Cisco CTL Client Setup
Cisco CTL Client Setup
This chapter provides information about Cisco CTL client setup.
• About Cisco CTL Client Setup, page 2
• Cluster Encryption Configuration Through CLI, page 2
• Remove eToken Run Time Environment 3.00 for CTL Client 5.0 Plug-In, page 4
• Cisco CTL Client Setup Tips, page 4
• Set Up Cisco CTL Client, page 5
• Activate Cisco CTL Provider Service, page 6
• Cisco CAPF Service Activation, page 7
• Set Up Ports for TLS Connection, page 7
• Cisco CTL Client Installation, page 8
• Upgrade Cisco CTL Client and Migrate Cisco CTL File, page 10
• Set Up Cisco CTL Client, page 10
• Update CTL File, page 14
• Delete CTL File Entry, page 16
• Update Cisco Unified Communications Manager Security Mode, page 16
• Cisco CTL Client Settings, page 17
• Verify Cisco Unified Communications Manager Security Mode, page 19
• Set Up Smart Card Service to Started or Automatic, page 20
• Security Token Password (eToken) Modification, page 20
• Delete CTL File on Cisco Unified IP Phone, page 21
• Determine Cisco CTL Client Version, page 22
• Verify or Uninstall Cisco CTL Client, page 22
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
OL-29848-01
1
Cisco CTL Client Setup
About Cisco CTL Client Setup
About Cisco CTL Client Setup
Device, file, and signaling authentication rely on the creation of the Certificate Trust List (CTL) file, which
is created when you install and configure the Cisco Certificate Trust List (CTL) Client on a single Windows
workstation or server that has a USB port.
Note
Supported Windows versions for Cisco CTL Client include Windows XP, Windows Vista, and Windows
7. Do not use Terminal Services to install the Cisco CTL Client. Cisco installs Terminal Services, so
Cisco Technical Assistance Center (TAC) can perform remote troubleshooting and configuration tasks.
The CTL file contains entries for the following servers or security tokens:
• System Administrator Security Token (SAST)
• Cisco CallManager and Cisco TFTP services that are running on the same server
• Certificate Authority Proxy Function (CAPF)
• TFTP server(s)
• ASA firewall
The CTL file contains a server certificate, public key, serial number, signature, issuer name, subject name,
server function, DNS name, and IP address for each server.
After you create the CTL file, you must restart the Cisco CallManager and Cisco TFTP services in Cisco
Unified Serviceability on all nodes that run these services. The next time that the phone initializes, it downloads
the CTL file from the TFTP server. If the CTL file contains a TFTP server entry that has a self-signed certificate,
the phone requests a signed configuration file in .sgn format. If no TFTP server contains a certificate, the
phone requests an unsigned file.
After the Cisco CTL Client adds a server certificate to the CTL file, you can display the certificate in the CTL
Client GUI.
When you configure a firewall in the CTL file, you can secure a Cisco ASA Firewall as part of a secure Cisco
Unified Communications Manager system. The Cisco CTL Client displays the firewall certificate as a “CCM”
certificate.
Cisco Unified Communications Manager Administration uses an etoken to authenticate the TLS connection
between the Cisco CTL Client and Cisco CTL Provider.
Cluster Encryption Configuration Through CLI
Through the CLI, you can manage the cluster security mode without using the Cisco CTL Client.
Consider the following points:
• With this option, the CTL file is generated using a CLI instead of through the Cisco CTL Client.
• No hardware tokens are required.
• The CTL file is signed using the CallManager certificate private key.
This encryption option consists of the following CLI commands:
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
2
OL-29848-01
Cisco CTL Client Setup
Return to CTL Client for Cluster Encryption
utils ctl set-cluster mixed-mode
Updates the CTL file and sets the cluster to mixed mode.
utils ctl set-cluster non-secure-mode
Updates the CTL file and sets the cluster to non-secure mode.
utils ctl update CTLFile
Updates the CTL file on each node in the cluster.
Note
• You must run the CLI commands on the publisher node.
• Be aware that regenerating the CallManager certificate changes the signer of the file. Phones that
do not support Security by Default will not accept the new CTL file unless CTL files are manually
deleted from the phone.
Related Topics
Obtain Cisco Unified IP Phone Support List
Return to CTL Client for Cluster Encryption
If you secured the cluster by using the CLI command set utils ctl, you can return to the Cisco CTL Client
option.
Follow this procedure to return to the Cisco CTL Client option for encryption or to return your cluster to
non-secure mode.
Procedure
Step 1
Set the cluster to non-secure mode by using the CLI command utils ctl set-cluster non-secure-mode.
Step 2
Delete CTLFile.tlv on the publisher node by using the CLI command file delete tftp CTLFile.tlv.
Step 3
On the windows machine, open the Safenet 8.2 utility and perform the following steps:
a) Go to Advanced View > Safenet Authentication Client Tools > Token.
b) Insert the first USB token and right click on the certificate.
c) Export it to any location on the PC.
d) Perform the same steps for the second USB token.
Step 4
On the Cisco Unified OS Administration GUI, go to Security > Certificate Management > Upload Certificate
and perform the following steps:
a) From Upload Certificate, choose the certificate name “Phone-SAST-Trust.”
b) Select the first certificate that was exported from the USB token in Step 3 that you want to import.
c) Import the remaining USB token certificates using the preceding steps.
After you import the two certificates into the trust folder, you can run the Cisco CTL Client and move the
cluster to secure mode.
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
OL-29848-01
3
Cisco CTL Client Setup
Remove eToken Run Time Environment 3.00 for CTL Client 5.0 Plug-In
Remove eToken Run Time Environment 3.00 for CTL Client 5.0
Plug-In
If you are upgrading to the CTL Client 5.0 or 5.2 plug-in, you first need to remove eToken Run Time
Environment 3.00 by performing the following steps:
Procedure
Step 1
Download Windows Installer Cleanup Utility at the following URL:
http://support.microsoft.com/kb/290301
Step 2
Install the utility on your PC.
Step 3
Step 4
Step 5
Run the utility.
Find eToken rte3.0 in the list of programs and remove it.
Proceed with CTL Client installation.
Cisco CTL Client Setup Tips
Consider the following information when you configure the Cisco CTL Client in Cisco Unified Communications
Manager:
• The Cisco CTL Client limits the file size of a CTL file to 64 kilobytes because the phones cannot accept
a larger CTL file. The following factors affect the size of a CTL file:
◦The number of nodes in the cluster
More nodes require more certificates in the CTL file.
◦The number of firewalls that are used for TLS Proxy
Firewalls with TLS Proxy feature, which are the same as nodes, therefore get included in the CTL
file.
◦Whether an external certificate authority (CA) signs the CAPF and CallManager certificates
Because certificates (CAPF/CallManager) that are signed by an external CA are significantly larger
than default self-signed certificates, this can limit the maximum number of certificates that can fit
into the CTL file.
These factors directly limit the maximum number of certificates that you can fit in a 64-kilobyte
CTL file, so they dictate the maximum number of nodes or firewalls that you can have in a secure
Cisco Unified Communications Manager deployment.
• Ensure that the Cisco Unified Communications Manager node hostname or hostnames are resolvable
on the remote PC where the Cisco CTL Client is installed, or the Cisco CTL Client will not function
correctly.
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
4
OL-29848-01
Cisco CTL Client Setup
Set Up Cisco CTL Client
• You must activate the Cisco CTL Provider service. If you have a cluster environment, you must activate
the Cisco CTL Provider service on all servers in the cluster.
• After you create or update the CTL file, you must restart the Cisco CallManager and Cisco TFTP services
in Cisco Unified Serviceability on all Cisco Unified Communications Manager servers that run these
services and on all TFTP servers in the cluster.
• When the Cisco CTL Client contains entries for off-cluster servers, such as alternate or centralized TFTP
server, you must also run the Cisco CTL Provider service on these servers.
• The alternate TFTP server section of the Cisco CTL Client GUI designates a Cisco TFTP server that
exists in a different cluster. Use the Alternate TFTP Server Tab settings to configure alternate and
centralized TFTP servers in the Cisco CTL Client.
Note
See “Cisco TFTP” in the Cisco Unified Communications Manager System Guide for information about
configuring off-cluster (alternate and centralized) TFTP servers with TFTP service parameters.
• For centralized TFTP configurations, all off-cluster TFTP servers that are operating in mixed mode must
add the Master TFTP server or Master TFTP server IP address to the off-cluster CTL file. The master
TFTP server serves configuration files from all alternate TFTP servers in the alternate file list that is
configured for the master TFTP server. Clusters in a centralized TFTP configuration do not need to use
the same security mode; each cluster can select its own mode.
Set Up Cisco CTL Client
Follow this procedure if you are using the CTL Client option.
Note
This procedure requires that you obtain at least two security tokens, as well as the passwords, hostnames/IP
addresses, and port numbers for the servers that you will configure for the Cisco CTL Client.
The following table provides a list of configuration tasks that you perform to install and configure the Cisco
CTL Client for the first time. See topics related to upgrading the Cisco CTL Client and migrating the Cisco
CTL file for more information about configuring the CTL file when you upgrade Cisco Unified Communications
Manager.
Procedure
Step 1
Step 2
Step 3
Step 4
Obtain at least two security tokens and the passwords, hostnames/IP addresses, and port numbers for the
servers that you will configure for the Cisco CTL Client.
Ensure that all the servers in the cluster are online and reachable from the PC on which the CTL Client will
run. If a server is configured with a hostname, ping the hostname to verify reachability.
Ensure that all of the hostnames of the cluster servers are defined in the DNS server that is configured on the
publisher server.
Activate the Cisco CTL Provider service in Cisco Unified Serviceability.
Activate the Cisco CTL Provider service on each Cisco Unified Communications Manager server in the
cluster.
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
OL-29848-01
5
Cisco CTL Client Setup
Activate Cisco CTL Provider Service
If you activated this service prior to a Cisco Unified Communications Manager upgrade, you do not
need to activate the service again. The service automatically activates after the upgrade.
Activate the Cisco Certificate Authority Proxy service in Cisco Unified Serviceability.
Tip
Activate the Cisco Certificate Authority Proxy service only on the first node in the
cluster.
Timesaver
Performing this task before you install and configure the Cisco CTL Client ensures that you do
not have to update the CTL file to use CAPF.
If you do not want to use the default settings, configure ports for the TLS connection.
Tip
If you configured these settings prior to a Cisco Unified Communications Manager upgrade, the settings
migrate automatically.
Install the Cisco CTL Client.
Configure the Cisco CTL Client.
Tip
Step 5
Step 6
Step 7
Step 8
Related Topics
Activate Certificate Authority Proxy Function Service
Activate Cisco CTL Provider Service, on page 6
Cisco CTL Client Installation, on page 8
CTL Client, SSL, CAPF, and Security Token Installation
Set Up Ports for TLS Connection, on page 7
System Requirements
Upgrade Cisco CTL Client and Migrate Cisco CTL File, on page 10
Activate Cisco CTL Provider Service
After you configure the Cisco CTL Client, the Cisco CTL Provider service changes the security mode from
nonsecure to mixed mode and transports the server certificates to the CTL file. The service then transports
the CTL file to all Cisco Unified Communications Manager and Cisco TFTP servers.
If you activate this service and then upgrade Cisco Unified Communications Manager, Cisco Unified
Communications Manager automatically reactivates the service after the upgrade.
Tip
You must activate the Cisco CTL Provider service on all servers in the cluster.
To activate the service, perform the following procedure:
Procedure
Step 1
Step 2
Step 3
Step 4
In Cisco Unified Serviceability, choose Tools > Service Activation.
In the Servers drop-down list box, choose a server where you have activated the Cisco CallManager or Cisco
TFTP services.
Click the Cisco CTL Provider service radio button.
Click Save.
Tip
Perform this procedure on all servers in the
cluster.
Note
You can enter a CTL port before you activate the Cisco CTL Provider service. If you want to change
the default port number, see topics related to setting up ports for a TLS connection.
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
6
OL-29848-01
Cisco CTL Client Setup
Cisco CAPF Service Activation
Step 5
Verify that the service runs on the servers. In Cisco Unified Serviceability, choose Tools > Control Center
- Feature Services to verify the state of the service.
Related Topics
Set Up Ports for TLS Connection, on page 7
Cisco CAPF Service Activation
Warning
Activating the Cisco certificate authority proxy function service before you install and configure the Cisco
CTL Client ensures that you do not have to update the CTL file to use CAPF.
Related Topics
Activate Certificate Authority Proxy Function Service
Set Up Ports for TLS Connection
You may have to configure a different TLS port number if the default port is currently being used or if you
use a firewall and you cannot use the port within the firewall.
• The Cisco CTL Provider default port for the TLS connection equals 2444. The Cisco CTL Provider port
monitors requests from the Cisco CTL Client. This port processes Cisco CTL Client requests, such as
retrieving the CTL file, setting the cluster security mode, and saving the CTL file to the TFTP server.
Note
Cluster security mode configures the security capability for your standalone server or a cluster.
• The Ethernet Phone Port monitors registration requests from the phone that is running SCCP. In nonsecure
mode, the phone connects through port 2000. In mixed mode, the Cisco Unified Communications
Manager port for TLS connection equals the value for the Cisco Unified Communications Manager port
number added to (+) 443; therefore, the default TLS connection for Cisco Unified Communications
Manager equals 2443. Update this setting only if the port number is in use or if you use a firewall and
you cannot use the port within the firewall.
• The SIP Secure Port allows Cisco Unified Communications Manager to listen for SIP messages from
phones that are running SIP. The default value equals 5061. If you change this port, you must restart
the Cisco CallManager service in Cisco Unified Serviceability and reset the phones that are running
SIP.
Tip
After you update the port(s), you must restart the Cisco CTL Provider service in Cisco Unified
Serviceability.
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
OL-29848-01
7
Cisco CTL Client Setup
Cisco CTL Client Installation
Tip
You must open the CTL ports to the data VLAN from where the CTL Client runs.
To change the default setting, perform the following procedure:
Procedure
Step 1
Perform the following tasks, depending on the port that you want to change:
a) To change the Port Number parameter for the Cisco CTL Provider service, perform Step 2, on page 8
through Step 6, on page 8.
b) To change the Ethernet Phone Port or SIP Phone Secure Port settings, perform Step 7, on page 8 through
Step 11, on page 8.
Step 2
To change the Cisco CTL Provider port, choose System > Service Parameters in Cisco Unified
Communications Manager Administration.
In the Server drop-down list, choose a server where the Cisco CTL Provider service runs.
In the Service drop-down list box, choose Cisco CTL Provider service.
Tip
For information on the service parameter, click the question mark or the link
name.
To change the value for the Port Number parameter, enter the new port number in the Parameter Value field.
Click Save.
To change the Ethernet Phone Port or SIP Phone Secure Port settings, choose System > Cisco Unified CM
in Cisco Unified Communications Manager Administration.
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Find a server where the Cisco CallManager service runs, as described in the Cisco Unified Communications
Manager Administration Guide; after the results display, click the Name link for the server.
Step 9
After the Cisco Unified Communications Manager Configuration window displays, enter the new port numbers
in the Ethernet Phone Port or SIP Phone Secure Port fields.
Step 10 Reset the phones and restart the Cisco CallManager service in Cisco Unified Serviceability.
Step 11 Click Save.
Related Topics
Cisco CTL Client Installation
Note
This procedure is not required if you manage cluster security using the CLI.
You must use the client and update the CTL file when the following events occur:
• The first time that you set the cluster security mode
• The first time that you create the CTL file
• After the Cisco Unified Communications Manager installation
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
8
OL-29848-01
Cisco CTL Client Setup
Install Cisco CTL Client for Windows XP, Windows Vista, and Windows 7
• After you restore a Cisco Unified Communications Manager server or Cisco Unified Communications
Manager data
• After you change the IP address or hostname of the Cisco Unified Communications Manager server
• After you add or remove a security token, if using the Cisco CTL Client
• After you add or remove a ASA firewall
• After you add or remove a TFTP server
• After you add or remove a Cisco Unified Communications Manager server
• After you upload a third-party, CA-signed certificate to the platform
Tip
If the Smart Card service is not set to started and automatic on the server or workstation where you plan
to install the client, the installation fails.
Install Cisco CTL Client for Windows XP, Windows Vista, and Windows 7
To install the Cisco CTL Client for Windows XP, Windows Vista, and Windows 7 , perform the following
procedure:
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
From the Windows workstation or server where you plan to install the client, browse to Cisco Unified
Communications Manager Administration, as described in the Cisco Unified Communications Manager
Administration Guide.
In Cisco Unified Communications Manager Administration, choose Application > Plugins.
The Find and List Plugins window displays.
From the Plugin Type equals drop-down list box, choose Installation and click Find.
Locate the Cisco CTL Client.
To download the file, click Download on the left side of the window, directly opposite the Cisco CTL Client
plug-in name.
Click Save and save the file to a location that you will remember.
To begin the installation, double-click Cisco CTL Client (icon or executable depending on where you saved
the file).
Note
You can also click Open from the Download Complete
box.
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
OL-29848-01
9
Cisco CTL Client Setup
Upgrade Cisco CTL Client and Migrate Cisco CTL File
Step 8
Step 9
Step 10
Step 11
The version of the Cisco CTL Client displays; click Next.
The installation wizard displays. Click Next.
Accept the license agreement and click Next.
Choose a folder where you want to install the client. If you want to do so, click Browse to change the default
location; after you choose the location, click Next.
Step 12 To begin the installation, click Next.
Step 13 After the installation completes, click Finish.
Upgrade Cisco CTL Client and Migrate Cisco CTL File
If you want to make changes to the CTL file after a Cisco Unified Communications Manager Release 5.x to
6.x upgrade, you must uninstall the Cisco CTL Client that you installed prior to the upgrade, install the latest
Cisco CTL Client and regenerate the CTL file. If you did not remove or add any servers before the upgrade,
you do not need to reconfigure the Cisco CTL Client after the upgrade. The Cisco Unified Communications
Manager upgrade automatically migrates the data in the CTL file.
When you upgrade from a Cisco Unified Communications Manager 4.x release to a 6.x release and security
is enabled on the cluster, you must uninstall the Cisco CTL Client that you installed prior to the upgrade,
install the latest Cisco CTL Client, and regenerate the CTL file. Follow this procedure to enable security on
the upgraded cluster:
Procedure
Step 1
Step 2
Step 3
Step 4
Uninstall the existing Cisco CTL Client.
Install the new Cisco CTL Client.
Run the Cisco CTL Client by using at least one of the previously used USB keys.
Restart the Cisco CallManager and Cisco TFTP services in Cisco Unified Serviceability on all Cisco Unified
Communications Manager servers that run these services and on all TFTP servers in the cluster.
Related Topics
Cisco CTL Client Installation, on page 8
Where to Find More Information
Set Up Cisco CTL Client
Important
This information applies to the CTL Client encryption option. You may also set up encryption by using
the utils ctl CLI command set. For more information about this option, see the Command Line Interface
Guide for Cisco Unified Communications Solutions.
The Cisco CTL Client performs the following tasks:
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
10
OL-29848-01
Cisco CTL Client Setup
Set Up Cisco CTL Client
• Sets the Cisco Unified Communications Manager security mode for a cluster or standalone server.
Note
You cannot set the Cisco Unified Communications Manager cluster security parameter to mixed mode
through the Enterprise Parameters Configuration window of Cisco Unified Communications Manager
Administration. You can set the cluster security mode through the Cisco CTL Client or the CLI command
set utils ctl.
• Creates the Certificate Trust List (CTL), which is a file that contains certificate entries for security
tokens, Cisco Unified Communications Manager, ASA firewall, and CAPF server.
The CTL file indicates the servers that support TLS for the phone connection. The client automatically
detects the Cisco Unified Communications Manager, Cisco CAPF, and ASA firewall and adds certificate
entries for these servers.
The security tokens that you insert during the configuration sign the CTL file.
Note
The Cisco CTL Client also provides supercluster support: up to 16 call processing servers, 1 publisher, 2
TFTP servers, and up to 9 media resource servers.
Tip
Configure the Cisco CTL Client during a scheduled maintenance window because you must restart the
Cisco CallManager services and Cisco TFTP services on all servers that run these services in the cluster.
After you complete the Cisco CTL Client configuration, the CTL Client performs the following tasks:
• Writes the CTL file to the Cisco Unified Communications Manager server(s).
• Writes CAPF capf.cer to all Cisco Unified Communications Manager subsequent nodes (not first node)
in the cluster.
• Writes CAPF certificate file in PEM format to all Cisco Unified Communications Manager subsequent
nodes (not first node) in the cluster.
• Writes the file to all configured TFTP servers.
• Writes the file to all configured ASA firewalls.
• Signs the CTL file with the private key of the security token that exists in the USB port at the time you
create the CTL file.
To configure the client, perform the following procedure:
Note
This procedure is not required if you manage cluster security through the CLI command set utils ctl.
Before You Begin
Tip
See topics related to upgrading the Cisco CTL Client and migrating the Cisco CTL file for more information
about configuring the CTL file when you upgrade Cisco Unified Communications Manager.
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
OL-29848-01
11
Cisco CTL Client Setup
Set Up Cisco CTL Client
Before you configure the Cisco CTL Client, verify that you activated the Cisco CTL Provider service and the
Cisco Certificate Authority Proxy Function service in Cisco Unified Serviceability. Obtain at least two security
tokens; the Cisco certificate authority issues these security tokens. The security tokens must come from Cisco.
You will insert the tokens one at a time into the USB port on the server/workstation. If you do not have a USB
port on the server, you may use a USB PCI card.
Obtain the following passwords, hostnames/IP addresses, and port numbers:
• Administrative username and password for Cisco Unified Communications Manager
Tip
Ensure the administrative username is an application user, not an end user, and a member of a super user
group with super user roles.
• Security token administrative password
• Administrative username and password for the ASA firewall
See Table 1: CTL Client Configuration Settings, on page 17 for a description of the preceding information.
Tip
Before you install the Cisco CTL Client, verify that you have network connectivity to the server. To ensure
that you have network connectivity, issue a ping command, as described in the Cisco Unified
Communications Operating System Administration Guide. In a cluster configuration, verify you have
network connectivity to all servers in the cluster.
If you installed multiple Cisco CTL Clients, Cisco Unified Communications Manager accepts CTL configuration
information on only one client at a time, but you can perform configuration tasks on up to five Cisco CTL
Clients simultaneously. While you perform configuration tasks on one client, Cisco Unified Communications
Manager automatically stores the information that you entered on the other clients.
After you complete the Cisco CTL Client configuration, the CTL Client performs the following tasks:
• Writes the CTL file to the Cisco Unified Communications Manager server(s).
• Writes CAPF capf.cer to all Cisco Unified Communications Manager subsequent nodes (not first node)
in the cluster.
• Writes CAPF certificate file in PEM format to all Cisco Unified Communications Manager subsequent
nodes (not first node) in the cluster.
• Writes the file to all configured TFTP servers.
• Writes the file to all configured ASA firewalls.
• Signs the CTL file with the private key of the security token that exists in the USB port at the time you
create the CTL file.
To configure the client, perform the following procedure:
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
12
OL-29848-01
Cisco CTL Client Setup
Set Up Cisco CTL Client
Procedure
Step 1
Step 2
Obtain at least two security tokens that you purchased.
Perform one of the following tasks:
a) Double-click the Cisco CTL Client icon that exists on the desktop of the workstation/server where you
installed it.
b) Choose Start > Programs > Cisco CTL Client.
Step 3
Enter the configuration settings for the Cisco Unified Communications Manager server, as described in Table
1: CTL Client Configuration Settings, on page 17; click Next.
Click Set Cisco Unified Communications Manager Cluster to Mixed Mode, then click Next.
See Table 1: CTL Client Configuration Settings, on page 17 for field descriptions.
Step 4
Step 5
Perform the following tasks, depending on what you want to accomplish:
a) To add a security token, see Cisco CTL Client Setup, on page 1 through Cisco CTL Client Setup, on
page 1.
b) To complete the Cisco CTL Client configuration, see Cisco CTL Client Setup, on page 1 through Cisco
CTL Client Setup, on page 1.
Caution
You need a minimum of two security tokens the first time that you configure the client. Do
not insert the tokens until the application prompts you to do so. If you have two USB ports on
the workstation or server, do not insert two security tokens at the same time.
Step 6
Step 7
When the application prompts you to do so, insert one security token in an available USB port on the workstation
or server where you are currently configuring the Cisco CTL Client; click OK.
The security token information displays for the token that you inserted; click Add.
Step 8
Step 9
The detected certificate entries display in the pane.
To add other security token(s) to the certificate trust list, click Add Tokens.
Step 10 If you have not already done so, remove the token that you inserted into the server or workstation. When the
application prompts you to do so, insert the next token and click OK.
Step 11 The security token information for the second token displays; click Add.
Step 12 For all security tokens, repeat Cisco CTL Client Setup, on page 1 through Cisco CTL Client Setup, on
page 1.
Step 13 The certificate entries display in the pane.
Step 14 Enter the configuration settings.
See Table 1: CTL Client Configuration Settings, on page 17 for field descriptions.
Step 15 Click Next.
Step 16 Enter the configuration settings, then click Next.
See Table 1: CTL Client Configuration Settings, on page 17 for field descriptions.
Step 17 When you have added all security tokens and servers, click Finish.
Step 18 Enter the username password for the security token, then click OK.
See Table 1: CTL Client Configuration Settings, on page 17 for field descriptions.
Step 19 After the client creates the CTL file, a window displays the server, file location, and status of the CTL file on
each server. Click Finish.
Step 20 Reset all devices for your standalone server or cluster.
Step 21 In Cisco Unified Serviceability, restart the Cisco CallManager and Cisco Tftp services.
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
OL-29848-01
13
Cisco CTL Client Setup
Update CTL File
Restart these services on all Cisco Unified Communications Manager servers that run these services
and on all TFTP servers in the cluster.
Step 22 After you create the CTL file through the CTL Client, you may remove the security token from the USB port.
Store all security tokens in a safe place that you will remember.
Tip
Related Topics
Cisco CTL Client Settings, on page 17
Reset Devices, Reboot Servers and Clusters, and Restart Services
Upgrade Cisco CTL Client and Migrate Cisco CTL File, on page 10
Where to Find More Information
Update CTL File
Note
This procedure is not required if you manage cluster security through the CLI command set utils ctl.
You must update the CTL file if the following scenarios occur:
• If you add a new Cisco Unified Communications Manager server to the cluster
Note
To add a node to a secure cluster, see Installing Cisco Unified Communications Manager,
which describes how to add a node and how to configure security for the new node.
• If you change the name or IP address of a Cisco Unified Communications Manager server
• If you change the IP address or hostname for any configured TFTP servers
• If you change the IP address or hostname for any configured ASA firewall
• If you enabled the Cisco Certificate Authority Function service in Cisco Unified Serviceability
• If you need to add or remove a security token
• If you need to add or remove a TFTP server
• If you need to add or remove a Cisco Unified Communications Manager server
• If you need to add or remove an ASA firewall
• If you restore a Cisco Unified Communications Manager server or Cisco Unified Communications
Manager data
• If you manually regenerate certificates on a Cisco Unified Communications Manager cluster that contains
a CTL file
• If you update from a CUCM version prior to 7.1.5 to a version 7.1.5 or later.
• After you upload a third-party, CA-signed certificate to the platform
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
14
OL-29848-01
Cisco CTL Client Setup
Update CTL File
Note
When a domain name is added or changed on a Cisco Unified Communications Manager cluster in mixed
mode, you must re-run the CTL Client or changes to the phone configuration files do not take effect.
Tip
Cisco strongly recommends that you update the file when minimal call-processing interruptions will occur.
Procedure
Step 1
Step 2
Step 3
Obtain one security token that you inserted to configure the latest CTL file.
Double-click the Cisco CTL Client icon that exists on the desktop of the workstation/server where you
installed it.
Enter the configuration settings for the Cisco Unified Communications Manager server, then click Next.
See Table 1: CTL Client Configuration Settings, on page 17 for field descriptions.
You make updates in this window for the Cisco Unified Communications Manager
server.
To update the CTL file, click Update CTL File, and then click Next.
See Table 1: CTL Client Configuration Settings, on page 17 for field descriptions.
Tip
Step 4
For all CTL file updates when using the CTL Client option, you must insert one security token
that already exists in the CTL file into the USB port. The client validates the signature of the CTL
file through this token. You cannot add new tokens until the Cisco CTL Client validates the
signature. If you have two USB ports on the workstation or server, do not insert both security
tokens at the same time.
If you have not already inserted one security token in an available USB port on the workstation or server
where you are currently updating the CTL file, insert one of the security tokens; click OK.
The security token information displays for the token that you inserted; click Next.
The detected certificate entries display in the pane.
Caution
Step 5
Step 6
You cannot update the Cisco Unified Communications Manager, Cisco TFTP, or ASA firewall entries
from this pane. To update the Cisco Unified Communications Manager entry, click Cancel and perform
Step 2, on page 15 through Step 6, on page 15 again.
Update existing Cisco CTL entries, or add or delete security tokens.
When you have finished updating the CTL file, restart the Cisco CallManager and Cisco TFTP services in
Cisco Unified Serviceability.
Tip
Restart the TFTP and Cisco CallManager services on all nodes in the cluster that run these services.
Tip
Step 7
Step 8
Related Topics
Delete CTL File Entry, on page 16
Where to Find More Information
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
OL-29848-01
15
Cisco CTL Client Setup
Delete CTL File Entry
Delete CTL File Entry
At any time, you can delete some CTL entries that display in the CTL Entries window of the Cisco CTL
Client.
You cannot delete servers that run Cisco Unified Communications Manager, Cisco TFTP, ASA firewall, or
Cisco CAPF from the CTL file.
Two security token entries must exist in the CTL file at all times. You cannot delete all security tokens from
the file. Alternatively, you can update the CTL file using the CLI command utils ctl update CTLFile.
Procedure
After you open the client and follow the prompts to display the CTL Entries window, highlight the item to
delete and click Delete Selected to delete the entry.
Related Topics
Update Cisco Unified Communications Manager Security Mode
You must use the Cisco CTL Client to configure the cluster security mode. You cannot change the Cisco
Unified Communications Manager security mode from the Enterprise Parameters Configuration window in
Cisco Unified Communications Manager Administration.
Note
Cluster security mode configures the security capability for a standalone server or a cluster.
To change the cluster security mode after the initial configuration of the Cisco CTL Client, you must update
the CTL file.
If you change the cluster security mode from mixed to nonsecure mode, the CTL file still exists on the server(s),
but the CTL file does not contain any certificates. Because no certificates exist in the CTL file, the phone
requests an unsigned configuration file and registers as nonsecure with Cisco Unified Communications
Manager.
Procedure
Navigate to the Cluster Security Mode window, change the mode setting, and click Next, then Finish.
See Table 1: CTL Client Configuration Settings, on page 17 for more information.
Related Topics
Update CTL File, on page 14
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
16
OL-29848-01
Cisco CTL Client Setup
Cisco CTL Client Settings
Cisco CTL Client Settings
Important
This information applies to the CTL Client encryption option. You may also set up encryption by using
the utils ctl CLI command set, which does not require security tokens. For more information about this
option, see the Command Line Interface Guide for Cisco Unified Communications Solutions.
You can set the cluster security mode to nonsecure or mixed mode, as described in the following table. Only
mixed mode supports authentication, encrypted signaling, and encrypted media.
Note
Cluster security mode configures the security capability for a standalone server or a cluster.
Use the following table to configure the Cisco CTL Client for the first time, to update the CTL file, or to
change the mode from mixed to nonsecure.
Table 1: CTL Client Configuration Settings
Setting
Description
Cisco Unified Communications Manager Server
Hostname or IP Address
Enter the hostname or IP address for the server for the first node.
Port
Enter the CTL port number for the Cisco CTL Provider service that runs on
this Cisco Unified Communications Manager server. The default port number
equals 2444.
Username and Password
Enter the same application username and password that has superuser
administrative privileges on the first node.
Security Mode
Set Cisco Unified
Communications Manager
Cluster to Mixed Mode
Mixed mode allows authenticated, encrypted, and nonsecure Cisco Unified
IP Phones to register with Cisco Unified Communications Manager. In this
mode, Cisco Unified Communications Manager ensures that authenticated
or encrypted devices use a secure port.
Note
Cisco Unified Communications Manager disables auto-registration
if you configure mixed mode.
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
OL-29848-01
17
Cisco CTL Client Setup
Cisco CTL Client Settings
Setting
Description
Set Cisco Unified
If you configure nonsecure mode, all devices register as unauthenticated, and
Communications Manager
Cisco Unified Communications Manager supports image authentication only.
Cluster to Non-Secure Mode When you choose this mode, the Cisco CTL Client removes the certificates
for all entries that are listed in the CTL file, but the CTL file still exists in
the directory that you specified. The phone requests unsigned configuration
files and registers as nonsecure with Cisco Unified Communications Manager.
To revert the phone to the default nonsecure mode, you must delete
the CTL file from the phone and all Cisco Unified Communications
Manager servers.
You can use auto-registration in this mode.
Tip
Update CTL File
After you have created the CTL file, you must choose this option to make
any changes to the CTL file. Choosing this option ensures that the Cisco
Unified Communications Manager security mode does not change.
CTL Entries
Add Tokens
Click this button to add additional security token(s) to the certificate trust
list.
If you have not already done so, remove the token that you initially inserted
into the server or workstation. When the application prompts you to do so,
insert the next token and click OK. When the security token information for
the additional token displays, click Add. For all security tokens, repeat these
tasks.
Add TFTP Server
Click this button to add an Alternate TFTP server to the certificate trust list.
For information on the settings, click the Help button after the Alternate
TFTP Server tab settings display. After you enter the settings, click Next.
Add Firewall
Click this button to add an ASA firewall to the certificate trust list. For
information on the settings, click the Help button after the Firewall tab settings
display. After you enter the settings, click Next.
Alternate TFTP Server
Hostname or IP Address
Enter the hostname or IP address for the TFTP server.
Alternate TFTP server designates a Cisco TFTP server that exists in a different
cluster. If you use two different clusters for the alternate TFTP server
configuration, both clusters must use the same cluster security mode, which
means that you must install and configure the Cisco CTL Client in both
clusters. Likewise, both clusters must run the same version of Cisco Unified
Communications Manager.
Ensure that the path in the TFTP service parameter, FileLocation, is the same
for all servers in the cluster.
Port
Not required with this release of Cisco Unified Communications Manager.
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
18
OL-29848-01
Cisco CTL Client Setup
Verify Cisco Unified Communications Manager Security Mode
Setting
Description
Username and Password
Not required with this release of Cisco Unified Communications Manager.
Firewall
Hostname or IP Address
Enter the hostname or IP address for the firewall.
Port
Not configurable. The system uses the Cisco Unified Communications
Manager port; the default port number equals 2444.
Username and Password
Not configurable. The system uses the administrator name and password that
you configured during Cisco Unified Communications Manager installation.
Security Token
User Password
The first time that you configure the Cisco CTL client, enter Cisco123, the
case-sensitive default password, to retrieve the private key of the certificate
and ensure that the CTL file gets signed.
Related Topics
Cisco CTL Client Setup Tips, on page 4
Where to Find More Information
Verify Cisco Unified Communications Manager Security Mode
To verify the cluster security mode, perform the following procedure:
Note
Cluster security mode configures the security capability for a standalone server or a cluster.
Procedure
Step 1
Step 2
In Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters
Configuration.
Locate the Cluster Security Mode field. If the value in the field displays as 1, you correctly configured Cisco
Unified Communications Manager for mixed mode. (Click the field name for more information.)
Tip
You cannot configure this value in Cisco Unified Communications Manager Administration. This
value displays after you configure the Cisco CTL Client.
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
OL-29848-01
19
Cisco CTL Client Setup
Set Up Smart Card Service to Started or Automatic
Related Topics
Set Up Smart Card Service to Started or Automatic
If the Cisco CTL Client installation detects that the Smart Card service is disabled, you must set the Smart
Card service to automatic and started on the server or workstation where you are installing the Cisco CTL
Client plug-in.
Tip
You cannot add the security tokens to the CTL file if the service is not set to started and automatic.
Tip
After you upgrade the operating system, apply service releases, upgrade Cisco Unified Communications
Manager, and so on, verify that the Smart Card service is started and automatic.
To set the service to started and automatic, perform the following procedure:
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
On the server or workstation where you installed the Cisco CTL Client, choose Start > Programs >
Administrative Tools > Services or Start > Control Panel > Administrative Tools > Services.
From the Services window, right-click the Smart Card service and choose Properties.
In the Properties window, verify that the General tab displays.
From the Startup type drop-down list box, choose Automatic.
Click Apply.
In the Service Status area, click Start.
Click OK.
Reboot the server or workstation and verify that the service is running.
Related Topics
Security Token Password (eToken) Modification
Note
This procedure is not required if you manage cluster security through the CLI command set utils ctl.
This administrative password retrieves the private key of the certificate and ensures that the CTL file is signed.
Each security token comes with a default password. You can change the security token password at any time.
If the Cisco CTL Client prompts you to change the password, you must change the password before you can
proceed with the configuration.
To review pertinent information on setting passwords, click the Show Tips button. If you cannot set the
password for any reason, review the tips that display.
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
20
OL-29848-01
Cisco CTL Client Setup
Change eToken Password for Windows XP, Windows Vista, or Windows 7
Change eToken Password for Windows XP, Windows Vista, or Windows 7
Important
This information applies to the CTL Client encryption option. You may also set up encryption by using
the utils ctl CLI command set, which does not require security tokens. For more information about this
option, see the Command Line Interface Guide for Cisco Unified Communications Solutions.
To change the security token password on a Windows XP, Windows Vista, or Windows 7 server or workstation,
perform the following procedure:
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Verify that you have installed the Cisco CTL Client on a Windows server or workstation.
If you have not already done so, insert the security token into the USB port on the Windows server or
workstation where you installed the Cisco CTL Client.
If you have not already done so, insert the security token into the USB port on the Windows server or
workstation where you installed the Cisco CTL Client.
Choose Start > Programs > etoken > Etoken Properties, right-click etoken, and choose Change etoken
password.
In the Current Password field, enter the password that you originally created for the token.
Enter a new password.
Enter the new password again to confirm it.
Click OK.
Delete CTL File on Cisco Unified IP Phone
Caution
Cisco recommends that you perform this task in a secure lab environment, especially if you do not plan
to delete the CTL file from the Cisco Unified Communications Manager server(s).
Delete the CTL file on the Cisco Unified IP Phone for the following cases:
• You lose all security tokens that signed the CTL file.
• The security tokens that signed the CTL file appear compromised.
• You move a phone out of a secure environment; for example, to a storage area.
• You move a phone to a nonsecure cluster or to another secure cluster in a different domain.
• You move a phone from an area with an unknown security policy to a secure Cisco Unified
Communications Manager.
• You change the alternate TFTP server address to a server that does not exist in the CTL file.
To delete the CTL file on the Cisco Unified IP Phone, perform the tasks in the following table.
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
OL-29848-01
21
Cisco CTL Client Setup
Determine Cisco CTL Client Version
Table 2: Deleting the CTL File on the Cisco Unified IP Phone
Cisco Unified IP Phone
Model
Tasks
Cisco Unified IP Phones
7960G and 7940G
Under the Security Configuration menu on the phone, press CTL file, unlock
or **#, and erase.
Cisco Unified IP Phone
7970G and equivalent
Perform one of the following methods:
• Unlock the Security Configuration menu, as described in Cisco Unified
IP Phone Administration Guide for Cisco Unified Communications
Manager. Under the CTL option, press the Erase softkey.
• Under the Settings menu, press the Erase softkey.
Note
Pressing the Erase softkey under the Settings menu deletes other
information besides the CTL file. For additional information, refer
to the Cisco Unified IP Phone Administration Guide for Cisco
Unified Communications Manager.
Related Topics
Determine Cisco CTL Client Version
To determine which version of the Cisco CTL Client you are using, perform the following procedure:
Procedure
Step 1
Perform one of the following tasks:
a) Double-click the Cisco CTL Client icon that exists on the desktop.
b) Choose Start > Programs > Cisco CTL Client.
Step 2
Step 3
In the Cisco CTL Client window, click the icon in the upper, left corner of the window.
Choose About Cisco CTL Client. The version of the client displays.
Related Topics
Verify or Uninstall Cisco CTL Client
Uninstalling the Cisco CTL Client does not delete the CTL file. Likewise, the cluster security mode and the
CTL file do not change when you uninstall the client. If you choose to do so, you can uninstall the Cisco CTL
Client, install the client on a different Windows workstation or server, and continue to use the same CTL file.
To verify that the Cisco CTL Client installed, perform the following procedure:
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
22
OL-29848-01
Cisco CTL Client Setup
Verify or Uninstall Cisco CTL Client
Procedure
Step 1
Step 2
Step 3
Choose Start > Control Panel > Add Remove Programs.
To verify that the client installed, locate Cisco CTL Client.
To uninstall the client, click Remove.
Related Topics
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
OL-29848-01
23
Cisco CTL Client Setup
Verify or Uninstall Cisco CTL Client
Cisco Unified Communications Manager Security Guide, Release 10.0(1)
24
OL-29848-01
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising