Configuration Guide for Cisco Unified MeetingPlace Release 8.5 - Configuring SSL for the Application Server [Cisco Unified MeetingPlace]

Table Of Contents

Configuring SSL for the Cisco Unified MeetingPlace Application Server

Interfaces Secured by SSL for the Application Server

Generating a Certificate Signing Request and Obtaining the Certificate

Uploading the Certificate File and Enabling SSL

Enabling SSL on an Audio-Only Deployment with Failover Configured

Displaying the Certificate

Backing Up the SSL Configuration

Restoring the SSL Configuration

Disabling SSL

Configuring SSL for the Cisco Unified MeetingPlace Application Server

Release 8.5

Revised: November 5, 2012 9:18 am

On WebEx-scheduled deployments the TSP Secure Sockets Layer (SSL) certificate between Cisco WebEx and the Cisco Unified MeetingPlace Application Server SSL is configured automatically after you configure your Cisco WebEx site.

To enable SSL to provide secure web communications for the Application Server, you must obtain and upload a digital identity certificate that the system binds with a private key and password. Self-signed certificates can be used for the Application Server.

•Interfaces Secured by SSL for the Application Server

•Generating a Certificate Signing Request and Obtaining the Certificate

•Uploading the Certificate File and Enabling SSL

•Displaying the Certificate

•Backing Up the SSL Configuration

•Restoring the SSL Configuration

•Disabling SSL

Related Topics

•Integrating WebEx-Scheduling Deployments with Cisco WebEx module

Interfaces Secured by SSL for the Application Server

Enabling SSL for the Application Server secures web communications with these interfaces:

•Administration Center

•MeetingPlace Conference Manager

•Microsoft Outlook plug-ins for scheduling Cisco Unified MeetingPlace and Cisco WebEx web conferencing

•Cisco WebEx integration end-user interface on the Application Server

•How to Configure Secure Sockets Layer for the Web Server in the Configuring Security Features for the Cisco Unified MeetingPlace Web Server module

Generating a Certificate Signing Request and Obtaining the Certificate

In this task, you create a certificate signing request (CSR) that you then send to an authorized certificate authority (CA) to apply for a digital identity certificate. The system also creates and stores a private key file and password specifically for that certificate. You can use self-signed certificates for the Application Server.

When you later upload the certificate file, the system binds the certificate file with the system-generated private key file and password to enable SSL.

Before You Begin

•If you created your own certificate and private key, do not perform this task. Proceed to the "Uploading the Certificate File and Enabling SSL" section.

•SSL must be disabled to generate CSRs.

•The CSR and resulting certificate use the Application Server hostname that you entered for Ethernet Port 1 (device eth0) during the operating system installation.

If you change this hostname, you must obtain new certificates.

For information about installing the Application Server, see Installing the Cisco Unified MeetingPlace Application Server Software.

Caution If you already installed a valid SSL certificate, generating a new CSR will make the existing certificate invalid. Proceed only if you are installing the certificate for the first time, if you are replacing an expired or invalid certificate, or if you change the hostname of your Application Server.

Procedure

Step 1 Sign in to the Administration Center.

Step 2 Select Certificate Management > Web Certificate Management > Generate Certificate Signing Request (CSR).

Step 3 Enter values in the fields on the Generate Certificate Signing Request (CSR) Page.

Note Some CAs do not recognize two-letter state abbreviations, so enter the full name of the state. Also, if you want to use any special (non-alphanumeric) characters, ask your CA for character restrictions.

Step 4 Select Generate CSRs only once.

Step 5 Select OK.

Step 6 Select Download CSR.

Caution After you select Download CSR, do not modify any fields on this page, and do not select Generate CSR again. Doing so will result in an invalid certificate from the CA.

Step 7 Select Save.

Step 8 In the Save As dialog box, perform these actions:

a. Delete any browser-added text (typically [1] and .txt) from the filename, to make the filename appear in this format: fully-qualified-domain-name_req.csr

Example: meetings.example.com_req.csr

b. In the Save as type field, select All Files.

c. Choose the appropriate directory.

d. Select Save.

Step 9 Send this file to the CA in return for a certificate file.

Make sure that you request a file in one of the following formats:

–Private keys: PKCS #1, PKCS #8 (PEM or DER encoding), Java keystore

–Certificates: X.509 (PEM or DER encoding), Java keystore

Related Topics

•Field Reference: Generate Certificate Signing Requests (CSRs) Page in the Administration Center Page References for Cisco Unified MeetingPlace module

•Troubleshooting SSL for the Cisco Unified MeetingPlace Application Server module

What To Do Next

•We recommend that you back up and archive your system to save the system-generated private key file and password that are required to validate the certificate that you ordered from the CA. Otherwise, if the system is reinstalled for some reason before you receive and upload the certificate, you will need to generate a new CSR and obtain a new certificate. See the Backing Up, Archiving, and Restoring Data on the Cisco Unified MeetingPlace Application Server module.

•Proceed to the "Uploading the Certificate File and Enabling SSL" section.

Uploading the Certificate File and Enabling SSL

Before You Begin

•Obtain the certificate by one of these methods:

–Obtain a certificate from a trusted CA—See the "Generating a Certificate Signing Request and Obtaining the Certificate" section. This is the root CA certificate.

–Create your own certificate, private key, and password—If you use this method, note that when a user tries to access one of the Interfaces Secured by SSL for the Application Server, a security alert warns the user that the certificate comes from an untrusted source. The user then has to select OK to proceed.

Note You can use self-signed certificates for the Application Server.

•The Application Server supports only the following formats:

–Private keys: PKCS #1, PKCS #8 (PEM or DER encoding), Java keystore

–Certificates: X.509 (PEM or DER encoding), Java keystore

If your certificate or private key is in an unsupported format, then see Certificate or Private Key is in the Wrong Format in the Troubleshooting SSL for the Cisco Unified MeetingPlace Application Server module.

•If your CA issued a certificate that requires the installation of an intermediate CA certificate:

1. Obtain the intermediate CA certificate(s) by contacting your CA.

2. Using a text editor, paste the text of the intermediate CA certificate to the end of the Cisco Unified MeetingPlace certificate file.

3. In the procedure below, make sure that you upload the combined certificate file that includes both the root and intermediate CA certificates.

Procedure

Step 1 Sign in to the Administration Center.

Step 2 Select Certificate Management > Web Certificate Management > Enable SSL.

Step 3 Enter values in the fields.

Note If you obtained the certificate from a CA by using the Generate Certificate Signing Request (CSR) Page, then only enter the certificate file.

Step 4 Select Upload Certificate.

Verifying

If this is the first certificate upload for the system, proceed to the "Displaying the Certificate" section.

Otherwise, view the information capture log. See "Obtaining and Viewing the System Information Capture (Infocap) Log" in the Using Alarms and Logs on Cisco Unified MeetingPlace module.

Related Topics

•Using the Command-Line Interface (CLI) on the Cisco Unified MeetingPlace Application Server module

•Troubleshooting SSL for the Cisco Unified MeetingPlace Application Server module

What to Do Next

•If you use MeetingPlace Conference Manager, you will need to edit the server URL to use "https" instead of "http." See "Editing an Existing Server" in the Modifying the List of Available Servers in MeetingPlace Conference Manager module.

•Proceed to the "Backing Up the SSL Configuration" section.

Enabling SSL on an Audio-Only Deployment with Failover Configured

Perform the following steps after enabling SSL on the primary server.

Procedure

Step 1 Sign in to the CLI of the active server. If you are logging in remotely, use the eth0 IP address or hostname.

Step 2 Enter the following command to compress and transfer the files from the active server to the standby server:
failoverUtil copyConfigFiles 
Step 3 Sign in to the CLI of the standby server. If you are logging in remotely, use eth0:0 IP address or hostname.

Step 4 Enter the following command to decompress the transferred files and put them in the correct directories on the standby server:
failoverUtil restoreConfigFiles
Displaying the Certificate

Procedure

Step 1 Sign in to the Administration Center.

Step 2 Select Certificate Management > Web Certificate Management > Display Certificate.

Step 3 Select Display Certificate.

Backing Up the SSL Configuration

Use this procedure to back up your SSL configuration, including the certificate.

If you ever reinstall the operating system, the SSL files will be deleted. The SSL files might also be lost (but are often preserved) when you reinstall or upgrade the Cisco Unified MeetingPlace application.

Before You Begin

Complete the "Uploading the Certificate File and Enabling SSL" section.

Procedure

Step 1 Sign in to the Administration Center.

Step 2 Select Certificate Management > Web Certificate Management > Back Up SSL Configuration.

Step 3 Select Back Up SSL Configuration.

Step 4 Select Save.

Related Topics

•Restoring the SSL Configuration

What to Do Next

To configure SSL for the Web Server, see the Configuring Security Features for the Cisco Unified MeetingPlace Web Server module.

Restoring the SSL Configuration

Before You Begin

Complete the "Backing Up the SSL Configuration" section.

Procedure

Step 1 Sign in to the Administration Center.

Step 2 Select Certificate Management > Web Certificate Management > Restore SSL Configuration.

Step 3 Browse to the file.

By default, the filename is backupSSLData.zip.

Step 4 Select Restore SSL Configuration.

Related Topics

•Troubleshooting SSL for the Cisco Unified MeetingPlace Application Server module

Disabling SSL

Before You Begin

You cannot disable SSL for only one Application Server interface. Completing this task disables SSL for all interfaces listed in the "Interfaces Secured by SSL for the Application Server" section.

Procedure

Step 1 Sign in to the Administration Center.

Step 2 Select Certificate Management > Web Certificate Management > Disable SSL.

Step 3 Select Disable SSL.

Step 4 Select OK.

What To Do Next

If you use MeetingPlace Conference Manager, you will need to edit the server URL to use "http" instead of "https." See "Editing an Existing Server" in the Modifying the List of Available Servers in MeetingPlace Conference Manager module.

	Configuration Guide for Cisco Unified MeetingPlace Release 8.5
	Configuring SSL for the Application Server
Configuration Guide for Cisco Unified MeetingPlace Release 8.5 Quick Start Configuration Basic Voice and Video Conferencing Web Scheduling Interface for Scheduling and Joining Meetings Configuring a Multinode System with Two EMS Nodes Basic System Configuration Signing In to the Administration Center Installing and Managing Licenses Configuring Access Phone Numbers and Notification Labels Configuring Languages Configuring Meetings Configuring Ad-Hoc Conferencing Configuring Email Notifications Configuring Audio and Video Recordings Configuring Attendant Settings Managing your Multinode Topology for Cisco Unified MeetingPlace User and Endpoint Configuration Configuring User Profiles and User Groups Configuring Directory Service Changing the User Status in User Profiles Configuring Endpoints Call Configuration Configuring Call Control Configuring Dial-Out Features Configuring the Auto Attend Feature Configuring Direct Inward Dial Web Server Configuration Configuring the Cisco Unified MeetingPlace Gateway System Integrity Manager Connecting the Application Server to a Web Server Stopping, Starting, or Restarting the Cisco Unified MeetingPlace Web Master Service Configuring Audio Conversion Configuring the Web Server for Optimal Data Storage Configuring User Authentication for the Web Server Configuring Segmented Meeting Access Configuring the SQL Server for the Web Server Monitoring and Maintaining the Web Server MeetingPlace Conference Manager Installing MeetingPlace Conference Manager Signing In to MeetingPlace Conference Manager Modifying the List of Available Servers Searching for Meetings Scheduling Meetings Monitoring Active Meetings Updating User Information Integrating with Cisco WebEx Integrating with Cisco WebEx Integrating WebEx-Managed Deployments with Cisco WebEx Integrating MeetingPlace-Managed Deployments with Cisco WebEx Configuring Recordings for Cisco WebEx Integration Integrating with Microsoft Outlook Enabling Scheduling from Microsoft Outlook Enabling Microsoft Outlook Calendar Notifications for Meetings Scheduled from the User Web Interface Cisco Integrations Integrating with Cisco Unified Communications Manager Integrating with Cisco Unified Personal Communicator Integrating with Cisco Unified IP Phone Integrating with Cisco Unity Connection Security Securing the System Configuring SSL for the Application Server Configuring Security Features for the Web Server User Authentication Changing System Administrator Passwords Advanced Configuration Backing Up, Archiving, and Restoring Data on the Application Server Configuring Application Server Failover Importing Data Configuring SNMP Configuring SNMP on the Cisco Unified MeetingPlace Cisco WebEx Node Maintenance Configuring Maintenance Windows Running Reports and Exporting Data Sending Email Blasts Configuring Time and Time Zones Maintaining the Database User Interface Customization Configuring Flex Fields Customizing Email Notifications Customizing Music and Voice Prompts Customizing the User Web Interface Troubleshooting Using Alarms and Logs Password Recovery Troubleshooting User Access Issues Troubleshooting Phone Issues Troubleshooting Video Issues Troubleshooting Topology Management Issues Troubleshooting Email Notifications Troubleshooting the Cisco Unified MeetingPlace Web Server Troubleshooting SSL for the Application Server Troubleshooting the Integration with Cisco WebEx Troubleshooting Directory Services Troubleshooting Scheduling from Microsoft Outlook Troubleshooting Microsoft Outlook Calendar Notifications for Meetings Scheduled from the User Web Interface Troubleshooting Time Issues with Cisco Unified MeetingPlace About Microsoft System Updates or Patches and the Cisco MCS Reference Information Administration Center Page References Web Administration References MeetingPlace Conference Manager References Using the Command-Line Interface (CLI) on the Application Server Using the Command-Line Interface (CLI) on the Cisco WebEx Node Raw Data Export and Import Specifications Time Zone Codes Time Zone Mapping Between Cisco WebEx and Cisco Unified MeetingPlace Application Server File Locations Accessibility Features in the Administration Center	Download this chapter Configuring SSL for the Application Server Feedback Table Of Contents Configuring SSL for the Cisco Unified MeetingPlace Application Server Interfaces Secured by SSL for the Application Server Generating a Certificate Signing Request and Obtaining the Certificate Uploading the Certificate File and Enabling SSL Enabling SSL on an Audio-Only Deployment with Failover Configured Displaying the Certificate Backing Up the SSL Configuration Restoring the SSL Configuration Disabling SSL Configuring SSL for the Cisco Unified MeetingPlace Application Server Release 8.5 Revised: November 5, 2012 9:18 am On WebEx-scheduled deployments the TSP Secure Sockets Layer (SSL) certificate between Cisco WebEx and the Cisco Unified MeetingPlace Application Server SSL is configured automatically after you configure your Cisco WebEx site. To enable SSL to provide secure web communications for the Application Server, you must obtain and upload a digital identity certificate that the system binds with a private key and password. Self-signed certificates can be used for the Application Server. •Interfaces Secured by SSL for the Application Server •Generating a Certificate Signing Request and Obtaining the Certificate •Uploading the Certificate File and Enabling SSL •Displaying the Certificate •Backing Up the SSL Configuration •Restoring the SSL Configuration •Disabling SSL Related Topics •Integrating WebEx-Scheduling Deployments with Cisco WebEx module Interfaces Secured by SSL for the Application Server Enabling SSL for the Application Server secures web communications with these interfaces: •Administration Center •MeetingPlace Conference Manager •Microsoft Outlook plug-ins for scheduling Cisco Unified MeetingPlace and Cisco WebEx web conferencing •Cisco WebEx integration end-user interface on the Application Server •How to Configure Secure Sockets Layer for the Web Server in the Configuring Security Features for the Cisco Unified MeetingPlace Web Server module Generating a Certificate Signing Request and Obtaining the Certificate In this task, you create a certificate signing request (CSR) that you then send to an authorized certificate authority (CA) to apply for a digital identity certificate. The system also creates and stores a private key file and password specifically for that certificate. You can use self-signed certificates for the Application Server. When you later upload the certificate file, the system binds the certificate file with the system-generated private key file and password to enable SSL. Before You Begin •If you created your own certificate and private key, do not perform this task. Proceed to the "Uploading the Certificate File and Enabling SSL" section. •SSL must be disabled to generate CSRs. •The CSR and resulting certificate use the Application Server hostname that you entered for Ethernet Port 1 (device eth0) during the operating system installation. If you change this hostname, you must obtain new certificates. For information about installing the Application Server, see Installing the Cisco Unified MeetingPlace Application Server Software. Caution If you already installed a valid SSL certificate, generating a new CSR will make the existing certificate invalid. Proceed only if you are installing the certificate for the first time, if you are replacing an expired or invalid certificate, or if you change the hostname of your Application Server. Procedure Step 1 Sign in to the Administration Center. Step 2 Select Certificate Management > Web Certificate Management > Generate Certificate Signing Request (CSR). Step 3 Enter values in the fields on the Generate Certificate Signing Request (CSR) Page. Note Some CAs do not recognize two-letter state abbreviations, so enter the full name of the state. Also, if you want to use any special (non-alphanumeric) characters, ask your CA for character restrictions. Step 4 Select Generate CSRs only once. Step 5 Select OK. Step 6 Select Download CSR. Caution After you select Download CSR, do not modify any fields on this page, and do not select Generate CSR again. Doing so will result in an invalid certificate from the CA. Step 7 Select Save. Step 8 In the Save As dialog box, perform these actions: a. Delete any browser-added text (typically [1] and .txt) from the filename, to make the filename appear in this format: fully-qualified-domain-name_req.csr Example: meetings.example.com_req.csr b. In the Save as type field, select All Files. c. Choose the appropriate directory. d. Select Save. Step 9 Send this file to the CA in return for a certificate file. Make sure that you request a file in one of the following formats: –Private keys: PKCS #1, PKCS #8 (PEM or DER encoding), Java keystore –Certificates: X.509 (PEM or DER encoding), Java keystore Related Topics •Field Reference: Generate Certificate Signing Requests (CSRs) Page in the Administration Center Page References for Cisco Unified MeetingPlace module •Troubleshooting SSL for the Cisco Unified MeetingPlace Application Server module What To Do Next •We recommend that you back up and archive your system to save the system-generated private key file and password that are required to validate the certificate that you ordered from the CA. Otherwise, if the system is reinstalled for some reason before you receive and upload the certificate, you will need to generate a new CSR and obtain a new certificate. See the Backing Up, Archiving, and Restoring Data on the Cisco Unified MeetingPlace Application Server module. •Proceed to the "Uploading the Certificate File and Enabling SSL" section. Uploading the Certificate File and Enabling SSL Before You Begin •Obtain the certificate by one of these methods: –Obtain a certificate from a trusted CA—See the "Generating a Certificate Signing Request and Obtaining the Certificate" section. This is the root CA certificate. –Create your own certificate, private key, and password—If you use this method, note that when a user tries to access one of the Interfaces Secured by SSL for the Application Server, a security alert warns the user that the certificate comes from an untrusted source. The user then has to select OK to proceed. Note You can use self-signed certificates for the Application Server. •The Application Server supports only the following formats: –Private keys: PKCS #1, PKCS #8 (PEM or DER encoding), Java keystore –Certificates: X.509 (PEM or DER encoding), Java keystore If your certificate or private key is in an unsupported format, then see Certificate or Private Key is in the Wrong Format in the Troubleshooting SSL for the Cisco Unified MeetingPlace Application Server module. •If your CA issued a certificate that requires the installation of an intermediate CA certificate: 1. Obtain the intermediate CA certificate(s) by contacting your CA. 2. Using a text editor, paste the text of the intermediate CA certificate to the end of the Cisco Unified MeetingPlace certificate file. 3. In the procedure below, make sure that you upload the combined certificate file that includes both the root and intermediate CA certificates. Procedure Step 1 Sign in to the Administration Center. Step 2 Select Certificate Management > Web Certificate Management > Enable SSL. Step 3 Enter values in the fields. Note If you obtained the certificate from a CA by using the Generate Certificate Signing Request (CSR) Page, then only enter the certificate file. Step 4 Select Upload Certificate. Verifying If this is the first certificate upload for the system, proceed to the "Displaying the Certificate" section. Otherwise, view the information capture log. See "Obtaining and Viewing the System Information Capture (Infocap) Log" in the Using Alarms and Logs on Cisco Unified MeetingPlace module. Related Topics •Using the Command-Line Interface (CLI) on the Cisco Unified MeetingPlace Application Server module •Troubleshooting SSL for the Cisco Unified MeetingPlace Application Server module What to Do Next •If you use MeetingPlace Conference Manager, you will need to edit the server URL to use "https" instead of "http." See "Editing an Existing Server" in the Modifying the List of Available Servers in MeetingPlace Conference Manager module. •Proceed to the "Backing Up the SSL Configuration" section. Enabling SSL on an Audio-Only Deployment with Failover Configured Perform the following steps after enabling SSL on the primary server. Procedure Step 1 Sign in to the CLI of the active server. If you are logging in remotely, use the eth0 IP address or hostname. Step 2 Enter the following command to compress and transfer the files from the active server to the standby server: failoverUtil copyConfigFiles Step 3 Sign in to the CLI of the standby server. If you are logging in remotely, use eth0:0 IP address or hostname. Step 4 Enter the following command to decompress the transferred files and put them in the correct directories on the standby server: failoverUtil restoreConfigFiles Displaying the Certificate Procedure Step 1 Sign in to the Administration Center. Step 2 Select Certificate Management > Web Certificate Management > Display Certificate. Step 3 Select Display Certificate. Backing Up the SSL Configuration Use this procedure to back up your SSL configuration, including the certificate. If you ever reinstall the operating system, the SSL files will be deleted. The SSL files might also be lost (but are often preserved) when you reinstall or upgrade the Cisco Unified MeetingPlace application. Before You Begin Complete the "Uploading the Certificate File and Enabling SSL" section. Procedure Step 1 Sign in to the Administration Center. Step 2 Select Certificate Management > Web Certificate Management > Back Up SSL Configuration. Step 3 Select Back Up SSL Configuration. Step 4 Select Save. Related Topics •Restoring the SSL Configuration What to Do Next To configure SSL for the Web Server, see the Configuring Security Features for the Cisco Unified MeetingPlace Web Server module. Restoring the SSL Configuration Before You Begin Complete the "Backing Up the SSL Configuration" section. Procedure Step 1 Sign in to the Administration Center. Step 2 Select Certificate Management > Web Certificate Management > Restore SSL Configuration. Step 3 Browse to the file. By default, the filename is backupSSLData.zip. Step 4 Select Restore SSL Configuration. Related Topics •Troubleshooting SSL for the Cisco Unified MeetingPlace Application Server module Disabling SSL Before You Begin You cannot disable SSL for only one Application Server interface. Completing this task disables SSL for all interfaces listed in the "Interfaces Secured by SSL for the Application Server" section. Procedure Step 1 Sign in to the Administration Center. Step 2 Select Certificate Management > Web Certificate Management > Disable SSL. Step 3 Select Disable SSL. Step 4 Select OK. What To Do Next If you use MeetingPlace Conference Manager, you will need to edit the server URL to use "http" instead of "https." See "Editing an Existing Server" in the Modifying the List of Available Servers in MeetingPlace Conference Manager module.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks