and change the  Device Security Profile to  Cisco Unified Client Services Framework – Secure Profile.
    
    

13. Click  Save at the top left of the page. Ensure the changes are saved successfully, then click  Reset.
    
    

14. A pop-up window opens, click  Reset  to confirm the action.
    
    

15. After the agent device registers once again with CUCM, refresh the current page and verify the LSC is installed successfully. Check  Certification Authority Proxy Function (CAPF) Information section,  Certificate Operation must be set to  No Pending Operation and  Certificate Operation Status is set to  Upgrade Success.
    
    

16. Refer to the same steps from Step. 7 - 13 to secure other agents' devices that you want to use secure SIP and RTP with CUCM.

Verify

In order to validate RTP is properly secured, perform these steps:

1. Make a test call to the contact center, and listen to IVR prompt.
2. At the same time, open the SSH session to vCUBE, and run this command:
   show call active voice brief
   
   

Tip: Check if the SRTP is on between CUBE and VVB (198.18.133.143). If yes, this confirms RTP traffic between CUBE and VVB is secure.

3. Make an agent available to answer the call.
   .
4. The agent gets reserved and the call is routed to the agent. Answer the call.
5. The call gets connected to the agent. Go back to the vCUBE SSH session, and run this command:
   show call active voice brief
   
   

Tip: Check if the SRTP is on between CUBE and the agents' phones (198.18.133.75). If yes, this confirms RTP traffic between CUBE and Agent is secure.

6. Also, once the call is connected, a security lock is displayed on the agent device. This also confirms the RTP traffic is secure.
   
   

To validate that the SIP signals are properly secured, refer to Configure Secure SIP Signaling article.