CHAPTER 4

Default Security

• Default Security Overview, on page 11
• Encryption, on page 20
• Default Security Administration Tasks, on page 29

Default Security Overview

The Default Security feature provides a basic level of security for supported Cisco Unified IP Phones without requiring any additional configuration. It provides the following default security for supported IP Phones:

• Default authentication of TFTP
• Optional encryption
• Certificate verification

Default Security uses the following components to provide basic security in non-secure environments:

• Identity Trust List (ITL)—This file is created only after the TFTP service is activated at cluster installation and is used by Cisco Unified IP Phones to establish trust.
• Trust Verification Service (TVS)—This service runs on all Unified Communications Manager nodes and authenticates certificates for Cisco Unified IP Phones. The TVS certificate, along with a few other key certificates, is bundled in the ITL file.

Initial Trust List

The Initial Trust List (ITL) file provides the initial security so that endpoints can trust Unified Communications Manager. ITL does not require any security feature to be enabled explicitly. The ITL file is created automatically when the TFTP service is activated and the cluster is installed. The ITL file is signed with the private key of the Unified Communications Manager TFTP server. When the Unified Communications Manager cluster or server is in non-secure mode, the ITL file is downloaded to every supported Cisco Unified IP Phone. You can view the contents of an ITL file with the CLI command admin:show itl.

Cisco Unified IP Phones need the ITL file to perform the following tasks:

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 11
