PDF(277.1 KB) View with Adobe Reader on a variety of devices
ePub(259.8 KB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle)(315.3 KB) View on Kindle device or Kindle app on multiple devices
Updated:July 23, 2021
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes the use of encrypted configuration phone files on the Cisco Unified Communications Manager (CUCM).
The use of encrypted configuration files for phones is an optional security feature that is available in the CUCM.
You are not required to run the CUCM cluster in Mixed mode in order for this feature to function properly, as the Certificate Authority Proxy Function (CAPF) certificate information is contained within the Identity Trust List (ITL) file.
Note: This is the default location for all of the CUCM Versions 8.X and later. For CUCM versions prior to Version 8.X, you must ensure that the cluster runs in Mixed mode if you desire to use this feature.
Encrypted Configuration Feature Overview
This section describes the process that occurs when encrypted configuration phone files are used within the CUCM.
When you enable this feature, reset the phone, and download the configuration file, you receive a request for the file with a .cnf.xml.sgn extension:
However, after the encrypted configuration feature is enabled on the CUCM, the TFTP service no longer generates a full configuration file with the .cnf.xml.sgn extension. Instead, it generates the partial configuration file, as shown in the next example.
Note: When you use this method for the first time, the phone compares the MD5 hash of the phone certificate in the configuration file to the MD5 hash of the Locally Significant Certificate (LSC) or the Manufacturing Installed Certificates (MIC).
If the phone identifies a problem, it attempts to initiate a session with the CAPF, unless the CAPF authentication mode matches By Authentication Strings, in which case you must manually enter the string. Here are some problems that the phone might identify:
The hash does not match.
The phone does not contain a certificate.
The MD5 value is blank (as in the previous example).
Note: The phone initiates a Transport Layer Security (TLS) session to the CAPF service on port 3804 by default.
The CAPF certificate must be known for the phone, so it must be included in either the ITL file or Certificate Trust List (CTL) file (if the cluster runs in Mixed mode).
After the CAPF communication is established, the phone sends information to the CAPF about the LSC or MIC that is used. The CAPF then extracts the phone public key from the LSC or MIC, generates a MD5 hash, and stores the values for the public key and certificate hash in the CUCM database.
admin:run sql select md5hash,name from device where name='SEPA45630BBFA40' md5hash name ================================ =============== 6e566143c1c14566c9da943d949a79c8 SEPA45630BBFA40
After the public key is stored in the database, the phone resets and requests a new configuration file. The phone attempts to download the configuration file with the cnf.xml.sgn extension once again.
In order to enable the encrypted configuration phone files, you must create a new (or edit a current) Phone Security Profile and assign it to the phone. Complete these steps in order to enable the encrypted configuration feature on the CUCM:
Log into the CUCM Administration page and navigate to System > Security > Phone Security Profile:
Copy a current, or create a new, Phone Security Profile and check the TFTP Encrypted Config check box:
Assign the profile to the phone:
Complete these steps in order to troubleshoot system issues in regards to the encrypted configuration feature:
Ensure that the CAPF service is active and runs properly on the Publisher node in the CUCM cluster.
Download the partial configuration file and verify that the port and IP address of the CAPF service are reachable from the phone.
Verify the TCP communication on port 3804 to the Publisher node.
Run the previously mentioned Structured Query Language (SQL) command in order to verify whether the CAPF service has information about the LSC or MIC that is used by the phone.
If the issue still persists, you might be required to collect additional information from the system. Restart the phone and collect this information:
Phone Console logs
Cisco TFTP logs
Cisco CAPF logs
Packet captures from the CUCM and the phone
Refer to these resources for additional information about how to run packet captures from the CUCM and the phone: