Security
Set Internet Explorer Security Options
To download certificates from the server, ensure your Internet Explorer security settings are configured as follows:
Procedure
Step 1 |
Start Internet Explorer. |
Step 2 |
Navigate to . |
Step 3 |
Click the Advanced tab. |
Step 4 |
Scroll down to the Security section on the Advanced tab. |
Step 5 |
If necessary, clear the Do not save encrypted pages to disk check box. |
Step 6 |
Click OK. |
Manage Certificates and Certificate Trust Lists
The following topics describe the functions that you can perform from the Certificate Management menu:
Note |
To access the Security menu items, you must log in to Cisco Unified Communications Operating System Administration again with your administrator password. |
Display Certificates
To display existing certificates, follow this procedure:
Procedure
Step 1 |
Navigate to .The Certificate List window displays. |
Step 2 |
You can use the Find controls to filter the certificate list. |
Step 3 |
To view details of a certificate or trust store, click its file name of the certificate under Common Name.. The Certificate Details window displays information about the certificate. The SHA-512 checksum value is also displayed for the certificate to check the file integrity. |
Step 4 |
To return to the Certificate List window, click Close on Certificate Details window. |
Download a Certificate
To download a certificate from the Cisco Unified Communications Operating System to your PC, follow this procedure:
Procedure
Step 1 |
Navigate to .The Certificate List window displays. |
Step 2 |
You can use the Find controls to filter the certificate list. |
Step 3 |
Click the file name of the certificate under Common Name. The Certificate Details window displays. |
Step 4 |
Click Download .PEM File or Download .DER File. |
Step 5 |
In the File Download dialog box, click Save. |
Delete and Regenerate a Certificate
These sections describe deleting and regenerating a certificate.
Deleting a Certificate
To delete a trusted certificate, follow this procedure:
Caution |
Deleting a certificate can affect your system operations. Any existing CSR for the certificate that you select from the Certificate list gets deleted from the system, and you must generate a new CSR. For more information, see the “Generating a Certificate Signing Request" . |
Procedure
Step 1 |
Navigate to .The Certificate List window displays. |
Step 2 |
You can use the Find controls to filter the certificate list. |
Step 3 |
Click the file name of the certificate under Common Name. The Certificate Details window displays. |
Step 4 |
Click Delete. |
Regenerating a Certificate
To regenerate a certificate, follow this procedure:
Caution |
Regenerating a certificate can affect your system operations. |
Procedure
Step 1 |
Navigate to .The Certificate List window displays. |
||||||||||||
Step 2 |
Click .The Generate Certificate dialog box opens. |
||||||||||||
Step 3 |
Select a certificate name from the Certificate Name list. For a description of the certificate names that display, see Table 6-1. |
||||||||||||
Step 4 |
Click Generate.
|
Using Third-Party CA Certificates
Single-server and Multi-server Certificates Overview
As the name suggests, Single-server certificate contains single FQDN which identifies the trust for that FQDN only. The single FQDN or domain is present in Subject Alternative Name (SAN) extensions. If there are multiple servers in a cluster, then the system requires the generation of an equal number of X.509 certificates, one for each server.
The system uses a multi-server certificate to identify the trust for multiple servers or domains or sub-domains. The SAN extensions of a multi-server certificate contain multiple FQDNs or domains.
Note |
For telephony integration, multi-server SAN certificate is supported only with SIP integration. However, with SCCP integration, only single-server certificate is supported. |
The following table describes the basic differences between single-server and multi-server certificates.
Single-server certificate |
Multi-server certificate |
---|---|
It contains a single FQDN or domain in either the CN field and/or SAN extensions. |
It contains multiple FQDNs or domains present in SAN extensions. |
The system uses a single certificate for each server in a cluster. |
A single certificate identifies multiple servers. |
The administrator regenerates the certificate and private key on each individual server in situations such as certificate expiry, private key compromise, etc. |
Since this certificate covers only one public and private key pair common to all servers, it requires secure transfer of same private key to all the servers in a cluster along with the certificate. If the private key is compromised on any server, the certificate and private key needs to be regenerated for all the servers. |
Generation of single server certificate can become an overhead for the administrator in a large cluster because the administrator needs to perform steps such as generate Certificate Signing Request (CSR), send CSR to CA for signing, upload signed certificate etc for each of the servers in the cluster. |
There is less overhead for the administrator in managing multi-server certificates since he or she performs the steps only once on a given server, and the system distributes the associated private key and signed certificates to all the servers in the cluster. |
Cisco Unified Communications Operating System supports certificates that a third-party Certificate Authority (CA) issues with PKCS # 10 Certificate Signing Request (CSR).
The following table provides an overview of this process, with references to additional documentation:
Task |
For More Information |
|
---|---|---|
Step 1 |
Login to Cisco Unified Communications Operating System Administration window. |
Cisco Unified Communications Operating System Administration allows the system administrator to select the distribution type, when generating a CSR for the individual certificate purposes that supports the multi-server option. The system automatically populates the CSR with the required SAN entries and displays the default SAN entries on the screen. On generating a multi-server CSR, the system automatically distributes that CSR to all the required servers in the cluster. Similarly, on upload of a multi-server CA signed certificate, the system automatically distributes that certificate to all the required servers in the cluster |
Step 2 |
Generate a CSR on the server. |
|
Step 3 |
Download the CSR to your PC. |
|
Step 4 |
Use the CSR to obtain an application certificate from a CA. |
Get information about obtaining application certificates from your CA. See “Third-Party CA Certificates” for additional notes. |
Step 5 |
Obtain the CA root certificate. |
Get information about obtaining a root certificate from your CA. See “Third-Party CA Certificates” for additional notes. |
Step 6 |
Upload the CA root certificate to the server. |
See the “Upload Trust Certificate” . |
Step 7 |
Upload the application certificate to the server. |
See the “Upload Application Certificate” . |
Step 8 |
Restart the services that are affected by the new certificate. |
For all certificate types, restart the corresponding service:
See the Cisco Unified Communications Manager Serviceability Administration Guide for information about restarting services. |
Generating a Certificate Signing Request
To regenerate a certificate signing request, follow this procedure:
Procedure
Step 1 |
Select .The Certificate List window displays. |
||
Step 2 |
Use the find control to filter the certificate list. |
||
Step 3 |
Click Generate CSR, the Generate Certificate Signing Request dialog box opens. |
||
Step 4 |
From the Certificate Purpose drop-down list box, select the required certificate purpose. |
||
Step 5 |
From the Distribution drop-down list box, select the required distribution list item.
|
||
Step 6 |
For Multi-server (SAN), additional domains can be added in Subject Alternate Names field. |
||
Step 7 |
From the Key Length drop-down list box, select value as per the certificate purpose.
|
||
Step 8 |
From the Hash Algorithm drop-down list box, select as per the certificate purpose.
|
||
Step 9 |
Click Generate to generate a new CSR.
|
Downloading a Certificate Signing Request
To download a Certificate Signing Request, follow this procedure:
Procedure
Step 1 |
Select .The Certificate List window displays. |
||
Step 2 |
From the list, click the Common Name of the entry with type 'CSR Only' and a Distribution value matching the Common Name.
|
||
Step 3 |
Click Download CSR. |
||
Step 4 |
After the CSR download completes, click Close. |
You need to restart the tomcat service after configuring the Multi-server SAN certificate on both Publisher and Subscriber in a cluster. See the procedure below:
Procedure
Step 1 |
Sign in to the Unity Connection server with an SSH application. |
Step 2 |
Run the following CLI command to restart the Tomcat service: |
Third-Party CA Certificates
To use an application certificate that a third-party CA issues, you must obtain both the signed application certificate and the CA root certificate from the CA or PKCS#7 Certificate Chain (DER format), which contains both the application certificate and CA certificates. Retrieve information about obtaining these certificates from your CA. The process varies among CAs.
Cisco Unified Operating System Administration generates CSRs in PEM encoding format. The system accepts certificates in DER and PEM encoding formats and PKCS#7 Certificate chain in PEM format. For all certificate types, you must obtain and upload a CA root certificate and an application certificate on each node.
Cisco Unified Operating System Administration CSRs include extensions that you must include in your request for an application certificate from the CA. If your CA does not support the ExtensionRequest mechanism, you must enable the X.509 extensions, shown as follows:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
Note |
You can generate a certificate signing request (CSR) for your certificates and have them signed by a third party CA with a SHA256 signature. You can then uploads this signed certificate back to Cisco Unified Operating System Administration, allowing for Tomcat and other certificates to be support SHA256. |
Upload Trust Certificate
To upload a trust certificate, follow this procedure:
Procedure
Step 1 |
Navigate to .The Certificate List window displays. |
||
Step 2 |
Click Upload Certificate/Certificate Chain. The Upload Certificate Trust List dialog box opens. |
||
Step 3 |
Select the certificate name from the Certificate Purpose drop-down list. |
||
Step 4 |
Enter the name of the CA root certificate in the Description text box. |
||
Step 5 |
Select the file to upload, click the Browse button and navigate to the file; then, click Open. |
||
Step 6 |
To upload the file to the server, click the Upload button.
|
Upload Application Certificate
Cisco Unified Communications Operating System supports certificates that a third-party CA issues with PKCS#10 Certificate Signing Request (CSR).
Procedure
Step 1 |
Generate a CSR on the server. |
||
Step 2 |
Download the CSR to your PC. |
||
Step 3 |
Use the CSR to obtain an application certificate from a CA or PKCS#7 format certificate chain, which may contain application certificate along with CA certificate. |
||
Step 4 |
Obtain the CA certificate or certificate chain. To upload tomcat application certificate, select tomcat from Certificate Purpose list. To upload ipsec application certificate, select ipsec from Certificate Purpose list. To upload tomcat-ECDSA application certificate, select tomcat-ECDSA from Certificate Purpose list. |
||
Step 5 |
Select the certificate from the Certificate Purpose drop-down list. |
||
Step 6 |
Select the file to upload, click the Browse button and navigate to the file; then, click Open. |
||
Step 7 |
To upload the file to the server, click the Upload button.
|
Monitor Certificate Expiration Dates
The system can automatically send you an e-mail when a certificate is close to its expiration date. To view and configure the Certificate Expiration Monitor, follow this procedure:
Procedure
Step 1 |
To view the current Certificate Expiration Monitor configuration, navigate to .The Certificate Monitor window displays. |
||||||||||||
Step 2 |
Enter the required configuration information. See Table 6-3 for a description of the Certificate Monitor Expiration fields. |
||||||||||||
Step 3 |
To save your changes, click Save.
|
Certificate Revocation
You can use the Online Certificate Status Protocol (OCSP) to obtain the revocation status of the certificate.
To configure OCSP, follow this procedure:
Procedure
Step 1 |
Navigate to .The Certificate List window displays. |
||||
Step 2 |
Check the Enable OCSP check box in the Online Certificate Status Protocol Configuration area. |
||||
Step 3 |
Choose Use OCSP URI from Certificate if the certificate is configured with OCSP URI and that to be used to contact OCSP Responder. |
||||
Step 4 |
Choose Use configured OCSP URI if external or configured URI is used to contact OCSP Responder. Enter the URI of the OCSP Responder, where certificate revocation status is verified, in the OCSP Configured URI field. |
||||
Step 5 |
Check the check box for Enable Revocation Check to perform the revocation check.
|
||||
Step 6 |
Enter the Check Every value to check the periodicity of the certificate revocation status.
|
||||
Step 7 |
Click Save.
|
Generating IPSEC Certificate
To generate or regenerate the ipsec certificate on standalone or cluster, follow this procedure:
Procedure
Step 1 |
Navigate to Security > Certificate Management. The Certificate List window displays. |
Step 2 |
Click Generate Self-signed > or > Generate CSR. The Generate Certificate dialog box opens. |
Step 3 |
Select ipsec from the Certificate Purpose drop-down list. |
Step 4 |
Click Generate. After generating the certificate, ipsec and ipsec trust will be updated with the certificate for standalone or publisher server. |
Step 5 |
In case of subscriber server, follow Step 1 to Step 4 for generating ipsec certificate. After generating, download the ipsec certificate from subscriber server. |
Step 6 |
Navigate to Security > Certificate Management on subscriber server. |
Step 7 |
Click Upload Certificate/Certificate Chain. The Upload Certificate Trust List dialog box opens. |
Step 8 |
Select the ipsec-trust from the Certificate Purpose drop-down list. |
Step 9 |
Browse the certificate and click Upload. |
Step 10 |
After uploading the ipsec certificate to subscriber server, restart the below services first on publisher server and then subscriber server.
|
IPSEC Management
The following topics describe the functions that you can perform with the IPSec menu:
Note |
IPSec does not automatically get set up between nodes in the cluster during installation. |
Set Up a New IPSec Policy
To set up a new IPSec policy and association, follow this procedure:
Note |
Do not modify or create IPSec policies during an upgrade because any changes that you make to an IPSec policy during a system upgrade gets lost. |
Caution |
IPSec affects the performance of your system, especially with encryption. |
Procedure
Step 1 |
Navigate to .The IPSEC Policy List window displays. |
||||||||||||||||||||||||||||||||||||||||||||
Step 2 |
Click Add New. The IPSEC Policy Configuration window displays. |
||||||||||||||||||||||||||||||||||||||||||||
Step 3 |
Enter the appropriate information on the IPSEC Policy Configuration window. For a description of the fields on this window, see Table 6-4. |
||||||||||||||||||||||||||||||||||||||||||||
Step 4 |
To set up the new IPSec policy, click Save.
|
Managing Existing IPSec Policies
To display, enable or disable, or delete an existing IPSec policy, follow this procedure:
Note |
Do not modify or create IPSec policies during an upgrade because any changes made to an IPSec policy during a system upgrade, gets lost. |
Caution |
IPSec affects the performance of your system, especially with encryption. |
Caution |
Any changes that you make to the existing IPSec policies can impact your normal system operations. |
Procedure
Step 1 |
Navigate to .
|
||
Step 2 |
To display, enable, or disable a policy, follow these steps: |
||
Step 3 |
To delete one or more policies, follow these steps: |
Bulk Certificate Management
To support the Extension Mobility Cross Cluster (EMCC) feature, the system allows you to execute a bulk import and export operation to and from a common SFTP server that has been configured by the cluster administrator. For more information about using Bulk Certificate Management, see the Cisco Unified Communications Manager Security Guide.
For Bulk Certificate Management, use the following procedure:
Procedure
Step 1 |
Navigate to Security > Bulk Certificate Management. The Bulk Certificate Management window displays. |
||||||||||||
Step 2 |
Enter the appropriate information on the Bulk Certificate Management window. For a description of the fields on this window, see Bulk Certificate Management Field Description . |
||||||||||||
Step 3 |
To save the values you entered, click Save |
||||||||||||
Step 4 |
To export certificates, click Export. The Bulk Certificate Export popup window displays. |
||||||||||||
Step 5 |
From the drop-down menu, choose the type of certificate you want to export:
|
||||||||||||
Step 6 |
Click Export. The system exports and stores the certificates you chose on the central SFTP server.
|
Session Management
Platform Administrator is allowed to terminate the active web sessions of a user or administrator for the following web interfaces of Cisco Unity Connection:
-
Cisco Unity Connection Administration
-
Cisco Unity Connection Serviceability
-
Cisco Personal Communications Assistant
-
Cisco Unity Connection Web Inbox
-
Cisco Unity Connection SRSV
To terminate the active web sessions of a user or administrator, use the following procedure:
Procedure
Step 1 |
Navigate to Security > Session Management. The Session Management window displays. |
||
Step 2 |
On the Session Management window, enter the alias of the active logged-in user in User ID field. |
||
Step 3 |
Select Terminate Session to terminate the active web sessions of the user.
|
Note |
Session termination is not applicable for platform users. To terminate the active web sessions, platform user must logout the sessions or wait until the sessions are timed out. |
Cipher Management
Cisco Unity Connection supports Cipher Management that allows administrator to control set of ciphers that are used for every TLS and SSH connection. You can configure the recommended ciphers for various secure interfaces of Cisco Unity Connection.
TLS Interfaces
You can configure ciphers for the TLS interfaces mentioned in below.
Interfaces |
Description |
||
---|---|---|---|
All TLS |
You can configure the ciphers for all supported TLS interfaces of Cisco Unity Connection. Example: SIP, SCCP, HTTPS, Jetty, SMTP, LDAP and IMAP inerfaces. |
||
HTTPS TLS |
You can configure the ciphers for all Cisco Tomcat interfaces of Cisco Unity Connection. |
||
SIP TLS |
You can configure the ciphers for SIP interfaces of Cisco Unity Connection. Example: Telephony User Interface to support secure SIP call in Unity Connection.
|
SSH Interfaces
You can configure ciphers and algorithm for the SSH interfaces mentioned below.
Interfaces |
Description |
---|---|
SSH Ciphers |
You can configure the cipher for SSH interfaces of Cisco Unity Connection. |
SSH Key Exchange |
You can configure the SSH Key Exchange algorithm for SSH interfaces of Cisco Unity Connection. |
SSH MAC |
You can configure the SSH MAC algorithm for SSH interfaces of Cisco Unity Connection. |
For information on recommended ciphers, see the "Cipher Management" section in the Security Guide for Cisco Unified Communications Manager at https://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-maintenance-guides-list.html.
Configuring Cipher String
To configure the cipher string for TLS and SSH interfaces, do the following procedure:
Procedure
Step 1 |
Navigate to Security > Cipher Management. The Cipher Management page appears. |
||||
Step 2 |
On the Cipher Management page, enter the cipher string in Cipher String field for All TLS, HTTPS TLS and SIP TLS interfaces.
|
||||
Step 3 |
Enter the cipher string in Cipher String field for SSH Ciphers. |
||||
Step 4 |
Enter the algorithm string in Algorithm String field to configure the key algorithm for SSH Key Exchange. |
||||
Step 5 |
Enter the algorithm string in Algorithm String field to configure the MAC algorithm for SSH MAC. |
||||
Step 6 |
Select Save.
|