Cisco PIX 500 Series Configuration Manual page 547

Chapter 25
Configuring Application Layer Protocol Inspection
TLS Proxy for Encrypted Voice Inspection

3DES-AES license is needed to interoperate with the Cisco Unified CallManager. AES is the default cipher used by the Cisco Unified CallManager and Cisco IP Phone.

To configure the security appliance for TLS proxy, perform the following steps:

Step 1  (Optional) Set the maximum number of TLS proxy sessions to be supported by the security appliance using the following command, for example:

hostname(config)# tls-proxy maximum-sessions 1200

Note  The tls-proxy maximum-sessions command controls the memory size reserved for cryptographic applications such as TLS proxy. Crypto memory is reserved at the time of system boot. You may need to reboot the security appliance for the configuration to take effect if the configured maximum sessions number is greater than the number currently reserved.

Step 2  Create the necessary RSA key pairs using the following commands, for example:

hostname(config)# crypto key generate rsa label ccm_proxy_key modulus 1024
hostname(config)# crypto key generate rsa label ldc_signer_key modulus 1024
hostname(config)# crypto key generate rsa label phone_common modulus 1024

We recommend using a different key pair for each role.

Step 3  Create the proxy certificate for the Cisco Unified CallManager cluster using the following commands, for example:

hostname(config)# ! for self-signed CCM proxy certificate
hostname(config)# crypto ca trustpoint ccm_proxy
hostname(config-ca-trustpoint)# enrollment self
hostname(config-ca-trustpoint)# fqdn none
hostname(config-ca-trustpoint)# subject-name cn=EJW-SV-1-Proxy
hostname(config-ca-trustpoint)# keypair ccm_proxy_key
hostname(config)# crypto ca enroll ccm_proxy

The Cisco Unified CallManager proxy certificate could be self-signed or issued by a third-party CA. The certificate is exported to the CTL client.

Note  Cisco IP Phones require certain fields from the X.509v3 certificate to be present in order to validate the certificate by consulting the CTL file. Consequently, the subject-name entry must be configured for a proxy certificate trustpoint. The subject name must be composed of the ordered concatenation of the CN, OU and O fields. The CN field is mandatory; the others are optional. Each of the concatenated fields (when present) is separated by a semicolon, yielding one of the following forms:

CN=xxx;OU=yyy;O=zzz
CN=xxx;OU=yyy
CN=xxx;O=zzz
CN=xxx

Step 4  Create an internal local CA to sign the LDC for Cisco IP Phones using the following commands, for example:

hostname(config)# ! for the internal local LDC issuer
hostname(config)# crypto ca trustpoint ldc_server
hostname(config-ca-trustpoint)# enrollment self

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 25-83
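A pre-deployment check for the subject-name rule in the note above, added here as an example (it is not Cisco's code or part of the guide): it parses a candidate subject-name string, enforces the CN;OU;O ordering with CN mandatory, and rejects any other attribute, repeated or out-of-order attributes, and empty values. It assumes attribute names match case-insensitively (the guide shows both CN= and cn=) and that values contain neither "=" nor ";".

```python
"""Validate a TLS-proxy trustpoint subject-name against the field rules the
guide states for Cisco IP Phones: ordered CN;OU;O, CN mandatory, OU and O
optional.  Added example, not Cisco's code.  Assumptions: attribute names are
case-insensitive and values contain neither '=' nor ';'.
"""
import re

# The only attributes allowed, in the only order the phones accept.
ALLOWED_ORDER = ("CN", "OU", "O")

# One "attr=value" component; the value may not contain '=' or ';'.
COMPONENT_RE = re.compile(r"([A-Za-z]+)\s*=\s*([^=;]+)")


def parse_proxy_subject_name(subject_name: str) -> dict:
    """Return the present fields as {'CN': ..., 'OU': ..., 'O': ...}.

    Raises ValueError for anything that is not one of the four accepted forms.
    """
    fields = {}
    last_index = -1  # index into ALLOWED_ORDER of the previous attribute
    for part in subject_name.split(";"):
        part = part.strip()
        if not part:
            raise ValueError("empty component in subject name")
        match = COMPONENT_RE.fullmatch(part)
        if not match:
            raise ValueError(f"component is not attr=value: {part!r}")
        attr, value = match.group(1).upper(), match.group(2).strip()
        if attr not in ALLOWED_ORDER:
            raise ValueError(f"attribute {attr} is not one of CN, OU, O")
        index = ALLOWED_ORDER.index(attr)
        if index <= last_index:  # repeated, or placed before an earlier field
            raise ValueError(f"attribute {attr} repeated or out of order")
        last_index = index
        fields[attr] = value
    if "CN" not in fields:
        raise ValueError("CN is mandatory")
    return fields


def is_valid_proxy_subject_name(subject_name: str) -> bool:
    """True if the string is acceptable for 'subject-name' on a proxy trustpoint."""
    try:
        parse_proxy_subject_name(subject_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: the guide's own value, then good and bad forms.
    for candidate in ("cn=EJW-SV-1-Proxy", "CN=ccm;OU=voice;O=example",
                      "OU=voice;CN=ccm", "CN=ccm;L=Austin", "OU=voice"):
        print(f"{candidate!r}: {is_valid_proxy_subject_name(candidate)}")
```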
