Cisco Unity Express VoiceMail and Auto Attendant CLI Administrator Guide for 3.0 and Later Versions
Configuring Security
Downloads: This chapterpdf (PDF - 215.0KB) The complete bookPDF (PDF - 11.9MB) | Feedback

Configuring Security

Table Of Contents

Configuring Security

Overview of Security

Obtaining a Certificate and Private Key

Generating a Certificate-Key Pair

Importing a Certificate-Key Pair

Displaying the Certificate-Key Pairs

Changing the Default Certificate-Key Pair

Deleting a Certificate-Key Pair

Accessing the Cisco Unity Express GUI Using HTTPS

Enabling HTTPS Access to the Cisco Unity Express GUI (Versions 3.0 and 3.1)

Prerequisites

Enabling HTTPS Access to the Cisco Unity Express GUI (Versions 3.2 and Higher)

Prerequisites


Configuring Security


This chapter describes the procedures for configuring and managing security certificates and includes the following sections:

Overview of Security

Obtaining a Certificate and Private Key

Displaying the Certificate-Key Pairs

Changing the Default Certificate-Key Pair

Deleting a Certificate-Key Pair

Accessing the Cisco Unity Express GUI Using HTTPS

Overview of Security

Cisco Unity Express provides the infrastructure for configuring and managing security certificates.

You can obtain these certificates using either of the following methods:

Generate self-signed certificates using the RSA encryption algorithm with a modulus size from 512 to 1024.


Note For self-signed certificates, certain clients display a warning message and require subscribers to accept the certificate.


Obtain the certificates from the Certificate Authority (CA). Import these certificates from the Cisco Unity Express console or upload them from an FTP or HTTP server.

The certificates use either the Distinguished Encoding Rules (DER) or Privacy Enhanced Mail (PEM) encoding formats.

Any feature which requires certificates to establish a secure connection can use this infrastructure.


Note This configuration and infrastructure apply only to Cisco Unity Express devices. For other devices, see their respective device documentation.


Obtaining a Certificate and Private Key

Cisco Unity Express requires a default certificate and private key before the IMAP server is configured for SSL and can accept SSL connections. Two procedures are available to obtain a certificate-key pair:

Generating a Certificate-Key Pair—A command automatically generates the pair.

Importing a Certificate-Key Pair—A command imports a pair from the console or a remote server.

Generating a Certificate-Key Pair

Starting in Cisco Unity Express configuration mode, use the following command to have the Cisco Unity Express system generate a certificate-key pair:

crypto key generate [rsa {label label-name | modulus modulus-size} | default]

where rsa is the supported encryption algorithm, label-name is the name assigned to the certificate-key pair, modulus-size is a number between 512 and 1024 used for generating a key, and default designates the generated certificate-key pair as the system default. If you do not select any keywords or do not specify a label, the system automatically generates a certificate-key pair with a name in the format hostname.domainname.

The following example generates a default certificate-key pair with the label alphakey.myoffice.

se-10-0-0-0# config t
se-10-0-0-0(config)# crypto key generate label alphakey.myoffice modulus 600 default
se-10-0-0-0(config)# end

Importing a Certificate-Key Pair

Starting in Cisco Unity Express configuration mode, use the following command to import a certificate-key pair:

crypto key import rsa label label-name {der url {ftp: | http:} | pem {terminal | url {ftp: | http:}} [default]

where the parameters are defined as follows:

rsa is the supported encryption algorithm.

label label-name is the name assigned to the certificate-key pair.

der and pem are the encoding formats of the imported certificate.

terminal indicates that the import is coming from the console.

url {ftp: | http:} indicates that the import is coming from a remote server at the specified URL.

default designates the imported certificate-key pair as the system default.

The command prompts you for the certificate and private key information.

The following example imports a default certificate-key pair with the label alphakey.myoffice.

se-10-0-0-0# config t
se-10-0-0-0(config)# crypto key import rsa label alphakey.myoffice pem terminal
 
   
Enter certificate...
End with a blank line or "quit" on a line by itself
 
   
Enter private key...
Private key passphrase?
End with a blank line or "quit" on a line by itself
 
   
quit
 
   
Import succeeded.

Displaying the Certificate-Key Pairs

Starting in Cisco Unity Express EXEC mode, use the following command to display a list of all certificate-key pairs on the system or to display a specific certificate-key pair.

show crypto key {all | label label-name}

where all displays all certificate-key pairs on the system and label label-name displays information for the specified certificate-key pair.

The following is sample output for the show crypto key command:

se-10-0-0-0# show crypto key label alphakey.myoffice
 
   
Label name: alphakey.myoffice [default]
Entry type:Key Entry
Creation date: Mon Jun 10 14:23:09 PDT 2002
Owner: CN=se-1-100-6-10.localdomain, OU='', O='', L='', ST='', C=''
Issuer: CN=se-1-100-6-10.localdomain, OU='', O='', L='', ST='', C=''
Valid from: Mon Jun 10 14:23:06 PDT 2002 until: Sun Sep 08 14:23:06 PDT 2002

Changing the Default Certificate-Key Pair

Use the following command in Cisco Unity Express configuration mode to designate a certificate-key pair as the system default.

[no] crypto key label label-name default

where label label-name is the certificate-key pair that is designated as the new system default.

If several certificate-key pairs exist on the system and none of them are the system default, use this command to designate one of them as the system default.

If a certificate-key pair exists as the default, designating another pair as the default automatically removes the default status from the first pair.

The no form of the command does not delete the certificate-key pair; it only removes the system default designation.

The system displays an error message if the certificate-key pair does not exist.

Deleting a Certificate-Key Pair

Starting in Cisco Unity Express configuration mode, use the following command to delete a certificate-key pair.

crypto key delete {all | label label-name}

where all deletes all certificate-key pairs on the system and label label-name deletes information for the specified certificate-key pair.

The following deletes the certificate-key pair labeled alphakey.myoffice:

se-10-0-0-0#  config t
se-10-0-0-0(config)#  crypto key delete label alphakey.myoffice
se-10-0-0-0(config)# end
 
   

An error message appears if the certificate-key pair does not exist.

Accessing the Cisco Unity Express GUI Using HTTPS

You can set up the system to access the Cisco Unity Express GUI using HTTPS. See the following sections:

Enabling HTTPS Access to the Cisco Unity Express GUI (Versions 3.0 and 3.1)

Enabling HTTPS Access to the Cisco Unity Express GUI (Versions 3.2 and Higher)

Enabling HTTPS Access to the Cisco Unity Express GUI (Versions 3.0 and 3.1)

Beginning with Cisco Unity Express 3.0, you can use HTTPS to access the Cisco Unity Express GUI. This procedure requires that Cisco Unity Express is reloaded. The implementation beginning with version 3.2 does not require a system reload.

To set up HTTPS access to the the Cisco Unity Express GUI, perform the following steps:

Prerequisites

Cisco Unity Express 3.0 or 3.1

SUMMARY STEPS

1. config t

2. crypto key generate

3. end

4. reload

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

config t

Example:

se-10-0-0-0# config t

Enters configuration mode.

Step 2 

crypto key generate label

Example:
se-10-0-0-0(config)# crypto key generate 
Key generation in progress. Please wait... 
The label name for the key is mainkey.ourcompany

Generates a self-signed certificate and private key.

Step 3 

end

Example:

se-10-0-0-0(config)# end

se-10-0-0-0#

Exits to privileged EXEC mode.

Step 4 

reload

se-10-0-0-0# reload

Restarts the Cisco Unity Express system.

To access the Cisco Unity Express GUI using HTTPS, type the following into the browser:

https://x.x.x.x/

where x.x.x.x represents the Cisco Unity Express IP address.

Enabling HTTPS Access to the Cisco Unity Express GUI (Versions 3.2 and Higher)

Beginning with Cisco Unity Express 3.2, you can configure the system to allow HTTPS access to the Cisco Unity Express GUI without having to reload the system.

To enable HTTPS access to the the Cisco Unity Express GUI, perform the following steps:

Prerequisites

Cisco Unity Express 3.2 or a later version

SUMMARY STEPS

1. config t

2. crypto key generate

3. web session security keylabel labelname

4. end

5. (Optional) show web session security keylabel

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

config t

Example:

se-10-0-0-0# config t

Enters configuration mode.

Step 2 

crypto key generate label

Example:
se-10-0-0-0(config)# crypto key generate 
Key generation in progress. Please wait... 
The label name for the key is mainkey.ourcompany

Generates a self-signed certificate and private key.

Step 3 

web session security keylabel labelname

Example:

se-10-0-0-0(config)# web session security keylabel mainkey.ourcompany

Associates a security key for HTTPS.

Step 4 

end

Example:

se-10-0-0-0(config)# end

Exits to privileged EXEC mode.

Step 5 

show web session security keylabel

Example:
se-10-0-0-0# show web session security keylabel
Key Label is mainkey.ourcompany

(Optional) Displays the security key for HTTPS.

To access the Cisco Unity Express GUI using HTTPS, type the following into the browser:

https://x.x.x.x/

where x.x.x.x represents the Cisco Unity Express IP address.