This chapter describes Certificate Management and IPSec Management and provides procedures for managing system security.
To download certificates from the server, ensure your Internet Explorer security settings are configured as follows:
Note: To access the Security menu items, you must log in to Cisco Unified Communications Operating System Administration with your administrator credentials.
To download a certificate from the Cisco Unified Communications Operating System to your PC, follow this procedure:
To delete a trusted certificate, follow this procedure:
Caution: Deleting a certificate can affect your system operations.
Caution: Any existing CSR for the certificate that you choose from the Certificate list is deleted from the system. You must generate a new CSR.
To regenerate a certificate, follow this procedure:
Caution: Regenerating a certificate can affect your system operations.
For certificate regeneration, choose one of the supported key lengths, 1024 or 2048, from the list; 2048 is the stronger choice.
Step 1: Navigate to the Certificate List window.
Step 2: Click Generate Self-signed. The Generate New Self-signed Certificate dialog box opens.
Step 3: Choose a certificate name from the Certificate Purpose list. The following table contains descriptions of the certificate names that appear:
Step 4: Click Generate.
Step 5: After you regenerate a certificate, you must restart the Unified CCX server. In high availability deployments, restart both nodes.
After you regenerate a certificate in Cisco Unified Communications Operating System, you must perform a backup so that the latest backup contains the regenerated certificates.
Caution: Uploading a new certificate can affect your system operations. After you upload a new certificate, you must restart the Unified CCX server (in high availability deployments, restart both nodes).
Note: The system does not distribute trust certificates to other cluster nodes automatically. If you need the same certificate on more than one node, upload the certificate to each node individually.
Step 1: Navigate to the Certificate List window.
Step 2: Click Upload Certificate or Certificate Chain. The Upload Certificate or Certificate Chain dialog box opens.
Step 3: Select the certificate name from the Certificate Purpose list.
Step 4: Select the file to upload by performing one of the following steps:
Step 5: Click the Upload button to upload the file to the server.
Note: Uploading a Directory Trust Certificate is not applicable for Unified CCX.
Cisco Unified Communications Operating System supports certificates that a third-party Certificate Authority (CA) issues in response to a PKCS #10 Certificate Signing Request (CSR). The following table gives an overview of the process, with references to more documentation:
Step 1: Generate a CSR on the server.
Step 2: Download the CSR to your PC.
Step 3: Use the CSR to obtain an application certificate from a CA. Get information about obtaining application certificates from your CA; see Application Certificates for more notes.
Step 4: Obtain the CA root certificate. Get information about obtaining a root certificate from your CA; see Application Certificates for more notes.
Step 5: Upload the CA root certificate to the server.
Step 6: Upload the application certificate to the server.
Step 7: Restart the Unified CCX server. In high availability deployments, restart both nodes.
To generate a Certificate Signing Request (CSR), follow these steps:
For CSR generation, choose one of the supported key lengths, 1024 or 2048, from the list; 2048 is the stronger choice.
Step 1: Navigate to the Certificate List window.
Step 2: Click Generate CSR. The Generate Certificate Signing Request dialog box opens.
Step 3: Select the certificate name from the Certificate Purpose list.
Step 4: Click Generate.
To download a Certificate Signing Request, follow this procedure:
To use an application certificate that a third-party CA issues, you must obtain both the signed application certificate and the CA root certificate from the CA. Collect information about obtaining these certificates from your CA. The process varies among CAs.
Cisco Unified Communications Operating System generates certificates in DER and PEM encoding formats and generates CSRs in PEM encoding format. It accepts certificates in DER and PEM encoding formats.
For all certificate types, obtain and upload a CA root certificate and an application certificate on each node. Alternatively, upload a certificate chain that contains both the application certificate and the certificates of its issuers.
The CSRs for Tomcat and IPSec use the following extensions:
X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
Upload the certificate of the CA that actually signed the application certificate. If a subordinate CA signed the application certificate, upload that subordinate CA's certificate as the trust certificate, not the certificate of the root CA above it.
You upload CA root certificates and application certificates through the same Upload Certificate dialog box. When you upload a CA root certificate, choose the certificate name of the form certificate type-trust.
When you upload an application certificate, choose the certificate name that consists of the certificate type only. For example, choose tomcat-trust when you upload a Tomcat CA root certificate and tomcat when you upload a Tomcat application certificate. Then restart the Unified CCX Engine.
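The CSR-to-upload flow above (generate a CSR with the Tomcat/IPSec extension set, have a CA sign it, then upload the issuing CA's certificate as the -trust entry and the application certificate with its chain) can be rehearsed offline with openssl. The script below is an added example and is not Cisco's code or part of this documentation; it builds a throwaway root CA, a subordinate CA and an application certificate (the names Example Root CA, Example Sub CA and uccx.example.com are constructed placeholders), confirms the CSR carries the Key Usage and Extended Key Usage values listed above, shows which CA the application certificate was issued by, assembles the chain file, verifies it, and round-trips the certificate through DER to show that both encodings the server accepts describe the same certificate.

```sh
#!/bin/sh
# Added example, not part of the Cisco documentation: build a small test PKI with
# openssl (root CA -> subordinate CA -> application certificate) to show which
# files an administrator ends up uploading. All names (Example Root CA,
# Example Sub CA, uccx.example.com) and the file layout are constructed placeholders.
set -eu

# Self-contained openssl config so the script does not depend on the system
# openssl.cnf. app_ext carries the Key Usage / Extended Key Usage values listed
# above (ipsecEndSystem is OpenSSL's name for "IPSec End System").
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ sub_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ app_ext ]
keyUsage = digitalSignature,keyEncipherment,dataEncipherment,keyAgreement
extendedKeyUsage = serverAuth,clientAuth,ipsecEndSystem
subjectAltName = DNS:uccx.example.com
EOF
}

# Create the root CA, the subordinate CA and the application certificate under $1.
build_demo_pki() {
  d="$1"
  write_config "$d/openssl.cnf"
  # Root CA: self-signed.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/openssl.cnf" -subj "/CN=Example Root CA" -extensions ca_ext \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Subordinate CA: CSR signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$d/openssl.cnf" -subj "/CN=Example Sub CA" \
    -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/openssl.cnf" -extensions sub_ext \
    -out "$d/sub.pem" 2>/dev/null
  # Application CSR with the Tomcat/IPSec extension set, signed by the subordinate CA.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$d/openssl.cnf" -subj "/CN=uccx.example.com" -reqexts app_ext \
    -keyout "$d/app.key" -out "$d/app.csr" 2>/dev/null
  openssl x509 -req -in "$d/app.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$d/openssl.cnf" -extensions app_ext \
    -out "$d/app.pem" 2>/dev/null
  # What gets uploaded: the issuing (subordinate) CA as the "-trust" certificate,
  # and the application certificate followed by its issuer as the certificate chain.
  cp "$d/sub.pem" "$d/tomcat-trust.pem"
  cat "$d/app.pem" "$d/sub.pem" > "$d/chain.pem"
  # The server accepts DER as well as PEM; round-trip to show they are equivalent.
  openssl x509 -in "$d/app.pem" -outform DER -out "$d/app.der"
  openssl x509 -inform DER -in "$d/app.der" -out "$d/app-from-der.pem"
}

# Number of PEM certificates in a file (2 for application certificate + issuer).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Issuer DN of a certificate: identifies which CA certificate to upload as the trust entry.
issuer_dn() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'; }

# Succeeds only if the application certificate chains to the root through the subordinate CA.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null; }

# Print the Key Usage / Extended Key Usage lines of a CSR for review before submitting it.
csr_extensions() { openssl req -in "$1" -noout -text | grep -A1 'Key Usage'; }

main() {
  d="$(mktemp -d)"
  build_demo_pki "$d"
  echo "CSR extensions:"; csr_extensions "$d/app.csr"
  echo "Application certificate issuer: $(issuer_dn "$d/app.pem")"
  echo "Certificates in chain.pem: $(cert_count "$d/chain.pem")"
  if verify_chain "$d/root.pem" "$d/sub.pem" "$d/app.pem"; then
    echo "chain verifies against the root CA"
  else
    echo "chain does NOT verify"
  fi
  if cmp -s "$d/app.pem" "$d/app-from-der.pem"; then
    echo "DER round-trip reproduces the PEM certificate"
  fi
}
main
```

The issuer line is the practical check behind the advice above: if it names a subordinate CA, that subordinate CA's certificate is the one to upload as tomcat-trust (or ipsec-trust), and chain.pem is what to upload when using the certificate chain option.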
The system can automatically send you an e-mail when a certificate is close to its expiration date. To view and configure the Certificate Expiration Monitor, follow this procedure:
Step 1: Navigate to the Certificate Monitor window.
Step 2: Enter the required configuration information. See the table below for a description of the Certificate Monitor Expiration fields.
Step 3: To save your changes, click Save.
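The check the Certificate Expiration Monitor performs (flag any certificate whose notAfter date falls within a configured number of days) is easy to reproduce on an administrator's PC against the certificates downloaded from the server. The script below is an added example and not Cisco's code; it generates two self-signed sample certificates with constructed names and lifetimes (10 and 400 days) and reports the ones that expire within a 30-day threshold using openssl's -checkend option.

```sh
#!/bin/sh
# Added example, not part of the Cisco documentation: an offline equivalent of the
# Certificate Expiration Monitor. It walks a directory of PEM certificates and
# reports those that expire within a threshold in days. The sample certificates,
# their names and the 30-day threshold are constructed for the demonstration.
set -eu

# Exit 0 if the certificate in $1 is still valid $2 days from now, 1 if it expires sooner.
cert_ok_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# Print the notAfter date of a certificate.
cert_expires() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# Print one line per certificate under $1 that expires within $2 days.
expiring_certs() {
  for f in "$1"/*.pem; do
    [ -f "$f" ] || continue
    if ! cert_ok_for_days "$f" "$2"; then
      echo "$(basename "$f" .pem) expires $(cert_expires "$f")"
    fi
  done
}

# Generate self-signed sample certificates with short and long lifetimes under $1.
make_samples() {
  # Minimal config so the script does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$1/min.cnf"
  for pair in tomcat:10 ipsec:400; do
    name="${pair%%:*}"; days="${pair##*:}"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -config "$1/min.cnf" \
      -subj "/CN=$name.example.com" -keyout "$1/$name.key" -out "$1/$name.pem" 2>/dev/null
  done
}

main() {
  s="$(mktemp -d)"
  make_samples "$s"
  echo "Certificates expiring within 30 days:"
  expiring_certs "$s" 30
}
main
```

Pointing expiring_certs at a directory of downloaded tomcat, ipsec and trust certificates, with the same threshold configured in the Certificate Monitor, gives a second opinion that does not depend on the server's e-mail delivery working.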
The following topics describe the functions that you can perform with the IPSec menu:
Note: IPSec does not automatically get set up between nodes in the cluster during installation.
Any changes that you make to an IPSec policy during a system upgrade are lost, so do not modify or create IPSec policies during an upgrade.
Caution: IPSec, especially with encryption, affects the performance of your system.
Step 1: Navigate to the IPSEC Policy List window.
Step 2: Click Add New. The IPSEC Policy Configuration window appears.
Step 3: Enter the appropriate information on the IPSEC Policy Configuration window. See the table below for descriptions of the fields on this window.
Step 4: Click Save to set up the new IPSec policy.
To display, enable or disable, or delete an existing IPSec policy, follow this procedure:
Note: Because any changes that you make to an IPSec policy during a system upgrade are lost, do not modify or create IPSec policies during an upgrade.
Caution: IPSec, especially with encryption, will affect the performance of your system.
Caution: Any changes that you make to the existing IPSec policies can impact your normal system operations.
Step 1: Navigate to the IPSEC Policy List window.
Step 2: To display, enable, or disable a policy, follow these steps:
Step 3: To delete one or more policies, follow these steps:
To support the Extension Mobility Cross Cluster (EMCC) feature, the system lets you run a bulk import and export operation to and from a common SFTP server that the cluster administrator has configured.
To use Bulk Certificate Management to export certificates, use the following procedure:
Navigate to Security > Bulk Certificate Management.
The Bulk Certificate Management window displays.
Enter the appropriate information on the Bulk Certificate Management window.
To save the values you entered, click Save.
To export certificates, click Export.
The Bulk Certificate Export popup window displays.
From the drop-down menu, choose Tomcat as the type of certificate to export.
Click Export.
The system exports and stores the certificates you chose on the central SFTP server.
You can also use the Bulk Certificate Management window to import certificates that you have exported from other clusters. However, before the Import button displays, you must complete the following activities: