Cisco PenTeleData 8800 Series Guide

Cisco PenTeleData 8800 Series
544 pages
Step 6 Copy the basic.txt configuration file (described in TFTP Resync, on page 41) onto the virtual root directory of the HTTPS server.
Step 7 Verify proper server operation by downloading basic.txt from the HTTPS server by using a standard browser from the local PC.
Step 8 Inspect the server certificate that the server supplies.
The browser probably does not recognize the certificate as valid unless the browser has been pre-configured to accept Cisco as a root CA. However, the phones expect the certificate to be signed this way.
Modify the Profile_Rule of the test device to contain a reference to the HTTPS server, for example:
<Profile_Rule>
https://my.server.com/basic.txt
</Profile_Rule>
This example assumes the name of the HTTPS server is my.server.com.
Step 9 Click Submit All Changes.
Step 10 Observe the syslog trace that the phone sends.
The syslog message should indicate that the resync obtained the profile from the HTTPS server.
Step 11 (Optional) Use an Ethernet protocol analyzer on the phone subnet to verify that the packets are encrypted.

In this exercise, client certificate verification was not enabled. The connection between the phone and server is encrypted. However, the transfer is not secure because any client can connect to the server and request the file, given knowledge of the file name and directory location. For secure resync, the server must also authenticate the client, as demonstrated in the exercise described in HTTPS with Client Certificate Authentication, on page 58.

HTTPS with Client Certificate Authentication
In the factory default configuration, the server does not request an SSL client certificate from a client. Transfer of the profile is not secure because any client can connect to the server and request the profile. You can edit the configuration to enable client authentication; the server then requires a client certificate to authenticate the phone before it accepts a connection request.
Because of this requirement, the resync operation cannot be independently tested by using a browser that lacks the proper credentials. The SSL key exchange within the HTTPS connection between the test phone and the server can be observed with the ssldump utility. The utility trace shows the interaction between client and server.
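
The difference between the server-only exercise above and a server that enforces client certificates, as an added example that is not from the Cisco guide: a small Python check over an Apache mod_ssl configuration. The directive names are standard mod_ssl ones; the two sample configurations, their file paths and the function names are constructed for illustration and are not the settings this guide goes on to list.

```python
# Added example: audit an Apache mod_ssl config for client-certificate enforcement.
# Sample configs and paths below are constructed placeholders.

SERVER_ONLY = """
<VirtualHost *:443>
    ServerName my.server.com
    SSLEngine on
    SSLCertificateFile /constructed/path/server.crt
    SSLCertificateKeyFile /constructed/path/server.key
</VirtualHost>
"""

# Same host, now demanding a client certificate issued by a trusted CA.
MUTUAL = SERVER_ONLY.replace(
    "</VirtualHost>",
    "    SSLVerifyClient require\n"
    "    SSLVerifyDepth 1\n"
    "    SSLCACertificateFile /constructed/path/client-ca.crt\n"
    "</VirtualHost>",
)

def parse_directives(conf_text):
    """Map lower-cased directive name to the last argument string seen."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blank line, comment, or section tag
        parts = line.split(None, 1)
        found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def audit_client_auth(conf_text):
    """Return findings; an empty list means client certificates are enforced."""
    d = parse_directives(conf_text)
    findings = []
    if d.get("sslengine", "off").lower() != "on":
        findings.append("SSLEngine is not on: the profile would travel unencrypted")
    level = d.get("sslverifyclient", "none").lower()  # mod_ssl default is none
    if level == "none":
        findings.append("SSLVerifyClient none: any client that knows the URL can fetch the profile")
    elif level != "require":
        findings.append(f"SSLVerifyClient {level}: a certificate is requested but not enforced")
    elif "sslcacertificatefile" not in d and "sslcacertificatepath" not in d:
        findings.append("SSLVerifyClient require without a CA file or path: no trust anchor for client certificates")
    return findings

if __name__ == "__main__":
    for name, conf in (("server-only", SERVER_ONLY), ("mutual", MUTUAL)):
        print(name, audit_client_auth(conf) or "client certificates enforced")
```

The check treats the text as a single virtual host; a configuration that sets SSLVerifyClient differently per directory would need per-section parsing.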
Authenticate HTTPS with Client Certificate
Procedure
Step 1 Enable client certificate authentication on the HTTPS server.
Step 2 In Apache (v.2), set the following in the server configuration file:
Cisco IP Phone 8800 Series Multiplatform Phone Administration Guide for Release 11.3(1) and Later
58
Cisco IP Phone Provisioning
HTTPS with Client Certificate Authentication
Cisco PenTeleData 8800 Series Specifications

Brand: Cisco
Model: PenTeleData 8800 Series
Category: IP Phone
Language: English