This release includes Elliptic Curve Digital Signature Algorithm (ECDSA) support for the Tomcat, SIP Proxy, and XMPP interfaces on TLS version 1.2. It is recommended that when you create a certificate, you configure both an RSA-based certificate and an ECDSA-based certificate. For example, if you configure a tomcat certificate, you should also configure a tomcat-ECDSA certificate. If an IM and Presence Service peer does not support TLS version 1.2, the connection falls back to TLS version 1.0 and the existing behavior is retained.
A key length value of 3072 or 4096 can only be selected for RSA certificates. These options are not available for ECDSA certificates.
EC ciphers on the Tomcat interface are disabled by default. You can enable them using the HTTPS Ciphers enterprise parameter on Cisco Unified Communications Manager or on IM and Presence Service. If you change this parameter, the Cisco Tomcat service must be restarted on all nodes.
As part of this support, four new ciphers have been introduced for use on TLS connections on the Tomcat, SIP Proxy, and XMPP interfaces. Two of these new ciphers are RSA-based and two are ECDSA-based. For more information on ECDSA-based cipher support, see ECDSA Support for Common Criteria for Certified Solutions in the Release Notes for Cisco Unified Communications Manager and IM and Presence Service, Release 11.0(1).
The new ciphers being introduced are:

For the RSA-based ciphers, the existing security certificates are used. However, the ECDSA-based ciphers require the following additional security certificates:
If the certificate name ends in -ECDSA, the certificate/key type is Elliptic Curve (EC). Otherwise, it is RSA. The Common Name (CN) of an EC certificate has -EC appended to the hostname, and EC certificates also contain the FQDN or hostname of the server in the SAN field. It is recommended that you do not use -EC in the Common Name (CN) field of the RSA-based certificates: Tomcat, XMPP, XMPP-s2s, and CUP. If you do, the existing EC-based certificate will be overwritten.
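The naming rules above (a -ECDSA certificate name implies an EC key, an EC certificate's CN is the hostname with -EC appended, the FQDN or hostname must be in the SAN, 3072/4096-bit keys are RSA-only, and an RSA certificate must never carry -EC in its CN) and the earlier point that each ECDSA-based cipher needs its own ECDSA certificate while a peer without TLS 1.2 falls back to TLS 1.0 can be checked mechanically before a certificate is uploaded. The script below is an added example, not Cisco code: it audits a constructed certificate inventory against those rules and models which certificate a handshake would need for a given cipher. The cipher suite names are assumed OpenSSL-style names standing in for the release's two RSA-based and two ECDSA-based ciphers, which this excerpt does not list; the host name, FQDN and inventory records are constructed sample data.

```python
"""Audit of a constructed IM and Presence certificate inventory against the
-ECDSA / -EC naming rules and the RSA-vs-ECDSA cipher pairing. Added example,
not Cisco code. Cipher names are assumed OpenSSL-style names standing in for
the release's RSA-based and ECDSA-based ciphers, which the excerpt does not list."""
from dataclasses import dataclass


@dataclass
class CertRecord:
    name: str         # certificate name as listed in OS Administration, e.g. "tomcat-ECDSA"
    common_name: str  # subject CN
    sans: tuple       # subjectAltName DNS entries
    key_type: str     # "RSA" or "EC"
    key_bits: int     # RSA modulus size or EC curve size


# Key lengths the page says are selectable only for RSA certificates.
RSA_ONLY_KEY_LENGTHS = {3072, 4096}

# Assumed cipher names, grouped by the certificate type each one needs.
ECDSA_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256")
RSA_CIPHERS = ("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256")


def expected_key_type(cert_name: str) -> str:
    """A name ending in -ECDSA means an EC key; anything else is RSA."""
    return "EC" if cert_name.endswith("-ECDSA") else "RSA"


def audit_certificate(cert: CertRecord, hostname: str, fqdn: str) -> list:
    """Return human-readable findings; an empty list means the record is consistent."""
    findings = []
    want = expected_key_type(cert.name)
    if cert.key_type != want:
        findings.append(f"{cert.name}: key type is {cert.key_type} but the name implies {want}")
    if want == "EC":
        if cert.common_name != f"{hostname}-EC":
            findings.append(f"{cert.name}: EC certificate CN should be {hostname}-EC, got {cert.common_name}")
        if fqdn not in cert.sans and hostname not in cert.sans:
            findings.append(f"{cert.name}: SAN must carry the FQDN or hostname")
        if cert.key_bits in RSA_ONLY_KEY_LENGTHS:
            findings.append(f"{cert.name}: key length {cert.key_bits} is selectable for RSA only")
    elif cert.common_name.endswith("-EC"):
        # An RSA certificate whose CN ends in -EC collides with the EC certificate.
        findings.append(f"{cert.name}: RSA certificate CN ends in -EC and would overwrite the EC certificate")
    return findings


def certificate_for_cipher(cipher: str, interface: str, inventory: list):
    """Certificate the server must present for `cipher` on `interface`, or None if absent."""
    if cipher in ECDSA_CIPHERS:
        wanted = f"{interface}-ECDSA"
    elif cipher in RSA_CIPHERS:
        wanted = interface
    else:
        raise ValueError(f"unknown cipher {cipher}")
    return next((c for c in inventory if c.name == wanted), None)


def negotiate(peer_tls_versions, peer_ciphers, server_ciphers, interface, inventory):
    """Model the handshake outcome as (tls_version, cipher, certificate_name).

    A peer without TLS 1.2 falls back to TLS 1.0 with the existing RSA certificate.
    On TLS 1.2 the first mutually supported cipher whose certificate exists wins;
    (None, None, None) means no usable pairing, i.e. the handshake fails."""
    if "TLSv1.2" not in peer_tls_versions:
        legacy = next((c for c in inventory if c.name == interface), None)
        return ("TLSv1.0", "existing-cipher-set", legacy.name if legacy else None)
    for cipher in server_ciphers:  # server preference order
        if cipher in peer_ciphers:
            cert = certificate_for_cipher(cipher, interface, inventory)
            if cert is not None:
                return ("TLSv1.2", cipher, cert.name)
    return (None, None, None)


# Constructed inventory for a host named "cup1" (cup1.example.com).
HOSTNAME, FQDN = "cup1", "cup1.example.com"
INVENTORY = [
    CertRecord("tomcat", "cup1", (FQDN,), "RSA", 2048),
    CertRecord("tomcat-ECDSA", "cup1-EC", (FQDN,), "EC", 256),
    CertRecord("cup", "cup1-EC", (FQDN,), "RSA", 4096),  # bad: RSA cert with -EC in the CN
]
SERVER_PREFERENCE = ECDSA_CIPHERS + RSA_CIPHERS


def run_audit(inventory=INVENTORY) -> dict:
    """Findings keyed by certificate name (only certificates with problems)."""
    out = {}
    for cert in inventory:
        findings = audit_certificate(cert, HOSTNAME, FQDN)
        if findings:
            out[cert.name] = findings
    return out


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, findings)
    offered = set(SERVER_PREFERENCE)
    print(negotiate({"TLSv1.2"}, offered, SERVER_PREFERENCE, "tomcat", INVENTORY))
    print(negotiate({"TLSv1.2"}, offered, SERVER_PREFERENCE, "cup", INVENTORY))
    print(negotiate({"TLSv1.0"}, offered, SERVER_PREFERENCE, "tomcat", INVENTORY))
```

Running the audit flags only the cup certificate, whose CN ends in -EC. The negotiation model shows why both certificate types matter: on the tomcat interface a TLS 1.2 peer gets an ECDSA cipher backed by tomcat-ECDSA, on the cup interface (no cup-ECDSA in this inventory) the server can only satisfy an RSA cipher, and a peer that offers only ECDSA ciphers there has no usable pairing at all.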
For more information on configuring security certificates on IM and Presence Service, see IM and Presence Service Certificate Types, Multi-Server CA Signed Certificate Upload to IM and Presence Service, and Single-Server CA Signed Certificate Upload to IM and Presence Service. For information on configuring the TLS ciphers, see Configure TLS Cipher Mapping.