Effective Summer 2017, Imagicle Call Recording can record encrypted calls, i.e. calls which are placed with Secure SIP (SIP/TLS) for the signalling and SRTP for the audio stream. Please note this requires CuCM version 11.0 or newer.
Before trying to record Secure calls, make sure Imagicle Call Recording is fully configured to record Non-Secure calls with clear RTP.
Mixed mode must be enabled on your Unified CallManager, and you must be able to effectively place and receive secure calls to and from the agents' phones.
Secure calls recording supports forking (Cisco Built-in-Bridge technology), Dial-in (direct call) and Network based (gateway) recording.
However, please consider that calls established in SRTP will be recorded by the phone (leveraging its built-in bridge) even if the "Gateway Preferred" option is selected as the preferred recording method on CUCM (see this Cisco article).
To be able to record secure calls, you need to:
Warning: if a firewall is set between the CallManager nodes and the Application Suite servers, the TCP port 5071 must be allowed on both sides.
The longest cipher key length supported by Imagicle Call Recording for SRTP voice encryption is 128 bits. Therefore, the SRTP cipher set configured on CUCM must allow that key length.
On CUCM admin portal:
When Imagicle Call Recording service starts, it creates a security certificate which is valid for the IAS server on which it was generated. It must be downloaded from the web interface, and loaded onto CuCM.
To get the Imagicle Call Recording certificate:
Please follow the procedure highlighted here.
Warning: Changing the Computer Name will invalidate the certificate. If you change the IAS server computer name, you need to regenerate the Call Recording certificate.
Warning: The digital certificate will last 5 years from the day it was generated, which is the day the product was installed. If required, the certificate can be re-generated for an additional 5 years, by following this procedure.
From the Cisco Unified CM Administration menu, select System, Security, SIP Trunk Security Profile.
Add a new item with the following properties:
Please mind the certificate name. Do not enter the certificate description. Do not enter the full Subject Name. Enter the Common Name.
If you are unsure, select System, Security, Certificate, and press the Find button. Locate the Imagicle certificate. The Common Name is displayed in the Subject Name column, just after CN=.
NOTE: If you need to manage multiple Call Recording nodes, you must specify in the X.509 Subject Name of the SIP Trunk security profile the list of the CNs of the involved certificates (one for each Imagicle server), separated by commas.
For instance: WIN-TN8S35M6791,WIN-TN3V45K2V27
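As an added illustration (not Imagicle or Cisco code), this Python helper extracts the Common Name from each certificate subject, builds the comma-separated value for the profile's X.509 Subject Name field, and flags the entry mistakes described above. The subject strings are constructed samples, the function names are hypothetical, and exact string matching of CNs is an assumption.

```python
import re

# Constructed sample data: subjects as listed in the Subject Name column.
# The two CNs are the ones used on this page; every other attribute is invented.
SUBJECTS = [
    "CN=WIN-TN8S35M6791, OU=Recording, O=Example\\, Inc., C=IT",
    "L=Example City, CN=WIN-TN3V45K2V27, O=Example\\, Inc., C=IT",
]

def parse_subject(subject):
    """Split 'CN=host, OU=x' into (type, value) pairs; a comma escaped as '\\,' stays in the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", subject):
        if "=" not in rdn:
            raise ValueError(f"not an attribute=value pair: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs

def common_name(subject):
    """Return the single CN of a subject, i.e. the text just after 'CN='."""
    cns = [value for attr, value in parse_subject(subject) if attr == "CN"]
    if len(cns) != 1:
        raise ValueError(f"expected exactly one CN, found {len(cns)}")
    return cns[0]

def trunk_subject_field(subjects):
    """Build the X.509 Subject Name field: one CN per Imagicle server, comma separated."""
    names = []
    for subject in subjects:
        cn = common_name(subject)
        if "," in cn:
            raise ValueError(f"CN {cn!r} contains a comma and would split the list")
        if cn not in names:
            names.append(cn)
    return ",".join(names)

def check_entered_value(entered, subjects):
    """Compare what was typed into the profile with the certificates' CNs (exact match assumed)."""
    if "=" in entered:
        return ["contains '=': enter the Common Name only, not the full Subject Name"]
    expected = set(trunk_subject_field(subjects).split(","))
    got = {part.strip() for part in entered.split(",") if part.strip()}
    problems = [f"missing CN for a recording node: {cn}" for cn in sorted(expected - got)]
    problems += [f"matches no loaded certificate: {name}" for name in sorted(got - expected)]
    return problems

if __name__ == "__main__":
    print(trunk_subject_field(SUBJECTS))
    print(check_entered_value("Imagicle Call Recording certificate", SUBJECTS))
```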
A Secure Sip Trunk is a standard SIP trunk with the following properties:
The route pattern must:
Create a new Route Pattern pointing to the Imagicle Call Recording SIP Trunk for secure calls. Make sure you did not select the Call Recording SIP Trunk for standard calls.
The pattern should match the Pilot number in the Recording profile you are going to create.
Create a new Call Recording Profile for encrypted calls. Assign a Pilot number of your choice, and a suitable CSS. The CSS must allow the phones to reach the Route pattern you just created.
The IP Phone configuration to record secure calls is similar to the non-secure call recording. Just select the Call Recording Profile for Encrypted Calls. Please refer to the non-secure calls configuration page of this guide.
Remember to enable IP phones for call recording even if you chose the "Gateway preferred" option in the line settings you need to record (the voice gateway cannot fork SRTP streams).
Before testing any other recording technology, try to record a Dial-In call.
You should hear a beep, or, in case of permission mismatch, a message informing that the calling number is not entitled for voice recording.
If the call does not seem to reach the Call Recording application, most probably there is a problem with the certificate. Ensure you referenced the correct certificate Common Name.
If you suspect a certificate problem, you can check the detailed error in the Call Recording voip stack log file.
To enable detailed voip logging:
Once the logs are enabled:
This means that the TLS certificate exchange failed. Please review the above steps.
On its secure SIP trunk, Call Recording can manage only recordings done by secure IP phones.
If you need to record both secure and unsecure devices in the same installation, you need to:
that basically requires to define on CUCM: