Introduction
This document describes the procedure to use SHA256 with CVP.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Components Used
The information in this document is based on CVP 10.5.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Starting in January 2016, all browsers reject SHA1-signed certificates. The requested services do not render correctly unless you move from SHA1 to SHA256.
With recent developments in computational algorithms and the explosive growth of computing capacity, SHA1 has grown weaker day by day. This led to a fundamental degradation of SHA1's collision resistance and to its eventual demise.
Configure
Certificate exchange procedure between the CVP Operations Console (OAMP) and the Call Server:
On OAMP
Step 1. Export OAMP CERT.
c:\Cisco\CVP\jre\bin\keytool.exe -export -v -keystore .keystore -storetype JCEKS -alias oamp_certificate -file oamp_security_76.cer
Step 2. Copy OAMP certificate to Callserver and import.
c:\Cisco\CVP\jre\bin\keytool.exe -import -trustcacerts -keystore .keystore -storetype JCEKS -alias orm_oamp_certificate -file oamp_security_76.cer
On Call Server
Step 1. Export CALLSERVER CERT.
c:\Cisco\CVP\jre\bin\keytool.exe -export -v -keystore .ormkeystore -storetype JCEKS -alias orm_certificate -file orm_security_108.cer
Step 2. Copy CALLSERVER CERT to OAMP and import.
c:\Cisco\CVP\jre\bin\keytool.exe -import -trustcacerts -keystore .keystore -storetype JCEKS -alias oamp_orm_certificate -file orm_security_108.cer
Step 3. Export orm certificate in Call Server keystore.
C:\Cisco\CVP\conf\security>c:\Cisco\CVP\jre\bin\keytool.exe -import -trustcacerts -keystore .keystore -storetype JCEKS -alias vxml_orm_certificate -file orm_security_108.cer
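After the exchange, a practitioner wants to confirm that none of the certificates now trusted in the .keystore or .ormkeystore is still SHA1-signed. The script below is an added example, not part of the original document: it parses the output of "keytool -list -v -keystore <keystore> -storetype JCEKS" (a constructed, shortened sample is embedded; the aliases and CNs are assumptions) and reports the aliases whose certificate signature algorithm is still SHA1 or MD5. It deliberately distinguishes the "Signature algorithm name:" line from the "SHA1:" fingerprint line, which is a digest of the certificate and says nothing about how it was signed.

```python
import re
from typing import Dict, List

# Constructed sample of "keytool -list -v" output (shortened; not captured
# from a real CVP server). Aliases follow the ones used in the procedure above.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

Alias name: oamp_certificate
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=oamp.example.test, OU=CVP, O=Example
Issuer: CN=oamp.example.test, OU=CVP, O=Example
Certificate fingerprints:
         SHA1: 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:00:11:22:33
         SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
Signature algorithm name: SHA256withRSA

*******************************************

Alias name: oamp_orm_certificate
Entry type: trustedCertEntry

Owner: CN=callserver.example.test, OU=CVP, O=Example
Issuer: CN=callserver.example.test, OU=CVP, O=Example
Certificate fingerprints:
         SHA1: FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
Signature algorithm name: SHA1withRSA
"""


def parse_signature_algorithms(listing: str) -> Dict[str, str]:
    """Map each alias to the signature algorithm of its first (entity) certificate.

    Only the 'Signature algorithm name:' line counts; the 'SHA1:' fingerprint
    line is a hash of the certificate, not the algorithm that signed it.
    """
    result: Dict[str, str] = {}
    alias = None
    for raw in listing.splitlines():
        line = raw.strip()
        m = re.match(r"Alias name:\s*(\S+)", line)
        if m:
            alias = m.group(1)
            continue
        m = re.match(r"Signature algorithm name:\s*(\S+)", line)
        if m and alias is not None and alias not in result:
            result[alias] = m.group(1)  # keep the first cert of the chain only
    return result


def weak_signed_aliases(listing: str) -> List[str]:
    """Aliases whose certificate is still signed with SHA1 or MD5."""
    return sorted(alias for alias, alg in parse_signature_algorithms(listing).items()
                  if alg.upper().startswith(("SHA1", "MD5")))
```

Run the same function over the real listing of each keystore (.keystore and .ormkeystore) after the exchange; any alias it returns still needs a SHA256-signed certificate.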
Verify
You can validate whether secure communication is established between the components. Navigate to OAMP Page > Device management > <managed server> > Statistics.
Stats must be displayed.
You can use JConsole to establish a connection if security is properly set up:
Step 1. The file c:\Cisco\CVP\conf\orm_jmx.conf on OAMP looks like this:
javax.net.debug = all
com.sun.management.jmxremote.ssl.need.client.auth = false
com.sun.management.jmxremote.authenticate = false
com.sun.management.jmxremote.port = 2099
com.sun.management.jmxremote.ssl = true
javax.net.ssl.keyStore=C:\Cisco\CVP\conf\security\.ormkeystore
javax.net.ssl.keyStorePassword=<local security password>
Step 2. Open JConsole from the command line with this command:
C:\Cisco\CVP\jre\bin>jconsole.exe -J-Djavax.net.ssl.trustStore=C:\Cisco\CVP\conf\security\.keystore -J-Djavax.net.ssl.trustStorePassword=<oamp security password/jconsole client> -J-Djavax.net.ssl.keyStore=C:\Cisco\CVP\conf\security\.keystore -J-Djavax.net.ssl.keyStorePassword=<oamp security password/jconsole client> -J-Djavax.net.ssl.keyStoreType=JCEKS -debug -J-Djavax.net.ssl.trustStoreType=JCEKS
Key in <managed server ip>:<secure jmx port eg:2099> in the Remote Process field.
Note: JConsole must connect without prompting you to bypass the secure method.
Step 3. Run Wireshark while the JConsole connection is invoked. The capture gives you insight into the details negotiated during the security handshake.
Traces in JMX
The implementation of JMX uses java.util.logging to log debug traces. Many of these traces concern internal unexposed classes, but they can help you understand what is going on with your application.
The JMX implementation has two sets of loggers:
javax.management.*: all loggers related to the JMX API
javax.management.remote.*: loggers specifically related to the JMX Remote API
You can find a more complete description of JMX Loggers here.
You can activate the JMX traces in two different ways:
- Statically, with the use of a logging.properties file
- Dynamically, with the use of a JMXTracing MBean. In Java SE 6, you can do this for an application, even if the JMX connector is not enabled on the command line.
Use a logging.properties file
Start your application with these flags:
java -Djava.util.logging.config.file=<logging.properties> ....
where logging.properties activates traces for JMX loggers:
# Only the console handler is installed; the FileHandler settings below
# take effect only if java.util.logging.FileHandler is added to "handlers".
handlers= java.util.logging.ConsoleHandler
.level=INFO
java.util.logging.FileHandler.pattern = %h/java%u.log
java.util.logging.FileHandler.limit = 50000
java.util.logging.FileHandler.count = 1
java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
java.util.logging.ConsoleHandler.level = FINEST
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
# Use FINER or FINEST for javax.management.remote.level - FINEST is
# very verbose...
#
javax.management.level=FINEST
javax.management.remote.level=FINER