Table Of Contents
Displaying NTP Server Information
Required Data for This Procedure
Configuring the Clock Time Zone
Configuring Password and PIN Parameters
Configuring Password and PIN Length and Expiry Time
Configuring Password and PIN Protection Lockout Modes
Configuring Password Protection with Permanent Lockout
Configuring PIN Protection with Permanent Lockout
Configuring Password Protection with Temporary Lockout
Configuring PIN Protection with Temporary Lockout
Using HTTPS to Protect Passwords and PINs
Configuring Pin and Password History
Configuring the Password History Depth
Configuring the PIN History Depth
Displaying Password and PIN System Settings
Encrypting PINs in Backup Files
Advanced Configuration
Last Updated: June 21, 2007
This chapter describes advanced configuration procedures for modifying application parameters after the initial installation and configuration process described in the section "Configuring System Components" on page 33. That earlier chapter includes commands not described in this chapter.
The advanced configuration procedures include:
•Configuring the Clock Time Zone
•Configuring Password and PIN Parameters
Configuring the Hostname
During the software postinstallation process, the hostname was configured. Use this procedure to change the hostname.
SUMMARY STEPS
1. config t
2. hostname hostname
3. exit
4. show hosts
5. copy running-config startup-config
DETAILED STEPS
Examples
The following commands configure the hostname:
se-10-0-0-0# config tse-10-0-0-0(config)# hostname mainhostca-west(config)# exitca-west#The output from the show hosts command might look similar to the following:
ca-west# show hostsHostname: mainhostDomain: myofficeDNS Server1: 10.100.10.130DNS Server2: 10.5.0.0ca-west#Configuring the DNS Server
During the software postinstallation process, the DNS server and IP addresses may have been configured. Use this procedure to change the server name and IP addresses.
SUMMARY STEPS
1. config t
2. ip domain-name dns-server-name
3. ip name-server ip-address [ip-address] [ip-address] [ip-address]
4. exit
5. show hosts
6. copy running-config startup-config
DETAILED STEPS
Examples
The following commands configure the DNS server:
se-10-0-0-0# config tse-10-0-0-0(config)# ip domain-name mycompanyse-10-0-0-0(config)# ip name-server 10.100.10.130 10.5.0.0se-10-0-0-0(config)# exitse-10-0-0-0#The output from the show hosts command might look similar to the following:
se-10-0-0-0# show hostsHostname: se-10-100-6-10Domain: mycompanyDNS Server1: 10.100.10.130se-10-0-0-0#Configuring NTP Servers
During the software postinstallation process, the Network Time Protocol (NTP) server may have been configured. Cisco Unity Express accepts a maximum of three NTP servers. Use this procedure to add or delete NTP servers.
Adding NTP Servers
You can designate an NTP server using its IP address or its hostname.
Cisco Unity Express uses the DNS server to resolve the hostname to an IP address and stores the IP address as an NTP server. If DNS resolves the hostname to more than one IP address, Cisco Unity Express randomly chooses one of the IP addresses that is not already designated as an NTP server.
To configure an NTP server with multiple IP addresses for a hostname, repeat the configuration steps using the same hostname. Each iteration assigns the NTP server to its remaining IP addresses.
SUMMARY STEPS
1. config t
2. ntp server {hostname | ip-address} [prefer]
3. exit
4. show ntp status
5. show ntp configuration
6. copy running-config startup-config
DETAILED STEPS
Examples
The following commands configure the NTP server:
se-10-0-0-0# config tse-10-0-0-0(config)# ntp server 10.100.6.9se-10-0-0-0(config)# exitse-10-0-0-0#The output from the show ntp status command might look similar to the following:
se-10-0-0-0# show ntp statusNTP reference server 1: 10.100.6.9Status: sys.peerTime difference (secs): 3.268110099434328E8Time jitter (secs): 0.1719226837158203se-10-0-0-0#The following example configures an NTP server with a hostname that points to two IP addresses 172.16.10.1 and 172.16.10.2:
se-10-0-0-0# config tse-10-0-0-0(config)# ntp server NTP.mine.comse-10-0-0-0(config)# exitse-10-0-0-0#se-10-0-0-0# config tse-10-0-0-0(config)# ntp server NTP.mine.comse-10-0-0-0(config)# exitse-10-0-0-0#The output from the show ntp status command might look similar to the following:
se-10-0-0-0# show ntp statusNTP reference server 1: 172.16.10.1Status: sys.peerTime difference (secs): 3.268110099434328E8Time jitter (secs): 0.1719226837158203NTP reference server 1: 172.16.10.2Status: sys.peerTime difference (secs): 3.268110099434328E8Time jitter (secs): 0.1719226837158203se-10-0-0-0#Removing an NTP Server
Remove an NTP server using its IP address or hostname.
SUMMARY STEPS
1. config t
2. no ntp server {hostname | ip-address}
3. exit
4. show ntp status
5. show ntp configuration
6. copy running-config startup-config
DETAILED STEPS
Displaying NTP Server Information
The following commands are available to display NTP server configuration information and status:
•show ntp associations
•show ntp servers
•show ntp source
•show ntp status
The following is sample output for the show ntp associations command:
se-10-0-0-0# show ntp associationsind assID status conf reach auth condition last_event cnt===========================================================1 61253 8000 yes yes none rejectThe following is sample output for the show ntp servers command:
se-10-0-0-0# show ntp serversremote refid st t when poll reach delay offset jitter==============================================================================1.100.6.9 0.0.0.0 16 u - 1024 0 0.000 0.000 4000.00space reject, x falsetick, . excess, - outlyer+ candidate, # selected, * sys.peer, o pps.peerThe following is sample output for the show ntp source command:
se-10-0-0-0# show ntp source127.0.0.1: stratum 16, offset 0.000013, synch distance 8.672010.0.0.0: *Not Synchronized*The following is sample output for the show ntp status command:
se-10-0-0-0# show ntp statusNTP reference server : 10.100.6.9Status: rejectTime difference (secs): 0.0Time jitter (secs): 4.0Configuring a Syslog Server
Cisco Unity Express captures messages that describe activities in the system. These messages are collected and directed to a messages.log file on the Cisco Unity Express module hard disk, the console, or an external system log (syslog) server. The messages.log file is the default destination.
This section describes the procedure for configuring an external server to collect the messages. To view the messages, see "Viewing System Activity Messages" on page 322.
Required Data for This Procedure
You need the hostname or IP address of the designated log server.
SUMMARY STEPS
1. config t
2. log server address {hostname | ip-address}
3. exit
4. show running-config
DETAILED STEPS
Examples
The output from the show running-config command might look similar to the following:
se-10-0-0-0# show running-configclock timezone America/Los_Angeleshostname se-10-0-0-0ip domain-name localdomainntp server 10.100.60.1...log server address 10.100.10.210voicemail default mailboxsize 3000voicemail capacity time 6000endConfiguring the Clock Time Zone
During the software postinstallation process, the time zone of the local Cisco Unity Express module was configured. Use this procedure to change the module's time zone.
Cisco Unity Express automatically updates the clock for daylight savings time on the basis of the selected time zone.
SUMMARY STEPS
1. config t
2. clock timezone timezone
3. exit
4. show clock detail
5. copy running-config startup-config
DETAILED STEPS
Examples
The following commands configure the clock time zone:
se-10-0-0-0# config tse-10-0-0-0(config)# clock timezonePlease identify a location so that time zone rules can be set correctly.Please select a continent or ocean.1) Africa 4) Arctic Ocean 7) Australia 10) Pacific Ocean2) Americas 5) Asia 8) Europe3) Antarctica 6) Atlantic Ocean 9) Indian Ocean#? 2Please select a country.1) Anguilla 18) Ecuador 35) Paraguay2) Antigua & Barbuda 19) El Salvador 36) Peru3) Argentina 20) French Guiana 37) Puerto Rico4) Aruba 21) Greenland 38) St Kitts & Nevis5) Bahamas 22) Grenada 39) St Lucia6) Barbados 23) Guadeloupe 40) St Pierre & Miquelon7) Belize 24) Guatemala 41) St Vincent8) Bolivia 25) Guyana 42) Suriname9) Brazil 26) Haiti 43) Trinidad & Tobago10) Canada 27) Honduras 44) Turks & Caicos Is11) Cayman Islands 28) Jamaica 45) United States12) Chile 29) Martinique 46) Uruguay13) Colombia 30) Mexico 47) Venezuela14) Costa Rica 31) Montserrat 48) Virgin Islands (UK)15) Cuba 32) Netherlands Antilles 49) Virgin Islands (US)16) Dominica 33) Nicaragua17) Dominican Republic 34) Panama#? 45Please select one of the following time zone regions.1) Eastern Time2) Eastern Time - Michigan - most locations3) Eastern Time - Kentucky - Louisville area4) Eastern Standard Time - Indiana - most locations5) Central Time6) Central Time - Michigan - Wisconsin border7) Mountain Time8) Mountain Time - south Idaho & east Oregon9) Mountain Time - Navajo10) Mountain Standard Time - Arizona11) Pacific Time12) Alaska Time13) Alaska Time - Alaska panhandle14) Alaska Time - Alaska panhandle neck15) Alaska Time - west Alaska16) Aleutian Islands17) Hawaii#? 11The following information has been given:United StatesPacific TimeTherefore TZ='America/Los_Angeles' will be used.Local time is now: Tue Jul 18 02:02:19 PDT 2006.Universal Time is now: Tue Jul 18 09:02:19 UTC 2006.Is the above information OK?1) Yes2) No#? 1Save the change to startup configuration and reload the module for the new timezone to take effect.se-10-0-0-0(config)# endse-10-0-0-0#The output from the show clock detail command might look similar to the following:
se-10-0-0-0# show clock detail19:20:33.724 PST Wed Feb 4 2004time zone: America/Pacificclock state: unsyncdelta from reference (microsec): 0estimated error (microsec): 175431time resolution (microsec): 1clock interrupt period (microsec): 10000time of day (sec): 732424833time of day (microsec): 760817Configuring Password and PIN Parameters
Cisco Unity Express supports the configuration of the password and personal identification number (PIN) parameters described in the following sections:
•Configuring Password and PIN Length and Expiry Time
•Configuring Password and PIN Protection Lockout Modes
•Using HTTPS to Protect Passwords and PINs
•Configuring Pin and Password History
•Encrypting PINs in Backup Files
•Displaying Password and PIN System Settings
Configuring Password and PIN Length and Expiry Time
Cisco Unity Express supports configuring the following two attributes of password and PIN:
•Minimum password and PIN length
To support enhanced security procedures, Cisco Unity Express has made the password and PIN length configurable. The administrator can configure the length to a value greater than or equal to 3 alphanumeric characters. This is a system-wide value, so that all subscribers must have passwords and PINs of at least that many characters. Use the GUI Defaults > User option or the procedure described below to configure this length.
The password length does not have to equal the PIN length.
The default length is 3 alphanumeric characters. The maximum password length is 32 alphanumeric characters. The maximum PIN length is 16 alphanumeric characters.
To set the password or PIN length to the system default values, use the no or default form of the commands.
Note If the minimum password or PIN length is increased, existing passwords and PINs that do not conform to the new limit will automatically expire. The subscriber must reset the password at the next log in to the GUI and must reset the PIN at the next log in to the TUI.
•Password and PIN expiry time
Cisco Unity Express permits the administrator to configure the password and PIN expiry time on a system-wide basis. The expiry time is the time, in days, for which the password and PIN are valid. When this time is reached, the subscriber must enter a new password or PIN.
If this option is not configured, passwords and PINs do not expire.
Use the GUI Defaults > User option or the procedure described below to configure this time.
The password expiry time does not have to equal the PIN expiry time.
The valid range is 3 to 365 days.
To set the password or PIN expiry time to the system default values, use the no or default form of the commands.
SUMMARY STEPS
•config t
•security password length min password-length
•security pin length min pin-length
•security password expiry days password-days
•security pin expiry days pin-days
•exit
DETAILED STEPS
Examples
The following example sets the password length to 6 characters, the PIN length to 5 characters, the password expiry time to 60 days, and the PIN expiry time to 45 days.
se-10-0-0-0# config tse-10-0-0-0(config)# security password length min 6se-10-0-0-0(config)# security pin length min 5se-10-0-0-0(config)# security password expiry days 60se-10-0-0-0(config)# security pin expiry days 45se-10-0-0-0(config)# exitConfiguring Password and PIN Protection Lockout Modes
This feature provides both temporary and permanent lockout for passwords and PINs to help prevent security breeches.
For the permanent lockout mode, the user's account is permanently locked after a specified number of incorrect passwords or PINs are entered. After the account is locked, only the administrator can unlock it and reset the password.
For the temporary lockout mode, the user's account is temporarily locked after a specified number of initial incorrect passwords or PINs are entered. This lockout lasts for a specified amount of time. If the maximum number of incorrect passwords or PINs is exceeded for a second time, the account is locked for twice the specified a mount of time. The lockout time continues to increase for each set of incorrect passwords or PINs until the total number of failed login attempts equals the number specified to lock the account permanently. To prevent denial-of-service attacks, the retry count is not incremented if a user tries to log in during the lockout period. If the user enters the correct password or PIN and logs in successfully, the lockout time is reset to zero. After the account is permanently locked, only the administrator can unlock it and reset the password. When the administrator unlocks the account, the retry count and disable time are also reset to zero.
To configure the behavior for permanent lockouts, you just have to specify the:
•Lockout mode (set to permanent)
•Maximum number of failed login attempts allowed before the account is locked
To configure the behavior for temporary lockouts, you just have to specify four parameters:
•Lockout mode (set to temporary)
•Number of failed attempts that trigger the initial temporary lockout
•Duration of initial temporary lockout
•Number of failed attempts that will lock the account permanently
You have the following four options when using password and PIN protect:
•Password Protection with:
–Permanent lockout
–Temporary Lockout
•PIN Protection with:
–Permanent lockout
–Temporary Lockout
The corresponding procedures are documented in the following sections:
•Configuring Password Protection with Permanent Lockout
•Configuring PIN Protection with Permanent Lockout
•Configuring Password Protection with Temporary Lockout
•Configuring PIN Protection with Temporary Lockout
Configuring Password Protection with Permanent Lockout
Prerequisites
There are no prerequisites.
Required Data for This Procedure
There is no data required.
SUMMARY STEPS
1. config t
2. security password lockout enable
3. security password lockout policy perm-lock
4. security password perm-lock max-attempts no_of_max_attempts
5. end
DETAILED STEPS
Configuring PIN Protection with Permanent Lockout
Prerequisites
There are no prerequisites.
Required Data for This Procedure
There is no data required.
SUMMARY STEPS
1. config t
2. security pin lockout enable
3. security pin lockout policy perm-lock
4. security pin perm-lock max-attempts no_of_max_attempts
5. end
DETAILED STEPS
Configuring Password Protection with Temporary Lockout
Prerequisites
There are no prerequisites.
Required Data for This Procedure
There is no data required.
SUMMARY STEPS
1. config t
2. security password lockout enable
3. security password lockout policy temp-lock
4. security password temp-lock max-attempts no_of_max_attempts
5. security password temp-lock init-attempts no_of_init_attempts
6. security password temp-lock duration duration
7. end
DETAILED STEPS
Configuring PIN Protection with Temporary Lockout
Prerequisites
There are no prerequisites.
Required Data for This Procedure
There is no data required.
SUMMARY STEPS
1. config t
2. security pin lockout enable
3. security pin lockout policy temp-lock
4. security pin temp-lock max-attempts no_of_max_attempts
5. security pin temp-lock init-attempts no_of_init_attempts
6. security pin temp-lock duration duration
7. end
DETAILED STEPS
Using HTTPS to Protect Passwords and PINs
You can use HTTPS to secure the transmission of user passwords and PINs between the client and server. However, by default, Tomcat web servers does not have HTTPS enabled. HTTPS communicates over the TLS protocol. The default port for HTTPS is 8443. However, Cisco Unity Express uses port 443 for the HTTPS port to avoid having to include the port number in the URL. Port forwarding from 80 (HTTP) to 443 is not enabled.
The web server will automatically use HTTPS to render any parts of the GUI or web pages that are not application-specific. You can configure applications to use HTTPS using their web.xml file.
HTTPS uses public key cryptography. Therefore, the HTTPS client must download the certificate from the server. You can either generate your own certificate or import one from a certificate authority. If you want to generate your own certificate, use the crypto command in configuration mode, as shown below
crypto key generate rsa label tomcat modulus 1024
Note This feature, does not require any configuration using the GUI or CLI.
Configuring Pin and Password History
This feature enables the system to track previous PINS and password for all users and prevent users from reusing old PINs or passwords. You can configure the depth of the PIN or the password history using either the GUI or CLI.
This section contains the procedures:
•Configuring the Password History Depth
•Configuring the PIN History Depth
Configuring the Password History Depth
Prerequisites
There are no prerequisites.
Required Data for This Procedure
There is no data required.
SUMMARY STEPS
1. config t
2. security password history depth depth
3. end
DETAILED STEPS
Configuring the PIN History Depth
Prerequisites
There are no prerequisites.
Required Data for This Procedure
There is no data required.
SUMMARY STEPS
1. config t
2. security pin history depth depth
3. end
DETAILED STEPS
Displaying Password and PIN System Settings
Use the following Cisco Unity Express EXEC mode command to display the password and PIN settings:
show security detail
The command output may look similar to the following:
se-10-0-0-0# show security detailPassword Expires: truePassword Age: 60 daysPassword Length (min): 5Password Length (max): 32PIN Expires: truePIN Age: 45 daysPIN Length (min): 4PIN Length (max): 16The following example shows the values when password expiration and the PIN length are reset to the system default values:
se-10-0-0-0# show security detailPassword Expires: falsePassword Length (min): 3Password Length (max): 32PIN Expires: falsePIN Length (min): 3PIN Length (max): 16Encrypting PINs in Backup Files
Before 3.0, PINs were stored as clear text in LDAP and were therefore visible in the backup file. This is because user PINs are stored in LDAP, which is backed up in LDIF format. This feature applies SHA-1 hash encryption to PINs before storing them in the LDAP database. As a result, when a user logs in to voice mail, the PIN they submit is hashed and compared to the PIN attribute retrieved from LDAP directory.
To migrate from earlier version, you must convert from a clear PIN to a hashed PIN in the LDAP directory. This conversion is typically done right after a system upgrade froman earlier version or after a restore operation from an old backup. At his point, the clear PIN is removed from the database and replaced with the encrypted PIN.
Because encryption using SHA-1 is not reversible, after the conversion is complete, you cannot disable or turn off this feature to restore the encrypted PIN to its clear form.
Note This feature, does not require any configuration using the GUI or CLI.