McDewey

Multi-vendor documentation library · semantic search · MCP endpoint at /mcp

Page 154

↗ View in doc context
page
154
source
cucm/v15/security-guide/security-guide.md
chunk_id
cucm::v15::security-guide::security-guide::150

Set Up Phone Security The following procedure describes the tasks to configure security for supported phones. Procedure Step 1 If you have not already done so, execute the utils ctl CLI command and ensure that the Unified Communications Manager security mode equals Mixed Mode. Step 2 If the phone does not contain a locally significant certificate (LSC) or manufacture-installed certificate (MIC), install a LSC by using the Certificate Authority Proxy Function (CAPF). Step 3 Configure phone security profiles. Step 4 Apply a phone security profile to the phone. Step 5 After you configure digest credentials, choose the Digest User from the Phone Configuration window. Step 6 On Cisco Unified IP Phone 7962 or 7942 (SIP only), enter the digest authentication username and password (digest credentials) that you configured in the End User Configuration window. Note This document does not provide procedures on how to enter the digest authentication credentials on the phone. For information on how to perform this task, see Administration Guide for Cisco Unified Communications Manager that supports your phone model and this version of Unified Communications Manager. Make sure to run the utils ctl CLI command set after you upload a third-party CA-signed certificate to the platform to update the CTL file. Step 7 Encrypt the phone configuration file, if the phone supports this functionality. Step 8 To harden the phone, disable phone settings. Preferred Vendor SIP Phone Security Set Up Secure Preferred Vendor phones are phone types that are manufactured by third-party vendors but are installed in the Cisco Unified database via a COP file. Unified Communications Manager provides security for a preferred vendor SIP phone. In order to support security, you must enable Security Encryption or Security Authentication for the preferred vendor SIP phone in the COP file. These phone types appear in the drop-down list in the Add a New Phone window. While all preferred vendor phones support Digest Authorization, not all preferred vendor phones support TLS security. Security capabilities is based on the phone model. If the Phone Security Profile includes a “Device Security Mode” field, then it supports TLS security. If the preferred vendor phone supports TLS security, there are two modes that are possible: per-device certificate and shared certificate. The phone supplier must specify which mode is applicable for the phone as well as instructions on generating or acquiring a certificate for the phone. Set Up Preferred Vendor SIP Phone Security Profile Per-Device Certificates To configure the preferred vendor SIP phone security profile with per-device certificates, perform the following procedure: Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 136 Basic System Security Set Up Phone Security