Cisco Unity Connection servers with pre-existing telephony integrations must have the root certificate manually regenerated after enabling or disabling the FIPS mode. If the telephony integration uses an Authenticated or Encrypted Security mode, the regenerated root certificate must be re-uploaded to any corresponding Cisco Unified Communications Manager servers. For fresh installations, regenerating the root certificate can be avoided by enabling FIPS mode before adding the telephony integration.

Note	In case of clusters, perform the following steps on all nodes.

1. Sign in to Cisco Unity Connection Administration.
2. Select Telephony Integrations> Security> Root Certificate.
3. On the View Root Certificate page, click Generate New.
4. If the telephony integration uses an Authenticated or Encrypted Security mode, continue with steps 5-10, otherwise skip to step 12.
5. On the View Root Certificate page, right-click the Right-click to Save the Root Certificate as a File link.
6. Select Save As to browse to the location to save the Cisco Unity Connection root certificate as a.pem file.

   Note	The certificate must be saved as a file with the extension.pem rather than.htm, else Cisco Unified CM will not recognize the certificate.

7. Copy the Cisco Unity Connection root certificate to all Cisco Unified CM servers by performing the following substeps:
   1. On the Cisco Unified CM server, sign in to Cisco Unified Operating System Administration.
   2. Select the Certificate Management option from the Security menu.
   3. Select Upload Certificate/Certificate Chain on the Certificate List page.
   4. On the Upload Certificate/Certificate Chain page, select the CallManager-trust option from the Certificate Name drop-down.
   5. Enter Cisco Unity Connection Root Certificate in the Root Certificate field.
   6. Click Browse in the Upload File field to locate and select the Cisco Unity Connection root certificate that was saved in Step 5.
   7. Click Upload File.
   8. Click Close.
8. On the Cisco Unified CM server, sign in to Cisco Unified Serviceability.
9. Select Service Management from the Tools menu.
10. On the Control Center - Feature Services page, restart the Cisco CallManager service.
11. Repeat steps 5-10 on all remaining Cisco Unified CM servers in the Cisco Unified CM cluster.
12. Restart the Unity Connection Conversation Manager Service by following these steps:
    1. Sign in to Cisco Unity Connection Serviceability.
    2. Select Service Management from the Tools menu.
    3. Select Stop for the Unity Connection Conversation Manager service in the Critical Services section.
    4. When the Status area displays a message that the Unity Connection Conversation Manager service is successfully stopped, select Start for the service.
13. New and pre-existing telephony integration ports are now correctly registered with Cisco Unified CM.

FIPS is supported for both SCCP and SIP integrations between Cisco Unified Communications Manager and Cisco Unity Connection.

For more information on managing certificates, see the "Manage Certificates and Certificate Trust Lists" section in the "Security" chapter of the Cisco Unified Communications Operating System Administration Guide for Cisco Unity Connection available at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/14/os_administration/guide/b_14cucosagx.html

Unity Connection supports only RSA key based Tomcat certificates to configure secure calls using SIP Integration.This allows the use of self signed as well as third-party CA signed certificate for SIP secure call. Cisco Unity Connection servers with pre-existing telephony integrations must have the Tomcat certificate manually regenerated after enabling or disabling the FIPS mode. If the telephony integration uses an Authenticated or Encrypted Security mode, the regenerated tomcat certificate must be re-uploaded to any corresponding Cisco Unified Communications Manager servers. For fresh installations, regenerating the tomcat certificate can be avoided by enabling FIPS mode before adding the telephony integration.

To learn how to regenerate certificates, see section Settings for RSA Key Based certificates of chapter "Setting Up a Cisco Unified Communications Manager SIP Trunk Integration" in Cisco Unified Communications Manager SIP Integration Guide for Cisco Unity Connection Release 14 available at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/14/integration/cucm_sip/b_14cucintcucmsip.html.

Note	Verify that the value entered in X.509 Subject Name field on SIP Trunk Security Profile Configuration page of Cisco Unified Communication Manager is the FQDN of the Unity Connection server.

Networking from Cisco Unity Connection to another server must be secured by an IPsec policy. This includes intersite links, intrasite links, and VPIM locations. The remote server is responsible for assuring its own FIPS compliance.

Note	Secure Messages are not sent in a FIPS compliant manner unless an IPsec Policy is configured.

Unified Messaging Services require the following configuration:

• Configure IPsec policy between Cisco Unity Connection and Microsoft Exchange.

• Set the Web-Based Authentication Mode setting to Basic on the Edit Unified Messaging Service page in Unity Connection Administration. NTLM web authentication mode is not supported in FIPS mode.

Caution

The IPsec policy between servers is required to protect the plain text nature of Basic web authentication.

For information on setting up IPsec policies, see the "IPSec Management" section in the "Security" chapter of the Cisco Unified Communications Operating System Administration Guide for Cisco Unity Connection at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/14/os_administration/guide/b_14cucosagx.html.

For information on the impact of IPsec policies with Unity Connection, see "Upgrading Cisco Unity Connection" chapter of Install, Upgrade, and Maintenance Guide for Cisco Unity Connection Release 14 available at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/14/install_upgrade/guide/b_14cuciumg.html.

The following Cisco Unity Connection features are not supported when FIPS mode is enabled:

• SpeechView Transcription Service.
• SIP Digest Authentication (configured for SIP Telephony Integrations).
• SIP NTLM Authentication (configured for SIP Telephony Integration).
• Video Messaging.

When FIPS is enabled, Cisco Unity Connection no longer checks the database to determine whether the user's voicemail PIN was hashed with MD5 or SHA-1 algorithm. Unity Connection hashes all the voicemail PINs with SHA-1 and compares it with the hashed PIN in the Unity Connection database. The user is not allowed to sign in if the MD5 hashed voicemail PIN entered by user does not match with the SHA-1 hashed voicemail PIN in the database.

For Unity Connection user accounts that were originally created in Cisco Unity 5.x or earlier, the voicemail PIN that might have been hashed with MD5 algorithm must be replaced with SHA-1 algorithm. Consider the following points while replacing the MD5-hashed passwords with SHA-1-hashed passwords:

• Use the latest version of the User Data Dump utility to determine how many users still have MD5-hashed PINs. For each user, the Pin_Hash_Type column contains either MD5 or SHA-1. To download the latest version of the utility and to view the Help, see the User Data Dump page on the Cisco Unity Tools website at http://ciscounitytools.com/Applications/CxN/UserDataDump/UserDataDump.html

• Note	The earlier versions of the User Data Dump utility do not include the Pin_Hash_Type column.

  Check the User Must Change at Next Sign-In check box on the Password Settings page in Unity Connection Administration before you enable FIPS. This encourages users to sign in to Unity Connection and change their voicemail PINs.
• Run the Bulk Password Edit utility if you still have users who have not changed their voicemail PINs. The Bulk Password Edit utility lets you selectively change PINs to random values and exports data on the changes to a.csv file. The export file includes the name, alias, email address, and new PIN for each user who's PIN was changed. You can use the.csv file to send an email to each user with the new PIN. The utility is available on the Cisco Unity Tools website at http://www.ciscounitytools.com/Applications/CxN/BulkPasswordEdit/BulkPasswordEdit.html