[cisco-voip] Looking for advice on sRTP using tokenless CTL

Brian Meade bmeade90 at vt.edu
Thu Oct 19 15:08:37 EDT 2017


In 10.x, CTL/ITL are signed by the CallManager.pem if you do tokenless.
There's a recovery key in the ITL so you can run "utils itl reset localkey"
to resign the ITL with the recovery key to recover your cluster.  But this
doesn't help you with devices that don't support SBD like Jabber.

In 11.x, CTL/ITL are signed by the CallManager.pem if you do tokenless but
there's also a recovery key for the CTL.  You can run
"utils ctl reset localkey" to resign the CTL with the recovery key to
recover your cluster.

So I'd recommend in your case that you upgrade to 11.x first or use
physical tokens.

The latest 11.5 SU requires you to order a free encryption license through
PUT as well.



On Tue, Oct 17, 2017 at 2:01 PM, Ryan Huff <ryanhuff at outlook.com> wrote:

> Looking at enabling sRTP on a 10.x cluster (CUCM, EXPRESSWAY, CXN, UCCX).
> As I have been researching this topic, I’ve found the “riskiest” task to be
> enabling CTL / Mixed Mode in CUCM, specifically if you have devices that
> do not support Security By Default.
>
> It’s my understanding that once the callmanager cert changes, any device
> that can’t negotiate with the TVS service to establish verification will
> not be able to download the new CTL, and therefore not be able to
> re-register to CUCM until their CTL is removed.
>
> The device/trunk security profile configurations seem straightforward, as
> do the steps to take on CUBE and Expressway (regarding the trunk security).
>
> I haven’t completed my research into the CXN/UCCX requirements for SRTP
> with CUCM.
>
> Are there any other major/general pitfalls I should look out for? Anyone
> have any horror stories or lessons learned to share?
>
> Thanks,
>
> Ryan
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>