Cisco Unity Installation Guide (With Microsoft Exchange), Release 4.0(3)
Appendix E: Manual Procedures for Setting Up Cisco Unity to Use SSL

Manual Procedures for Setting Up Cisco Unity to Use SSL


The procedures for installing Cisco Unity include a partially automated process for setting up Cisco Unity to use SSL. This chapter describes how to do the same setup manually.

In this chapter, you do the following tasks in the order listed:

1. Determine whether to set up Cisco Unity to use SSL for all Cisco Unity web applications. See the "Determining Whether to Set Up Cisco Unity to Use SSL" section.

2. Set up Cisco Unity to use SSL, if applicable. See the "Manually Setting Up Cisco Unity to Use SSL" section.

3. Optional: Distribute the root certificate to the trusted root store for the domain, if applicable. See the "Distributing the Root Certificate to the Trusted Root Store for All Users in the Domain (Optional)" section.

Manually Setting Up Cisco Unity to Use SSL

This section contains procedures on how to use Microsoft Certificate Services to issue your own certificate and how to set up Cisco Unity to use SSL.

If you purchased a certificate from a CA, refer to the procedures provided by the CA to set up Cisco Unity to use SSL.

To use Microsoft Certificate Services to issue your own certificate and to enable Cisco Unity to use SSL, do the six procedures in this section in the order listed.

Note that Windows and IIS online documentation offer procedures similar to the ones presented in this section. The Microsoft documentation also contains procedures on how to install, configure, and use Certificate Services, and to enable a web server to use SSL in alternative ways—some of which may be more applicable to your organization than the method presented here.

To Install the Microsoft Certificate Services Component


Step 1 On the server that will serve as your Certificate Authority (CA) and issue certificates, on the Windows Start menu, click Settings > Control Panel > Add/Remove Programs.

Step 2 Click Add/Remove Windows Components.

Step 3 In the Windows Components dialog box, check the Certificate Services check box. Do not change any other items. When the warning appears about not being able to rename the computer, or join or be removed from a domain, click Yes.

Step 4 Click Next.

Step 5 Click Stand-alone Root CA, and click Next. (A stand-alone CA is a CA that does not require Active Directory.)

Step 6 Follow the on-screen prompts to complete the installation. For information, refer to the Windows documentation.

If a message appears that Internet Information Services is running on the computer and must be stopped before proceeding, click OK to stop the service.

Step 7 In the Completing the Windows Components Wizard dialog box, click Finish.

Step 8 Close the Add/Remove Programs dialog box and Control Panel.


To Create a Certificate Request


Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Internet Services Manager.

Step 2 Expand the name of the Cisco Unity server.

Step 3 Right-click Default Web Site, and click Properties.

Step 4 In the Default Web Site Properties dialog box, click the Directory Security tab.

Step 5 Under Secure Communications, click Server Certificate.

Step 6 On the Web Server Certificate Wizard welcome window, click Next.

Step 7 Click Create a New Certificate, and click Next.

Step 8 Click Prepare the Request Now, But Send It Later, and click Next.

Step 9 Enter a name and a bit length for the certificate.

We strongly recommend that you choose a bit length of 512. Greater bit lengths may decrease performance.

Step 10 Click Next.

Step 11 Enter the organization information, and click Next.

Step 12 For the site's common name, enter either the Cisco Unity server's system name or the fully qualified domain name.


Caution: The name must exactly match the host portion of any URL that will access this system using a secure connection.

Step 13 Click Next.

Step 14 Enter the geographical information, and click Next.

Step 15 Specify the certificate request file name and location, and click Next.

Save the file to a disk or to a directory that the Certification Authority server can access.

Step 16 Verify the request file information, and click Next.

Step 17 Click Finish to close the Web Server Certificate wizard.

Step 18 Click OK to close the Default Web Site Properties dialog box.

Step 19 Close the Internet Services Manager window.
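
The Caution in Step 12 can be checked against the URLs that subscribers and administrators will actually use before the request file is submitted. The following Python check is an added example, not part of the Cisco procedure; the host names, address and paths are constructed placeholders, and the comparison assumes the exact, case-insensitive host match that the Caution describes.

```python
from urllib.parse import urlsplit
import ipaddress

def url_host(url):
    """Return the host portion of a URL, without port, lowercased."""
    host = urlsplit(url).hostname or ""   # .hostname drops port and userinfo
    return host.rstrip(".")

def check_url(common_name, url):
    """Return (ok, reason) for one URL against the certificate's common name."""
    # Assumption: exact, case-insensitive match on the host portion (Step 12 Caution).
    cn = common_name.strip().lower().rstrip(".")
    host = url_host(url)
    if urlsplit(url).scheme != "https":
        return False, "not an https URL"
    if not host:
        return False, "no host in URL"
    if host == cn:
        return True, "host matches common name"
    try:
        ipaddress.ip_address(host)
        return False, "IP address used instead of the certificate name"
    except ValueError:
        pass
    if host.split(".")[0] == cn.split(".")[0]:
        return False, "same server, but short name and FQDN differ"
    return False, "different host name"

def audit(common_name, urls):
    """Map each URL to its (ok, reason) result."""
    return {u: check_url(common_name, u) for u in urls}

# Constructed sample input: names, address and paths are placeholders.
SAMPLE_CN = "unity01.example.com"
SAMPLE_URLS = [
    "https://unity01.example.com/web/",
    "https://UNITY01.example.com:443/web/",
    "https://unity01/web/",
    "https://192.0.2.10/web/",
    "http://unity01.example.com/web/",
]

if __name__ == "__main__":
    for url, (ok, reason) in audit(SAMPLE_CN, SAMPLE_URLS).items():
        print("OK  " if ok else "WARN", url, "-", reason)
```

Every URL reported as WARN would produce a browser name-mismatch warning, or fail outright, with a certificate issued for that common name.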


To Submit the Certificate Request


Step 1 On the CA, on the Windows Start menu, click Run, then run certreq.

Step 2 Browse to the directory where you saved the certificate request file, and double-click it.

Step 3 Click the CA to use, and click OK.


Once the CA processes the certificate request, it assigns a pending status by default for added security. This requires a person to verify the authenticity of the request and to manually issue the certificate on the virtual directories that will use it. The following two procedures guide you through the process.

To Issue the Certificate


Step 1 On the CA, on the Windows Start menu, click Programs > Administrative Tools > Certification Authority.

Step 2 In the left pane of the Certification Authority window, expand Certification Authority.

Step 3 Expand <Certification Authority name>.

Step 4 Click Pending Requests.

Step 5 In the right pane, right-click the request, and click All Tasks > Issue.

Step 6 In the left pane, click Issued Certificates.

Step 7 In the right pane, double-click the certificate to open it.

Step 8 Click the Details tab.

Step 9 In the Show list, choose All, and click Copy to File.

Step 10 On the Certificate Export Wizard welcome window, click Next.

Step 11 Accept the default export file format, DER encoded binary X.509 (.CER), and click Next.

Step 12 Specify a file name, and a location that the Cisco Unity server can access, and click Next.

Step 13 Verify the settings, and click Finish.

Step 14 Click OK to close the Certificate Details dialog box.

Step 15 Close the Certification Authority window.


To Install the Certificate


Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Internet Services Manager.

Step 2 Expand the name of the Cisco Unity server.

Step 3 Right-click Default Web Site, and click Properties.

Step 4 In the Properties dialog box, click the Directory Security tab.

Step 5 Under Secure Communications, click Server Certificate.

Step 6 On the Web Server Certificate Wizard welcome screen, click Next.

Step 7 Click Process the Pending Request and Install the Certificate, and click Next.

Step 8 Browse to the directory of the certificate (.cer) file, and double-click it.

Step 9 Verify the certificate information, and click Next.

Step 10 Click Finish to close the Web Server Certificate wizard window.

Step 11 Click OK to close the Default Web Site Properties dialog box.

Step 12 Close the Internet Services Manager window.


To Enable IIS to Use SSL


Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Internet Services Manager.

Step 2 Expand the name of the Cisco Unity server.

Step 3 Under Default Web Site, right-click Web, and click Properties.

Step 4 In the Properties dialog box, click the Directory Security tab.

Step 5 Under Secure Communications, click Edit.

Step 6 Check the Require Secure Channel (SSL) check box.

Step 7 Click OK to close the Secure Communications dialog box.

Step 8 Click OK to close the Default Web Site Properties dialog box.

Step 9 Under Default Web Site, right-click Jakarta, and click Properties.

Step 10 In the Properties dialog box, click the Directory Security tab.

Step 11 Under Secure Communications, click Edit.

Step 12 Check the Require Secure Channel (SSL) check box.

Step 13 Click OK to close the Secure Communications dialog box.

Step 14 Click OK to close the Default Web Site Properties dialog box.

Step 15 Close the Internet Services Manager window.


Distributing the Root Certificate to the Trusted Root Store for All Users in the Domain (Optional)

Once Cisco Unity is set up to use SSL, the Cisco Unity Administrator, Status Monitor, and the Cisco PCA web applications automatically use an SSL connection every time a subscriber points the browser to their respective websites. An SSL connection means that Cisco Unity offers the digital certificate that you issued in the "Manually Setting Up Cisco Unity to Use SSL" section as proof of its identity each time the subscriber tries to access the Cisco Unity Administrator, Status Monitor, or Cisco PCA. Until the certificate is added to the trusted root store on the subscriber computer, the browser will display a message to alert the subscriber that the authenticity of the site cannot be verified and, therefore, its content cannot be trusted.

You can distribute the certificate to the trusted root store for all users in the domain by adding it to the Group Policy. Before doing so, discuss it with the network administrator for the organization. If the solution is not acceptable, the Cisco Unity system administrator can tell subscribers how to add the certificate to the trusted root store on their own computers. (This can be done later when the administrators set up subscribers to use the Cisco PCA.)

Do the following two procedures in the order listed.

To Export the CA Root Certificate


Step 1 On the CA, on the Windows Start menu, click Programs > Administrative Tools > Certification Authority.

Step 2 In the left pane of the Certification Authority window, right-click <Root Certification Authority name>, and click Properties.

Step 3 Click View Certificate.

Step 4 Click the Details tab.

Step 5 In the Show list, choose All, and click Copy to File.

Step 6 On the Certificate Export Wizard welcome screen, click Next.

Step 7 Accept the default export file format, DER encoded binary X.509 (.CER), and click Next.

Step 8 Specify a file name, and a location, and click Next.

The location must be accessible to the Domain Admin account that will modify the group policy.

Step 9 Verify the settings, and click Finish.

Step 10 Click OK to close the Certificate Details dialog box.

Step 11 Click OK to close the Properties dialog box for the Root Certification Authority.

Step 12 Close the Certification Authority window.


To Add the Root Certificate to the Domain Group Policy for Trusted Root Certification Authorities


Step 1 On the CA server, log on to Windows by using an account that is a member of the Domain Admins group.

Step 2 On the Windows Start menu, click Run, then run mmc.

Step 3 On the top menu, click Console.

Step 4 Click Add/Remove Snap-in.

Step 5 On the Standalone tab, click Add.

Step 6 In the Add Standalone Snap-in dialog box, click Group Policy, and click Add.

Step 7 Click Browse.

Step 8 In the Browse for a Group Policy Object dialog box, click the Domains/OUs tab.

Step 9 In the Look In list, select the domain to which the Cisco Unity server belongs.

Step 10 In the Domains, OUs, and Linked Group Policy Objects list, click Default Domain Policy, and click OK.

Step 11 Click Finish.

Step 12 Close the Add Standalone Snap-in dialog box.

Step 13 Click OK to close the Add/Remove Snap-in dialog box.

Step 14 In the left pane of the console window, expand Default Domain Policy for the Cisco Unity server's domain.

Step 15 Click Computer Configuration > Windows Settings > Security Settings > Public Key Policies.

Step 16 Right-click Trusted Root Certification Authorities, and click All Tasks > Import.

Step 17 On the Certificate Import Wizard welcome screen, click Next.

Step 18 Browse to the location of the saved Root Certification Authority certificate, and double-click it.

Step 19 Click Next.

Step 20 Accept the default for the certificate store, and click Next.

Step 21 Verify the settings, and click Finish.

Step 22 Save the console settings.

Step 23 Close the console window.