Installation and Administration Guide for Cisco Unified Mobility Advantage, Release 7.0
Managing Server Security in Cisco Unified Mobility Advantage


Revised Date: April 17, 2009

This chapter describes the concepts and processes for establishing server identity.

About Secure Connections and SSL Certificates

About Required and Recommended SSL Certificates

Explanation of Security Contexts

Deploying Self-Signed Certificates: Cisco Adaptive Security Appliance

Deploying Self-Signed Certificates for Internal Servers: Example

Creating Security Contexts

Importing Self-Signed Certificates from Trusted Servers

Downloading Self-Signed Certificates from Cisco Unified Mobility Advantage

How to Obtain and Deploy a Signed Certificate for the Cisco Unified Mobility Advantage Server

Certificate Uploads and Downloads

Viewing Certificate Details

Deleting Security Contexts And Certificates

About Secure Connections and SSL Certificates

In order for a client to connect securely to a server, the client generally requires that the server verify its identity. A client can be a browser, a mobile device running Cisco Unified Mobile Communicator, or any server that initiates a connection with another server. Servers can have both client and server relationships with each other.

A client connects securely to a server using SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocol. Secure connections require digital certificates to verify the identity of the server.

Several types of digital certificates can be used to establish trust between a client and a server:

Self-signed certificates are generated from the server; a copy of the certificate must reside on the client. When a client connects to a server, it compares the certificate that the server presents to the copy of the certificate in its own trust store.

Certificates signed by a recognized Certificate Authority (CA) such as VeriSign enable clients to trust servers without having to import a certificate from each server onto the client, as long as the client recognizes certificates that are signed by the particular Certificate Authority.

Certificates can be signed by other authorities, such as an in-house corporate signing authority that guarantees servers within the corporate firewall.

You can also configure each server behind your corporate firewall to trust the identity of other servers behind the same firewall without explicitly requiring certificates.

Signed Certificate Information

Signed certificates generally consist of up to three sub-certificates:

A root certificate which declares the identity of the signing Certificate Authority.

An intermediate certificate, which is provided by many certificate authorities to accompany a signed certificate.

The signed certificate which identifies the server being authenticated.

Certificates signed by a corporate signing authority may also include root and intermediate certificates.

About Required and Recommended SSL Certificates

Required and Recommended Signed Certificates

Required and Recommended Self-Signed Certificates

Required and Recommended Signed Certificates

Some clients (such as Cisco Unified Mobile Communicator or standard web browsers) require or request certificates that are signed by a recognized Certificate Authority in order to connect to a server.

Necessity: Required

Description: For the Cisco Adaptive Security Appliance. Cisco Unified Mobile Communicator clients require this certificate.

For new installations, do this:

You must purchase this certificate after you configure the Cisco Adaptive Security Appliance, but before you can test Cisco Unified Mobility Advantage.

It may take up to 24 hours to receive your certificate from the signing authority.

See (For New Installations) How to Obtain and Import the Cisco Adaptive Security Appliance-to-Client Certificate, page 2-10.

For upgrades from Release 3.x, do this:

You may be able to reuse the signed certificate from the proxy server in Cisco Unified Mobility Advantage Release 3.1.2.

Before you upgrade Cisco Unified Mobility Advantage from Release 3.x, review the restrictions and process overview in Saving the SSL Certificate from the Proxy Server, page 5-8, then perform the procedure if applicable.

Necessity: Recommended

Description: For the Cisco Unified Mobility Advantage server. This certificate prevents users from seeing an "Untrusted certificate" warning when they access the User Portal. Browsers generate this warning when they connect to a server that does not have a signed certificate.

For new installations, do this:

You must install Cisco Unified Mobility Advantage before you can obtain a signed certificate for this purpose.

You can use a self-signed certificate for initial configuration and testing, and then obtain and deploy a signed certificate later.

See How to Obtain and Deploy a Signed Certificate for the Cisco Unified Mobility Advantage Server.

For upgrades from Release 3.x, do this:

If you had a signed certificate on the managed server in Cisco Unified Mobility Advantage Release 3.1.2, you may be able to reuse this certificate.

See Downloading a Self-Signed Certificate from Cisco Unified Mobility Advantage for Import into the Cisco Adaptive Security Appliance, page 5-15.


Related Topics

About Secure Connections and SSL Certificates

How To Deploy Required And Recommended Certificates for the Cisco Adaptive Security Appliance, page 2-8

Required and Recommended Self-Signed Certificates

If your company has a corporate signing authority, you can use certificates signed by the corporate authority instead of self-signed certificates.

Certificate
More Information

A certificate (self-signed or signed) from Cisco Unified Mobility Advantage is required for the Cisco Adaptive Security Appliance to communicate with Cisco Unified Mobility Advantage.

Deploying Self-Signed Certificates: Cisco Adaptive Security Appliance

If you followed the instructions for the Configuration Wizard in Chapter 7, "Using the Configuration Wizard in Cisco Unified Mobility Advantage," you must import a certificate from the Cisco Adaptive Security Appliance to Cisco Unified Mobility Advantage.

This configuration is recommended for all deployments.

Cisco Unified Mobility Advantage does not require certificates from other enterprise servers in order to run, but your corporate security requirements and settings on other servers may require you to deploy certificates in both directions.

See Deploying Self-Signed Certificates for Internal Servers: Example.


Explanation of Security Contexts

Each client and server may have security policies that govern the type of identity verification required for connections with other clients and servers. In Cisco Unified Mobility Advantage, you specify security policies in one or more Security Contexts. You then associate one Security Context with each enterprise server that Cisco Unified Mobility Advantage connects to. In addition, each enterprise server may have security policies of its own that require Cisco Unified Mobility Advantage to verify its identity. Servers verify their identities using certificates.

Security Contexts in Cisco Unified Mobility Advantage do the following:

Determine the level and type of identity verification that Cisco Unified Mobility Advantage requires from each server and client with which it connects.

For example, servers behind your corporate firewall (most enterprise servers with which Cisco Unified Mobility Advantage communicates) may require less stringent identity verification because they are already in a presumably secure environment. Communications with a server in a DMZ (for example, the Cisco Adaptive Security Appliance) generally require stricter identity verification because a DMZ environment is less secure.

Store copies of trusted certificates. Depending on your security choices, certificates that other servers present must match their corresponding certificates stored in the Security Context that you assigned to that server.

Store the certificate that Cisco Unified Mobility Advantage presents when identifying itself to other servers.

Collect the information needed to create certificates, and use that information to generate certificates to provide to other servers for their store of trusted certificates, or to generate a Certificate Signing Request for a signed certificate.

In general, if you set the Connection Type for an enterprise server to TLS or SSL (secure), you must specify a Security Context for connections with that server. You specify the certificate requirements in the Security Context.

Deploying Self-Signed Certificates: Cisco Adaptive Security Appliance

Use the following set of procedures to deploy self-signed certificates for communications between Cisco Unified Mobility Advantage and the Cisco Adaptive Security Appliance.

Before You Begin

Determine your certificate needs. See How To Deploy Required And Recommended Certificates for the Cisco Adaptive Security Appliance, page 2-8.

Procedure

 
Step 1 In Cisco Unified Mobility Advantage, create a Security Context that specifies Trusted Certificates for the Trust Policy.

If you followed the instructions for the Configuration Wizard in Chapter 7, "Using the Configuration Wizard in Cisco Unified Mobility Advantage," you have already created the cuma Security Context.

For instructions, see Creating Security Contexts.

Step 2 In System Management > Network Properties, specify the Security Context from Step 1.

If you followed the instructions for the Configuration Wizard, you have already completed this step.

Step 3 Generate a self-signed certificate from Cisco Unified Mobility Advantage.

If you followed the instructions for the Configuration Wizard, see Downloading the Self-Signed Certificate (After Running the Configuration Wizard), page 7-25.

Otherwise, see Downloading Self-Signed Certificates from Cisco Unified Mobility Advantage.

Step 4 Import this certificate to the trust store of the Cisco Adaptive Security Appliance.

For instructions, see Importing a Self-Signed Certificate from Cisco Unified Mobility Advantage, page 2-12.

Step 5 Generate a self-signed certificate from the Cisco Adaptive Security Appliance.

For instructions, see Generate a Certificate for Cisco Unified Mobility Advantage from the Cisco Adaptive Security Appliance, page 2-14.

Step 6 Import this certificate into the trust store of Cisco Unified Mobility Advantage.

For instructions, see Importing Self-Signed Certificates from Trusted Servers.

Step 7 In the Cisco Adaptive Security Appliance, complete the remaining configurations.

For instructions, see Setting up the TLS Proxy, page 2-15 and the remaining procedures in that chapter.

Deploying Self-Signed Certificates for Internal Servers: Example

Secure connections between internal servers are not required by default for Cisco Unified Mobility Advantage to operate. However, your corporate security policies may require them.

If you assign a Security Context that has the Trust Policy set to Trusted Certificates for an enterprise server, then you must deploy a certificate to verify the identity of that server. Generally, if your security policies are consistent, this will be a reciprocal requirement, so you will also need to provide a certificate from Cisco Unified Mobility Advantage to verify its identity to the other server.

You can use self-signed certificates or certificates signed by an in-house corporate signing authority to verify the identities of servers behind the corporate firewall.

This configuration example describes one option to configure security for internal servers, using self-signed certificates. Use the same basic procedure for each enterprise server that supports secure connections.

Before You Begin

We recommend that you verify that all features that you deployed are functioning properly before you introduce security to the configuration.

For the following servers, use different instructions instead of this topic:

For Cisco Adaptive Security Appliance, see Deploying Self-Signed Certificates: Cisco Adaptive Security Appliance.

For Cisco Unified Communications Manager, see How to Configure Server Security for Connections with Cisco Unified Communications Manager, page 3-13.

For Cisco Unified Presence, see How To Configure Server Security for Cisco Unified Presence, page 4-3.

Procedure

 
Step 1 In Cisco Unified Mobility Advantage, create a Security Context that specifies Trusted Certificates for the Trust Policy.

You can use this Security Context for all enterprise servers that have the same security requirements.

If you followed the instructions for the Configuration Wizard, you can use the cuma Security Context.

For instructions, see Creating Security Contexts.

Step 2 In the Enterprise Adapter for the server, select TLS or SSL as the Transport Type, then specify the Security Context from Step 1.

For instructions, see Viewing and Changing Enterprise Adapter Settings, page 10-4, and Appendix A, "Page References: Enterprise Adapter Settings in Cisco Unified Mobility Advantage."

Step 3 On the enterprise server, require secure communications.

See the documentation for the server.

Step 4 Generate a self-signed certificate from Cisco Unified Mobility Advantage.

For instructions, see Downloading Self-Signed Certificates from Cisco Unified Mobility Advantage.

Step 5 Import this certificate to the trust store of the enterprise server.

See the documentation for the server.

Step 6 Generate a certificate from the enterprise server.

See the documentation for the server.

Step 7 Import this certificate to the trust store of Cisco Unified Mobility Advantage.

For instructions, see Importing Self-Signed Certificates from Trusted Servers.

Creating Security Contexts

Security Contexts manage security policies and server identity-verification certificates for connections between Cisco Unified Mobility Advantage and other enterprise servers. You can use them to generate and store digital certificates that verify server identity.

Create a security context for each different type of security you require in order to allow other servers to communicate with Cisco Unified Mobility Advantage.

For example, if you require no imported certificates from internal servers and a self-signed certificate from the Cisco Adaptive Security Appliance in the DMZ, create two Security Contexts. If you followed the documentation for the Configuration Wizard, you created these two Security Contexts.

You can use a single security context to govern relationships with multiple servers, if the requirements are the same for all of those servers.

You may need to create multiple security contexts in order to satisfy the security requirements of all enterprise servers. For example, some servers may require Cisco Unified Mobility Advantage to present a trusted certificate.

Before You Begin

Determine the two-letter ISO country code for the location of your Cisco Unified Mobility Advantage server. Visit http://www.iso.org/iso/country_codes/iso_3166_code_lists/english_country_names_and_code_elements.htm.

Procedure


Step 1 Sign in to the Cisco Unified Mobility Advantage Admin portal.

Step 2 Select the [+] beside Security Context Management.

Step 3 Select Security Contexts.

Step 4 Select Add Context.

Step 5 Enter information:

Field
Description

Context Name

Enter a name for the certificate.

The name cannot contain spaces or special characters.

Description

Enter a description for the certificate.

Trust Policy

This value determines the type of certificate Cisco Unified Mobility Advantage requires of an enterprise server with which it initiates communication, such as Cisco Adaptive Security Appliance and Cisco Unified Communications Manager.

Options are:

Trusted Certificates — The other server must present one of the following:

A self-signed certificate that you will have already imported into Cisco Unified Mobility Advantage.

A certificate signed by a recognized Certificate Authority that Cisco Unified Mobility Advantage supports.

A certificate signed by another authority, such as a corporate signing authority. In this case, you must import the certificates of the signing authority into Cisco Unified Mobility Advantage.

All Certificates — Choose this option if you do not want to verify certificates that each server presents.

Cisco Unified Mobility Advantage trusts certificates from each server whose enterprise adapter is associated with this Security Context. You do not need to import certificates in this case.

Default — All servers must present certificates that are signed by a recognized Certificate Authority.

Client Authentication Policy

This setting determines whether Cisco Unified Mobility Advantage requires a certificate from clients or other servers that initiate a connection to it.

Typically, communications using the TLS protocol do not require a certificate in this situation.

Cisco Unified Mobility Advantage uses the Client Authentication Policy when it is acting as a server (for example, in communications with the Cisco Adaptive Security Appliance).

Options are:

None — Cisco Unified Mobility Advantage does not request a certificate from the client.

Optional — Cisco Unified Mobility Advantage requests but does not require a certificate from the client.

Required — Cisco Unified Mobility Advantage requires a certificate from the client.

The type of certificate required is specified in the Trust Policy field, described above.

Certificate Password

Enter the password you want to assign to this certificate. The password must be at least six characters in length.

If you are upgrading from Release 3.x and you upload a certificate from Cisco Unified Mobility Advantage Release 3.x, you must enter the same password, which you noted before you performed the upgrade.

Note this password in a safe place. You may need it later.

Server Name

Enter the fully qualified hostname of this server.

Department Name

Enter the name of the department that will be using Cisco Unified Mobility Advantage, if restricted to one department.

For the Security Context that you will associate with the Cisco Adaptive Security Appliance, this value must match the OU value you entered when you generated the Certificate Signing Request for the signed certificate from the Cisco Adaptive Security Appliance.

Company Name

Enter your company name.

If you will use the information in this Security Context to obtain a signed certificate, use the name under which your company or organization is officially registered to conduct business. VeriSign validates this name against official business registration documents.

If the company name includes symbols requiring the shift key, see instructions at your Certificate Authority website.

City

Enter the city where the department or company is located.

State

Enter the state or province where the city is located.

Check with your supported Certificate Authority to determine exact requirements for this value. At publication, the requirements are:

For locations in the United States and Canada, spell out the full name. For example: California (not CA).

For other installations, there are no restrictions on this value.

Country Code

Enter the two-letter code for the country where the company is located.

You obtained this value while completing the prerequisites for this procedure.


Step 6 Select Submit.


What To Do Next

For each enterprise server that requires a TLS or SSL connection, specify an appropriate Security Context. A single Security Context can be associated with multiple servers if the security requirements are the same for all.

For the Cisco Adaptive Security Appliance: Assign a Security Context on the System Management > Network Properties page.

For other enterprise servers: Assign an appropriate Security Context on the Enterprise Adapter page for each server. See Appendix A, "Page References: Enterprise Adapter Settings in Cisco Unified Mobility Advantage" and Chapter 10, "Configuring Connections to Enterprise Servers from Cisco Unified Mobility Advantage."

If the Trust Policy is Trusted Certificates and you will use self-signed certificates to establish trust:

See Deploying Self-Signed Certificates: Cisco Adaptive Security Appliance

Deploying Self-Signed Certificates for Internal Servers: Example

If the Trust Policy is Trusted Certificates and you will use a certificate signed by a nonrecognized authority such as an in-house corporate signing authority:

Follow the procedures at your company to obtain the required certificate chain.

Import the certificates into Cisco Unified Mobility Advantage. See Importing Intermediate Certificates and Importing Certificates Signed by a Certificate Authority.

Import the root certificate into the trust store of the other server.

If the Trust Policy is Default or Trusted Certificates and you will use a certificate signed by a recognized certificate authority, follow the instructions in How to Obtain and Deploy a Signed Certificate for the Cisco Unified Mobility Advantage Server.

Importing Self-Signed Certificates from Trusted Servers

Use this procedure:

To import a self-signed certificate from the Cisco Adaptive Security Appliance.

To import self-signed certificates from other enterprise servers, if you specified a TLS connection for any Enterprise Adapter and the associated server will present a self-signed certificate.

You can import multiple certificates into a single Security Context.

Before You Begin

Generate a self-signed certificate from each enterprise server whose Enterprise Adapter in Cisco Unified Mobility Advantage has a Security Context that specifies Trusted Certificates for the Trust Policy.

For the Cisco Adaptive Security Appliance, see Generate a Certificate for Cisco Unified Mobility Advantage from the Cisco Adaptive Security Appliance, page 2-14.

For Cisco Unified Communications Manager, see Obtaining a Certificate from Cisco Unified Communications Manager, page 3-16.

The certificate files will be named CallManager.pem and tomcat.pem.

For Cisco Unified Presence, see the documentation for that product.

There are three separate certificates:

- sipproxy.pem

- tomcat.pem (You can rename this file to a unique name to avoid confusion.)

- PresenceEngine.pem

For Cisco Unity Connection, you need the tomcat.pem file. (You can rename this file to a unique name to avoid confusion.)

For other servers, see the documentation for each server.

Identify the name of the Security Context that is associated with the server whose certificate you want to import:

For the Cisco Adaptive Security Appliance: This is the Security Context specified on the System Management > Network Properties page.

For other servers: This is the Security Context specified on the Enterprise Adapter page of the server whose certificate you want to import.

Make sure the Security Context has the Trust Policy set to Trusted Certificates.

Procedure


Step 1 Open the certificate in WordPad (not Notepad).

Step 2 Select the [+] beside Security Context Management in the Admin Portal.

Step 3 Select Security Contexts.

Step 4 Select Manage Context for the Security Context into which you want to import the certificate.

If you used the Configuration Wizard, this is the cuma security context.

Step 5 Select Import on the Trusted Certificate(s) line.

Step 6 Enter the certificate name (no spaces).

Step 7 Copy and paste the text from the certificate into the Certificate field.

Include the following lines. Make sure that there are no extra spaces at the end.

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Step 8 Select Import.

Step 9 Restart Cisco Unified Mobility Advantage.
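
A pre-import check for the text pasted in Step 7, as an added example that is not part of the Cisco guide or the product: it flags trailing whitespace and malformed BEGIN/END lines, confirms that the body decodes to a complete DER structure, and returns a SHA-256 fingerprint to compare with the fingerprint shown on the server that generated the certificate. The function names are assumptions, and the sample input is a constructed placeholder with the outer shape of a certificate, not a real one.

```python
import base64
import binascii
import hashlib
import re

# PEM boundary lines carry exactly five dashes on each side (RFC 7468).
BOUNDARY = re.compile(r"^(-+)(BEGIN|END) CERTIFICATE(-+)$")


def der_total_length(der):
    """Size in bytes that the outer DER SEQUENCE header declares, or None."""
    if len(der) < 2 or der[0] != 0x30:          # a certificate is a SEQUENCE
        return None
    first = der[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    count = first & 0x7F                        # long form: number of length bytes
    if count == 0 or count > 4 or len(der) < 2 + count:
        return None
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def check_pasted_certificate(text):
    """Check PEM text before it is pasted into the Certificate field."""
    problems = []
    lines = text.splitlines()
    for number, line in enumerate(lines, 1):
        if line != line.rstrip():
            problems.append(f"line {number}: trailing whitespace")

    blocks, current = [], None
    for line in (raw.strip() for raw in lines):
        match = BOUNDARY.match(line)
        if match is None:
            if current is not None and line:
                current.append(line)            # base64 body line
            continue
        if len(match.group(1)) != 5 or len(match.group(3)) != 5:
            problems.append(f"boundary {line!r}: needs exactly five dashes per side")
        if match.group(2) == "BEGIN":
            if current is not None:
                problems.append("BEGIN line without a matching END line")
            current = []
        elif current is None:
            problems.append("END line without a matching BEGIN line")
        else:
            blocks.append("".join(current))
            current = None
    if current is not None:
        problems.append("missing END CERTIFICATE line")
    if not blocks:
        problems.append("no complete certificate block found")

    fingerprints = []
    for index, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            problems.append(f"certificate {index}: body is not valid base64")
            continue
        if der_total_length(der) != len(der):
            problems.append(f"certificate {index}: DER length mismatch (truncated or padded paste)")
            continue
        # Compare this value out of band with the fingerprint on the source server.
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"ok": not problems, "problems": problems, "sha256": fingerprints}


def to_pem(der):
    """Wrap DER bytes in PEM armor with 64-character body lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed placeholder: a DER SEQUENCE header declaring 256 content bytes.
# It has the outer shape of a certificate but is NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    cases = {
        "clean paste": SAMPLE_PEM,
        "space after END line": SAMPLE_PEM.replace("E-----\n", "E----- \n"),
        "four-dash boundaries": SAMPLE_PEM.replace("-----", "----"),
    }
    for label, text in cases.items():
        result = check_pasted_certificate(text)
        print(label, "->", "OK" if result["ok"] else result["problems"])
        print("  sha256:", result["sha256"])
```
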


Related Topics

Deploying Self-Signed Certificates: Cisco Adaptive Security Appliance

Deploying Self-Signed Certificates for Internal Servers: Example

Downloading Self-Signed Certificates from Cisco Unified Mobility Advantage

If any server with which Cisco Unified Mobility Advantage communicates requires identity verification, you can create and deploy a self-signed certificate.

The Cisco Adaptive Security Appliance requires identity verification.

This procedure downloads a PEM-encoded certificate with a .cer filename extension.

Before You Begin

Make sure that a self-signed certificate meets your needs. See Required and Recommended Self-Signed Certificates.

Create at least one security context. Complete all fields in the form.

Note that this procedure is different from the procedure for downloading a keystore file, as described in Certificate Uploads and Downloads and Downloading the Proxy Server Certificate and Preparing It for Use on the Cisco Adaptive Security Appliance, page 5-14.

Procedure


Step 1 Select the [+] beside Security Context Management.

Step 2 Select Security Contexts.

Step 3 Select Manage Context beside the security context that holds the certificate to download.

Step 4 Select Download Certificate.

If the certificate is a chain (has associated root or intermediate certificates), only the first certificate in the chain is downloaded. This is sufficient for self-signed certificates.

Step 5 Save the file.


Related Topics

About Secure Connections and SSL Certificates

Creating Security Contexts

Deploying Self-Signed Certificates: Cisco Adaptive Security Appliance

Deploying Self-Signed Certificates for Internal Servers: Example

Downloading the Self-Signed Certificate (After Running the Configuration Wizard), page 7-25

What To Do Next

Import this certificate to the server or servers that require it:

For the Cisco Adaptive Security Appliance: See Importing a Self-Signed Certificate from Cisco Unified Mobility Advantage, page 2-12.

For Cisco Unity: See the documentation for the Internet Information Server (IIS) on the platform on which Cisco Unity is installed.

For other Cisco products: See Importing Certificates into Cisco Unified Operating System Servers, page 3-16.

For other servers: See the documentation for each server for instructions.

How to Obtain and Deploy a Signed Certificate for the Cisco Unified Mobility Advantage Server

Obtaining and Deploying a Signed Certificate for the Cisco Unified Mobility Advantage Server

Creating a Certificate To Be Signed by a Certificate Authority

Importing Intermediate Certificates

Importing Certificates Signed by a Certificate Authority

Obtaining and Deploying a Signed Certificate for the Cisco Unified Mobility Advantage Server

There are two ways to obtain a signed certificate, depending on your situation:

To
Do This

(If you upgraded from Release 3.1.2) Determine whether you can re-use an existing signed certificate

See Downloading a Self-Signed Certificate from Cisco Unified Mobility Advantage for Import into the Cisco Adaptive Security Appliance, page 5-15.

Obtain a signed certificate for Cisco Unified Mobility Advantage

Follow these procedures in order, as applicable:

1. Creating a Certificate To Be Signed by a Certificate Authority

2. Importing Intermediate Certificates

3. Importing Certificates Signed by a Certificate Authority


Related Topics

Required and Recommended Signed Certificates

Creating a Certificate To Be Signed by a Certificate Authority

You can obtain signed certificates for Cisco Unified Mobility Advantage from the following Certificate Authorities: VeriSign and GeoTrust. These certificates are supported because they are generally available on all mobile devices.

Before You Begin

Determine your certificate needs. See About Required and Recommended SSL Certificates.

Visit the web site of your Certificate Authority (VeriSign or GeoTrust) to determine the process and requirements for purchasing a signed certificate.

We recommend that you become generally familiar with the policies of the Certificate Authority. For example, check the requirements for extending the certificate so that you maintain the necessary records.

Procedure


Step 1 Create or navigate to a security context that is associated with a server which requires a signed certificate.

If you followed the instructions for the Configuration Wizard, use the cuma Security Context.

Step 2 Select Manage Context.

Step 3 Select Retrieve CSR to generate a Certificate Signing Request.

The CSR appears.

Step 4 Follow the instructions on the web site of the Certificate Authority to purchase the signed certificate.

You will need the CSR you just retrieved.

You will receive an email message with the signed certificate information.

This process may take up to 24 hours.

Step 5 Note your certificate password in a safe place for future reference.


What To Do Next

When you receive the signed certificate from the Certificate Authority, follow the instructions in Importing Intermediate Certificates.

Importing Intermediate Certificates

Before you import a signed certificate, you may need to import an intermediate certificate if the signing Certificate Authority tells you to do so.

Before You Begin

Determine whether your Certificate Authority requires an intermediate certificate.

Follow the procedure in Creating a Certificate To Be Signed by a Certificate Authority.

Receive the signed certificate by email from the Certificate Authority. This email message may also contain information about an intermediate certificate if one is required.

Review any instructions from the Certificate Authority.

Identify the name of the Security Context that is associated with the server that requires a signed certificate from Cisco Unified Mobility Advantage. For the Cisco Adaptive Security Appliance, this is the Security Context specified on the System Management > Network Properties page. You must import the certificate into this Security Context.

Procedure


Step 1 Select the [+] beside Security Context Management.

Step 2 Select Security Contexts.

Step 3 Select Manage Context beside the Security Context into which you will import the signed certificate.

If you followed the instructions for the Configuration Wizard, this will be the cuma Security Context.

Step 4 Select Import in the Trusted Certificates bar.

Step 5 Paste the intermediate certificate text.

Step 6 Name the certificate.

Step 7 Select Import.


What To Do Next

Import the signed certificate. See Importing Certificates Signed by a Certificate Authority.

Importing Certificates Signed by a Certificate Authority

After you receive the signed certificate from the Certificate Authority, you must import it into Cisco Unified Mobility Advantage.

You do not need to import it into any other server.

Before You Begin

Follow the procedure in Creating a Certificate To Be Signed by a Certificate Authority.

Receive the signed certificate by email from the Certificate Authority. This email message may also contain information about an intermediate certificate if one is required.

Review any instructions from the Certificate Authority.

Identify the name of the Security Context that is associated with the server that requires a signed certificate from Cisco Unified Mobility Advantage. For the Cisco Adaptive Security Appliance, this is the Security Context specified on the System Management > Network Properties page. You must import the certificate into this Security Context.

Import the intermediate certificate, if required. See Importing Intermediate Certificates.

Procedure


Step 1 Select the [+] beside Security Context Management.

Step 2 Select Security Contexts.

Step 3 Select Manage Context beside the Security Context into which you will import the certificate.

If you followed the instructions for the Configuration Wizard, this will be the cuma Security Context.

Step 4 Select Import CA Reply.

Step 5 Name the certificate.

Step 6 Paste the certificate text.

Step 7 Select Import.

You do not need to import a signed certificate for Cisco Unified Mobility Advantage into any other server.
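The two procedures above require pasting the right block into the right step: the intermediate certificate under Trusted Certificates first, then the server certificate under Import CA Reply. The following added example (not Cisco code) reads the text of a Certificate Authority email, rejects blocks damaged in transit, and reports which PEM block belongs to which step by comparing issuer and subject names. The function names, the sample names and the sample email are assumptions made for illustration.

```python
# Added example, not Cisco code; every name below is illustrative.
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER: the pasted text is damaged")
    return tag, pos, pos + length

def issuer_and_subject(der):  # raw issuer and subject Name encodings of one certificate
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("block is not exactly one DER certificate")
    pos, tbs_end = read_tlv(der, start)[1:]  # step into TBSCertificate
    fields = []
    while pos < tbs_end and len(fields) < 6:
        nxt = read_tlv(der, pos)[2]
        fields.append(der[pos:nxt])
        pos = nxt
    skip = 1 if fields and fields[0][0] == 0xA0 else 0  # optional [0] version
    if len(fields) < skip + 5:
        raise ValueError("TBSCertificate is missing fields")
    return fields[skip + 2], fields[skip + 4]  # TBS order: serial, sigAlg, issuer, validity, subject

def classify_blocks(text):  # block positions (0-based) grouped by import step
    names = [issuer_and_subject(base64.b64decode("".join(b.split()), validate=True))
             for b in PEM_RE.findall(text)]
    signers = {iss for iss, sub in names if iss != sub}
    out = {"ca_reply": [], "intermediate": [], "root": []}
    for i, (iss, sub) in enumerate(names):
        kind = "root" if iss == sub else "intermediate" if sub in signers else "ca_reply"
        out[kind].append(i)
    return out

# Constructed sample: unsigned skeletons, Name reduced to SEQUENCE{UTF8String}.
def _der(tag, body):  # sample bodies stay under 128 bytes, so short-form length
    return bytes([tag, len(body)]) + body

def sample_pem(issuer, subject):
    iss, sub = (_der(0x30, _der(0x0C, n.encode())) for n in (issuer, subject))
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01\x30\x00" + iss + b"\x30\x00" + sub)
    der = _der(0x30, tbs + b"\x30\x00\x03\x01\x00")
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

SAMPLE_EMAIL = ("Server certificate:\n" + sample_pem("Demo Issuing CA", "cuma.example.com")
                + "Intermediate:\n" + sample_pem("Demo Root CA", "Demo Issuing CA"))
```

The check compares names only and does not verify signatures, so it confirms which block goes where, not that the chain is cryptographically valid.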


Certificate Uploads and Downloads

You can upload or download certificates, for example certificates that Cisco Unified Mobility Advantage uses to verify its identity to other servers.

These features are particularly useful if you are upgrading from Cisco Unified Mobility Advantage Release 3.x and you want to reuse the signed certificate from the Proxy Server.

Operation
Details

Uploading certificates

If you have an existing signed certificate that is valid for this server, you can upload the existing certificate instead of creating a new certificate.

Supported file formats are JKS and PKCS12.

The security context into which you upload the certificate cannot have the Trust Policy set to All Certificates.

Uploading is different from importing certificates from trusted servers.

Downloading certificates

This process downloads a keystore file in PKCS12 format.

Do not use this process for generating self-signed certificates.


Related Topics

Uploading the Proxy Server Certificate to Release 7.x, page 5-13

Downloading the Proxy Server Certificate and Preparing It for Use on the Cisco Adaptive Security Appliance, page 5-14

Importing Self-Signed Certificates from Trusted Servers

Downloading Self-Signed Certificates from Cisco Unified Mobility Advantage

Viewing Certificate Details

You can view certificate information such as expiration date.

Procedures

To View
Procedure

Certificates Cisco Unified Mobility Advantage shows to other servers

1. Navigate to the Security Context that holds the certificate.

2. Select Manage Context.

3. Look at the server certificate information in the Key Entry section.

4. Select View Certificate Chain to view any intermediate and root certificates associated with this server certificate.

Imported certificates from trusted servers

1. Navigate to the Security Context that holds the certificate.

2. Select Manage Context.

3. Select the [+] beside the certificate name under Trusted Certificates.

Any certificate resident on the server

1. Select the [+] beside Security Context Management.

2. Select Certificate Utility.

3. Browse to the certificate.

4. Select the certificate type.

5. Enter the certificate password.

6. Select View.


Deleting Security Contexts And Certificates

Procedures

To Delete
Do This

A security context and any associated certificates.

You cannot delete a security context that is specified in any Enterprise Adapter or the Network Properties page.

1. Consider downloading and saving any signed certificates associated with this security context. Be sure to use the Download button, not the Download Certificate button.

2. Select the [+] beside Security Context Management.

3. Select Security Contexts.

4. Select Delete beside the appropriate security context.

An imported certificate for a trusted server

1. Navigate to the Security Context that holds the certificate.

2. Select Manage Context.

3. Select Delete beside the certificate name under Trusted Certificates.


Related Topics

Downloading the Proxy Server Certificate and Preparing It for Use on the Cisco Adaptive Security Appliance, page 5-14