Encryption for Phone Configuration File Task Flow

To set up encryption for TFTP configuration files, verify that the phones in your cluster support manual key encryption and public key encryption, verify that the phones support SHA-1 and SHA-512, and complete the following tasks.

Note: If you enable SHA-512 clusterwide, and your phones don't support it, those phones do not work.

Procedure

Step 1
  Command or Action: Enable TFTP Encryption, on page 107
  Purpose: Enable the TFTP Configuration File option for your phones. You can enable this option in the Phone Security Profile.

Step 2
  Command or Action: Configure SHA-512 Signing Algorithm, on page 108
  Purpose: When TFTP file encryption is enabled, SHA-1 is configured by default as the signing algorithm. Use this procedure to update the system to use the stronger SHA-512 algorithm.

Step 3
  Command or Action: Verify LSC or MIC Certificate Installation, on page 108
  Purpose: For phones that use public keys, verify the certificate installation.

Step 4
  Command or Action: Update CTL File, on page 109
  Purpose: After you complete your TFTP config file updates, regenerate the CTL file.

Step 5
  Command or Action: Restart Services, on page 109
  Purpose: Restart the Cisco CallManager and Cisco TFTP services.

Step 6
  Command or Action: Reset Phones, on page 110
  Purpose: After you complete your encrypted TFTP config file updates, reset your phones.

Enable TFTP Encryption

You can enable TFTP encryption within the phone security profile for a given phone model. Perform this procedure to enable TFTP encryption for files downloaded from the TFTP server.

Procedure

Step 1  From Cisco Unified CM Administration, choose System > Security > Phone Security Profile.
Step 2  Click Find and choose a phone security profile.
Step 3  Check the TFTP Encrypted Config check box.
Step 4  Click Save.
Step 5  Repeat these steps for any other phone security profiles that are used in the cluster.

Note

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs, Basic System Security
