TLS Setup
TLS Overview
Transport Layer Security (TLS) provides secure and reliable signaling and data transfer between two systems or devices, by using secure ports and certificate exchange. TLS secures and controls connections among Unified Communications Manager-controlled systems, devices, and processes to prevent access to the voice domain.
TLS Prerequisites
Before you configure the minimum TLS version, make sure that your network devices and applications both support the TLS version. Also, make sure that they are enabled for TLS that you want to configure with Unified Communications Manager and IM and Presence Services. If you have any of the following products deployed, confirm that they meet the minimum TLS requirement. If they do not meet this requirement, upgrade those products:
- Skinny Client Control Protocol (SCCP) Conference Bridge
- Transcoder
- Hardware Media Termination Point (MTP)
- SIP Gateway
- Cisco Prime Collaboration Assurance
- Cisco Prime Collaboration Provisioning
- Cisco Prime Collaboration Deployment
- Cisco Unified Border Element (CUBE)
- Cisco Expressway
- Cisco TelePresence Conductor
You will not be able to upgrade conference bridges, Media Termination Point (MTP), Xcoder, Prime Collaboration Assurance, Prime Collaboration Provisioning, Cisco Unity Connection, Cisco Meeting Server, Cisco IP Phones, Cisco Room Devices, Cloud services like Fusion Onboarding Service (FOS), Common Identity Service, Smart License Manager (SLM), Push REST service, and Cisco Jabber and Webex App clients along with other third-party applications.
Note: If you are upgrading from an earlier release of Unified Communications Manager, make sure that all your devices and applications support the higher version of TLS before you configure it. For example, Unified Communications Manager and IM and Presence Services, Release 9.x supports TLS 1.0 only.
TLS Configuration Task Flow
Complete the following tasks to configure Unified Communications Manager for TLS connections.
Procedure
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | Set Minimum TLS Version, on page 3. | By default, Unified Communications Manager supports a minimum TLS version of 1.0. If your security needs require a higher version of TLS, reconfigure the system to use TLS 1.1 or 1.2. |
| 2 | (Optional) Set TLS Ciphers, on page 3. | Configure the TLS cipher options that Unified Communications Manager supports. |
| 3 | Configure TLS in a SIP Trunk Security Profile, on page 3. | Assign TLS connections to a SIP Trunk. Trunks that use this profile use TLS for signaling. You can also use the secure trunk to add TLS connections to devices, such as conference bridges. |
| 4 | Add Secure Profile to a SIP Trunk, on page 4. | Assign a TLS-enabled SIP trunk security profile to a SIP trunk to allow the trunk to support TLS. You can use the secure trunk to connect resources, such as conference bridges. |
| 5 | Configure TLS in a Phone Security Profile, on page 5. | Assign TLS connections to a phone security profile. Phones that use this profile use TLS for signaling. |
| 6 | Add Secure Phone Profile to a Phone, on page 5. | Assign the TLS-enabled profile that you created to a phone. |
| 7 | Add Secure Phone Profile to a Universal Device Template, on page 6. | Assign a TLS-enabled phone security profile to a universal device template. If you have the LDAP directory synchronization configured with this template, you can provision phones with security through the LDAP sync. |
Set Minimum TLS Version
By default, Unified Communications Manager supports a minimum TLS version of 1.0. Use this procedure to reset the minimum supported TLS version for Unified Communications Manager and the IM and Presence Service to a higher version, such as 1.1 or 1.2.
Make sure that the devices and applications in your network support the TLS version that you want to configure. For details, see TLS Prerequisites, on page 1.
Procedure
- Log in to the Command Line Interface.
- To confirm the existing TLS version, run the
show tls min-versionCLI command. - Run the
set tls min-version <minimum>CLI command where<minimum>represents the TLS version. For example, runset tls min-version 1.2to set the minimum TLS version to 1.2.
Note: Until Release 15SU1, perform Step 3 on all Unified Communications Manager and IM and Presence Service Service cluster nodes.
Set TLS Ciphers
You can disable the weaker cipher, by choosing available strongest ciphers for the SIP interface. Use this procedure to configure the ciphers that Unified Communications Manager supports for establishing TLS connections.
Procedure
- From Cisco Unified CM Administration, choose System > Enterprise Parameters.
- In Security Parameters, configure a value for the TLS Ciphers enterprise parameter. For help on the available options, refer to the enterprise parameter online help.
- Click Save.
Note: All TLS Ciphers will be negotiated based on client cipher preference
Configure TLS in a SIP Trunk Security Profile
Use this procedure to assign TLS connections to a SIP Trunk Security Profile. Trunks that use this profile use TLS for signaling.
Add Secure Profile to a SIP Trunk
Use this procedure to assign a TLS-enabled SIP trunk security profile to a SIP trunk. You can use this trunk to create a secure connection to resources, such as conference bridges.
Procedure
- From Cisco Unified CM Administration, choose System > Security > SIP Trunk Security Profile.
- Perform one of the following steps:
- Click Add New to create a new SIP trunk security profile.
- Click Find to search and select an existing profile.
- In the Name field, enter a name for the profile.
- Configure the Device Security Mode field value to Encrypted or Authenticated.
- Configure both the Incoming Transport Type and Outgoing Transport Type field values to TLS.
- Complete the remaining fields of the SIP Trunk Security Profile window. For help on the fields and their configuration, see the online help.
- Click Save.
Note: This Note is applicable from Release 15SU2 onwards. When the minimum supported TLS version on Unified CM is set to 1.3, the trunks with Authenticated Device Security Mode will fail to connect with the destination.
Configure TLS in a Phone Security Profile
If you are connecting the trunk to a secure device, you must upload a certificate for the secure device to Unified Communications Manager. For certificate details, see the Certificates section.
Use this procedure to assign TLS connections to a Phone Security Profile. Phones that use this profile use TLS for signaling.
Procedure
- From Cisco Unified CM Administration, choose System > Security > Phone Security Profile.
- Perform one of the following steps:
- Click Add New to create a new profile.
- Click Find to search and select an existing profile.
- If you are creating a new profile, select a phone model and protocol, and click Next.
- Note: If you want to use a universal device template and LDAP sync to provision security through the LDAP sync, select Universal Device Template as the Phone Security Profile Type.
- Enter a name for the profile.
- From the Device Security Mode drop-down list, select either Encrypted or Authenticated.
- (For SIP phones only) From the Transport Type, select TLS.
- Complete the remaining fields of the Phone Security Profile Configuration window. For help with the fields and their configuration, see the online help.
- Click Save.
Note: This Note is applicable from Release 15SU2 onwards. If you set the Device Security Mode to Authenticated, the phones switch to a TLS version lower than 1.3 for registration. When the minimum supported TLS version on the Unified CM is set to 1.3, the phones with Authenticated Device Security Mode will not register.
Add Secure Phone Profile to a Phone
Use this procedure to assign the TLS-enabled phone security profile to a phone.
Note: To assign a secure profile to a large number of phones at once, use the Bulk Administration Tool to reassign the security profile for them.
Add Secure Phone Profile to a Universal Device Template
Use this procedure to assign a TLS-enabled phone security profile to a universal device template. If you have LDAP directory sync configured, you can include this universal device template in the LDAP sync through a feature group template and user profile. When the sync occurs, the secure profile is provisioned to the phones.
Procedure
- From Cisco Unified CM Administration, choose Device > Phone.
- Perform one of the following steps:
- Click Add New to create a new phone.
- Click Find to search and select an existing phone.
- Select the phone type and protocol and click Next.
- From the Device Security Profile drop-down list, assign the secure profile that you created to the phone.
- Assign values for the following mandatory fields:
- MAC address
- Device Pool
- SIP Profile
- Owner User ID
- Phone Button Template
- Complete the remaining fields of the Phone Configuration window. For help with the fields and their configuration, see the online help.
- Click Save.
Procedure
- From Cisco Unified CM Administration, choose User Management > User/Phone Add > Universal Device Template.
- Perform one of the following steps:
- Click Add New to create a new template.
- Click Find to search and select an existing template.
- For the Name field, enter a name for the template.
- From the Device Pool drop-down list, select a device pool.
- From the Device Security Profile drop-down list, select the TLS-enabled security profile that you created.
- Note: The Phone Security Profile must have been created with Universal Device Template as the device type.
- Select a SIP Profile.
- Select a Phone Button Template.
TLS Interactions and Restrictions
This chapter provides information about the TLS Interactions and Restrictions.
TLS Interactions
Table 1: TLS Interactions
| Feature | Interaction |
|---|---|
| Common Criteria mode | You can enable Common Criteria mode along with configuration of minimum TLS version. If you do so, the applications continue to comply with Common Criteria requirements and disable TLS 1.0 secure connections at application level. When the common criteria mode is enabled, you can configure the minimum TLS version as either 1.1 or 1.2 for the applications. For details on Common Criteria mode, see the 'Compliance to Common Criteria' topic of the Command Line Interface Reference Guide for Cisco Unified Communications Solutions. |
TLS Restrictions
The following table highlights issues that you may run into when implementing Transport Layer Security (TLS) version 1.2 on legacy phones, such as 79xx, 69xx, 89xx, 99xx, 39xx, and IP Communicator. To verify whether your phone supports secure mode in this release, see the Phone Feature List Report in Cisco Unified Reporting. The feature restrictions on legacy phones and the workaround to implement the feature is listed in the following table:
Note: The workarounds are designed to get the impacted feature functioning in your system. However, they do not guarantee TLS 1.2 compliance for that feature.
Table 2: Transport Layer Security Version 1.2 Restrictions
| Feature | Restriction |
|---|---|
| Legacy phones in Encrypted Mode | Legacy phones in Encrypted Mode do not work. There is no workaround. |
| Legacy phones in Authenticated Mode | Legacy phones in Authenticated Mode do not work. There is no workaround. |
TLS Restrictions
| Feature | Restriction |
|---|---|
| IP Phone services using secure URLs based on HTTPS. | IP Phone services using secure URLs based on HTTPS do not work. Workaround to use IP Phone services: Use HTTP for all underlying service options. For example, corporate directory and personal directory. However, HTTP is not recommended as HTTP is not as secure if you need to enter sensitive data for features, such as Extension Mobility. The drawbacks of using HTTP include:
|
| Extension Mobility Cross Cluster (EMCC) on legacy phones | EMCC is not supported with TLS 1.2 on legacy phones. Workaround: Complete the following tasks to enable EMCC:
|
| Locally Significant Certificates (LSC) on legacy phones | LSC is not supported with TLS 1.2 on legacy phones. As a result, 802.1x and phone VPN authentication based on LSC are not available. Workaround for 802.1x: Authentication based on MIC or password with EAP-MD5 on older phones. However, those are not recommended. Workaround for VPN: Use phone VPN authentication based on end-user username and password. |
| Encrypted Trivial File Transfer Protocol (TFTP) configuration files | Encrypted Trivial File Transfer Protocol (TFTP) configuration files are not supported with TLS 1.2 on legacy phones even with Manufacturer Installed Certificate (MIC). There is no workaround. |
| CallManager certificate renewal causes legacy phones to lose trust | Legacy phones lose trust when the CallManager certificate is renewed. For example, a phone cannot get new configurations after renewing the certificate. This is applicable only in Unified Communications Manager 11.5.1 Workaround: To prevent legacy phones from losing trust, complete the following steps:
|
Table 3: Cisco Unified Communications Manager Ports Applicable for Transport Layer Security Version 1.2
| Application | Protocol | Destination / Listener | Cisco Unified Communications Manager Operating in Normal mode | Cisco Unified Communications Manager Operating in Common Criteria Mode | ||||
|---|---|---|---|---|---|---|---|---|
| Minimum TLS version 1.0 | Minimum TLS version 1.1 | Minimum TLS version 1.2 | Minimum TLS version 1.0 | Minimum TLS version 1.1 | Minimum TLS version 1.2 | |||
| Tomcat | HTTPS | 443 | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1, TLS v1.2 | TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.2 |
| SCCP - Signalling SEC - SIG Connection Control Part (SCCP) | 2443 | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1, TLS 1.2 | TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.2 | |
| CTL-SERV | Proprietary | 2444 | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1, TLS 1.2 | TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.2 |
| Computer Quick Telephony Integration Encoding (CTI) (QBE) | 2749 | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1, TLS 1.2 | TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.2 | |
| CAPF-SERV | Transmission Control Protocol (TCP) | 3804 | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1, TLS 1.2 | TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.2 |
| Intercluster Lookup Service (ILS) | Not applicable | 7501 | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1, TLS 1.2 | TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.2 |
| Administrative XML Access Protocol (SOAP) | Simple Object Access Protocol (SOAP) | 8443 | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1, TLS 1.2 | TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.2 |
| High Available-Proxy (HA-Proxy) | TCP | 9443 | TLS 1.2 | TLS 1.2 | TLS 1.2 | TLS 1.1 | TLS 1.2 | TLS 1.2 |
| SIP-SIG Protocol (SIP) | Session Initiation Protocol (SIP) | 5061 (configurable) | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1, TLS 1.2 | TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.2 |
| HA Proxy | TCP | 6971, 6972 | TLS 1.2 | TLS 1.2 | TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.2 |
| Cisco Tomcat | HTTPS | 8080, 8443 | 8443: TLS 1.0, TLS 1.1, TLS 1.2 | 8443: TLS 1.1, TLS 1.2 | 8443: TLS 1.2 | 8443: TLS 1.1 | 8443: TLS 1.1, TLS 1.2 | 8443: TLS 1.2 |
Table 4: Instant Messaging & Presence Ports Applicable for Transport Layer Security Version 1.2
| Destination/Listener | Instant Messaging & Presence Operating in Normal mode | Instant Messaging & Presence Operating in Common Criteria mode | ||||
|---|---|---|---|---|---|---|
| Minimum TLS version 1.0 | Minimum TLS version 1.1 | Minimum TLS version 1.2 | Minimum TLS version 1.0 | Minimum TLS version 1.1 | Minimum TLS version 1.2 | |
| 443 | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.1, TLS 1.2 | TLS 1.2 | TLS 1.2 |
| 5061 | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.1, TLS 1.2 | TLS 1.2 | TLS 1.2 |
| 5062 | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.1, TLS 1.2 | TLS 1.2 | TLS 1.2 |
| 5280 | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.1, TLS 1.2 | TLS 1.2 | TLS 1.2 |
| 8083 | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.1, TLS 1.2 | TLS 1.2 | TLS 1.2 |
| 8443 | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.1 | TLS 1.1, TLS 1.2 | TLS 1.1, TLS 1.2 | TLS 1.2 | TLS 1.2 |
