Security Guide for Cisco Unified Communications Manager, Release 12.5(1)SU2
Total Page:16
File Type:pdf, Size:1020Kb
Security Guide for Cisco Unified Communications Manager, Release 12.5(1)SU2 First Published: 2020-02-03 Last Modified: 2021-09-27 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version. Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R) © 2020 Cisco Systems, Inc. All rights reserved. CONTENTS PREFACE Preface xvii Purpose xvii Audience xviii Organization xviii Related Documentation xx Conventions xx Obtain Documentation, Support, and Security Guidelines xx Cisco Product Security Overview xxi PART I Security Basics 23 CHAPTER 1 Security Overview 1 Terms and Acronyms 1 System Requirements 6 Features List 6 Security Icons 7 Interactions and Restrictions 8 Interactions 9 Restrictions 10 Authentication and Encryption 10 Barge and Encryption 10 Wideband Codecs and Encryption 11 Media Resources and Encryption 11 Phone Support and Encryption 11 Phone Support and Encrypted Setup Files 12 Security Icons and Encryption 12 Security Guide for Cisco Unified Communications Manager, Release 12.5(1)SU2 iii Contents Cluster and Device Security Modes 13 Digest Authentication and Encryption 13 Packet Capturing and Encryption 13 Best Practices 13 Device Resets, Server and Cluster Reboots, and Service Restarts 14 Reset Devices, Servers, Clusters, and Services 15 Media Encryption with Barge Setup 15 CTL Client, SSL, CAPF, and Security Token Installation 16 TLS and IPSec 16 Certificates 16 Phone Certificate Types 17 Server Certificate Types 19 Support for Certificates from External CAs 20 Authentication, Integrity, and Authorization 21 Image Authentication 21 Device Authentication 21 File Authentication 22 Signaling Authentication 23 Digest Authentication 23 Authorization 25 Encryption 26 Secure End Users Login Credentials 26 Signaling Encryption 26 Media Encryption 27 AES 256 Encryption Support for TLS and SIP SRTP 28 AES 256 and SHA-2 Support in TLS 28 AES 256 Support in SRTP SIP Call Signaling 29 Cisco Unified Communications Manager Requirements 30 Interactions and Restrictions 30 AES 80-Bit Authentication Support 30 Self-encrypting Drive 31 Configuration File Encryption 32 Encrypted iX Channel 32 Encryption Modes 33 Security Guide for Cisco Unified Communications Manager, Release 12.5(1)SU2 iv Contents Non-Encrypted Modes 33 NMAP Scan Operation 34 Set Up Authentication and Encryption 34 Cipher Management 37 Recommended Ciphers 39 Configure Cipher String 39 Cipher Limitations 42 Cipher Restrictions 51 Where to Find More Information 52 CHAPTER 2 Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS) 53 HTTPS 53 HTTPS for Cisco Unified IP Phone Services 55 Cisco Unified IP Phones that Support HTTPS 55 Features That Support HTTPS 55 Cisco Unified IP Phone Services Settings 56 Enterprise Parameter Settings for HTTPS Support 58 Save Certificate to Trusted Folder Using Internet Explorer 8 58 Copy Internet Explorer 8 Certificate to File 59 First-Time Authentication for Firefox with HTTPS 60 Save Certificate to Trusted Folder Using Firefox 3.x 60 Copy Firefox 3.x Certificate to File 61 First-Time Authentication for Safari with HTTPS 62 Save Certificate to Trusted Folder Using Safari 4.x 63 Copy Safari 4.x Certificate to File 64 Where to Find More Information About HTTPS Setup 64 CHAPTER 3 Default Security Setup 65 Default Security Features 65 Trust Verification Service 66 TVS Description 66 Initial Trust List 66 Initial Trust List Files 68 ITL File Contents 68 Security Guide for Cisco Unified Communications Manager, Release 12.5(1)SU2 v Contents ITL and CTL File Interaction 69 Certificate Management Changes for ITLRecovery Certificate 69 ITLRecovery Certificate 69 Interactions and Restrictions 70 Update ITL File for Cisco Unified IP Phones 70 Autoregistration 70 Obtain ITL File Status 71 Obtain Cisco Unified IP Phone Support List 71 ECDSA Support for Common Criteria for Certified Solutions 71 Certificate Manager ECDSA Support 72 SIP ECDSA Support 72 CAPF ECDSA Support 73 Entropy 74 HTTPS Support for Configuration Download 74 CTI Manager Support 74 Certificate Regeneration 75 Regenerate CAPF Certificate 75 Regenerate TVS Certificate 75 Regenerate TFTP Certificate 76 Regenerate ITLRecovery Certificate 76 Tomcat Certificate Regeneration 78 System Back-Up Procedure After TFTP Certificate Regeneration 78 Refresh Upgrade From Cisco Unified Communications Manager Release 7.x to Release 8.6 Or Later 79 Roll Back Cluster to a Pre-8.0 Release 80 Switch Back to Release 8.6 or Later After Revert 81 Migrate IP Phones Between Clusters with Cisco Unified Communications Manager and ITL Files 82 Bulk Certificate Export 83 Generate Self-Signed Certificate 84 Self-signed Certificate Fields 84 Generate Certificate Signing Request 86 Certificate Signing Request Fields 87 Interactions and Restrictions 89 Perform Bulk Reset of ITL File 89 Security Guide for Cisco Unified Communications Manager, Release 12.5(1)SU2 vi Contents Reset CTL Localkey 90 View the Validity Period of ITLRecovery Certificate 90 Contact Search Authentication Task Flow 91 Confirm Phone Support for Contact Search Authentication 91 Enable Contact Search Authentication 92 Configure Secure Directory Server for Contact Search 92 CHAPTER 4 Cisco CTL Client Setup 93 About Cisco CTL Setup 93 Addition of Second SAST Role in the CTL File for Recovery 95 SIP OAuth Configuration Through CLI 95 Activate Cisco CTL Provider Service 96 Cisco CAPF Service Activation 97 Set up Secure Ports 97 Set Up Cisco CTL Client 98 SAST Roles of CTL File 100 Migrate Phones from One Cluster to Another Cluster 101 Migration from eToken-based CTL File to Tokenless CTL File 102 Update CTL File 102 Update Cisco Unified Communications Manager Security Mode 103 Cisco CTL File Details 104 Verify Cisco Unified Communications Manager Security Mode 105 Set Up Smart Card Service to Started or Automatic 106 Verify or Uninstall Cisco CTL Client 107 CHAPTER 5 TLS Setup 109 TLS Overview 109 TLS Prerequisites 109 TLS Configuration Task Flow 110 Set Minimum TLS Version 111 Set TLS Ciphers 111 Configure TLS in a SIP Trunk Security Profile 111 Add Secure Profile to a SIP Trunk 112 Configure TLS in a Phone Security Profile 112 Security Guide for Cisco Unified Communications Manager, Release 12.5(1)SU2 vii Contents Add Secure Phone Profile to a Phone 113 Add Secure Phone Profile to a Universal Device Template 114 TLS Interactions and Restrictions 114 TLS Interactions 115 TLS Restrictions 115 PART II Certificates 121 CHAPTER 6 Certificate Overview 123 Certificates Overview 123 Third-Party CA-Signed Certificates 124 Certificate Signing Request Key Usage Extensions 125 Server Certificate Types 126 Administration Tasks for Certificates 127 Show Certificates 127 Download Certificates 127 Install Intermediate Certificates 127 Delete a Trust Certificate 128 Regenerate a Certificate 129 Certificate