After enabling or disabling the FIPS mode, the Cisco Unity Connection server
If the Cisco Unity Connection server is in a cluster, do not change the FIPS
settings on any other node until the FIPS operation on the current node is
complete and the system is back up and running.
Certificates for FIPS
Cisco Unity Connection servers with pre-existing telephony
integrations must have the root certificate manually regenerated after enabling
or disabling the FIPS mode. If the telephony integration uses an Authenticated
or Encrypted Security mode, the regenerated root certificate must be
re-uploaded to any corresponding Cisco Unified Communications Manager servers.
For fresh installations, regenerating the root certificate can be avoided by
enabling FIPS mode before adding the telephony integration.
For clusters, perform the following steps on all nodes.
Networking from Cisco Unity Connection to another
server must be secured by an IPsec policy. This includes intersite links,
intrasite links, and VPIM locations. The remote server is responsible for
ensuring its own FIPS compliance.
Secure Messages are not sent in a FIPS-compliant manner unless an
IPsec policy is configured.
Configure Unified Messaging When Using FIPS Mode
Unified Messaging Services require the following
Configure IPsec policy
between Cisco Unity Connection and Microsoft Exchange or Cisco Unified
Set the Web-Based
Authentication Mode setting to Basic on the Edit Unified Messaging Service page
in Unity Connection Administration.
The administrator can instead set the Web-Based Authentication Mode setting
to NTLM while in FIPS mode. Note that with this configuration the Unified
Messaging interface is no longer FIPS compliant.
The IPsec policy between the servers is required because Basic web
authentication sends credentials in plain text.
The following Cisco Unity Connection features are not supported
when FIPS mode is enabled:
SIP Digest Authentication
(configured for SIP Telephony Integrations).
Voicemail PIN For Touchtone Conversation Users To Sign-In
Enabling FIPS in Cisco Unity Connection prevents a touchtone
conversation user from signing in to play or send voice messages or to change
user settings if both of the following options are true:
The user was created in
Cisco Unity 5.x or earlier, and migrated to Connection.
The Unity Connection user
still has a voicemail PIN that was assigned in Cisco Unity 5.x or earlier.
A touchtone conversation user signs in by entering an ID (usually the user's
extension) and a voicemail PIN. The ID and PIN are assigned when the user is
created. Either an administrator or the user can change the PIN. To prevent
administrators from accessing PINs in Connection Administration, PINs are
stored as hashes. In Cisco Unity 5.x and earlier, Cisco Unity hashed the PIN
with the MD5 algorithm, which is not FIPS compliant. In Cisco Unity 7.x and
later, and in Unity Connection, the PIN is hashed with the SHA-1 algorithm,
which is much harder to reverse and is FIPS compliant.
Voicemail PIN with SHA-1 Algorithm in Unity Connection
When FIPS is enabled, Cisco Unity Connection no longer consults the database
to determine whether a user's voicemail PIN was hashed with the MD5 or the
SHA-1 algorithm. Unity Connection hashes every entered PIN with SHA-1 and
compares the result with the hashed PIN stored in the database. A user whose
stored PIN is still MD5-hashed cannot sign in, because the SHA-1 hash of the
entered PIN never matches the stored MD5 hash.
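The sign-in behaviour described above, and the pre-enablement check for accounts that are still MD5-hashed, as an added example that is not Cisco's code. It models the user table as a small dictionary with a Pin_Hash_Type column and uses unsalted hex digests; the real Unity Connection storage format is an assumption not described on this page.

```python
import hashlib
import hmac


def _digest(pin: str, algorithm: str) -> str:
    """Hash a PIN with the named algorithm (unsalted hex digest, illustrative only)."""
    data = pin.encode("utf-8")
    if algorithm == "MD5":
        # usedforsecurity=False: MD5 is kept only to model legacy Cisco Unity 5.x records
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    if algorithm == "SHA-1":
        return hashlib.sha1(data).hexdigest()
    raise ValueError(f"unsupported Pin_Hash_Type: {algorithm}")


# Constructed sample user table: alias -> (Pin_Hash_Type, stored PIN hash).
USERS = {
    "legacy_user": ("MD5", _digest("1234", "MD5")),      # created in Unity 5.x, migrated
    "current_user": ("SHA-1", _digest("5678", "SHA-1")),  # created in Unity Connection
}


def verify_pin(alias: str, pin: str, fips_enabled: bool) -> bool:
    """Model the touchtone sign-in check.

    With FIPS disabled, the stored Pin_Hash_Type selects the algorithm used to
    hash the entered PIN. With FIPS enabled, the entered PIN is always hashed
    with SHA-1 and compared to the stored value, so an MD5-hashed record can
    never match and that user is locked out.
    """
    hash_type, stored = USERS[alias]
    algorithm = "SHA-1" if fips_enabled else hash_type
    candidate = _digest(pin, algorithm)
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(candidate, stored)


def users_needing_pin_reset() -> list:
    """List accounts whose PIN is still MD5-hashed.

    These users will be unable to sign in once FIPS is enabled, so their PINs
    should be reset (for example with the Bulk Password Edit utility) first.
    """
    return sorted(alias for alias, (hash_type, _) in USERS.items() if hash_type == "MD5")
```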
MD5-hashed Voicemail PIN with SHA-1 Algorithm in Cisco Unity 5.x Or Earlier
For Unity Connection user accounts that were originally created
in Cisco Unity 5.x or earlier, any voicemail PIN that was hashed with the MD5
algorithm must be replaced with a PIN hashed with the SHA-1 algorithm. Consider
the following points while replacing the MD5-hashed PINs with SHA-1-hashed
versions of the User Data Dump utility do not include the Pin_Hash_Type column.
Check the User Must Change at Next Sign-In check box on the
Password Settings page in Unity Connection Administration before you enable
FIPS. This encourages users to sign in to Unity Connection and change their
Run the Bulk Password Edit
utility if you still have users who have not changed their voicemail PINs. The
Bulk Password Edit utility lets you selectively change PINs to random values
and exports data on the changes to a .csv file. The export file includes the
name, alias, email address, and new PIN for each user whose PIN was changed.
You can use the .csv file to send an email to each user with the new PIN. The
utility is available on the Cisco Unity Tools website at