Interactions and Restrictions

If a Unified Communications Manager cluster has more than 39 certificates, the ITL file size on the Cisco IP Phone exceeds 64 kilobytes. An ITL file that large does not load properly on the phone, causing phone registration with Unified Communications Manager to fail.

Trust Verification Service

A network contains a large number of phones, and Cisco Unified IP Phones have limited memory. Hence, Unified Communications Manager acts as a remote trust store through TVS, so that a certificate trust store does not have to be placed on each phone. Cisco Unified IP Phones contact the TVS server for verification because they cannot verify a signature or certificate through the CTL or ITL files. Thus, a central trust store is easier to manage than a trust store on every Cisco Unified IP Phone.

TVS enables Cisco Unified IP Phones to authenticate application servers, such as EM services, directory, and MIDlet, during HTTPS establishment.

TVS provides the following features:

• Scalability—Cisco Unified IP Phone resources are not impacted by the number of certificates to trust.
• Flexibility—Addition or removal of trust certificates is automatically reflected in the system.
• Security by Default—Non-media and signaling security features are part of the default installation and don't require user intervention.

Note: When you enable secure signaling and media, create a CTL file and then set the cluster to mixed mode. To create a CTL file and set the cluster to mixed mode, use the CLI command utils ctl set-cluster mixed-mode.

The following are the basic concepts that describe TVS:

• TVS runs on the Unified Communications Manager server and authenticates certificates on behalf of the Cisco IP Phone.
• The Cisco Unified IP Phone only needs to trust TVS, instead of downloading all the trusted certificates.
• The ITL file is generated automatically without user intervention.
• The ITL file is downloaded by the Cisco Unified IP Phone, and trust flows from there.

Authentication, Integrity, and Authorization

Integrity and authentication protect against the following threats:

• TFTP file manipulation (integrity)
• Modification of call-processing signaling between the phone and Unified Communications Manager (authentication)
• Man-in-the-middle attacks (authentication), as defined in the Acronyms section
• Phone and server identity theft (authentication)
• Replay attack (digest authentication)

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 14 An Introduction to Unified CM Security Interactions and Restrictions