Configuration and Maintenance Guide for MeetingPlace 7.1 - Configuring Web Conferencing Security Features [Cisco Unified MeetingPlace]

Table Of Contents

Configuring Cisco Unified MeetingPlace Web Conferencing Security Features

How to Configure Restricted Meeting ID Patterns

Adding Restricted Meeting ID Patterns

Deleting Restricted Meeting ID Patterns

How to Configure Secure Sockets Layer

Restrictions for Configuring Secure Sockets Layer

Changing the Web Server Hostname From an IP Address to a Hostname

Creating a New Certificate Signing Request and Obtaining a Certificate File

Applying SSL Certificates

Applying Intermediate Certificates for the Home Page

Enabling SSL

Testing the Web Server Over an HTTPS Connection

Verifying Certificates from the CLI

(Optional) Disabling Support for Low Encryption Ciphers and SSL v2

How to Replace an Expired Intermediate Certificate for the Home Page

Downloading the Updated VeriSign Intermediate CA

Creating a Certificate Snap-In

Removing the Expired Intermediate CA

Installing the New Intermediate CA

How to Replace an Expired Intermediate Certificate for Web Conferencing

How to Back Up and Restore the SSL Private Key

Exporting the Private Key

Copying and Saving the Private Key for Future Use

Backing Up the Breeze Certificate

About Restoring Breeze and Home Page Certificates

Importing the Private Key in to the MPWEB Database

Allowing Guests to Search Through Public Meetings

Configuring Cisco Unified MeetingPlace Web Conferencing Security Features

Release 7.1

Revised: February 15, 2012 3:41 pm

•How to Configure Restricted Meeting ID Patterns

•How to Configure Secure Sockets Layer

•How to Replace an Expired Intermediate Certificate for the Home Page

•How to Replace an Expired Intermediate Certificate for Web Conferencing

•How to Back Up and Restore the SSL Private Key

•Allowing Guests to Search Through Public Meetings

How to Configure Restricted Meeting ID Patterns

As a system administrator, you can restrict Cisco Unified MeetingPlace from accepting certain meeting ID patterns that you consider unsecure. For example, you can restrict meeting ID patterns that repeat the same digit three times in a row, such as 111 or 222.

Keep the following points in mind when determining which meeting ID patterns to restrict:

•Restricted meeting ID patterns affect both numerical and vanity meeting IDs. Therefore, if you select to restrict patterns that repeat the same digit three times, Cisco Unified MeetingPlace will disallow both the numerical meeting ID "333" and the vanity meeting ID "deepdive," because "deepdive" translates to 3337383.

•Keep the length of your minimum meeting ID requirement in mind. Repeating the same digit three times when the length of your minimum meeting ID is four digits long can be considered a security risk. However, repeating the same digit three times when the length of your minimum meeting ID is eight digits long may not.

•There is always the chance of a meeting ID hitting the rule pattern and causing a problem. Judicious use of the rule is critical for the reduction of such incidents.

Note You cannot schedule a meeting with a supported meeting ID pattern through the phone or other scheduling endpoint, then attempt to modify it or reschedule it through the web. This rescheduling behavior is not supported.

•Adding Restricted Meeting ID Patterns

•Deleting Restricted Meeting ID Patterns

Adding Restricted Meeting ID Patterns

Procedure

Step 1 Sign in to the end-user web interface.

Step 2 Select Admin.

Step 3 Select Restricted Meeting ID Patterns.

Step 4 For Pattern, enter the restricted meeting ID pattern as a regular expression using the Perl syntax.
Example: .*(012|123|234|345|456|567|678|789|890|098|987|876|765|654|543|432|321|210).*
Step 5 Enter a brief description to explain the intent of the pattern in the field provided.
Example: Block sequences of 3 increasing or decreasing numbers.
Step 6 Select Add.

The pattern displays in the "View" section of the page.

Step 7 Repeat Step 4 through Step 6 for each additional restricted ID pattern.

Related Topics

•How to Configure Restricted Meeting ID Patterns

Deleting Restricted Meeting ID Patterns

Procedure

Step 1 Sign in to the end-user web interface.

Step 2 Select Admin.

Step 3 Select Restricted Meeting ID Patterns.

Step 4 Scroll down to the "View" section of the screen.

Step 5 Locate the pattern you want to delete.

Step 6 Select Delete.

Related Topics

•How to Configure Restricted Meeting ID Patterns

How to Configure Secure Sockets Layer

Secure Sockets Layer (SSL) secures information shared in a web conference by encrypting the data for travel across the network.

Complete the following procedures in the order shown to configure SSL.

•Restrictions for Configuring Secure Sockets Layer

•Changing the Web Server Hostname From an IP Address to a Hostname

•Creating a New Certificate Signing Request and Obtaining a Certificate File

•Applying SSL Certificates

•Applying Intermediate Certificates for the Home Page

•Enabling SSL

•Testing the Web Server Over an HTTPS Connection

•(Optional) Disabling Support for Low Encryption Ciphers and SSL v2

Restrictions for Configuring Secure Sockets Layer

•If you are using SSL on an external Web Server, make sure that the hostname on the SSL certificate resolves to the external Web Server IP address.

•If you are using SSL on a system with a segmented DNS, make sure that the hostname on the SSL certificate differs from the segmented DNS name.

•Self-signed certificates are not supported.

•Make sure that both the Hostname [Home Page] and Hostname [Web Conferencing] use hostnames, not IP addresses.

•If users will access your Web Server through a firewall, make sure that TCP port 443 is open inbound on your firewall for both of the hostnames or IP addresses on your server.

•You can use SSL on any Web Server (internal or DMZ); however, you cannot use or configure WIA (Windows Integrated Authentication) on that server.

Related Topics

•How to Configure Secure Sockets Layer

Changing the Web Server Hostname From an IP Address to a Hostname

The Web Server hostname was populated during the Cisco Unified MeetingPlace Web Conferencing installation. The Hostname [Home Page] was assigned the first IP address in the operating system. The Hostname [Web Conferencing] was assigned the second IP address in the operating system. You should not need to redefine these unless either of the following applies:

•You want users to be able to access the Cisco Unified MeetingPlace Web Server by using the fully qualified domain name (FQDN) of the server or

•You plan to configure SSL for this server. If enabling SSL, you must use hostnames rather than IP addresses.

Before You Begin

This procedure assumes that you have already installed Cisco Unified MeetingPlace Web Conferencing.

Restrictions

Do not perform this procedure if the Web Server is not in a Domain Name Server (DNS).

Procedure

Step 1 Open your web browser and enter the URL of your Web Server.

•For internal Web Servers, the default URL structure is http://server, where server is the name of your internal Web Server.

•For external (DMZ) Web Servers running Release 7.0.1, the default URL structure is http://server/mpweb/admin/, where server is the name of your external Web Server.

•For external Web Servers running Release 7.0.2 or later releases, you can only access the administration pages for the external (DMZ) server from the server box itself and only through port 8002. If you try to access the administration pages on the external (DMZ) server by using http:// server/mpweb/admin/, the system will display a 404 "Page Not Found" error.

To access the administration pages for the external (DMZ) server, you must be on the web server box and enter the following URL: http://localhost:8002/mpweb/admin/

Note If SSL is enabled on your system, you must still enter the URL with http and not https.

The system automatically logs you in as the user called "technician" with technician privileges.

Step 2 Sign in to the end-user web interface.

Step 3 Select Admin if you are not already on the Cisco Unified MeetingPlace Web Administration page.

Step 4 Select Web Server.

Step 5 Scroll down to the "View" section of the page.

Step 6 Select the name of the Web Server that you want to configure.

Information about this Web Server populates the "Edit" section of the page.

Step 7 For Hostname [Home Page], enter the fully qualified domain name (FQDN) of the primary network interface on the Web Server.
Example: hostname.domain.com.
Note This hostname must be different from that used for Hostname [Home Page]. It must be resolvable by its intended users. Depending on your hostname choice, the hostnames might not have been automatically registered with the DNS during the OS installation. We recommend that you check the DNS, both the forward and reverse lookup zones, and add entries manually if needed.

Step 8 For Hostname [Web Conferencing], enter the FQDN of the secondary network interface on the Web Server.
Example: hostnamewc.domain.com.
Note This hostname must be different from that used for Hostname [Home Page]. It must be resolvable by its intended users. Depending on your hostname choice, the hostnames might not have been automatically registered with the DNS during the OS installation. We recommend that you check the DNS, both the forward and reverse lookup zones, and add entries manually if needed.

Step 9 Select Submit.

Step 10 (Optional) If you are working on a Windows system with Internet Explorer, select Test Server Configuration.

Related Topics

•Using the Cisco Unified MeetingPlace Web Administration Page in the Quick Start Configuration: Cisco Unified MeetingPlace Basic Web Conferencing module

•Field Reference: Web Server Specific Fields in the Web Administration References for Cisco Unified MeetingPlace module

•How to Resolve Test Server Configuration Problems in the Troubleshooting Cisco Unified MeetingPlace Web Conferencing module

What to Do Next

•Restart the Cisco Unified MeetingPlace Web Conferencing services for changes to the Hostname [Web Conferencing] field to take effect. See Restarting All Web Conferencing Services in the Managing Cisco Unified MeetingPlace Web Conferencing Services module for instructions.

Note When you restart the Web Server, all manual changes made to the registry are lost.

•If you are configuring SSL, proceed to the "Creating a New Certificate Signing Request and Obtaining a Certificate File" section.

Creating a New Certificate Signing Request and Obtaining a Certificate File

Use the SSL/TLS configuration page to generate certificate signing requests to send to an authorized Certificate Authority in order to apply for a digital identity certificate. You need two certificates: one for the Home Page hostname, and one for the Web Conferencing hostname.

Before You Begin

Complete the "Changing the Web Server Hostname From an IP Address to a Hostname" section.

Procedure

Step 1 Sign in to the end-user web interface.

Step 2 Select Admin.

Step 3 Select SSL/TLS.

Step 4 Select the Edit icon for the Web Conferencing hostname.

Step 5 Enter your company name and organization unit/department in the applicable fields.

Step 6 Enter the complete, official names of your city/locality and state/province in the applicable fields.

Note Do not use abbreviations.

Step 7 Select your country/region.

Step 8 Select Generate Request.

The new certificate signing request (CSR) displays in the text box. The request is signed with an auto-generated private key.

Step 9 Select the Private Key link to see the value of the private key.

Step 10 Copy the contents of the CSR text box to a text file and send this file to your certificate provider in return for a certificate file.

Caution If your certificate provider asks for your server type, specify Apache or Custom, not Microsoft or IIS. If you attempt to install a Microsoft or IIS certificate by using the SSL/TLS configuration pages, Cisco Unified MeetingPlace Web Conferencing will not restart when you attempt to reboot the system. Instead it will log an error about the certificate and disable SSL so that you can restart and fix the problem.

Step 11 Select Back to return to the main Administration page.

Step 12 Repeat Step 3 through Step 11 for the Web Conferencing hostname.

What to Do Next

When you receive the .cer files from your certificate provider, proceed to the "Applying SSL Certificates" section.

Applying SSL Certificates

When you receive the certificate files from your certificate provider, apply the certificates to the Cisco Unified MeetingPlace website. You should have a home page certificate and web conferencing certificate. Some certificate authorities also provide a primary and secondary intermediate certificate.

Before You Begin

•Complete the "Creating a New Certificate Signing Request and Obtaining a Certificate File" section.

•You must install your certificates in the following order:

–Home page and web conferencing site certificates

–Primary and secondary intermediate certificates (if provided)

Procedure

Step 1 Sign in to the end-user web interface.

Step 2 Select Admin.

Step 3 Select SSL/TLS.

Step 4 Select the Edit icon for the Home Page hostname.

Step 5 Open the certificate file in a text editor. Paste and copy the text.

Step 6 Paste the text from the certificate into the text box at the bottom of the page.

Make sure the text you paste includes the beginning and ending certificate delimiters.

Step 7 Select Install Certificate.

The host is now set up with a certificate.

Step 8 Select Back.

Step 9 Select the Edit icon for the Web Conferencing hostname.

Step 10 Open the certificate file in a text editor. Paste and copy the text.

Step 11 Paste the text from the certificate into the text box at the bottom of the page.

Step 12 If a secondary intermediate certificate is provided, copy and paste it into the text box under the certificate you pasted in Step 11.

Step 13 If a primary intermediate certificate is provided, copy and paste it into the text box under the certificate you pasted in Step 12.

The following is an example of the web conferencing, secondary intermediate, and primary intermediate certificate text:
----BEGIN CERTIFICATE-----
MIIFLzCCBBegAwIBAgIQGXyI4NRucd6RG1333
QWEQRWGEASDFGRT%ER%W#%WTFSSG333
wE5NM0JaptJNp7SpMx8xXDaQHmrY2H++93
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
werQRWGEASDFGRT%ER%W#%WTFSDSGDG
wgdfg0JaptJNp7SpMx8xXDaQHmrY2H+9oF48
MIIFLzCCBBegAwIBAgIQGXyI4NRucd6RG1FRe
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
wE5NM0JaptJNp7SpMx8xXDaQHmrY2H++242
sdfsRWGEASDFGRT%ER%W#%WTFSDRETE233
-----END CERTIFICATE-----
Note You must paste the SSL certificates on top of each other sequentially (no spaces between each block of certificate text). If you only have one intermediate certificate then you only past the web conferencing and intermediate certificates into the text box.

Step 14 Select Install Certificate.

Step 15 Select Back.

What to Do Next

If intermediate certificates were provided, proceed to the "Applying Intermediate Certificates for the Home Page" section. Otherwise, proceed to "Enabling SSL" section.

Applying Intermediate Certificates for the Home Page

You must install ntermediate certificates for the home page using MMC. Remove and replace old intermediate certificates with new certificates from MMC.

Procedure

Step 1 In Windows on your web server click Start > Run.

Step 2 Enter mmc in the text box and select OK.

Step 3 On the Microsoft Management Console (MMC) menu bar, select File > Add/Remove Snap-in.

Step 4 From the list of snap-ins, select Certificates.

Step 5 Select Add.

Step 6 Select Computer account.

Step 7 Select Next.

Step 8 Select Local computer (the computer this console is running on).

Step 9 Select Finish.

Step 10 In the Add/Remove Snap-in window, Select OK.

Step 11 In the left pane select Certificates (Local Computer) > Intermediate Certification Authorities > Certificates.

Step 12 Right-click Certificates and select All Tasks > Import.

Step 13 At the Certificate Import Wizard, select Next.

Step 14 Select Browse and choose your secondary intermediate certificate file.

Step 15 Select Next.

Step 16 Select Place all certificate in the following store > Intermediate Certification Authorities.

Note If Intermediate Certification Authorities is not listed, use the Browse button to select it.

Step 17 Select Next.

Step 18 Select Finish.

Step 19 Repeat Step 12 through 18 for the Primary Intermediate Certificate file.

Step 20 Restart Windows (Reboot).

What to Do Next

Proceed to the "Enabling SSL" section.

Enabling SSL

Complete this procedure to enable the Require SSL field on the Web Server administration page.

Before You Begin

•Complete the "Applying SSL Certificates" section.

•Make sure that you are still on the SSL/TLS page.

Procedure

Step 1 Select Toggle SSL to turn SSL on.

Step 2 Select Reboot Server.

The server shuts down and restarts.

Note If the Web Server cannot validate the SSL certificates, the server will log an error and toggle SSL to off. In this case, you will need to restart the Cisco Unified MeetingPlace Web Conferencing service and fix the issue, then repeat the steps in this procedure.

Note When you restart the Web Server, all manual changes made to the registry are lost.

What to do Next

Proceed to the "Testing the Web Server Over an HTTPS Connection" section.

Testing the Web Server Over an HTTPS Connection

Before You Begin

Complete the "Enabling SSL" section.

Procedure

Step 1 Use a web browser to connect to https://hostname.domain.com, the Fully Qualified Domain Name, of the Web Server.

•If the Cisco Unified MeetingPlace home page displays, the connection to the Home Page hostname is successful.

•If any security warning dialog boxes appear, configure SSL not to show the dialog boxes.

For detailed information, see Microsoft Knowledge Base Articles 813618 and 257873 on the Microsoft website.

Step 2 Sign in to the end-user web interface.

Step 3 Select Immediate Meeting.

If the meeting console opens, the connection to the Web Conferencing hostname is successful.

Verifying Certificates from the CLI

Before You Begin

Install all of your certificates as described in "Applying SSL Certificates" section.

Procedure

Step 1 Open an SSL session.

Step 2 Enter the following for each certificate you want to verify:
openssl s_client -showcerts -connect hostname:443
You receive confirmation that your certificate has been configured. For example:
CONNECTED(00000750)
---
Certificate chain
 0 s:/C=US/ST=CALIFORNIA/L=San Jose/O=Cisco Systems, Inc./OU=CSG/CN=*.webex.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at 
https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
-----BEGIN CERTIFICATE-----
Certificate code
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at 
https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For 
authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
Certificate code
-----END CERTIFICATE-----
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For 
authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
Certificate code
-----END CERTIFICATE--------
Server certificate
subject=/C=US/ST=CALIFORNIA/L=San Jose/O=Cisco Systems, Inc./OU=CSG/CN=*.webex.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at 
https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4172 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: Master key code
    Key-Arg   : None
    Start Time: 1327584886
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)---
(Optional) Disabling Support for Low Encryption Ciphers and SSL v2

Cisco authorizes Cisco Unified MeetingPlace Web Conferencing customers to disable the support for low encryption ciphers and SSL v2 on their Cisco Unified MeetingPlace Web Servers based on their security requirements.

You must assume all work related to this security hardening as well as the operational consequences of this security lock-down, including the fact that some end-users might be unable to use the Cisco Unified MeetingPlace Web Servers because of incompatible browsers/ client SSL implementation, or encryption strength limitations.

To perform this lock-down for the Microsoft IIS web server component used by Cisco Unified MeetingPlace Web Conferencing, see the following Microsoft Knowledge Base articles:

How to Control the Ciphers for SSL and TLS on IIS (IIS restart required): http://support.microsoft.com/default.aspx?scid=KB;en-us;q216482

How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (Windows restart required): http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030

How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services (Windows restart required): http://support.microsoft.com/default.aspx?scid=kb;en-us;187498

To perform this lock-down for the Adobe Connect application web server used by Cisco Unified MeetingPlace Web Conferencing, see the following Adobe article: http://livedocs.adobe.com/fms/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00000300.html

Note You can find the Server.xml file that contains the SSLCipherSuite tag to be edited in the following folder on the Cisco Unified MeetingPlace Web Server: C:\Program Files\Cisco Systems\MPWeb\WebConf\comserv\win32\conf

Caution Any upgrade of the Cisco Unified MeetingPlace Web Conferencing software with a maintenance release will overwrite the changes that you have made in Server.xml. These changes must be re-applied after the upgrade.

How to Replace an Expired Intermediate Certificate for the Home Page

Note As of April 2006, all SSL certificates issued by VeriSign require the installation of an intermediate Certificate Authority (CA) certificate. The SSL certificates are signed by an intermediate CA using a two-tier hierarchy (also known as trust chain) which enhances the security of SSL certificates.

For more information, go to: http://www.verisign.com/support/advisories/page_040611.html.

Topics in this section include:

•Downloading the Updated VeriSign Intermediate CA

•Creating a Certificate Snap-In

•Removing the Expired Intermediate CA

•Installing the New Intermediate CA

Downloading the Updated VeriSign Intermediate CA

When downloading the intermediate CA certificate, ensure that you select the appropriate one for your SSL certificate: either Secure Site with EV Certificates (Secure Server) or Secure Site Pro with EV Certificates (Global).

Procedure

Step 1 If you are not sure which certificate you have purchased, follow these steps:

a. Go to VeriSign Search Certificates page.

b. Type your Common Name or Order Number.

c. Select Search.

d. Select the certificate name for your certificate.

Step 2 Go to the VeriSign intermediate CA certificates web page and select the CA certificate for your product.

Step 3 Copy and paste the contents into a text (Notepad) file.

Step 4 Save the file as newintermediate.cer.

Creating a Certificate Snap-In

Procedure

Step 1 From the Web server, select Start > Run.

Step 2 In the text box, type mmc.

Step 3 Select OK.

Step 4 For IIS 5.0: From the Microsoft Management Console (MMC) menu bar, select Console > Add/Remove Snap-in.

Step 5 For IIS 6.0: From the Microsoft Management Console (MMC) menu bar, select File > Add/Remove Snap-in.

Step 6 Select Add.

Step 7 From the list of snap-ins, select Certificates.

Step 8 Select Add.

Step 9 Select Computer account.

Step 10 Select Next.

Step 11 Select Local computer (the computer this console is running on).

Step 12 Select Finish.

Step 13 In the snap-in list window, select Close.

Step 14 In the Add/Remove Snap-in window, select OK.

Step 15 Save these console settings for future use.

Removing the Expired Intermediate CA

Procedure

Step 1 From the left pane, double-click Certificate (Local Computer).

Step 2 Select Intermediate Certification Authorities > Certificates.

Step 3 Locate the certificate issued to www.verisign.com/CPS Incorp.by Ref.LIABILITY LTD. (C)97 VeriSign (expiration date of 1/7/2004).

Step 4 Right-click the certificate.

Step 5 Select Delete.

Step 6 From the left pane, select Trusted Root Certification Authorities > Certificates.

Step 7 Locate the certificate issued to Class 3 Public Primary Certification Authority (expiration date of 1/7/2004).

Step 8 Right-click the certificate.

Step 9 Select Delete.

Installing the New Intermediate CA

Procedure

Step 1 From the left pane, select Intermediate Certification Authorities.

Step 2 Right-click Certificates.

Step 3 Select All Tasks > Import.

Step 4 At the Certificate Import Wizard, select Next.

Step 5 Select the Intermediate CA Certificate file.

Step 6 Select Next.

Step 7 Select Place all certificate in the following store: Intermediate Certification Authorities.

Step 8 Select Next.

Step 9 Select Finish.

Step 10 Restart the Web Server.

If this does not resolve the issue, then physically reboot the Web Server. The Web Server should now only have one Intermediate CA that expires in 2016.

Note When you restart the Web Server, all manual changes made to the registry are lost.

How to Replace an Expired Intermediate Certificate for Web Conferencing

Note As of April 2006, all SSL certificates issued by VeriSign require the installation of an intermediate Certificate Authority (CA) certificate. The SSL certificates are signed by an intermediate CA using a two-tier hierarchy (also known as trust chain) which enhances the security of SSL certificates.

For more information, go to: http://www.verisign.com/support/advisories/page_040611.html.

1. Follow the steps in the "Downloading the Updated VeriSign Intermediate CA" section.

In that procedure, you copied the contents of the intermediate CA certificate into a file called newintermediate.cer.

2. Follow the steps in the "Applying SSL Certificates" section.

3. When prompted to copy the certificate, copy the text from file called newintermediate.cer.

4. Add the intermediate certificate provided by your certificate authority provider to the SSL certificate PEM files.

Note When pasting these two certificates within the same PEM file, the order of these certificates matters. The signed server certificate has to be pasted first and then the intermediate certificate should be pasted below the signed server certificate. Be careful when pasting these certificates into the file as extra spaces or dashes can cause problems with the certificate file. Once you make the changes, restart Flash Communication services and the Breeze Application service.

How to Back Up and Restore the SSL Private Key

This section describes how to export and subsequently reimport the SSL private key into the MPWEB database. We recommend that you make this part of your standard backup procedure. You will need to complete these procedures any time you need to move the SSL certificate, for example, from an old Web Server computer to a new Web Server computer or when you are rebuilding a computer.

•Exporting the Private Key

•Copying and Saving the Private Key for Future Use

•Importing the Private Key in to the MPWEB Database

Exporting the Private Key

This procedure describes how to export the private key/certificate pair on the Web Server so that you can manually copy the SSL files in case you need to restore SSL on the Web Server.

Procedure

Step 1 Open the Internet Services Manager on the Cisco Unified MeetingPlace Web Server.

Select Start > Programs > Administrative Tools > Internet Information Services Manager.

Step 2 Navigate to Default Web Site.

Select the + sign beside Local Server > Web Sites to open the appropriate directory trees.

Step 3 Right-click Default Web Site.

Step 4 Select Properties.

The Default Web Site Properties window displays.

Step 5 Select the Directory Security tab.

Step 6 Select Server Certificate.

The Web Server Certificate wizard displays.

Step 7 Select Next.

Step 8 Select Export the current certificate to a pfx file.

Step 9 Select Next.

Step 10 Select Browse and select to save the certificate file to your desktop.

Step 11 Select Next.

Step 12 Enter a password to encrypt the certificate.

Step 13 Enter the password again to confirm it.

Step 14 Select Next.

The Export Certificate Summary Screen displays and the exported certificate file is now on your desktop.

Step 15 Select Next.

Step 16 Select Finish to close the Web Server Certificate wizard.

Step 17 Select OK or Cancel to close the Default Web Site Properties window.

Step 18 Close IIS Manager.

What to Do Next

Proceed to the "Copying and Saving the Private Key for Future Use" section.

Copying and Saving the Private Key for Future Use

We recommend that you complete this procedure as part of your standard backup procedure on the Web Server.

Before You Begin

Complete the "Exporting the Private Key" section.

Procedure

Step 1 Open a DOS prompt.

a. Select Start > Run.

b. Enter cmd.

Step 2 Enter the path to your desktop in the cmd.exe window.
Example: C:\> cd "Documents and Settings\Administrator\Desktop"
Step 3 Enter the full path to OpenSSL.exe keeping the following in mind:

•After -in, enter the full path to where you placed the file when you exported the private key.

•After -out, enter the full path to where you want to send the exported file.
Example:C:\Documents and Settings\Administrator\Desktop>"\Program Files\Cisco 
Systems\MPWeb\DataSvc\openssl.exe" pkcs12 -in "\Documents and 
Settings\Administrator\Desktop\mycertificate.pfx" -out "\Documents and 
Settings\Administrator\Desktop\mycertificate.pem" -nodes
This converts the PFX format to a PEM format. The mycertificate.pem file will have all the certificates starting with the Private key.

Step 4 Enter the import password when prompted.

This is the password you defined in the Web Server Certificate wizard during the export process.

Step 5 Save the PEM file. You will need it whenever you need to reapply the certificate.

Related Topics

•Exporting the Private Key

Backing Up the Breeze Certificate

Procedure

Step 1 Open a DOS prompt.

Step 2 Enter the following command: Copy c:\Program Files\Cisco Systems\MPWeb\WebConf\comserv\win32\conf\_defaultRoot_\cert.pem file to backup path.

About Restoring Breeze and Home Page Certificates

See the "Applying SSL Certificates" section for more information on restoring Breeze and home page certificates.

Importing the Private Key in to the MPWEB Database

Before You Begin

Complete the "Copying and Saving the Private Key for Future Use" section.

Procedure

Step 1 Open SQL Server Enterprise Manager.

Select Start > All Programs > Microsoft SQL Server > Enterprise Manager.

Step 2 Navigate to the MPWEB database.

Select the + sign next to SQL Server Group > LOCAL > Databases > MPWEB to open the appropriate directory trees.

Step 3 Select Tables in the MPWEB directory.

A list of tables opens in the right pane.

Step 4 Right-click Web in the right pane.

Step 5 Select Open table > Return all rows.

The Web database table displays.

Step 6 Scroll to the right until you see the SSLPrivateKey column.

Step 7 Open the PEM file in Notepad.

You saved the PEM file when you copied and saved the private key for future use.

Step 8 Copy the private key in its entirety.

The private key begins with "Begin RSA Private key" and ends with "end RSA private key".

Step 9 Paste the private key into the SSLPrivateKey field.

a. Select the field before the SSLPrivateKey column.

b. Press the Tab key on your keyboard to select all of the data in the SSLPrivateKey field.

c. Right-click and select Paste to paste the value you copied from Notepad.

Step 10 Click somewhere else on the screen to remove your cursor from the SSLPrivateKey field.

Step 11 Close SQL Server Enterprise Manager.

Step 12 (Optional) Enable SSL if it is not already enabled.

Step 13 Reboot the server.

Related Topics

•Enabling SSL

•Copying and Saving the Private Key for Future Use

Allowing Guests to Search Through Public Meetings

Guest users have fewer privileges than users who log in with their profiles. Complete this procedure to allow guests to search through public meetings.

Procedure

Step 1 Sign in to the end-user web interface.

Step 2 Select Admin.

Step 3 Select Web Server.

Step 4 Scroll down to the "View" section of the page.

Step 5 Select the name of the Web Server that you want to configure.

Information about this server populates the "Edit" section of the page.

Step 6 Select Yes for Allow Public Meetings in Find Meeting List.

Step 7 Select Yes for Allow Guest Access to Find Meetings Page.

Step 8 Select Submit.

Tip To allow external users (those outside your firewall) and sites (Cisco Unified MeetingPlace systems outside your network) to access a meeting and the associated meeting materials, make sure that Allow External Web Participants is set to Yes for the meeting.

This parameter is set by the meeting scheduler from the New Meeting scheduling page, and it is only visible if your Cisco Unified MeetingPlace system has an external site—that is, a Web Server located in an Internet-accessible segment of your network, such as in a DMZ zone.

Related Topics

•Field Reference: Web Server Customization Values in the Web Administration References for Cisco Unified MeetingPlace module

	Configuration and Maintenance Guide for MeetingPlace 7.1
	Configuring Web Conferencing Security Features
Configuration and Maintenance Guide for MeetingPlace 7.1 Quick Start Configuration Basic Voice and Video Conferencing Basic Web Conferencing Basic System Configuration Logging In to the Administration Center Installing and Managing Licenses Configuring Access Phone Numbers and Notification Labels Configuring Languages Configuring Meetings Configuring E-Mail Notifications Configuring Recordings Configuring Attendant Settings User and Endpoint Configuration Configuring User Profiles and User Groups Configuring Directory Service Changing the User Status in User Profiles Configuring Endpoints Call Configuration Configuring Call Control Configuring Dial-Out Features Configuring the Auto Attend Feature Configuring Direct Inward Dial Configuring Reservationless Single Number Access (RSNA) Web Conferencing Configuration Configuring the Cisco Unified MeetingPlace Gateway System Integrity Manager Connecting the Application Server to a Web Server Managing Cisco Unified MeetingPlace Web Conferencing Services Configuring Audio Conversion Configuring the Cisco Unified MeetingPlace Web Server for Optimal Data Storage Configuring User Authentication for Cisco Unified MeetingPlace Web Conferencing Configuring the Cisco Unified MeetingPlace Web Conferencing User Interface Configuring External Access to Cisco Unified MeetingPlace Web Conferencing Configuring Cisco Unified MeetingPlace Web Conferencing and SQL Server Monitoring and Maintaining Cisco Unified MeetingPlace Web Conferencing Integrations Integrating with Cisco WebEx Enabling Scheduling from Microsoft Outlook Enabling Microsoft Outlook Calendar Notifications for Meetings Scheduled from the Cisco Unified MeetingPlace End-User Web Interface Integrating with Cisco Unified Communications Manager Integrating with Cisco Unified Personal Communicator Integrating With Cisco Unified IP Phone MeetingPlace Conference Manager Installing MeetingPlace Conference Manager Using MeetingPlace Conference Manager Security Securing the System Configuring Web Conferencing Security Features Configuring SSL for the Application Server User Authentication Changing System Administrator Passwords Advanced Configuration Backing Up, Archiving, and Restoring Data on the Application Server Configuring Application Server Failover Importing Data Configuring SNMP Maintenance Running Reports and Exporting Data Sending E-Mail Blasts End-User Interface Customization Configuring Flex Fields Customizing E-Mail Notifications Customizing Music and Voice Prompts Troubleshooting Using Alarms and Logs Password Recovery Troubleshooting User Access Issues Troubleshooting Telephone Issues Troubleshooting Video Issues Troubleshooting E-Mail Notifications Troubleshooting Web Conferencing Troubleshooting SSL for the Application Server Troubleshooting Integration with Cisco WebEx Troubleshooting Scheduling from Microsoft Outlook Troubleshooting Microsoft Outlook Calendar Notifications for Meetings Scheduled from the Cisco Unified MeetingPlace End-User Web Interface About Microsoft System Updates or Patches and the Cisco MCS Reference Information Administration Center Page References for Cisco Unified MeetingPlace Web Administration References for Cisco Unified MeetingPlace MeetingPlace Conference Manager References Using the Command-Line Interface (CLI) Raw Data Export and Import Specifications Time Zone Mapping Between Cisco WebEx and Cisco Unified MeetingPlace Application Server File Locations	Download this chapter Configuring Web Conferencing Security Features Download the complete book Configuration Guide for Cisco Unified MeetingPlace Release 7.1 (PDF - 5 MB) Feedback Table Of Contents Configuring Cisco Unified MeetingPlace Web Conferencing Security Features How to Configure Restricted Meeting ID Patterns Adding Restricted Meeting ID Patterns Deleting Restricted Meeting ID Patterns How to Configure Secure Sockets Layer Restrictions for Configuring Secure Sockets Layer Changing the Web Server Hostname From an IP Address to a Hostname Creating a New Certificate Signing Request and Obtaining a Certificate File Applying SSL Certificates Applying Intermediate Certificates for the Home Page Enabling SSL Testing the Web Server Over an HTTPS Connection Verifying Certificates from the CLI (Optional) Disabling Support for Low Encryption Ciphers and SSL v2 How to Replace an Expired Intermediate Certificate for the Home Page Downloading the Updated VeriSign Intermediate CA Creating a Certificate Snap-In Removing the Expired Intermediate CA Installing the New Intermediate CA How to Replace an Expired Intermediate Certificate for Web Conferencing How to Back Up and Restore the SSL Private Key Exporting the Private Key Copying and Saving the Private Key for Future Use Backing Up the Breeze Certificate About Restoring Breeze and Home Page Certificates Importing the Private Key in to the MPWEB Database Allowing Guests to Search Through Public Meetings Configuring Cisco Unified MeetingPlace Web Conferencing Security Features Release 7.1 Revised: February 15, 2012 3:41 pm •How to Configure Restricted Meeting ID Patterns •How to Configure Secure Sockets Layer •How to Replace an Expired Intermediate Certificate for the Home Page •How to Replace an Expired Intermediate Certificate for Web Conferencing •How to Back Up and Restore the SSL Private Key •Allowing Guests to Search Through Public Meetings How to Configure Restricted Meeting ID Patterns As a system administrator, you can restrict Cisco Unified MeetingPlace from accepting certain meeting ID patterns that you consider unsecure. For example, you can restrict meeting ID patterns that repeat the same digit three times in a row, such as 111 or 222. Keep the following points in mind when determining which meeting ID patterns to restrict: •Restricted meeting ID patterns affect both numerical and vanity meeting IDs. Therefore, if you select to restrict patterns that repeat the same digit three times, Cisco Unified MeetingPlace will disallow both the numerical meeting ID "333" and the vanity meeting ID "deepdive," because "deepdive" translates to 3337383. •Keep the length of your minimum meeting ID requirement in mind. Repeating the same digit three times when the length of your minimum meeting ID is four digits long can be considered a security risk. However, repeating the same digit three times when the length of your minimum meeting ID is eight digits long may not. •There is always the chance of a meeting ID hitting the rule pattern and causing a problem. Judicious use of the rule is critical for the reduction of such incidents. Note You cannot schedule a meeting with a supported meeting ID pattern through the phone or other scheduling endpoint, then attempt to modify it or reschedule it through the web. This rescheduling behavior is not supported. •Adding Restricted Meeting ID Patterns •Deleting Restricted Meeting ID Patterns Adding Restricted Meeting ID Patterns Procedure Step 1 Sign in to the end-user web interface. Step 2 Select Admin. Step 3 Select Restricted Meeting ID Patterns. Step 4 For Pattern, enter the restricted meeting ID pattern as a regular expression using the Perl syntax. Example: .(012\|123\|234\|345\|456\|567\|678\|789\|890\|098\|987\|876\|765\|654\|543\|432\|321\|210). Step 5 Enter a brief description to explain the intent of the pattern in the field provided. Example: Block sequences of 3 increasing or decreasing numbers. Step 6 Select Add. The pattern displays in the "View" section of the page. Step 7 Repeat Step 4 through Step 6 for each additional restricted ID pattern. Related Topics •How to Configure Restricted Meeting ID Patterns Deleting Restricted Meeting ID Patterns Procedure Step 1 Sign in to the end-user web interface. Step 2 Select Admin. Step 3 Select Restricted Meeting ID Patterns. Step 4 Scroll down to the "View" section of the screen. Step 5 Locate the pattern you want to delete. Step 6 Select Delete. Related Topics •How to Configure Restricted Meeting ID Patterns How to Configure Secure Sockets Layer Secure Sockets Layer (SSL) secures information shared in a web conference by encrypting the data for travel across the network. Complete the following procedures in the order shown to configure SSL. •Restrictions for Configuring Secure Sockets Layer •Changing the Web Server Hostname From an IP Address to a Hostname •Creating a New Certificate Signing Request and Obtaining a Certificate File •Applying SSL Certificates •Applying Intermediate Certificates for the Home Page •Enabling SSL •Testing the Web Server Over an HTTPS Connection •(Optional) Disabling Support for Low Encryption Ciphers and SSL v2 Restrictions for Configuring Secure Sockets Layer •If you are using SSL on an external Web Server, make sure that the hostname on the SSL certificate resolves to the external Web Server IP address. •If you are using SSL on a system with a segmented DNS, make sure that the hostname on the SSL certificate differs from the segmented DNS name. •Self-signed certificates are not supported. •Make sure that both the Hostname [Home Page] and Hostname [Web Conferencing] use hostnames, not IP addresses. •If users will access your Web Server through a firewall, make sure that TCP port 443 is open inbound on your firewall for both of the hostnames or IP addresses on your server. •You can use SSL on any Web Server (internal or DMZ); however, you cannot use or configure WIA (Windows Integrated Authentication) on that server. Related Topics •How to Configure Secure Sockets Layer Changing the Web Server Hostname From an IP Address to a Hostname The Web Server hostname was populated during the Cisco Unified MeetingPlace Web Conferencing installation. The Hostname [Home Page] was assigned the first IP address in the operating system. The Hostname [Web Conferencing] was assigned the second IP address in the operating system. You should not need to redefine these unless either of the following applies: •You want users to be able to access the Cisco Unified MeetingPlace Web Server by using the fully qualified domain name (FQDN) of the server or •You plan to configure SSL for this server. If enabling SSL, you must use hostnames rather than IP addresses. Before You Begin This procedure assumes that you have already installed Cisco Unified MeetingPlace Web Conferencing. Restrictions Do not perform this procedure if the Web Server is not in a Domain Name Server (DNS). Procedure Step 1 Open your web browser and enter the URL of your Web Server. •For internal Web Servers, the default URL structure is http://server, where server is the name of your internal Web Server. •For external (DMZ) Web Servers running Release 7.0.1, the default URL structure is http://server/mpweb/admin/, where server is the name of your external Web Server. •For external Web Servers running Release 7.0.2 or later releases, you can only access the administration pages for the external (DMZ) server from the server box itself and only through port 8002. If you try to access the administration pages on the external (DMZ) server by using http:// server/mpweb/admin/, the system will display a 404 "Page Not Found" error. To access the administration pages for the external (DMZ) server, you must be on the web server box and enter the following URL: http://localhost:8002/mpweb/admin/ Note If SSL is enabled on your system, you must still enter the URL with http and not https. The system automatically logs you in as the user called "technician" with technician privileges. Step 2 Sign in to the end-user web interface. Step 3 Select Admin if you are not already on the Cisco Unified MeetingPlace Web Administration page. Step 4 Select Web Server. Step 5 Scroll down to the "View" section of the page. Step 6 Select the name of the Web Server that you want to configure. Information about this Web Server populates the "Edit" section of the page. Step 7 For Hostname [Home Page], enter the fully qualified domain name (FQDN) of the primary network interface on the Web Server. Example: hostname.domain.com. Note This hostname must be different from that used for Hostname [Home Page]. It must be resolvable by its intended users. Depending on your hostname choice, the hostnames might not have been automatically registered with the DNS during the OS installation. We recommend that you check the DNS, both the forward and reverse lookup zones, and add entries manually if needed. Step 8 For Hostname [Web Conferencing], enter the FQDN of the secondary network interface on the Web Server. Example: hostnamewc.domain.com. Note This hostname must be different from that used for Hostname [Home Page]. It must be resolvable by its intended users. Depending on your hostname choice, the hostnames might not have been automatically registered with the DNS during the OS installation. We recommend that you check the DNS, both the forward and reverse lookup zones, and add entries manually if needed. Step 9 Select Submit. Step 10 (Optional) If you are working on a Windows system with Internet Explorer, select Test Server Configuration. Related Topics •Using the Cisco Unified MeetingPlace Web Administration Page in the Quick Start Configuration: Cisco Unified MeetingPlace Basic Web Conferencing module •Field Reference: Web Server Specific Fields in the Web Administration References for Cisco Unified MeetingPlace module •How to Resolve Test Server Configuration Problems in the Troubleshooting Cisco Unified MeetingPlace Web Conferencing module What to Do Next •Restart the Cisco Unified MeetingPlace Web Conferencing services for changes to the Hostname [Web Conferencing] field to take effect. See Restarting All Web Conferencing Services in the Managing Cisco Unified MeetingPlace Web Conferencing Services module for instructions. Note When you restart the Web Server, all manual changes made to the registry are lost. •If you are configuring SSL, proceed to the "Creating a New Certificate Signing Request and Obtaining a Certificate File" section. Creating a New Certificate Signing Request and Obtaining a Certificate File Use the SSL/TLS configuration page to generate certificate signing requests to send to an authorized Certificate Authority in order to apply for a digital identity certificate. You need two certificates: one for the Home Page hostname, and one for the Web Conferencing hostname. Before You Begin Complete the "Changing the Web Server Hostname From an IP Address to a Hostname" section. Procedure Step 1 Sign in to the end-user web interface. Step 2 Select Admin. Step 3 Select SSL/TLS. Step 4 Select the Edit icon for the Web Conferencing hostname. Step 5 Enter your company name and organization unit/department in the applicable fields. Step 6 Enter the complete, official names of your city/locality and state/province in the applicable fields. Note Do not use abbreviations. Step 7 Select your country/region. Step 8 Select Generate Request. The new certificate signing request (CSR) displays in the text box. The request is signed with an auto-generated private key. Step 9 Select the Private Key link to see the value of the private key. Step 10 Copy the contents of the CSR text box to a text file and send this file to your certificate provider in return for a certificate file. Caution If your certificate provider asks for your server type, specify Apache or Custom, not Microsoft or IIS. If you attempt to install a Microsoft or IIS certificate by using the SSL/TLS configuration pages, Cisco Unified MeetingPlace Web Conferencing will not restart when you attempt to reboot the system. Instead it will log an error about the certificate and disable SSL so that you can restart and fix the problem. Step 11 Select Back to return to the main Administration page. Step 12 Repeat Step 3 through Step 11 for the Web Conferencing hostname. What to Do Next When you receive the .cer files from your certificate provider, proceed to the "Applying SSL Certificates" section. Applying SSL Certificates When you receive the certificate files from your certificate provider, apply the certificates to the Cisco Unified MeetingPlace website. You should have a home page certificate and web conferencing certificate. Some certificate authorities also provide a primary and secondary intermediate certificate. Before You Begin •Complete the "Creating a New Certificate Signing Request and Obtaining a Certificate File" section. •You must install your certificates in the following order: –Home page and web conferencing site certificates –Primary and secondary intermediate certificates (if provided) Procedure Step 1 Sign in to the end-user web interface. Step 2 Select Admin. Step 3 Select SSL/TLS. Step 4 Select the Edit icon for the Home Page hostname. Step 5 Open the certificate file in a text editor. Paste and copy the text. Step 6 Paste the text from the certificate into the text box at the bottom of the page. Make sure the text you paste includes the beginning and ending certificate delimiters. Step 7 Select Install Certificate. The host is now set up with a certificate. Step 8 Select Back. Step 9 Select the Edit icon for the Web Conferencing hostname. Step 10 Open the certificate file in a text editor. Paste and copy the text. Step 11 Paste the text from the certificate into the text box at the bottom of the page. Step 12 If a secondary intermediate certificate is provided, copy and paste it into the text box under the certificate you pasted in Step 11. Step 13 If a primary intermediate certificate is provided, copy and paste it into the text box under the certificate you pasted in Step 12. The following is an example of the web conferencing, secondary intermediate, and primary intermediate certificate text: ----BEGIN CERTIFICATE----- MIIFLzCCBBegAwIBAgIQGXyI4NRucd6RG1333 QWEQRWGEASDFGRT%ER%W#%WTFSSG333 wE5NM0JaptJNp7SpMx8xXDaQHmrY2H++93 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- werQRWGEASDFGRT%ER%W#%WTFSDSGDG wgdfg0JaptJNp7SpMx8xXDaQHmrY2H+9oF48 MIIFLzCCBBegAwIBAgIQGXyI4NRucd6RG1FRe -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- wE5NM0JaptJNp7SpMx8xXDaQHmrY2H++242 sdfsRWGEASDFGRT%ER%W#%WTFSDRETE233 -----END CERTIFICATE----- Note You must paste the SSL certificates on top of each other sequentially (no spaces between each block of certificate text). If you only have one intermediate certificate then you only past the web conferencing and intermediate certificates into the text box. Step 14 Select Install Certificate. Step 15 Select Back. What to Do Next If intermediate certificates were provided, proceed to the "Applying Intermediate Certificates for the Home Page" section. Otherwise, proceed to "Enabling SSL" section. Applying Intermediate Certificates for the Home Page You must install ntermediate certificates for the home page using MMC. Remove and replace old intermediate certificates with new certificates from MMC. Procedure Step 1 In Windows on your web server click Start > Run. Step 2 Enter mmc in the text box and select OK. Step 3 On the Microsoft Management Console (MMC) menu bar, select File > Add/Remove Snap-in. Step 4 From the list of snap-ins, select Certificates. Step 5 Select Add. Step 6 Select Computer account. Step 7 Select Next. Step 8 Select Local computer (the computer this console is running on). Step 9 Select Finish. Step 10 In the Add/Remove Snap-in window, Select OK. Step 11 In the left pane select Certificates (Local Computer) > Intermediate Certification Authorities > Certificates. Step 12 Right-click Certificates and select All Tasks > Import. Step 13 At the Certificate Import Wizard, select Next. Step 14 Select Browse and choose your secondary intermediate certificate file. Step 15 Select Next. Step 16 Select Place all certificate in the following store > Intermediate Certification Authorities. Note If Intermediate Certification Authorities is not listed, use the Browse button to select it. Step 17 Select Next. Step 18 Select Finish. Step 19 Repeat Step 12 through 18 for the Primary Intermediate Certificate file. Step 20 Restart Windows (Reboot). What to Do Next Proceed to the "Enabling SSL" section. Enabling SSL Complete this procedure to enable the Require SSL field on the Web Server administration page. Before You Begin •Complete the "Applying SSL Certificates" section. •Make sure that you are still on the SSL/TLS page. Procedure Step 1 Select Toggle SSL to turn SSL on. Step 2 Select Reboot Server. The server shuts down and restarts. Note If the Web Server cannot validate the SSL certificates, the server will log an error and toggle SSL to off. In this case, you will need to restart the Cisco Unified MeetingPlace Web Conferencing service and fix the issue, then repeat the steps in this procedure. Note When you restart the Web Server, all manual changes made to the registry are lost. What to do Next Proceed to the "Testing the Web Server Over an HTTPS Connection" section. Testing the Web Server Over an HTTPS Connection Before You Begin Complete the "Enabling SSL" section. Procedure Step 1 Use a web browser to connect to https://hostname.domain.com, the Fully Qualified Domain Name, of the Web Server. •If the Cisco Unified MeetingPlace home page displays, the connection to the Home Page hostname is successful. •If any security warning dialog boxes appear, configure SSL not to show the dialog boxes. For detailed information, see Microsoft Knowledge Base Articles 813618 and 257873 on the Microsoft website. Step 2 Sign in to the end-user web interface. Step 3 Select Immediate Meeting. If the meeting console opens, the connection to the Web Conferencing hostname is successful. Verifying Certificates from the CLI Before You Begin Install all of your certificates as described in "Applying SSL Certificates" section. Procedure Step 1 Open an SSL session. Step 2 Enter the following for each certificate you want to verify: openssl s_client -showcerts -connect hostname:443 You receive confirmation that your certificate has been configured. For example: CONNECTED(00000750) --- Certificate chain 0 s:/C=US/ST=CALIFORNIA/L=San Jose/O=Cisco Systems, Inc./OU=CSG/CN=.webex.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 -----BEGIN CERTIFICATE----- Certificate code -----END CERTIFICATE----- 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 -----BEGIN CERTIFICATE----- Certificate code -----END CERTIFICATE----- 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority -----BEGIN CERTIFICATE----- Certificate code -----END CERTIFICATE-------- Server certificate subject=/C=US/ST=CALIFORNIA/L=San Jose/O=Cisco Systems, Inc./OU=CSG/CN=.webex.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 --- No client certificate CA names sent --- SSL handshake has read 4172 bytes and written 322 bytes --- New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES128-SHA Session-ID: Session-ID-ctx: Master-Key: Master key code Key-Arg : None Start Time: 1327584886 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)--- (Optional) Disabling Support for Low Encryption Ciphers and SSL v2 Cisco authorizes Cisco Unified MeetingPlace Web Conferencing customers to disable the support for low encryption ciphers and SSL v2 on their Cisco Unified MeetingPlace Web Servers based on their security requirements. You must assume all work related to this security hardening as well as the operational consequences of this security lock-down, including the fact that some end-users might be unable to use the Cisco Unified MeetingPlace Web Servers because of incompatible browsers/ client SSL implementation, or encryption strength limitations. To perform this lock-down for the Microsoft IIS web server component used by Cisco Unified MeetingPlace Web Conferencing, see the following Microsoft Knowledge Base articles: How to Control the Ciphers for SSL and TLS on IIS (IIS restart required): http://support.microsoft.com/default.aspx?scid=KB;en-us;q216482 How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (Windows restart required): http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030 How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services (Windows restart required): http://support.microsoft.com/default.aspx?scid=kb;en-us;187498 To perform this lock-down for the Adobe Connect application web server used by Cisco Unified MeetingPlace Web Conferencing, see the following Adobe article: http://livedocs.adobe.com/fms/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00000300.html Note You can find the Server.xml file that contains the SSLCipherSuite tag to be edited in the following folder on the Cisco Unified MeetingPlace Web Server: C:\Program Files\Cisco Systems\MPWeb\WebConf\comserv\win32\conf Caution Any upgrade of the Cisco Unified MeetingPlace Web Conferencing software with a maintenance release will overwrite the changes that you have made in Server.xml. These changes must be re-applied after the upgrade. How to Replace an Expired Intermediate Certificate for the Home Page Note As of April 2006, all SSL certificates issued by VeriSign require the installation of an intermediate Certificate Authority (CA) certificate. The SSL certificates are signed by an intermediate CA using a two-tier hierarchy (also known as trust chain) which enhances the security of SSL certificates. For more information, go to: http://www.verisign.com/support/advisories/page_040611.html. Topics in this section include: •Downloading the Updated VeriSign Intermediate CA •Creating a Certificate Snap-In •Removing the Expired Intermediate CA •Installing the New Intermediate CA Downloading the Updated VeriSign Intermediate CA When downloading the intermediate CA certificate, ensure that you select the appropriate one for your SSL certificate: either Secure Site with EV Certificates (Secure Server) or Secure Site Pro with EV Certificates (Global). Procedure Step 1 If you are not sure which certificate you have purchased, follow these steps: a. Go to VeriSign Search Certificates page. b. Type your Common Name or Order Number. c. Select Search. d. Select the certificate name for your certificate. Step 2 Go to the VeriSign intermediate CA certificates web page and select the CA certificate for your product. Step 3 Copy and paste the contents into a text (Notepad) file. Step 4 Save the file as newintermediate.cer. Creating a Certificate Snap-In Procedure Step 1 From the Web server, select Start > Run. Step 2 In the text box, type mmc. Step 3 Select OK. Step 4 For IIS 5.0: From the Microsoft Management Console (MMC) menu bar, select Console > Add/Remove Snap-in. Step 5 For IIS 6.0: From the Microsoft Management Console (MMC) menu bar, select File > Add/Remove Snap-in. Step 6 Select Add. Step 7 From the list of snap-ins, select Certificates. Step 8 Select Add. Step 9 Select Computer account. Step 10 Select Next. Step 11 Select Local computer (the computer this console is running on). Step 12 Select Finish. Step 13 In the snap-in list window, select Close. Step 14 In the Add/Remove Snap-in window, select OK. Step 15 Save these console settings for future use. Removing the Expired Intermediate CA Procedure Step 1 From the left pane, double-click Certificate (Local Computer). Step 2 Select Intermediate Certification Authorities > Certificates. Step 3 Locate the certificate issued to www.verisign.com/CPS Incorp.by Ref.LIABILITY LTD. (C)97 VeriSign (expiration date of 1/7/2004). Step 4 Right-click the certificate. Step 5 Select Delete. Step 6 From the left pane, select Trusted Root Certification Authorities > Certificates. Step 7 Locate the certificate issued to Class 3 Public Primary Certification Authority (expiration date of 1/7/2004). Step 8 Right-click the certificate. Step 9 Select Delete. Installing the New Intermediate CA Procedure Step 1 From the left pane, select Intermediate Certification Authorities. Step 2 Right-click Certificates. Step 3 Select All Tasks > Import. Step 4 At the Certificate Import Wizard, select Next. Step 5 Select the Intermediate CA Certificate file. Step 6 Select Next. Step 7 Select Place all certificate in the following store: Intermediate Certification Authorities. Step 8 Select Next. Step 9 Select Finish. Step 10 Restart the Web Server. If this does not resolve the issue, then physically reboot the Web Server. The Web Server should now only have one Intermediate CA that expires in 2016. Note When you restart the Web Server, all manual changes made to the registry are lost. How to Replace an Expired Intermediate Certificate for Web Conferencing Note As of April 2006, all SSL certificates issued by VeriSign require the installation of an intermediate Certificate Authority (CA) certificate. The SSL certificates are signed by an intermediate CA using a two-tier hierarchy (also known as trust chain) which enhances the security of SSL certificates. For more information, go to: http://www.verisign.com/support/advisories/page_040611.html. 1. Follow the steps in the "Downloading the Updated VeriSign Intermediate CA" section. In that procedure, you copied the contents of the intermediate CA certificate into a file called newintermediate.cer. 2. Follow the steps in the "Applying SSL Certificates" section. 3. When prompted to copy the certificate, copy the text from file called newintermediate.cer. 4. Add the intermediate certificate provided by your certificate authority provider to the SSL certificate PEM files. Note When pasting these two certificates within the same PEM file, the order of these certificates matters. The signed server certificate has to be pasted first and then the intermediate certificate should be pasted below the signed server certificate. Be careful when pasting these certificates into the file as extra spaces or dashes can cause problems with the certificate file. Once you make the changes, restart Flash Communication services and the Breeze Application service. How to Back Up and Restore the SSL Private Key This section describes how to export and subsequently reimport the SSL private key into the MPWEB database. We recommend that you make this part of your standard backup procedure. You will need to complete these procedures any time you need to move the SSL certificate, for example, from an old Web Server computer to a new Web Server computer or when you are rebuilding a computer. •Exporting the Private Key •Copying and Saving the Private Key for Future Use •Importing the Private Key in to the MPWEB Database Exporting the Private Key This procedure describes how to export the private key/certificate pair on the Web Server so that you can manually copy the SSL files in case you need to restore SSL on the Web Server. Procedure Step 1 Open the Internet Services Manager on the Cisco Unified MeetingPlace Web Server. Select Start > Programs > Administrative Tools > Internet Information Services Manager. Step 2 Navigate to Default Web Site. Select the + sign beside Local Server > Web Sites to open the appropriate directory trees. Step 3 Right-click Default Web Site. Step 4 Select Properties. The Default Web Site Properties window displays. Step 5 Select the Directory Security tab. Step 6 Select Server Certificate. The Web Server Certificate wizard displays. Step 7 Select Next. Step 8 Select Export the current certificate to a pfx file. Step 9 Select Next. Step 10 Select Browse and select to save the certificate file to your desktop. Step 11 Select Next. Step 12 Enter a password to encrypt the certificate. Step 13 Enter the password again to confirm it. Step 14 Select Next. The Export Certificate Summary Screen displays and the exported certificate file is now on your desktop. Step 15 Select Next. Step 16 Select Finish to close the Web Server Certificate wizard. Step 17 Select OK or Cancel to close the Default Web Site Properties window. Step 18 Close IIS Manager. What to Do Next Proceed to the "Copying and Saving the Private Key for Future Use" section. Copying and Saving the Private Key for Future Use We recommend that you complete this procedure as part of your standard backup procedure on the Web Server. Before You Begin Complete the "Exporting the Private Key" section. Procedure Step 1 Open a DOS prompt. a. Select Start > Run. b. Enter cmd. Step 2 Enter the path to your desktop in the cmd.exe window. Example: C:\> cd "Documents and Settings\Administrator\Desktop" Step 3 Enter the full path to OpenSSL.exe keeping the following in mind: •After -in, enter the full path to where you placed the file when you exported the private key. •After -out, enter the full path to where you want to send the exported file. Example:C:\Documents and Settings\Administrator\Desktop>"\Program Files\Cisco Systems\MPWeb\DataSvc\openssl.exe" pkcs12 -in "\Documents and Settings\Administrator\Desktop\mycertificate.pfx" -out "\Documents and Settings\Administrator\Desktop\mycertificate.pem" -nodes This converts the PFX format to a PEM format. The mycertificate.pem file will have all the certificates starting with the Private key. Step 4 Enter the import password when prompted. This is the password you defined in the Web Server Certificate wizard during the export process. Step 5 Save the PEM file. You will need it whenever you need to reapply the certificate. Related Topics •Exporting the Private Key Backing Up the Breeze Certificate Procedure Step 1 Open a DOS prompt. Step 2 Enter the following command: Copy c:\Program Files\Cisco Systems\MPWeb\WebConf\comserv\win32\conf\_defaultRoot_\cert.pem file to backup path. About Restoring Breeze and Home Page Certificates See the "Applying SSL Certificates" section for more information on restoring Breeze and home page certificates. Importing the Private Key in to the MPWEB Database Before You Begin Complete the "Copying and Saving the Private Key for Future Use" section. Procedure Step 1 Open SQL Server Enterprise Manager. Select Start > All Programs > Microsoft SQL Server > Enterprise Manager. Step 2 Navigate to the MPWEB database. Select the + sign next to SQL Server Group > LOCAL > Databases > MPWEB to open the appropriate directory trees. Step 3 Select Tables in the MPWEB directory. A list of tables opens in the right pane. Step 4 Right-click Web in the right pane. Step 5 Select Open table > Return all rows. The Web database table displays. Step 6 Scroll to the right until you see the SSLPrivateKey column. Step 7 Open the PEM file in Notepad. You saved the PEM file when you copied and saved the private key for future use. Step 8 Copy the private key in its entirety. The private key begins with "Begin RSA Private key" and ends with "end RSA private key". Step 9 Paste the private key into the SSLPrivateKey field. a. Select the field before the SSLPrivateKey column. b. Press the Tab key on your keyboard to select all of the data in the SSLPrivateKey field. c. Right-click and select Paste to paste the value you copied from Notepad. Step 10 Click somewhere else on the screen to remove your cursor from the SSLPrivateKey field. Step 11 Close SQL Server Enterprise Manager. Step 12 (Optional) Enable SSL if it is not already enabled. Step 13 Reboot the server. Related Topics •Enabling SSL •Copying and Saving the Private Key for Future Use Allowing Guests to Search Through Public Meetings Guest users have fewer privileges than users who log in with their profiles. Complete this procedure to allow guests to search through public meetings. Procedure Step 1 Sign in to the end-user web interface. Step 2 Select Admin. Step 3 Select Web Server. Step 4 Scroll down to the "View" section of the page. Step 5 Select the name of the Web Server that you want to configure. Information about this server populates the "Edit" section of the page. Step 6 Select Yes for Allow Public Meetings in Find Meeting List. Step 7 Select Yes for Allow Guest Access to Find Meetings Page. Step 8 Select Submit. Tip To allow external users (those outside your firewall) and sites (Cisco Unified MeetingPlace systems outside your network) to access a meeting and the associated meeting materials, make sure that Allow External Web Participants is set to Yes for the meeting. This parameter is set by the meeting scheduler from the New Meeting scheduling page, and it is only visible if your Cisco Unified MeetingPlace system has an external site—that is, a Web Server located in an Internet-accessible segment of your network, such as in a DMZ zone. Related Topics •Field Reference: Web Server Customization Values in the Web Administration References for Cisco Unified MeetingPlace module
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks