The operating system security options enable you to manage security certificates in these two ways:
To access the Security menu items, you must sign in again to Cisco Unified IM and Presence Operating System Administration using your Administrator password.
A trusted certificate is the only type of certificate that you can delete. You cannot delete a self-signed certificate that is generated by the system.
Caution: Deleting a certificate can affect your system operations. If there is an existing CSR for the certificate you select from the Certificate list, it is deleted from the system and you must generate a new CSR.
To access the Security menu items, you must sign in again to Cisco Unified IM and Presence Operating System Administration using your Administrator password.
A certificate of type "cert" is the only type of certificate that you can regenerate.
Caution: Regenerating a certificate can affect your system operations.
To access the Security menu items, you must sign in again to Cisco Unified IM and Presence Operating System Administration using your Administrator password.
Caution: Uploading a new certificate or certificate trust list (CTL) file can affect your system operations.
The system does not automatically distribute non-trust single-server certificates such as tomcat, cup, cup-xmpp, cup-xmpp-s2s, and ipsec to other nodes in the cluster. Multi-server SAN-based certificates, including their signing certificates, are automatically distributed to the other nodes in the cluster and need to be uploaded to only one IM and Presence Service node per cluster.
The Cisco Intercluster Sync Agent service automatically distributes trust certificates such as tomcat-trust, cup-trust, cup-xmpp-trust, and ipsec-trust to other nodes on the cluster and to any configured IM and Presence Service Intercluster peers. This process can take up to 30 minutes to complete. A manual upload of trust certificates to other nodes can be performed if required.
Step 1: Sign in to Cisco Unified IM and Presence Operating System Administration.
Step 2: Select .
Step 3: Select Upload Certificate.
Step 4: Select the name of the certificate or CTL from the Certificate Name drop-down list.
Step 5: Select the file to upload by completing the following actions:
Step 6: Select Upload File to upload the file to the node.
Step 7: Restart the services that are affected by the new certificate.
You can use OCSP to obtain the revocation status of a certificate. To configure OCSP, follow this procedure.
You must upload the Online Certificate Status Protocol (OCSP) Responder certificate to tomcat-trust before enabling OCSP.
Step 1: Navigate to the Certificate Revocation window.
Step 2: Check the Enable OCSP check box in the Online Certificate Status Protocol Configuration area.
Step 3: Choose one of the following options:
Step 4: Select Save. The certificate revocation status check is performed only during upload of a certificate or certificate chain. The appropriate alarm is raised if a certificate is revoked.
If you encounter an error when attempting to access Cisco Unified Communications Manager services from an IM and Presence node, or IM and Presence services from a Cisco Unified Communications Manager node, there is a problem with the tomcat-trust certificate. The error message "Connection to the Server cannot be established (unable to connect to Remote Node)" appears on the following Serviceability interface pages:
This procedure provides steps to help you resolve the certificate error. Start with the first step and proceed if necessary. In some cases, you may only have to complete the first step to resolve the error; in other cases, you will have to complete all steps.
Step 1: From the Cisco Unified IM and Presence OS Administration interface, verify that the required tomcat-trust certificates are present. If the required certificates are not present, wait 30 minutes before checking again.
Step 2: Select the certificate to obtain information about it, and verify that the content matches the contents of the same certificate on the remote node.
Step 3: From the CLI, restart the Cisco Intercluster Sync Agent service: utils service restart Cisco Intercluster Sync Agent
Step 4: After the Cisco Intercluster Sync Agent service restarts, restart the Cisco Tomcat service: utils service restart Cisco Tomcat
Step 5: Wait 30 minutes. If the previous steps have not resolved the certificate error and an IM and Presence tomcat-trust certificate is present, delete the certificate. After you delete the certificate, you must manually exchange it by downloading the Tomcat certificate from each node and uploading it to its peers as a tomcat-trust certificate. After the certificate exchange is complete, restart Cisco Tomcat on each affected server: utils service restart Cisco Tomcat
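Step 2 of this procedure asks you to confirm that the local copy of the tomcat-trust certificate matches the copy on the remote node. Comparing the two by eye is error-prone; comparing a fingerprint of the DER bytes that each PEM encodes is not, and it is unaffected by re-wrapped lines or CRLF line endings picked up when the file was copied. The script below is an added example, not Cisco code or part of this guide. The PEM blobs it uses are constructed placeholders (base64 of arbitrary bytes) so that it runs offline; `der_fingerprint` works the same on a real certificate downloaded from the Certificate Management page.

```python
"""Compare a trust certificate on two nodes by DER fingerprint, not by eye.

Added example, not Cisco code. The PEM blobs below are constructed
placeholders (base64 of arbitrary bytes), not real certificates.
"""
import base64
import hashlib
import ssl


def der_fingerprint(pem_text):
    """SHA-256 fingerprint (colon-separated, upper-case) of the certificate's DER form."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)   # strips the PEM armour and base64-decodes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(local_pem, remote_pem):
    """True when both PEM texts encode byte-identical certificates."""
    return der_fingerprint(local_pem) == der_fingerprint(remote_pem)


def _constructed_pem(payload, width=64):
    """Wrap constructed bytes in CERTIFICATE armour (placeholder, not a real cert)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed inputs: the same "certificate" as exported from node A and as it
# arrived on the peer (re-wrapped at 76 columns with CRLF), plus an older copy.
LOCAL_PEM = _constructed_pem(b"node A tomcat certificate, second regeneration" * 3)
REMOTE_PEM = _constructed_pem(b"node A tomcat certificate, second regeneration" * 3,
                              width=76).replace("\n", "\r\n")
STALE_PEM = _constructed_pem(b"node A tomcat certificate, original" * 3)

if __name__ == "__main__":
    print("local :", der_fingerprint(LOCAL_PEM))
    print("remote:", der_fingerprint(REMOTE_PEM))
    print("match :", same_certificate(LOCAL_PEM, REMOTE_PEM))   # True
    print("stale :", same_certificate(LOCAL_PEM, STALE_PEM))    # False
```

A mismatch between the local and remote fingerprints is the case Step 5 handles: the peer holds a stale copy and the certificate must be deleted and re-exchanged.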
Cisco Unified Operating System supports certificates that a third-party Certificate Authority (CA) issues in response to a PKCS #10 Certificate Signing Request (CSR).
To use an application certificate that a third-party CA issues, you must obtain both the signed application certificate and the CA root certificate from the CA. Get information about obtaining these certificates from your CA. The process varies among CAs.
IM and Presence Service Certificate Signing Requests (CSRs) include extensions that you must include in your request for an application certificate from the CA. If your CA does not support the ExtensionRequest mechanism, you must enable the X.509 extensions that are listed in the generated CSR file. For information on how to view the extensions in the generated CSR file, see View Certificates.
Cisco verified third-party certificates that were obtained from Microsoft, Keon, and Verisign CAs. Certificates from other CAs might work but have not been verified.
Cisco Unified Operating System generates certificates in DER and PEM encoding formats and generates CSRs in PEM encoding format. It accepts certificates in PEM and DER encoding formats.
Public Certificate Authorities (CA) typically require Certificate Signing Requests (CSRs) to conform to specific formats. For example, a public CA might only accept CSRs that:
Likewise, if you submit CSRs from multiple nodes, public CAs might require that the information is consistent in all CSRs.
To prevent issues with your CSRs, you should review the format requirements from the public CA to which you plan to submit the CSRs. You should then ensure that the information you enter when configuring your server conforms to the format that the public CA requires.
This procedure provides an overview of the third-party certificate process, with references to each step in sequence:
Step 1
Step 2
Step 3: Get information about obtaining application certificates from your CA.
Step 4: Get information about obtaining a root certificate from your CA.
Step 5
Step 6
Step 7: Restart the services that are affected by the new certificate. For all certificate types, restart the corresponding service (for example, restart the Cisco Tomcat service if you updated the Tomcat certificate). For information about restarting services, see the Cisco Unified Serviceability Administration Guide.
Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager describes in detail how to upload the following types of CA signed certificates to an IM and Presence Service deployment:
To access the Security menu items, you must sign in again to Cisco Unified IM and Presence Operating System Administration using your Administrator password.
The system can automatically send you an email when a certificate is close to its expiration date.
Step 1: Sign in to Cisco Unified IM and Presence Operating System Administration.
Step 2: Select the Certificate Expiration Monitor page to view the current configuration.
Step 3: In the Notification Start Time field, enter the number of days before the certificate expires that you want to be notified.
Step 4: In the Notification Frequency field, enter the frequency for notification, either in hours or days.
Step 5: Check the Enable E-mail Notification check box to enable email notification.
Step 6: In the E-mail IDs field, enter the email address to which you want notifications sent.
Step 7: Select Save.