Enhancement in Security Certificate Management CUCM 11.x


Contents

Introduction
Prerequisites
    Requirements
    Components Used
Background Information
Certificate Management
    Old Versions
    New Versions
Frequently Asked Questions
Verify
    Syslogs
    IPT Platform CertMgr Logs

Introduction

This document describes the advancement made in certificate management for Cisco Unified Communications Manager (CUCM) implemented in version 11.x.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

- CUCM

Components Used

The information in this document is based on these software versions:

- CUCM version 11.5.1.10000-6

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

CUCM certificate management helps Unified Communications or security administrators manage certificates more efficiently. The advantages of this enhancement include a decrease in the time needed to remove unwanted or expired certificates in CUCM and IM&Presence.

Certificate Management

Old Versions

Prior to CUCM version 11, this message appeared if a certificate was deleted. The certificate was deleted only from the node on which the delete operation was initiated. If the same certificate was not deleted on the other nodes, the deleted certificate was populated back onto the node where it was initially deleted. This is due to the certificate monitoring service called Certificate Change Notification. As a best practice in older versions of CUCM, the Certificate Change Notification service is stopped on all the CUCM nodes before certificate deletion.

Another drawback in older versions is the requirement to log in to the OS Administration page of each node in order to delete a single unwanted or expired certificate, which becomes tedious and time consuming, especially for a big cluster.

New Versions

Starting at CUCM version 11.0 or higher, any unwanted or expired certificate that is deleted from the current node is also deleted from all other nodes within the cluster. The enhancement was included to address these defects:

- CSCto86463 - Deleted certificates reappear, unable to remove certificates from CUCM
- CSCus28550 - Cert Management Enhancement to delete a certificate from all nodes

Frequently Asked Questions

Q. What types of certificates are included in this enhancement?

A. For Cisco Unified Communications Manager:

- tomcat-trust
- CallManager-trust
- Phone-SAST-trust

For Cisco Unified Communications Manager IM & Presence:

- tomcat-trust

Q. What happens at the backend for this enhancement?

A. As soon as a certificate is deleted on any one of the CUCM nodes:

1. The certificate is deleted from the local node.
2. A platform event triggers deletion of the same certificate on all other nodes.

Verify

Once a certificate is deleted via the OS Administration page on a node, log in to the other nodes and check whether the certificate is still present. If a deleted certificate has not been removed from all the nodes, check the logs generated at the time of the certificate deletion:

- Syslogs
- IPT Platform CertMgr Logs

In a common working scenario, these are the expected logs.

Syslogs

A platform-event is seen on the other nodes (other than the node where the certificate deletion was initiated). In this example, a tomcat-trust certificate named CUCMSUB1.pem was deleted from the publisher, which produces this entry in the subscriber's syslog:

    Aug 6 20:20:47 CUCMSUB1 user 6 ilog_impl: Received request for platform-event (--no-wait platform-event-clusterwide-certificate-delete HOSTNAME=CUCM-PUB UNIT=tomcat-trust NAME=CUCMSUB1.pem)

IPT Platform CertMgr Logs

In the CertMgr logs, these records confirm that the certificate is queued for deletion from the database entries:

    2016-08-06 21:22:06,151 INFO [main] - IN -- CertDBAction.java - deletecertificateindb(certinfo) -
    2016-08-06 21:22:06,151 INFO [main] - DBParameters...
    PKID :
    CN : L=BGL,ST=Karnataka,CN=CUCMSUB1,OU=TAC,O=Cisco,C=IN
    serialno : 4d6dc0cb7bc73e70c3ded20690d15fa8
    hostname : CUCMSUB1
    issuername : L=BGL,ST=Karnataka,CN=CUCMSUB1,OU=TAC,O=Cisco,C=IN
    Certificate : Not Printing huge Certificate String..
    IPV4Address : 10.106.99.196
    IPV6Address :
    TimeToLive : NULL
    TkCertificateDistribution :1
    UNIT : tomcat-trust
    TYPE : trust-certs
    ROLE :
    RoleMoniker :
    RoleEnum :
    SERVICE :
    ServiceMoniker :
    ServiceEnum :0
    2016-08-06 21:22:06,151 INFO [main] - DB - Certifciate Store Plugin Handler is :com.cisco.ccm.certmgmt.db.certdbimpl
    2016-08-06 21:22:06,156 INFO [main] - IN -- CertDBImpl.java - deletecertificate(certinfo)

The SQL command triggered for deletion of the certificate can also be seen in the CertMgr logs:

    2016-08-06 21:22:08,980 DEBUG [main] - Delete query of CERTIFICATEPROCESSNODEMAP :DELETE FROM CERTIFICATEPROCESSNODEMAP WHERE FKCERTIFICATE="cdd0365a-2d17-3483-4d00-1bf08f942cf5" AND SERVERNAME = "CUCMSUB1"
    2016-08-06 21:22:08,980 DEBUG [main] - execute(delete FROM CERTIFICATEPROCESSNODEMAP WHERE FKCERTIFICATE="cdd0365a-2d17-3483-4d00-1bf08f942cf5" AND SERVERNAME = "CUCMSUB1")

These CertMgr entries confirm that the certificate is deleted from the file system (the certificate file with the .pem or .der extension):

    2016-08-06 21:22:09,009 DEBUG [main] - deletederandpem: scertdir = /usr/local/platform/.security/tomcat/trust-certs --- salias = CUCMSUB1
    2016-08-06 21:22:09,009 INFO [main] - IN -- TomcatCertMgr.java - removefromkeystore(..) -
    2016-08-06 21:22:09,010 INFO [main] - IN -- RSACryptoEngine.java - removefromkeystore(keystorefile, keystorepass, alias) -
    2016-08-06 21:22:09,010 INFO [main] - IN -- RSACryptoEngine.java - loadkeystore(keystorefile, keystorepass) -
    2016-08-06 21:22:09,086 INFO [main] - OUT -- RSACryptoEngine.java - loadkeystore -
    2016-08-06 21:22:09,103 DEBUG [main] - Removing certificate from keystore : CUCMSUB1

If certificate deletion is still not reflected on the rest of the nodes in the cluster, or the logs show errors, open a TAC case with the CUCM team.
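As an added verification helper (example code, not Cisco's own), this Python script parses subscriber syslog lines for the platform-event shown above and CertMgr lines for the keystore removal record, then reports which expected nodes never logged the delete. The subscriber names, the silent CUCMSUB3 and the sample lines are constructed for the example.

```python
import re

# Syslog record that the document shows on every other node after a cluster-wide
# delete; HOSTNAME is the initiating node, UNIT/NAME identify the certificate.
PLATFORM_EVENT_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<node>\S+) .*?"
    r"platform-event-clusterwide-certificate-delete "
    r"HOSTNAME=(?P<origin>\S+) UNIT=(?P<unit>\S+) NAME=(?P<name>\S+)\)")
# CertMgr record that confirms the alias was removed from the local keystore.
KEYSTORE_REMOVE_RE = re.compile(r"Removing certificate from keystore : (?P<alias>\S+)$")

def nodes_that_received_delete(syslog_lines, unit, name):
    """Node names whose syslog carries the delete event for this UNIT/NAME pair."""
    seen = set()
    for line in syslog_lines:
        m = PLATFORM_EVENT_RE.search(line)
        if m and m.group("unit") == unit and m.group("name") == name:
            seen.add(m.group("node"))
    return seen

def missing_nodes(syslog_lines, expected, unit, name):
    """Expected nodes with no delete event: where a stale copy may still exist."""
    return sorted(set(expected) - nodes_that_received_delete(syslog_lines, unit, name))

def keystore_removal_confirmed(certmgr_lines, alias):
    """True when CertMgr logged removal of this alias from the local keystore."""
    for line in certmgr_lines:
        m = KEYSTORE_REMOVE_RE.search(line)
        if m and m.group("alias") == alias:
            return True
    return False

# Constructed sample logs modelled on the records quoted above; the subscriber
# names and the silent CUCMSUB3 are assumptions made for this example.
EVENT = ("user 6 ilog_impl: Received request for platform-event (--no-wait "
         "platform-event-clusterwide-certificate-delete HOSTNAME=CUCM-PUB "
         "UNIT=tomcat-trust NAME=CUCMSUB1.pem)")
SAMPLE_SYSLOG = ["Aug 6 20:20:47 CUCMSUB1 " + EVENT, "Aug 6 20:20:48 CUCMSUB2 " + EVENT]
SAMPLE_CERTMGR = ["2016-08-06 21:22:09,103 DEBUG [main] - Removing certificate from keystore : CUCMSUB1"]
EXPECTED_SUBSCRIBERS = ["CUCMSUB1", "CUCMSUB2", "CUCMSUB3"]

if __name__ == "__main__":
    print("no delete event on:",
          missing_nodes(SAMPLE_SYSLOG, EXPECTED_SUBSCRIBERS, "tomcat-trust", "CUCMSUB1.pem"))
    print("keystore removal logged:", keystore_removal_confirmed(SAMPLE_CERTMGR, "CUCMSUB1"))
```

Feed it the syslog collected from every subscriber plus each node's CertMgr log; a node listed as missing is the one to inspect in OS Administration before opening a TAC case.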