This document describes the configuration and verification of the secure SIP connection between the Cisco Unified Communication Manager (CUCM) and Cisco Unity Connection (CUC) server using Next Generation Encryption.
Next Generation Encryption over the SIP interface restricts the SIP interface to Suite B ciphers based on TLS 1.2, SHA-2 and AES-256. It allows various cipher combinations based on the priority order of RSA or ECDSA ciphers. During communication between Unity Connection and Cisco Unified CM, both the ciphers and the third-party certificates are verified at both ends. The configuration for Next Generation Encryption support follows.
If you plan to use certificates signed by a third-party Certification Authority, start with the certificate signing at the end of the configuration section (Configure - Signing the EC key based certificates by third party CA).
The information in this document is based on these software and hardware versions:
CUCM version 11.0 and later in Mixed mode
CUC version 11.0 and later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This diagram briefly explains the process that helps establish a secure connection between CUCM and CUC once the Next generation encryption support is enabled:
These are the certificate exchange requirements once the Next generation encryption support is enabled on Cisco Unity Connection.
CUCM certificate used | CUC certificate used | Certs to upload to CUCM | Certs to upload to CUC |
CallManager.pem (self-signed) | Tomcat.pem (self-signed) | Tomcat.pem to be uploaded into CUCM > CallManager-trust | None. |
CallManager.pem (CA signed) | Tomcat.pem (CA signed) | CUC root & intermediate CA certificate*1 to be uploaded into CUCM > CallManager-trust | CUCM root & intermediate CA certificate*2 to be uploaded into CUC > CallManager-trust. |
CallManager.pem (CA signed) | Tomcat.pem (self-signed) | Tomcat.pem to be uploaded into CUCM > CallManager-trust | CUCM root & intermediate CA certificate to be uploaded into CUC > CallManager-trust. |
CallManager.pem (self-signed) | Tomcat.pem (CA signed) | CUC root & intermediate CA certificate to be uploaded into CUCM > CallManager-trust | None. |
*1 CUC root & intermediate CA certificate refers to the CA certificate that signed the Unity Connection Tomcat certificate (Tomcat.pem).
*2 CUCM root & intermediate CA certificate refers to the CA certificate that signed the CUCM CallManager certificate (CallManager.pem).
CUCM certificate used | CUC certificate used | Certs to upload to CUCM | Certs to upload to CUC |
CallManager-ECDSA.pem (self-signed) | Tomcat-ECDSA.pem (self-signed) | Tomcat-ECDSA.pem to be uploaded into CUCM > CallManager-trust | None. |
CallManager-ECDSA.pem (CA signed) | Tomcat-ECDSA.pem (CA signed) | CUC root & intermediate CA certificate*1 to be uploaded into CUCM > CallManager-trust | CUCM root & intermediate CA certificate*2 to be uploaded into CUC > CallManager-trust. |
CallManager-ECDSA.pem (CA signed) | Tomcat-ECDSA.pem (self-signed) | Tomcat-ECDSA.pem to be uploaded into CUCM > CallManager-trust. | CUCM root & intermediate CA certificate to be uploaded into CUC > CallManager-trust. |
CallManager-ECDSA.pem (self-signed) | Tomcat-ECDSA.pem (CA signed) | CUC root & intermediate CA certificate to be uploaded into CUCM > CallManager-trust | None. |
*1 CUC root & intermediate CA certificate refers to the CA certificate that signed the Unity Connection EC based Tomcat certificate (Tomcat-ECDSA.pem).
*2 CUCM root & intermediate CA certificate refers to the CA certificate that signed the CUCM CallManager certificate (CallManager-ECDSA.pem).
Navigate to Cisco Unity Connection Administration page > Telephony integration > Port group and Click on Add New. Make sure to check the Enable Next Generation Encryption checkbox.
On the Port Group Basics page, navigate to Edit > Servers and add the FQDN of the TFTP server of your CUCM cluster. The FQDN/hostname of the TFTP server must match the Common Name (CN) of the CallManager certificate. The IP address of the server will not work and results in a failure to download the ITL file. The DNS name must therefore be resolvable via the configured DNS server.
Restart Connection Conversation Manager on each node by navigating to Cisco Unity Connection Serviceability > Tools > Service Management. This is mandatory for the configuration to take effect.
Navigate back to Telephony integration > Port group > Port Group Basics configuration page and reset your newly added Port group.
Navigate back to Telephony integration > Port and click on Add new to add port to your newly created port group.
In case of third-party certificates, you must upload the root and intermediate certificates of the third-party Certification Authority into the CallManager-trust store of Unity Connection. This is needed only if a third-party CA signed your CallManager certificate. Perform this action by navigating to Cisco Unified OS Administration > Security > Certificate Management and clicking Upload Certificate.
Navigate to CUCM Administration > System > Security > SIP Trunk Security Profile and add a new profile. The X.509 Subject Name must match the FQDN of the CUC server.
Navigate to Device > Trunk, click Add New, and create a standard SIP trunk that will be used for the secure integration with Unity Connection.
The negotiation between Unity Connection and Cisco Unified Communications Manager depends on the TLS cipher configuration with the following conditions:
Navigate to Cisco Unified CM Administration > System > Enterprise Parameters and select the appropriate cipher option from the TLS Ciphers and SRTP Ciphers drop-down lists.
Restart the Cisco CallManager service on each node by navigating to the Cisco Unified Serviceability page, Tools > Control Center - Feature Services, and selecting Cisco CallManager under CM Services.
Navigate to Cisco Unity Connection Administration page > System Settings > General Configuration and select the appropriate cipher option from the TLS Ciphers and SRTP Ciphers drop-down lists.
Restart Connection Conversation Manager on each node by navigating to Cisco Unity Connection Serviceability > Tools > Service Management.
TLS Cipher options in priority order
TLS Cipher Options | TLS Ciphers in Priority Order |
Strongest - AES-256 SHA-384 Only: RSA Preferred | |
Strongest - AES-256 SHA-384 Only: ECDSA Preferred | |
Medium - AES-256 AES-128 Only: RSA Preferred | |
Medium - AES-256 AES-128 Only: ECDSA Preferred | |
All Ciphers RSA Preferred (Default) | |
All Ciphers ECDSA Preferred | |
SRTP Cipher options in priority order
SRTP Cipher Option | SRTP Ciphers in Priority Order |
All supported AES-256, AES-128 ciphers | |
AEAD AES-256, AES-128 GCM-based ciphers | |
AEAD AES-256 GCM-based ciphers only | |
Navigate to OS Administration > Security > Certificate Management and upload both CUC Tomcat certificates (RSA & EC based) into the CallManager-trust store.
In case of third-party certificates, you must upload the root and intermediate certificates of the third-party Certification Authority. This is needed only if a third-party CA signed your Unity Connection Tomcat certificate.
Restart the Cisco Call Manager process on all nodes to apply the changes.
Configure a route pattern that points to the configured trunk by navigating to Call Routing > Route/Hunt > Route Pattern. The extension entered as the route pattern number can be used as the voicemail pilot.
Create a voicemail pilot for the integration by navigating to Advanced Features > Voice Mail > Voice Mail Pilot.
Create a voicemail profile in order to link all the settings together by navigating to Advanced Features > Voice Mail > Voice Mail Profile.
Assign the newly created voicemail profile to the DNs intended to use the secure integration by navigating to Call Routing > Directory Number.
The certificates might be signed by a third-party CA before setting up the secure integration between the systems. Follow these steps to sign the certificates on both systems.
Cisco Unity Connection
Cisco Unified CM
The same process is used to sign the RSA key based certificates, where a CSR is generated for the CUC Tomcat certificate and the CallManager certificate and the signed certificates are uploaded into the tomcat store and the CallManager store respectively.
Use this section to confirm that your configuration works properly.
Press the Voice Mail button on the phone to call voice mail. You should hear the opening greeting if the user's extension is not configured on the Unity Connection system.
Alternatively, you can enable the SIP OPTIONS keepalive to monitor the SIP trunk status. This option is enabled in the SIP profile assigned to the SIP trunk. Once it is enabled, you can monitor the SIP trunk status via Device > Trunk as shown below:
Verify whether the padlock icon is present on calls to Unity Connection. It means the RTP stream is encrypted (the Device Security Profile must be secure in order for this to work), as shown in this image.