/mcpPurpose Command or Action Configure SIP OAuth Mode to add security for Cisco Jabber clients and other devices. SIP OAuth Mode Step 2 Mixed Mode The mixed mode or secure mode supports secure and non-secure endpoints. When you install Unified Communications Manager fresh on a cluster or server, by default it's in non-secure mode. However, you can convert the security mode from non-secure to secure or mixed mode. To change a cluster from a non-secure mode to a mixed mode (secure mode), perform the following: • Enable Certificate Authority Proxy Function (CAPF) service on the publisher. • Enable Certificate Trust List (CTL) service on the publisher. When a Call Manager certificate is self-signed, the CTL file contains a server certificate, public key, serial number, signature, issuer name, subject name, server function, DNS name, and IP address for each server. In the case of a Multi-SAN Call Manager certificate, the CTL file contains the Publisher's Call Manager certificate. The next time that the phone initializes, it downloads the CTL file from the TFTP server. If the CTL file contains a TFTP server entry that has a self-signed certificate, the phone requests a signed configuration file in.sgn format. If no TFTP server contains a certificate, the phone requests an unsigned file. You can update the CTL file running the following commands: • utils ctl set-cluster mixed-mode Updates the CTL file and sets the cluster to mixed mode. • utils ctl set-cluster non-secure-mode Updates the CTL file and sets the cluster to non-secure mode. • utils ctl update CTLFile Updates the CTL file on each node in the cluster. For endpoint security, Transport Layer Security (TLS) is used for signaling and Secure RTP (SRTP) is used for media. Note To enable mixed mode, log in to the Command Line Interface on the publisher node and Run the CLI command utils ctl set-cluster mixed-mode. Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 90 Basic System Security Mixed Mode