Unified Communication Cluster Setup with CA Signed Multi Server Subject Alternate Name Configuration Example

Similar documents
Security Certificate Configuration for XMPP Federation

Managing Security Certificates in Cisco Unified Operating System

SAML-Based SSO Configuration

LDAP Directory Integration

LDAP Directory Integration

Secure External Phone Services Configuration Example

Manage Certificates. Certificates Overview

Configuration Example for Secure SIP Integration Between CUCM and CUC based on Next Generation Encryption (NGE)

Enhancement in Security Certificate Management CUCM 11.x

Set Up Certificate Validation

How to Enable Common PIN for CUCM and UCXN.

Default Security Setup

Post-Change Tasks and Verification

Intercluster Peer Configuration

Certificates for Live Data Standalone

Cisco recommends that you have knowledge of these commonly used CUCM features:

Cisco CTL Client Setup

High Level View of Certificates and Authorities in CUCM

Certificates for Live Data

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

Cisco CTL Client setup

Domain Name and Node Name Changes

Settings. IP Settings. Set Up Ethernet Settings. Procedure

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server

Unity Connection Version 10.5 SAML SSO Configuration Example

TLS Setup. TLS Overview. TLS Prerequisites

Service Parameter Configuration

Domain Name and Node Name Changes

Configure and Integrate CMS Single Combined

Voice-Messaging Ports Security Setup

This chapter provides information to help you manage reports. Table 1: Unified CM reports that display in Cisco Unified Reporting

Contents. Introduction. Prerequisites. Requirements. Components Used

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 12.0(1)

Default security setup

Troubleshooting Single Sign-On

The information in this document is based on these software and hardware versions:

SAML-Based SSO Configuration

Manage SAML Single Sign-On

Skype for Business Configuration for Partitioned Intradomain Federation

Manage Device Firmware

Troubleshooting Single Sign-On

Security and Certificates

Voice-messaging ports security setup

Phone Security. Phone Security. This chapter provides information about phone security.

Interdomain Federation Guide for IM and Presence Service on Cisco Unified Communications Manager, Release 11.5(1)SU2

Push Notifications (On-Premises Deployments)

Change Server Domain

Backup the System. Backup Overview. Backup Prerequisites

Modify IP Addresses for Servers Defined by IP Address

Refer to Cisco Unified Communications Manager Security Guide for more details.

FIPS Mode Setup

Security by Default. Overview CHAPTER

Configure Push Notifications for Cisco Jabber on iphone and ipad

This document describes the procedure to delete unassigned directory numbers (DNs) in Cisco Unified Communication Manager (CUCM).

Cisco Unified Communications Manager configuration for integration with IM and Presence Service

Unified Communications Mobile and Remote Access via Cisco VCS

Unified Communications Mobile and Remote Access via Cisco Expressway

Configure Proxy WebRTC With CMS over Expressway with Dual Domain

Release 8.6, page 2 Configure Cisco Unity Connection for Use with Cisco Jabber, page 3

Pre-Change Tasks and System Health Checks

Branding Customizations

Migrate Phones Between Secure Clusters

Cisco Unified Communications XMPP Federation

Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS)

Configure Voice and Video Communication

Interdomain Federation for the IM and Presence Service, Release 10.x

Unified Communications Mobile and Remote Access via Cisco Expressway

Configure and Troubleshoot Device Mobility

Managing Certificates

Command or Action Step 1. Create and Configure Cisco Jabber Devices, on page 1. Configure a SIP Trunk, on page 6

Mobile and Remote Access Through Cisco Expressway

Configure SIP Registrations to Authenticate and Authorize on a Per-user Basis (MRA) for CUCM 11.5

Fixing Issues with Corporate Directory Lookup from the Cisco IP Phone

Compatibility Matrix for Cisco Unified Communications Manager and the IM and Presence Service, Release 11.5(1)SU5

Configure IM and Presence Service for External Database

Install Telepresence Content Server License Key(s)

Configuring a Secure Survivable Remote Site Telephony (SRST) Reference

IM and Presence Service Network Setup

Command or Action Step 1 with Cisco Jabber, on page 2. Configure Retrieval and Redirection, on page 3. Apply a Voic Service, on page 5

Securing LDAP Directory Integration with Cisco Unified CallManager 4.x

Certificate Renewal on Cisco Identity Services Engine Configuration Guide

Mobile and Remote Access Through Cisco Expressway

The information in this document is based on these software and hardware versions:

Using SSL to Secure Client/Server Connections

Mobile and Remote Access Through Cisco Video Communication Server

Configure Single Sign-On using CUCM and AD FS 2.0 (Windows Server 2008 R2)

Configure Service Parameters

Configure Mobile and Remote Access

Cisco Unified Communications Manager Administration Guide End User Configuration Section

Configure Dual Stack IPv6

IEA 2048 Bit Key Support for CSR on IEA Configuration Example

Branding Customizations

Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 10.5(1)

Reference. Base Configuration Updates

Understanding Cisco Unified Communications Security

Monitor System Status

CSM - How to install Third-Party SSL Certificates for GUI access

Configure TFTP Servers

Configuring Cisco CallManager IP Phones to Work With IP Phone Agent

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

Transcription:

Unified Communication Cluster Setup with CA Signed Multi Server Subject Alternate Name Configuration Example Document ID: 118731 Contributed by Vasanth Kumar K, Cisco TAC Engineer. Mar 09, 2015 Contents Introduction Prerequisites Requirements Components Used Background Information Configure Verify CallManager Multi Server SAN Certificate Troubleshoot Introduction This document describes how to set up a Unified Communication Cluster with the use of a Certificate Authority (CA) Signed Multi Server Subject Alternate Name (SAN). Prerequisites Requirements Cisco recommends that you have knowledge of these topics: Cisco Unified Communications Manager (CUCM) CUCM IM and Presence Version 10.5 Before you attempt this configuration, ensure these services are up and functional: Cisco Platform Administrative Web Service Cisco Tomcat service In order to verify these services on a web interface, navigate to Cisco Unified Serviceability Page Services > Network Service > Select a server. In order to verify them on the CLI, enter the utils service list command. Components Used This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Background Information In CUCM Version 10.5 and later, this trust store Certificate Signing Request (CSR) request can include SAN and alternate domains. 1. Tomcat 2. Cisco CallManager (CCM) 3. Cisco Unified Presence Extensible Messaging and Presence Protocol (CUP XMPP) 4. CUP XMPP Server to Server (S2S) It is simpler to obtain a CA signed certificate in this version. Only one CSR is required to be signed by CA rather than the requirement to obtain a CSR from each server node and then obtain a CA signed certificate for each CSR and manage them individually. Configure 1. Log into Operating System (OS) Administration and navigate to Security > Certificate Management > Generate CSR. 2. Select Multi Server SAN in Distribution.

It autopopulates the SAN domains and the parent domain.

Once it is generated, this displays: In Certificate Management, the SAN Request is generated:

3. You can use the local CA or an External CA like VeriSign in order to get it signed. This example shows configuration steps for a Microsoft Windows Server based CA. Log into https://<windowsserveripaddress>/certsrv/ Select Request a Certificate > Advanced Certificate Request. 4. Submit the CSR request as shown here. 5. Once you obtain the certificate, you must upload the CA certificate as tomcat trust and then upload the CA signed certificate as tomcat.

6. Ensure the service is restarted on all nodes in the SAN list, which includes the node where it is uploaded. You see Multi Server SAN listed in Certificate Management. Verify Log into http://<fqdnofccm>:8443/ccmadmin in order to ensure that the new certificate is used.

CallManager Multi Server SAN Certificate A similar procedure can be followed for the CallManager certificate. In this case, the autopopulated domains are all of the CallManager nodes. If it does not run, you can choose to keep it from the SAN list or remove it from there. After you install the certificate issued by CA, you must restart the CallManager service on all nodes. Before you get the CA signed SAN certificate for CUCM, ensure that: The IP Phone is able to trust the Trust Verification Service (TVS). This can be verified if you access any HTTPS service from the phone. For example, if Corporate Directory access works, then it means that the phone trusts TVS service. If it is a secure cluster, ensure that the Certificate Trust List (CTL) client is rerun so that a new CTL file is created and the cluster is rebooted.

Troubleshoot These logs should help the Cisco Technical Assistance Center identify any issues related to Multi Server SAN CSR generation and upload of CA Signed Certficate. Cisco Unified OS Platform API Cisco Tomcat IPT Platform CertMgr Logs In an existing Multi Server Certifcate CUCM, if the hostname of the server changes, it is recommended to generate a multi server SAN CSR request as explained previously in order to get the certificate signed by CA. Updated: Mar 09, 2015 Document ID: 118731

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback