Cisco CallManager Security Guide, Release 4.1(3)
Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)


This chapter contains information on the following topics:

HTTPS Overview

Using Internet Explorer to Save the Certificate to the Trusted Folder

Viewing Details of the Certificate

Copying the Certificate to File

Using Netscape to Save the Certificate to the Trusted Folder

Using a Server Authentication Certificate from a Third-Party Certificate Authority

HTTPS Overview

Hypertext Transfer Protocol over Secure Sockets Layer (SSL), which secures communication between the browser client and the IIS server, uses a certificate and a public key to encrypt the data that is transferred over the internet. HTTPS also ensures that the user login password transports securely via the web. The following Cisco CallManager applications support HTTPS, which ensures the identity of the server: Cisco CallManager Administration, Cisco CallManager Serviceability, the Cisco IP Phone User Option Pages, the Bulk Administration Tool (BAT), TAPS, Cisco CDR Analysis and Reporting (CAR), Trace Collection Tool, and the Real-Time Monitoring Tool.

When you install/upgrade Cisco CallManager, the HTTPS self-signed certificate, httpscert.cer, automatically installs on the IIS default website that hosts the Cisco CallManager virtual directories in Table 2-1:

Table 2-1 Cisco CallManager Virtual Directories

| Cisco CallManager Virtual Directory | Corresponding Application |
|---|---|
| CCMAdmin | Cisco CallManager Administration |
| CCMService | Cisco CallManager Serviceability |
| CCMUser | Cisco IP Phone User Option Pages |
| AST | Real-Time Monitoring Tool (RTMT) |
| RTMTReports | RTMT reports archive |
| CCMTraceAnalysis | Trace Analysis Tool |
| PktCap | TAC troubleshooting tools. Note: These troubleshooting tools use the virtual directory to get the trace files that contain the SCCP messages (phone) or UDP and TCP backhaul messages (gateway) traces. |
| ART | Cisco CDR Analysis and Reporting (CAR) |
| CCMServiceTraceCollectionTool | Trace Collection Tool |
| BAT | Bulk Administration Tool (BAT) |
| TAPS | Tool for Auto-Registration Phone Support (TAPS) |


The HTTPS certificate gets stored in the C:\Program Files\Cisco\Certificates directory. If you prefer to do so, you can install a server authentication certificate from a certificate authority and use it instead of the HTTPS self-signed certificate. To use the certificate authority certificate after the Cisco CallManager installation/upgrade, you must delete the self-signed certificate, as described in the "Troubleshooting" section on page 9-1. Then, you install the server authentication certificate that is provided by the certificate authority, as described in the certificate authority documentation.


Note If you access the web application by using the hostname and install the certificate in the trusted folder and then try to access the application by using the localhost or IP address, the Security Alert dialog box displays to indicate that the name of the security certificate does not match the name of the site.

If you use the localhost, the IP address, or the hostname in the URL to access the application that supports HTTPS, you must save the certificate in the trusted folder for each type of URL (with the localhost, IP address, and so on); otherwise, the Security Alert dialog box displays for each type.
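The name check behind the preceding notes can be reproduced offline. The following Python sketch is an added example, not Cisco code: it lists which URL forms do not match the name in the certificate and would therefore raise the name-mismatch Security Alert. The hostname ccm-pub1, the domain example.com, and the address 192.0.2.10 are hypothetical, and the wildcard and IP-address handling goes beyond the single-hostname case in the note.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: a certificate issued to one short hostname, and the
# URL forms that administrators might type (all values are hypothetical).
CERT_NAMES = ["ccm-pub1"]
URLS = [
    "https://ccm-pub1/CCMAdmin",
    "https://CCM-PUB1/CCMUser",
    "https://localhost/CCMAdmin",
    "https://192.0.2.10/CCMService",
    "https://ccm-pub1.example.com/CCMAdmin",
]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def name_matches(cert_name, host):
    """True if one name from the certificate covers the host typed in the URL."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if _is_ip(host) or _is_ip(cert_name):
        # An IP literal matches only the identical address, never a DNS name.
        return (_is_ip(host) and _is_ip(cert_name)
                and ipaddress.ip_address(host) == ipaddress.ip_address(cert_name))
    if cert_name.startswith("*."):
        # A wildcard covers exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return host == cert_name


def mismatched_urls(cert_names, urls):
    """Return the URLs whose host is not covered by any certificate name."""
    bad = []
    for url in urls:
        host = urlsplit(url).hostname or ""   # lower-cased, port removed
        if not any(name_matches(name, host) for name in cert_names):
            bad.append(url)
    return bad


if __name__ == "__main__":
    for url in mismatched_urls(CERT_NAMES, URLS):
        print("name mismatch:", url)
```

Running the same function against the names in a CA-issued replacement certificate shows in advance which URL forms users can keep using without an alert.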


Related Topics

Cisco CallManager Administration Guide

Cisco CallManager System Guide

Bulk Administration Tool User Guide

Cisco CallManager Serviceability Administration Guide

Cisco CallManager Serviceability System Guide

Customizing Your Cisco IP Phone on the Web

Using Internet Explorer to Save the Certificate to the Trusted Folder

Viewing Details of the Certificate

Copying the Certificate to File

Using Internet Explorer with HTTPS

This section provides details on the following topics that are associated with using HTTPS with Internet Explorer:

Using Internet Explorer to Save the Certificate to the Trusted Folder

Viewing Details of the Certificate

Copying the Certificate to File

The first time that you (or a user) access Cisco CallManager Administration or other Cisco CallManager SSL-enabled virtual directories from a browser client after the Cisco CallManager 4.1 installation/upgrade, a Security Alert dialog box asks whether you trust the server. When the dialog box displays, you must perform one of the following tasks:

By clicking Yes, you choose to trust the certificate for the current web session only. If you trust the certificate for the current session only, the Security Alert dialog box displays each time that you access the application; that is, until you install the certificate in the trusted folder.

By clicking View Certificate > Install Certificate, you intend to perform certificate installation tasks, so you always trust the certificate. If you install the certificate in the trusted folder, the Security Alert dialog box does not display each time that you access the web application.

By clicking No, you cancel the action. No authentication occurs, and you cannot access the web application. To access the web application, you must click Yes or install the certificate via the View Certificate > Install Certificate options.

Related Topics

HTTPS Overview

Using Internet Explorer to Save the Certificate to the Trusted Folder

Viewing Details of the Certificate

Copying the Certificate to File

Troubleshooting HTTPS, page 9-4

Using Internet Explorer to Save the Certificate to the Trusted Folder

To save the HTTPS certificate in the trusted folder on the browser client, so the Security Alert dialog box does not display each time that you access the web application, perform the following procedure:

Procedure


Step 1 Browse to the application on the IIS server.

Step 2 When the Security Alert dialog box displays, click View Certificate.

Step 3 In the Certificate pane, click Install Certificate.

Step 4 Click Next.

Step 5 Click the Place all certificates in the following store radio button; click Browse.

Step 6 Browse to Trusted Root Certification Authorities.

Step 7 Click Next.

Step 8 Click Finish.

Step 9 To install the certificate, click Yes.

A message states that the import was successful. Click OK.

Step 10 In the lower-right corner of the dialog box, click OK.

Step 11 To trust the certificate, so you do not receive the dialog box again, click Yes.


Note If you use the localhost, the IP address, or the hostname in the URL to access the application that supports HTTPS, you must save the certificate in the trusted folder for each type of URL (with the localhost, IP address, and so on); otherwise, the Security Alert dialog box displays for each type.



Related Topics

HTTPS Overview

Viewing Details of the Certificate

Copying the Certificate to File

Viewing Details of the Certificate

To view the details of the certificate, perform one of the following tasks:

Click the View Certificate button and then the Details tab.

On the server where the certificate exists, right-click the certificate in C:\Program Files\Cisco\Certificates\httpscert.cer; click Open.


Tip You cannot change any data that displays for the settings in the pane. For descriptive information on the following settings, refer to Microsoft documentation.


The following certificate settings may display:

Version

Serial Number

Signature Algorithm

Issuer

Valid From

Valid To

Subject

Public key

Subject Key Identifier

Key Usage

Enhanced Key Usage

Thumbprint Algorithm

Thumbprint

To display a subset of settings, if available, choose one of the following options:

All—All options display in the Details pane.

Version 1 Fields Only—Version, Serial Number, Signature Algorithm, Issuer, Valid From, Valid To, Subject, and the Public Key options display.

Extensions Only—Subject Key Identifier, Key Usage, and the Enhanced Key Usage options display.

Critical Extensions Only—Critical extensions, if any, display.

Properties Only—Thumbprint algorithm and the thumbprint options display.

Related Topics

HTTPS Overview

Using Internet Explorer to Save the Certificate to the Trusted Folder

Copying the Certificate to File

Copying the Certificate to File

Copying the certificate to file allows you to restore the certificate whenever necessary. You can also use the following procedure to install a certificate file that another user sends you.

Performing the following procedure copies the certificate by using a standard certificate storage format. To copy the certificate contents to file, perform the following procedure:

Procedure


Step 1 In the Security Alert dialog box, click View Certificate.

Step 2 Click the Details tab.

Step 3 Click the Copy to File button.

Step 4 The Welcome Wizard displays. Click Next.

Step 5 The following list defines the file formats from which you can choose. Choose the file format that you want to use to export the file; click Next.

DER encoded binary X.509 (.CER)—Uses DER to transfer information between entities.

Base-64 encoded X.509 (.CER)—Sends secure binary attachments over the internet; uses ASCII text format to prevent corruption of file.

Cryptographic Message Syntax Standard-PKCS #7 Certificates (.P7B)—Exports the certificate and all certificates in the certification path to the chosen PC.

Step 6 Browse to the file that you want to export.

Step 7 Click Finish.

Step 8 When the successful export dialog box displays, click OK.


Related Topics

HTTPS Overview

Using Internet Explorer to Save the Certificate to the Trusted Folder

Viewing Details of the Certificate

Using Netscape with HTTPS

When you use HTTPS with Netscape, you can view the certificate credentials, trust the certificate for one session, trust the certificate until it expires, or not trust the certificate at all.


Tip If you trust the certificate for one session only, you must repeat the "Using Netscape to Save the Certificate to the Trusted Folder" procedure each time that you access the HTTPS-supported application. If you do not trust the certificate, you cannot access the application.


Related Topics

HTTPS Overview

Using Netscape to Save the Certificate to the Trusted Folder

Troubleshooting HTTPS, page 9-4

Using Netscape to Save the Certificate to the Trusted Folder

Perform the following procedure to save the certificate to the trusted folder:

Procedure


Step 1 Access the application, for example, Cisco CallManager Administration, through Netscape.

Step 2 After the New Site Certificate window displays, click Next.

Step 3 After the next New Site Certificate window displays, click Next.


Tip To view the certificate credentials before you click Next, click More Info. Review the credentials, and click OK; then, click Next in the New Site Certificate window.


Step 4 Click one of the following radio buttons:

Accept this certificate for this session

Do not accept this certificate and do not connect

Accept this certificate forever (until it expires)

Step 5 Click Next.

Step 6 If you clicked the Do not accept this certificate... radio button, go to Step 8.

Step 7 If you want Netscape to warn you before sending information to other sites, check the Warn me before I send information to this site check box; then, click Next.

Step 8 Click Finish.


Related Topics

HTTPS Overview

Using Netscape with HTTPS

Troubleshooting HTTPS, page 9-4

Using a Server Authentication Certificate from a Third-Party Certificate Authority

To use a server authentication certificate from a third-party certificate authority instead of the certificate that is provided with Cisco CallManager, perform the following procedure:

Procedure


Step 1 Delete the HTTPS certificate, as described in the "Deleting the HTTPS Certificate" section on page 9-8.

Step 2 Install the certificate that you want to use.

Step 3 Right-click the certificate file.

Step 4 Choose the Install Certificate option.


Tip You can install by using the default setting.


Step 5 Install the certificate on the IIS default website by performing the following tasks:

a. Choose Start > Programs > Administrative Tools > Internet Service Manager.

b. Click the name of the server where you want to install the certificate.

c. Click the Directory Security tab.

d. Under Secure Communications, click the Server Certificate button.

e. Click Next.

f. Choose the Assign an Existing Certificate option.

g. Choose the certificate from Step 2.

h. Click Next.

i. Click Finish.

Step 6 Rename the Root CA certificate to httpscert.cer.

Step 7 Copy the certificate to C:\program files\cisco\certificates in DER format.
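The DER and Base-64 export formats listed in "Copying the Certificate to File" share the .CER extension, and Step 7 requires DER. The following Python sketch is an added example, not Cisco code: it tells the two encodings apart, normalizes to DER, and computes the hash of the DER bytes (SHA-1 is what Windows shows in the Thumbprint field), so that an exported copy can be compared with the server's httpscert.cer before it is trusted or copied into place. The sample bytes are a constructed placeholder, not a real certificate.

```python
import base64
import binascii
import hashlib
import ssl

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

# Constructed placeholder bytes (a DER SEQUENCE header plus filler), NOT a real
# certificate; real input would be the bytes of an exported .cer file.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))
SAMPLE_BASE64 = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")


def cer_to_der(data: bytes) -> bytes:
    """Return DER bytes for a .cer file saved as either DER or Base-64."""
    text = data.strip()
    if text.startswith(PEM_BEGIN):
        if not text.endswith(PEM_END):
            raise ValueError("Base-64 file is truncated: END line missing")
        body = b"".join(text[len(PEM_BEGIN):-len(PEM_END)].split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"corrupt Base-64 body: {exc}") from exc
    else:
        der = data
    # A certificate is one ASN.1 SEQUENCE: tag 0x30, then a DER length field.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER-encoded certificate")
    if der[1] & 0x80:                      # long form: next n bytes hold the length
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    else:                                  # short form: length fits in one byte
        header, length = 2, der[1]
    if header + length != len(der):
        raise ValueError("DER length does not match file size")
    return der


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Hash of the DER encoding, as upper-case hex with no spaces."""
    return hashlib.new(algorithm, der).hexdigest().upper()


def same_certificate(file_a: bytes, file_b: bytes) -> bool:
    """True if two .cer files hold the same certificate in any encoding."""
    return thumbprint(cer_to_der(file_a), "sha256") == thumbprint(cer_to_der(file_b), "sha256")
```

To use it on real files, read each .cer file in binary mode and pass the bytes to `same_certificate`; writing the result of `cer_to_der` back to disk yields the DER form that Step 7 asks for.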


Related Topics

Troubleshooting, page 9-1

HTTPS Overview