Architecture for Voice, Video and Integrated Data

Cisco Unified Communications

Configuring encrypted calls on CallManager Express

Posted by gvillarinho on 25/09/2010


This article shows how to configure "Secure Calls" on CallManager Express, with the router itself acting as the CA (Certification Authority).

For your calls to be encrypted, that is, to show the padlock icon next to the call, you need to create a CA and a set of further certificates so that phone registration and signaling are authenticated (TLS) and the media path is encrypted (SRTP).

Step 1: IOS with crypto support

Use an IOS image with crypto support. In my lab I used a 2821 router with IOS c2800nm-adventerprisek9-mz.124-24.T3 and it worked perfectly.

Step 2: Prerequisites for this feature

Router clock: it is strongly recommended to synchronize the router with an external NTP server (ntp server <NTP-IP>) so it never loses its time reference. Every certificate created below carries a validity period; if the clock drifts or resets after a reload, the router will treat its own certificates as expired or not yet valid and the phones will fail to register securely.

HTTP server: enable the ip http server command. The trustpoints created in the next steps enroll with the CA over HTTP against the router's own address:

configure terminal
ip http server
exit

Phone type: the phone model must be set with the type command inside ephone <tag>. For example, when configuring a 7960:

configure terminal
ephone X
type 7960
exit

Step 3: Configuring the router as a CA server

Add the commands below to create a CA server on the router. grant auto makes the CA sign every enrollment request it receives, which is what lets the trustpoints in the next step enroll without manual approval; it also means any host that can reach the router's HTTP port can obtain a certificate from this CA, so in production restrict that access or turn automatic granting off once the CME and CAPF trustpoints are enrolled. The passphrase requested at no shut protects the copy of the CA signing key that the server writes to its database on flash; keep it somewhere safe.

configure terminal
crypto pki server CA-SERVER
database level complete
database url flash
grant auto
exit
crypto pki trustpoint CA-SERVER
enrollment url http://<CME-IP>:80
exit
crypto pki server CA-SERVER
no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: TYPE A PASSWORD HERE

Re-enter password: REPEAT THE PASSWORD

The example at the end of this post shows the server generating a 1024-bit RSA key, the default on this IOS release. That key size is weak by current standards; generate a larger key pair under the server's own label (crypto key generate rsa label CA-SERVER modulus 2048) before issuing no shut and the server will use it instead.

Step 4: Creating certificates for the CallManager Express functions

We now create two more trustpoints, each enrolled with the CA for its own certificate: cme-servicos, which will be used for secure signaling, for signing the configuration files served over TFTP and for CAPF, and sast-bkp, which is used only as the second SAST signer of the CTL file. revocation-check none tells the router not to look up a CRL when validating certificates under the trustpoint; without it, validation can fail whenever the CRL is not reachable.

configure terminal
crypto pki trustpoint cme-servicos
enrollment url http://<CME-IP>:80
revocation-check none
rsakeypair cme-servicos
exit

Before answering yes at the prompt below, compare the MD5 and SHA1 fingerprints the router prints with the CA cert fingerprint shown by show crypto pki server. Accepting without checking is a trust-on-first-use decision, and a mismatch means the enrollment URL is not reaching your own CA.

crypto pki authenticate cme-servicos
% Do you accept this certificate? [yes/no]: TYPE YES
crypto pki enroll cme-servicos
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.
Password: TYPE A PASSWORD HERE
% The subject name in the certificate will include: AVVID
% Include the router serial number in the subject name? [yes/no]: TYPE NO
% Include an IP address in the subject name? [no]: TYPE NO
Request certificate from CA? [yes/no]: TYPE YES

Repeat the same procedure for the sast-bkp trustpoint below:

crypto pki trustpoint sast-bkp
enrollment url http://<CME-IP>:80
revocation-check none
rsakeypair sast-bkp
exit

crypto pki authenticate sast-bkp
crypto pki enroll sast-bkp
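The fingerprint check described above can be scripted against the router's own show output. The following is an added example in Python, not code from the original post: it parses the fingerprint printed by crypto pki authenticate and compares it with the CA cert fingerprint from show crypto pki server, and it walks show crypto pki trustpoints status to confirm that every trustpoint was issued by that same CA. The sample outputs are copied (trimmed) from the lab session at the end of this post; the tampered prompt is constructed to show the check failing.

```python
"""Added example (not from the original post): verify the CA fingerprint
offered at 'crypto pki authenticate' and the issuing CA of every trustpoint."""
import re

# From the post: 'show crypto pki server' on the CME router (trimmed).
SHOW_PKI_SERVER = """\
Certificate Server IOS-CA:
Status: enabled
Issuer name: CN=IOS-CA
CA cert fingerprint: DC4715DE 8840428C DD20F34A 5A16B7B1
Granting mode is: auto
"""

# From the post: what 'crypto pki authenticate primary-cme' printed before its yes/no prompt.
AUTHENTICATE_PROMPT = """\
Certificate has the following attributes:
Fingerprint MD5: DC4715DE 8840428C DD20F34A 5A16B7B1
Fingerprint SHA1: 951F3FAA 9A47F791 4374C2CE F941FE3C 7CFE0B77
% Do you accept this certificate? [yes/no]:
"""

# Constructed: the same prompt with one hex digit changed, as a rogue CA would produce.
TAMPERED_PROMPT = AUTHENTICATE_PROMPT.replace("5A16B7B1", "5A16B7B2")

# From the post: 'show crypto pki trustpoints status' (trimmed to the MD5 lines).
TRUSTPOINT_STATUS = """\
Trustpoint IOS-CA:
Issuing CA certificate configured:
Fingerprint MD5: DC4715DE 8840428C DD20F34A 5A16B7B1
Trustpoint primary-cme:
Issuing CA certificate configured:
Fingerprint MD5: DC4715DE 8840428C DD20F34A 5A16B7B1
Router General Purpose certificate configured:
Fingerprint MD5: F995FD8E 800C7EA5 C6412E1C E5A1C7E0
Trustpoint sast-secondary:
Issuing CA certificate configured:
Fingerprint MD5: DC4715DE 8840428C DD20F34A 5A16B7B1
Router General Purpose certificate configured:
Fingerprint MD5: A9E8350E 221E8F91 710BAC78 CD92E80F
"""

# One or more space-separated groups of 8 hex digits, as IOS prints fingerprints.
HEX_GROUPS = r"((?:[0-9A-Fa-f]{8}[ \t]*)+)"


def _norm(fp):
    """Drop the spacing IOS inserts so fingerprints compare as plain upper-case hex."""
    return re.sub(r"\s+", "", fp).upper()


def server_fingerprint(show_output):
    """MD5 fingerprint of the CA certificate from 'show crypto pki server'."""
    m = re.search(r"CA cert fingerprint:[ \t]*" + HEX_GROUPS, show_output)
    if not m:
        raise ValueError("no 'CA cert fingerprint' line in show output")
    return _norm(m.group(1))


def prompt_fingerprint(prompt_text, algo="MD5"):
    """Fingerprint printed by 'crypto pki authenticate' (MD5 by default, SHA1 on request)."""
    m = re.search(rf"Fingerprint {algo}:[ \t]*" + HEX_GROUPS, prompt_text)
    if not m:
        raise ValueError(f"no {algo} fingerprint in authenticate prompt")
    return _norm(m.group(1))


def should_accept(prompt_text, show_output):
    """Answer 'yes' only when the offered CA certificate is the router's own CA."""
    return prompt_fingerprint(prompt_text) == server_fingerprint(show_output)


def trustpoint_ca_fingerprints(status_output):
    """Map each trustpoint to the MD5 fingerprint of its issuing CA.
    The first MD5 line after 'Trustpoint X:' belongs to the issuing CA; any later
    MD5 line under the same trustpoint is the router's own certificate."""
    result, current = {}, None
    for line in status_output.splitlines():
        m = re.match(r"Trustpoint ([^:\s]+):", line.strip())
        if m:
            current = m.group(1)
            continue
        m = re.match(r"Fingerprint MD5:[ \t]*" + HEX_GROUPS, line.strip())
        if m and current and current not in result:
            result[current] = _norm(m.group(1))
    return result


def trustpoints_not_chained_to_ca(status_output, show_output):
    """Names of trustpoints whose issuing CA is not the local CA server."""
    ca = server_fingerprint(show_output)
    return [tp for tp, fp in trustpoint_ca_fingerprints(status_output).items() if fp != ca]


if __name__ == "__main__":
    print("accept genuine prompt:", should_accept(AUTHENTICATE_PROMPT, SHOW_PKI_SERVER))
    print("accept tampered prompt:", should_accept(TAMPERED_PROMPT, SHOW_PKI_SERVER))
    print("not chained to IOS-CA:", trustpoints_not_chained_to_ca(TRUSTPOINT_STATUS, SHOW_PKI_SERVER))
```

Paste the real show output into the two constants (or read it from files) and run the script before typing yes; where the IOS image prints a SHA1 line in show crypto pki server as well, pass algo="SHA1" to prompt_fingerprint and compare that too, since MD5 alone is a weak identifier.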

Step 5: telephony-service settings

Now configure telephony-service. secure-signaling trustpoint selects the certificate the router presents on the TLS signaling connection with the phones, tftp-server-credentials trustpoint selects the certificate used to sign the configuration files served to the phones, cnf-file perphone gives each phone its own signed configuration file, and no auto-reg-ephone stops unknown phones from registering automatically:

configure terminal
telephony-service
secure-signaling trustpoint cme-servicos
tftp-server-credentials trustpoint cme-servicos
cnf-file perphone
no auto-reg-ephone
exit

Step 6: Configuring the CTL client

The CTL client generates CTLFile.tlv, the Certificate Trust List that the phones download over TFTP. It carries the certificates of the servers the phones must trust: the two SAST signers that sign the CTL itself (sast1 is the primary, sast2 the backup), the TFTP server whose signature the phones check on their configuration files, and the CAPF server. regenerate rebuilds the file and must be run again after any change to these entries:

configure terminal
ctl-client
sast1 trustpoint cme-servicos
sast2 trustpoint sast-bkp
server cme-tftp <CME-IP> trustpoint cme-servicos
server capf <CME-IP> trustpoint cme-servicos
regenerate
exit

Step 7: Configuring the CAPF server

The CAPF (Certificate Authority Proxy Function) server is what installs the LSC (Locally Significant Certificate) on the phones: the phone generates its key pair and CAPF requests the matching certificate from the CA on the phone's behalf. cert-enroll-trustpoint names the CA used for that enrollment together with its challenge password; password 0 stores that password in cleartext in the running configuration, so use a real password instead of the lab value and protect read access to the configuration. auth-mode auth-str requires a one-time authentication string from each phone before CAPF will issue it an LSC, auth-string generate all creates such a string for every ephone already configured, and cert-oper upgrade all schedules LSC installation for all of them:

configure terminal
capf-server
trustpoint-label cme-servicos
cert-enroll-trustpoint CA-SERVER password 0 cisco123
source-addr <CME-IP>
port 3804
auth-mode auth-str
auth-string generate all
cert-oper upgrade all
exit

Step 8: Manually configuring the phones

Now that the certificates and keys are in place, enter telephony-service and recreate the CNF files:

configure terminal
telephony-service
create cnf-files
exit

Then go to a phone physically and open menu > Security Settings > LSC. Unlock the phone by pressing **# (note that the padlock in the upper right corner unlocks) and press Update; a field appears asking for a password. This is the authentication string generated for every phone that already existed in CallManager Express by the auth-string generate all command under capf-server. To find the string for a given phone, run show running-config and look at the corresponding ephone, where you will find a capf-auth-str XXXX line; XXXX is what must be typed into the LSC screen on the physical phone. Keep in mind that anyone who can read the running configuration can read these strings until the LSC has been installed.

Once that is done, wait a few minutes for the key to be generated.

Note: this can take several minutes, and if it is done on many phones at the same time it can drive the router's CPU up and degrade the quality of calls in progress.

Carry out this procedure on every phone that will use encryption.

Step 9: Encrypting the phone

Once the phone shows the success message, go back to CallManager Express, enter the corresponding ephone, add the command device-security-mode encrypted and reset the phone:

ephone X
device-security-mode encrypted
reset
exit

If the phone shows registration rejected, run create cnf-files again with the commands below:

configure terminal
telephony-service
create cnf-files
exit
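Because step 9 is repeated by hand for every phone, it is easy to leave one ephone behind, and steps 7 and 8 leave secrets in the running configuration. The following is an added example in Python, not code from the original post, that audits a running-config excerpt: it reports every ephone whose device-security-mode is not encrypted, any ephone still carrying a capf-auth-str, the cleartext password 0 on capf-server and grant auto on the CA server. The ephone 40 block is the one shown in this post; the other blocks are constructed for the example and written with the one-space indentation IOS uses in show running-config. It assumes that an ephone with no device-security-mode line behaves as none, the CME default.

```python
"""Added example (not from the original post): audit a CME running-config for
phones not yet set to device-security-mode encrypted and for leftover secrets."""
import re

# Constructed running-config excerpt; ephone 40 is copied from the post.
RUNNING_CONFIG = """\
crypto pki server IOS-CA
 database level complete
 database url flash
 grant auto
!
capf-server
 trustpoint-label primary-cme
 cert-enroll-trustpoint IOS-CA password 0 cisco123
 source-addr 10.10.10.1
 port 3804
 auth-mode auth-str
!
ephone 40
 device-security-mode none
 capf-auth-str 2697
 cert-oper upgrade auth-mode auth-string
 mac-address 0025.4593.0ACD
 type 7975
 keep-conference
 button 1:40
!
ephone 41
 device-security-mode encrypted
 mac-address 0011.2233.4455
 type 7960
 button 1:41
!
ephone 42
 mac-address 0011.2233.4466
 type 7961
 button 1:42
!
"""


def parse_blocks(config):
    """Split an IOS running-config into (header, [sub-commands]) pairs.
    IOS indents sub-commands by one space and separates blocks with '!'."""
    blocks, header, body = [], None, []
    for line in config.splitlines():
        if line.startswith(" "):
            if header is not None:
                body.append(line.strip())
            continue
        if header is not None:
            blocks.append((header, body))
        header = None if line.strip() in ("", "!") else line.strip()
        body = []
    if header is not None:
        blocks.append((header, body))
    return blocks


def _ephone_mode(body):
    """device-security-mode of one ephone block.
    Assumption: a missing line means 'none', the CME default."""
    for cmd in body:
        m = re.fullmatch(r"device-security-mode (\S+)", cmd)
        if m:
            return m.group(1)
    return "none"


def ephone_security_modes(config):
    """{ephone tag: device-security-mode} for every ephone in the config."""
    return {int(h.split()[1]): _ephone_mode(b)
            for h, b in parse_blocks(config) if re.fullmatch(r"ephone \d+", h)}


def audit(config):
    """(block header, finding) pairs, in configuration order."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("crypto pki server") and "grant auto" in body:
            findings.append((header, "grant auto: every enrollment request is signed without review"))
        elif header == "capf-server" and any(re.search(r"\bpassword 0\b", c) for c in body):
            findings.append((header, "cleartext CAPF enrollment password (password 0)"))
        elif re.fullmatch(r"ephone \d+", header):
            mode = _ephone_mode(body)
            if mode != "encrypted":
                findings.append((header, f"device-security-mode {mode}"))
            if any(c.startswith("capf-auth-str ") for c in body):
                findings.append((header, "one-time CAPF auth string still stored in cleartext"))
    return findings


if __name__ == "__main__":
    for where, what in audit(RUNNING_CONFIG):
        print(f"{where}: {what}")
```

Feed it the output of show running-config (for example via a file) after finishing step 9 for the last phone; an empty ephone list from audit is the state you want before declaring the deployment done, and the capf-server and CA findings are the lab shortcuts to revisit before production.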

A full configuration example from the lab follows:

CME-LAB(config)#ip http server
CME-LAB(config)#crypto pki server IOS-CA
CME-LAB(cs-server)#database level complete
CME-LAB(cs-server)#database url flash
% Server database url was changed. You need to move the
% existing database to the new location.
CME-LAB(cs-server)#grant auto
CME-LAB(cs-server)#exit
CME-LAB(config)#crypto pki trustpoint IOS-CA
CME-LAB(ca-trustpoint)#enrollment url http://10.10.10.1:80
CME-LAB(ca-trustpoint)#exit
CME-LAB(config)#crypto pki server IOS-CA
CME-LAB(cs-server)# no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:

Re-enter password:

% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
% Exporting Certificate Server signing certificate and keys…
% Certificate Server enabled.
CME-LAB(cs-server)#end
CME-LAB#show crypto pki server
Certificate Server IOS-CA:
Status: enabled
State: enabled
Server’s configuration is locked (enter "shut" to unlock it)
Issuer name: CN=IOS-CA

CA cert fingerprint: DC4715DE 8840428C DD20F34A 5A16B7B1
Granting mode is: auto
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 11:42:47 BRT Sep 16 2013
CRL NextUpdate timer: 17:42:48 BRT Sep 17 2010
Current primary storage dir: flash
Database Level: Complete – all issued certs written as <serialnum>.cer
CME-LAB#conf ter
CME-LAB(config)#crypto pki trustpoint primary-cme
CME-LAB(ca-trustpoint)#enrollment url http://10.10.10.1:80
CME-LAB(ca-trustpoint)#revocation-check none
CME-LAB(ca-trustpoint)#rsakeypair primary-cme
CME-LAB(ca-trustpoint)#exit
CME-LAB(config)#crypto pki authenticate primary-cme

Certificate has the following attributes:

Fingerprint MD5: DC4715DE 8840428C DD20F34A 5A16B7B1
Fingerprint SHA1: 951F3FAA 9A47F791 4374C2CE F941FE3C 7CFE0B77

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

CME-LAB(config)#crypto pki enroll primary-cme
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:

Re-enter password:

% The subject name in the certificate will include: CME-LAB
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The ‘show crypto pki certificate verbose primary-cme’ command will show the fingerprint.

CME-LAB(config)#crypto pki trustpoint sast-secondary
CME-LAB(ca-trustpoint)#enrollment url http://10.10.10.1:80
CME-LAB(ca-trustpoint)#revocation-check none
CME-LAB(ca-trustpoint)#rsakeypair sast-secondary
CME-LAB(ca-trustpoint)#exit
CME-LAB(config)#crypto pki authenticate sast-secondary
Certificate has the following attributes:
Fingerprint MD5: DC4715DE 8840428C DD20F34A 5A16B7B1
Fingerprint SHA1: 951F3FAA 9A47F791 4374C2CE F941FE3C 7CFE0B77
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
CME-LAB(config)#crypto pki enroll sast-secondary
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:

Re-enter password:

% The subject name in the certificate will include: CME-LAB
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority
% The ‘show crypto pki certificate verbose sast-secondary’ command will show the fingerprint.

CME-LAB(config)#end
CME-LAB#sh crypto pki trustpoints status
Trustpoint IOS-CA:
Issuing CA certificate configured:
Subject Name:
cn=IOS-CA
Fingerprint MD5: DC4715DE 8840428C DD20F34A 5A16B7B1
Fingerprint SHA1: 951F3FAA 9A47F791 4374C2CE F941FE3C 7CFE0B77
State:
Keys generated …………. Yes (General Purpose, non-exportable)
Issuing CA authenticated ……. Yes
Certificate request(s) ….. None
Trustpoint primary-cme:
Issuing CA certificate configured:
Subject Name:
cn=IOS-CA
Fingerprint MD5: DC4715DE 8840428C DD20F34A 5A16B7B1
Fingerprint SHA1: 951F3FAA 9A47F791 4374C2CE F941FE3C 7CFE0B77
Router General Purpose certificate configured:
Subject Name:
hostname=CME-LAB
Fingerprint MD5: F995FD8E 800C7EA5 C6412E1C E5A1C7E0
Fingerprint SHA1: 218355F4 59D63EE3 08FA22C1 C8BFD7DD D0A65655
Last enrollment status: Granted
State:
Keys generated …………. Yes (General Purpose, non-exportable)
Issuing CA authenticated ……. Yes
Certificate request(s) ….. Yes
Trustpoint sast-secondary:
Issuing CA certificate configured:
Subject Name:
cn=IOS-CA
Fingerprint MD5: DC4715DE 8840428C DD20F34A 5A16B7B1
Fingerprint SHA1: 951F3FAA 9A47F791 4374C2CE F941FE3C 7CFE0B77
Router General Purpose certificate configured:
Subject Name:
hostname=CME-LAB
Fingerprint MD5: A9E8350E 221E8F91 710BAC78 CD92E80F
Fingerprint SHA1: EAB2232F F00EC55A 3EBFC1C3 B8CB85BC D075FB8E
Last enrollment status: Granted
State:
Keys generated …………. Yes (General Purpose, non-exportable)
Issuing CA authenticated ……. Yes
Certificate request(s) ….. Yes

CME-LAB#conf ter
CME-LAB(config)#telephony-service
CME-LAB(config-telephony)# secure-signaling trustpoint primary-cme
CME-LAB(config-telephony)# tftp-server-credentials trustpoint primary-cme
CME-LAB(config-telephony)# cnf-file perphone
Updating CNF files
CNF files updating complete
CME-LAB(config-telephony)# no auto-reg-ephone
CME-LAB(config-telephony)#create cnf-files
Creating CNF files
CME-LAB(config-telephony)#exit
CME-LAB(config)#ctl-client
CME-LAB(config-ctl-client)# sast1 trustpoint primary-cme
CME-LAB(config-ctl-client)# sast2 trustpoint sast-secondary
CME-LAB(config-ctl-client)# server cme-tftp 10.10.10.1 trustpoint primary-cme
CME-LAB(config-ctl-client)# server capf 10.10.10.1 trustpoint primary-cme
CME-LAB(config-ctl-client)# regenerate
CME-LAB(config-ctl-client)#end
CME-LAB#dir flash:CTLFile.tlv
Directory of flash:/CTLFile.tlv
115 -rw- 2564 Sep 17 2010 11:48:04 -03:00 CTLFile.tlv
127918080 bytes total (45375488 bytes free)
CME-LAB#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
CME-LAB(config)#capf-server
CME-LAB(config-capf-server)# trustpoint-label primary-cme
CME-LAB(config-capf-server)# cert-enroll-trustpoint IOS-CA password 0 cisco123
CME-LAB(config-capf-server)# source-addr 10.10.10.1
CME-LAB(config-capf-server)# port 3804
CME-LAB(config-capf-server)# auth-mode auth-str
CME-LAB(config-capf-server)# auth-string generate all
CME-LAB(config-capf-server)# cert-oper upgrade all
CME-LAB(config-capf-server)#exit
CME-LAB#show run | b ephone 40
ephone 40
device-security-mode none
capf-auth-str 2697
cert-oper upgrade auth-mode auth-string
mac-address 0025.4593.0ACD
type 7975
keep-conference
button 1:40
CME-LAB#conf ter
CME-LAB(config)#ephone 40
CME-LAB(config-ephone)#device-security-mode encrypted
CME-LAB(config-ephone)#reset
CME-LAB(config-ephone)#exit
CME-LAB(config)#telephony-service
CME-LAB(config-telephony)#create cnf-files
