Configuration and Maintenance Guide for MeetingPlace 7.1
Configuring SSL for the Application Server
Downloads: This chapterpdf (PDF - 133.0KB) The complete bookPDF (PDF - 5.46MB) | Feedback

Configuring SSL for the Cisco Unified MeetingPlace Application Server

Table Of Contents

Configuring SSL for the Cisco Unified MeetingPlace Application Server

Interfaces Secured by SSL for the Application Server

Generating a Certificate Signing Request and Obtaining the Certificate

Uploading the Certificate File and Enabling SSL

Displaying the Certificate

Backing Up the SSL Configuration

Restoring the SSL Configuration

Disabling SSL


Configuring SSL for the Cisco Unified MeetingPlace Application Server


Release 7.1
Revised: April 3, 2011 8:30 pm

To enable Secure Sockets Layer (SSL) to provide secure web communications for the Application Server, you need to obtain and upload a digital identity certificate that the system binds with a private key and password.

Interfaces Secured by SSL for the Application Server

Generating a Certificate Signing Request and Obtaining the Certificate

Uploading the Certificate File and Enabling SSL

Displaying the Certificate

Backing Up the SSL Configuration

Restoring the SSL Configuration

Disabling SSL

Interfaces Secured by SSL for the Application Server

Enabling SSL for the Application Server secures web communications with the following interfaces:

Administration Center

MeetingPlace Conference Manager

Microsoft Outlook plug-ins for scheduling Cisco Unified MeetingPlace and Cisco WebEx web conferencing.

Cisco WebEx integration end-user interface on the Application Server


Note For information about configuring SSL for web conferencing, see the following modules:

Configuring Cisco Unified MeetingPlace Web Conferencing Security Features

Integrating Cisco Unified MeetingPlace with Cisco WebEx


Generating a Certificate Signing Request and Obtaining the Certificate

In this task, you create a certificate signing request (CSR) that you then send to an authorized certificate authority (CA) to apply for a digital identity certificate. The system also creates and stores a private key file and password specifically for that certificate. When you later upload the certificate file, the system binds the certificate file with the system-generated private key file and password to enable SSL.

Before You Begin

If you created your own certificate and private key, then do not perform this task. Proceed to the "Uploading the Certificate File and Enabling SSL" section.

SSL must be disabled to generate CSRs.

The CSR and resulting certificate use the Application Server hostname that you entered for Ethernet Port 1 (device eth0) during the operating system installation.

If you change this hostname, then you must obtain new certificates.

For information about installing the operating system, see the Installation, Upgrade, and Migration Guide for Cisco Unified MeetingPlace at http://www.cisco.com/en/US/products/sw/ps5664/ps5669/prod_installation_guides_list.html.

Self-signed certificates can be used for the application server.

Make sure that you request a file in one of the following formats:

Private keys: PKCS #1, PKCS #8 (PEM or DER encoding), Java keystore

Certificates: X.509 (PEM or DER encoding), Java keystore


Caution If you already installed a valid SSL certificate, then generating a new CSR will make the existing certificate invalid. Proceed only if you are installing the certificate for the first time, if you are replacing an expired or invalid certificate, or if you change the hostname of your Application Server.

Procedure


Step 1 Log in to the Administration Center.

Step 2 Select Certificate Management > Generate CSRs.

Step 3 Enter values in the fields on the Generate Certificate Signing Request (CSR) Page.


Note Some CAs do not recognize two-letter state abbreviations, so enter the full name of the state. Also, if you want to use any special (non-alphanumeric) characters, ask your CA for character restrictions.


Step 4 Select Generate CSR only once.

Step 5 Select OK.

Step 6 Select Download CSR.


Caution After you select Download CSR, do not modify any fields on this page, and do not select Generate CSR again. Doing so will result in an invalid certificate from the CA.

Step 7 Select Save.

Step 8 In the Save As dialog box, perform the following actions:

a. Delete any browser-added text (typically [1] and .txt) from the filename, to make the filename appear in this format: fully-qualified-domain-name_req.csr

Example: meetings.example.com_req.csr

b. In the Save as type field, select All Files.

c. Choose the appropriate directory.

d. Select Save.

Step 9 Send this file to the CA in return for a certificate file.

Make sure that you request a file in one of the following formats:

Private keys: PKCS #1, PKCS #8 (PEM or DER encoding), Java keystore

Certificates: X.509 (PEM or DER encoding), Java keystore


Related Topics

Field Reference: Generate Certificate Signing Requests (CSRs) Page in the Administration Center Page References for Cisco Unified MeetingPlace module

Troubleshooting the Cisco Unified MeetingPlace Application Server module

What To Do Next

We recommend that you back up and archive your system to save the system-generated private key file and password that are required to validate the certificate that you ordered from the CA. Otherwise, if the system is reinstalled for some reason before you receive and upload the certificate, then you will need to generate a new CSR and obtain a new certificate. See the Backing Up, Archiving, and Restoring Data on the Cisco Unified MeetingPlace Application Server module.

Proceed to the "Uploading the Certificate File and Enabling SSL" section.

Uploading the Certificate File and Enabling SSL

Before You Begin

Obtain the certificate by one of these methods:

Obtain a certificate from a trusted CA—See the "Generating a Certificate Signing Request and Obtaining the Certificate" section. This is the root CA certificate.

Create your own certificate, private key, and password—If you use this method, note that when a user tries to access one of the Interfaces Secured by SSL for the Application Server, a security alert warns the user that the certificate comes from an untrusted source. The user then has to select OK to proceed.

Self-signed certificates can be used for the application server.

The application server supports only the following formats:

Private keys: PKCS #1, PKCS #8 (PEM or DER encoding), Java keystore

Certificates: X.509 (PEM or DER encoding), Java keystore

If your CA issued a certificate that requires the installation of an intermediate CA certificate:

1. Obtain the intermediate CA certificate(s) by contacting your CA.

2. Using a text editor, paste the text of the intermediate CA certificate to the end of the Cisco Unified MeetingPlace certificate file.

3. In the procedure below, make sure that you upload the combined certificate file that includes both the root and intermediate CA certificates.

Procedure


Step 1 Log in to the Administration Center.

Step 2 Select Certificate Management > Enable SSL.

Step 3 Enter values in the fields.


Note If you obtained the certificate from a CA by using the Generate Certificate Signing Request (CSR) Page, then only enter the Certificate file.


Step 4 Select Upload Certificate.


Verifying

If this is the first certificate upload for the system, then proceed to the "Displaying the Certificate" section.

Otherwise, view the information capture log. See "Obtaining and Viewing the System Information Capture (Infocap) Log" in the Using Alarms and Logs on Cisco Unified MeetingPlace module.

Related Topics

Field Reference: Enable SSL Page in the Administration Center Page References for Cisco Unified MeetingPlace module

Using the Command-Line Interface (CLI) in Cisco Unified MeetingPlace module

Troubleshooting the Cisco Unified MeetingPlace Application Server module

Certificate or Private Key is in the Wrong Format in the Troubleshooting the Cisco Unified MeetingPlace Application Server module

What to Do Next

If you use MeetingPlace Conference Manager, then you will need to edit the server URL to use "https" instead of "http." See "Editing an Existing Server" in the Using MeetingPlace Conference Manager module.

Proceed to the "Backing Up the SSL Configuration" section.

Displaying the Certificate

Procedure


Step 1 Log in to the Administration Center.

Step 2 Select Certificate Management > Display Certificate.

Step 3 Select Display Certificate.


Backing Up the SSL Configuration

Use this procedure to back up your SSL configuration, including the certificate.

If you ever reinstall the operating system, the SSL files will be deleted. The SSL files may also be lost (but are often preserved) when you reinstall or upgrade the Cisco Unified MeetingPlace application.

Before You Begin

Complete the "Uploading the Certificate File and Enabling SSL" section.

Procedure


Step 1 Log in to the Administration Center.

Step 2 Select Certificate Management > Back Up SSL Configuration.

Step 3 Select Back Up SSL Configuration.

Step 4 Select Save.


Related Topics

Restoring the SSL Configuration

What to Do Next

To configure SSL for web conferencing, see the Configuring Cisco Unified MeetingPlace Web Conferencing Security Features module.

Restoring the SSL Configuration

Before You Begin

Complete the "Backing Up the SSL Configuration" section.

Procedure


Step 1 Log in to the Administration Center.

Step 2 Select Certificate Management > Restore SSL Configuration.

Step 3 Browse to the file.

By default, the filename is backupSSLData.zip.

Step 4 Select Restore SSL Configuration.


Related Topics

Troubleshooting the Cisco Unified MeetingPlace Application Server module

Disabling SSL

Before You Begin

You cannot disable SSL for only one Application Server interface. Completing this task disables SSL for all interfaces listed in the "Interfaces Secured by SSL for the Application Server" section.

Procedure


Step 1 Log in to the Administration Center.

Step 2 Select Certificate Management > Disable SSL.

Step 3 Select Disable SSL.

Step 4 Select OK.


What To Do Next

If you use MeetingPlace Conference Manager, then you will need to edit the server URL to use "http" instead of "https." See "Editing an Existing Server" in the Using MeetingPlace Conference Manager module.