Security

This chapter describes Certificate Management and IPSec Management and provides procedures for performing the following tasks:

Set Internet Explorer Security Options

To download certificates from the server, ensure your Internet Explorer security settings are configured as follows:

Procedure


Step 1 Start Internet Explorer.

Step 2 Navigate to Tools > Internet Options.

Step 3 Click the Advanced tab.

Step 4 Scroll down to the Security section on the Advanced tab.

Step 5 If necessary, clear the Do not save encrypted pages to disk check box.

Step 6 Click OK.


 

Manage Certificates and Certificate Trust Lists

The following topics describe the functions that you can perform from the Certificate Management menu:

Note To access the Security menu items, you must log in to Cisco Unified Communications Operating System Administration again by using your administrator password.


Display Certificates

To display existing certificates, follow this procedure:

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 You can use the Find controls to filter the certificate list.

Step 3 To view the details of a certificate or trust store, click the file name of the certificate under Common Name.

The Certificate Details window displays information about the certificate.

Step 4 To return to the Certificate List window, click Close on the Certificate Details window.


 

Download a Certificate

To download a certificate from the Cisco Unified Communications Operating System to your PC, follow this procedure:

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 You can use the Find controls to filter the certificate list.

Step 3 Click the file name of the certificate under Common Name.

The Certificate Details window displays.

Step 4 Click Download .PEM File or Download .DER File.

Step 5 In the File Download dialog box, click Save.


 

Delete and Regenerate a Certificate

These sections describe deleting and regenerating a certificate:

Deleting a Certificate

To delete a trusted certificate, follow this procedure:

Caution Deleting a certificate can affect your system operations. Any existing CSR for the certificate that you choose from the Certificate list gets deleted from the system, and you must generate a new CSR. For more information, see the "Generating a Certificate Signing Request for Single Server and Multi-Server Certificate" section.

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 You can use the Find controls to filter the certificate list.

Step 3 Click the file name of the certificate under Common Name.

The Certificate Details window displays.

Step 4 Click Delete.


 

Regenerating a Certificate

To regenerate a certificate, follow this procedure:

Caution Regenerating a certificate can affect your system operations.

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 Click Generate Self-signed or Generate CSR.

The Generate Certificate dialog box opens.

Step 3 Choose a certificate name from the Certificate Name list. For a description of the certificate names that display, see Table 6-1.

Step 4 Click Generate.


 

Note After you regenerate certificates in Cisco Unified Communications Operating System, you must perform a backup so that the latest backup contains the regenerated certificates. If your backup does not contain the regenerated certificates and you must perform restoration tasks for any reason, you must manually unlock each phone in your system so that the phone can register with Cisco Unified Communications Manager. For information on performing a backup, refer to the Disaster Recovery System Administration Guide.


 

Table 6-1 Certificate Names and Descriptions

tomcat
    This self-signed root certificate gets generated during installation for the HTTPS server.

ipsec
    This self-signed root certificate gets generated during installation for IPSec connections with MGCP and H.323 gateways.

Upload a Certificate or Certificate Trust List

Note The system does not distribute trust certificates to other cluster nodes automatically. If you need to have the same certificate on more than one node, you must upload the certificate to each node individually.


These sections describe how to upload a CA root certificate, application certificate, or CTL file to the server:

Upload a Certificate

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 Click Upload Certificate/Certificate chain.

The Upload Certificate/Certificate chain dialog box opens.

Step 3 Select the certificate name from the Certificate Purpose list.

Step 4 Select the file to upload:

    • In the Upload File text box, click the Browse button and navigate to the file; then, click Open.

Step 5 To upload the file to the server, click the Upload File button.


 

Upload a Certificate Trust List

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 Click Upload Certificate.

The Upload Certificate Trust List dialog box opens.

Step 3 Select the certificate name from the Certificate Name list.

Step 4 If you are uploading an application certificate that was issued by a third-party CA, enter the name of the CA root certificate in the Root Certificate text box. If you are uploading a CA root certificate, leave this text box empty.

Step 5 Select the file to upload by doing one of the following steps:

    • In the Upload File text box, enter the path to the file.
    • Click the Browse button and navigate to the file; then, click Open.

Step 6 To upload the file to the server, click the Upload File button.


 

Upload a Directory Trust Certificate

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 Click Upload Certificate.

The Upload Certificate Trust List dialog box opens.

Step 3 Select directory-trust from the Certificate Name list.

Step 4 Enter the file to upload in the Upload File field.

Step 5 To upload the file, click the Upload File button.

Step 6 Log in to Cisco Unified Serviceability.

Step 7 Navigate to Tools > Control Center - Feature Services.

Step 8 Restart the Cisco Dirsync service.

Step 9 Log in to the Cisco Unified Communications Operating System CLI as an administrator.

Step 10 To restart the Tomcat service, enter the command utils service restart Cisco Tomcat.

Step 11 After the services have restarted, you can add the directory agreement for SSL.


 

Using Third-Party CA Certificates

Single-server and Multi-server Certificates Overview

As the name suggests, a single-server certificate contains a single FQDN and identifies trust for that FQDN only. The single FQDN or domain is present in the Subject Alternative Name (SAN) extension. If there are multiple servers in a cluster, the system requires an equal number of X.509 certificates, one for each server.

The system uses a multi-server certificate to identify the trust for multiple servers or domains or sub-domains. The SAN extensions of a multi-server certificate contain multiple FQDNs or domains.

Note In telephony integration, a multi-server SAN certificate is supported only with secure SIP integration. With secure SCCP integration, only a single-server certificate is supported.


The following table describes the basic differences between single-server and multi-server certificates.

Table 6-2 Configuration Comparison of Certificates

Contents
  • Single-server certificate: contains a single FQDN or domain in the CN field and/or the SAN extension.
  • Multi-server certificate: contains multiple FQDNs or domains in the SAN extension.

Coverage
  • Single-server certificate: the system uses a separate certificate for each server in a cluster.
  • Multi-server certificate: a single certificate identifies multiple servers.

Regeneration and private key handling
  • Single-server certificate: the administrator regenerates the certificate and private key on each individual server in situations such as certificate expiry or private key compromise.
  • Multi-server certificate: because this certificate covers only one public and private key pair common to all servers, the same private key must be transferred securely to all the servers in the cluster along with the certificate. If the private key is compromised on any server, the certificate and private key need to be regenerated for all the servers.

Administrative overhead
  • Single-server certificate: generating single-server certificates can become an overhead for the administrator in a large cluster, because the administrator needs to generate a Certificate Signing Request (CSR), send the CSR to the CA for signing, upload the signed certificate, and so on, for each server in the cluster.
  • Multi-server certificate: there is less overhead for the administrator, who performs the steps only once on a given server; the system distributes the associated private key and signed certificate to all the servers in the cluster.

Cisco Unified Communications Operating System supports certificates that a third-party Certificate Authority (CA) issues in response to a PKCS #10 Certificate Signing Request (CSR).

The following table provides an overview of this process, with references to additional documentation:

 

Task / For More Information

Step 1  Log in to the Cisco Unified Communications Operating System Administration window.

        Note Cisco Unified Communications Operating System Administration allows the system administrator to select the distribution type when generating a CSR for the individual certificate purposes that support the multi-server option. The system automatically populates the CSR with the required SAN entries and displays the default SAN entries on the screen. On generating a multi-server CSR, the system automatically distributes that CSR to all the required servers in the cluster. Similarly, on upload of a multi-server CA-signed certificate, the system automatically distributes that certificate to all the required servers in the cluster.

Step 2  Generate a CSR on the server.
        See the "Generating a Certificate Signing Request for Single Server and Multi-Server Certificate" section.

Step 3  Download the CSR to your PC.
        See the "Download a Certificate Signing Request for Single-Server Certificate and Multi-Server Certificate" section.

Step 4  Use the CSR to obtain an application certificate from a CA.
        Get information about obtaining application certificates from your CA. See the "Obtaining Third-Party CA Certificates" section for additional notes.

Step 5  Obtain the CA root certificate.
        Get information about obtaining a root certificate from your CA. See the "Obtaining Third-Party CA Certificates" section for additional notes.

Step 6  Upload the CA root certificate to the server.
        See the "Upload a Certificate" section.

Step 7  Upload the application certificate to the server.
        See the "Upload a Certificate" section.

Step 8  Restart the services that are affected by the new certificate.
        For all certificate types, restart the corresponding service (for example, restart the Tomcat service if you updated the Tomcat certificate). In addition, if you updated the certificate for CAPF or Cisco Unified Communications Manager, restart the TFTP service.

        Note If you updated the Tomcat certificate, you also must restart the Connection IMAP Server service in Cisco Unity Connection Serviceability.

        See the Cisco Unified Communications Manager Serviceability Administration Guide for information about restarting services.

Generating a Certificate Signing Request for Single Server and Multi-Server Certificate

Procedure


Step 1 Select Security > Certificate Management.

The Certificate List window displays.

Step 2 Use the Find controls to filter the certificate list.

Step 3 Click Generate CSR.

The Generate Certificate Signing Request dialog box opens.

Step 4 From the Certificate Purpose drop-down list box, select the required certificate purpose.

Step 5 From the Distribution drop-down list box, select the required distribution list item.

Note The Multi-server (SAN) option is available only when you select tomcat from the Certificate Purpose drop-down list box.

Note By default, the system populates the CN field with the server FQDN (or hostname). You can modify the value, if required. For a self-signed certificate, the CN is not configurable.

Step 6 For Multi-server (SAN), you can add additional domains in the Additional Domain field.

Step 7 From the Key Length drop-down list box, select 1024 or 2048.

Step 8 From the Hash Algorithm drop-down list box, select SHA1 or SHA256.

Step 9 Click Generate to generate a new CSR.

Note The new CSR that is generated for a specific certificate type overwrites any existing CSR for that type. The CSR is automatically distributed to all the required servers in the cluster.



 

Download a Certificate Signing Request for Single-Server Certificate and Multi-Server Certificate

To download a Certificate Signing Request, follow this procedure:

Procedure


Step 1 Select Security > Certificate Management.

The Certificate List window displays.

Step 2 From the list, click the Common Name of the entry with type 'CSR Only' and a Distribution value matching the Common Name.

Note For a multi-server SAN certificate, click the Common Name of the entry with type 'CSR Only' and a Distribution value of 'Multi-Server (SAN)'.

The CSR Details window appears.

Step 3 Click Download CSR.

Step 4 After the CSR download completes, click Close.

You need to restart the Tomcat service after configuring the multi-server SAN certificate on both the Publisher and the Subscriber in a cluster. See the following procedure:

Procedure


Step 1 Sign in to the Unity Connection server by using an SSH application.

Step 2 Run the following CLI command to restart the Tomcat service:

    utils service restart Cisco Tomcat


 

Obtaining Third-Party CA Certificates

To use an application certificate that a third-party CA issues, you must obtain both the signed application certificate and the CA root certificate from the CA. Get information about obtaining these certificates from your CA; the process varies among CAs.

Cisco Unified Communications Operating System generates certificates in DER and PEM encoding formats and generates CSRs in PEM encoding format. It accepts certificates in DER and PEM encoding formats.

For all certificate types except CAPF, obtain and upload a CA root certificate and an application certificate on each node.

For CAPF, obtain and upload a CA root certificate and an application certificate only on the first node.

CAPF and Cisco Unified Communications Manager CSRs include extensions that you must include in your request for an application certificate from the CA. If your CA does not support the ExtensionRequest mechanism, you must enable the X.509 extensions that are listed on the final page of the CSR generation process, as follows:

  • The CAPF CSR uses the following extensions:

        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, IPSec End System

  • The CSRs for Cisco Unified Communications Manager, Tomcat, and IPSec use the following extensions:

            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System

Upload the CA root certificate of the CA that signed the application certificate. If a subordinate CA signs an application certificate, you must upload the CA root certificate of the subordinate CA, not the root CA.

You upload CA root certificates and application certificates by using the same Upload Certificate dialog box. When you upload a CA root certificate, choose the certificate name with the format <certificate type>-trust. When you upload an application certificate, choose the certificate name that only includes the certificate type. For example, choose tomcat-trust when you upload a Tomcat CA root certificate; choose tomcat when you upload a Tomcat application certificate.
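The following Python script is an added example, not code from the guide or from Cisco: it checks a CA-issued certificate against the extension lists above before upload by reading the text that openssl x509 -noout -text prints, reports the Key Usage and Extended Key Usage values the CA left out for a given purpose, and lists the SAN names so you can see whether the certificate is single-server or multi-server. The certificate texts, host names and the purpose labels in REQUIRED are constructed for the example.

```python
"""Pre-upload check of a CA-signed application certificate (added example,
not part of the guide). It reads the text that `openssl x509 -noout -text`
prints, the same layout the guide quotes for the CSR extensions, and reports
the Key Usage / Extended Key Usage values a CA left out."""
import re

# Required values per certificate purpose, as listed in the guide; the
# purpose keys are this example's own labels.
COMMON = {
    "X509v3 Key Usage": {"Digital Signature", "Key Encipherment",
                         "Data Encipherment", "Key Agreement"},
    "X509v3 Extended Key Usage": {"TLS Web Server Authentication",
                                  "TLS Web Client Authentication",
                                  "IPSec End System"},
}
REQUIRED = {
    "CAPF": {
        "X509v3 Key Usage": {"Digital Signature", "Certificate Sign"},
        "X509v3 Extended Key Usage": {"TLS Web Server Authentication",
                                      "IPSec End System"},
    },
    "CallManager": COMMON, "tomcat": COMMON, "ipsec": COMMON,
}
EXT_HEADER = re.compile(r"^\s*(X509v3 (?:Extended )?Key Usage):")


def parse_extensions(text):
    """Map each Key Usage / Extended Key Usage header to the set of values
    printed on the following line ('critical' after the colon is ignored)."""
    found = {}
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = EXT_HEADER.match(line)
        if m:
            values = lines[i + 1].split(",")
            found[m.group(1)] = {v.strip() for v in values if v.strip()}
    return found


def san_names(text):
    """DNS names in the Subject Alternative Name extension; more than one
    name means a multi-server (SAN) certificate, one means single-server."""
    return re.findall(r"DNS:([^,\s]+)", text)


def missing_extensions(text, purpose):
    """Return {extension: set of missing values}; an empty dict means the
    certificate satisfies the purpose and can be uploaded."""
    present = parse_extensions(text)
    missing = {}
    for ext, wanted in REQUIRED[purpose].items():
        gap = wanted - present.get(ext, set())
        if gap:
            missing[ext] = gap
    return missing


# Constructed sample: a tomcat multi-server certificate with every extension.
GOOD_TOMCAT = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, IPSec End System
            X509v3 Subject Alternative Name:
                DNS:cucm-pub.example.com, DNS:cucm-sub1.example.com
"""
# Constructed sample: a CAPF certificate from a CA that ignored the
# ExtensionRequest and issued a plain web-server profile instead.
BAD_CAPF = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
```

Run missing_extensions(BAD_CAPF, "CAPF") to see the two values the CA dropped; an empty result for missing_extensions(GOOD_TOMCAT, "tomcat") means the certificate is ready to upload as tomcat.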

Monitor Certificate Expiration Dates

The system can automatically send you an e-mail when a certificate is close to its expiration date. To view and configure the Certificate Expiration Monitor, follow this procedure:

Procedure


Step 1 To view the current Certificate Expiration Monitor configuration, navigate to Security > Certificate Monitor.

The Certificate Monitor window displays.

Step 2 Enter the required configuration information. See Table 6-3 for a description of the Certificate Monitor Expiration fields.

Step 3 To save your changes, click Save.


 

 

Table 6-3 Certificate Monitor Field Descriptions

Notification Start Time
    Enter the number of days before the certificate expires that you want to be notified.

Notification Frequency
    Enter the frequency for notification, either in hours or days.

Enable E-mail Notification
    Select the check box to enable e-mail notification.

Email IDs
    Enter the e-mail address to which you want notifications sent.

    Note For the system to send notifications, you must configure an SMTP host.

 

Certificate Revocation

You can use the Online Certificate Status Protocol (OCSP) to obtain the revocation status of the certificate.

To configure OCSP, follow this procedure:

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 Check the Enable OCSP check box in the Online Certificate Status Protocol Configuration area.

Step 3 Choose Use OCSP URI from Certificate if the certificate carries an OCSP URI that is to be used to contact the OCSP Responder.

Step 4 Choose Use configured OCSP URI if an external or manually configured URI is used to contact the OCSP Responder. Enter the URI of the OCSP Responder, where certificate revocation status is verified, in the OCSP Configured URI field.

Step 5 Check the Enable Revocation Check check box to perform the revocation check.

Note The certificate revocation service is active for LDAP and IPSec connections when the revocation and expiry check enterprise parameter is set to enabled.

Step 6 Enter the Check Every value to set how often the system checks the certificate revocation status.

  • Click Hours or Days to check the revocation status hourly or daily.

Step 7 Click Save.

Warning You must upload the OCSP Responder certificate to tomcat-trust before enabling OCSP.

Note The certificate revocation status check is performed only during upload of a certificate or certificate chain, and the appropriate alarm is raised if a certificate is revoked. The Cisco Certificate Expiry Monitor service must be restarted to ensure certificate revocation checking. Navigate to Cisco Unified Serviceability > Tools > Control Center - Network Services and restart the Cisco Certificate Expiry Monitor service.


Generating IPSEC Certificate

To generate or regenerate the ipsec certificate on a standalone server or in a cluster, follow this procedure:

Procedure


Step 1 Navigate to Security > Certificate Management.

The Certificate List window displays.

Step 2 Click Generate Self-signed or Generate CSR.

Step 3 Select ipsec from the Certificate Purpose drop-down list.

Step 4 Click Generate.

After you generate the certificate, ipsec and ipsec-trust are updated with the certificate on the standalone or publisher server.

Step 5 For a subscriber server, follow Step 1 to Step 4 to generate the ipsec certificate. After generating it, download the ipsec certificate from the subscriber server.

Step 6 Navigate to Security > Certificate Management on the subscriber server.

Step 7 Click Upload Certificate/Certificate Chain.

The Upload Certificate Trust List dialog box opens.

Step 8 Select ipsec-trust from the Certificate Purpose drop-down list.

Step 9 Browse to the certificate and click Upload.

Step 10 After uploading the ipsec certificate to the subscriber server, restart the following services, first on the publisher server and then on the subscriber server:

  • Cisco DRF Master
  • Cisco DRF Local

IPSEC Management

The following topics describe the functions that you can perform with the IPSec menu:

Note IPSec does not automatically get set up between nodes in the cluster during installation.


Set Up a New IPSec Policy

To set up a new IPSec policy and association, follow this procedure:

Note Because any changes that you make to an IPSec policy during a system upgrade will get lost, do not modify or create IPSec policies during an upgrade.

Caution IPSec, especially with encryption, will affect the performance of your system.

Procedure


Step 1 Navigate to Security > IPSEC Configuration.

The IPSEC Policy List window displays.

Step 2 Click Add New.

The IPSEC Policy Configuration window displays.

Step 3 Enter the appropriate information on the IPSEC Policy Configuration window. For a description of the fields on this window, see Table 6-4.

Step 4 To set up the new IPSec policy, click Save.


 

 

Table 6-4 IPSEC Policy and Association Field Descriptions

Policy Group Name
    Specifies the name of the IPSec policy group. The name can contain only letters, digits, and hyphens.

Policy Name
    Specifies the name of the IPSec policy. The name can contain only letters, digits, and hyphens.

Authentication Method
    Specifies the authentication method.

Preshared Key
    Specifies the preshared key if you selected Pre-shared Key in the Authentication Method field.

    Note Pre-shared IPSec keys can contain alphanumeric characters and hyphens only, not white spaces or any other characters. If you are migrating from a Windows-based version of Cisco Unified Communications Manager, you may need to change the name of your pre-shared IPSec keys so that they are compatible with current versions of Cisco Unified Communications Manager.

Peer Type
    Specifies whether the peer is the same type or different.

Destination Address
    Specifies the IP address or FQDN of the destination.

Destination Port
    Specifies the port number at the destination.

Source Address
    Specifies the IP address or FQDN of the source.

Source Port
    Specifies the port number at the source.

Mode
    Specifies Transport mode.

Remote Port
    Specifies the port number to use at the destination.

Protocol
    Specifies the specific protocol, or Any:
      • TCP
      • UDP
      • Any

Encryption Algorithm
    From the drop-down list, choose the encryption algorithm. Choices include:
      • DES
      • 3DES

Hash Algorithm
    Specifies the hash algorithm:
      • SHA1: hash algorithm that is used in phase 1 IKE negotiation
      • MD5: hash algorithm that is used in phase 1 IKE negotiation

ESP Algorithm
    From the drop-down list, choose the ESP algorithm. Choices include:
      • NULL_ENC
      • DES
      • 3DES
      • BLOWFISH
      • RIJNDAEL

Phase One Life Time
    Specifies the lifetime for phase one, IKE negotiation, in seconds.

Phase One DH
    From the drop-down list, choose the phase one DH value. Choices include: 2, 1, and 5.

Phase Two Life Time
    Specifies the lifetime for phase two, IKE negotiation, in seconds.

Phase Two DH
    From the drop-down list, choose the phase two DH value. Choices include: 2, 1, and 5.

Enable Policy
    Check the check box to enable the policy.
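As an added example (not from the guide), this Python script validates a policy against the field rules in Table 6-4 before you enter it in the IPSEC Policy Configuration window, and separately warns about allowed but weak algorithm and DH choices; those warnings are the example's own advice, not the guide's. The sample policy, its host names and ports are constructed, and model a pre-shared key carried over from a Windows-based release.

```python
"""Pre-flight validation of an IPSec policy for Security > IPSEC Configuration
(added example, not from the guide). The hard constraints are the ones Table 6-4
states; the strength warnings are this example's own advice."""
import re

NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")  # letters, digits and hyphens only
PSK_RE = NAME_RE                          # alphanumeric and hyphens, no spaces
CHOICES = {
    "Protocol": {"TCP", "UDP", "Any"},
    "Encryption Algorithm": {"DES", "3DES"},
    "Hash Algorithm": {"SHA1", "MD5"},
    "ESP Algorithm": {"NULL_ENC", "DES", "3DES", "BLOWFISH", "RIJNDAEL"},
    "Phase One DH": {1, 2, 5},
    "Phase Two DH": {1, 2, 5},
}
# Advisory only (this example's own policy): allowed but weak selections.
WEAK = {
    "Encryption Algorithm": {"DES"},
    "Hash Algorithm": {"MD5"},
    "ESP Algorithm": {"NULL_ENC", "DES"},
    "Phase One DH": {1},
    "Phase Two DH": {1},
}


def validate_policy(p):
    """Return (errors, warnings): errors violate the field rules in Table 6-4,
    warnings flag weak algorithm or DH choices that the form still accepts."""
    errors, warnings = [], []
    for field in ("Policy Group Name", "Policy Name"):
        if not NAME_RE.match(p.get(field, "")):
            errors.append(f"{field}: use only letters, digits and hyphens")
    if (p.get("Authentication Method") == "Pre-shared Key"
            and not PSK_RE.match(p.get("Preshared Key", ""))):
        errors.append("Preshared Key: alphanumeric characters and hyphens "
                      "only, no white space or other characters")
    for field, allowed in CHOICES.items():
        if p.get(field) not in allowed:
            errors.append(f"{field}: choose one of {sorted(map(str, allowed))}")
    for field in ("Phase One Life Time", "Phase Two Life Time"):
        if not isinstance(p.get(field), int) or p[field] <= 0:
            errors.append(f"{field}: enter a positive number of seconds")
    for field in ("Destination Port", "Source Port", "Remote Port"):
        if not isinstance(p.get(field), int) or not 0 <= p[field] <= 65535:
            errors.append(f"{field}: enter a port number from 0 to 65535")
    for field, weak in WEAK.items():
        if p.get(field) in weak:
            warnings.append(f"{field}: {p[field]} is a weak choice")
    return errors, warnings


# Constructed policy: the pre-shared key still carries the spaces it had on
# the Windows-based release, so the form would reject it until it is renamed.
MIGRATED_POLICY = {
    "Policy Group Name": "cluster-a",
    "Policy Name": "pub-to-sub1",
    "Authentication Method": "Pre-shared Key",
    "Preshared Key": "cluster a shared key",
    "Peer Type": "Same",
    "Destination Address": "cucm-sub1.example.com",
    "Destination Port": 8500,
    "Source Address": "cucm-pub.example.com",
    "Source Port": 8500,
    "Mode": "Transport",
    "Remote Port": 8500,
    "Protocol": "Any",
    "Encryption Algorithm": "3DES",
    "Hash Algorithm": "MD5",
    "ESP Algorithm": "RIJNDAEL",
    "Phase One Life Time": 3600,
    "Phase One DH": 2,
    "Phase Two Life Time": 3600,
    "Phase Two DH": 2,
}


def fixed_policy():
    """The same policy after renaming the key and moving the hash to SHA1."""
    return {**MIGRATED_POLICY, "Preshared Key": "cluster-a-shared-key",
            "Hash Algorithm": "SHA1"}
```

validate_policy(MIGRATED_POLICY) returns one error for the key and one warning for MD5; validate_policy(fixed_policy()) returns none of either.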

Managing Existing IPSec Policies

To display, enable or disable, or delete an existing IPSec policy, follow this procedure:

Note Because any changes that you make to an IPSec policy during a system upgrade will get lost, do not modify or create IPSec policies during an upgrade.

Caution IPSec, especially with encryption, will affect the performance of your system.

Caution Any changes that you make to the existing IPSec policies can impact your normal system operations.

Procedure


Step 1 Navigate to Security > IPSEC Configuration.

Note To access the Security menu items, you must log in to Cisco Unified Communications Operating System Administration again by using your Administrator password.

The IPSEC Policy List window displays.

Step 2 To display, enable, or disable a policy, follow these steps:

a. Click the policy name.

The IPSEC Policy Configuration window displays.

b. To enable or disable the policy, use the Enable Policy check box.

c. Click Save.

Step 3 To delete one or more policies, follow these steps:

a. Check the check box next to the policies that you want to delete.

You can click Select All to select all policies or Clear All to clear all the check boxes.

b. Click Delete Selected.