Home » Cisco Manuals » Telephony » Cisco SPA2102-SF » Manual Viewer

Cisco SPA2102-SF Administration Guide - Page 73

Using a Mini-Certificate, Certificate, SRTP Private Key, Mini Certificate - downloads

Add to My Manuals
Save this manual to your list of manuals

Page 73 highlights

Configuring Voice Services Secure Call Implementation 4 Using a Mini-Certificate The Master Key and Master Salt are encrypted with the public key from the called party mini-certificate. The Master Key and Master Salt are used by both ends for deriving session keys to encrypt subsequent RTP packets. The called party then responds with a Callee Final message (which is an empty message). The Mini-Certificate (MC) contains the following information: • User Name (32B) • User ID or Phone Number (16B) • Expiration Date (12B) • Public Key (512b or 64B) • Signature (1024b or 512B) The MC has a 512-bit public key used for establishing secure calls. The administrator must provision each subscriber of the secure call service with an MC and the corresponding 512-bit private key. The MC is signed with a 1024-bit private key of the service provider, which acts as the CA of the MC. The 1024-bit public key of the CA signing the MC must also be provisioned for each subscriber. The CA public key is used to verify the MC received from the other end. If the MC is invalid, the call will not switch to secure mode. The MC and the 1024-bit CA public key are concatenated and base64 encoded into the single parameter Mini Certificate. The 512-bit private key is base64 encoded into the SRTP Private Key parameter, which should be kept secret, like a password. (Mini Certificate and SRTP Private Key are configured in the Line tabs.) Because the secure call establishment relies on exchange of information embedded in message bodies of SIP INFO requests/responses, the service provider must ensure that the network infrastructure allows the SIP INFO messages to pass through with the message body unmodified. Generating a Mini Certificate Cisco provides a Mini Certificate Generator for the generation of mini certificates and private keys. Partners can download the Mini Certificate Generator by going to Cisco Partner Central, Voice & Conferencing page, Technical Resources section. Use the following URL: http://www.cisco.com/web/partners/sell/smb/products/ voice_and_conferencing.html#~vc_technical_resources Cisco Small Business ATA Administration Guide 73

Section	Page
About This Document	11
Introducing Cisco Small Business Analog Telephone Adapters	16
Comparison of ATA Devices	17
ATA Connectivity Requirements	20
PAP2T Connectivity	21
SPA2102 Connectivity	22
SPA3102 Connectivity	23
SPA8000 Connectivity	24
SPA8800 Connectivity	25
ATA Software Features	26
Voice Supported Codecs	26
SIP Proxy Redundancy	28
Other ATA Software Features	28
Basic Administration and Configuration	36
Basic Services and Equipment Required	36
Downloading Firmware	37
Basic Installation and Configuration	37
Upgrading the Firmware for the ATA Device	37
Setting up Your ATA Device	38
Using the Administration Web Server	39
Connecting to the Administration Web Server	40
Setting Up the WAN Configuration for Your ATA Device	40
Registering to the Service Provider	42
Advanced Configurations	43
Upgrading, Rebooting, and Resyncing Your ATA Device	43
Upgrade URL	43
Resync URL	44
Reboot URL	44
Provisioning Your ATA Device	45
Provisioning Capabilities	45
Configuration Profile	46
Configuring Your System for ITSP Interoperability	47
Network Address Translation (NAT) and Voice over IP (VoIP)	47
NAT Mapping with Session Border Controller	48
NAT Mapping with SIP-ALG Router	48
Configuring NAT Mapping with a Static IP Address	48
Configuring NAT Mapping with STUN	50
Determining the Router’s NAT Mechanism	52
Firewalls and SIP	53
Configuring SIP Timer Values	53
Configuring Voice Services	54
Supported Codecs	54
Using a FAX Machine	55
Fax Troubleshooting	56
Managing Caller ID Service	58
Silence Suppression and Comfort Noise Generation	60
Configuring Dial Plans	61
About Dial Plans	61
Editing Dial Plans	70
Secure Call Implementation	71
Enabling Secure Calls	71
Secure Call Details	72
Using a Mini-Certificate	73
Generating a Mini Certificate	73
SIP Trunking and Hunt Groups on the SPA8000	75
About SIP Trunking	76
Setting the Trunk Group Call Capacity	78
Inbound Call Routing for a Trunk Group	78
Contact List for a Trunk Group	79
Outgoing Call Routing for a Trunk Group	81
Configuring a Trunk Group	82
Trunk Group Management	83
Setting the Hunt Policy	85
Additional Notes About Trunk Groups	85
Configuring Music on Hold	86
Using the Internal Music Source for Music On Hold	86
Using the Internal Music Source	86
Changing the Music File for the Internal Music Source	87
Configuring a Streaming Audio Server	88
About the Streaming Audio Server	88
Configuring the Streaming Audio Server	90
Using the IVR with an SAS Line	91
Configuring the PSTN (FXO) Gateway on the SPA3102	92
Connecting to PSTN and VoIP Services	92
How VoIP-To-PSTN Calls Work	93
One-Stage Dialing (SPA3102 and SPA8800)	93
Two-Stage Dialing (SPA3102)	94
How PSTN-To-VoIP Calls Work	95
Terminating Gateway Calls	96
VoIP Outbound Call Routing (SPA3102)	97
Configuring VoIP Failover to PSTN	98
Sharing One VoIP Account Between the FXS and PSTN Lines (SPA3102)	98
Other Options	99
PSTN Call to Ring Line 1 (SPA3102)	99
Symmetric RTP (SPA3102 and SPA8800)	99
Call Progress Tones (SPA3102 and SPA8800)	100
Call Scenarios	100
PSTN to VoIP Call with and Without Ring-Thru	101
VoIP to PSTN Call With and Without Authentication	101
Call Forwarding to PSTN Gateway (SPA3102 and SPA8800)	103
ATA Routing Field Reference	105
Router Status page	105
Product Information section	106
System Status section	106
WAN Status page	107
Internet Connection Settings section	107
Static IP Settings section	108
PPPoE Settings section	108
Optional Settings section	109
MAC Clone Settings section	110
Remote Management section	110
QOS Settings section	110
VLAN Settings section	111
LAN Status page	111
Networking Service section	111
LAN Networking Settings section	112
Static DHCP Lease Settings section	112
Application page	112
Port Forwarding Settings section	113
DMZ Settings section	113
Miscellaneous Settings section	114
System Reserved Ports Range section	114
ATA Voice Field Reference	115
Info page	116
Product Information section	116
System Status section	117
Line Status section	117
System Information section (PAP2T)	120
PSTN Line Status section (SPA3102)	120
Trunk Status section (SPA8000)	123
System page	124
System Configuration section	124
Internet Connection Type section (PAP2T)	125
Optional Network Configuration section (PAP2T)	125
Miscellaneous Settings section (not used with PAP2T)	126
SIP page	127
SIP Parameters section	127
SIP Timer Values (sec) section	129
Response Status Code Handling section	131
RTP Parameters section	132
SDP Payload Types section	134
NAT Support Parameters section	135
Trunking Parameters section (SPA8000)	138
Regional page	139
Call Progress Tones section	140
Distinctive Ring Patterns section	142
Distinctive Call Waiting Tone Patterns section	143
Distinctive Ring/CWT Pattern Names section	144
Ring and Call Waiting Tone Spec section	145
Control Timer Values (sec) section	146
Vertical Service Activation Codes section	148
Vertical Service Announcement Codes section (SPA2102, SPA8000)	154
Outbound Call Codec Selection Codes section	154
Miscellaneous section	156
Line page	160
Line Enable section	161
Streaming Audio Server (SAS) section	162
NAT Settings section	163
Network Settings section	164
SIP Settings section	165
Call Feature Settings section	168
Proxy and Registration section	169
Subscriber Information section	171
Supplementary Service Subscription section	172
Audio Configuration section	174
Gateway Accounts section (SPA3102)	179
VoIP Fallback to PSTN section (SPA3102 and SPA8800)	180
Dial Plan section	180
FXS Port Polarity Configuration section	182
VoIP-to-PSTN Gateway Setup section (SPA8800)	183
PSTN-To-VoIP Gateway Setup section (SPA8800)	183
FXO Timer Values (sec) section (SPA8800)	184
PSTN Disconnect Detection section (SPA8800)	185
International Control section (SPA8800)	188
Call Forward, Speed Dial, Supplementary Services, and Ring Settings (SPA8000 and SPA8800)	189
Trunk Group page (SPA8000)	190
Line Enable section	190
Network Settings section	190
SIP Settings section	191
Subscriber Information section	194
Dial Plan section	196
NAT Settings section	196
Proxy and Registration section	197
PSTN Line page (SPA3102)	198
Line Enable section	199
NAT Settings section	199
Network Settings section	200
SIP Settings section	201
Proxy and Registration section	204
Subscriber Information section	205
Audio Configuration section	206
Dial Plans section	210
VoIP-To-PSTN Gateway Setup section	210
VoIP Users and Passwords (HTTP Authentication) section	212
Ring Settings section	213
FXO (PSTN) Timer Values (sec) section	213
PSTN Disconnect Detection section	215
International Control (Settings) section	218
User page	220
Call Forward Settings section	221
Selective Call Forward Settings section	222
Speed Dial Settings section	222
Supplementary Service Settings section	223
Distinctive Ring Settings section	224
Ring Settings section	225
PSTN User page (SPA3102)	226
PSTN-To-VoIP Selective Call Forward Settings section	226
PSTN-To-VoIP Speed Dial Settings section	227
PSTN Ring Thru Line 1 Distinctive Ring Settings section	227
PSTN Ring Thru Line 1 Ring Settings section	227
Troubleshooting	229
Environmental Specifications	233
PAP2T	233
SPA2102	234
SPA3102	234
SPA8000	235
SPA8800	235
WRTP54G	236
Where to Go From Here	237
Product Resources	237

Match case Limit results 1 per page

Configuring Voice Services

Secure Call Implementation

Cisco Small Business ATA Administration Guide

Using a Mini-Certificate

The Master Key and Master Salt are encrypted with the public key from the called

party mini-certificate. The Master Key and Master Salt are used by both ends for

deriving session keys to encrypt subsequent RTP packets. The called party then

responds with a Callee Final message (which is an empty message).

The Mini-Certificate (MC) contains the following information:

•

User Name (32B)

•

User ID or Phone Number (16B)

•

Expiration Date (12B)

•

Public Key (512b or 64B)

•

Signature (1024b or 512B)

The MC has a 512-bit public key used for establishing secure calls. The

administrator must provision each subscriber of the secure call service with an

MC and the corresponding 512-bit private key. The MC is signed with a 1024-bit

private key of the service provider, which acts as the CA of the MC. The 1024-bit

public key of the CA signing the MC must also be provisioned for each subscriber.

The CA public key is used to verify the MC received from the other end. If the MC

is invalid, the call will not switch to secure mode. The MC and the 1024-bit CA

public key are concatenated and base64 encoded into the single parameter

Mini

Certificate

. The 512-bit private key is base64 encoded into the

SRTP Private Key

parameter, which should be kept secret, like a password. (

Mini Certificate

and

SRTP Private Key

are configured in the Line tabs.)

Because the secure call establishment relies on exchange of information

embedded in message bodies of SIP INFO requests/responses, the service

provider must ensure that the network infrastructure allows the SIP INFO

messages to pass through with the message body unmodified.

Generating a Mini Certificate

Cisco provides a Mini Certificate Generator for the generation of mini certificates

and private keys. Partners can download the Mini Certificate Generator by going

to Cisco Partner Central, Voice & Conferencing page, Technical Resources section.

Use the following URL:

http://www.cisco.com/web/partners/sell/smb/products/

voice_and_conferencing.html#~vc_technical_resources