Table Of Contents
Security
Set Internet Explorer Security Options
Manage Certificates and Certificate Trust Lists
Display Certificates
Download a Certificate or CTL
Delete and Regenerate a Certificate
Deleting a Certificate
Regenerating a Certificate
Upload a Certificate or Certificate Trust List
Upload a Certificate
Upload a Certificate Trust List
Using Third Party CA Certificates
Generating a Certificate Signing Request
Download a Certificate Signing Request
Obtaining Third-Party CA Certificates
Monitor Certificate Expiration Dates
IPSEC Management
Set Up a New IPSec Policy
Display or Enable/Disable an Existing IPSec Policy
Delete One or More IPSec Policies
Security
This chapter describes Certificate Management and IPSec Management and provides procedures for performing the following tasks:
• Set Internet Explorer Security Options
• Manage Certificates and Certificate Trust Lists
• IPSEC Management
Set Internet Explorer Security Options
To download certificates from the server, ensure your Internet Explorer security settings are configured as follows:
Procedure
Step 1
Start Internet Explorer.
Step 2
Navigate to Tools>Internet Options.
Step 3
Click the Advanced tab.
Step 4
Scroll down to the Security section on the Advanced tab.
Step 5
If necessary, clear the Do not save encrypted pages to disk check box.
Step 6
Click OK.
Manage Certificates and Certificate Trust Lists
The Certificate Management menu options allow you to perform the following functions:
• Display certificates
• Upload certificates and Certificate Trust Lists (CTL)
• Download certificates and CTLs
• Delete certificates
• Regenerate certificates
• Download and generate Certificate Signing Requests (CSR)
• Monitor certificate expiration dates
Note
To access the Security menu items, you must log in to Cisco Unified Communications Operating System Administration again by using your Administrator password.
Display Certificates
To display existing certificates, follow this procedure:
Procedure
Step 1
Navigate to Security>Certificate Management.
The Certificate List window displays.
Step 2
You can use the Find controls to filter the certificate list.
Step 3
To view details of a certificate or trust store, click its file name.
The Certificate Configuration window displays information about the certificate.
Step 4
To return to the Certificate List window, select Back To Find/List in the Related Links list; then, click Go.
Download a Certificate or CTL
To download a certificate or CTL from the Cisco Unified Communications Operating System to your PC, follow this procedure:
Procedure
Step 1
Navigate to Security>Certificate Management.
The Certificate List window displays.
Step 2
You can use the Find controls to filter the certificate list.
Step 3
Click the file name of the certificate or CTL.
The Certificate Configuration window displays.
Step 4
Click Download.
Step 5
In the File Download dialog box, click Save.
Delete and Regenerate a Certificate
These sections describe deleting and regenerating a certificate:
• "Deleting a Certificate" section
• "Regenerating a Certificate" section
Deleting a Certificate
To delete a trusted certificate, which is the only type of certificate that you can delete, follow this procedure:
Caution
Deleting a certificate can affect your system operations.
Procedure
Step 1
Navigate to Security>Certificate Management.
The Certificate List window displays.
Step 2
You can use the Find controls to filter the certificate list.
Step 3
Click the file name of the certificate or CTL.
The Certificate Configuration window displays.
Step 4
Click Delete.
Regenerating a Certificate
To regenerate a certificate, follow this procedure:
Caution
Regenerating a certificate can affect your system operations.
Note
You can regenerate only certificates of type "cert."
Procedure
Step 1
Navigate to Security>Certificate Management.
The Certificate List window displays.
Step 2
Click Generate New.
The Generate Certificate dialog box opens.
Step 3
From the Certificate Name list, choose a certificate name.
Step 4
Click Generate New.
Upload a Certificate or Certificate Trust List
Caution
Uploading a new certificate or certificate trust list (CTL) file can affect your system operations.
Note
The system does not distribute trust certificates to other cluster nodes automatically. If you need to have the same certificate on more than one node, you must upload the certificate to each node individually.
These sections describe how to upload a CA root certificate, application certificate, or CTL file to the server:
• "Upload a Certificate" section
• "Upload a Certificate Trust List" section
Upload a Certificate
Procedure
Step 1
Navigate to Security>Certificate Management.
The Certificate List window displays.
Step 2
Click Upload Certificate.
The Upload Certificate dialog box opens.
Step 3
From the Certificate Name list, select the certificate name.
Step 4
If you are uploading an application certificate that was issued by a third-party CA, enter the name of the CA root certificate in the Root Certificate text box. If you are uploading a CA root certificate, leave this text box empty.
Step 5
Select the file to upload by doing one of the following steps:
• In the Upload File text box, enter the path to the file.
• Click the Browse button and navigate to the file; then, click Open.
Step 6
To upload the file to the server, click the Upload File button.
Upload a Certificate Trust List
Procedure
Step 1
Navigate to Security>Certificate Management.
The Certificate List window displays.
Step 2
Click Upload CTL.
The Upload Certificate Trust List dialog box opens.
Step 3
From the Certificate Name list, select the certificate name.
Step 4
If you are uploading an application certificate that was issued by a third-party CA, enter the name of the CA root certificate in the Root Certificate text box. If you are uploading a CA root certificate, leave this text box empty.
Step 5
Select the file to upload by doing one of the following steps:
• In the Upload File text box, enter the path to the file.
• Click the Browse button and navigate to the file; then, click Open.
Step 6
To upload the file to the server, click the Upload File button.
Using Third Party CA Certificates
Cisco Unified Communications Operating System supports certificates that a third-party Certificate Authority (CA) issues in response to a PKCS #10 Certificate Signing Request (CSR). The following table provides an overview of this process, with references to additional documentation:
Step | Task | For More Information
Step 1 | Generate a CSR on the server. | See the "Generating a Certificate Signing Request" section.
Step 2 | Download the CSR to your PC. | See the "Download a Certificate Signing Request" section.
Step 3 | Use the CSR to obtain an application certificate from a CA. | Get information about obtaining application certificates from your CA. See the "Obtaining Third-Party CA Certificates" section for additional notes.
Step 4 | Obtain the CA root certificate. | Get information about obtaining a root certificate from your CA. See the "Obtaining Third-Party CA Certificates" section for additional notes.
Step 5 | Upload the CA root certificate to the server. | See the "Upload a Certificate" section.
Step 6 | Upload the application certificate to the server. | See the "Upload a Certificate" section.
Step 7 | If you updated the certificate for CAPF or Cisco Unified Presence, generate a new CTL file. | See the Cisco Unified Communications Manager Security Guide.
Step 8 | Restart the services that are affected by the new certificate. | For all certificate types, restart the corresponding service (for example, restart the Tomcat service if you updated the Tomcat certificate). In addition, if you updated the certificate for CAPF or Cisco Unified Presence, restart the TFTP service. For information about restarting services, see the Cisco Unified Serviceability Administration Guide for Cisco Unified Presence.
Generating a Certificate Signing Request
To generate a Certificate Signing Request (CSR), follow these steps:
Procedure
Step 1
Navigate to Security>Certificate Management.
The Certificate List window displays.
Step 2
Click Generate CSR.
The Generate Certificate Signing Request dialog box opens.
Step 3
From the Certificate Name list, select the certificate name.
Step 4
Click Generate CSR.
Download a Certificate Signing Request
To download a Certificate Signing Request, follow this procedure:
Procedure
Step 1
Navigate to Security>Certificate Management.
The Certificate List window displays.
Step 2
Click Download CSR.
The Download Certificate Signing Request dialog box opens.
Step 3
From the Certificate Name list, select the certificate name.
Step 4
Click Download CSR.
Step 5
In the File Download dialog box, click Save.
Obtaining Third-Party CA Certificates
To use an application certificate that a third-party CA issues, from the CA you must obtain both the signed application certificate and the CA root certificate. Get information about obtaining these certificates from your CA. The process varies among CAs.
CAPF and Cisco Unified Presence CSRs include extensions that you must include in your request for an application certificate from the CA. If your CA does not support the ExtensionRequest mechanism, you must enable the X.509 extensions that are listed on the final window of the CSR generation process.
Cisco Unified Communications Operating System generates certificates in DER and PEM encoding formats and generates CSRs in PEM encoding format. It accepts certificates in DER and PEM encoding formats.
Cisco verified third-party certificates that were obtained from Microsoft, Keon, and Verisign CAs. Certificates from other CAs might work but have not been verified.
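Because the server and the CA exchange files in two encodings (certificates in DER or PEM, CSRs in PEM only), a mix-up is usually caught only when the upload fails. The following helper is an added example, not Cisco's code: it classifies a file as PEM or DER, rejects a DER file whose outer SEQUENCE length does not match the file (a truncated download), and converts DER to PEM with the standard library; the function names are assumptions.

```python
import base64
import re
import ssl

# A PEM block: "-----BEGIN <label>-----", base64 body, matching "-----END <label>-----".
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_total_length(data: bytes) -> int:
    """Bytes the outer DER SEQUENCE claims to occupy, or -1 if malformed."""
    if len(data) < 2 or data[0] != 0x30:              # X.509 objects start with SEQUENCE
        return -1
    first = data[1]
    if first < 0x80:                                  # short-form length
        return 2 + first
    n = first & 0x7F                                  # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes):
    """Return (encoding, label), e.g. ("PEM", "CERTIFICATE REQUEST") or ("DER", None)."""
    m = PEM_RE.search(data.replace(b"\r\n", b"\n"))  # tolerate CRLF from a Windows PC
    if m:
        try:
            base64.b64decode(re.sub(rb"\s", b"", m.group(2)), validate=True)
        except ValueError:                            # binascii.Error is a ValueError
            return ("INVALID", None)
        return ("PEM", m.group(1).decode())
    if der_total_length(data) != len(data):           # wrong tag, truncated, or padded
        return ("INVALID", None)
    return ("DER", None)


def normalize_for_upload(data: bytes, is_csr: bool = False):
    """PEM text ready to upload, or None if the file should not be uploaded."""
    enc, label = classify(data)
    if enc == "INVALID":
        return None
    if is_csr:
        # The OS generates CSRs in PEM only; anything else is the wrong file.
        if enc == "PEM" and label == "CERTIFICATE REQUEST":
            return data.replace(b"\r\n", b"\n").decode()
        return None
    if enc == "PEM":
        return data.replace(b"\r\n", b"\n").decode() if label == "CERTIFICATE" else None
    return ssl.DER_cert_to_PEM_cert(data)             # stdlib: base64 plus PEM armour
```

The DER check only validates the outer length, not the certificate contents; it is a guard against a damaged file, not a replacement for inspecting the certificate.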
Monitor Certificate Expiration Dates
The system can automatically send you an e-mail when a certificate is close to its expiration date. To view and configure the Certificate Expiration Monitor, follow this procedure:
Procedure
Step 1
To view the current Certificate Expiration Monitor configuration, navigate to Security>Certificate Monitor.
The Certificate Monitor window displays.
Step 2
Enter the required configuration information. See Table 6-1 for a description of the Certificate Monitor Expiration fields.
Step 3
To save your changes, click Save.
Table 6-1 Certificate Monitor Field Descriptions
Field | Description
Notification Start Time | Enter the number of days before the certificate expires that you want to be notified.
Notification Frequency | Enter the frequency for notification, either in hours or days.
Enable E-mail Notification | Check the check box to enable e-mail notification.
E-mail IDs | Enter the e-mail address to which you want notifications sent. Note: For the system to send notifications, you must configure an SMTP host.
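To make the Table 6-1 fields concrete, here is an added example (not Cisco's code) of the schedule those fields describe: the first e-mail goes out Notification Start Time days before expiry, repeats at the Notification Frequency, and continues past expiry until the certificate is replaced. The function names, the e-mail-enabled flag and the "last sent" bookkeeping are assumptions about how a monitor keeps state.

```python
from datetime import datetime, timedelta

# "Notification Frequency" is given either in hours or in days.
FREQ_UNITS = {"hours": timedelta(hours=1), "days": timedelta(days=1)}


def notification_window_opens(not_after: datetime, start_days: int) -> datetime:
    """First instant at which the monitor starts e-mailing about this certificate."""
    if start_days < 1:
        raise ValueError("Notification Start Time must be at least 1 day")
    return not_after - timedelta(days=start_days)


def should_notify(not_after, now, start_days, freq_value, freq_unit,
                  last_sent=None, email_enabled=True):
    """True if an e-mail about this certificate is due now."""
    if not email_enabled:                      # "Enable E-mail Notification" unchecked
        return False
    if freq_unit not in FREQ_UNITS or freq_value < 1:
        raise ValueError("frequency must be a positive number of hours or days")
    if now < notification_window_opens(not_after, start_days):
        return False                           # certificate is not yet "close" to expiry
    if last_sent is None:
        return True                            # first e-mail once the window opens
    return now - last_sent >= freq_value * FREQ_UNITS[freq_unit]


def next_notification(not_after, now, start_days, freq_value, freq_unit, last_sent=None):
    """When the next e-mail will go out; an expired certificate keeps being reported."""
    opens = notification_window_opens(not_after, start_days)
    if last_sent is None:
        return max(opens, now)
    return max(opens, last_sent + freq_value * FREQ_UNITS[freq_unit])


def due_certificates(certs, now, start_days, freq_value, freq_unit, last_sent_by_name):
    """Names of the certificates in {name: not_after} that need an e-mail now."""
    return sorted(name for name, exp in certs.items()
                  if should_notify(exp, now, start_days, freq_value, freq_unit,
                                   last_sent_by_name.get(name)))
```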
IPSEC Management
The IPSec menu options allow you to perform the following functions:
• Set up a new IPSec policy.
• Display or enable/disable an existing IPSec policy.
• Delete one or more IPSec policies.
Note
IPSec does not get set up automatically between nodes in the cluster during installation.
Set Up a New IPSec Policy
To set up a new IPSec policy and association, follow this procedure:
Note
Do not attempt to create IPSec policies during an upgrade.
Caution
IPSec, especially with encryption, will affect the performance of your system.
Procedure
Step 1
Navigate to Security > IPSEC Configuration.
The IPSEC Policy List window displays.
Step 2
Click Add New.
The IPSEC Policy Configuration window displays.
Step 3
Enter the appropriate information on the IPSEC Policy Configuration window. For a description of the fields on this window, see Table 6-2.
Step 4
To set up the new IPSec policy, click Save.
Table 6-2 IPSEC Policy and Association Field Descriptions
Field | Description
Policy Name | Specifies the name of the IPSec policy.
Association Name | Specifies the association name that is given to each IPSec association.
Authentication Method | Specifies the authentication method.
Preshared Key | Specifies the preshared key if you selected Pre-shared Key in the Authentication Method field.
Peer Type | Specifies whether the peer is the same type or different.
Destination Address | Specifies the IP address or FQDN of the destination.
Destination Port | Specifies the port number at the destination.
Source Address | Specifies the IP address or FQDN of the source.
Source Port | Specifies the port number at the source.
Mode | Specifies Tunnel or Transport mode.
Remote Port | Specifies the port number to use at the destination.
Protocol | Specifies the protocol: TCP, UDP, or Any.
Encryption Algorithm | From the drop-down list, choose the encryption algorithm: DES or 3DES.
Hash Algorithm | Specifies the hash algorithm that is used in phase one IKE negotiation: SHA1 or MD5.
ESP Algorithm | From the drop-down list, choose the ESP algorithm: NULL_ENC, DES, 3DES, BLOWFISH, or RIJNDAEL.
Phase One Life Time | Specifies the lifetime for phase one IKE negotiation, in seconds.
Phase One DH | From the drop-down list, choose the phase one DH group: 1, 2, 5, 14, 16, 17, or 18.
Phase Two Life Time | Specifies the lifetime for phase two IKE negotiation, in seconds.
Phase Two DH | From the drop-down list, choose the phase two DH group: 1, 2, 5, 14, 16, 17, or 18.
Enable Policy | Check the check box to enable the policy.
Display or Enable/Disable an Existing IPSec Policy
To display or enable/disable an existing IPSec policy, follow this procedure:
Note
Do not attempt to create or enable/disable IPSec policies during an upgrade.
Caution
IPSec, especially with encryption, will affect the performance of your system.
Procedure
Step 1
Navigate to Security > IPSEC Configuration.
Note
To access the Security menu items, you must log in to Cisco Unified Communications Operating System Administration again by using your Administrator password.
The IPSEC Policy List window displays.
Step 2
From the list, click an IPSec Policy.
The IPSEC Policy Details window displays.
Step 3
To change whether the policy is enabled or disabled, check the Enable Policy check box.
Step 4
Click Save.
Delete One or More IPSec Policies
To delete one or more IPSec policies, follow this procedure:
Note
Do not attempt to delete IPSec policies during an upgrade.
Caution
IPSec, especially with encryption, will affect the performance of your system.
Procedure
Step 1
Navigate to Security > IPSEC Configuration.
Note
To access the Security menu items, you must log in to Cisco Unified Communications Operating System Administration again by using your Administrator password.
The IPSEC Policy List window displays.
Step 2
Using the check boxes, choose the policy or policies that you want to delete.
Step 3
Click Delete Selected.