Table Of Contents
Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)
HTTPS Overview
Using Internet Explorer with HTTPS
Using Internet Explorer to Save the Certificate to the Trusted Folder
Viewing Details of the Certificate
Copying the Certificate to File
Using Netscape with HTTPS
Using Netscape to Save the Certificate to the Trusted Folder
Using a Server Authentication Certificate from a Third-Party Certificate Authority
Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)
This chapter contains information on the following topics:
•
HTTPS Overview
•Using Internet Explorer to Save the Certificate to the Trusted Folder
•Viewing Details of the Certificate
•Copying the Certificate to File
•Using Netscape to Save the Certificate to the Trusted Folder
•Using a Server Authentication Certificate from a Third-Party Certificate Authority
HTTPS Overview
Hypertext Transfer Protocol over Secure Sockets Layer (SSL), which secures communication between the browser client and the IIS server, uses a certificate and a public key to encrypt the data that is transferred over the internet. HTTPS also ensures that the user login password transports securely via the web. The following Cisco CallManager applications support HTTPS, which ensures the identity of the server: Cisco CallManager Administration, Cisco CallManager Serviceability, the Cisco IP Phone User Option Pages, the Bulk Administration Tool (BAT), TAPS, Cisco CDR Analysis and Reporting (CAR), Trace Collection Tool, and the Real-Time Monitoring Tool.
When you install/upgrade Cisco CallManager, the HTTPS self-signed certificate, httpscert.cer, automatically installs on the IIS default website that hosts the Cisco CallManager virtual directories in Table 2-1:
Table 2-1 Cisco CallManager Virtual Directories
Cisco CallManager Virtual Directory
|
Corresponding Application
|
CCMAdmin
|
Cisco CallManager Administration
|
CCMService
|
Cisco CallManager Serviceability
|
CCMUser
|
Cisco IP Phone User Option Pages
|
AST
|
Real-Time Monitoring Tool (RTMT)
|
RTMTReports
|
RTMT reports archive
|
CCMTraceAnalysis
|
Trace Analysis Tool
|
PktCap
|
TAC troubleshooting tools
Note These troubleshooting tools use the virtual directory to get the trace files that contain the SCCP messages (phone) or UDP and TCP backhaul messages (gateway) traces.
|
ART
|
Cisco CDR Analysis and Reporting (CAR)
|
CCMServiceTraceCollectionTool
|
Trace Collection Tool
|
BAT
|
Bulk Administration Tool (BAT)
|
TAPS
|
Tool for Auto-Registration Phone Support (TAPS)
|
The HTTPS certificate gets stored in the C:\Program Files\Cisco\Certificates directory. If you prefer to do so, you can install a server authentication certificate from a certificate authority and use it instead of the HTTPS self-signed certificate. To use the certificate authority certificate after the Cisco CallManager installation/upgrade, you must delete the self-signed certificate, as described in the "Troubleshooting" section on page 9-1. Then, you install the server authentication certificate that is provided by the certificate authority, as described in the certificate authority documentation.
Note If you access the web application by using the hostname and install the certificate in the trusted folder and then try to access the application by using the localhost or IP address, the Security Alert dialog box displays to indicate that the name of the security certificate does not match the name of the site.
If you use the localhost, the IP address, or the hostname in the URL to access the application that supports HTTPS, you must save the certificate in the trusted folder for each of type of URL (with the local host, IP address, and so on); otherwise, the Security Alert dialog box displays for each type.
Related Topics
•Cisco CallManager Administration Guide
•Cisco CallManager System Guide
•Bulk Administration Tool User Guide
•Cisco CallManager Serviceability Administration Guide
•Cisco CallManager Serviceability System Guide
•Customizing Your Cisco IP Phone on the Web
•Using Internet Explorer to Save the Certificate to the Trusted Folder
•Viewing Details of the Certificate
•Copying the Certificate to File
Using Internet Explorer with HTTPS
This section provides details on the following topics that are associated with using HTTPS with Internet Explorer:
•Using Internet Explorer to Save the Certificate to the Trusted Folder
•Viewing Details of the Certificate
•Copying the Certificate to File
The first time that you (or a user) accesses Cisco CallManager Administration or other Cisco CallManager SSL-enabled virtual directories after the Cisco CallManager 4.1 installation/upgrade from a browser client, a Security Alert dialog box asks whether you trust the server. When the dialog box displays, you must perform one of the following tasks:
•By clicking Yes, you choose to trust the certificate for the current web session only. If you trust the certificate for the current session only, the Security Alert dialog box displays each time that you access the application; that is, until you install the certificate in the trusted folder.
•By clicking View Certificate > Install Certificate, you intend to perform certificate installation tasks, so you always trust the certificate. If you install the certificate in the trusted folder, the Security Alert dialog box does not display each time that you access the web application.
•By clicking No, you cancel the action. No authentication occurs, and you cannot access the web application. To access the web application, you must click Yes or install the certificate via the View Certificate > Install Certificate options.
Related Topics
•HTTPS Overview
•Using Internet Explorer to Save the Certificate to the Trusted Folder
•Viewing Details of the Certificate
•Copying the Certificate to File
•Troubleshooting HTTPS, page 9-4
Using Internet Explorer to Save the Certificate to the Trusted Folder
To save the HTTPS certificate in the trusted folder on the browser client, so the Security Alert dialog box does not display each time that you access the web application, perform the following procedure:
Procedure
Step 1 Browse to the application on the IIS server.
Step 2 When the Security Alert dialog box displays, click View Certificate.
Step 3 In the Certificate pane, click Install Certificate.
Step 4 Click Next.
Step 5 Click the Place all certificates in the following store radio button; click Browse.
Step 6 Browse to Trusted Root Certification Authorities.
Step 7 Click Next.
Step 8 Click Finish.
Step 9 To install the certificate, click Yes.
A message states that the import was successful. Click OK.
Step 10 In the lower, right corner of the dialog box, click OK.
Step 11 To trust the certificate, so you do not receive the dialog box again, click Yes.
Note If you use the localhost, the IP address, or the hostname in the URL to access the application that supports HTTPS, you must save the certificate in the trusted folder for each of type of URL (with the local host, IP address, and so on); otherwise, the Security Alert dialog box displays for each type.
Related Topics
•HTTPS Overview
•Viewing Details of the Certificate
•Copying the Certificate to File
Viewing Details of the Certificate
To view the details of the certificate, perform one of the following tasks:
•Click the View Certificate button and then the Details tab.
•On the server where the certificate exists, right-click the certificate in C:\Program Files\Cisco\Certificates\httpscert.cer; click Open.
Tip You cannot change any data that displays for the settings in the pane. For descriptive information on the following settings, refer to Microsoft documentation.
The following certificate settings may display:
•Version
•Serial Number
•Signature Algorithm
•Issuer
•Valid From
•Valid To
•Subject
•Public key
•Subject Key Installer
•Key Usage
•Enhanced Key Usage
•Thumbprint Algorithm
•Thumbprint
To display a subset of settings, if available, choose one of the following options:
•All—All options display in the Details pane.
•Version 1 Fields Only—Version, Serial Number, Signature Algorithm, Issuer, Valid From, Valid To, Subject, and the Public Key options display.
•Extensions Only—Subject Key Identifier, Key Usage, and the Enhanced Key Usage options display.
•Critical Extensions Only—Critical extensions, if any display.
•Properties Only—Thumbprint algorithm and the thumbprint options display.
Related Topics
•HTTPS Overview
•Using Internet Explorer to Save the Certificate to the Trusted Folder
•Copying the Certificate to File
Copying the Certificate to File
Copying the certificate to file allows you to restore the certificate whenever necessary. You can also use the following procedure to install a certificate file that another user sends you.
Performing the following procedure copies the certificate by using a standard certificate storage format. To copy the certificate contents to file, perform the following procedure:
Procedure
Step 1 In the Security Alert dialog box, click View Certificate.
Step 2 Click the Details tab.
Step 3 Click the Copy to File button.
Step 4 The Welcome Wizard displays. Click Next.
Step 5 The following list defines the file formats from which you can choose. Choose the file format that you want to use to export the file; click Next.
•DER encoded binary X.509 (.CER)—Uses DER to transfer information between entities.
•Base-64 encoded X.509 (.CER)—Sends secure binary attachments over the internet; uses ASCII text format to prevent corruption of file.
•Cryptographic Message Syntax Standard-PKCS #7 Certificates (.P7B)—Exports the certificate and all certificates in the certification path to the chosen PC.
Step 6 Browse to the file that you want to export.
Step 7 Click Finish.
Step 8 When the successful export dialog box displays, click OK.
Related Topics
•HTTPS Overview
•Using Internet Explorer to Save the Certificate to the Trusted Folder
•Viewing Details of the Certificate
Using Netscape with HTTPS
When you use HTTPS with Netscape, you can view the certificate credentials, trust the certificate for one session, trust the certificate until it expires, or not trust the certificate at all.
Tip If you trust the certificate for one session only, you must repeat the "Using Netscape to Save the Certificate to the Trusted Folder" procedure each time that you access the HTTPS-supported application. If you do not trust the certificate, you cannot access the application.
Related Topics
•HTTPS Overview
•Using Netscape to Save the Certificate to the Trusted Folder
•Troubleshooting HTTPS, page 9-4
Using Netscape to Save the Certificate to the Trusted Folder
Perform the following procedure to save the certificate to the trusted folder:
Procedure
Step 1 Access the application, for example, Cisco CallManager Administration, through Netscape.
Step 2 After the New Site Certificate window displays, click Next.
Step 3 After the next New Site Certificate window displays, click Next.
Tip To view the certificate credentials before you click Next, click More Info. Review the credentials, and click OK; then, click Next in the New Site Certificate window.
Step 4 Click one of the following radio buttons:
•Accept this certificate for this session
•Do not accept this certificate and do not connect
•Accept this certificate forever (until it expires)
Step 5 Click Next.
Step 6 If you clicked the Do not accept this certificate... radio button, go to Step 8.
Step 7 If you want Netscape to warn you before sending information to other sites, check the Warn me before I send information to this site check box; then, click Next.
Step 8 Click Finish.
Related Topics
•HTTPS Overview
•Using Netscape with HTTPS
•Troubleshooting HTTPS, page 9-4
Using a Server Authentication Certificate from a Third-Party Certificate Authority
To use a server authentication certificate from a third-party certificate authority instead of the certificate that is provided with Cisco CallManager, perform the following procedure:
Procedure
Step 1 Delete the HTTPS certificate, as described in the "Deleting the HTTPS Certificate" section on page 9-8.
Step 2 Install the certificate that you want to use.
Step 3 Right-click the certificate file.
Step 4 Choose the Install Certificate option.
Tip You can install by using the default setting.
Step 5 Install the certificate on the IIS default website by performing the following tasks:
a. Choose Start > Programs > Administrative Tools > Internet Service Manager.
b. Click the name of the server where you want to install the certificate.
c. Click the Directory Security tab.
d. Under Secure Communications, click the Server Certificate button.
e. Click Next.
f. Choose the Assign an Existing Certificate option.
g. Choose the certificate from Step 2.
h. Click Next.
i. Click Finish.
Step 6 Rename the Root CA certificate to httpscert.cer.
Step 7 Copy the certificate to C:\program files\cisco\certificates in DER format.
Related Topics
•Troubleshooting, page 9-1
•HTTPS Overview
Feedback
