Cisco Unified Communications Manager Security Guide, Release 6.0(1)
Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

This chapter contains information on the following topics:

HTTPS Overview

Using Internet Explorer with HTTPS

Using Internet Explorer to Save the Certificate to the Trusted Folder

Viewing Details of the Certificate

Copying the Certificate to File

Using Netscape to Save the Certificate to the Trusted Folder

Where to Find More Information

HTTPS Overview

Hypertext Transfer Protocol over Secure Sockets Layer (SSL), which secures communication between the browser client and the Tomcat server, uses a certificate and a public key to encrypt the data that is transferred over the Internet. HTTPS also ensures that the user login password is transported securely over the web. The following Cisco Unified Communications Manager applications support HTTPS, which ensures the identity of the server: Cisco Unified Communications Manager Administration, Cisco Unified Serviceability, the Cisco Unified IP Phone User Option Pages, Cisco Unified Communications Manager Auto-Register Phone Tool, Cisco Unified Communications Manager CDR Analysis and Reporting, Dialed Number Analyzer, and the Cisco Unified Real-Time Monitoring Tool.

When you install or upgrade Cisco Unified Communications Manager, the HTTPS self-signed certificate (tomcat_cert) is generated on the platform. The self-signed certificate migrates during upgrades. A copy of the certificate is made in .DER and .PEM formats. Table 2-1 shows the applications that use HTTPS in Cisco Unified Communications Manager.

Table 2-1 Cisco Unified Communications Manager HTTPS Applications

| Cisco Unified Communications Manager HTTPS Application | Web Application |
|---|---|
| CMAdmin | Cisco Unified Communications Manager Administration |
| CMService | Cisco Unified Serviceability |
| CMUser | Cisco Personal Assistant |
| AST | Cisco Unified Real-Time Monitoring Tool |
| RTMTReports | Cisco Unified Real-Time Monitoring Tool reports archive |
| PktCap | TAC troubleshooting tools that are used for packet capturing |
| ART | Cisco Unified Communications Manager CDR Analysis and Reporting |
| TAPS | Cisco Unified Communications Manager Auto-Register Phone Tool |
| dna | Dialed Number Analyzer |
| drf | Disaster Recovery System |
| SOAP | Simple Object Access Protocol API for reading from and writing to the Cisco Unified Communications Manager database |

Note For security, all Web applications using SOAP require HTTPS. HTTP is not supported for SOAP applications. Existing applications that use HTTP will fail; they cannot be converted to HTTPS by changing directories.



Note If you access the web application by using the hostname and install the certificate in the trusted folder and then try to access the application by using the localhost or IP address, the Security Alert dialog box displays to indicate that the name of the security certificate does not match the name of the site.

If you use the localhost, the IP address, or the hostname in the URL to access the application that supports HTTPS, you must save the certificate in the trusted folder for each type of URL (with the localhost, IP address, and so on); otherwise, the Security Alert dialog box displays for each type.


Using Internet Explorer with HTTPS

This section provides details on the following topics about using HTTPS with Internet Explorer:

Using Internet Explorer to Save the Certificate to the Trusted Folder

Viewing Details of the Certificate

Copying the Certificate to File

The first time that you (or a user) access Cisco Unified Communications Manager Administration or other Cisco Unified Communications Manager SSL-enabled virtual directories (after the Cisco Unified Communications Manager installation/upgrade) from a browser client, a Security Alert dialog box asks whether you trust the server.

When the dialog box displays, you must perform one of the following tasks:

By clicking Yes, you choose to trust the certificate for the current web session only. If you trust the certificate for the current session only, the Security Alert dialog box displays each time that you access the application; that is, until you install the certificate in the trusted folder.

By clicking View Certificate > Install Certificate, you intend to perform certificate installation tasks, so you always trust the certificate. If you install the certificate in the trusted folder, the Security Alert dialog box does not display each time that you access the web application.

By clicking No, you cancel the action. No authentication occurs, and you cannot access the web application. To access the web application, you must click Yes or install the certificate via the View Certificate > Install Certificate options.

Using Internet Explorer to Save the Certificate to the Trusted Folder

To save the HTTPS certificate in the trusted folder on the browser client, so the Security Alert dialog box does not display each time that you access the web application, perform the following procedure:

Procedure


Step 1 Browse to the application on the tomcat server (for example, Cisco Unified Communications Manager Administration).

Step 2 When the Security Alert dialog box displays, click View Certificate.

Step 3 In the Certificate pane, click Install Certificate.

Step 4 When the Certificate Import Wizard displays, click Next.

Step 5 Click the Place all certificates in the following store radio button; click Browse.

Step 6 Browse to Trusted Root Certification Authorities; select it and click OK.

Step 7 Click Next.

Step 8 Click Finish.

Step 9 A Security Warning Box displays the certificate thumbprint for you.

To install the certificate, click Yes.

A message states that the import was successful. Click OK.

Step 10 In the lower, right corner of the dialog box, click OK.

Step 11 To trust the certificate, so you do not receive the dialog box again, click Yes to proceed.


Note If you use the localhost, the IP address, or the hostname in the URL to access the application that supports HTTPS, you must save the certificate in the trusted folder for each type of URL (with the localhost, IP address, and so on); otherwise, the Security Alert dialog box displays for each type.



Tip You can verify the certificate was installed successfully by clicking the Certification Path tab in the Certificate pane.


Additional Information

See the "Related Topics" section.

Viewing Details of the Certificate

When the Security Alert dialog box displays, click the View Certificate button and then the Details tab to view the details of the certificate.


Tip You cannot change any data that displays for the settings in the pane.


The following certificate settings may display:

Version

Serial Number

Signature Algorithm

Issuer

Valid From

Valid To

Subject

Public key

Subject Key Identifier

Key Usage

Enhanced Key Usage

Thumbprint Algorithm

Thumbprint

To display a subset of settings, if available, choose one of the following options:

All—All options display in the Details pane.

Version 1 Fields Only—Version, Serial Number, Signature Algorithm, Issuer, Valid From, Valid To, Subject, and the Public Key options display.

Extensions Only—Subject Key Identifier, Key Usage, and the Enhanced Key Usage options display.

Critical Extensions Only—Critical Extensions, if any, display.

Properties Only—Thumbprint algorithm and the thumbprint options display.


Note You can regenerate the self-signed certificate by using the Cisco Unified Communications Operating System Administration Guide.


Copying the Certificate to File

Copying the certificate to a file and storing it locally allows you to restore the certificate whenever necessary.

To copy the certificate contents to a file in a standard certificate storage format, perform the following procedure:

Procedure


Step 1 In the Security Alert dialog box, click View Certificate.

Step 2 Click the Details tab.

Step 3 Click the Copy to File button.

Step 4 The Certificate Export Wizard displays. Click Next.

Step 5 The following list defines the file formats from which you can choose. Choose the file format that you want to use for the exported file; click Next.

DER encoded binary X.509 (.CER)—Uses DER to transfer information between entities.

Base-64 encoded X.509 (.CER)—Sends secure binary attachments over the internet; uses ASCII text format to prevent corruption of file.

Cryptographic Message Syntax Standard-PKCS #7 Certificates (.P7B)—Exports the certificate and all certificates in the certification path to the chosen PC.

Step 6 Browse to the location to which you want to export the file copy and name the file. Click Save.

Step 7 The file name and path display in the Certificate Export Wizard pane. Click Next.

Step 8 Your file and settings display. Click Finish.

Step 9 When the successful export dialog box displays, click OK.
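
Added example (not part of the Cisco guide): the thumbprint that the Security Warning box and the Details tab display can be checked against the file exported with this procedure, or against the .DER/.PEM copy taken from the server, before the certificate is placed in Trusted Root Certification Authorities. This Python code accepts the DER and Base-64 .CER formats from Step 5 and rejects a .P7B bundle; the function names, the constructed sample bytes, and SHA-1 as the default algorithm are assumptions, so use whatever the Thumbprint Algorithm field shows.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def to_der(data: bytes) -> bytes:
    """Normalize a DER or Base-64 .CER export to the DER bytes of one certificate."""
    m = PEM_RE.search(data)
    if m:
        if m.group(1) != b"CERTIFICATE":
            raise ValueError("unexpected PEM block: " + m.group(1).decode())
        data = base64.b64decode(b"".join(m.group(2).split()))
    if len(data) < 4 or data[0] != 0x30:          # outer SEQUENCE tag
        raise ValueError("not DER: missing outer SEQUENCE")
    n = data[1]
    hdr = 2 if n < 0x80 else 2 + (n & 0x7F)       # short or long length form
    length = n if n < 0x80 else int.from_bytes(data[2:hdr], "big")
    if length == 0 or hdr + length != len(data):
        raise ValueError("DER length does not match the file size")
    if data[hdr] == 0x06:                         # OID first: PKCS #7 ContentInfo
        raise ValueError("PKCS #7 (.P7B) bundle; export a single .CER instead")
    if data[hdr] != 0x30:                         # tbsCertificate SEQUENCE expected
        raise ValueError("not an X.509 certificate")
    return data


def thumbprint(data: bytes, algorithm: str = "sha1") -> str:
    """Hex digest over the whole DER-encoded certificate."""
    return hashlib.new(algorithm, to_der(data)).hexdigest()


def thumbprint_matches(data: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """Compare against a thumbprint typed as 'AB CD ...', 'ab:cd:...' or plain hex."""
    want = re.sub(r"[^0-9a-fA-F]", "", expected).lower()
    return hmac.compare_digest(thumbprint(data, algorithm), want)


# Constructed sample: a tiny DER SEQUENCE standing in for an exported certificate.
SAMPLE_DER = bytes.fromhex("30053003020102")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n" + base64.b64encode(SAMPLE_DER)
              + b"\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    print("SHA-1 thumbprint:", thumbprint(SAMPLE_PEM))
```

Pass the bytes of the exported file as data and the thumbprint noted from the dialog box as expected; both export encodings of the same certificate give the same thumbprint because the hash is taken over the DER bytes.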


Additional Information

See the "Related Topics" section.

Using Netscape with HTTPS

This section provides details about using HTTPS with Netscape.

When you use HTTPS with Netscape, you can view the certificate credentials, trust the certificate for one session, trust the certificate until it expires, or not trust the certificate at all.

Netscape does not provide a certificate export utility for copying certificates to a file.


Tip If you trust the certificate for one session only, you must repeat the "Using Netscape to Save the Certificate to the Trusted Folder" procedure each time that you access the HTTPS-supported application. If you do not trust the certificate, you cannot access the application.


Using Netscape to Save the Certificate to the Trusted Folder

Perform the following procedure to save the certificate to the trusted folder:

Procedure


Step 1 Access the application, for example, Cisco Unified Communications Manager Administration, by using Netscape.

The certificate authority dialog box displays.

Step 2 Click one of the following radio buttons:

Accept this certificate for this session

Do not accept this certificate and do not connect

Accept this certificate forever (until it expires)


Note If you choose Do not accept, the application does not display.



Note To view the certificate credentials before you continue, click Examine Certificate. Review the credentials, and click Close.


Step 3 Click OK.

The Security Warning dialog box displays.

Step 4 Click OK.



Note You can regenerate the self-signed certificate by using the Cisco Unified Communications Operating System GUI.


Additional Information

See the "Related Topics" section.

Where to Find More Information

Related Topics

Certificates

Related Cisco Documentation

Cisco Unified Serviceability Administration Guide

Cisco Unified Communications Manager Administration Guide

Microsoft documentation that is available on HTTPS