Cisco Unified Communications Operating System Administration Guide, Release 8.6(1)
Security

Table Of Contents

Security

Set Internet Explorer Security Options

Manage Certificates

Display Certificates

Download a Certificate

Delete and Regenerate a Certificate

Deleting a Trust Certificate

Regenerating a Certificate

Upload a Certificate or Certificate Chain

Uploading a Certificate or Certificate Chain

Using Third-Party CA Certificates

Uploading Third-Party Signed Certificate or Certificate Chain

Generating a Certificate Signing Request

Downloading a Certificate Signing Request

Obtaining Third-Party CA Certificates

Monitor Certificate Expiration Dates

Certificate Revocation

Configure Online Certificate Status Protocol

IPsec Management

Set Up a New IPsec Policy

Migration characteristics

Manage Existing IPsec Policies

Bulk Certificate Management

Exporting Certificates

Importing Certificates


Security


This chapter describes certificate management and IPsec management and provides procedures for performing the following tasks:

Set Internet Explorer Security Options

Manage Certificates

IPsec Management

Bulk Certificate Management

Set Internet Explorer Security Options

To download certificates from the server, ensure that your Internet Explorer security settings are configured as follows:

Procedure


Step 1 Start Internet Explorer.

Step 2 Choose Tools > Internet Options.

Step 3 Click the Advanced tab.

Step 4 Scroll down to the Security area on the Advanced tab.

Step 5 If necessary, uncheck the Do not save encrypted pages to disk check box.

Step 6 Click OK.


Manage Certificates

The following topics describe the functions that you can perform from the Certificate Management menu:

Display Certificates

Download a Certificate

Delete and Regenerate a Certificate

Upload a Certificate or Certificate Chain


Note To access the Security menu items, you must sign in to Cisco Unified Communications Operating System Administration again using your administrator password.


Display Certificates

To display existing certificates, follow this procedure:

Procedure


Step 1 Choose Security > Certificate Management.

The Certificate List window appears.

Step 2 Use the Find controls to filter the certificate list.

Step 3 To view details of a certificate or trust store, click the file name.

The Certificate Configuration window displays information about the certificate.

Step 4 To return to the Certificate List window, choose Back To Find/List in the Related Links list; then, click Go.


Download a Certificate

To download a certificate from the Cisco Unified Communications Operating System to your PC, follow this procedure:

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 You can use the Find controls to filter the certificate list.

Step 3 Click the file name of the certificate.

The Certificate Configuration window displays.

Step 4 Click Download.

Step 5 In the File Download dialog box, click Save.


Delete and Regenerate a Certificate

These sections describe how to delete and regenerate a certificate:

Deleting a Trust Certificate

Regenerating a Certificate

Deleting a Trust Certificate

To delete a trust certificate, follow this procedure:


Caution Deleting a certificate can affect your system operations. Deleting a certificate permanently may break a certificate chain if the certificate is part of an existing chain; you can check for this by comparing the issuer name and subject name of the relevant certificates in the Certificate List window. You cannot undo this action.

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 You can use the Find controls to filter the certificate list.

Step 3 Click the file name of the certificate.

The Certificate Configuration window displays.

Step 4 Click Delete.

For more information about deleting a certificate, see the caution.

Step 5 Click OK.


Regenerating a Certificate

To regenerate a certificate, follow this procedure:


Note For more information about regenerating certificates, see Chapter 3, "Security by Default," in the Cisco Unified Communications Manager Security Guide.



Caution Regenerating a certificate can affect your system operations. Regenerating a certificate overwrites the existing certificate including third party signed certificate if one was uploaded.

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 Click Generate New.

The Generate Certificate dialog box opens.

Step 3 Choose a certificate name from the Certificate Name list. For details about certificate names, see Table 6-1.

Step 4 Click Generate New.



Note You must restart the services that are affected by the new certificate:

For all certificate types, restart the corresponding service (for example, restart the Cisco Tomcat service after you regenerate the tomcat certificate).

If you regenerated the Cisco Certificate Authority Proxy Function (CAPF) or CallManager certificate, also restart the Cisco Certificate Authority Proxy Function and Cisco CallManager services, and rerun the CTL client (if configured).

If you regenerated the ipsec certificate, restart the Cisco DRF Local and Cisco DRF Master services.



Note After you regenerate certificates in the Cisco Unified Communications Operating System, you must perform a backup so that the latest backup contains the regenerated certificates. If your backup does not contain the regenerated certificates and you must perform restoration tasks for any reason, you must manually unlock each phone in your system so that the phone can register with Cisco Unified Communications Manager. For information about performing a backup, refer to the Disaster Recovery System Administration Guide.


Table 6-1 Certificate Names and Descriptions

Name
Description

tomcat

This self-signed root certificate is generated during installation for the HTTPS server.

ipsec

This self-signed root certificate is generated during installation for IPsec connections with MGCP and H.323 gateways.

CallManager

This self-signed root certificate is installed automatically when you install Cisco Unified Communications Manager. This certificate provides server identification, including the server name and the Globally Unique Identifier (GUID).

CAPF

The system copies this root certificate to your server or to all servers in the cluster after you complete the Cisco CTL client configuration.

TVS

This is a self-signed root certificate.


Upload a Certificate or Certificate Chain


Caution Uploading a new certificate can affect your system operations. After you upload a new certificate or certificate trust list, you must restart the affected services (for example, the Cisco CallManager service) from Cisco Unified Serviceability > Tools > Control Center - Feature Services. For more information, see the Cisco Unified Serviceability Administration Guide.

These sections describe how to upload a Certificate Authority (CA) root certificate and application certificate to the server:

Uploading a Certificate or Certificate Chain

Using Third-Party CA Certificates

Uploading a Certificate or Certificate Chain


Note You can upload a certificate or certificate chain either to a trust store (a Certificate Name of the form certificate type-trust) or as a third-party signed application certificate. For more information, see Using Third-Party CA Certificates.


Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 Click Upload Certificate/Certificate Chain.

The Upload Certificate/Certificate Chain dialog box opens.

Step 3 Select the certificate name from the Certificate Name list.

Step 4 Select the file to upload by doing one of the following steps:

In the Upload File text box, enter the path to the file.

Click the Browse button and navigate to the file; then, click Open.

Cisco Unified Communications Manager Release 8.6 accepts three file formats: a PEM (Privacy Enhanced Mail, Base64) encoded X.509 certificate (only one PEM certificate per file), a DER (Distinguished Encoding Rules) encoded X.509 certificate, and a DER encoded PKCS#7 (Public-Key Cryptography Standards) certificate chain. A PEM encoded PKCS#7 certificate chain is not supported; convert it to DER before you upload it.

Step 5 To upload the file to the server, click the Upload File button.


Using Third-Party CA Certificates

Cisco Unified Communications Operating System supports certificates that a third-party CA issues in response to a PKCS#10 Certificate Signing Request (CSR) generated on the server.


Note Cisco Unified Communications Manager Release 8.6 supports SHA1-signed certificates exclusively; a certificate signed with any other algorithm is not accepted by this release. Because public CAs and current TLS clients have deprecated SHA1 signatures, confirm before you generate the CSR that your CA can still issue a SHA1-signed certificate.


The following steps give an overview of the process, with references to additional documentation:

Step 1 Generate a CSR on the server.

See the "Generating a Certificate Signing Request" section.

Step 2 Download the CSR to your PC.

See the "Downloading a Certificate Signing Request" section.

Step 3 Use the CSR to obtain from the CA either an application certificate or a PKCS#7 certificate chain that contains the application certificate together with the CA certificates.

Get information about obtaining application certificates from your CA. See the "Obtaining Third-Party CA Certificates" section for additional notes.

Step 4 Obtain the CA root certificate (and any subordinate CA certificates) or the CA certificate chain.

Get information about obtaining a root certificate from your CA. See the "Obtaining Third-Party CA Certificates" section for additional notes.

Step 5 Upload the third-party certificate.

See the "Uploading Third-Party Signed Certificate or Certificate Chain" section.

Step 6 If you updated the certificate for CAPF or Cisco Unified Communications Manager, generate a new CTL (Certificate Trust List) file.

See Chapter 4, "Configuring the Cisco CTL Client," in the Cisco Unified Communications Manager Security Guide. Rerun the CTL client (if configured) after uploading a third-party signed CAPF or CallManager certificate.

Step 7 Restart the services that are affected by the new certificate.

For all certificate types, restart the corresponding service (for example, restart the Cisco Tomcat service after uploading a new tomcat certificate). If you updated the certificate for CAPF or Cisco Unified Communications Manager, also restart the Cisco Certificate Authority Proxy Function and Cisco CallManager services. After uploading a new ipsec certificate, restart the Cisco DRF Local and Cisco DRF Master services.

See the Cisco Unified Communications Manager Serviceability Administration Guide for information about restarting services.

Uploading Third-Party Signed Certificate or Certificate Chain

Upload the certificate of the CA that signed the application certificate. If a subordinate CA signed the application certificate, upload the root CA certificate and the subordinate CA certificate so that the whole chain is present on the server; alternatively, upload a PKCS#7 certificate chain (DER format) that contains all of the CA certificates.

You upload CA certificates and application certificates by using the same Upload Certificate dialog box; the Certificate Name that you choose determines the store. When you upload a CA root certificate, or a certificate chain that contains only CA certificates, choose the name of the form certificate type-trust. When you upload an application certificate, or a chain that contains the application certificate together with the CA certificates, choose the name that consists of the certificate type only. For example, choose tomcat-trust when you upload the CA certificate or CA certificate chain for Tomcat; choose tomcat when you upload the Tomcat application certificate or a chain that contains it together with the CA certificates.

When you upload a CAPF CA root certificate, it gets copied to the CallManager-trust store, so you do not need to upload the CA root certificate for CallManager separately.


Note A successful upload of a third-party CA signed certificate deletes the CSR that was generated to obtain it and overwrites the existing certificate, including any third-party signed certificate that was uploaded earlier.



Note The system automatically replicates tomcat-trust, CallManager-trust and Phone-SAST-trust certificates to each node of the cluster.



Note For the current release of the Cisco Unified Operating System, the Directory option no longer displays in the list of Certificate Names. However, you can still upload a Directory Trust certificate to tomcat-trust, which is required for the DirSync service to work in Secure mode.


Generating a Certificate Signing Request

To generate a CSR, follow these steps:

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 Click Generate CSR.

The Generate Certificate Signing Request dialog box opens.

Step 3 Select the certificate name from the Certificate Name list.

Step 4 Click Generate CSR.


Note Generating CSR overwrites any existing CSR.



Downloading a Certificate Signing Request

To download a Certificate Signing Request, follow this procedure:

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 Click Download CSR.

The Download Certificate Signing Request dialog box opens.

Step 3 Select the certificate name from the Certificate Name list.

Step 4 Click Download CSR.

Step 5 In the File Download dialog box, click Save.


Obtaining Third-Party CA Certificates

To use an application certificate that a third-party CA issues, you must obtain from the CA both the signed application certificate and the CA root certificate (plus any subordinate CA certificates), or a PKCS#7 certificate chain in DER format that contains the application certificate and the CA certificates. The process for obtaining these certificates varies among CAs.

Cisco Unified Communications Operating System generates CSRs in PEM encoding. It accepts individual certificates in DER or PEM encoding and PKCS#7 certificate chains in DER encoding only (a PEM encoded PKCS#7 chain is rejected; convert it to DER before uploading). For all certificate types except CAPF, you must obtain and upload a CA root certificate and an application certificate on each node.

For CAPF, obtain and upload a CA root certificate and an application certificate only on the first node. CAPF and Cisco Unified Communications Manager CSRs include extensions that you must include in your request for an application certificate from the CA. If your CA does not support the ExtensionRequest mechanism (honouring the extensions carried inside the CSR), you must enable the X.509 extensions on the CA side, as follows:

The CAPF CSR uses the following extensions:

    X509v3 extensions:
        X509v3 Key Usage:
            Digital Signature, Key Encipherment, Certificate Sign
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, IPsec End System

The CSRs for Cisco Unified Communications Manager, Tomcat, and IPsec use the following extensions:

    X509v3 extensions:
        X509v3 Key Usage:
            Digital Signature, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication, IPsec End System
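The following script is an added example for this section; it is not part of the Cisco guide or of the product. It automates the checks a practitioner would run on the CA's output before uploading it, using the OpenSSL command line (assumed to be installed as openssl in PATH, version 1.0.2 or later; the guide itself does not reference OpenSSL). The key usage and extended key usage lists are the ones quoted above; the file names, the function names and the capf and cucm section names in the generated extension file are this example's own. It also covers the two traps from this chapter: a PKCS#7 chain that arrives PEM encoded, which the OS rejects, and a chain that is missing the subordinate CA certificate.

```shell
#!/bin/sh
# Pre-upload checks for a third-party signed UCOS certificate.
# Added example, not part of the Cisco guide. Assumes: openssl CLI in PATH,
# the CA-issued certificate in PEM or DER, the CA chain as a PEM bundle.

# Extension profiles quoted from the guide.
KU_CAPF="Digital Signature,Key Encipherment,Certificate Sign"
EKU_CAPF="TLS Web Server Authentication,IPsec End System"
KU_CUCM="Digital Signature,Key Encipherment,Data Encipherment,Key Agreement,Certificate Sign"
EKU_CUCM="TLS Web Server Authentication,TLS Web Client Authentication,IPsec End System"

# Decode a certificate (PEM or DER) to openssl's text form.
cert_text() {
    _form=PEM
    grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null || _form=DER
    openssl x509 -in "$1" -inform "$_form" -noout -text 2>/dev/null
}

# Print the value line that follows the extension title in $2 (e.g. "X509v3 Key Usage").
cert_ext_value() {
    cert_text "$1" | awk -v key="$2:" 'index($0, key) { getline; print; exit }'
}

# Succeed only if every comma-separated name in $3 is present in extension $2 of $1.
# Case-insensitive: openssl prints "IPSec End System", the guide "IPsec End System".
cert_has_all() {
    _line=$(cert_ext_value "$1" "$2")
    _old_ifs=$IFS; IFS=,
    for _name in $3; do
        printf '%s\n' "$_line" | grep -qiF -- "$_name" || { IFS=$_old_ifs; return 1; }
    done
    IFS=$_old_ifs
    return 0
}

# Profile checks from the guide: CAPF, and CallManager/Tomcat/IPsec.
check_capf_profile() {
    cert_has_all "$1" "X509v3 Key Usage" "$KU_CAPF" &&
    cert_has_all "$1" "X509v3 Extended Key Usage" "$EKU_CAPF"
}
check_cucm_profile() {
    cert_has_all "$1" "X509v3 Key Usage" "$KU_CUCM" &&
    cert_has_all "$1" "X509v3 Extended Key Usage" "$EKU_CUCM"
}

# Signature algorithm of the issued certificate (the guide: SHA1-signed only).
cert_sig_alg() {
    cert_text "$1" | awk -F': *' '/Signature Algorithm/ { print $2; exit }'
}

# Does certificate $1 chain to the CA bundle $2 (root plus any subordinate CAs)?
# Catches a missing subordinate CA certificate before the upload, not after.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The OS accepts PKCS#7 chains in DER only; convert a PEM .p7b from the CA.
pkcs7_pem_to_der() {
    openssl pkcs7 -in "$1" -inform PEM -out "$2" -outform DER 2>/dev/null
}

# Extension file for a CA operator whose CA does not honour the CSR's ExtensionRequest.
# Sign with: openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
#            -extfile ext.cnf -extensions cucm -out server.pem
write_extfile() {
    cat > "$1" <<'EOF'
[capf]
keyUsage = digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth, ipsecEndSystem
[cucm]
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
extendedKeyUsage = serverAuth, clientAuth, ipsecEndSystem
EOF
}

# Usage: sh check_cert.sh <capf|cucm> cert.{pem,der} ca-bundle.pem
if [ "$#" -eq 3 ]; then
    case $1 in
        capf) check_capf_profile "$2" || { echo "missing CAPF key usage or EKU"; exit 1; } ;;
        cucm) check_cucm_profile "$2" || { echo "missing CallManager/Tomcat/IPsec key usage or EKU"; exit 1; } ;;
        *) echo "usage: $0 capf|cucm cert ca-bundle"; exit 2 ;;
    esac
    verify_chain "$2" "$3" || { echo "certificate does not chain to the supplied CA bundle"; exit 1; }
    echo "ok: signed with $(cert_sig_alg "$2")"
fi
```

Run it as sh check_cert.sh cucm server.pem ca-bundle.pem (or capf for the CAPF certificate) before you open the Upload Certificate dialog box. The extension file it writes is for the CA operator's signing step when the CA ignores the extensions in the CSR; it is never uploaded to the server. The chain check deliberately uses only the bundle you intend to upload to certificate type-trust, so a subordinate CA certificate that the CA forgot to send shows up here rather than as a broken chain on the phones.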
 
   

Monitor Certificate Expiration Dates

The system can automatically send you an e-mail message when a certificate is close to its expiration date. To view and configure the Certificate Expiration Monitor, follow this procedure:

Procedure


Step 1 To view the current Certificate Expiration Monitor configuration, navigate to Security > Certificate Monitor.

The Certificate Monitor window displays.

Step 2 Enter the required configuration information. See Table 6-2 for a description of the Certificate Monitor Expiration fields.

Step 3 To save your changes, click Save.


Table 6-2 Certificate Monitor Field Descriptions 

Field
Description

Notification Start Time

Enter the number of days before the certificate expires that you want to be notified.

Notification Frequency

Enter the frequency for notification, either in hours or days.

Enable E-mail Notification

Check the check box to enable e-mail notification.

Email IDs

Enter the e-mail address to which you want notifications sent.

Note For the system to send notifications, you must configure an SMTP host.
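The monitor above alerts from the server side. As an added example (not Cisco code), the following shell functions sweep a directory of certificates that you downloaded with the Download a Certificate procedure earlier in this chapter and report those that expire within the same number of days you entered as Notification Start Time, so that the e-mail alert can be cross-checked from outside the system. It assumes the openssl CLI in PATH and PEM files; the directory layout is the example's own.

```shell
#!/bin/sh
# Out-of-band expiry sweep over certificates downloaded from
# Security > Certificate Management. Added example, not Cisco code.
# Assumes the openssl CLI is in PATH and that the files are PEM.

# Print "<file> notAfter=<date>" for every certificate in directory $1 that
# expires within $2 days (the same threshold as Notification Start Time).
# Non-certificate files (keys, CSRs) are skipped. Returns 0 if nothing is
# due, 1 if at least one certificate is.
certs_expiring_within() {
    _secs=$(( $2 * 86400 ))
    _due=0
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue
        grep -q 'BEGIN CERTIFICATE' "$_f" 2>/dev/null || continue
        # -checkend exits non-zero when the certificate expires within _secs.
        if ! openssl x509 -in "$_f" -noout -checkend "$_secs" >/dev/null 2>&1; then
            printf '%s %s\n' "$_f" "$(openssl x509 -in "$_f" -noout -enddate 2>/dev/null)"
            _due=1
        fi
    done
    return $_due
}

# Number of certificates that certs_expiring_within reports.
count_expiring() {
    certs_expiring_within "$1" "$2" | wc -l | tr -d ' '
}
```

Run certs_expiring_within ./downloaded-certs 30 from cron on an administration host and compare its output with the monitor's e-mails; a certificate that the sweep lists but the monitor never mentioned points at a missing SMTP host or a monitor that was saved without Enable E-mail Notification checked.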


Certificate Revocation

The following topic describes the function that you can perform with the Certificate Revocation menu:

Configure Online Certificate Status Protocol

Configure Online Certificate Status Protocol

You can use the Online Certificate Status Protocol (OCSP) to obtain the revocation status of the certificate.

To configure OCSP, follow this procedure:

Procedure


Step 1 Navigate to Security > Certificate Revocation.

The Certificate Revocation window displays.

Step 2 Check the Enable OCSP check box in the Online Certificate Status Protocol Configuration area.

Step 3 Choose Use OCSP URI from Certificate if the certificates to be checked carry an OCSP URI (in their Authority Information Access extension) and that URI should be used to contact the OCSP responder.

Step 4 Choose Use configured OCSP URI to contact an external or otherwise fixed OCSP responder instead, and enter the URI of that responder, where the certificate revocation status is verified, in the OCSP Configured URI field.

Step 5 Click Save.



Warning You must upload the OCSP Responder certificate to tomcat-trust before enabling OCSP.

Note The revocation status check runs only when a certificate or certificate chain is uploaded, and the appropriate alarm is raised if the certificate is revoked. A certificate that is revoked after it has been uploaded remains in the store and continues to be trusted until you delete it, so revocation of an already uploaded certificate must be acted on manually.


IPsec Management

The following topics describe the functions that you can perform with the IPsec menu:

Set Up a New IPsec Policy

Manage Existing IPsec Policies


Note IPsec is not automatically set up between nodes in the cluster during installation.


Set Up a New IPsec Policy

To set up a new IPsec policy and association, follow this procedure:


Note Because any changes that you make to an IPsec policy during a system upgrade will be lost, do not modify or create IPsec policies during an upgrade.



Note When you provision an IPsec policy between two Cisco Unified Communications Manager nodes with the protocol set to ANY on one node and to UDP or TCP on the other, the validation may return a false negative if you run it from the node whose policy uses ANY.



Caution IPsec, especially with encryption, will affect the performance of your system.

Procedure


Step 1 Navigate to Security > IPSEC Configuration.

The IPSEC Policy List window displays.

Step 2 Click Add New.

The IPSEC Policy Configuration window displays.

Step 3 Enter the appropriate information in the IPSEC Policy Configuration window. For a description of the fields in this window, see Table 6-3.

Step 4 To set up the new IPsec policy, click Save.


The following table lists the field names that are displayed when the system is in Non Federal Information Processing Standard (Non FIPS) mode.

Table 6-3 IPSEC Policy and Association Field Descriptions 

Field
Description

Policy Group Name

Specifies the name of the IPsec policy group. The name can contain only letters, digits, and hyphens.

Policy Name

Specifies the name of the IPsec policy. The name can contain only letters, digits, and hyphens.

Authentication Method

Specifies the authentication method.

The Authentication Method field has two options Preshared Key and Certificate.

If Preshared Key is selected, the Preshared Key field is editable.

If Certificate is selected, the Preshared Key field is dimmed and Certificate Name field is editable.

Preshared Key

Specifies the preshared key if you selected Preshared Key in the Authentication Method field.

Note Preshared IPsec keys can contain alphanumeric characters and hyphens only, not white spaces or any other characters. If you are migrating from a Windows-based version of Cisco Unified Communications Manager, you may need to change the name of your preshared IPsec keys so they are compatible with current versions of Cisco Unified Communications Manager.

Peer Type

Specifies that the peer type is different.

Certificate Name

If you choose Different for the peer type, enter the new certificate name.

Destination Address

Specifies the IP address of the destination (FQDN is not supported).

Destination Port

Specifies the port number at the destination.

Source Address

Specifies the IP address of the source (FQDN is not supported).

Source Port

Specifies the port number at the source.

Mode

Specifies Transport mode.

Remote Port

Specifies the port number to use at the destination.

Protocol

Specifies the specific protocol, or Any:

TCP

UDP

Any

Encryption Algorithm

From the drop-down list, choose the encryption algorithm. Choices are:

DES

3DES

AES 128

AES 256

Hash Algorithm

Specifies the hash algorithm that is used in Phase One IKE negotiation:

SHA1

MD5

ESP Algorithm

From the drop-down list, choose the ESP algorithm. Choices are:

NULL_ENC

AES 128

AES 256

DES

3DES

BLOWFISH

RIJNDAEL

Note The Non FIPS-only choices exist for interoperability with older peers: NULL_ENC provides no confidentiality at all, and DES and MD5 are cryptographically weak. Choose AES 128 or AES 256 with SHA1 for new policies; these are also the choices that remain unchanged when the system migrates to FIPS mode (see Migration characteristics).

Phase One Life Time

Specifies the lifetime for Phase One IKE negotiation in seconds.

Phase One DH

From the drop-down list, choose the Phase One DH group. Choices include: 1, 2, and 5. Group 1 (768-bit MODP) is weak; choose group 5 where the peer supports it.

Phase Two Life Time

Specifies the lifetime for Phase Two IKE negotiation in seconds.

Phase Two DH

From the drop-down list, choose the Phase Two DH value. Choices include: 1, 2, and 5.

Enable Policy

Check the check box to enable the policy.


The following table lists the field names that are displayed when the system is in FIPS mode.

Table 6-4 IPSEC Policy and Association Field Descriptions 

Field
Description

Policy Group Name

Specifies the name of the IPsec policy group. The name can contain only letters, digits, and hyphens.

Policy Name

Specifies the name of the IPsec policy. The name can contain only letters, digits, and hyphens.

Authentication Method

Specifies the authentication method. By default, certificate is selected.


Note Preshared key is not present in FIPS mode.


Peer Type

Specifies that the peer type is different.

Certificate Name

If you choose Different for the Peer Type, enter the new certificate name.

Destination Address

Specifies the IP address or FQDN of the destination.

Destination Port

Specifies the port number at the destination.

Source Address

Specifies the IP address or FQDN of the source.

Source Port

Specifies the port number at the source.

Mode

Specifies Transport mode.

Remote Port

Specifies the port number to use at the destination.

Protocol

Specifies the specific protocol, or Any:

TCP

UDP

Any

Encryption Algorithm

From the drop-down list, choose the encryption algorithm. Choices are:

3DES (default)

AES 128

AES 256

Hash Algorithm

Specifies the hash algorithm

SHA1—Hash algorithm that is used in Phase One IKE negotiation

ESP Algorithm

From the drop-down list, choose the ESP algorithm. Choices are:

3DES (default)

AES 128

AES 256

Phase One Life Time

Specifies the lifetime for Phase One IKE negotiation in seconds.

Phase One DH

From the drop-down list, choose the Phase One DH value. Choices include: 1, 2, and 5.

Phase Two Life Time

Specifies the lifetime for Phase Two IKE negotiation in seconds.

Phase Two DH

From the drop-down list, choose the Phase Two DH value. Choices include: 1, 2, and 5.

Enable Policy

Check the check box to enable the policy.


Migration characteristics

When the system switches from Non FIPS to FIPS mode, the following changes occur:

Any existing IPsec policy that uses preshared key authentication blocks the switch; you must remove the policy before the system can move to FIPS mode.

Any existing IPsec policy that uses certificate authentication with the weak encryption algorithm DES is migrated to the stronger cipher AES 128 so that it remains operational in FIPS mode. The CLI informs you of this migration.

Any existing IPsec policy that uses certificate authentication with the weak hash algorithm MD5 is migrated to SHA1.

Any existing IPsec policy that uses certificate authentication with the weak ESP algorithm NULL_ENC, DES, BLOWFISH, or RIJNDAEL is migrated to the stronger cipher AES 128.

When the system switches from FIPS to Non FIPS mode, the IPsec policies do not change.


Note The migration from FIPS to Non FIPS or vice versa causes certificate regeneration for IPsec. Therefore, after importing the remote node's regenerated certificate, the IPsec policies need to be disabled and enabled explicitly.



Note Compatible algorithm and authentication mode is required to set up an IPSEC policy between two Non-FIPS systems or between a FIPS and a Non-FIPS system.



Note Compatible authentication mode is required to set up a FIPS-based IPSEC policy.


Manage Existing IPsec Policies

To display, enable or disable, or delete an existing IPsec policy, follow this procedure:


Note Because any changes that you make to an IPsec policy during a system upgrade are lost, do not modify or create IPsec policies during an upgrade.



Caution IPsec, especially with encryption, affects the performance of your system.


Caution Any changes that you make to existing IPsec policies can affect your normal system operations.


Caution If you change the hostname, domain, or IP address of a node, the IPsec certificate is regenerated. If the certificate names change as a result, you must delete the affected IPsec policies and recreate them. If the certificate names are unchanged, import the remote node's regenerated certificate and then explicitly disable and re-enable the IPsec policies.


Note To access the Security menu items, you must sign in to Cisco Unified Communications Operating System Administration again using your Administrator password.


Procedure


Step 1 Navigate to Security > IPSEC Configuration.

The IPSEC Policy List window displays.

Step 2 To display, enable, or disable a policy, follow these steps:

a. Click the policy name.

The IPSEC Policy Configuration window displays.

b. To enable or disable the policy, check or uncheck the Enable Policy check box.

c. Click Save.

Step 3 To delete one or more policies, follow these steps:

a. Check the check box next to each policy that you want to delete.

You can click Select All to select all policies or Clear All to clear all the check boxes.

b. Click Delete Selected.


Bulk Certificate Management

To support the Extension Mobility Cross Cluster (EMCC) feature, the system allows you to execute a bulk import and export operation to and from a common SFTP server that has been configured by the cluster administrator.


Note If you have Cisco Unified IP Phone 8961, 9951, or 9971 Firmware Release 9.0(2) and your cluster is running in mixed mode, the Trust Certificate(s) for all clusters must be signed by a common set of security tokens in order for the EMCC feature to operate. You must have a minimum of one token that is the same among all clusters.


Exporting Certificates

To use Bulk Certificate Management to export certificates, use the following procedure:

Procedure


Step 1 Navigate to Security > Bulk Certificate Management.

The Bulk Certificate Management window displays.

Step 2 Enter the appropriate information on the Bulk Certificate Management window. For a description of the fields on this window, see Table 6-5.

Step 3 To save the values you entered, click Save.

Step 4 To export certificates, click Export.

The Bulk Certificate Export popup window displays.

Step 5 From the drop-down menu, choose the type of certificate you want to export:

Tomcat

TFTP

All

Step 6 Click Export.

The system exports and stores the certificates you chose on the central SFTP server.


Importing Certificates

You can also use the Bulk Certificate Management window to import certificates that you have exported from other clusters. However, before the Import button displays, you must complete the following activities:

Export the certificates from at least two clusters to the SFTP server.

Consolidate the exported certificates.

Note The exported files are the trust material that every participating cluster imports, so treat the SFTP server as part of the trust chain: restrict the export directory to the account that you enter in this window, and verify the SFTP server's host key out of band before you save its credentials here.

Table 6-5 Bulk Certificate Management Field Descriptions 

Field
Description

IP Address

Enter the IP address of the common server where you want to export the certificates.

Port

Enter the port number.

Default: 22

User ID

Enter the User ID you want to use to log into the server.

Password

Enter the appropriate password.

Directory

Enter a directory on the server where you want to save the certificates.

Example:

/users/cisco