Which Cisco Unified CM service is installed by default and authenticates certificates on behalf of IP phones and other endpoints?
A. Cisco CTL Provider
B. Cisco Certificate Authority Proxy Function
C. Cisco Trust Verification
D. Cisco CallManager
E. Cisco TFTP
Overview
Security by Default provides the following automatic security features for Cisco Unified IP Phones:
• Signing of the phone configuration files.
• Support for phone configuration file encryption.
• HTTPS with Tomcat and other web services (MIDlets).
For Cisco Unified Communications Manager Release 8.0, these security features are provided by default without running the CTL Client.
Note: Secure signaling and media still require running the CTL Client and using the hardware eTokens.
Trust Verification Service
Trust Verification Service (TVS) is the main component of Security by Default. TVS enables Cisco Unified IP Phones to authenticate application servers, such as EM services, directory, and MIDlet, during HTTPS establishment.
TVS provides the following features:
• Scalability—Cisco Unified IP Phone resources are not impacted by the number of certificates to trust.
• Flexibility—Addition or removal of trust certificates is automatically reflected in the system.
• Security by Default—Non-media and signaling security features are part of the default installation and do not require user intervention.
Note: Enabling secure signaling and media requires the CTL Client.
TVS Overview
The following basic concepts describe the Trust Verification Service:
• TVS runs on the Cisco Unified Communications Manager server and authenticates certificates on behalf of the Cisco Unified IP Phone.
• Instead of downloading all the trusted certificates, Cisco Unified IP Phones only need to trust TVS.
• The TVS certificates and a few key certificates are bundled in a new file: the Identity Trust List (ITL) file.
• The ITL file is generated automatically without user intervention.
• The ITL file is downloaded by Cisco Unified IP Phones, and trust flows from there.
Initial Trust List
Cisco Unified IP Phones need an Initial Trust List (ITL) to perform the following tasks:
• Authenticate their configuration file signature.
• Talk securely to CAPF, a prerequisite for supporting configuration file encryption.
• Trust TVS (which authenticates HTTPS certificates, among other functions).
If the Cisco Unified IP Phone does not have an existing CTL file, it trusts the first ITL File automatically, like it does the CTL File. Subsequent ITL files must be either signed by the same TFTP private key or TVS must be able to return the certificate corresponding to the signer.
If the Cisco Unified IP Phone has an existing CTL file, it uses the CTL file to authenticate the ITL file signature.
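The acceptance rules above, together with the "trust TVS instead of every certificate" lookup from the TVS overview, as an added worked model; this is constructed example code, not Cisco's implementation or the real ITL file format, and it abstracts the signature check to the fingerprint of the signing certificate (the `Record`, `TrustList`, `TVS` and `Phone` names and all fingerprint values are invented for the illustration).

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# Constructed model, not Cisco code: signature checks are reduced to the
# fingerprint of the signing certificate; only the trust decision is modelled.

@dataclass(frozen=True)
class Record:
    role: str   # TFTP, TFTP+CCM, CUCM, CAPF, TVS or SAST
    cert: str   # certificate fingerprint (constructed placeholder value)

@dataclass(frozen=True)
class TrustList:
    records: Tuple[Record, ...]
    signer: str  # fingerprint of the certificate whose key signed the file

    def certs(self, role: str) -> set:
        return {r.cert for r in self.records if r.role == role}

class TVS:
    """Cluster trust store that phones query instead of holding every cert."""
    def __init__(self, trusted):
        self._trusted = set(trusted)

    def lookup(self, fingerprint: str) -> Optional[str]:
        return fingerprint if fingerprint in self._trusted else None

@dataclass
class Phone:
    ctl: Optional[TrustList] = None
    itl: Optional[TrustList] = None

    def accept_itl(self, new: TrustList, tvs: TVS) -> bool:
        """Apply the ITL acceptance rules; install the file only if they pass."""
        if self.ctl is not None:      # CTL present: it authenticates the ITL signature
            ok = new.signer in {r.cert for r in self.ctl.records}
        elif self.itl is None:        # no CTL and no ITL: first ITL trusted automatically
            ok = True
        else:                         # same TFTP key as before, or TVS vouches for signer
            ok = new.signer in self.itl.certs("SAST") or tvs.lookup(new.signer) is not None
        if ok:
            self.itl = new
        return ok

    def trust_server_cert(self, fingerprint: str, tvs: TVS) -> bool:
        """HTTPS peer check: ITL first, then TVS, but only if the ITL lists a TVS."""
        if self.itl is None:
            return False
        if any(r.cert == fingerprint for r in self.itl.records):
            return True
        return bool(self.itl.certs("TVS")) and tvs.lookup(fingerprint) is not None
```

Note how an ITL signed by a rotated TFTP key is rejected until TVS can return the new signer's certificate, while a phone holding a CTL ignores TVS for this decision and accepts only signers the CTL already contains.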
ITL Files
The ITL file contains the initial trust list. The ITL file has the same format as the CTL file and is basically a smaller, leaner version of the CTL file. The following attributes apply to the ITL file:
• Unlike the CTL file, the system builds the ITL file automatically when you install the cluster, and the ITL file is updated automatically if its contents need to change.
• The ITL file does not require eTokens. It uses a soft eToken (the TFTP private key).
• The ITL file is downloaded by Cisco Unified IP Phones at boot-up time or during reset, right after downloading the CTL file (if present).
Contents of the ITL File
The ITL file contains the following certificates:
• The certificate of the TFTP server. This certificate is used to authenticate the ITL file signature and the phone configuration file signature.
• All the TVS certificates in the cluster. These certificates allow the phone to talk to TVS securely and request certificate authentication.
• The CAPF certificate. This supports configuration file encryption. The CAPF certificate is not strictly required in the ITL file (TVS can authenticate it), but it simplifies the connection to CAPF.
Like the CTL file, the ITL file contains a record for each certificate. Each record contains:
• A certificate.
• Pre-extracted certificate fields for easy lookup by the Cisco Unified IP Phone.
• The certificate role (TFTP, CUCM, TFTP+CCM, CAPF, TVS, SAST).
The TFTP certificate is present in 2 ITL records with 2 different roles:
• TFTP or TFTP+CCM role: to authenticate the configuration file signature.
• SAST role: to authenticate the ITL file signature.
ITL and CTL File Interaction
The Cisco Unified IP Phone still relies on the CTL file to know the cluster security mode (nonsecure or mixed mode). The CTL File tracks the cluster security mode by including the Cisco Unified Communications Manager certificate in the Cisco Unified Communications Manager record.
The ITL File also contains the cluster security mode indication.