New and Changed Information for Cisco Unified Communications Manager 8.0(x)
Security

Security

Table Of Contents

Security

Documentation Changes

Security by Default

Overview

Trust Verification Service

TVS Overview

Initial Trust List

ITL Files

Contents of the ITL File

ITL and CTL File Interaction

Autoregistration

Supported Cisco Unified IP Phones

Backing Up the System after Regenerating the TFTP Certificate

Regenerating Certificates

Regenerating the CAPF Certificate

Regenerating a TVS Certificate

Regenerating a TFTP Certificate

Upgrading from Cisco Unified Communications Manager Release 7.x to Release 8.0

Rolling Back the Cluster to a Pre-8.0 Release

Switching Back to Release 8.0

Secure Call Monitoring and Recording

Secure Call Monitoring and Recording Overview

Configuring Secure Call Monitoring and Recording

Bulk Certificate Management

Exporting Certificates

Importing Certificates

Virtual Private Networks

Overview

Supported Devices

Configuring the VPN Feature

Configuring a VPN Gateway

Uploading VPN Concentrator Certificates

Configuring the VPN Gateway

Configuring a VPN Group

Finding a VPN Group

Configuring a VPN Group

Configuring a VPN Profile

VPN Profile Overview

Finding a VPN Profile

Configuring a VPN Profile

VPN Feature Configuration

Overview

VPN Feature Configuration Parameters

Certificate Configuration

Finding a Certificate

Displaying Certificate Configuration

HTTPS

Overview

Phone Configuration Settings

Enterprise Parameter Configuration Settings

Configuring Your Browser to Use HTTPS

Using Internet Explorer 8 to Save the Certificate to the Trusted Folder

Copying the Certificate to File

Using FireFox with HTTPS

Using Safari with HTTPS

Common Phone Profile Configuration Settings

IP Phone Services Configuration Settings


Security


This chapter contains information on the following topics:

Documentation Changes

Security by Default

Backing Up the System after Regenerating the TFTP Certificate

Regenerating Certificates

Rolling Back the Cluster to a Pre-8.0 Release

Secure Call Monitoring and Recording

Bulk Certificate Management

Virtual Private Networks

Certificate Configuration

HTTPS

Common Phone Profile Configuration Settings

IP Phone Services Configuration Settings

Documentation Changes

This section highlights some documentation changes for the 8.0(1) release; for example, this section highlights new documents, new chapters in guides, and information that moved from one document to another document.

For Cisco Unified Communications Manager Release 8.0, the Cisco Unified Communications Manager Security Guide includes the following new chapters:

Certificate Configuration—See the "Certificate Configuration" section.

Configuring Virtual Private Networks—See the "Virtual Private Networks" section.

Configuring a VPN Profile—See the "Configuring a VPN Gateway" section.

Configuring a VPN Group—See the "Configuring a VPN Group" section.

Configuring a VPN Gateway—See the "Configuring a VPN Gateway" section.

VPN Feature Configuration—See the "Configuring a VPN Profile" section.

Security by Default

This section contains the following topics:

Overview

Trust Verification Service

Initial Trust List

Autoregistration

Supported Cisco Unified IP Phones

Backing Up the System after Regenerating the TFTP Certificate

Upgrading from Cisco Unified Communications Manager Release 7.x to Release 8.0

Rolling Back the Cluster to a Pre-8.0 Release

Overview

Security by Default provides the following automatic security features for Cisco Unified IP Phones:

Signing of the phone configuration files.

Phone configuration file encryption.

HTTPS with Tomcat and other Web services (MIDlets).

For Cisco Unified Communications Manager Release 8.0, these security features are provided by default without running the CTL Client.


Note Secure Signaling and Media will still require running the CTL Client and using the hardware eTokens.


Trust Verification Service

Trust Verification Service (TVS) is the main component of Security by Default. TVS enables Cisco Unified IP Phones to authenticate application servers, such as EM services, directory, and MIDlet, during HTTPS establishment.

TVS provides the following features:

Scalability—Cisco Unified IP Phone resources are not impacted by the number of certificates to trust.

Flexibility—Addition or removal of trust certificates is automatically reflected in the system.

Security by Default—Non-media and signaling security features are part of the default installation and do not require user intervention.


Note Enabling secure signaling and media requires the CTL Client.


TVS Overview

The following basic concepts describe the Trust Verification Service:

TVS runs on the Cisco Unified Communications Manager server and authenticates certificates on behalf of the Cisco Unified IP Phone.

Instead of downloading all the trusted certificates, Cisco Unified IP Phones only need to trust TVS.

The TVS certificates and a few key certificates are bundled in a new file: the Identity Trust List file (ITL).

The ITL file gets generated automatically without user intervention.

The ITL file gets downloaded by Cisco Unified IP Phones and trust flows from there.

Initial Trust List

Cisco Unified IP Phones need an Initial Trust List (ITL) to perform the following tasks:

Authenticate their configuration file signature.

Talk securely to CAPF, a prerequisite for configuration file encryption.

Trust TVS (which authenticates https certificates among other functions).

If the Cisco Unified IP Phone does not have an existing CTL file, it trusts the first ITL File automatically, like it does the CTL File. Subsequent ITL files must be either signed by the same TFTP private key or TVS must be able to return the certificate corresponding to the signer.

If the Cisco Unified IP Phone has an existing CTL file, it uses the CTL file to authenticate the ITL file signature.

ITL Files

The ITL file contains the initial trust list. The ITL file has the same format as the CTL file and is basically a smaller, leaner version of the CTL file. The following attributes apply to the ITL file:

Unlike the CTL File, the system builds the ITL file automatically when you install the cluster, and the ITL file gets updated automatically if the contents need to be changed.

The ITL File does not require eTokens. It uses a soft eToken (the TFTP private key).

The ITL File is downloaded by Cisco Unified IP Phones at boot up time or during reset, right after downloading the CTL File (if present).

Contents of the ITL File

The ITL File contains the following certificates:

The certificate of the TFTP server. This certificate allows the phone to authenticate the ITL File signature and the phone configuration file signature.

All the TVS certificates in the cluster. These certificates allow the phone to talk to TVS securely to request certificate authentication.

The CAPF certificate. This certificate supports configuration file encryption. The CAPF certificate is not strictly required in the ITL File (TVS can authenticate it), but it simplifies the connection to CAPF.

Like the CTL File, the ITL File contains a record for each certificate. Each record contains:

A certificate.

Pre-extracted certificate fields for easy look up by the Cisco Unified IP Phone.

Certificate role (TFTP, CUCM, TFTP+CCM, CAPF, TVS, SAST)

The TFTP certificate is present in two ITL records with two different roles:

TFTP or TFTP+CCM role: to authenticate configuration file signature.

SAST role: to authenticate ITL file signature.

ITL and CTL File Interaction

The Cisco Unified IP Phone still relies on the CTL file to know the cluster security mode (nonsecure or mixed mode). The CTL File tracks the cluster security mode by including the Cisco Unified Communications Manager certificate in the Cisco Unified Communications Manager record.

The ITL File also contains the cluster security mode by setting the role of the TFTP record:

TFTP role: cluster is nonsecure.

TFTP+CCM role: cluster is in mixed mode.


Note The Cisco Unified IP Phone uses the ITL file to infer security mode only when it is in EMCC mode.
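The following model, added here as an illustration and not Cisco code, ties together the rules in the "Initial Trust List", "Contents of the ITL File" and "ITL and CTL File Interaction" sections: the TFTP certificate appearing in both a TFTP/TFTP+CCM record and a SAST record, the cluster security mode read from the TFTP record role, and the three ways a phone can accept an ITL (first ITL with no CTL, a subsequent ITL signed by the same TFTP key or by a signer that a trusted TVS can return, or an ITL authenticated against an existing CTL). Real files carry X.509 certificates and RSA signatures; here a certificate is a name plus key bytes and HMAC-SHA256 stands in for sign/verify so the example runs with the standard library only.

```python
"""Model of how a Cisco Unified IP Phone decides whether to accept an ITL file.

Added illustration, not Cisco code. HMAC-SHA256 is a stand-in for the real
asymmetric signature; the same key bytes are used to sign and to verify.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str
    key: bytes  # stand-in for the key pair (constructed sample values in the test)

    def fingerprint(self) -> str:
        return hashlib.sha256(self.name.encode() + self.key).hexdigest()[:16]


@dataclass(frozen=True)
class Record:
    cert: Cert
    role: str  # TFTP, TFTP+CCM, CCM, CAPF, TVS or SAST


@dataclass(frozen=True)
class TrustList:
    """Same layout for CTL and ITL: records, signer fingerprint, signature."""
    records: tuple
    signer_fp: str
    signature: bytes


def _payload(records) -> bytes:
    return json.dumps([(r.cert.fingerprint(), r.role) for r in records]).encode()


def sign(records, signer: Cert) -> TrustList:
    sig = hmac.new(signer.key, _payload(records), "sha256").digest()
    return TrustList(tuple(records), signer.fingerprint(), sig)


def verify(tl: TrustList, cert: Cert) -> bool:
    expected = hmac.new(cert.key, _payload(tl.records), "sha256").digest()
    return cert.fingerprint() == tl.signer_fp and hmac.compare_digest(expected, tl.signature)


def build_itl(tftp: Cert, tvs_certs, capf: Cert, mixed_mode: bool) -> TrustList:
    """The TFTP cert appears twice: TFTP or TFTP+CCM role, and SAST role (ITL signer)."""
    records = [Record(tftp, "TFTP+CCM" if mixed_mode else "TFTP"), Record(tftp, "SAST")]
    records += [Record(c, "TVS") for c in tvs_certs]
    records.append(Record(capf, "CAPF"))
    return sign(records, tftp)


def cluster_mode(itl: TrustList) -> str:
    """Security mode is inferred from the role of the TFTP record."""
    roles = {r.role for r in itl.records}
    return "mixed" if "TFTP+CCM" in roles else "nonsecure"


class TVS:
    """Trust Verification Service: returns certificates on the phone's behalf."""

    def __init__(self, own_cert: Cert, trusted):
        self.cert = own_cert
        self._trusted = {c.fingerprint(): c for c in trusted}

    def lookup(self, fingerprint: str):
        return self._trusted.get(fingerprint)


class Phone:
    def __init__(self, ctl: TrustList = None):
        self.ctl = ctl
        self.itl = None

    def _candidate_signers(self, new_itl: TrustList, tvs: TVS):
        if self.ctl is not None:
            # CTL present: the ITL signature is authenticated with a CTL certificate
            return [r.cert for r in self.ctl.records if r.cert.fingerprint() == new_itl.signer_fp]
        # Subsequent ITL: same TFTP key as the current ITL's SAST record?
        sast = [r.cert for r in self.itl.records if r.role == "SAST"]
        if any(c.fingerprint() == new_itl.signer_fp for c in sast):
            return sast
        # Otherwise ask TVS, but only a TVS whose certificate is in the current ITL
        trusted_tvs = {r.cert.fingerprint() for r in self.itl.records if r.role == "TVS"}
        if tvs.cert.fingerprint() in trusted_tvs:
            cert = tvs.lookup(new_itl.signer_fp)
            return [cert] if cert else []
        return []

    def accept_itl(self, new_itl: TrustList, tvs: TVS) -> bool:
        if self.ctl is None and self.itl is None:
            self.itl = new_itl  # first ITL, no CTL: trusted automatically
            return True
        if any(verify(new_itl, c) for c in self._candidate_signers(new_itl, tvs)):
            self.itl = new_itl
            return True
        return False  # old ITL kept; this is the "manually delete the ITL" situation
```

The rejected case at the end of the test corresponds to regenerating the TFTP and TVS certificates at the same time without following the ordered procedure described later in this chapter: the new signer is unknown to the phone and the only TVS that could vouch for it is itself not yet trusted.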


Autoregistration

If the cluster is in nonsecure mode, the system supports autoregistration. The default configuration file will also be signed. Cisco Unified IP Phones that do not support Security by Default will be served a nonsigned default configuration file.


Note The system does not support autoregistration in mixed mode.


Supported Cisco Unified IP Phones

You can obtain a list of the Cisco Unified IP Phones that support security by default by using Cisco Unified Reporting. To use Cisco Unified Reporting, follow this procedure:

Procedure


Step 1 From the Cisco Unified Reporting main window, click System Reports.

Step 2 From the System Reports list, click Unified CM Phone Feature List.

Step 3 Choose the appropriate feature from the Feature pull-down menu.

Step 4 Click Submit.


For more information about using Cisco Unified Reporting, see the Cisco Unified Reporting Administration Guide.

Backing Up the System after Regenerating the TFTP Certificate

The trust anchor for the ITL File is a software entity: the TFTP private key. If the server crashes, the key gets lost, and phones will not be able to validate the new ITL File.

In Cisco Unified Communications Manager Release 8.0, the TFTP certificate and private key both get backed up by the Disaster Recovery System. The system encrypts the backup package to keep the private key secret. If the server crashes, the previous certificates and keys will be restored.

Whenever the TFTP certificate gets regenerated, you must create a new system backup. For backup procedures, see the Disaster Recovery System Administration Guide.

Regenerating Certificates

If you regenerate one of the Cisco Unified Communications Manager certificates, you must perform the steps in this section.


Caution After you regenerate a certificate, you must back up your cluster using the Disaster Recovery System (DRS) to be able to recover the cluster.

Regenerating the CAPF Certificate

To regenerate the CAPF certificate, perform the following steps:

 
Step
Additional Information

Step 1 

Regenerate the CAPF certificate.

See Chapter 6, "Security," in the Cisco Unified Communications Operating System Administration Guide.

Step 2 

Restart the CAPF service.

See the "Activating the Certificate Authority Proxy Function Service" section in the Cisco Unified Communications Manager Security Guide.

Step 3 

Restart the TFTP service on the servers on which it is currently running.

See the "Restart the Cisco TFTP Service on the TFTP Servers" section.

Step 4 

Reset the Cisco Unified IP Phones.

See the "Reset all Cisco Unified IP Phones" section.

Regenerating a TVS Certificate

To regenerate a TVS certificate, perform the following steps:


Note If you regenerate all the TVS certificates in the cluster, you can perform these steps after you regenerate all the certificates.



Note If both the TVS and TFTP certificates are regenerated, always perform these steps before regenerating the TFTP certificate. You might need to manually delete the ITL File from all Cisco Unified IP Phones if you do not follow this procedure.


 
Step
Additional Information

Step 1 

Regenerate the TVS certificate.

See Chapter 6, "Security," in the Cisco Unified Communications Operating System Administration Guide.

Step 2 

Restart the TFTP service on the servers on which it is currently running.

See the "Restart the Cisco TFTP Service on the TFTP Servers" section.

Step 3 

Reset the Cisco Unified IP Phones.

See the "Reset all Cisco Unified IP Phones" section.

Regenerating a TFTP Certificate

To regenerate a TFTP certificate, follow these steps:


Note If you regenerate all the TFTP certificates in the cluster, you can perform these steps after you regenerate all the certificates.



Note If both the TFTP and TVS certificates are regenerated, always perform these steps before regenerating the TVS certificate. You might need to manually delete the ITL File from all Cisco Unified IP Phones if you do not follow this procedure.


 
Step
Additional Information

Step 1 

Regenerate the TFTP certificate.

See Chapter 6, "Security," in the Cisco Unified Communications Operating System Administration Guide.

Step 2 

If your cluster is in mixed mode, run the CTL client.

See Chapter 4, "Configuring the CTL Client," in the Cisco Unified Communications Manager Security Guide.

Step 3 

Restart the Cisco TFTP service on the servers on which it is currently running.

See the "Restart the Cisco TFTP Service on the TFTP Servers" section.

Step 4 

If your cluster is in mixed mode, restart the following services if they had been started:

Cisco CallManager

Cisco CTL Provider

Cisco CTL Manager

See Chapter 11, "Configuring Services," in the Cisco Unified Serviceability Administration Guide.

Step 5 

Reset the Cisco Unified IP Phones.

See the "Reset all Cisco Unified IP Phones" section.

Step 6 

If the cluster is part of an EMCC deployment, repeat the steps for bulk certificate provisioning.

See Chapter 6, "Security," in the Cisco Unified Communications Operating System Administration Guide.

Upgrading from Cisco Unified Communications Manager Release 7.x to Release 8.0

To upgrade your cluster from Release 7.x to Release 8.0, follow this procedure:

Procedure

Step 1 Follow the normal procedure for upgrading a cluster. For more information, see Chapter 7, "Software Upgrades," in the Cisco Unified Communications Operating System Administration Guide.


Tip After you finish upgrading all nodes in the cluster to Cisco Unified Communications Manager Release 8.0, you must also follow all the steps in this procedure to ensure that your Cisco Unified IP Phones register with the system.


Step 2 If you are running one of the following releases in mixed mode, you must run the CTL client:

Cisco Unified Communications Manager Release 7.1(2)

All regular releases of 7.1(2)

All ES releases of 712 prior to 007.001(002.32016.001)

Cisco Unified Communications Manager Release 7.1(3)

All regular releases of 713 prior to 007.001(003.21900.003) = 7.1(3a)su1a

All ES releases of 713 prior to 007.001(003.21005.001)


Note For more information about running the CTL client, see Chapter 4, "Configuring the CTL Client," in the Cisco Unified Communications Manager Security Guide.


Restart the Cisco TFTP Service on the TFTP Servers

Step 3 From Cisco Unified Serviceability, choose Tools > Control Center - Feature Services.

The Control Center - Feature Services window displays.

Step 4 Restart the Cisco Tftp service on each node on which it is active.

Step 5 Wait five minutes for TFTP to rebuild the files.

Reset all Cisco Unified IP Phones


Note You must reset all the Cisco Unified IP Phones in the cluster to ensure that the phones have the most current configuration.


Step 6 From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.

The Enterprise Parameters Configuration window displays.

Step 7 Click Reset.

Step 8 Wait ten minutes for the Cisco Unified IP Phones to register with Cisco Unified Communications Manager.

Back Up Your Cluster


Caution You must back up your cluster using the Disaster Recovery System (DRS) to be able to recover the cluster.

Step 9 To back up your cluster using DRS, see the Disaster Recovery System Administration Guide.


Rolling Back the Cluster to a Pre-8.0 Release

Before you roll back a cluster to a pre-8.0 release of Cisco Unified Communications Manager, you must prepare the cluster for rollback using the Prepare Cluster for Rollback to pre-8.0 enterprise parameter.


Caution If a cluster is downgraded to a pre-8.0 release of Cisco Unified Communications Manager without preparing it for rollback, Cisco Unified IP Phones that use Security by Default will be in a loop requesting the CTL, ITL, and signed configuration files while they try to register with Cisco Unified Communications Manager. Cisco Unified IP Phones in this state will not recognize any changes you make to their configuration files, and you may need to manually delete the ITL file on each Cisco Unified IP Phone in the system.

To prepare the cluster for rollback, follow this procedure on each server in the cluster:

Procedure


Step 1 From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.

The Enterprise Parameters Configuration window displays.

Set the Prepare Cluster for Rollback to pre-8.0 enterprise parameter to True.


Note Enable this parameter only if you are preparing to roll back your cluster to a pre-8.0 release of Cisco Unified Communications Manager. Phone services that use https (for example, extension mobility) will not work while this parameter is enabled. However, users will be able to continue making and receiving basic phone calls while this parameter is enabled.


Restart the Cisco Trust Verification Service on all Nodes


Note You must restart services in the order that is specified in this procedure.


Step 2 From Cisco Unified Serviceability, choose Tools > Control Center - Network Services.

The Control Center - Network Services window displays.

Step 3 To restart the Cisco Trust Verification Service, click the Restart button at the bottom of the window.

Step 4 Restart the Cisco Trust Verification Service on all nodes in the cluster.

Restart the Cisco TFTP Service on the TFTP Servers

Step 5 From Cisco Unified Serviceability, choose Tools > Control Center - Feature Services.

The Control Center - Feature Services window displays.

Step 6 Restart the Cisco Tftp service on each node on which it is active.

Step 7 Wait five minutes for TFTP to rebuild the files.

Reset all Cisco Unified IP Phones


Note You must reset all the Cisco Unified IP Phones in the cluster to ensure that the phones have the most current configuration.


Step 8 From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.

The Enterprise Parameters Configuration window displays.

Step 9 Click Reset.

Step 10 Wait ten minutes for the Cisco Unified IP Phones to register with Cisco Unified Communications Manager.

Revert the Cluster to the Previous Release

Step 11 Revert each server in the cluster to the previous release. For more information about reverting a cluster to a previous version, see Chapter 7, "Software Upgrades" in the Cisco Unified Communications Operating System Administration Guide.

Step 12 Wait until the cluster finishes switching to the previous version.

Step 13 If you are running one of the following releases in mixed mode, you must run the CTL client:

Cisco Unified Communications Manager Release 7.1(2)

All regular releases of 7.1(2)

All ES releases of 712 prior to 007.001(002.32016.001)

Cisco Unified Communications Manager Release 7.1(3)

All regular releases of 713 prior to 007.001(003.21900.003) = 7.1(3a)su1a

All ES releases of 713 prior to 007.001(003.21005.001)


Note For more information about running the CTL client, see Chapter 4, "Configuring the CTL Client," in the Cisco Unified Communications Manager Security Guide.


Restart the Cisco TFTP Service on the TFTP Servers

Step 14 From Cisco Unified Serviceability, choose Tools > Control Center - Feature Services.

The Control Center - Feature Services window displays.

Step 15 Restart the Cisco Tftp service on each node on which it is active.

Step 16 Wait five minutes for TFTP to rebuild the files.

Reset all Cisco Unified IP Phones

Step 17 From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.

The Enterprise Parameters Configuration window displays.

Step 18 Click Reset.

Step 19 Wait ten minutes for the Cisco Unified IP Phones to register with Cisco Unified Communications Manager.


Switching Back to Release 8.0

If you decide to switch back to the Release 8.0 partition after you revert the cluster to Release 7.x, follow the procedure in this section.

Procedure


Step 1 Follow the procedure for switching the cluster back to the inactive partition. For more information, see the Cisco Unified Communications Operating System Administration Guide.

Step 2 From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.

The Enterprise Parameters Configuration window displays.

Set the Prepare Cluster for Rollback to pre-8.0 enterprise parameter to False.

Step 3 If you were running one of the following releases in mixed mode, you must run the CTL client:

Cisco Unified Communications Manager Release 7.1(2)

All regular releases of 7.1(2)

All ES releases of 712 prior to 007.001(002.32016.001)

Cisco Unified Communications Manager Release 7.1(3)

All regular releases of 713 prior to 007.001(003.21900.003) = 7.1(3a)su1a

All ES releases of 713 prior to 007.001(003.21005.001)


Note For more information about running the CTL client, see Chapter 4, "Configuring the CTL Client," in the Cisco Unified Communications Manager Security Guide.


Restart the Cisco Trust Verification Service on all Nodes


Note You must restart services in the order that is specified in this procedure.


Step 4 From Cisco Unified Serviceability, choose Tools > Control Center - Network Services.

The Control Center - Network Services window displays.

Step 5 To restart the Cisco Trust Verification Service, click the Restart button at the bottom of the window.

Step 6 Restart the Cisco Trust Verification Service on all nodes in the cluster.

Restart the Cisco TFTP Service on the TFTP Servers

Step 7 From Cisco Unified Serviceability, choose Tools > Control Center - Feature Services.

The Control Center - Feature Services window displays.

Step 8 Restart the Cisco Tftp service on each node on which it is active.

Step 9 Wait five minutes for TFTP to rebuild the files.

Reset all Cisco Unified IP Phones


Note You must reset all the Cisco Unified IP Phones in the cluster to ensure that the phones have the most current configuration.


Step 10 From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.

The Enterprise Parameters Configuration window displays.

Step 11 Click Reset.

Step 12 Wait ten minutes for the Cisco Unified IP Phones to register with Cisco Unified Communications Manager.


Secure Call Monitoring and Recording

This chapter contains information on the following topics:

Secure Call Monitoring and Recording Overview

Configuring Secure Call Monitoring and Recording

Secure Call Monitoring and Recording Overview

Secure calls can be monitored and recorded, as described in this section:

A supervisor can establish a secured monitoring session for a secured or a non-secured call.

The call security of the original call is never impacted or downgraded as a result of a call monitoring request.

The monitoring call is allowed to proceed only when it can be established and maintained at the same security level as the device capability of the agent.

The original call between the agent and customer must have different cryptographic keys than those of the monitoring call. In a monitoring session, the system encrypts the mixed voices of the agent and customer with the new key before sending them to the supervisor.


Note The system does not support secure recording on authenticated phones.


Configuring Secure Call Monitoring and Recording

To configure Secure Call Monitoring and Recording, use the following procedure:

Table 3-1 Configuring Secure Call Monitoring and Recording

 
Step
Notes

Step 1 

Provision secure capability on agent and supervisor phones.

See the "Phone Security Configuration Checklist" in Chapter 5S of the Cisco Unified Communications Manager Security Guide.

Step 2 

Create a secure SIP trunk with the following configuration:

Set the Device Security Mode to Encrypted.

Check the Transmit Security Status check box.

Check the Allow SRTP check box.

Configure the TLS SIP trunk to the recorder.

For more information, see the "Configuring the SIP Trunk Security Profile" chapter in the Cisco Unified Communications Manager Security Guide.

Step 3 

Configure monitoring and recording in the same way you would for non-secure monitoring and recording:

Configure a built-in bridge for the agent phone.

Configure the Call Recording option (enable Automatic Application) using the DN page on the agent phone.

Create a route pattern for the recorder.

Add a call recording profile to the DN.

Provision monitoring and recording tones as needed.

For more information and detailed procedures, see the "Monitoring and Recording" chapter in the Cisco Unified Communications Manager Features and Services Guide.


Bulk Certificate Management

To support the Extension Mobility Cross Cluster (EMCC) feature, the system allows you to execute a bulk import and export operation to and from a common SFTP server that has been configured by the cluster administrator.


Note To support EMCC, the CTLs for all clusters must be signed by a common set of security tokens, with a minimum of one token that is the same among all clusters.


This section contains the following information:

Exporting Certificates

Importing Certificates

Exporting Certificates

To use Bulk Certificate Management to export certificates, use the following procedure:

Procedure


Step 1 Navigate to Security > Bulk Certificate Management.

The Bulk Certificate Management window displays.

Step 2 Enter the appropriate information on the Bulk Certificate Management window. For a description of the fields on this window, see Table 3-2.

Step 3 To save the values you entered, click Save.

Step 4 To export certificates, click Export.

The Bulk Certificate Export popup window displays.

Step 5 From the drop-down menu, choose the type of certificate you want to export:

Tomcat

TFTP

All

Step 6 Click Export.

The system exports and stores the certificates you chose on the central SFTP server.


Importing Certificates

You can also use the Bulk Certificate Management window to import certificates that you have exported from other clusters. However, before the Import button displays, you must complete the following activities:

Export the certificates from at least two clusters to the SFTP server.

Consolidate the exported certificates.

Table 3-2 Bulk Certificate Management Field Descriptions 

Field
Description

IP Address

Enter the IP address of the common server where you want to export the certificates.

Port

Enter the port number.

Default: 22

User ID

Enter the User ID you want to use to log into the server.

Password

Enter the appropriate password.

Directory

Enter a directory on the server where you want to save the certificates.

Example:

/users/cisco


Virtual Private Networks

This section contains the following topics:

Overview

Supported Devices

Configuring the VPN Feature

Configuring a VPN Gateway

Configuring a VPN Group

Configuring a VPN Profile

Overview

The Cisco VPN Client for Cisco Unified IP Phones adds another option for customers attempting to solve the remote telecommuter problem by complementing other Cisco remote telecommuting offerings.

Easy to Deploy—All settings are configured via CUCM administration.

Easy to Use—After configuring the phone within the Enterprise, the user can take it home and plug it into their broadband router for instant connectivity, without any difficult menus to configure.

Easy to Manage—The phone can receive firmware updates and configuration changes remotely.

Secure—The VPN tunnel only applies to voice and IP phone services. A PC connected to the PC port is responsible for authenticating and establishing its own tunnel with VPN client software.

Supported Devices

You can use Cisco Unified Reporting to determine which Cisco Unified IP Phones support the VPN client. From Cisco Unified Reporting, click Unified CM Phone Feature List. For the Feature, choose Virtual Private Network Client from the pull-down menu. The system displays a list of products that support the feature.

For more information about using Cisco Unified Reporting, see the Cisco Unified Reporting Administration Guide.

Configuring the VPN Feature

To configure the VPN feature for supported Cisco Unified IP Phones, follow the steps in Table 3-3.

Table 3-3 VPN Configuration Checklist

Configuration Steps
Notes and Related Procedures

Step 1 

Set up the VPN concentrators for each VPN Gateway.

For configuration information, refer to the documentation for the VPN concentrator, such as the following:

SSL VPN Client (SVC) on ASA with ASDM Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml

Note The ASA software must be version 8.0.4 or later, and the "AnyConnect Cisco VPN Phone" license must be installed.

Note To avoid long delays when the user upgrades the firmware or configuration information on a remote phone, Cisco recommends that you set up the VPN concentrator close in the network to the TFTP or Cisco Unified Communications Manager server. If this is not feasible in your network, you can set up an alternate TFTP or load server that is next to the VPN concentrator.

Step 2 

Upload the VPN concentrator certificates.

Configuring a VPN Gateway

Step 3 

Configure the VPN Gateways.

Configuring a VPN Gateway

Step 4 

Create a VPN Group using the VPN Gateways.

Configuring a VPN Group

Step 5 

Configure the VPN Profile

Configuring a VPN Profile

Step 6 

Add the VPN Group and VPN Profile to a Common Phone Profile.

In Cisco Unified Communications Manager Administration, choose Device > Device Settings > Common Phone Profile. For more information, see the "Common Phone Profile Configuration" chapter in the Cisco Unified Communications Manager Administration Guide.

Note If you do not associate a VPN Profile with the Common Phone Profile, VPN uses the default settings defined in the VPN Feature Configuration window.

Step 7 

Upgrade the firmware for Cisco Unified IP Phones to a version that supports VPN.

To run the Cisco VPN client, a supported Cisco Unified IP Phone must be running firmware release 9.0(2) or higher. For more information about upgrading firmware, see the Cisco Unified IP Phone Administration Guide for Cisco Unified Communications Manager for your Cisco Unified IP Phone model.

Note Before you can upgrade to firmware release 9.0(2), supported Cisco Unified IP Phones must be running firmware release 8.4(4) or later.

Step 8 

Using a supported Cisco Unified IP Phone, establish a VPN connection.

For more information about configuring a Cisco Unified IP Phone and establishing a VPN connection, see the Cisco Unified IP Phone Administration Guide for Cisco Unified Communications Manager for your Cisco Unified IP Phone model.


Configuring a VPN Gateway

To configure a VPN gateway, you must first upload the VPN concentrator certificates and then configure the VPN gateway.

This chapter contains the following sections:

Uploading VPN Concentrator Certificates

Configuring the VPN Gateway

Uploading VPN Concentrator Certificates

Cisco recommends that you generate a certificate on the ASA when you set it up to support the VPN feature. Download the generated certificate to your PC or workstation and then upload it to Cisco Unified Communications Manager using the procedure in this section. Cisco Unified Communications Manager saves the certificate in the Phone-VPN-trust list.

The ASA will send this certificate during the SSL handshake and the Cisco Unified IP Phone compares it against the values stored in the Phone-VPN-trust list.

The Cisco Unified IP Phone sends its Manufacturer Installed Certificate (MIC) by default, or if you configure the CAPF service, the Cisco Unified IP Phone sends its Locally Significant Certificate (LSC).

If you want to use device-level certificate authentication, you need to install the root MIC or CAPF certificate in the ASA so that the Cisco Unified IP Phones are trusted.

You upload certificates to the system using the Cisco Unified Communications Operating System. Follow this procedure to upload VPN concentrator certificates:

Procedure


Step 1 From Cisco Unified Communications Operating System Administration, choose Security > Certificate Management.

The Certificate List window displays.

Step 2 Click Upload Certificate.

The Upload Certificate popup window displays.

Step 3 From the Certificate Name pull-down menu, choose Phone-VPN-trust.

Step 4 Click Browse to choose the file you want to upload.

Step 5 Click Upload File.

Step 6 Choose another file to upload or click Close.


For more information about certificate management, see Chapter 6, "Security," in the Cisco Unified Communications Operating System Administration Guide.

Configuring the VPN Gateway

This section includes the following topics:

Finding a VPN Gateway

Configuring a VPN Gateway

Finding a VPN Gateway

To find a VPN gateway, perform the following procedure:

Procedure


Step 1 In Cisco Unified Communications Manager Administration, choose Advanced Features > VPN > VPN Gateway.

The Find and List VPN Gateways window displays. Records from an active (prior) query may also display in the window.

Step 2 To find all records in the database, ensure the dialog box is empty; go to Step 3.

To filter or search records:

From the first drop-down list box, choose a search parameter.

From the second drop-down list box, choose a search pattern.

Specify the appropriate search text, if applicable.


Note To add additional search criteria, click the + button. When you add criteria, the system searches for a record that matches all criteria that you specify. To remove criteria, click the - button to remove the last added criterion or click the Clear Filter button to remove all added search criteria.


Step 3 Click Find.

All matching records display. You can change the number of items that display on each page by choosing a different value from the Rows per Page drop-down list box.

Step 4 From the list of records that display, click the link for the record that you want to view.


Note To reverse the sort order, click the up or down arrow, if available, in the list header.


The window displays the item that you choose.


Configuring a VPN Gateway

To add, update, or copy a VPN Gateway, perform the following procedure:

Procedure


Step 1 In Cisco Unified Communications Manager Administration, choose Advanced Features > VPN > VPN Gateway.

Step 2 Perform one of the following tasks:

To add a new VPN gateway, click Add New in the Find window and continue with Step 3.

To copy an existing VPN gateway, locate the appropriate VPN gateway as described in the "Finding a VPN Gateway" section, click the Copy button next to the VPN gateway that you want to copy, and continue with Step 3.

To update an existing VPN gateway, locate the appropriate VPN gateway as described in the "Finding a VPN Gateway" section and continue with Step 3.

When you click Add New, the configuration window displays with the default settings for each field. When you click Copy, the configuration window displays with the copied settings.

Step 3 Enter the appropriate settings as described in Table 3-4.

Step 4 Click Save.


Table 3-4 VPN Gateway Configuration Settings

Field
Description

VPN Gateway Name

Enter the name of the VPN gateway.

VPN Gateway Description

Enter a description of the VPN gateway.

VPN Gateway URL

Enter the URL for the main VPN concentrator in the gateway.

Note You must configure the VPN concentrator with a group-URL and use this URL as the gateway URL.

For configuration information, refer to the documentation for the VPN concentrator, such as the following:

SSL VPN Client (SVC) on ASA with ASDM Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml

VPN Certificates for this Gateway

Use the up and down arrow keys to assign certificates to the gateway. If you do not assign a certificate for the gateway, the VPN client will fail to connect to that concentrator.

Note You can assign up to 10 certificates to a VPN Gateway, and you must assign at least one certificate to each gateway. Only certificates that are associated with the Phone-VPN-trust role display in the available VPN certificates list.


Configuring a VPN Group

This chapter provides instructions for creating a VPN group. After you create a VPN group, you can add one of the VPN gateways you just configured to it.

This chapter includes the following sections:

Finding a VPN Group

Configuring a VPN Group

Finding a VPN Group

To find a VPN group, perform the following procedure:

Procedure


Step 1 In Cisco Unified Communications Manager Administration, choose Advanced Features > VPN > VPN Group.

The Find and List VPN Groups window displays. Records from an active (prior) query may also display in the window.

Step 2 To find all records in the database, ensure the dialog box is empty; go to Step 3.

To filter or search records:

From the first drop-down list box, choose a search parameter.

From the second drop-down list box, choose a search pattern.

Specify the appropriate search text, if applicable.


Note To add additional search criteria, click the + button. When you add criteria, the system searches for a record that matches all criteria that you specify. To remove criteria, click the - button to remove the last added criterion or click the Clear Filter button to remove all added search criteria.


Step 3 Click Find.

All matching records display. You can change the number of items that display on each page by choosing a different value from the Rows per Page drop-down list box.

Step 4 From the list of records that display, click the link for the record that you want to view.


Note To reverse the sort order, click the up or down arrow, if available, in the list header.


The window displays the item that you choose.


Configuring a VPN Group

To add, update, or copy a VPN group, perform the following procedure:

Procedure


Step 1 In Cisco Unified Communications Manager Administration, choose Advanced Features > VPN > VPN Group.

Step 2 Perform one of the following tasks:

To add a new VPN group, click Add New in the Find window and continue with Step 3.

To copy an existing VPN group, locate the appropriate VPN group as described in the "Finding a VPN Group" section, click the Copy button next to the VPN group that you want to copy, and continue with Step 3.

To update an existing VPN group, locate the appropriate VPN group as described in the "Finding a VPN Group" section and continue with Step 3.

When you click Add New, the configuration window displays with the default settings for each field. When you click Copy, the configuration window displays with the copied settings.

Step 3 Enter the appropriate settings as described in Table 3-5.

Step 4 Click Save.


Table 3-5 VPN Group Configuration Settings

Field
Definition

VPN Group Name

Enter the name of the VPN group.

VPN Group Description

Enter a description of the VPN group.

All Available VPN Gateways

Scroll to see all available VPN gateways.

VPN Gateways in this VPN Group

Use the up and down arrow buttons to move available VPN gateways into and out of this VPN group.

If the VPN client encounters a critical error and cannot connect to a particular VPN gateway, it will attempt to move to the next VPN gateway in the list.

Note You can add up to a maximum of three VPN gateways to a VPN group. Also, the total number of certificates in the VPN group cannot exceed 10.


Configuring a VPN Profile

This chapter contains information on the following topics:

VPN Profile Overview

Finding a VPN Profile

Configuring a VPN Profile

VPN Profile Overview

Use the VPN Profile window to create a profile that you assign to the Cisco Unified IP Phone by using the Common Phone Profile Configuration window.

Finding a VPN Profile

To find a VPN profile, perform the following procedure:

Procedure


Step 1 In Cisco Unified Communications Manager Administration, choose Advanced Features > VPN > VPN Profile.

The Find and List VPN Profiles window displays. Records from an active (prior) query may also display in the window.

Step 2 To find all records in the database, ensure the dialog box is empty; go to Step 3.

To filter or search records:

From the first drop-down list box, choose a search parameter.

From the second drop-down list box, choose a search pattern.

Specify the appropriate search text, if applicable.


Note To add additional search criteria, click the + button. When you add criteria, the system searches for a record that matches all criteria that you specify. To remove criteria, click the - button to remove the last added criterion or click the Clear Filter button to remove all added search criteria.


Step 3 Click Find.

All matching records display. You can change the number of items that display on each page by choosing a different value from the Rows per Page drop-down list box.

Step 4 From the list of records that display, click the link for the record that you want to view.


Note To reverse the sort order, click the up or down arrow, if available, in the list header.


The window displays the item that you choose.


Configuring a VPN Profile

To add, update, or copy a VPN profile, perform the following procedure:

Procedure


Step 1 In Cisco Unified Communications Manager Administration, choose Advanced Features > VPN > VPN Profile.

Step 2 Perform one of the following tasks:

To add a new profile, click Add New in the Find window and continue with Step 3.

To copy an existing profile, locate the appropriate profile as described in the "Finding a VPN Profile" section, click the Copy button next to the VPN profile that you want to copy, and continue with Step 3.

To update an existing profile, locate the appropriate VPN profile as described in the "Finding a VPN Profile" section and continue with Step 3.

When you click Add New, the configuration window displays with the default settings for each field. When you click Copy, the configuration window displays with the copied settings.

Step 3 Enter the appropriate settings as described in Table 3-6.

Step 4 Click Save.


Table 3-6 VPN Profile Configuration Settings 

Field
Definition

Name

Enter a name for the VPN profile.

Description

Enter a description for the VPN profile.

Enable Auto Network Detection

When you check this check box, the VPN client can only run when it detects that it is out of the corporate network.

Default: Disabled.

MTU

Enter the size, in bytes, for the Maximum Transmission Unit (MTU).

Default: 1290 bytes.

Fail to Connect

This field specifies the amount of time to wait for log-in or connect operations to complete while the system creates the VPN tunnel.

Default: 30 seconds

Enable Host ID Check

When you check this check box, the gateway certificate subjectAltName or CN must match the URL to which the VPN client is connected.

Default: Enabled

Client Authentication Method

From the drop-down list, choose the client authentication method:

User and password

Password only

Certificate (LSC or MIC)

Enable Password Persistence

When you check this check box, a user password gets saved in the phone until either a failed log-in attempt occurs, a user manually clears the password, or the phone resets or loses power.
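The rules spread across the VPN Gateway, VPN Group and VPN Profile tables above (certificates only from the Phone-VPN-trust role, at most 10 certificates per gateway, at most three gateways and 10 certificates per group, failover to the next gateway on a critical error, and the Enable Host ID Check match of subjectAltName or CN against the gateway URL) can be modeled as a configuration validator plus a connection walk. The following Python is an added example, not Cisco code; the data structures, fingerprints and hostnames are constructed, and the single-label wildcard rule in `_name_matches` is an assumption, since the phone firmware's exact matching rule is not documented here.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Limits stated in the VPN Gateway and VPN Group configuration tables.
MAX_CERTS_PER_GATEWAY = 10
MAX_GATEWAYS_PER_GROUP = 3
MAX_CERTS_PER_GROUP = 10
TRUST_ROLE = "Phone-VPN-trust"


@dataclass
class TrustCert:
    """A certificate uploaded through Certificate Management (constructed
    values). The fingerprint stands in for the certificate bytes."""
    fingerprint: str
    common_name: str
    san_dns: list[str] = field(default_factory=list)
    role: str = TRUST_ROLE


@dataclass
class VpnGateway:
    name: str
    url: str                    # the concentrator's group-URL
    certs: list[TrustCert]      # "VPN Certificates for this Gateway"


@dataclass
class VpnGroup:
    name: str
    gateways: list[VpnGateway]  # "VPN Gateways in this VPN Group", failover order


def validate_group(group: VpnGroup) -> list[str]:
    """Return the configuration problems the tables above describe."""
    problems: list[str] = []
    if len(group.gateways) > MAX_GATEWAYS_PER_GROUP:
        problems.append(f"{len(group.gateways)} gateways in group (max {MAX_GATEWAYS_PER_GROUP})")
    total = 0
    for gw in group.gateways:
        if not gw.certs:
            problems.append(f"{gw.name}: no certificate assigned; client cannot connect")
        if len(gw.certs) > MAX_CERTS_PER_GATEWAY:
            problems.append(f"{gw.name}: {len(gw.certs)} certificates (max {MAX_CERTS_PER_GATEWAY})")
        for cert in gw.certs:
            if cert.role != TRUST_ROLE:
                problems.append(f"{gw.name}: {cert.common_name} is not in the {TRUST_ROLE} role")
        total += len(gw.certs)
    if total > MAX_CERTS_PER_GROUP:
        problems.append(f"{total} certificates across group (max {MAX_CERTS_PER_GROUP})")
    return problems


def _name_matches(pattern: str, host: str) -> bool:
    # Assumption: exact match, or a wildcard that covers exactly one DNS label.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def host_id_check(url: str, cert: TrustCert) -> bool:
    """Enable Host ID Check: the certificate subjectAltName or CN must match
    the host in the gateway URL (matching rule assumed, see _name_matches)."""
    host = (urlparse(url).hostname or "").lower()
    candidates = [n.lower() for n in cert.san_dns] + [cert.common_name.lower()]
    return any(_name_matches(p, host) for p in candidates)


def connect(group: VpnGroup, presented: dict[str, TrustCert | None],
            check_host_id: bool = True) -> tuple[str | None, list[str]]:
    """Walk the group's gateways in order, moving to the next one on a critical
    error. `presented` maps a gateway URL to the certificate the concentrator
    sends in the SSL handshake (None when the handshake gets no answer)."""
    log: list[str] = []
    for gw in group.gateways:
        cert = presented.get(gw.url)
        if cert is None:
            log.append(f"{gw.name}: no handshake")
            continue
        if cert.fingerprint not in {c.fingerprint for c in gw.certs}:
            log.append(f"{gw.name}: presented certificate not assigned to this gateway")
            continue
        if check_host_id and not host_id_check(gw.url, cert):
            log.append(f"{gw.name}: host ID check failed for {gw.url}")
            continue
        log.append(f"{gw.name}: connected")
        return gw.name, log
    return None, log


# Constructed scenario: the primary concentrator presents a certificate whose
# names do not cover its group-URL host, so the client moves to the secondary.
PRIMARY_CERT = TrustCert("aa11", "vpn-old.example.com")
SECONDARY_CERT = TrustCert("bb22", "ignored", san_dns=["*.example.com"])
GROUP = VpnGroup("phones", [
    VpnGateway("gw-primary", "https://vpn1.example.com/phone", [PRIMARY_CERT]),
    VpnGateway("gw-secondary", "https://vpn2.example.com/phone", [SECONDARY_CERT]),
])
PRESENTED = {gw.url: gw.certs[0] for gw in GROUP.gateways}
```

Running `connect(GROUP, PRESENTED)` logs the host ID failure on gw-primary and returns gw-secondary; with `check_host_id=False` the mismatched primary certificate is accepted, which is why the check defaults to enabled.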


VPN Feature Configuration

This chapter describes the VPN feature configuration parameters and includes the following section:

Overview

VPN Feature Configuration Parameters

Overview

The VPN Feature Configuration window contains the common configuration settings for the VPN feature that the system uses when you do not associate a VPN Profile with a Common Phone Profile. If you define a VPN Profile as part of configuring a Common Phone Profile, the VPN Profile settings take precedence over the VPN Feature Configuration settings.

VPN Feature Configuration Parameters

To edit the VPN feature configuration parameters, follow this procedure:


Step 1 In Cisco Unified Communications Manager Administration, choose Advanced Features > VPN > VPN Feature Configuration.

The VPN Feature Configuration window displays.

Step 2 Accept the suggested values or enter a new value, as described in Table 3-7.

Step 3 Click Save.


Table 3-7 VPN Feature Configuration Parameters 

Field
Default

Enable Auto Network Detect

When True, the VPN client can only run when it detects that it is out of the corporate network.

Default: False

MTU

This field specifies the maximum transmission unit:

Default: 1290 bytes

Minimum: 256 bytes

Maximum: 1406 bytes

Keep Alive

This field specifies the rate at which the system sends the keep-alive message.

Note If it is non-zero and less than the value specified in Cisco Unified Communications Manager, the keep-alive setting in the VPN concentrator overwrites this setting.

Default: 60 seconds

Minimum: 0

Maximum: 120 seconds

Fail to Connect

This field specifies the amount of time to wait for log-in or connect operations to complete while the system creates the VPN tunnel.

Default: 30 seconds

Minimum: 0

Maximum: 600 seconds

Client Authentication Method

From the drop-down list, choose the client authentication method:

User and password

Password only

Certificate (LSC or MIC)

Default: User And Password

Enable Password Persistence

When True, a user password gets saved in the phone until either a failed log-in attempt occurs, a user manually clears the password, or the phone resets or loses power.

Default: False

Enable Host ID Check

When True, the gateway certificate subjectAltName or CN must match the URL to which the VPN client is connected.

Default: True


Certificate Configuration

Use the Certificate Configuration window to view the certificates on your system. All fields on the Certificate Configuration window are read-only, except Duration in Cache.

This section contains the following topics:

Finding a Certificate

Displaying Certificate Configuration

Finding a Certificate

To find a certificate, perform the following procedure:

Procedure


Step 1 In Cisco Unified Communications Manager Administration, choose System > Security > Certificate.

The Find and List Certificates window displays. Records from an active (prior) query may also display in the window.

Step 2 To find all records in the database, ensure the dialog box is empty; go to Step 3.

To filter or search records:

From the first drop-down list box, choose a search parameter.

From the second drop-down list box, choose a search pattern.

Specify the appropriate search text, if applicable.


Note To add additional search criteria, click the + button. When you add criteria, the system searches for a record that matches all criteria that you specify. To remove criteria, click the - button to remove the last added criterion or click the Clear Filter button to remove all added search criteria.


Step 3 Click Find.

All matching records display. You can change the number of items that display on each page by choosing a different value from the Rows per Page drop-down list box.

Step 4 From the list of records that display, click the link for the record that you want to view.


Note To reverse the sort order, click the up or down arrow, if available, in the list header.


The window displays the item that you choose.


Displaying Certificate Configuration

All fields on the Certificate Management window are read-only, except Duration in Cache.

Table 3-8 VPN Profile Configuration Settings 

Field
Definition

Subject Name (read only)

Displays the subject name for the certificate.

Issuer Name (read only)

Displays the issuer name for the certificate.

Serial Number (read only)

Displays the serial number (MAC address).

IPv4 Address (read only)

Displays the IPv4 address.

IPv6 Address (read only)

Displays the IPv6 address.

Duration in Cache

Enter the time, in hours, that the certificate can persist in the phone cache. A value of zero indicates that the certificate does not get cached. Leave blank to accept the system default value.

Maximum: 720 hours

Selected Roles

Displays the roles currently associated with the certificate.

Selected Services

Displays the services currently associated with the certificate.


HTTPS

This section contains the following topics:

Overview

Phone Configuration Settings

Enterprise Parameter Configuration Settings

Configuring Your Browser to Use HTTPS

Using Internet Explorer 8 to Save the Certificate to the Trusted Folder

Using FireFox with HTTPS

Using Safari with HTTPS

Overview

Prior to Cisco Unified Communications Manager Release 8.0, Cisco Unified IP Phones and services did not support HTTPS communication over port 8443.

For Cisco Unified Communications Manager Release, the following features support HTTPS:

Extension Mobility

Extension Mobility Cross Cluster

Manager Assistant

IP Phone Services (see the "Phone Configuration Settings" section)

Personal Directory (CCMPD)

Change Credentials

Phone Configuration Settings

To support HTTPS in Cisco Unified Communications Manager Release 8.0(1), the Phone Configuration Settings include the secure URL parameters shown in Table 3-9.

Table 3-9 Phone Configuration Settings for Secure URLs 

Field
Description

Secure Authentication URL

Enter the secure URL that the phone uses to validate requests that are made to the phone web server.

Note If you do not provide a Secure Authentication URL, the device uses the nonsecure URL. If you provide both a secure URL and a nonsecure URL, the device chooses the appropriate URL, based on its capabilities.

By default, this URL accesses a Cisco Unified CM User Options window that was configured during installation.

Leave this field blank to accept the default setting.

Maximum length: 255

Secure Directory URL

Enter the secure URL for the server from which the phone obtains directory information. This parameter specifies the URL that secured Cisco Unified IP Phones use when you press the Directory button.

Note If you do not provide a Secure Directory URL, the device uses the nonsecure URL. If you provide both a secure URL and a nonsecure URL, the device chooses the appropriate URL, based on its capabilities.

Leave this field blank to accept the default setting.

Maximum length: 255

Secure Idle URL

Enter the secure URL for the information that displays on the Cisco Unified IP Phone display when the phone is idle, as specified in Idle Timer field. For example, you can display a logo on the LCD when the phone has not been used for 5 minutes.

Note If you do not provide a Secure Idle URL, the device uses the nonsecure URL. If you provide both a secure URL and a nonsecure URL, the device chooses the appropriate URL, based on its capabilities.

To accept the default setting, leave this field blank.

Maximum length: 255

Secure Information URL

Enter the secure URL for the server location where the Cisco Unified IP Phone can find help text information. This information displays when the user presses the information (i) button or the question mark (?) button.

Note If you do not provide a Secure Information URL, the device uses the nonsecure URL. If you provide both a secure URL and a nonsecure URL, the device chooses the appropriate URL, based on its capabilities.

To accept the default setting, leave this field blank.

Maximum length: 255

Secure Messages URL

Enter the secure URL for the messages server. The Cisco Unified IP Phone contacts this URL when the user presses the Messages button.

Note If you do not provide a Secure Messages URL, the device uses the nonsecure URL. If you provide both a secure URL and a nonsecure URL, the device chooses the appropriate URL, based on its capabilities.

To accept the default setting, leave this field blank.

Maximum length: 255

Secure Services URL

Enter the secure URL for Cisco Unified IP Phone services. This is the location that the secure Cisco Unified IP Phone contacts when the user presses the Services button.

Note If you do not provide a Secure Services URL, the device uses the nonsecure URL. If you provide both a secure URL and a nonsecure URL, the device chooses the appropriate URL, based on its capabilities.

To accept the default setting, leave this field blank.

Maximum length: 255


Enterprise Parameter Configuration Settings

To support HTTPS, Cisco Unified Communications Manager Release 8.0(1) supports the following new Enterprise Parameters:

Secured Authentication URL

Secured Directory URL

Secured Idle URL

Secured Information URL

Secured Messages URL

Secured Services URL

Configuring Your Browser to Use HTTPS

The section provides the following procedures for setting up your browser to use HTTPS:

Using Internet Explorer 8 to Save the Certificate to the Trusted Folder

Using FireFox with HTTPS

Using Safari with HTTPS

Using Internet Explorer 8 to Save the Certificate to the Trusted Folder

Be sure to import the Cisco Unified Communications Manager certificate to Internet Explorer 8 to secure access without having to reload the certificate every time that you restart the browser. If you continue to a website that has a certificate warning and the certificate is not in the trust store, Internet Explorer 8 remembers the certificate for the current session only.

After you download the server certificate, Internet Explorer 8 continues to display certificate errors for the website. You can ignore the security warnings when the Trusted Root Certificate Authority trust store for the browser contains the imported certificate.

The following procedure describes how to import the Cisco Unified Communications Manager certificate to the root certificate trust store for Internet Explorer 8.

Procedure


Step 1 Browse to the application on the Tomcat server (for example, enter the hostname, localhost, or IP address for Cisco Unified Communications Manager Administration in the browser).

The browser displays a Certificate Error: Navigation Blocked message to indicate that this website is untrusted.

Step 2 To access the server, click Continue to this website (not recommended).

The Cisco Unified Communications Manager Administration window displays, and the browser displays the address bar and Certificate Error status in red.

Step 3 To import the server certificate, click the Certificate Error status box to display the status report. Click the View Certificates link in the report.

Step 4 Verify the certificate details.

Step 5 Select the General tab in the Certificate window and click Install Certificate.

The Certificate Import Wizard launches.

Step 6 To start the Wizard, click Next.

The Certificate Store window displays.

Step 7 Verify that the Automatic option, which allows the wizard to select the certificate store for this certificate type, is selected and click Next.

Step 8 Verify the setting and click Finish.

A security warning displays for the import operation.

Step 9 To install the certificate, click Yes.

The Import Wizard displays "The import was successful."

Step 10 Click OK. The next time that you click the View certificates link, the Certification Path tab in the Certificate window displays "This certificate is OK."

Step 11 To verify that the trust store contains the imported certificate, click Tools > Internet Options in the Internet Explorer toolbar and select the Content tab. Click Certificates and select the Trusted Root Certification Authorities tab. Scroll to find the imported certificate in the list.

After importing the certificate, the browser continues to display the address bar and a Certificate Error status in red. The status persists even if you reenter the hostname, localhost, or IP address or refresh or relaunch the browser.


Copying the Certificate to File

Copying the certificate to a file and storing it locally allows you to restore the certificate whenever necessary.

Performing the following procedure copies the certificate by using a standard certificate storage format. To copy the certificate contents to file, perform the following procedure:

Procedure


Step 1 Click the Certificate Error status box.

Step 2 Click View Certificates.

Step 3 Click the Details tab.

Step 4 Click the Copy to File button.

Step 5 The Certificate Export Wizard displays. Click Next.

Step 6 The following list defines the file formats from which you can choose. Choose the file format that you want to use for the exported file; click Next.

DER encoded binary X.509 (.CER)—Uses DER to transfer information between entities.

Base-64 encoded X.509 (.CER)—Sends secure binary attachments over the internet; uses ASCII text format to prevent corruption of file.

Cryptographic Message Syntax Standard-PKCS #7 Certificates (.P7B)—Exports the certificate and all certificates in the certification path to the chosen PC.

Step 7 Browse to the location to which you want to export the file copy and name the file. Click Save.

Step 8 The file name and path display in the Certificate Export Wizard pane. Click Next.

Step 9 Your file and settings display. Click Finish.

Step 10 When the successful export dialog box displays, click OK.


Using FireFox with HTTPS

The first time that you (or a user) accesses Cisco Unified Communications Manager Administration or other Cisco Unified Communications Manager SSL-enabled virtual directories (after the Cisco Unified Communications Manager installation/upgrade) from a browser client, a Security Alert dialog box asks whether you trust the server.

When the dialog box displays, you must perform one of the following tasks:

By clicking I Understand The Risks, you choose to trust the certificate for the current web session only. If you trust the certificate for the current session only, the Security Alert dialog box displays each time that you access the application; that is, until you install the certificate in the trusted folder.

By clicking Get Me Out Of Here, you cancel the action. No authentication occurs, and you cannot access the web application. To access the web application, you must click I Understand The Risks.

The following sections tell you how to use HTTPS with FireFox:

Using FireFox 3.x to Save the Certificate to the Trusted Folder

Copying the Certificate to File

Using FireFox 3.x to Save the Certificate to the Trusted Folder

Perform the following procedure to save the HTTPS certificate in the trusted folder in the browser client.

Procedure


Step 1 Access the Tomcat server (for example, enter the hostname, localhost, or IP address for Cisco Unified Communications Manager Administration in the browser).

Step 2 When the Security Alert dialog box displays, click I Understand The Risks.

Step 3 Click Add Exception.

The Add Exception dialog box displays.

Step 4 Click Get Certificate.

Step 5 Check the Permanently store this exception check box.

Step 6 Click Confirm Security Exception.

Step 7 To view the details of the certificate, perform the following steps:

a. From the FireFox browser, click Tools > Options.

The Options dialog box displays.

b. Click Advanced.

c. Click View Certificates.

The Certificate Manager dialog box displays.

d. Highlight the certificate that you want to view and click View.

The Certificate Viewer dialog box displays.

e. Click the Details tab.

f. In the Certificate Fields field, highlight the field that you want to view.

Details display in the Field Values field.

g. From the Certificate Viewer dialog box, click Close.

h. From the Certificate Manager dialog box, click OK.

Copying the Certificate to File

Copying the certificate to a file and storing it locally allows you to restore the certificate whenever necessary.

Performing the following procedure copies the certificate by using a standard certificate storage format. To copy the certificate contents to file, perform the following procedure:

Procedure


Step 1 From the FireFox browser, click Tools > Options.

The Options dialog box displays.

Step 2 If it is not already selected, click Advanced.

Step 3 Click the Encryption tab and click View Certificates.

The Certificate Manager dialog box displays.

Step 4 Click the Servers tab.

Step 5 Highlight the certificate you want to copy and click Export.

The Save Certificate to File dialog box displays.

Step 6 Browse to the location to which you want to copy the file.

Step 7 From the Save as type drop-down list, choose the file type from the following options:

X.509 Certificate (PEM)—Uses PEM to transfer information between entities.

X.509 Certificate with chain (PEM)—Uses Privacy Enhanced Mail to verify the certificate chain and transfer information between entities.

X.509 Certificate (DER)—Uses DER to transfer information between entities.

X.509 Certificate (PKCS#7)—PKCS#7 is a standard for signing or encrypting data. Since the certificate is needed to verify signed data, it is possible to include it in the SignedData structure. A .P7C file is just a degenerate SignedData structure, without any data to sign.

X.509 Certificate with chain (PKCS#7)—Uses PKCS#7 to verify the certificate chain and transfer information between entities.

Step 8 Click Save.

Step 9 Click OK.


Using Safari with HTTPS

The first time that you (or a user) accesses Cisco Unified Communications Manager Administration or other Cisco Unified Communications Manager SSL-enabled virtual directories (after the Cisco Unified Communications Manager installation/upgrade) from a browser client, a Security Alert dialog box asks whether you trust the server.

When the dialog box displays, you must perform one of the following tasks:

By clicking Yes, you choose to trust the certificate for the current web session only. If you trust the certificate for the current session only, the Security Alert dialog box displays each time that you access the application; that is, until you install the certificate in the trusted folder.

By clicking Show Certificate > Install Certificate, you intend to perform certificate installation tasks, so you always trust the certificate. If you install the certificate in the trusted folder, the Security Alert dialog box does not display each time that you access the web application.

By clicking No, you cancel the action. No authentication occurs, and you cannot access the web application. To access the web application, you must click Yes or install the certificate via the Show Certificate > Install Certificate options.


Note The address that you use to access Cisco Unified Communications Manager must match the name on the certificate, or a message will display by default. If you access the web application by using the localhost or IP address after you install the certificate in the trusted folder, a security alert indicates that the name of the security certificate does not match the name of the site that you are accessing.


The following sections tell you how to use HTTPS with Safari:

Using Safari 4.x to Save the Certificate to the Trusted Folder

Copying the Certificate to File

Using Safari 4.x to Save the Certificate to the Trusted Folder

Perform the following procedure to save the HTTPS certificate in the trusted folder in the browser client.

Procedure


Step 1 Access the Tomcat server (for example, enter the hostname, localhost, or IP address for Cisco Unified Communications Manager Administration in the browser).

Step 2 When the Security Alert dialog box displays, click Show Certificate.

You can click the Details tab to view the details of the certificate if you choose to verify the certificate data. To display a subset of settings, if available, choose one of the following options:

All—All options display in the Details pane.

Version 1 Fields Only—Version, Serial Number, Signature Algorithm, Issuer, Valid From, Valid To, Subject, and the Public Key options display.

Extensions Only—Subject Key Identifier, Key Usage, and the Enhanced Key Usage options display.

Critical Extensions Only—Critical Extensions, if any, display.

Properties Only—Thumbprint algorithm and the thumbprint options display.

Step 3 In the Certificate pane, click Install Certificate.

Step 4 When the Certificate Import Wizard displays, click Next.

Step 5 Click the Place all certificates in the following store radio button; click Browse.

Step 6 Browse to Trusted Root Certification Authorities; select it and click OK.

Step 7 Click Next.

Step 8 Click Finish.

A Security Warning Box displays the certificate thumbprint for you.

Step 9 To install the certificate, click Yes.

A message states that the import was successful. Click OK.

Step 10 In the lower right corner of the dialog box, click OK.

Step 11 To trust the certificate, so you do not receive the dialog box again, click Yes.


Tip You can verify that the certificate was installed successfully by clicking the Certification Path tab in the Certificate pane.



Copying the Certificate to File

Copying the certificate to a file and storing it locally allows you to restore the certificate whenever necessary.

The following procedure copies the certificate contents to a file by using a standard certificate storage format:

Procedure


Step 1 In the Security Alert dialog box, click Show Certificate.


Tip In Safari, click the Certificate Error status box to display the Show Certificate option.


Step 2 Click the Details tab.

Step 3 Click the Copy to File button.

Step 4 The Certificate Export Wizard displays. Click Next.

Step 5 The following list defines the file formats from which you can choose. Choose the file format that you want to use for the exported file; click Next.

DER encoded binary X.509 (.CER)—Uses DER to transfer information between entities.

Base-64 encoded X.509 (.CER)—Sends secure binary attachments over the internet; uses ASCII text format to prevent corruption of the file.

Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)—Exports the certificate and all certificates in the certification path to the chosen PC.

Step 6 Browse to the location to which you want to export the file copy and name the file. Click Save.

Step 7 The file name and path display in the Certificate Export Wizard pane. Click Next.

Step 8 Your file and settings display. Click Finish.

Step 9 When the successful export dialog box displays, click OK.
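As an added example that is not part of this Cisco document, the following Python uses only the standard library to work with a certificate exported by the procedure above: it reads either the DER or the Base-64 (.CER) format, computes the thumbprint that the Security Warning box shows at Step 9 of the Internet Explorer procedure so it can be compared out of band, and checks that the address used in the browser matches the certificate's Common Name, as the note earlier in this section requires. The certificate it builds is a constructed skeleton for demonstration only, and the hostname cucm-pub.example.com is assumed.

```python
import hashlib
import ssl
CN_OID = bytes.fromhex("550403")  # id-at-commonName (OID 2.5.4.3)

def _tlv(buf, pos=0):  # read one DER TLV at pos -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: the next (ln & 0x7F) bytes hold the length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def _children(content):  # split a constructed value into its (tag, value) elements
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _tlv(content, pos)
        out.append((tag, val))
    return out

def _enc(tag, content):  # short-form DER encoder, enough for the constructed sample
    return bytes([tag, len(content)]) + content

def build_sample_cert(cn):  # constructed X.509 skeleton: CN only, no real signature
    name = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, CN_OID) + _enc(0x0C, cn.encode()))))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + name + _enc(0x30, b"") + name)  # version, serial, sigAlg, issuer, validity, subject
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))

def der_to_pem(der):  # "Base-64 encoded X.509 (.CER)" export: the DER bytes in PEM armor
    return ssl.DER_cert_to_PEM_cert(der)

def load_der(data):  # accept either export format: PEM armor or "DER encoded binary X.509"
    pem = data.lstrip().startswith(b"-----BEGIN")
    return ssl.PEM_cert_to_DER_cert(data.decode("ascii")) if pem else data

def thumbprint(der, algo="sha1"):  # as the Security Warning box shows it: hash of the DER bytes
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def subject_common_name(der):  # walk Certificate -> tbsCertificate -> subject, return the CN
    _, tbs, _ = _tlv(_tlv(der)[1])  # outer Certificate SEQUENCE, then tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:  # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    for _, rdn in _children(fields[4][1]):  # serial, sigAlg, issuer, validity, subject
        for _, atv in _children(rdn):  # SET OF AttributeTypeAndValue
            oid, val = _children(atv)
            if oid[1] == CN_OID:
                return val[1].decode("utf-8")

def name_matches(der, host):  # the address typed in the browser must equal the CN
    return (subject_common_name(der) or "").lower() == host.lower()
```

The PKCS #7 (.P7B) export is a different container and is not parsed here; a thumbprint computed over a .CER file that matches the one shown in the Security Warning box confirms the exported copy is the same certificate.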


Common Phone Profile Configuration Settings

For Cisco Unified Communications Manager Release 8.0(1), the Common Phone Profile Configuration Settings include the VPN parameters shown in Table 3-10.

Table 3-10 Common Phone Profile Configuration Settings for VPN 

VPN Group—From the drop-down list, choose the VPN Group for the phone.

VPN Profile—From the drop-down list, choose the VPN profile for the phone.


IP Phone Services Configuration Settings

For Cisco Unified Communications Manager Release 8.0, the IP Phone Services Configuration Settings include the Secure Service URL parameter shown in Table 3-11.

Table 3-11 Secure Services URL in IP Phone Services Configuration Settings

Secure-Service URL—Enter the secure URL of the server where the Cisco Unified IP Phone services application is located. Make sure that this server remains independent of the servers in your Cisco Unified Communications Manager cluster. Do not specify a Cisco Unified Communications Manager server or any server that is associated with Cisco Unified Communications Manager (such as a TFTP server or directory database publisher server).

For the services to be available, the phones in the Cisco Unified Communications Manager cluster must have network connectivity to the server.

Note If you do not provide a Secure-Service URL, the device uses the nonsecure URL. If you provide both a secure URL and a nonsecure URL, the device chooses the appropriate URL, based on its capabilities.