FIPS, or Federal Information Processing Standard, is a U.S. and Canadian government certification standard that defines requirements that cryptographic modules must follow. A cryptographic module is a set of hardware, software, and/or firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.
Certain versions of Unified Communications Manager are FIPS 140-2 compliant, in accordance with the U.S. National Institute of Standards and Technology (NIST), and can operate in FIPS mode at Level 1 compliance. Cisco Prime Collaboration Deployment meets FIPS 140-2 requirements by using Cisco-verified libraries.
For information about which releases are FIPS-compliant and to view their certifications, see http://www.cisco.com/c/en/us/solutions/industries/government/global-government-certifications/fips-140.html.
For details on EnhancedSecurityMode, see EnhancedSecurityMode Support.
Note | Elliptic Curve Digital Signature Algorithm (ECDSA) ciphers are not supported in Cisco Prime Collaboration Deployment. During TLS negotiation the server therefore never offers the ECDSA certificate, even though the show cert list own CLI command may list an ECDSA self-signed certificate. |
Enabling EnhancedSecurityMode does not enable these features by default; you must configure them separately.
Password length must be between 14 and 127 characters.
The password must contain at least 1 lowercase letter, 1 uppercase letter, 1 digit, and 1 special character.
None of the previous 24 passwords can be reused.
The minimum age of a password is 1 day and the maximum age is 60 days.
A newly generated password must differ from the old password in at least 4 characters of its character sequence.
Once this mode is enabled, the system enforces this stricter credential policy automatically for all password changes.
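The rules above are easy to get subtly wrong (for example, checking the history rule but forgetting the minimum age, which is what stops a user from cycling through 24 changes in one sitting to get back to a favourite password). The following is an added example of a validator that applies all of them; it is illustrative code, not the Cisco Prime Collaboration Deployment implementation. It assumes the "differ by at least 4 characters" rule is measured as a positional comparison, which the page does not specify, and it keeps passwords in plaintext only so the rules are visible; a real system stores salted hashes and checks the history rule by verifying the candidate against each stored hash.

```python
# Added example (not PCD code): validator for the EnhancedSecurityMode
# credential policy. Times are epoch seconds so the age rules are testable.
import string

DAY = 86400                 # seconds
MIN_LEN, MAX_LEN = 14, 127
HISTORY_DEPTH = 24
MIN_AGE = 1 * DAY
MAX_AGE = 60 * DAY
MIN_CHAR_DIFF = 4
SPECIALS = set(string.punctuation)


def char_difference(old: str, new: str) -> int:
    """Positions at which old and new differ, counting extra length as differing.
    Assumption: the page does not define how 'differ by at least 4 characters'
    is measured; a positional comparison is used here."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def check_password(new: str, history: list, last_changed: float, now: float) -> list:
    """Return the list of violated rules; an empty list means the change is allowed.
    history[0] is the current password, followed by older ones (newest first).
    Plaintext history is a simplification for illustration only."""
    errors = []
    if not MIN_LEN <= len(new) <= MAX_LEN:
        errors.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if not any(c.islower() for c in new):
        errors.append("at least 1 lowercase letter required")
    if not any(c.isupper() for c in new):
        errors.append("at least 1 uppercase letter required")
    if not any(c.isdigit() for c in new):
        errors.append("at least 1 digit required")
    if not any(c in SPECIALS for c in new):
        errors.append("at least 1 special character required")
    if new in history[:HISTORY_DEPTH]:
        errors.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
    if history and char_difference(history[0], new) < MIN_CHAR_DIFF:
        errors.append(f"must differ from the current password in at least "
                      f"{MIN_CHAR_DIFF} characters")
    if now - last_changed < MIN_AGE:
        errors.append("current password is younger than the 1-day minimum age")
    return errors


def password_expired(last_changed: float, now: float) -> bool:
    """True once the 60-day maximum age has passed and a change must be forced."""
    return now - last_changed > MAX_AGE
```

The minimum-age check is what gives the 24-entry history its teeth: without it, the history rule can be defeated in a minute by making 24 throwaway changes.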
The encryption and decryption of application passwords is done in the platformConfig.xml file. During installation, the application password is re-encrypted through the Advanced Encryption Standard (AES) algorithm and is saved in the platformConfig.xml file.
utils fips enable—Enable FIPS mode. For details, see the Enable FIPS Mode procedure.
utils fips disable—Disable FIPS mode. For details, see the Disable FIPS Mode procedure.
utils fips status—Provide the details whether FIPS mode is enabled or disabled on a server.
Note | The disaster recovery system CLI commands are supported in FIPS mode. For details on these commands, see the CLI Commands and Disaster Recovery System chapter of the Cisco Prime Collaboration Deployment Administration Guide at http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-maintenance-guides-list.html. |
You can enable the FIPS mode through CLI.
Caution | Before you enable FIPS mode, we strongly recommend that you perform a system backup. If FIPS checks fail at start-up, the system halts and requires a recovery CD to be restored. |
You can disable FIPS mode through the CLI using the following procedure:
As part of the EnhancedSecurityMode requirement, an audit framework is introduced in Cisco Prime Collaboration Deployment. The audit framework covers audit activities on both the local server and a remote server. In EnhancedSecurityMode, the number of sign-in sessions per user is limited according to the CLI command configuration.
Note | By default, auditing is not enabled in Cisco Prime Collaboration Deployment. If you wish to have audit logs, you can enable auditing with or without being in FIPS mode or EnhancedSecurityMode. |
For details on audit framework and audit activities, see Audit Framework and Audit Activities.
As part of audit framework, you can configure logging audit details from the Cisco Prime Collaboration Deployment application.
If you configure audit logs for any of the above options, changes to the field values generate an audit log entry on the local server or the remote syslog server. Examples of audited activities include enabling log rotation, configuring the maximum number of files and the file size, and adding or modifying log files.
For details on how to configure audit logs, see the Configure Audit Logs procedure.
Use this procedure to configure audit logs for local and remote syslog server through the Cisco Prime Collaboration Deployment application.
Step 1 | From the Cisco Prime Collaboration Deployment application, click the open and close navigation button and choose . |
Step 2 | Choose one of the options from the Application Audit Event Level drop-down list to configure an audit level. |
Step 3 | Enter the name or IP address of the remote syslog server in the Remote Syslog Server Name / IP field so that the audit logs are sent to this remote server. |
Step 4 | (Optional) Check or uncheck the Enable Local Audit Log check box to enable or disable the local audit log. |
Step 5 | (Optional) Check or uncheck the Enable Log Rotation check box to enable or disable log rotation. |
Step 6 | Enter an integer value in the Maximum No of Files field to configure the maximum number of audit log files that can be created on the server. |
Step 7 | Enter a value in the Maximum File Size (MB) field to configure the maximum size of each log file that is created on the server. |
Step 8 | Enter the warning threshold value in the Warning Threshold for Approaching Log Rotation Overwrite (%) field. |
Step 9 | Click Save. |
Step 10 | (Optional) Click Reset. The page is reset to the default values. |
Setting | Description
---|---
Audit Level Settings section |
Application Audit Event Level |
Remote SysLog Settings section |
Remote Syslog Server Name / IP | Enter the name or IP address of the remote syslog server to which the audit logs are sent.
Local Audit Log Settings section |
Enable Local Audit Log | Check or uncheck this check box to enable or disable the local audit log.
Enable Log Rotation | Check or uncheck this check box to enable or disable log rotation.
Maximum No of Files | Enter an integer value to configure the maximum number of audit log files that can be created on the server.
Maximum File Size (MB) | Enter a value to configure the maximum size of each audit log file that is created on the server.
Warning Threshold for Approaching Log Rotation Overwrite (%) | Enter the warning threshold value. After the configured percentage is reached, an email notification is sent to users asking them to back up the audit log files, because these files are deleted or overwritten during log rotation. For details, see the Email notification topic in the Cisco Prime Collaboration Deployment Administration Guide.
Save | Click this button to save the changes you have made on this page.
Reset | Click this button to restore the default values on this page.
This topic from the Cisco Prime Collaboration Deployment Administration Guide is updated with the following information:
You can choose to send an email notification to a user after the value that is configured in the Warning Threshold for Approaching Log Rotation Overwrite(%) field from the Audit Log Configuration window is reached. The email notification informs the user to take back up of the audit log files because they will be deleted or overwritten.
For details on how to configure a customized logon message, see the Configure Customized Logon Message procedure.
Use this procedure to configure customized logon messages when a user signs into the Cisco Prime Collaboration Deployment application.
Step 1 | From the Cisco Prime Collaboration Deployment application, click the open and close navigation button and choose . |
Step 2 | For the Upload File field, browse to the location of file that includes the customized logon message. |
Step 3 | (Optional) Check or uncheck the Require User Acknowledgement check box to enable or disable user acknowledgment for the file that the user receives. If this field is enabled, users get an acknowledgment as an alert message on the Cisco Prime Collaboration Deployment sign-in page after they sign out for the first time from the same web browser instance. |
Step 4 | Click Upload File. The file with the customized logon message is uploaded and a pop-up appears showing the file upload status. |
Step 5 | (Optional) Click Delete. The file with the customized logon message is deleted and a pop-up appears showing the file deletion status. |
Setting | Description
---|---
Upload Customized Logon File |
Upload File | Click the Browse button and browse to the location of the file that contains the customized sign-on message.
Require User Acknowledgment | Check or uncheck this check box to enable or disable user acknowledgment of the file that the user receives. If enabled, users see the acknowledgment as an alert message on the Cisco Prime Collaboration Deployment sign-in page after they sign out for the first time from the same web browser instance.
Upload File | Click this button to upload the file with the customized sign-on message to the server. After the upload, a pop-up shows the file upload status.
Delete | Click this button to delete the file with the customized sign-on message. After the deletion, a pop-up shows the file deletion status.
An administrator can configure the sign-in session limit for each user. A user can sign in to the Cisco Prime Collaboration Deployment application through multiple windows and web browsers, up to the configured number of sign-in sessions. If a user exceeds the configured number of sign-in sessions, an error message appears on the sign-in page and the user is not allowed to sign in.
An administrator can configure the limit of sign-in sessions through the following CLI command:
set session maxlimit <value>
where the default value is 10 and the maximum value is 100.
Note | When users exceed the configured number of sign-in sessions, they must sign out of the application in an existing session before they can sign in to a new one. If a session was closed by an abrupt exit from the web browser, it is not released; users then need to restart the Tomcat server on Cisco Prime Collaboration Deployment before the new sign-in is allowed. |
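The note above describes the classic failure mode of a concurrent-session cap: a session that is never explicitly signed out keeps counting against the user until something reaps it. The following is an added example of a per-user session limiter with the same default (10) and ceiling (100) as set session maxlimit; it is illustrative code, not the Cisco Prime Collaboration Deployment implementation. The minimum value of 1 and the optional idle-timeout reaper are assumptions for the example: with no reaper configured, the limiter reproduces the stuck-session behaviour the note describes.

```python
# Added example (not PCD code): per-user concurrent sign-in limit.
import secrets

DEFAULT_MAX_SESSIONS = 10   # default for `set session maxlimit`
MAX_CONFIGURABLE = 100      # ceiling for `set session maxlimit`


class SessionLimiter:
    def __init__(self, max_sessions=DEFAULT_MAX_SESSIONS, idle_timeout=None):
        # Assumption: a lower bound of 1; the page only states default and maximum.
        if not 1 <= max_sessions <= MAX_CONFIGURABLE:
            raise ValueError(f"maxlimit must be between 1 and {MAX_CONFIGURABLE}")
        self.max_sessions = max_sessions
        self.idle_timeout = idle_timeout   # seconds; None means never reap (assumption)
        self._sessions = {}                # token -> (user, last_seen epoch seconds)

    def active_sessions(self, user, now):
        """Number of live sessions for user after reaping idle ones."""
        self._reap(now)
        return sum(1 for u, _ in self._sessions.values() if u == user)

    def sign_in(self, user, now):
        """Return a new session token, or None when the user is at the limit
        (the caller then shows the error on the sign-in page)."""
        if self.active_sessions(user, now) >= self.max_sessions:
            return None
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[token] = (user, now)
        return token

    def touch(self, token, now):
        """Record activity so an in-use session is not reaped."""
        if token in self._sessions:
            user, _ = self._sessions[token]
            self._sessions[token] = (user, now)

    def sign_out(self, token):
        """Explicit sign-out is the only release path when idle_timeout is None."""
        self._sessions.pop(token, None)

    def _reap(self, now):
        if self.idle_timeout is None:
            return  # abandoned sessions persist: the "restart Tomcat" situation
        dead = [t for t, (_, seen) in self._sessions.items()
                if now - seen > self.idle_timeout]
        for t in dead:
            del self._sessions[t]
```

The test below shows both behaviours: without an idle timeout an abandoned session blocks the user indefinitely; with one, the slot frees itself after the timeout.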
You can use the command line interface (CLI) to enable the EnhancedSecurityMode in Cisco Prime Collaboration Deployment. To enable this mode, create a status file and run the scripts for applications. The applications read the status file and respond accordingly when the system is restarted.
Sign in banner appears prior to interface sign-in prompt
The Department of Defense (DoD) sign-in banner appears prior to console sign-in prompts
File Transfer Protocol Secure (FTPS) or File Transfer Protocol (FTP) service and SSH are configured with the DoD sign-in banner
The banner appears on the screen until a user signs on for further access
Audit tools are secured from unauthorized modification
Audit records are used through reports
New password is verified, as per EnhancedSecurityMode credential policy, when a user changes password
Note | For credential policy for EnhancedSecurityMode, see Credential Policy for EnhancedSecurityMode. |
For details, see the Configure EnhancedSecurityMode procedure.
An administrator can use this procedure on Cisco Prime Collaboration Deployment to configure EnhancedSecurityMode. When this mode is enabled, the following sign-in behavior is enforced automatically:
User Sign-in Scenario | Result of Sign-in Attempt
---|---
Sign-in with valid credentials | Sign-in is successful and the application home page is accessible
Sign-in with invalid credentials | Sign-in fails
Sign-in after the number of attempts on the application is exceeded | The account is locked after three consecutive unsuccessful attempts
Sign-in after the number of attempts on the CLI is exceeded | CLI sign-in fails because the account is locked, even if the user types the correct password
Sign-in to the application after the lockout period expires | After the 5-minute lockout period, the application is available for sign-in
Sign-in to the CLI after the lockout period expires | After the 5-minute lockout period expires, the account is unlocked and you can sign in to the CLI
Sign-in to the application when the account is locked due to inactivity | The account is locked because the session was inactive
Sign-in to the application after the inactivity lockout is resolved | Sign-in is successful
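The failed-attempt rows above describe a small state machine: three consecutive failures lock the account for 5 minutes, a correct password is still rejected while the lock is in force, and the lock clears by itself afterwards. The following is an added example of that logic; it is illustrative code, not the Cisco Prime Collaboration Deployment implementation. Time is passed in as epoch seconds so the behaviour is deterministic, the credential store is constructed sample data, and the inactivity-lockout rows are not modelled.

```python
# Added example (not PCD code): account lockout after consecutive failures.
import hmac
from dataclasses import dataclass

MAX_FAILURES = 3          # consecutive failures that trigger the lock
LOCKOUT_SECONDS = 5 * 60  # 5-minute lockout period


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class LockoutPolicy:
    def __init__(self, credentials):
        # credentials: {username: password}. Constructed sample data; a real
        # store holds salted hashes and verifies rather than compares.
        self._creds = credentials
        self._state = {}

    def _state_for(self, user):
        return self._state.setdefault(user, AccountState())

    def is_locked(self, user, now):
        return self._state_for(user).locked_until > now

    def sign_in(self, user, password, now):
        """Return 'ok', 'failed' or 'locked' for one sign-in attempt at time now."""
        st = self._state_for(user)
        if st.locked_until > now:
            return "locked"       # a correct password is irrelevant while locked
        st.locked_until = 0.0     # any earlier lockout has expired by now
        expected = self._creds.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures = 0       # a success resets the consecutive-failure count
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"
```

Note that unknown usernames are counted and locked the same way as known ones, so the response does not reveal whether an account exists.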
Complete the following tasks to add remote audit logging support for platform audit logs, remote support logs, and CSV files. For these types of logs, the FileBeat client and a logstash server are used.
Ensure that you have set up an external logstash server.
Step 1 | Configure the FileBeat client with the external logstash server details, such as IP addresses, ports, and file types. For procedure, see Configure Logstash Server Information. |
Step 2 | Enable the FileBeat client for remote audit logging. For procedure, see Configure the FileBeat Client. |
Use this procedure to configure the FileBeat client with the external logstash server information, such as IP address, port number, and downloadable file types.
Make sure that you have set up your external logstash server.
Use this procedure to enable or disable the FileBeat client for uploads of platform audit logs, remote support logs, and CSV files.
file view activelog <audit log file name>
file get activelog <audit log file name>
file delete activelog <audit log file name>
file dump activelog <audit log file name>
file tail activelog <audit log file name>
file search activelog <audit log file name> <search string>
file view inactivelog <audit log file name>
file get inactivelog <audit log file name>
file delete inactivelog <audit log file name>
file dump inactivelog <audit log file name>
file tail inactivelog <audit log file name>
file search inactivelog <audit log file name> <search string>
utils auditd enable
utils auditd disable
utils auditd status
Note | When EnhancedSecurityMode is not enabled, audit log files have permission 640 with group ownership ccmsyslog. As part of the EnhancedSecurityMode requirement, the file permission is changed to 600 with file and group ownership by root. Hence, by default, the files saved at the /var/log/active/syslog location are changed to permission 600 and ownership root. |
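Because the mode change alters ownership and permissions on existing files, it is worth verifying the result rather than assuming it. The following is an added example of a check for the two expected states (0600 owned by root in EnhancedSecurityMode, 0640 with group ccmsyslog otherwise); it is illustrative code, not part of Cisco Prime Collaboration Deployment. It assumes Linux (the pwd and grp modules), treats a more restrictive mode as compliant, and includes a helper that builds a constructed sample directory so the check can be exercised away from the appliance; the id-to-name resolvers are injectable for the same reason.

```python
# Added example (not PCD code): verify mode and ownership of audit log files.
import grp
import os
import pwd
import stat
import tempfile

EXPECTED = {
    # enhanced_security -> (maximum permitted mode bits, required owner, required group)
    True:  (0o600, "root", None),
    False: (0o640, None, "ccmsyslog"),
}


def check_audit_dir(directory, enhanced_security, uid_name=None, gid_name=None):
    """Return a list of (filename, problem) findings; an empty list means compliant.
    uid_name/gid_name map ids to names and default to the system databases;
    they are injectable so the check can run where the files are not root's."""
    uid_name = uid_name or (lambda uid: pwd.getpwuid(uid).pw_name)
    gid_name = gid_name or (lambda gid: grp.getgrgid(gid).gr_name)
    max_mode, owner, group = EXPECTED[enhanced_security]
    findings = []
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if not stat.S_ISREG(st.st_mode):
            continue  # symlinks and subdirectories are out of scope here
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~max_mode:  # any permission bit beyond what is allowed
            findings.append((name, f"mode {mode:04o} exceeds {max_mode:04o}"))
        if owner and uid_name(st.st_uid) != owner:
            findings.append((name, f"owner is not {owner}"))
        if group and gid_name(st.st_gid) != group:
            findings.append((name, f"group is not {group}"))
    return findings


def make_sample_dir(modes):
    """Create a constructed temp directory of empty files with the given {name: mode}."""
    directory = tempfile.mkdtemp(prefix="audit-check-")
    for name, mode in modes.items():
        path = os.path.join(directory, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return directory
```

On the appliance itself, call check_audit_dir("/var/log/active/syslog", True) with the default resolvers after enabling EnhancedSecurityMode; any finding means a file survived with the old 640/ccmsyslog settings.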