Cisco Unified Communications Operating System Administration Guide, Release 9.1(1)
Security

This chapter provides information about certificate management and IPsec management and provides procedures for performing related tasks.

Set Up Internet Explorer Security Options

To download certificates from the Cisco Unified Communications Manager node, ensure that your Internet Explorer security settings are configured as follows:

Procedure
    Step 1   Start Internet Explorer.
    Step 2   Choose Tools > Internet Options.
    Step 3   Click the Advanced tab.
    Step 4   Scroll down to the Security area on the Advanced tab.
    Step 5   If necessary, uncheck the Do not save encrypted pages to disk check box.
    Step 6   Click OK.

Manage Certificates

The following topics describe the functions that you can perform from the Certificate Management menu.

Note: To access the Security menu items, you must sign in to Cisco Unified Communications Operating System Administration again using your administrator password.

Restart the following services after regenerating or uploading certificates:

    Certificate       Services to restart
    CUP               Cisco SIP Proxy, Cisco Presence Engine
    cup-trust         Cisco SIP Proxy, Cisco Presence Engine
    cup-xmpp          Cisco XCP Connection Manager, Cisco XCP Web Connection Manager
    cup-xmpp-s2s      Cisco XCP XMPP Federation Connection Manager
    cup-xmpp-trust    Cisco XCP Connection Manager, Cisco XCP Web Connection Manager, Cisco XCP XMPP Federation Connection Manager
    tomcat            Cisco Tomcat
    tomcat-trust      Cisco Tomcat

    Show Certificates

    To display existing certificates, follow this procedure:

    Procedure
      Step 1   Choose Security > Certificate Management.

      The Certificate List window appears.

      Step 2   Use the Find controls to filter the certificate list.
      Step 3   To view details of a certificate or trust store, click the file name.

      The Certificate Configuration window displays information about the certificate.

      Step 4   To return to the Certificate List window, choose Back To Find/List in the Related Links list; then, click Go.

      Download Certificate

      To download a certificate from the Cisco Unified Communications Operating System to your PC, follow this procedure:

      Procedure
        Step 1   Navigate to Security > Certificate Management.

        The Certificate List window displays.

        Step 2   You can use the Find controls to filter the certificate list.
        Step 3   Click the file name of the certificate.

        The Certificate Configuration window displays.

        Step 4   Click Download.
        Step 5   In the File Download dialog box, click Save.

        Install Intermediate Certificate

        Unified Intelligence Center supports only one level of intermediate certificate. To install an intermediate certificate you must install a root certificate first and then upload the signed certificate.

        Procedure
          Step 1   Navigate to Security > Certificate Management.

          The Certificate List window displays.

          Step 2   Click Upload Certificate.

          The Upload Certificate dialog box opens.

          Step 3   Select intelligenceCenter-srvr-trust from the Certificate name drop down list to install the root certificate.
          Step 4   Select the file to upload by performing one of the following steps:
          • In the Upload File text box, enter the path to the file.
          • Click the Browse button and navigate to the file; then click Open.
          Step 5   To upload the file to the server, click the Upload File button.
          Step 6   Navigate to Security > Certificate Management.

          The Certificate List window displays.

          Step 7   Click Upload Certificate.

          The Upload Certificate dialog box opens.

          Step 8   In the Upload certificate pop up window, select IntelligenceCenter-srvr from the Certificate name drop down list and enter the root certificate name.

          The root certificate name is the .pem filename that was generated when the root certificate was uploaded.

          Step 9   Select the file to upload by performing one of the following steps:
          • In the Upload File text box, enter the path to the file.
          • Click the Browse button and navigate to the file; then click Open.
          Step 10   To upload the file to the server, click the Upload File button.

Troubleshooting Tips

Note: After installing the customer certificate, access the Cisco Unified Intelligence Center URL using the FQDN. If you access Cisco Unified Intelligence Center using an IP address, you will get the message "Click here to continue" even after successfully installing the custom certificate.


          Delete and Regenerate Certificate

          These sections describe how to delete and regenerate a certificate.

          Delete Trust Certificate

          To delete a trust certificate, follow this procedure:


          Caution


          Deleting a certificate can affect your system operations. Deleting this certificate permanently may break a certificate chain if this certificate is part of an existing chain. You can verify this from the username and subject name of the relevant certificates in the Certificate List window. You cannot undo this action.


          Procedure
            Step 1   From the Cisco Unified Serviceability webpage, navigate to Tools > Control Center Network Services and stop the Cisco Certificate Change Notification service.
            Step 2   Navigate to Security > Certificate Management.

            The Certificate List window displays.

            Step 3   You can use the Find controls to filter the certificate list.
            Step 4   Click the file name of the certificate.

            The Certificate Configuration window displays.

            Step 5   Click Delete.

            For more information about deleting a certificate, see the caution.

            Step 6   Click OK.
            Step 7   Restart the Cisco Certificate Change Notification service.

            The selected certificate has been permanently deleted.


            Regenerate Certificate

            You can regenerate certificates from the Cisco Unified Communications Operating System as an operating system security function. For more information about regenerating certificates, see the Cisco Unified Communications Manager Security Guide.

Caution: Regenerating a certificate can affect your system operations. Regenerating a certificate overwrites the existing certificate, including a third-party signed certificate if one was uploaded.

Note: Certificate regeneration or upload of third-party signed certificates should be performed during maintenance.

The following table describes the system security certificates you can regenerate from the Cisco Unified Communications Operating System and the related services that must be restarted. For information about regenerating the TFTP certificate, see the Cisco Unified Communications Manager Security Guide.

Table 1 Certificate Names and Descriptions

tomcat
    Description: This self-signed root certificate is generated during installation for the HTTPS node.
    Related services: tomcat

ipsec
    Description: This self-signed root certificate is generated during installation for IPsec connections with MGCP and H.323 gateways.
    Related services: Cisco Disaster Recovery System (DRS) Local and Cisco DRF Master

CallManager
    Description: This self-signed root certificate is installed automatically when you install Cisco Unified Communications Manager. This certificate provides node identification, including the node name and the Global Unique Identifier (GUID).
    Related services: CallManager and CAPF

CAPF
    Description: The system copies this root certificate to your node or to all nodes in the cluster after you complete the Cisco client configuration.
    Related services: CallManager and CAPF

TVS
    Description: This is a self-signed root certificate.
    Related services: TVS

            If you regenerated the certificate for Cisco Certificate Authority Proxy Function (CAPF) or Cisco Unified Communications Manager and a CTL client is configured, rerun the CTL client.

            After you regenerate certificates in the Cisco Unified Communications Operating System, you must perform a system backup so that the latest backup contains the regenerated certificates. If your backup does not contain the regenerated certificates and you perform a system restoration task, you must manually unlock each phone in your system so that the phone can register with Cisco Unified Communications Manager. For information about performing a backup, see the Disaster Recovery System Administration Guide.

            Procedure
              Step 1   Navigate to Security > Certificate Management.

              The Certificate List window displays.

              Step 2   Click Generate New.

              The Generate Certificate dialog box opens.

              Step 3   From the Certificate Name drop-down list, choose a certificate name . For details about certificate names, see the Certificate Names and Descriptions table.
              Step 4   Click Generate New.

              What to Do Next

              Restart all services that are affected by the regenerated certificate as listed in the Certificate Names and Descriptions table.

              Rerun the CTL client (if configured) after you regenerate the CAPF or CallManager certificates.

              Perform a system backup to capture the newly regenerated certificates. For information about performing a backup, see the Disaster Recovery System Administration Guide.

Certificate Regeneration If Intracluster Communication Is Enabled Using EMCC

If intracluster communication is enabled using EMCC, complete the following steps during certificate regeneration.

Procedure
    Step 1   Navigate to Advanced Features > EMCC > Intercluster Service Profile and deactivate the EMCC Service.
    Step 2   Log out all remotely logged-in devices from Device > Related Link > Remotely Logged In Device.
    Step 3   Regenerate certificates.
    Step 4   Perform the Bulk Certification operation.
    Step 5   Activate the EMCC Service.

                Upload Certificate

Caution: Uploading a new certificate can affect your system operations. After you upload a new certificate or certificate trust list, you must restart the Cisco Unified Communications Manager service by navigating to Cisco Unified Serviceability > Tools > Service Activation. For more information, see the Cisco Unified Serviceability Administration Guide.


                The following sections describe how to upload a Certificate Authority (CA) root certificate and application certificate to the node.

                Upload Certificate or Certificate Chain

Note: You can upload the certificate or certificate chain to Certificate Trust or for a third-party signed certificate.

Procedure
    Step 1   Navigate to Security > Certificate Management.

    The Certificate List window displays.

    Step 2   Click Upload Certificate/Certificate Chain.

    The Upload Certificate/Certificate Chain dialog box opens.

    Step 3   Select the certificate name from the Certificate Name list.
    Step 4   Select the file to upload by doing one of the following steps:
    1. In the Upload File text box, enter the path to the file.
    2. Click the Browse button and navigate to the file; then, click Open.

    Cisco Unified Communications Manager Release 8.6 supports the Privacy Enhanced Mail (PEM) Base64-encoded format of an X.509 certificate (only one PEM certificate in a file), the Distinguished Encoding Rules (DER) format of an X.509 certificate, and the DER format of a PKCS#7 (Public-Key Cryptography Standards) certificate chain. The system does not support the PEM format of a PKCS#7 certificate chain.

    Step 5   To upload the file to the server, click the Upload File button.
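The format rules in Step 4 are easy to get wrong when a CA hands back a bundle, so the following added example (written for this page, not code from the Cisco guide or product) checks a file against them before it is uploaded: exactly one PEM CERTIFICATE block, a DER X.509 certificate, or a DER PKCS#7 chain are accepted; a PEM-wrapped PKCS#7 chain or a multi-certificate PEM file is reported as unsupported. It uses only the standard library and inspects structure, not certificate validity; the sample inputs at the bottom are constructed DER-shaped bytes, not real certificates.

```python
"""Pre-upload format check for Cisco Unified OS certificate files (added example)."""
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (pkcs7-signedData). A DER PKCS#7
# chain carries this OID immediately after its outer SEQUENCE header.
PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")

# One PEM block: label, base64 body, and the matching END label.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 #]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

# Formats the guide says the upload dialog accepts.
SUPPORTED = {"pem-x509", "der-x509", "der-pkcs7"}


def _is_der_sequence(data: bytes) -> bool:
    """X.509 certificates and PKCS#7 objects both start with a DER SEQUENCE tag (0x30)."""
    return len(data) > 2 and data[0] == 0x30


def classify(data: bytes) -> str:
    """Return one of pem-x509, pem-multi, pem-pkcs7, der-x509, der-pkcs7, unknown."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels = {label.decode() for label, _ in blocks}
        if labels & {"PKCS7", "PKCS #7 SIGNED DATA"}:
            return "pem-pkcs7"      # PEM PKCS#7 chain: rejected by the server
        if labels != {"CERTIFICATE"}:
            return "unknown"
        if len(blocks) > 1:
            return "pem-multi"      # only one PEM certificate per file is accepted
        body = b"".join(blocks[0][1].split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            return "unknown"
        return "pem-x509" if _is_der_sequence(der) else "unknown"
    if _is_der_sequence(data):
        # SignedData announces itself with the pkcs7-signedData OID up front;
        # a bare X.509 certificate starts with its tbsCertificate instead.
        return "der-pkcs7" if PKCS7_SIGNED_DATA_OID in data[:32] else "der-x509"
    return "unknown"


def is_supported_upload(data: bytes) -> bool:
    """True when the file is in a format the Upload Certificate dialog accepts."""
    return classify(data) in SUPPORTED


def _pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in a PEM envelope (used to build the constructed samples)."""
    return (f"-----BEGIN {label}-----\n".encode() + base64.b64encode(der)
            + f"\n-----END {label}-----\n".encode())


# Constructed samples: DER-shaped bytes, not real certificates.
SAMPLE_DER_CERT = bytes.fromhex("3003020101")                 # SEQUENCE { INTEGER 1 }
SAMPLE_DER_PKCS7 = bytes([0x30, 0x0D]) + PKCS7_SIGNED_DATA_OID + bytes([0xA0, 0x00])
SAMPLE_PEM_CERT = _pem("CERTIFICATE", SAMPLE_DER_CERT)
SAMPLE_PEM_PKCS7 = _pem("PKCS7", SAMPLE_DER_PKCS7)
SAMPLE_PEM_BUNDLE = SAMPLE_PEM_CERT * 2                       # two certs in one PEM file

if __name__ == "__main__":
    for name, blob in [("pem cert", SAMPLE_PEM_CERT), ("pem bundle", SAMPLE_PEM_BUNDLE),
                       ("der cert", SAMPLE_DER_CERT), ("der pkcs7", SAMPLE_DER_PKCS7),
                       ("pem pkcs7", SAMPLE_PEM_PKCS7)]:
        print(f"{name:10s} -> {classify(blob):10s} supported={is_supported_upload(blob)}")
```

Run the check on the exact file you are about to pick in the Browse dialog; if it reports pem-pkcs7, convert the chain to DER with your CA tooling (or split it into individual PEM certificates and upload each to the matching -trust store) before retrying.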

                  Upload Third-Party CA Certificates

                  Cisco Unified Communications Operating System supports certificates that a third-party CA issues with PKCS#10 Certificate Signing Request (CSR).

Note: Cisco Unified Communications Manager supports SHA1 signed certificates exclusively.

The following procedure provides an overview of this process, with references to additional documentation:

                  Procedure
                    Step 1   Generate a CSR on the server.
                    Step 2   Download the CSR to your PC.
                    Step 3   Use the CSR to obtain an application certificate from a CA or PKCS#7 format certificate chain, which may contain application certificate along with CA certificate. Get information about obtaining a root certificate from your CA.
                    Step 4   Obtain the CA certificate or certificate chain. Get information about obtaining a root certificate from your CA.
                    Step 5   Upload third-party certificate.
                    Step 6   If you updated the certificate for CAPF or Cisco Unified Communications Manager, generate a new CTL (Certificate Trust List) file.

                    See the Cisco Unified Communications Manager Security Guide.

                    Rerun CTL client (if configured) after uploading third-party signed CAPF or CallManager certificate.

                    Step 7   Restart the services that are affected by the new certificate.

                    For all certificate types, restart the corresponding service (for example, restart the Tomcat service after regenerating the Tomcat certificate). In addition, if you updated the certificate for CAPF or Cisco Unified Communications Manager, restart the Cisco Certificate Authority Proxy Function and Cisco CallManager service.

Note: After regenerating the IPsec certificate, you must restart the Cisco DRF Local and Cisco DRF Master services.

See the Cisco Unified Communications Manager Serviceability Administration Guide for information about restarting services.


                    Third-Party Signed Certificate or Certificate Chain

                    Upload the CA root certificate of the CA that signed an application certificate. If a subordinate CA signs an application certificate, you must upload the CA root certificate of the subordinate CA. You can also upload PKCS#7 format Certificate Chain of all CA Certificates.

                    You can upload CA root certificates and application certificates by using the same Upload Certificate dialog box. When you upload a CA root certificate or Certificate chain having only CA Certificates, choose the certificate name with the format certificate type-trust. When you upload an application certificate or Certificate chain having application certificate and CA Certificates, choose the certificate name that includes only the certificate type. For example, choose tomcat-trust when you upload a Tomcat CA Certificate or CA Certificate Chain; choose tomcat when you upload a Tomcat application certificate or Certificate chain having application certificate and CA Certificates.

                    When you upload a CAPF CA root certificate, it gets copied to the CallManager-trust store, so you do not need to upload the CA root certificate for CallManager separately.

Note: Successful upload of a third-party CA-signed certificate deletes the recently generated CSR that was used to obtain the signed certificate and overwrites the existing certificate, including a third-party signed certificate if one was uploaded.

Note: The system automatically replicates tomcat-trust, CallManager-trust and Phone-SAST-trust certificates to each node of the cluster.

Note: For the current release of the Cisco Unified Operating System, the Directory option no longer displays in the list of Certificate Names. However, you can still upload a Directory Trust certificate to tomcat-trust, which is required for the DirSync service to work in Secure mode.


                    Generate Certificate Signing Request

                    To generate a CSR, follow these steps:

                    Procedure
                      Step 1   Navigate to Security > Certificate Management.

                      The Certificate List window displays.

                      Step 2   Click Generate CSR.

                      The Generate Certificate Signing Request dialog box opens.

                      Step 3   From the Certificate Name drop-down list, choose a certificate name.

                      For details about certificate names, see the Certificate Names and Descriptions table.

                      Step 4   Click Generate CSR.
      Note: Generating a CSR overwrites any existing CSR.


                      Download Certificate Signing Request

                      To download a Certificate Signing Request, follow this procedure:

                      Procedure
                        Step 1   Navigate to Security > Certificate Management.

                        The Certificate List window displays.

                        Step 2   Click Download CSR.

                        The Download Certificate Signing Request dialog box opens.

                        Step 3   Select the certificate name from the Certificate Name list.
                        Step 4   Click Download CSR.
                        Step 5   In the File Download dialog box, click Save.

                        Third-Party CA Certificates

                        To use an application certificate that a third-party CA issues, you must obtain both the signed application certificate and the CA root certificate from the CA or PKCS#7 Certificate Chain (DER format) containing both the application certificate and CA certificates. Get information about obtaining these certificates from your CA. The process varies among CAs.

                        Cisco Unified Communications Operating System generates CSRs in PEM encoding format. It accepts certificates in DER and PEM encoding formats and PKCS#7 Certificate chain in PEM format. For all certificate types except CAPF, you must obtain and upload a CA root certificate and an application certificate on each node.

                        For CAPF, obtain and upload a CA root certificate and an application certificate only on the first node. CAPF and Cisco Unified Communications Manager CSRs include extensions that you must include in your request for an application certificate from the CA. If your CA does not support the ExtensionRequest mechanism, you must enable the X.509 extensions, as follows:

• The CAPF CSR uses the following extensions:

    X509v3 extensions:
        X509v3 Key Usage:
            Digital Signature, Key Encipherment, Certificate Sign
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, IPsec End System

• The CSRs for Cisco Unified Communications Manager, Tomcat, and IPsec use the following extensions:

    X509v3 extensions:
        X509v3 Key Usage:
            Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication, IPsec End System
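When the CA cannot honour the ExtensionRequest attribute carried in the downloaded CSR, an administrator typically has to prove to the CA team which extensions are needed and verify that what comes back (or a test CSR built locally) carries them. The added example below (written for this page; not code from the Cisco guide or product) maps the two extension sets above onto OpenSSL request-config names, builds a CSR with the openssl command-line tool, and checks the textual dump for each expected value. It assumes openssl is on the PATH; the common name and RSA key size are constructed placeholders, and the key pair it generates is a throwaway in a temporary directory, not the server's own key.

```python
"""Build and verify a CSR carrying the CAPF or CallManager/Tomcat/IPsec extensions (added example)."""
import shutil
import subprocess
import tempfile
from pathlib import Path

# OpenSSL config names for the X509v3 values listed in the guide.
PROFILES = {
    "capf": {
        "keyUsage": "digitalSignature, keyEncipherment, keyCertSign",
        "extendedKeyUsage": "serverAuth, ipsecEndSystem",
    },
    # The guide lists the same extensions for CallManager, Tomcat and IPsec CSRs.
    "callmanager": {
        "keyUsage": "digitalSignature, keyEncipherment, dataEncipherment, keyAgreement",
        "extendedKeyUsage": "serverAuth, clientAuth, ipsecEndSystem",
    },
}

# The strings 'openssl req -text' prints for those extensions (case differs
# slightly between OpenSSL versions, so comparisons are case-insensitive).
EXPECTED_TEXT = {
    "capf": ["Digital Signature", "Key Encipherment", "Certificate Sign",
             "TLS Web Server Authentication", "IPsec End System"],
    "callmanager": ["Digital Signature", "Key Encipherment", "Data Encipherment",
                    "Key Agreement", "TLS Web Server Authentication",
                    "TLS Web Client Authentication", "IPsec End System"],
}


def build_req_config(profile: str, common_name: str) -> str:
    """Return an openssl.cnf fragment that requests the profile's extensions."""
    ext = PROFILES[profile]
    return (
        "[ req ]\n"
        "prompt = no\n"
        "distinguished_name = dn\n"
        "req_extensions = v3_req\n"
        "[ dn ]\n"
        f"CN = {common_name}\n"
        "[ v3_req ]\n"
        f"keyUsage = {ext['keyUsage']}\n"
        f"extendedKeyUsage = {ext['extendedKeyUsage']}\n"
    )


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def csr_text(profile: str, common_name: str) -> str:
    """Generate a throwaway key and CSR in a temp dir; return 'openssl req -text' output."""
    with tempfile.TemporaryDirectory() as tmp:
        cnf, key, csr = (Path(tmp, n) for n in ("req.cnf", "key.pem", "req.csr"))
        cnf.write_text(build_req_config(profile, common_name))
        subprocess.run(
            ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-keyout", str(key), "-out", str(csr), "-config", str(cnf)],
            check=True, capture_output=True,
        )
        dump = subprocess.run(
            ["openssl", "req", "-in", str(csr), "-noout", "-text"],
            check=True, capture_output=True, text=True,
        )
        return dump.stdout


def csr_has_guide_extensions(profile: str, common_name: str) -> bool:
    """True when every extension the guide lists for the profile appears in the CSR."""
    text = csr_text(profile, common_name).lower()
    return all(expected.lower() in text for expected in EXPECTED_TEXT[profile])


if __name__ == "__main__":
    # Constructed placeholder common name; replace with the node's FQDN.
    for profile in PROFILES:
        print(profile, "ok" if csr_has_guide_extensions(profile, "cucm-pub.example.com") else "MISSING")
```

The same `csr_text` dump can be run against the CSR downloaded from the node (replace the generated file with the download) to confirm that the extensions are present before sending it to the CA, and against the returned certificate with `openssl x509 -text` to confirm the CA preserved them.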
                          

                        Monitor Certificate Expiration

                        The system can automatically send you an e-mail message when a certificate is close to its expiration date. To view and configure the Certificate Expiration Monitor, follow this procedure:

                        Procedure
                          Step 1   To view the current Certificate Expiration Monitor configuration, navigate to Security > Certificate Monitor.

                          The Certificate Monitor window displays.

    Step 2   Enter the required configuration information. See the following table for a description of the Certificate Monitor Expiration fields.

Table 2 Certificate Monitor Field Descriptions

Notification Start Time
    Enter the number of days before the certificate expires that you want to be notified.

Notification Frequency
    Enter the frequency for notification, either in hours or days.

Enable E-mail Notification
    Check the check box to enable e-mail notification.

Email IDs
    Enter the e-mail address to which you want notifications sent.

    Note: For the system to send notifications, you must configure an SMTP host.

                          Step 3   To save your changes, click Save.

                          Certificate Revocation

                          The following topic describes the function that you can perform with the Certificate Revocation menu.

                          Configure Online Certificate Status Protocol

                          You can use the Online Certificate Status Protocol (OCSP) to obtain the revocation status of the certificate.

                          To configure OCSP, follow this procedure:

                          Procedure
                            Step 1   Navigate to Security > Certificate Revocation.

                            The Certificate Revocation window displays.

    Step 2   Check the Enable OCSP check box in the Online Certificate Status Protocol Configuration area.
    Step 3   Choose Use OCSP URI from Certificate if the certificate is configured with an OCSP URI and that URI is to be used to contact the OCSP Responder.
    Step 4   Choose Use configured OCSP URI if an external or configured URI is to be used to contact the OCSP Responder, and enter the URI of the OCSP Responder, where certificate revocation status is verified, in the OCSP Configured URI field.
    Step 5   Click Save.

Warning: You must upload the OCSP Responder certificate to tomcat-trust before enabling OCSP.

Note: The certificate revocation status check is performed only during upload of a certificate or certificate chain, and the appropriate alarm is raised if a certificate is revoked.


                            Troubleshoot Certificate Errors

                            If you encounter an error when attempting to access Cisco Unified Communications Manager services from an IM and Presence node or IM and Presence services from a Cisco Unified Communications Manager node, there may be a problem with the tomcat-trust certificate. The error message "Connection to the Server cannot be established (unable to connect to Remote Node)" will appear on the following Serviceability interface pages:

                            • Service Activation

                            • Control Center - Feature Services

                            • Control Center - Network Services

                            This procedure provides steps to help you resolve the certificate error. Start with the first step and proceed if necessary. In some cases, you may only have to complete the first step to resolve the error; in other cases, you will have to complete all steps.

                            Procedure
                              Step 1   From the Cisco Unified OS Administration interface, verify that the required tomcat-trust certificates are present: Security > Certificate Management.

                              If the required certificates are not present, wait 30 minutes before checking again.

                              Step 2   Select the certificate to obtain information about the certificate and verify that the content matches the contents of the same certificate on the remote node.
                              Step 3   From Cisco Unified Serviceability Administration, choose Tools > Control Center - Network Services.
                              Step 4   Under Platform Services, choose Cisco Certificate Change Notification.
                              Step 5   Click Restart.
                              Step 6   Wait 30 minutes. If the previous steps have not addressed the certificate error and an IM and Presence tomcat-trust certificate is present, delete the certificate. After you delete the certificate, you must manually exchange it by downloading the Tomcat certificate for each node, and uploading it to its peers as a tomcat-trust certificate. After the certificate exchange is complete, restart the Cisco Certificate Change Notification service on each affected node.
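Step 2 asks you to confirm that a tomcat-trust certificate's content matches the copy on the remote node, which is tedious to do by eye across a cluster. The added example below (written for this page; not code from the Cisco guide or product) computes a SHA-256 fingerprint for every CERTIFICATE block in each node's trust-store export and reports, per node, the certificates that exist elsewhere but are missing locally; those are the ones to exchange by hand in Step 6. The node names and certificate bytes are constructed sample data, not real certificates.

```python
"""Cross-node tomcat-trust consistency check by certificate fingerprint (added example)."""
import base64
import hashlib
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form certificate viewers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints(pem_text: str) -> set[str]:
    """Fingerprints of every CERTIFICATE block in a trust-store export."""
    return {
        fingerprint(base64.b64decode("".join(body.split())))
        for body in PEM_CERT.findall(pem_text)
    }


def compare_trust_stores(stores: dict[str, str]) -> dict[str, set[str]]:
    """For each node, the fingerprints present on some other node but absent locally.

    Empty sets everywhere mean the stores agree. A non-empty set for a node
    lists the certificates to download from a node that has them and upload
    to this node as tomcat-trust, followed by a restart of the Cisco
    Certificate Change Notification service on the affected nodes.
    """
    per_node = {node: fingerprints(pem) for node, pem in stores.items()}
    everything = set().union(*per_node.values())
    return {node: everything - present for node, present in per_node.items()}


def _pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope (used to build the constructed samples)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


# Constructed samples: DER-shaped byte strings standing in for three distinct certificates.
CERT_A = bytes.fromhex("300302010a")
CERT_B = bytes.fromhex("300302010b")
CERT_C = bytes.fromhex("300302010c")
SAMPLE_STORES = {
    "cucm-pub": _pem(CERT_A) + _pem(CERT_B),
    "imp-pub": _pem(CERT_A),
    "cucm-sub1": _pem(CERT_A) + _pem(CERT_C),
}

if __name__ == "__main__":
    for node, missing in compare_trust_stores(SAMPLE_STORES).items():
        print(node, "missing:", sorted(missing) or "nothing")
```

To use it against real nodes, paste each node's downloaded tomcat-trust certificates into one PEM string per node; the fingerprint of a downloaded Tomcat certificate from node X should then appear in every other node's tomcat-trust set.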

                              IPsec

                              The following topics describe the functions that you can perform with the IPsec menu.

Note: IPsec is not automatically set up between nodes in the cluster during installation.

Set Up IPsec Policy

To set up a new IPsec policy and association, follow this procedure:

Note: Because any changes that you make to an IPsec policy during a system upgrade will be lost, do not modify or create IPsec policies during an upgrade.

Note: IPSEC requires bi-directional provisioning, one peer for each host (or gateway).

Note: When provisioning the IPsec Policy on two Call Manager nodes with one Call Manager IPsec policy protocol set to ANY and the other Call Manager IPsec policy protocol set to UDP or TCP, the validation may result in a false negative if the validation is run from the Call Manager node using the "ANY" protocol.

Caution: IPsec, especially with encryption, will affect the performance of your system.

                              Procedure
                                Step 1   Navigate to Security > IPSEC Configuration.

                                The IPSEC Policy List window displays.

                                Step 2   Click Add New.

                                The IPSEC Policy Configuration window displays.

                                Step 3   Enter the appropriate information in the IPSEC Policy Configuration window. For a description of the fields in this window, see the following table.
Table 3 IPsec Policy and Association Field Descriptions

Policy Group Name
    Specifies the name of the IPsec policy group. The name can contain only letters, digits, and hyphens.
    Note: Do not use more than one hyphen when creating the Policy Group Name.

Policy Name
    Specifies the name of the IPsec policy. The name can contain only letters, digits, and hyphens.
    Note: Do not use more than one hyphen when creating the Policy Name.

Authentication Method
    Specifies the authentication method. The Authentication Method field has two options: Preshared Key and Certificate.
    If Preshared Key is selected, the Preshared Key field is editable.
    If Certificate is selected, the Preshared Key field is dimmed and the Certificate Name field is editable.

Preshared Key
    Specifies the preshared key if you selected Preshared Key in the Authentication Method field.
    Note: Preshared IPsec keys can contain alphanumeric characters and hyphens only, not white spaces or any other characters. If you are migrating from a Windows-based version of Cisco Unified Communications Manager, you may need to change the name of your preshared IPsec keys so they are compatible with current versions of Cisco Unified Communications Manager.

Peer Type
    Specifies that the peer type is different.

Certificate Name
    If you choose Different for the peer type, enter the new certificate name.

Destination Address
    Specifies the IP address of the destination (FQDN is not supported).

Destination Port
    Specifies the port number at the destination.

Source Address
    Specifies the IP address of the source (FQDN is not supported).

Source Port
    Specifies the port number at the source.

Mode
    Specifies Transport mode.

Remote Port
    Specifies the port number to use at the destination.

Protocol
    Specifies the specific protocol, or Any:
    • TCP
    • UDP
    • Any

Encryption Algorithm
    From the drop-down list, choose the encryption algorithm. Choices are:
    • DES
    • 3DES
    • AES 128
    • AES 256

Hash Algorithm
    Specifies the hash algorithm:
    • SHA1 - Hash algorithm that is used in Phase One IKE negotiation
    • MD5 - Hash algorithm that is used in Phase One IKE negotiation

ESP Algorithm
    From the drop-down list, choose the ESP algorithm. Choices are:
    • NULL_ENC
    • AES 128
    • AES 256
    • DES
    • 3DES
    • BLOWFISH
    • RIJNDAEL

Phase One Life Time
    Specifies the lifetime for Phase One IKE negotiation in seconds.

Phase One DH
    From the drop-down list, choose the Phase One DH value. Choices include: 1, 2, and 5.

Phase Two Life Time
    Specifies the lifetime for Phase Two IKE negotiation in seconds.

Phase Two DH
    From the drop-down list, choose the Phase Two DH value. Choices include: 1, 2, and 5.

Enable Policy
    Check the check box to enable the policy.

                                Step 4   To set up the new IPsec policy, click Save.

                                To validate the IPsec connection, navigate to Services > Ping, check the Validate IPSec check box, and click Ping. This ping verifies the IPsec connection.

                                The preceding table lists the field names that are displayed when the system is in Non Federal Information Processing Standard (Non FIPS) mode.

                                The following table lists the field names that are displayed when the system is in FIPS mode.

                                Table 4 IPsec Policy and Association Field Descriptions

                                Field

                                Description

                                Policy Group Name

                                Specifies the name of the IPsec policy group. The name can contain only letters, digits, and hyphens.

                                Policy Name

                                Specifies the name of the IPsec policy. The name can contain only letters, digits, and hyphens.

                                Authentication Method

                                Specifies the authentication method. By default, certificate is selected.

                                Note   

                                Preshared key is not present in FIPS mode.

                                Peer Type

                                Specifies the peer type (Different).

                                Certificate Name

                                If you choose Different for the Peer Type, enter the new certificate name.

                                Destination Address

                                Specifies the IP address or FQDN of the destination.

                                Destination Port

                                Specifies the port number at the destination.

                                Source Address

                                Specifies the IP address or FQDN of the source.

                                Source Port

                                Specifies the port number at the source.

                                Mode

                                Specifies Transport mode.

                                Remote Port

                                Specifies the port number to use at the destination.

                                Protocol

                                Specifies the specific protocol, or Any:

                                • TCP
                                • UDP
                                • Any

                                Encryption Algorithm

                                From the drop-down list, choose the encryption algorithm. Choices are:

                                • 3DES (default)
                                • AES 128
                                • AES 256

                                Hash Algorithm

                                Specifies the hash algorithm:

                                • SHA1 - Hash algorithm that is used in Phase One IKE negotiation

                                ESP Algorithm

                                From the drop-down list, choose the ESP algorithm. Choices are:

                                • 3DES (default)
                                • AES 128
                                • AES 256

                                Phase One Life Time

                                Specifies the lifetime for Phase One IKE negotiation in seconds.

                                Phase One DH

                                From the drop-down list, choose the Phase One DH value. Choices include: 1, 2, and 5.

                                Phase Two Life Time

                                Specifies the lifetime for Phase Two IKE negotiation in seconds.

                                Phase Two DH

                                From the drop-down list, choose the Phase Two DH value. Choices include: 1, 2, and 5.

                                Enable Policy

                                Check the check box to enable the policy.


                                Migration Characteristics

                                When the system switches from Non FIPS to FIPS mode, the following changes occur:

                                • If an existing IPsec policy uses preshared key authentication, the user must remove that policy before moving to FIPS mode.

                                • If an existing IPsec policy uses certificate authentication with the weak Encryption Algorithm DES, the policy is migrated to the stronger cipher AES128 so that it remains operational in FIPS mode. The user is informed about this migration in the CLI.

                                • If an existing IPsec policy uses certificate authentication with the weak Hash Algorithm MD5, the policy is migrated to the stronger hash algorithm SHA1.

                                • If an existing IPsec policy uses certificate authentication with a weak ESP Algorithm (NULL, DES, BLOWFISH 448, or RIJNDAEL), the policy is migrated to the stronger cipher AES128.

                                When the system switches from FIPS to Non FIPS mode, the IPsec policy does not change.
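The migration rules above, applied to a policy record as a pre-switch audit. This is an added example, not Cisco code: the IpsecPolicy record and the function names are assumptions, and the algorithm sets are taken from the Non-FIPS and FIPS field tables in this section (the FIPS to Non-FIPS direction is omitted because it changes nothing).

```python
from dataclasses import dataclass, replace

# Algorithm choices that the FIPS-mode form still offers (from Table 4 above).
FIPS_ENCRYPTION = {"3DES", "AES 128", "AES 256"}
FIPS_HASH = {"SHA1"}
FIPS_ESP = {"3DES", "AES 128", "AES 256"}

# Weak choices that the migration replaces, mapped to their replacement.
WEAK_ENCRYPTION = {"DES": "AES 128"}
WEAK_HASH = {"MD5": "SHA1"}
WEAK_ESP = {alg: "AES 128"
            for alg in ("NULL_ENC", "DES", "BLOWFISH", "BLOWFISH 448", "RIJNDAEL")}


@dataclass(frozen=True)
class IpsecPolicy:
    """The policy fields the migration rules look at (hypothetical record)."""
    name: str
    auth_method: str  # "certificate" or "preshared key"
    encryption: str   # Encryption Algorithm (Phase One)
    hash_alg: str     # Hash Algorithm (Phase One)
    esp: str          # ESP Algorithm (Phase Two)


class MigrationBlocked(ValueError):
    """The policy cannot be migrated; the administrator must remove it first."""


def is_fips_selectable(policy: IpsecPolicy) -> bool:
    """True when every field is a choice the FIPS-mode form still presents."""
    return (policy.auth_method == "certificate"
            and policy.encryption in FIPS_ENCRYPTION
            and policy.hash_alg in FIPS_HASH
            and policy.esp in FIPS_ESP)


def migrate_to_fips(policy: IpsecPolicy) -> tuple[IpsecPolicy, list[str]]:
    """Apply the Non-FIPS -> FIPS rules; return the migrated policy and the
    substitutions made (the page says the CLI reports these to the user)."""
    if policy.auth_method != "certificate":
        raise MigrationBlocked(f"{policy.name}: preshared key authentication is "
                               "not available in FIPS mode; remove the policy first")
    changes = []
    new = policy
    for field, table in (("encryption", WEAK_ENCRYPTION),
                         ("hash_alg", WEAK_HASH), ("esp", WEAK_ESP)):
        old = getattr(new, field)
        if old in table:
            new = replace(new, **{field: table[old]})
            changes.append(f"{field}: {old} -> {table[old]}")
    if not is_fips_selectable(new):
        # Outside both the weak list and the FIPS list: flag it rather than guess.
        raise ValueError(f"{new.name}: algorithm not covered by the migration rules")
    return new, changes
```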


                                Note


                                The migration from FIPS to Non FIPS or vice versa causes certificate regeneration for IPsec. Therefore, after importing the remote node's regenerated certificate, the IPsec policies need to be disabled and enabled explicitly.



                                Note


                                Compatible algorithm and authentication mode is required to set up an IPsec policy between two Non-FIPS systems or between a FIPS and a Non-FIPS system.



                                Note


                                Compatible authentication mode is required to set up a FIPS-based IPsec policy.


                                Manage IPsec Policies

                                To display, enable or disable, or delete an existing IPsec policy, follow this procedure:


                                Note


                                Because any changes that you make to an IPsec policy during a system upgrade are lost, do not modify or create IPsec policies during an upgrade.



                                Caution


                                IPsec, especially with encryption, affects the performance of your system.



                                Caution


                                Any changes that you make to existing IPsec policies can affect your normal system operations.



                                Caution


                                If a hostname, domain, or IP address change causes the IPsec certificate to be regenerated with a different certificate name, the administrator must delete the IPsec policies and recreate them. If the certificate names are unchanged, then after importing the remote node's regenerated certificate, the IPsec policies need to be disabled and enabled explicitly.



                                Note


                                To access the Security menu items, you must sign in to Cisco Unified Communications Operating System Administration again using your Administrator password.


                                Procedure
                                  Step 1   Navigate to Security > IPSEC Configuration.

                                  The IPSEC Policy List window displays.

                                  Step 2   To display, enable, or disable a policy, follow these steps:
                                  1. Click the policy name.

                                    The IPSEC Policy Configuration window displays.

                                  2. To enable or disable the policy, check or uncheck the Enable Policy check box.
                                  3. Click Save.
                                  Step 3   To delete one or more policies, follow these steps:
                                  1. Check the check box next to each policy that you want to delete.

                                    You can click Select All to select all policies or Clear All to clear all the check boxes.

                                  2. Click Delete Selected.

                                  Bulk Certificate Management

                                  To support the Extension Mobility Cross Cluster (EMCC) feature, the system allows you to execute a bulk import and export operation to and from a common SFTP server that has been configured by the cluster administrator.


                                  Note


                                  If you have Cisco Unified IP Phone 8961, 9951, or 9971 Firmware Release 9.0(2) and your cluster is running in mixed mode, the Trust Certificate(s) for all clusters must be signed by a common set of security tokens in order for the EMCC feature to operate. You must have a minimum of one token that is the same among all clusters.


                                  Export Certificates

                                  To use Bulk Certificate Management to export certificates, use the following procedure:

                                  Procedure
                                    Step 1   Navigate to Security > Bulk Certificate Management.

                                    The Bulk Certificate Management window displays.

                                    Step 2   Enter the appropriate information on the Bulk Certificate Management window.
                                    Step 3   To save the values you entered, click Save.
                                    Step 4   To export certificates, click Export.

                                    The Bulk Certificate Export popup window displays.

                                    Step 5   From the drop-down menu, choose the type of certificate you want to export:
                                    • Tomcat

                                    • TFTP

                                    • Capf

                                    • All

                                    Step 6   Click Export.

                                    The system exports and stores the certificates you chose on the central SFTP server.


                                    Import Certificates

                                    You can also use the Bulk Certificate Management window to import certificates that you have exported from other clusters. However, before the Import button displays, you must complete the following activities:

                                    • Export the certificates from at least two clusters to the SFTP server.

                                    • Consolidate the exported certificates.

                                    Field

                                    Description

                                    IP Address

                                    Enter the IP address of the common node where you want to export the certificates.

                                    Port

                                    Enter the port number.

                                    Default: 22

                                    User ID

                                    Enter the User ID you want to use to log into the node.

                                    Password

                                    Enter the appropriate password.

                                    Directory

                                    Enter a directory on the node where you want to save the certificates.

                                    Example:

                                    /users/cisco

                                    Configure the SSO Application

                                    To configure SSO, click Cisco Unified OS Administration > Security > Single Sign On.


                                    Note


                                    SSO is supported only for End User accounts, such as Agent Flow or SAML. SSO is not supported for Application User accounts.


                                    This application is split into three components:

                                    • Status

                                    • Select Applications

                                    • Server Settings

                                    Status

                                    A warning message displays indicating that a change in the SSO settings causes a Tomcat restart.

                                    The following error messages may display when enabling the SSO application:

                                    • Invalid Open Access Manager (OpenAM) server URL - This error message displays when you enter an invalid OpenAM server URL.
                                    • Invalid profile credentials - This error message displays when you give a wrong profile name or wrong profile password or both.
                                    • Security trust error - This error message displays when the OpenAM certificate has not been imported.

                                    If any of these errors occurs while you enable SSO, the Status component changes to show that error.

                                    Select Applications

                                    Select or deselect an application to enable or disable SSO for that application.

                                    The following applications are available:

                                    • Cisco Unified Communications Manager Administration - Enables SSO for Cisco Unified Communications Manager Administration, Cisco Unified Serviceability, and Cisco Unified Reporting
                                    • Cisco Unified Communications Manager User Options - Enables SSO for Cisco Unified Communications Manager User Options
                                    • Cisco Unified Operating System Administration - Enables SSO for Cisco Unified Operating System Administration and Disaster Recovery System
                                    • Cisco Unified Data Service - Enables SSO for Cisco UC Integration for Microsoft Office Communicator
                                    • RTMT - Enables the web application for Real-Time Monitoring Tool

                                    Server Settings

                                    The server settings are editable only when SSO is disabled for all applications.

                                    Use the following procedure:

                                    Procedure
                                      Step 1   Enter the URL of the Open Access Manager (OpenAM) server, for example:

                                      http://opensso.sample.com:443/opensso

                                      Step 2   Enter the relative path where the policy agent should be deployed. The relative path must be alphanumeric.
                                      Step 3   Enter the name of the profile that is configured for this policy agent.
                                      Step 4   Enter the password of the profile name.
                                      Step 5   Enter the login module instance name that is configured for Windows Desktop SSO.
                                      Step 6   Click Save.
                                      Step 7   Click OK on the confirmation dialog box to restart Tomcat.