• Communicate securely with CAPF, a prerequisite to support the configuration file encryption.
• Authenticate the configuration file signature.
• Authenticate application servers, such as EM services, directory, and MIDlet, during HTTPS establishment using TVS.

If the Cisco IP Phone does not have an existing CTL file, it trusts the first ITL file automatically. The TVS must be able to return the certificate corresponding to the signer. If the Cisco IP Phone has an existing CTL file, it uses the CTL file to authenticate the ITL file signature.

The SHA-1 or MD5 algorithm value changes only when there is a change in the Initial Trust List (ITL) file value. You can use the checksum value of the ITL files to identify the difference between the ITL file of the Cisco IP Phone and that of the Unified Communications Manager cluster. The checksum value of the ITL file changes only when you modify the ITL file.

Note: The Initial Trust List (ITL) file has the same format as the CTL file. However, it is a smaller and leaner version.

The following attributes apply to the ITL file:

• The system builds the ITL file automatically when the TFTP service is activated and you install the cluster. The ITL file is updated automatically if the content is modified.
• The ITL file does not require eTokens. It uses a soft eToken (the private key associated with the TFTP server's CallManager certificate).
• The Cisco Unified IP Phone downloads the ITL file during a reset, restart, or after downloading the CTL file.

The ITL file contains the following certificates:

• ITLRecovery Certificate—This certificate signs the ITL File.
• The CallManager certificate of the TFTP server—This certificate allows you to authenticate the ITL file signature and the phone configuration file signature.
• All the TVS certificates available on the cluster—These certificates allow the phone to communicate with TVS securely and to request certificate authentication.
• The CAPF certificate—This certificate supports configuration file encryption. The CAPF certificate isn't required in the ITL File (TVS can authenticate it); however, it simplifies the connection to CAPF.

The ITL file contains a record for each certificate. Each record contains:

• A certificate
• Pre-extracted certificate fields for easy lookup by the Cisco IP Phone
• Certificate role (TFTP, CUCM, TFTP+CCM, CAPF, TVS, SAST)

The TFTP server's CallManager certificate is present in two ITL records with two different roles:

• TFTP or the TFTP and CCM role—To authenticate the configuration file signature.
• SAST role—To authenticate the ITL file signature.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs. An Introduction to Unified CM Security: Initial Trust List
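The checksum comparison described above can be automated across many phones. The following Python sketch is an added example, not Cisco tooling or code from this guide. It assumes that the checksum is computed over the complete ITL file and that phone-reported checksum values have been collected into a mapping; the function names, device names, and sample bytes are all constructed for illustration.

```python
import hashlib
import hmac
import string

def itl_checksums(itl_bytes):
    """Return the cluster ITL file's digests, keyed by hex-digest length."""
    # usedforsecurity=False: these digests detect change; they are not the signature check.
    md5 = hashlib.md5(itl_bytes, usedforsecurity=False).hexdigest()
    sha1 = hashlib.sha1(itl_bytes, usedforsecurity=False).hexdigest()
    return {len(md5): md5, len(sha1): sha1}

def normalize(reported):
    """Drop separators and case differences from a transcribed checksum."""
    return "".join(ch for ch in reported if ch not in " :-\t").lower()

def audit(itl_bytes, phone_reports):
    """Group phones by whether their reported ITL checksum matches the cluster's."""
    expected = itl_checksums(itl_bytes)
    result = {"match": [], "mismatch": [], "unparseable": []}
    for phone, reported in sorted(phone_reports.items()):
        digest = normalize(reported)
        want = expected.get(len(digest))  # 32 hex chars = MD5, 40 = SHA-1
        if want is None or any(ch not in string.hexdigits for ch in digest):
            result["unparseable"].append(phone)
        elif hmac.compare_digest(digest, want):
            result["match"].append(phone)
        else:
            # The phone holds a different ITL file than the cluster currently serves.
            result["mismatch"].append(phone)
    return result

# Constructed sample data: stand-in bytes, not real ITL files; device names are made up.
CLUSTER_ITL = b"constructed ITL contents after a certificate was regenerated"
STALE_ITL = b"constructed ITL contents before the change"
_md5 = hashlib.md5(CLUSTER_ITL, usedforsecurity=False).hexdigest().upper()
PHONE_REPORTS = {
    "SEP000000000001": ":".join(_md5[i:i + 2] for i in range(0, 32, 2)),
    "SEP000000000002": hashlib.sha1(STALE_ITL, usedforsecurity=False).hexdigest(),
    "SEP000000000003": "not available",
}

if __name__ == "__main__":
    for status, phones in audit(CLUSTER_ITL, PHONE_REPORTS).items():
        print(f"{status}: {', '.join(phones) or '-'}")
```

Because the checksum changes only when the ITL file is modified, a phone in the mismatch group is still holding an ITL file that differs from the cluster's current one.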