Configuration Guide for Cisco Unified Customer Voice Portal, Release 11.6(1)

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Configuration Guide for Cisco Unified Customer Voice Portal, Release 11.6(1)

Chapter Title

Unified CVP Security

Results

Updated:
April 29, 2020

Chapter: Unified CVP Security

Unified CVP Security

This chapter describes security considerations for Unified CVP call flow model deployments.

Secure JMX Communication between CVP Components

You can secure JMX communication by:

  • Exchanging the self-signed certificates between the components.

  • Signing the certificates by a Certificate Authority.

Self-Signed Certificates

On Call Server or VXML Server or Reporting Server

Procedure
Step 1

Export the ORM certificate from Call/Vxml Server:

%CVP_HOME%\jre\bin\keytool.exe -export -v -keystore %CVP_HOME%\conf\security\.ormkeystore -storetype JCEKS -alias orm_certificate –file %CVP_HOME%\conf\security\<orm_security.cer>
Step 2

Enter the keystore password when prompted.

Step 3

Import the ORM certificate to the keystore of Call/Vxml Server:

keytool.exe -import -trustcacerts -keystore %CVP_HOME%\CVP\conf\security\.keystore -storetype JCEKS -alias orm_certificate -file %CVP_HOME%\conf\security\orm_security.cer
Step 4

Copy the exported ORM certificate to %CVP_HOME%\conf\security\ on the OAMP machine.

Note 

Repeat the above steps for all the Call Servers and use different alias names in each server to avoid ambiguity.

On OAMP

Log in to the Operations Console Server. Retrieve the keystore password from the security.properties file.


Note

At the command prompt, enter more %CVP_HOME%\conf\security.properties.

Security.keystorePW = <Returns the keystore password>

Enter the keystore password when prompted.

Procedure
Step 1

Import the copied ORM certificate to OAMP: .

%CVP_HOME%\jre\bin\keytool.exe -import -trustcacerts -keystore %CVP_HOME%\conf\security\.keystore -storetype JCEKS -alias orm_certificate -file %CVP_HOME%\conf\security\<orm_security.cer>
Step 2

Enter the keystore password when prompted.

Step 3

Trust this certificate? [no]: yes
Step 4

Export the OAMP certificate:

%CVP_HOME%\jre\bin\keytool.exe -export -v -keystore %CVP_HOME%\conf\security\.keystore -storetype JCEKS -alias oamp_certificate -file %CVP_HOME%\conf\security\<oamp_cert.cer>
Step 5

Copy the generated OAMP certificate to %CVP_HOME%\conf\security\ on each Call Server/VXML Server/Reporting Server.

Step 6

Restart OAMP service.
Step 7

Log into OAMP. To enable secure communication between OAMP and Call Server or VXML Server, navigate to Device Management > Call Server. Check the Enable secure communication with the Ops console check box. Save and deploy both Call Server and VXML Server.

On Call Server or VXML Server or Reporting Server

Procedure
Step 1

Import the certificate to the callserver keystore:

%CVP_HOME%\jre\bin\keytool.exe -import -trustcacerts -keystore %CVP_HOME%\conf\security\.keystore -storetype JCEKS -alias oamp_certificate -file %CVP_HOME%\conf\security\oamp_security.cer
Step 2

Enter the keystore password when prompted.
Step 3

Restart the Operation Console Server and the Call Server.
Step 4

Configure ORM in CVP:

  1. Go to %CVP_HOME%/conf/orm_jmx.properties.

    Add or update the file as shown and save it:
    javax.net.debug = all
com.sun.management.jmxremote.ssl.need.client.auth = false
com.sun.management.jmxremote.authenticate = false
com.sun.management.jmxremote.port = 2099
com.sun.management.jmxremote.ssl = true
com.sun.management.jmxremote.rmi.port = 3000
javax.net.ssl.keyStore= C:/Cisco/CVP/conf/security/.ormKeystore
javax.net.ssl.keyStorePassword= <keystore_password>

  2. Go to %CVP_HOME%/conf/wrapper.conf.

    Update the keystore password as shown and save the file:
    # Java Additional Parameters
wrapper.java.additional.1= -Djavax.net.ssl.keyStore=C:/Cisco/CVP/conf/security/.ormKeystore
wrapper.java.additional.2= -Djavax.net.ssl.keyStorePassword=<Keystore password>
wrapper.java.additional.3= -Djavax.net.ssl.keyStoreType=JCEKS
wrapper.java.additional.4= -Djavax.net.ssl.trustStore=C:/Cisco/CVP/conf/security/.Keystore
wrapper.java.additional.5= -Djavax.net.ssl.trustStorePassword=<Keystore password>
wrapper.java.additional.6= -Djavax.net.ssl.trustStoreType=JCEKS
wrapper.java.additional.7= -Dcom.sun.management.config.file=../conf/orm_jmx.properties
wrapper.java.additional.8= -Dccbu.logging.config.file=log4j_orm.xml
wrapper.java.additional.9= -Djava.rmi.server.hostname=<IP address of ORM server>
Step 5

Configure JMX of Call Server in CVP:

  1. Go to %CVP_HOME%/conf/jmx_callserver.conf.

    Update the file as shown and save the file:

    com.sun.management.jmxremote.ssl.need.client.auth = false
com.sun.management.jmxremote.authenticate = false
com.sun.management.jmxremote.port = 2098
com.sun.management.jmxremote.ssl = true
 com.sun.management.jmxremote.rmi.port = 2097
javax.net.ssl.keyStore = C:/Cisco/CVP/conf/security/.ormKeystore
javax.net.ssl.keyStorePassword = <Keystore password>
Step 6

Configure JMX of VXMLServer in CVP:

  1. Go to %CVP_HOME%/conf/jmx_vxml.conf

    Edit the file as shown and save the file:

    com.sun.management.jmxremote.ssl.need.client.auth = false
com.sun.management.jmxremote.authenticate = false
com.sun.management.jmxremote.port = 9696
com.sun.management.jmxremote.ssl = true
com.sun.management.jmxremote.rmi.port = 9697
javax.net.ssl.keyStore = C:/Cisco/CVP/conf/security/.ormKeystore
javax.net.ssl.keyStorePassword = <keystore_password>
Step 7

Restart Cisco CVP Call Server and VXML Server.
Step 8

Repeat the steps for all the Call Servers.

CA-Signed Certificates

On OAMP

Log in to the Operations Console Server. Retrieve the keystore password from the security.properties file.


Note

At the command prompt, enter more %CVP_HOME%\conf\security.properties.

Security.keystorePW = <Returns the keystore password>

Enter the keystore password when prompted.

Procedure
Step 1

Generate CSR on OAMP by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -certreq -alias oamp_certificate -file %CVP_HOME%\conf\security\oamp.csr.

Step 2

Enter the keystore password when prompted.

Step 3

Sign the certificate on a CA.

Step 4

Copy the root CA certificate and the CA-signed certificate to %CVP_HOME%\conf\security\.

Step 5

Import the root CA certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -trustcacerts -alias root -file %CVP_HOME%\conf\security\<filename_of_root_cert>.

Step 6

Enter the keystore password when prompted.

Step 7

Import the CA-signed certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -trustcacerts -alias oamp_certificate -file %CVP_HOME%\conf\security\<filename_of_CA_signed_cert>.

On Call Server or VXML Server or Reporting Server

Log in to the Call Server or VXML Server or Reporting Server. Retrieve the keystore password from the security.properties file.


Note

At the command prompt, enter more %CVP_HOME%\conf\security.properties

Security.keystorePW = <Returns the keystore password>

Enter the keystore password when prompted.

Procedure
Step 1

Generate CSR on Call Server or VXML Server or Reporting Server by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -certreq -alias orm_certificate -file %CVP_HOME%\conf\security\orm.csr.

Step 2

Sign the certificate on a CA.

Step 3

Copy the root CA certificate and the CA-signed certificate to %CVP_HOME%\conf\security\.

Step 4

Import the root CA certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -import -v -trustcacerts -alias root -file %CVP_HOME%\conf\security\<filename_of_root_cert>.

Step 5

Enter the keystore password when prompted.

Step 6

Import the CA-signed certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -import -v -trustcacerts -alias orm_certificate -file %CVP_HOME%\conf\security\<filename_of_CA_signed_cert>.

Step 7

Configure ORM in CVP:

  1. Go to c:/cisco/cvp/conf/orm_jmx.properties.

    Add or update the file as shown and save it:
    javax.net.debug = all
com.sun.management.jmxremote.ssl.need.client.auth = false
com.sun.management.jmxremote.authenticate = false
com.sun.management.jmxremote.port = 2099
com.sun.management.jmxremote.ssl = true
com.sun.management.jmxremote.rmi.port = 3000
javax.net.ssl.keyStore= C:/Cisco/CVP/conf/security/.ormKeystore
javax.net.ssl.keyStorePassword= <keystore_password>

  2. Go to c:/cisco/cvp/conf/wrapper.conf.

    Update the keystore password as shown and save the file:
    # Java Additional Parameters
wrapper.java.additional.1= -Djavax.net.ssl.keyStore=C:/Cisco/CVP/conf/security/.ormKeystore
wrapper.java.additional.2= -Djavax.net.ssl.keyStorePassword=<Keystore password>
wrapper.java.additional.3= -Djavax.net.ssl.keyStoreType=JCEKS
wrapper.java.additional.4= -Djavax.net.ssl.trustStore=C:/Cisco/CVP/conf/security/.ormKeystore
wrapper.java.additional.5= -Djavax.net.ssl.trustStorePassword=<Keystore password>
wrapper.java.additional.6= -Djavax.net.ssl.trustStoreType=JCEKS
wrapper.java.additional.7= -Dcom.sun.management.config.file=../conf/orm_jmx.properties
wrapper.java.additional.8= -Dccbu.logging.config.file=log4j_orm.xml
wrapper.java.additional.9= -Djava.rmi.server.hostname=<IP address of ORM server>
Step 8

Configure JMX of callserver in CVP:

  1. Go to c:/cisco/cvp/conf/jmx_callserver.conf.

    Update the file as shown and save the file:

    com.sun.management.jmxremote.ssl.need.client.auth = false
com.sun.management.jmxremote.authenticate = false
com.sun.management.jmxremote.port = 2098
com.sun.management.jmxremote.ssl = true
 com.sun.management.jmxremote.rmi.port = 2097
javax.net.ssl.keyStore = C:/Cisco/CVP/conf/security/.ormKeystore
javax.net.ssl.keyStorePassword = <keystore_password>
Step 9

Configure JMX of VXMLServer in CVP:

  1. Go to c:/cisco/cvp/conf/jmx_vxml.conf

    Edit the file as shown and save the file:

    com.sun.management.jmxremote.ssl.need.client.auth = false
com.sun.management.jmxremote.authenticate = false
com.sun.management.jmxremote.port = 9696
com.sun.management.jmxremote.ssl = true
com.sun.management.jmxremote.rmi.port = 9697
javax.net.ssl.keyStore = C:/Cisco/CVP/conf/security/.ormKeystore
javax.net.ssl.keyStorePassword = <keystore_password>
Step 10

Restart the Operation Console Server and the CVP server.

Note 

To enable Courtesy Callback feature in the secure mode, add the CA root certificate to Tomcat trust store .keystore in %CVP_HOME%\jre\bin>keytool.exe -keystore%CVP_HOME%\jre\lib\security\cacerts -storepass changeit -importcert -file %CVP_HOME%\conf\security\CA_Root.cer.

To configure secure communications between the OAMP and the Call Server, see Call Server Setup in Administration Guide for Cisco Unified Customer Voice Portal available at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-customer-voice-portal/products-installation-and-configuration-guides-list.html.

To configure secure communications between the OAMP and the VXML Server, see Unified CVP VXML Server Setup in Administration Guide for Cisco Unified Customer Voice Portal available at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-customer-voice-portal/products-installation-and-configuration-guides-list.html.

To configure secure communications between the OAMP and the VXML Server(standalone), see section Unified CVP VXML Server (Standalone) Setup in Administration Guide for Cisco Unified Customer Voice Portal available at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-customer-voice-portal/products-installation-and-configuration-guides-list.html.

To configure secure communications between the OAMP and the Reporting Server, see section Set Up Reporting Server in Administration Guide for Cisco Unified Customer Voice Portal available at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-customer-voice-portal/products-installation-and-configuration-guides-list.html.

To configure Call Server SIP TLS/SRTP, see SIP Service Settings in Administration Guide for Cisco Unified Customer Voice Portal available at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-customer-voice-portal/products-installation-and-configuration-guides-list.html.

To sign a certificate on a CA, see https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118731-configure-san-00.html.

Secure JMX Communication between OAMP and Call Server using Mutual Authentication

You can secure JMX communication by:

  • Exchanging the CA-signed certificates between the components.

  • Signing the certificates by a Certificate Authority.

Self Signed Certificate

You can secure JMX communication between OAMP and Call Server by exchanging self-signed certificates. Refer to the steps mentioned for Self-Signed Certificate exchange in the Secure JMX Communication between CVP Components section.

For mutual authentication, configure the following parameter as true in the applicable jmx properties file: com.sun.management.jmxremote.ssl.need.client.auth = true

Generate CA-Signed Certificate for ORM Service in Call Server/VXML Server/Reporting Server

Log into the Call Server or VXML Server or Reporting Server. Retrieve the keystore password from the security.properties file.


Note

At the command prompt, enter more %CVP_HOME%\conf\security.properties.

Security.keystorePW = <Returns the keystore password>

Enter the keystore password when prompted.

Procedure

Step 1

Go to %CVP_HOME%\conf\security and delete the ORM certificate from by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -delete -alias orm_certificate. Enter the keystore password when prompted.

Step 2

Generate a CA-signed certificate for ORM server by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -genkeypair -alias orm_certificate -v -keysize 2048 -keyalg RSA.

  1. Enter the details at the prompts and type Yes to confirm.

  2. Enter the keystore password when prompted.

    Note 

    The CN provided here while generating the key is referred to as <CN of Callserver ORM certificate> in the following steps. Note the CN name for future reference.

Step 3

Generate the certificate request for the alias by running the following command and saving it to a file (for example, orm.csr): %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -certreq -alias orm_certificate -file %CVP_HOME%\conf\security\orm.csr.

  1. Enter the keystore password when prompted.

  2. Verify that the CSR was generated successfully by running dir orm.csr.

Step 4

Sign the certificate on a CA.

Note 

Follow the procedure to create a CA-signed certificate using the CA authority. Download the certificate and the root certificate of the CA authority.

Step 5

Copy the root certificate and the CA-signed ORM certificate to %CVP_HOME%\conf\security\.

Step 6

Import the root certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -import -v -trustcacerts -alias root -file %CVP_HOME%\conf\security\<filename_of_root_cer>.

  1. Enter the keystore password when prompted.

  2. At Trust this certificate prompt, type Yes.

Step 7

Import the CA-signed ORM certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -import -v - trustcacerts -alias orm_certificate -file %CVP_HOME%\conf\security\<filename_of_your_signed_cert_from_CA>. Enter the keystore password when prompted.

Step 8

Configure ORM in CVP:

  1. Go to c:\cisco\cvp\conf\orm_jmx.properties.

    Add or update the file as shown and save it:
    javax.net.debug = all
com.sun.management.jmxremote.ssl.need.client.auth = true
com.sun.management.jmxremote.authenticate = false
com.sun.management.jmxremote.port = 2099
com.sun.management.jmxremote.ssl = true
com.sun.management.jmxremote.rmi.port = 3000
javax.net.ssl.keyStore=C:\Cisco\CVP\conf\security\.ormKeystore
javax.net.ssl.keyStorePassword=< keystore_password >

  2. Go to c:\cisco\cvp\conf\wrapper.conf.

    Update the keystore password as shown and save the file:
    # Java Additional Parameters
wrapper.java.additional.1= -Djavax.net.ssl.keyStore=C:/Cisco/CVP/conf/security/.ormKeystore
wrapper.java.additional.2= -Djavax.net.ssl.keyStorePassword=<Keystore password>
wrapper.java.additional.3= -Djavax.net.ssl.keyStoreType=JCEKS
wrapper.java.additional.4= -Djavax.net.ssl.trustStore=C:/Cisco/CVP/conf/security/.ormKeystore
wrapper.java.additional.5= -Djavax.net.ssl.trustStorePassword=<Keystore password>
wrapper.java.additional.6= -Djavax.net.ssl.trustStoreType=JCEKS
wrapper.java.additional.7= -Dcom.sun.management.config.file=../conf/orm_jmx.properties
wrapper.java.additional.8= -Dccbu.logging.config.file=log4j_orm.xml
wrapper.java.additional.9= -Djava.rmi.server.hostname=<IP address of ORM server>

  3. Restart Cisco CVP Resource Manager service.

Step 9

Configure JMX of callserver in CVP:

  1. Go to c:\cisco\cvp\conf\jmx_callserver.conf.

    Update the file as shown and save the file:

    com.sun.management.jmxremote.ssl.need.client.auth = true
com.sun.management.jmxremote.authenticate = false
com.sun.management.jmxremote.port = 2098
com.sun.management.jmxremote.ssl = true
 com.sun.management.jmxremote.rmi.port = 2097
javax.net.ssl.keyStore = C:\Cisco\CVP\conf\security\.ormKeystore
javax.net.ssl.keyStorePassword = <Keystore password>

  2. Run the regedit command.

    Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\CallServer\Parameters\Java\Options.

    Append the following to the file:

    -Djavax.net.ssl.trustStore=C:\Cisco\CVP\conf\security\.ormKeystore
-Djavax.net.ssl.trustStorePassword=<Keystore password>
-Djavax.net.ssl.trustStoreType=JCEKS

  3. Restart Cisco CVP Callserver service.
Step 10

Configure JMX of VXMLServer in CVP:

  1. Go to c:\cisco\cvp\conf\jmx_vxml.conf.

    Edit the file as shown and save the file:

    com.sun.management.jmxremote.ssl.need.client.auth = true
com.sun.management.jmxremote.authenticate = false
com.sun.management.jmxremote.port = 9696
com.sun.management.jmxremote.ssl = true
com.sun.management.jmxremote.rmi.port = 9697
javax.net.ssl.keyStore = C:\Cisco\CVP\conf\security\.ormKeystore
javax.net.ssl.keyStorePassword = <Keystore password>

  2. Run the regedit command.

    Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\VXMLServer\Parameters\Java.

    Append the following to the file:

    -Djavax.net.ssl.trustStore=C:\Cisco\CVP\conf\security\.ormKeystore
-Djavax.net.ssl.trustStorePassword=<Keystore password>
-Djavax.net.ssl.trustStoreType=JCEKS

  3. Restart Cisco CVP VXMLServer service.

Generate CA-Signed Client Certificate for ORM

Log into the Call Server or VXML Server or Reporting Server. Retrieve the keystore password from the security.properties file.


Note

At the command prompt, enter more %CVP_HOME%\conf\security.properties.

Security.keystorePW = <Returns the keystore password>

Enter the keystore password when prompted.

Before you begin

This requires ORM of Callserver/VXML Server machine to connect to Callserver and VXMLServer ORM service.

Procedure

Step 1

Go to %CVP_HOME%\conf\security and generate a CA-signed certificate for client authentication with callserver by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -genkeypair -alias <CN of Callserver ORM certificate> -v -keysize 2048 -keyalg RSA.

  1. Enter the details at the prompts and type Yes to confirm.

  2. Enter the keystore password when prompted.

    Note 

    The alias will be the same as the CN used for generating ORM server certificate.
Step 2

Generate the certificate request for the alias by running the following command and saving it to a file (for example, jmx_client.csr): %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -certreq -alias <CN of Callserver ORM certificate> -file %CVP_HOME%\conf\security\jmx_client.csr.

  1. Enter the keystore password when prompted.

  2. Verify that the CSR was generated successfully by running dir jmx_client.csr.

Step 3

Sign the certificate on a CA.

Note 

Follow the procedure to create a CA-signed certificate using the CA authority. Download the certificate and the root certificate of the CA authority.

  1. Enter the keystore password when prompted.

  2. At Trust this certificate prompt, type Yes.

Step 4

Copy the root certificate and the CA-signed JMX Client certificate to %CVP_HOME%\conf\security\.

Step 5

Import the CA-signed certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -import -v -trustcacerts -alias <CN of Callserver ORM certificate> -file %CVP_HOME%\conf\security\<filename of CA-signed JMX Client certificate>.

  1. Enter the keystore password when prompted.
Step 6

Restart ORM service.

Note 

Repeat the same procedure for Reporting Server, if any.

Generate CA-Signed Client Certificate for OAMP (to be done on OAMP)

Log into the Call Server or VXML Server or Reporting Server. Retrieve the keystore password from the security.properties file.


Note

At the command prompt, enter more %CVP_HOME%\conf\security.properties.

Security.keystorePW = <Returns the keystore password>

Enter the keystore password when prompted.

Procedure

Step 1

Go to %CVP_HOME%\conf\security and generate a CA-signed certificate for client authentication with callserver ORM by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -genkeypair -alias <CN of Callserver ORM certificate> -v -keysize 2048 -keyalg RSA.

  1. Enter the details at the prompts and type Yes to confirm.

  2. Enter the keystore password when prompted.

    Note 

    The alias will be the same as the CN of the Call Server or the VXML Server.
Step 2

Generate the certificate request for the alias by running the following command and saving it to a file (for example, jmx.csr): %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -certreq -alias <CN of Callserver ORM certificate> -file %CVP_HOME%\conf\security\jmx.csr.

  1. Enter the keystore password when prompted.

  2. Verify that the CSR was generated successfully by running dir jmx.csr.

Step 3

Sign the certificate on a CA.

Note 

Follow the procedure to create a CA-signed certificate using the CA authority. Download the certificate and the root certificate of the CA authority.

Step 4

Copy the root certificate and CA-signed JMX Client certificate to %CVP_HOME%\conf\security\.

Step 5

Import the root certificate of the CA by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -import -v -trustcacerts -alias root -file %CVP_HOME%\conf\security\<filename_of_root_cert>.

  1. Enter the keystore password when prompted.

  2. At Trust this certificate prompt, type Yes.

Step 6

Import the CA-signed JMX Client certificate of CVP into .ormkeystore by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.ormkeystore -import -v -trustcacerts -alias <CN of Callserver ORM certificate> -file %CVP_HOME%\conf\security\<filename_of_your_signed_cert_from_CA>.

  1. Enter the keystore password when prompted.
Step 7

Import the CA-signed JMX Client certificate of CVP into .keystore by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -trustcacerts -alias <CN of Callserver ORM certificate> -file %CVP_HOME%\conf\security\<filename_of_your_signed_cert_from_CA>

  1. Enter the keystore password when prompted.

  2. At Trust this certificate prompt, type Yes.

Step 8

Run the regedit command.

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\OPSConsoleServer\Parameters\Java.

  2. Append the following to the file sand save it:

    -Djavax.net.ssl.keyStore=C:\Cisco\CVP\conf\security\.ormKeystore
-Djavax.net.ssl.keyStorePassword=<keystore_password> 
-Djavax.net.ssl.keyStoreType=JCEKS
-Djavax.net.ssl.trustStore=C:\Cisco\CVP\conf\security\.ormKeystore
-Djavax.net.ssl.trustStorePassword=<keystore_password>
-Djavax.net.ssl.trustStoreType=JCEKS
Step 9

Restart OAMP service.
Step 10

Log into OAMP. To enable secure communication between OAMP and Call Server or VXML Server, navigate to Device Management > Call Server. Check the Enable secure communication with the Ops console check box. Save and deploy both Call Server and VXML Server.

[Optional] Securing JConsole Login to OAMP

This section is needed if you want to block JConsole login to OAMP.


Note

The OAMP will stop the JMX communication with the following procedure but OAMP to Call Server/VXML Server / Reporting Server will continue to work.

Procedure

Step 1

Go to c:\cisco\cvp\conf\orm_jmx.properties

Add the following to the file and save it:
javax.net.debug=all
com.sun.management.jmxremote.ssl.need.client.auth=true
com.sun.management.jmxremote.authenticate=false
com.sun.management.jmxremote.port=2099
com.sun.management.jmxremote.ssl=true
com.sun.management.jmxremote.rmi.port=3000
javax.net.ssl.keyStore = C:\\Cisco\\CVP\\conf\\security\\.ormKeystore
javax.net.ssl.keyStorePassword = <Keystore password>

Restart Resource Manager service.
Step 2

Go to c:\cisco\cvp\conf\jmx_oamp.conf

Comment out the OAMP JMX port ( if not needed) in the following file and save it:
com.sun.management.jmxremote.ssl.need.client.auth = true
com.sun.management.jmxremote.authenticate = false
com.sun.management.jmxremote.port = 10001
com.sun.management.jmxremote.ssl = true
#com.sun.management.jmxremote.ssl.config.file=
com.sun.management.jmxremote.rmi.port = 10000

Restart OAMP service.
Step 3

You must import the CA certificate in .keystore and .ormKeystrore of OAMP.

With the aforesaid steps, unsecure JConsole login to OAMP will stop from remote machines but JConsole will continue to work from the OAMP host.

Secure SIP Communication between Call Server and Cisco VVB

You can secure SIP communication by:

  • Exchanging the self-signed certificates between the components.

  • Signing the certificates by a Certificate Authority.

Self-Signed Certificates

On Call Server

Log in to the Call Server, retrieve the keystore password from the security.properties file.


Note

At the command prompt, enter more %CVP_HOME%\conf\security.properties.

Security.keystorePW = <Returns the keystore password>

Enter the keystore password when prompted.

Procedure
Step 1

Export the Call Server certificate by running %CVP_HOME%\jre\bin\keytool.exe -export -v -keystore %CVP_HOME%\conf\security\.keystore -storetype JCEKS -alias callserver_certificate -file %CVP_HOME%\conf\security\<callserver_certificate.cer>.

Step 2

Enter the keystore password when prompted.

Step 3

Copy the VVB/VXML gateway self-signed certificate to %CVP_HOME%\conf\security\ and import the certificate to the callserver keystore by running %CVP_HOME%\jre\bin\keytool.exe -import -trustcacerts -keystore %CVP_HOME%\conf\security\.keystore -storetype JCEKS -alias vb_cert -file %CVP_HOME%\conf\security\<vvb certificate.pem>.

Note 

See Step 5 of the following Section, On Cisco VVB to download a VVB certificate.

Step 4

Enter the keystore password when prompted.

A message appears on the screen: Trust this certificate? [no]: Enter yes.
Step 5

Use the list flag to check your keystore entries by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -list.

On Cisco VVB

Procedure
Step 1

Copy the CVP CallServer self-signed certificate downloaded from CVP and upload it to VVB against tomcat-trust.

Step 2

Go to OS Admin > Security > Certificate Management > Upload certificate/certificate chain.

Step 3

In Certificate Purpose, select tomcat-trust.

Step 4

Select the self-signed certificate of the Call Server and click Upload.

Step 5

Download the self-signed certificate of the VVB.

Step 6

Go to OS Admin > Security > Certificate Management.

Step 7

In the Certificate column, find the certificate named tomcat.

Step 8

Select the self-signed tomcat certificate and click Download .PEM File.

Step 9

After the new certificate is uploaded, restart the node(s) using the CLI command utils system restart.

Step 10

Go to Cisco VVB Administration > System Parameters > TLS.

Step 11

Check TLS as Enable.

Step 12

Select the supported TLS version and click Update.

Step 13

Restart Cisco VVB Engine from the VVB Serviceability page.

CA-Signed Certificate

On Call Server

Log in to the Call Server. Retrieve the keystore password from the security.properties file.


Note

At the command prompt, enter more %CVP_HOME%\conf\security.properties.

Security.keystorePW = <Returns the keystore password>

Enter the keystore password when prompted.

Procedure
Step 1

Remove the existing certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -delete -alias callserver_certificate.

Step 2

Enter the keystore password when prompted.

Step 3

Generate a new key pair for the alias with the selected key size by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -genkeypair -alias callserver_certificate -v -keysize 2048 -keyalg RSA. 

Enter keystore password: <enter the keystore password>
What is your first and last name?
 [Unknown]: <specify the CVP host name> E.g cisco-cvp-211
What is the name of your organizational unit?
 [Unknown]: <specify OU> E.g. CCBU
What is the name of your organization?
 [Unknown]: <specify the name of the org> E.g. CISCO
What is the name of your City or Locality?
 [Unknown]: <specify the name of the city/locality>  E.g. BLR
What is the name of your State or Province?
 [Unknown]: <specify the name of the state/province>  E.g. KAR
What is the two-letter country code for this unit?
 [Unknown]: <specify two-letter Country code>  E.g. IN

Specify ‘yes’ for the inputs.
Step 4

Generate the CSR certificate for the alias by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -certreq -alias callserver_certificate -file %CVP_HOME%\conf\security\callserver.csr and save it to a file (for example, oamp.csr).

Step 5

Enter the keystore password when prompted.

Step 6

Download the callserver.csr from %CVP_HOME%\conf\security\ and sign it from CA.

Step 7

Copy the root CA certificate and the CA-signed certificate to %CVP_HOME%\conf\security\.

Step 8

Install the root CA certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -trustcacerts -alias root -file %CVP_HOME%\conf\security\<filename_of_root_cert>.

Step 9

Enter the keystore password when prompted.

Step 10

Install the signed certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -trustcacerts -alias callserver_certificate -file %CVP_HOME%\conf\security\<filename_of_CA_signed_cert>.

On Cisco VVB

Procedure
Step 1

To generate the CSR certificate on VVB, open the administration page. From the Navigation drop-down list, choose Cisco Unified OS Administration and click Go.

Step 2

Go to Security > Certificate Management > Generate CSR Generate Certificate signing Request. Create the CSR against tomcat with the key-length as 2048.

Step 3

To download the generated CSR, click Download CSR. After the Generate Certificate signing Request dialog opens, click Download CSR.

Step 4

Open the certificate in Notepad, copy the contents and sign the certificate with CA.

Step 5

Upload the root certificate generated from the CA into VVB against tomcat-trust:

  1. Go to Security > Certificate Management > Generate CSR > Upload certificate/certificate chain.

  2. Choose tomcat-trust from the drop-down list.

  3. Click Browse and select the certificate.

  4. Click Upload to upload the root certificate of the Certificate Authority.

Step 6

Upload the signed certificate into VVB against tomcat.

  1. Go to Security > Certificate Management > Upload certificate/certificate chain.

  2. Choose tomcat from the drop-down list.

  3. Click Browse and select the certificate.

  4. Click Upload.

After the certificate is uploaded successfully, VVB displays the certificate signed by <CA hostname>.
Step 7

Restart the Tomcat service and the VVB engine.

For the configuration steps, see the Manage System Parameters section.

Secure HTTP Communication between VXML Server and Cisco VVB

You can secure HTTP communication by:

  • Exchanging the self-signed certificates between the VXML Server and VVB or VXML Gateway.

  • Signing the certificates by a Certificate Authority.

Self-Signed Certificate

On VXML Server

Log in to the VXML Server. Retrieve the keystore password from the security.properties file.


Note

At the command prompt, enter more %CVP_HOME%\conf\security.properties.

Security.keystorePW = <Returns the keystore password>

Enter the keystore password wherever it prompts.

Procedure
Step 1

Export the VXML SERVER certificate by running %CVP_HOME%\jre\bin\keytool.exe -export -v -keystore %CVP_HOME%\conf\security\.keystore -storetype JCEKS -alias vxml_certificate -file %CVP_HOME%\conf\security\<vxml_certificate.cer>.

Step 2

Enter the keystore password when prompted.

Step 3

Copy the VVB/VXML gateway self-signed certificate to %CVP_HOME%\conf\security\ and import the certificate to the callserver keystore by running keystore.%CVP_HOME%\jre\bin\keytool.exe -import -trustcacerts -keystore %CVP_HOME%\conf\security\.keystore -storetype JCEKS -alias vb_cert -file %CVP_HOME%\conf\security\<vvb certificate.pem>.

Note 

See Step 5 of the following Section, On Cisco VVB to download a VVB certificate.

Step 4

Enter the keystore password when prompted.

A message appears on the screen: Trust this certificate? [no]: Enter yes.
Step 5

Use the list flag to check your keystore entries by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -list.

On Cisco VVB

Procedure
Step 1

Copy the VXML Server self-signed certificate downloaded from CVP and upload it to VVB against tomcat-trust.

Step 2

Go to OS Admin > Security > Certificate Management > Upload certificate/certificate chain.

Step 3

In Certificate Purpose, select tomcat-trust.

Step 4

Select the self-signed certificate of the VXML Server and click Upload.

Step 5

Download the self-signed certificate of the VVB.

Step 6

Go to OS Admin > Security > Certificate Management.

Step 7

In the Certificate column, select the tomcat certificate.

Step 8

Select the tomcat certificate and click Download .PEM File.

Step 9

After the new certificate uploads, restart the Cisco Tomcat service.
Step 10

Go to Cisco VVB Administration > System Parameters > TLS.

Step 11

Check the TLS check box as Enable.

Step 12

Select the supported TLS version and click Update.

Step 13

Restart the Cisco VVB Engine from the VVB Serviceability page.

Note 

To enable secured connection in Application Management from the Cisco VVB UI, see Cisco Virtualized Voice Browser Administration and Configuration Guide available at https://www.cisco.com/c/en/us/support/customer-collaboration/virtualized-voice-browser/tsd-products-support-series-home.html.

CA-Signed Certificate

On VXML Server

Log in to the VXML Server. Retrieve the keystore password from the security.properties file.


Note

At the command prompt, enter more %CVP_HOME%\conf\security.properties.

Security.keystorePW = <Returns the keystore password>

Enter the keystore password when prompted.

Procedure
Step 1

Remove the existing certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -delete -alias vxml_certificate.

Step 2

Generate a new key pair for the alias with selected key size by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -genkeypair -alias vxml_certificate -v -keysize 2048 -keyalg RSA. 

Enter keystore password: <enter the keystore password>
What is your first and last name?
 [Unknown]: <specify the CVP host name appended with "VXML_Server"> E.g cisco-cvp-211_VXML_Server
What is the name of your organizational unit?
 [Unknown]: <specify OU> E.g. CCBU
What is the name of your organization?
 [Unknown]: <specify the name of the org> E.g. CISCO
What is the name of your City or Locality?
 [Unknown]: <specify the name of the city/locality>  E.g. BLR
What is the name of your State or Province?
 [Unknown]: <specify the name of the state/province>  E.g. KAR
What is the two-letter country code for this unit?
 [Unknown]: <specify two-letter Country code>  E.g. IN
Specify ‘yes’ for the inputs.
Step 3

Generate the CSR certificate for the alias by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -certreq -alias vxml_certificate -file %CVP_HOME%\conf\security\vxmlserver.csr and save it to a file (for example, oamp.csr).

Step 4

Enter the keystore password when prompted.

Step 5

Download the vxmserver.csr from CVP %CVP_HOME%\conf\security\ and sign it from CA.

Step 6

Copy the root CA certificate and the CA-signed certificate to %CVP_HOME%\conf\security\

Step 7

Install the root CA certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -trustcacerts -alias root -file %CVP_HOME%\conf\security\<filename_of_root_cert>.

Step 8

Enter the keystore password when prompted.

Step 9

Install the signed certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -trustcacerts -alias vxml_certificate -file %CVP_HOME%\conf\security\<filename_of_CA_signed_cert>.

Step 10

Enter the keystore password when prompted.

Step 11

Restart the VXML Server.

On Cisco VVB

Procedure
Step 1

Upload the root certificate generated from the CA into VVB against tomcat-trust. Go to OS Admin > Security > Certificate Management > Upload certificate/certificate chain, select tomcat-trust and upload the root certificate of the Certificate Authority.

Note 

If you use the same root certificate that was used in the Call Server configuration as described in Section, Secure Communication between Call Server and Cisco VVB and the certificate is already imported, then you can skip this step.

Step 2

Generate the CSR against tomcat with the key-length as 2048.

Step 3

Open the certificate in Notepad. Copy the contents and sign the certificate with CA.

Step 4

Restart the Tomcat service and the VVB engine.

To enable secure communications on the VXML Server, see Unified CVP VXML Server Setup Administration Guide for Cisco Unified Customer Voice Portal available at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-customer-voice-portal/products-user-guide-list.html.

To enable secure communications on the VXML Server (standalone), see Unified CVP VXML Server (Standalone) Setup Administration Guide for Cisco Unified Customer Voice Portal available at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-customer-voice-portal/products-user-guide-list.html.

Secure HTTPS Communication between Media Server and Cisco VVB

This section describes how to import certificate from IIS MediaServer to Cisco VVB and how to create IIS CA-signed certificate.

Procedure

Step 1

Enter https://<mediaserver>:443/ in the address bar of the web browser.

Step 2

In the Security Alert dialog box, click View Certificate.

Step 3

Click the Details tab

Step 4

Click Copy to File.

Step 5

In the Certificate Export Wizard dialog box, click Base-64 encoded X.509 (.CER), and then click Next.

Step 6

In the File to the Export dialog box, specify a file name, and then click Next.

Step 7

Click Finish.

A message indicates that the export was successful.
Step 8

Click OK and close the Security Alert dialog box.

Step 9

Copy the CVP MediaServer self-signed certificate downloaded from the CVP and upload into VVB against tomcat-trust.

Step 10

Go to OS Admin > Security > Certificate Management > Upload certificate/certificate chain > In Certificate Purpose* select tomcat-trust, choose the self-signed certificate of the Call Server and press Upload button.

Step 11

Restart Cisco VVB Engine.

Secure Communication on CUCM

You can secure communication on CUCM by:

  • Exchanging the self-signed certificates.

  • Signing the certificates by a Certificate Authority.

Self-Signed Certificate

Procedure

Step 1

Log in to the CUCM OS Administration page.

Step 2

Go to Security > Certificate Management.

Step 3

Click Generate Self-signed.

Step 4

On the pop-up window, click Generate button.

Step 5

Restart Tomcat from CUCM CLI by running utils service restart Cisco Tomcat.

Note 

Tomcat will take a few minutes to stop and then start. If you access the CUCM UI during this time, you may receive a 404 error.
Step 6

When the CUCM UI is available, open the CUCM OS Administration page.
Step 7

Go to Security > Certificate Management.

Step 8

Click Find and identify the Self-signed certificate generated by the system.

Step 9

Click the CallManager Certificate name.
Step 10

In the dialog box, click Download .PEM file.

CA-Signed Certificate

To configure TLS and SRTP, see Security Guide for Cisco Unified Communications Manager 11.6 available at https://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-maintenance-guides-list.html

Procedure

Step 1

Enter the following command in the CLI to set the CUCM in the mixed mode, and to register the endpoints in the encrypted mode:

admin: utils ctl set-cluster mixed-mode

This operation will set the cluster to Mixed mode.  Auto-registration is enabled on at least one CM node. Do you want to continue? (y/n):y

Moving Cluster to Mixed Mode
Cluster set to Mixed Mode
You must reset all phones to ensure they received the updated CTL file. 
You must restart Cisco CTIManager services on all the nodes in the cluster that have the service activated.
admin:
Step 2

Choose CUCM Admin Page > System > Enterprise Parameters. Check if Cluster Security Mode is set to 1.

Step 3

Set the minimum TLS version command from the CLI:

admin:set tls client min-version 1.2

**WARNING** If you are lowering the TLS version it can lead to security issues **WARNING**

Do you really want to continue (yes/no)?y
Execute this command in the other nodes of the cluster.

Restart the system using the command 'utils system restart' for the changes to take effect

Command successful
admin:set tls ser
admin:set tls server mi
admin:set tls server min-version?
Syntax:
set tls server min-version

admin:set tls server min-version 1.2

**WARNING** If you are lowering the TLS version it can lead to security issues **WARNING**

Do you really want to continue (yes/no)?y
Execute this command in the other nodes of the cluster.

Restart the system using the command 'utils system restart' for the changes to take effect

Command successful
admin:
Step 4

Create an encrypted phone profile and the SIP trunk profile. Associate them with the phone and CUCM SIP trunk.

Step 5

Go to System > Security > SIP Trunk Security Profile and create a new SIP trunk security profile.

Step 6

On CUCM SIP Trunk, check the SRTP Allowed check box.

Step 7

From SIP Trunk Security Profile drop-down list, choose TLS Secure Profile.

Step 8

Restart the TFTP and Cisco CallManager services on all the nodes in the cluster that run these services.

Step 9

Upload the root certificate generated from the CA to CUCM against CUCM-trust.

Step 10

Generate the CSR against CallManager and select the key-length as 2048.

Step 11

Sign the certificate on a CA https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118731-configure-san-00.html.

Step 12

Click Upload Certificate on CUCM by selecting the certificate name as CallManager.

On successful completion, CUCM displays the description as Certificate signed by <CA hostname>.

Step 13

Restart TFTP and Cisco CallManager services on all the nodes in the cluster that run these services.

Secure Communication between Ingress Gateway and Call Server

You can secure communication between the Ingress Gateway and the Call Server by:

  • Exchanging the self-signed certificates.

  • Signing the certificates by a Certificate Authority.

Self-Signed Certificate

To secure SIP connection between Cisco Ingress Gateway and Call Server, import the Call Server certificate on the IOS device during the device configuration.

Procedure

Step 1

Open the certificate that was exported in Step 1.

Step 2

Click View Certificate.

Step 3

Click the Details tab.

Step 4

Click Copy to File.

The Certificate ExportWizard window appears.
Step 5

Click Base-64 encoded X.509 (.CER), and then click Next.

Step 6

Specify a file name in the File to the Export dialog box, and then click Next.

Step 7

Click Finish. A message indicates that the export was successful.

Step 8

Click OK and close the Security Alert dialog box.

Step 9

Open the certificate in Notepad.
Step 10

Access the IOS ingress GW in the privileged EXEC mode.
Step 11

Access the global configuration mode by entering the configuration terminal.
Step 12

Import the CVP CallServer Certificate to Cisco IOS Gateway by entering the following commands:

crypto pki trustpoint <Call Server trust point name>
enrollment terminal

exit
Step 13

Open the exported Call Server certificate in Notepad and copy the certificate information that appears between the -BEGIN CERTIFICATE and END CERTIFICATE tags to the IOS device.

Step 14

Enter the following command:

crypto pki auth <Call Server  trust point name>
Step 15

Paste the certificate from Notepad and end with a blank line or the word quit on a line by itself.

Step 16

To generate the self-signed certificate of the Gateway, first generate 2048-bit RSA keys: 

crypto key generatersageneral-keys Label <Your Ingress GW trustpointname> modulus 2048
Step 17

Configure a trustpoint:


crypto pkitrustpoint<Your Ingress GW trustpointname>
enrollment selfsigned
fqdn none
subject-name CN=SIP-GW
rsakeypair <Your Ingress GW trustpoint name>

Router(config)# crypto pkienroll<Your Ingress GW trustpointname>
% The fully-qualified domain name will not be included in the certificate
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
Step 18

View the certificate in PEM format, and copy the Self-signed CA certificate (output starting from “----BEGIN” to “CERTIFICATE----“) to a file named ingress_gw.pem. 

Router(config)# crypto pki export <Your Ingress GW trustpoint name> pem terminal
% Self-signed CA certificate:
-----BEGIN CERTIFICATE-----
MIIB6zCCAVSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDEwZTSVAt
R1cwHhcNMTcwOTI2MTQ1MTE2WhcNMjAwMTAxMDAwMDAwWjARMQ8wDQYDVQQDEwZT
SVAtR1cwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKdSDxIj8T6UaYxgujMk
9B2d5dq3Ni8s1e4yfsSB1lbJ/AQk+aLDfE3/BeVkeXEjRCohhnZcEnMV4DdOPxj7
9MWzoJgxkMj7X3I6ijaL2Oll2iQuBcjiqYtAUPlxB3VTjqLMbxG30fb7xLCDTuo5
s07TLsE1AbxrbrH62Za/C0e5AgMBAAGjUzBRMA8GA1UdEwEB/wQFMAMBAf8wHwYD
VR0jBBgwFoAU+tJphvbvgc7yE6uqIh7VlgTrtPswHQYDVR0OBBYEFPrSaYb274HO
8hOrqiIe1ZYE67T7MA0GCSqGSIb3DQEBBQUAA4GBADRaW93OqErMEgRGWJJVLlbs
n8XnSbiw1k8KeY/AzgxBoBJtc0FKs4L0XUOEc6eHUKCHoks1FDV211MMlzPe7MAc
vDd7EV/abx2UdFSL9jjm/YzIleVUj8b0T3qNSfOqDtV5CyCjPichNa2eCR1bTmGx
o3HqLeEl/+66L/l74nlT
-----END CERTIFICATE-----

% General Purpose Certificate:
-----BEGIN CERTIFICATE-----
MIIB6zCCAVSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDEwZTSVAt
R1cwHhcNMTcwOTI2MTQ1MTE2WhcNMjAwMTAxMDAwMDAwWjARMQ8wDQYDVQQDEwZT
SVAtR1cwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKdSDxIj8T6UaYxgujMk
9B2d5dq3Ni8s1e4yfsSB1lbJ/AQk+aLDfE3/BeVkeXEjRCohhnZcEnMV4DdOPxj7
9MWzoJgxkMj7X3I6ijaL2Oll2iQuBcjiqYtAUPlxB3VTjqLMbxG30fb7xLCDTuo5
s07TLsE1AbxrbrH62Za/C0e5AgMBAAGjUzBRMA8GA1UdEwEB/wQFMAMBAf8wHwYD
VR0jBBgwFoAU+tJphvbvgc7yE6uqIh7VlgTrtPswHQYDVR0OBBYEFPrSaYb274HO
8hOrqiIe1ZYE67T7MA0GCSqGSIb3DQEBBQUAA4GBADRaW93OqErMEgRGWJJVLlbs
n8XnSbiw1k8KeY/AzgxBoBJtc0FKs4L0XUOEc6eHUKCHoks1FDV211MMlzPe7MAc
vDd7EV/abx2UdFSL9jjm/YzIleVUj8b0T3qNSfOqDtV5CyCjPichNa2eCR1bTmGx
o3HqLeEl/+66L/l74nlT
-----END CERTIFICATE-----
Step 19

Test your certificate.

show crypto pkicertificates
Step 20

To configure TLS version on the Gateway:


router# configure terminal
router(config)# sip-ua
router(config-sip-ua)# transport tcp tls <version>
v1.0 Enable TLS Version 1.0
v1.1 Enable TLS Version 1.1
v1.2 Enable TLS Version 1.2

Note: SIP TLS version 1.2 is available in Cisco IOS Software Release 15.6(1)T and higher.
Step 21

To check if the TLS version is negotiated:


router# show sip-ua connections tcp tls detail
Step 22

To enable SRTP on the incoming/outgoing dial-peer, specify SRTP: 

router# configure terminal
router(config)# dial-peer voice 100 voip
router(config-dial-peer)# srtp

Note: This command is supported in Cisco IOS Software Release 15.6(1)T and higher.
Step 23

Configure the SIP stack in Cisco IOS GW to use the self-signed certificate of the router to establish a SIP TLS connection from/to the CVP Call Server. 

router# configure terminal
router(config)# sip-ua
router(config-sip-ua)# crypto signaling remote-addr <peer IP address> <peer subnet mask> trustpoint <Your Ingress GW trustpoint name> strict-cipher

Example: 
sip-ua 
 crypto signaling remote-addr 10.48.54.89 255.255.255.255 trustpoint VG-SIP-1 strict-cipher
Step 24

Configure an outbound VoIP dial-peer to route calls to the CVP Call Server.

session target ipv4:<Call Server IP address>:5061
 session transport tcp tls

Example:
dial-peer voice 3 voip
 destination-pattern 82...
 session protocol sipv2
 session target ipv4:10.48.54.89:5061
 session transport tcp tls
 dtmf-relay rtp-nte
 codec g711ulaw
Step 25

To import GW or CUSP certificate into the CVP Call Server:

  1. Copy the Ingress GW/CUSP self-signed certificate to %CVP_HOME%\conf\security\ and import the certificate to the callserverkeystore. %CVP_HOME%\jre\bin\keytool.exe -import -trustcacerts -keystore %CVP_HOME%\conf\security\.keystore -storetypeJCEKS -alias gw_cert -file %CVP_HOME%\conf\security\<ingress GW\CUSP certificate name.pem>

  2. Enter the keystore password when prompted.

  3. A message appears on the screen: Trust this certificate? [no]: Enter yes.

  4. Use the list flag to check your keystore entries by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -list
Step 26

To change the supported TLS version from the OAMP UI, see Administration Guide for Cisco Unified Customer Voice Portal available at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-customer-voice-portal/products-user-guide-list.html.

Step 27

Restart the Call Server.

CA-Signed Certificate

For the configuration steps, see the latest Cisco Unified Border Element Configuration Guide available at https://www.cisco.com/c/en/us/support/unified-communications/unified-border-element/products-installation-and-configuration-guides-list.html.

Before you begin

  • To configure SIP TLS and SRTP on the gateway, apply a security-k9 license on the gateway.

  • Time sync all the nodes (CVP, VVB, Gateway) with an NTP server.

Procedure

Step 1

Create a 2048-bit RSA key. 

Router(config)# crypto key generate rsa general-keys Label keypairname modulus 2048  
   Generates 2048 bit RSA key pair. "keypairname" defines the name of the key pair.
Step 2

Create a trustpoint. A trustpoint represents a trusted CA. 


Example:

Router(config)# crypto pki trustpoint ms-ca-name
     Creates the trustpoint.

Router(config-pki-trustpoint)# enrollment terminal
 			Specifies cut and paste enrollment with this trustpoint.

Router(config-pki-trustpoint)# subject-name CN=sslvpn.mydomain.com,OU=SSLVPN,O=My Company Name,C=US,ST=Florida
    Defines x.500 distinguished name.

Router(config-pki-trustpoint)# rsakeypair keypairname
    Specifies key pair generated previously

Router(config-pki-trustpoint)# fqdn sslvpn.mydomain.com
   Specifies subject alternative name (DNS:).

Router(config-pki-trustpoint)# exit
Step 3

Create a CSR (Certificate Request) to give to the MS Certificate Server. 


Example:

Router(config)# crypto pki enroll ms-ca-name
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=Webvpn.cisco.com
% The subject name in the certificate will include: webvpn.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
! Displays the PKCS#10 enrollment request to the terminal.
! You will need to copy this from the terminal to a text
! file or web text field to submit to the 3rd party CA.

Certificate Request follows:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Redisplay enrollment request? [yes/no]: no

Router(config)#
Step 4

Sign the CSR with the root CA.

Step 5

Install the root certificate. 


Router(config)# crypto pki authenticate ms-ca-name
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END CERTIFICATE-----
quit

Certificate has the following attributes:
Fingerprint MD5: D5DF85B7 9A5287D1 8CD50F90 232DB534
Fingerprint SHA1: 7C4656C3 061F7F4C 0D67B319 A855F60E BC11FC44
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
Step 6

Install the signed certificate for the gateway: 


Router(config)# crypto pki import ms-ca-name certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END CERTIFICATE-----
quit
% Router Certificate successfully imported
Step 7

Test your certificate. 

show crypto pki certificates
Note 

  • To configure TLS version on the gateway: 

    router#
router# config terminal
router(config)# sip-ua
router(config-sip-ua)# transport tcp tls <version>
  v1.0  Enable TLS Version 1.0
  v1.1  Enable TLS Version 1.1
  v1.2  Enable TLS Version 1.2

  • To check if the TLS version is negotiated:

    router# show sip-ua connections tcp tls detail

  • To enable SRTP on the incoming/outgoing dial-peer, specify srtp: 

    
 router# configure terminal
 router(config)# dial-peer voice 100 voip
 router(config-dial-peer)# srtp
Step 8

Associate the created trustpoint in Step 2 with sip-ua. 


router# configure terminal
router(config)# sip-ua
router(config-sip-ua)# crypto signaling remote-addr <peer IP address> 
<peer subnet mask> trustpoint <trust point name created in step2>
Note 

Installing CVP Call/VXML Servers enables IIS (for media server functionality), which opens port 443 by default for TLS connections. This port allows TLSv1.0 and TLSv1.1 connections. To close these connections, change the Enabled value to 0 by selecting the Decimal option in the following registry keys:

  • TLSv1.0: HKEY-LOCAL-MACHINE \SYSTEM\CurrentControlSet\Control\SecurityProviders\

    SCHANNEL\Protocols\TLS1.0\Server\Enabled

  • TLSv1.1: HKEY-LOCAL-MACHINE\ SYSTEM\CurrentControlSet\Control\SecurityProviders\

    SCHANNEL\Protocols\TLS1.1\Server\Enabled

This disables ports 443 and 3389 for TLSv1.0 and TLSv1.1 server-side connections. While Windows 8 and Windows Server 2012 remote desktop clients work by default, Windows 7 and Windows Server 2008 remote desktop clients cannot connect to these servers for the RDP port (3389). To re-enable this port, install the patch available at https://support.microsoft.com/en-us/help/3080079/update-to-add-rds-

support-for-tls-1-1-and-tls-1-2-in-windows-7-or-wind.

Secure Communication on CUSP

You can secure communication on CUSP by:

  • Exchanging the self-signed certificates between the components.

  • Signing the certificates by a Certificate Authority.

CA-Signed Certificate

Procedure

Step 1

Create an RSA keypair in CUSP. From the CUSP foundation, enter the config mode and create the keypair:

democusp48(config)# crypto key generate rsa label <key-label> modulus 2048 default

Example 

democusp48# conf terminal
democusp48(config)# crypto key generate rsa label cusp48-ca modulus 2048 default
Key generation in progress. Please wait...
The label name for the key is cusp48-ca
Step 2

Generate CSR signed by CA by running democusp48(config)# crypto key certreq label <key-label> url ftp:

An FTP or HTTP server is required to export the CSR. Make sure the label in the command matches the label used to create the rsa private key.

Example 

democusp48(config)# crypto key certreq label cusp48-ca url ftp:  
Address or name of remote host? 10.64.82.176
Username (ENTER if none)? test 
Password (not shown)?  
Destination path? /cusp48-ca.csr Uploading CSR file succeed 
democusp48(config)#
Step 3

Import the CA server root certificate into CUSP by running: crypto key import trustcacert label <rootCA-label> terminal.

Example 

democusp48(config)# crypto key import trustcacert label rootCA terminal
Enter certificate...
End with a blank line or "quit" on a line by itself
-----BEGIN CERTIFICATE----- MIIEdTCCA12gAwIBAgIQaO1+pgDsy5lNqtF3E
epB4TANBgkqhkiG9w0BAQUFADBC MRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYK
CZImiZPyLGQBGRYHQVJUR1NPTDES MBAGA1UEAxMJU0lQUEhPTklYMB4XDTA3MDc
xMzExNTAyMVoXDTEyMDcxMzExNTgz MVowQjETMBEGCgmSJomT8ixkARkWA2NvbT
EXMBUGCgmSJomT8ixkARkWB0FSVEdT T0wxEjAQBgNVBAMTCVNJUFBIT05JWDCCA
SIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAKbepxqDVZ5uWUVMWx8VaHVG
geg4CgDbzCz8Na0XqI/0aR9lImgx1Jnf ZD0nP1QvgUFSZ2m6Ee/pr2SkJ5kJSZo
zSmz2Ge4sKjZZbgQHmljWv1DswVDw0nyV F71ULTaNpsh81JVF5t2lqm75UnkW4x
P5qQn/rgfXv/Xse9964kiZhZYjtt2Ixt2V3imhh1i228YTihnTY5c3L0vD30v8dH
newsaCKd/XU+czw8feWguXXCTovvXHIbFeHvLCk9FLDoV8n9PAIHWZRPnt+HQjsD
s+jaB3F9MPVYXYElpmWrpEPHUPNZG4LsFi 6tQtiRP2UANUkXZ9fvGZMXHCZOZJi
FUCAwEAAaOCAWUwggFhMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA
1UdDgQWBBR39nCk+FjRuAbWEof5na/+Sf58STCCAQ4GA1UdHwSCAQUwggEBMIH+o
IH7oIH4hoG4bGRhcDovLy9DTj1TSVBQSE9O SVgsQ049U0lQUEhPTklYLUlORElB
LENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBT ZXJ2aWNlcyxDTj1TZXJ2aWNlcyx
DTj1Db25maWd1cmF0aW9uLERDPUFSVEdTT0ws REM9Y29tP2NlcnRpZmljYXRlUm
V2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFz cz1jUkxEaXN0cmlidXRpb25Qb
2ludIY7aHR0cDovL3NpcHBob25peC1pbmRpYS5h cnRnc29sLmNvbS9DZXJ0RW5y
b2xsL1NJUFBIT05JWC5jcmwwEAYJKwYBBAGCNxUB BAMCAQAwDQYJKoZIhvcNAQE
FBQADggEBAHua4/pwvSZ48MNnZKdsW9hvuTV4jwtGErgc16bOR0Z1urRFIFr2NCP
yzZboTb+ZllkQPDMRPBoBwOVr7BciVyoTo7AKFheqYm9asXL18A6XpK/WqLjlCcX
rdzF8ot0o+dK05sd9ZG7hRckRhFPwwj5Z7z0Vsd/jcO51QjpS4rzMZZXK2FnRvng
d5xmp4U+yJtPyr8g4DyAP2/UeSKe0SEYoTV5x5FpdyF4veZneB7+ZfFntWFf4xwi
obf+UvW47W6pCj5nGLMBzOiaxeQ8pre+yjipL2ucWK4ynOfKzz4XlkfktITDSogQ
A1AS1quQVbKTKk+qLGD6Ml2P0LrcKQkk= 
-----END CERTIFICATE----- 
Certificate info
*******************************************
Owner: CN=cvpvb-GDESINGHROOTCA-CA, DC=cvpvb, DC=cisco, DC=com
Issuer: CN=cvpvb-GDESINGHROOTCA-CA, DC=cvpvb, DC=cisco, DC=com
Certificate fingerprint (MD5): 41:A2:31:9D:97:AF:A8:CA:60:FC:46:95:82:DE:78:03
Do you want to continue to import this certificate, additional validation will be perfom? [y/n]: y 
democusp48(config)#
Step 4

Import the signed certificate into CUSP by running crypto key import cer label <key-label> url terminal.

Example 

democusp48(config)# crypto key import cer label cusp48-ca terminal
Enter certificate...
End with a blank line or "quit" on a line by itself
-----BEGIN CERTIFICATE----- MIIFITCCBAmgAwIBAgIKGI1fqgAAAAAAEDAN
BgkqhkiG9w0BAQUFADBCMRMwEQYK CZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZ
PyLGQBGRYHQVJUR1NPTDESMBAGA1UE AxMJU0lQUEhPTklYMB4XDTA4MTIwOTA5M
DExOVoXDTA5MTIwOTA5MTExOVowYTEL MAkGA1UEBhMCJycxCzAJBgNVBAgTAicn
MQswCQYDVQQHEwInJzELMAkGA1UEChMC JycxCzAJBgNVBAsTAicnMR4wHAYDVQQ
DExVTT0xURVNUQ0MuYXJ0Z3NvbC5jb20w gZ8wDQYJKoZIhvcNAQEBBQADgY0AMI
GJAoGBAOZz88nK51bJYjWgvuv4Wx1CGxTN YWGyNg+vDyQgKBXlL7b1CqBx1Yjl4
eetO4LiKkW/y4jSv3nCxCAdOrMvVF5lxFmY baMlR1R/qMCLzAMvmsWlH6VY4rcf
FGkjed3zCcI6BJ6fG9H9dt1J+47iM7SdZYz/ NrEqDnrpoHaUxdzlAgMBAAGjggJ
8MIICeDAdBgNVHQ4EFgQUYXLxMfiZJP29UZ3w Mpj0e79sk4EwHwYDVR0jBBgwFo
AUd/ZwpPhY0bgG1hKH+Z2v/kn+fEkwggEOBgNV HR8EggEFMIIBATCB/qCB+6CB+
IaBuGxkYXA6Ly8vQ049U0lQUEhPTklYLENOPVNJ UFBIT05JWC1JTkRJQSxDTj1D
RFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs Q049U2VydmljZXMsQ049Q29
uZmlndXJhdGlvbixEQz1BUlRHU09MLERDPWNvbT9j ZXJ0aWZpY2F0ZVJldm9jYX
Rpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz dHJpYnV0aW9uUG9pbnSGO
2h0dHA6Ly9zaXBwaG9uaXgtaW5kaWEuYXJ0Z3NvbC5j b20vQ2VydEVucm9sbC9T
SVBQSE9OSVguY3JsMIIBIgYIKwYBBQUHAQEEggEUMIIB EDCBqAYIKwYBBQUHMAK
GgZtsZGFwOi8vL0NOPVNJUFBIT05JWCxDTj1BSUEsQ049 UHVibGljJTIwS2V5JT
IwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJh dGlvbixEQz1BUlRHU
09MLERDPWNvbT9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0 Q2xhc3M9Y2VydGlm
aWNhdGlvbkF1dGhvcml0eTBjBggrBgEFBQcwAoZXaHR0cDov L3NpcHBob25peC1
pbmRpYS5hcnRnc29sLmNvbS9DZXJ0RW5yb2xsL1NJUFBIT05J WC1JTkRJQS5BUl
RHU09MLmNvbV9TSVBQSE9OSVguY3J0MA0GCSqGSIb3DQEBBQUA A4IBAQAXm0MPu
eXcMYxQhVlPR/Yaxw0n2epeNRwsPP31Pr9Ak3SYSzhoMRVadJ3z K2gt4qiVV8wL
tzTO2o70JXKx+0keZdOX/DQQndxBkiBKqdJ2Qvipv8Z8k3pza3lN jANnYw6FL3/
Yvh+vWCLygEHfrUfKj/7H8GaXQVapj2mDs79/zgoSyIlo+STmwFWT GQy6iFO+pv
vMcyfjjv2dsuwt1Ml0nlict0LtkIKnRGLqnkA6sJo1P6kE+WK7n3P2 yho/Lg98q
vWl+1FRC18DrkUhpNiKXsP1ld9TcJGrdJP9zG7lI5Mf3Q/2NIAx2JZd ZVAsXZMN
smOsOrgXzkcU/xU3BXkX -----END CERTIFICATE-----  Import succeeded 
democusp48(config)#exit 
democusp48#
Step 5

You can list the certificates by running show crypto key all.

Example 

democusp48# sh crypto key all
Label name: rootca
Entry type: Trusted Certificate Entry
Creation date: Sat Jul 01 14:13:14 GMT+05:30 2017
Owner: CN=cvpvb-GDESINGHROOTCA-CA, DC=cvpvb, DC=cisco, DC=com
Issuer: CN=cvpvb-GDESINGHROOTCA-CA, DC=cvpvb, DC=cisco, DC=com
Valid from: Wed Mar 22 14:23:10 GMT+05:30 2017 until: Tue Mar 22 14:33:09 GMT+0
5:30 2022
Certificate fingerprint (MD5): 41:A2:31:9D:97:AF:A8:CA:60:FC:46:95:82:DE:78:03

Label name: cusp48-ca
Entry type: Key Entry
Creation date: Tue Jul 04 10:47:40 GMT+05:30 2017
Owner: CN=democusp48.cvpvb.cisco.com, OU='', O='', L='', ST='', C=''
Issuer: CN=cvpvb-GDESINGHROOTCA-CA, DC=cvpvb, DC=cisco, DC=com
SubjectAltName: DNS:democusp48.cvpvb.cisco.com
Valid from: Tue Jul 04 10:41:56 GMT+05:30 2017 until: Thu Jul 04 10:41:56 GMT+0
5:30 2019
Certificate fingerprint (MD5): 91:ED:83:CA:3B:37:16:E8:AB:07:EA:85:04:1A:D1:05

Configuration Changes for Ghostcat Vulnerability

To fix the Apache Tomcat AJP Local File Inclusion vulnerability (Ghostcat), configuration changes need to be done in OAMP and VXML server.

OAMP

Procedure

Step 1

Go to C:\Cisco\CVP\OPSConsoleServer\Tomcat\conf\server.xml.

Step 2

Update the following line as highlighted and save the file: 

Connector enableLookups="false" port="9009" protocol="AJP/1.3" redirectPort="9443" address="127.0.0.1"
Step 3

Go to C:\Cisco\CVP\wsm\Server\Tomcat\conf\server.xml.

Step 4

Update the following line as highlighted and save the file: 

Connector port="8101" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1"
Step 5

Restart the Web Services Manager, Resource Manager, and Operations Console services.

VXML Server

Procedure

Step 1

Go to C:\Cisco\CVP\VXMLServer\Tomcat\conf\server.xml.

Step 2

Update the following line as highlighted and save the file: 

Connector enableLookups="false" port="7009" protocol="AJP/1.3" redirectPort="7443" address="127.0.0.1"
Step 3

Go to C:\Cisco\CVP\wsm\Server\Tomcat\conf\server.xml.

Step 4

Update the following line as highlighted and save the file: 

Connector port="8101" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1"
Step 5

Restart the Web Services Manager, Resource Manager, and VXML services.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco