Name
|
Enter a name for the security profile.
When you save the new profile, the name displays in the Device Security Profile drop-down list in the Phone Configuration window for the phone type and protocol.
Tip
|
Include the device model and protocol in the security profile
name to help you find the correct profile when you are searching for or
updating a profile.
|
|
Description
|
Enter a description for the security profile.
|
Nonce Validity Time
|
Enter the number of seconds that the nonce value is valid. The default value equals 600 (10 minutes). When the
time expires, Unified Communications Manager generates a new value.
Note
|
A nonce value is a random string that Unified Communications Manager generates and includes in its digest authentication challenge. The phone folds the nonce into the MD5 hash
that it computes over the digest authentication password, so a captured response cannot be replayed once the nonce has expired.
|
|
Device Security Mode
|
From the drop-down list, choose one of the following options:
-
Non Secure—No security features except image, file, and device authentication exist for the phone. An unencrypted TCP or UDP connection (see Transport Type) opens to Unified Communications Manager.
-
Authenticated—Unified Communications Manager provides integrity and authentication for the phone. A TLS connection that uses the NULL_SHA cipher (SHA-1 integrity protection, no encryption) opens for signaling; the signaling is authenticated but readable on the wire.
-
Encrypted—Unified Communications Manager provides integrity, authentication, and encryption for the phone. A TLS connection that uses AES128/SHA opens for signaling,
and SRTP carries the media for all phone calls on all SRTP-capable hops.
Note
|
If a trunk's Device Security Profile is set to Authenticated, Unified Communications Manager starts a TLS connection that uses the NULL_SHA cipher (integrity only, no data encryption). Such trunks will not register or place calls
if the destination device does not support the NULL_SHA cipher. For destination devices that do not support NULL_SHA,
configure the trunk's Device Security Profile as Encrypted. With that profile, the trunk offers additional TLS ciphers
that provide data encryption, and the peer can select one of them.
|
|
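Whether a far-end device can complete a handshake with an Authenticated-mode trunk is decided by the cipher suites it offers in its TLS ClientHello, which is visible in a packet capture of the SIP-TLS port. The following is an added example, not Cisco code: it parses a ClientHello record, lists the offered suites, and separates NULL-encryption (integrity-only) suites such as TLS_RSA_WITH_NULL_SHA from suites that also encrypt. The two ClientHello messages are constructed inline by the builder function (a practitioner would substitute the bytes of a captured record); the suite IDs and names come from the IANA TLS cipher-suite registry.

```python
"""Classify the TLS cipher suites a SIP-TLS peer offers, from a captured ClientHello.
Added example (not Cisco code); sample ClientHello messages are constructed below."""
import struct

# IANA registry names for the suite IDs used in the constructed samples.
SUITE_NAMES = {
    0x0002: "TLS_RSA_WITH_NULL_SHA",             # the NULL_SHA suite used in Authenticated mode
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",      # AES128/SHA, as used in Encrypted mode
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
RENEGOTIATION_SCSV = 0x00FF  # signalling value, not a real cipher suite
NULL_SHA = 0x0002


def parse_client_hello(record: bytes) -> dict:
    """Return the client version and offered cipher-suite IDs of a ClientHello carried
    in one TLS handshake record. Raises ValueError for anything else or for truncation."""
    if len(record) < 5 or record[0] != 0x16:            # record type 22 = handshake
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x01:  # handshake type 1 = ClientHello
        raise ValueError("record is truncated or is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:              # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ClientHello")
    (version,) = struct.unpack("!H", hello[0:2])
    off = 34
    off += 1 + hello[off]                                # skip session_id
    if off + 2 > len(hello):
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack("!H", hello[off:off + 2])
    off += 2
    if cs_len == 0 or cs_len % 2 or off + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    return {"version": version, "cipher_suites": suites}


def classify_suites(suites) -> dict:
    """Split offered suites into integrity-only (NULL encryption), encrypting, and unknown."""
    report = {"null_encryption": [], "encrypting": [], "unknown": []}
    for s in suites:
        if s == RENEGOTIATION_SCSV:
            continue
        name = SUITE_NAMES.get(s)
        if name is None:
            report["unknown"].append(f"0x{s:04X}")
        elif "_NULL_" in name:
            report["null_encryption"].append(name)
        else:
            report["encrypting"].append(name)
    return report


def offers_null_sha(record: bytes) -> bool:
    """Could this peer complete a handshake with an Authenticated-mode trunk, which offers only NULL_SHA?"""
    return NULL_SHA in parse_client_hello(record)["cipher_suites"]


def build_client_hello(suites, version=0x0303) -> bytes:
    """Assemble a minimal TLS 1.2 ClientHello: a constructed stand-in for a captured record."""
    client_random = bytes(range(32))                     # fixed bytes; constructed sample only
    hello = struct.pack("!H", version) + client_random + b"\x00"   # empty session_id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello += struct.pack("!H", len(cs)) + cs
    hello += b"\x01\x00"                                 # compression_methods: null only
    hello += b"\x00\x00"                                 # empty extensions block
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a peer that can talk to an Authenticated-mode trunk, and an
# Encrypted-only peer that would fail against it.
AUTHENTICATED_CAPABLE_PEER = build_client_hello([NULL_SHA, 0x002F, 0x0035, RENEGOTIATION_SCSV])
ENCRYPTED_ONLY_PEER = build_client_hello([0xC02F, 0x003C, 0x002F, RENEGOTIATION_SCSV])

if __name__ == "__main__":
    for label, rec in (("authenticated-capable", AUTHENTICATED_CAPABLE_PEER),
                       ("encrypted-only", ENCRYPTED_ONLY_PEER)):
        suites = parse_client_hello(rec)["cipher_suites"]
        print(label, classify_suites(suites), "offers NULL_SHA:", offers_null_sha(rec))
```

The parser stops after the cipher_suites vector because that is all the trunk question needs; extensions are not examined. If the peer's ClientHello shows no NULL-encryption suite, the page's advice applies: move the trunk's profile to Encrypted so that an encrypting suite can be negotiated.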
Transport Type
|
When Device Security Mode is Non Secure, choose one of the following options from the drop-down list (some options may not display):
-
TCP—Choose the Transmission Control Protocol for reliable, in-order delivery: lost segments are retransmitted and packets are handed to SIP in the order in which they
were sent. TCP provides no security; the signaling travels in cleartext.
-
UDP—Choose the User Datagram Protocol for low-latency delivery. UDP can drop packets and does not guarantee that packets arrive in the order in which they
were sent. This protocol does not provide any security.
-
TCP + UDP—Choose this option if you want to use a combination of TCP and UDP. This option does not provide any security.
When Device Security Mode is Authenticated or Encrypted, TLS specifies the Transport Type. TLS provides signaling integrity, device authentication, and signaling encryption (encrypted
mode only) for SIP phones.
If Device Security Mode cannot be configured in the profile, the
transport type specifies UDP.
|
Enable Digest Authentication
|
If you check this check box, Unified Communications Manager challenges all SIP requests from the phone with a digest authentication challenge.
Digest authentication alone does not provide device authentication, signaling integrity, or confidentiality. Choose a Device Security Mode of Authenticated
or Encrypted to obtain those features.
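The Nonce Validity Time and Enable Digest Authentication settings describe the two halves of one exchange: the server challenges with a nonce, the phone answers with an MD5 digest over its credentials and that nonce, and the server rejects answers whose nonce has aged past the validity window. The following is an added example, not Cisco code, that carries the exchange through on both sides. It assumes the default realm ccmsipline (CUCM's SIP Realm service parameter; treated as an assumption here), uses a constructed device name and password, and embeds the issue time in the nonce under an HMAC so that validity can be checked statelessly; the real product's nonce format is not described on this page and is not claimed here. The digest itself is the RFC 2617 computation that SIP (RFC 3261 section 22) reuses, so the RFC's published test vector is checkable against it.

```python
"""SIP digest authentication with a time-limited nonce (RFC 3261 section 22 / RFC 2617).
Added example (not Cisco code). Realm, credentials, times and the nonce layout are assumptions."""
import hashlib
import hmac
import os
import re

REALM = "ccmsipline"            # CUCM's default SIP Realm; an assumption for this example
NONCE_VALIDITY_SECONDS = 600    # the page's default Nonce Validity Time (10 minutes)
SERVER_SECRET = os.urandom(32)  # per-process key that lets the server recognise its own nonces


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def make_nonce(now: float, secret: bytes = SERVER_SECRET) -> str:
    """Nonce = '<issue time>:<HMAC(secret, issue time)>': stateless, and it carries its own age."""
    issued = str(int(now))
    tag = hmac.new(secret, issued.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{issued}:{tag}"


def nonce_is_valid(nonce: str, now: float, secret: bytes = SERVER_SECRET,
                   validity: int = NONCE_VALIDITY_SECONDS) -> bool:
    """Reject forged nonces (bad tag), nonces from the future, and nonces older than the window."""
    try:
        issued, tag = nonce.split(":", 1)
        age = now - int(issued)
    except ValueError:
        return False
    expected = hmac.new(secret, issued.encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(tag, expected) and 0 <= age <= validity


def challenge(now: float, realm: str = REALM) -> str:
    """WWW-Authenticate header of the 401 that the server returns to an unauthenticated request."""
    return f'WWW-Authenticate: Digest realm="{realm}", nonce="{make_nonce(now)}", algorithm=MD5, qop="auth"'


def digest_response(username, password, method, uri, nonce, cnonce,
                    nc="00000001", qop="auth", realm=REALM) -> str:
    """RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2),
    HA1 = MD5(username:realm:password), HA2 = MD5(method:uri)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def authorization_header(username, password, method, uri, nonce, cnonce) -> str:
    """What the phone sends when it retries the challenged request."""
    resp = digest_response(username, password, method, uri, nonce, cnonce)
    return (f'Authorization: Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5, cnonce="{cnonce}", nc=00000001, qop=auth')


def parse_digest_params(header: str) -> dict:
    """Split a Digest header into its key=value parameters (quoted or bare)."""
    body = header.split("Digest", 1)[1]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', body)}


def verify(auth_header: str, method: str, credentials: dict, now: float) -> str:
    """Server-side check: 'ok', 'stale' (re-challenge with stale=true) or 'bad' (wrong credentials)."""
    p = parse_digest_params(auth_header)
    if not nonce_is_valid(p.get("nonce", ""), now):
        return "stale"
    password = credentials.get(p.get("username"))
    if password is None:
        return "bad"
    expected = digest_response(p["username"], password, method, p.get("uri", ""), p["nonce"],
                               p.get("cnonce", ""), p.get("nc", "00000001"), p.get("qop", "auth"))
    return "ok" if hmac.compare_digest(expected, p.get("response", "")) else "bad"


def demo() -> dict:
    """One REGISTER exchange plus its failure modes. Device name, password and clock are constructed."""
    creds = {"SEP001122334455": "phone-digest-pw"}
    t0 = 1_700_000_000.0
    nonce = parse_digest_params(challenge(t0))["nonce"]
    auth = authorization_header("SEP001122334455", "phone-digest-pw", "REGISTER",
                                "sip:ucm.example.com", nonce, "0a4f162f")
    return {
        "fresh": verify(auth, "REGISTER", creds, t0 + 30),
        "expired": verify(auth, "REGISTER", creds, t0 + NONCE_VALIDITY_SECONDS + 1),
        "wrong_password": verify(auth, "REGISTER", {"SEP001122334455": "guess"}, t0 + 30),
        "forged_nonce": verify(auth.replace(nonce, "1700000000:0000"), "REGISTER", creds, t0 + 30),
    }


if __name__ == "__main__":
    print(demo())
```

The "expired" case is the one the Nonce Validity Time setting governs: the same Authorization header that was accepted 30 seconds after the challenge is answered with a fresh challenge once the window has passed, which bounds how long a captured response is useful to an attacker. Note that the exchange protects only the password; the request itself, and every response, is still readable and modifiable in transit unless the profile also uses an Authenticated or Encrypted Device Security Mode.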
|
TFTP Encrypted Config
|
When this check box is checked, Unified Communications Manager encrypts the configuration file that the phone downloads from the TFTP server. This option exists for Cisco phones only.
Tip
|
We recommend that you enable this option and configure a symmetric key to secure digest credentials and administrative passwords. TFTP itself offers no confidentiality, so without an encrypted configuration file these values cross the network in the clear and can be read by anyone on the path between the phone and the TFTP server.
|
|
Enable OAuth Authentication
|
This check box is available when you choose Encrypted from the Device Security Mode drop-down list.
When this check box is checked, Unified Communications Manager allows the device that is associated with the phone security profile to register on the SIP OAuth port. By default, this
check box is unchecked.
You can enable the SIP OAuth when:
-
Transport type is TLS.
-
Device security mode is encrypted.
-
Digest authentication is disabled.
-
Encrypted configuration is disabled.
Note
|
From Unified Communications Manager Release 12.5, Jabber devices support SIP OAuth authentication.
|
|
Exclude Digest Credentials in Configuration File
|
When this check box is checked, Unified Communications Manager omits digest credentials from the configuration file that the phone downloads from the TFTP server. This option exists for Cisco IP Phones 7942 and 7962
(SIP only).
|
Authentication Mode
|
This field allows you to choose the authentication method that
the phone uses during the CAPF certificate operation. This option exists for
Cisco phones only.
From the drop-down list, choose one of the following options:
-
By Authentication String—Installs, upgrades, or troubleshoots a locally significant certificate only when the user enters the CAPF authentication
string on the phone.
-
By Null String—Installs, upgrades, or troubleshoots a locally significant certificate without user intervention.
This option provides no security; we recommend that you choose this option only for closed, secure environments.
-
By Existing Certificate (Precedence to LSC)—Installs, upgrades, or troubleshoots a locally significant certificate if a manufacturer-installed certificate (MIC) or locally
significant certificate (LSC) exists in the phone. If an LSC exists in the phone, authentication occurs through the LSC, regardless
of whether a MIC exists in the phone. If an LSC does not exist in the phone but a MIC does, authentication occurs through
the MIC.
Before you choose this option, verify that a certificate exists in the phone. If you choose this option and no certificate
exists in the phone, the operation fails.
At any time, the phone uses only one certificate to authenticate to CAPF although a MIC and an LSC can exist in the phone
at the same time. If the primary certificate, which takes precedence, becomes compromised for any reason, or, if you want
to authenticate through the other certificate, you must update the authentication mode.
-
By Existing Certificate (Precedence to MIC)—Installs, upgrades, or troubleshoots a locally significant certificate if an LSC or MIC exists in the phone. If a MIC exists
in the phone, authentication occurs through the MIC, regardless of whether an LSC exists in the phone. If an LSC exists in the
phone but a MIC does not, authentication occurs through the LSC.
Before you choose this option, verify that a certificate exists in the phone. If you choose this option and no certificate
exists in the phone, the operation fails.
Note
|
The CAPF settings that are configured in the Phone Security Profile window interact with the CAPF parameters that are configured in the Phone Configuration window.
|
|
Key Size
|
For this setting that is used for CAPF, choose the key size for the certificate from the drop-down list. The default setting
equals 1024. The other option for key size is 512. A 512-bit RSA key offers no meaningful protection (moduli of that size have been factored publicly since 1999) and should not be used for an LSC; keep the default or choose a larger key where the phone supports one.
If you choose a larger key size, the phone takes longer to gather the entropy that key generation requires. Key generation runs
at low priority, so the phone keeps functioning while it occurs. Depending on the phone model, key generation can take
30 minutes or more to complete.
Note
|
The CAPF settings that are configured in the Phone Security Profile window interact with the CAPF parameters that are configured in the Phone Configuration window.
|
|
SIP Phone Port
|
This setting applies to phones that are running SIP over UDP transport.
Enter the port number on which Cisco Unified IP Phones (SIP only) that use UDP listen for SIP messages from Unified Communications Manager. The default setting equals 5060.
Phones that use TCP or TLS ignore this setting.
|