McDewey


Page 157

source: cucm/v15/security-guide/security-guide.md
chunk_id: cucm::v15::security-guide::security-guide::153

Table 24: Phone Security Interactions and Restrictions

Feature: Certificate Encryption

Interaction and Restriction: Beginning with Unified Communications Manager Release 11.5(1)SU1, all LSC certificates issued by the CAPF service are signed with the SHA-256 algorithm. Therefore, Cisco Unified IP Phone 7900 Series, 8900 Series, and 9900 Series support SHA-256 signed LSC certificates and external SHA2 identity certificates (Tomcat, CallManager, CAPF, TVS, and so on). For any other cryptographic operation that requires validation of a signature, only SHA-1 is supported.

Note: If you use phone models that are in End of Software Maintenance or End of Life, we strongly recommend using a Unified Communications Manager release earlier than 11.5(1)SU1.

Phone Security Profiles

Unified Communications Manager groups the security-related settings for a phone type and protocol into security profiles, so you can assign a single security profile to multiple phones. The security-related settings include device security mode, digest authentication, and some of the CAPF settings. Installing Unified Communications Manager provides a set of predefined, non-secure security profiles for auto-registration. You apply the configured settings to a phone by choosing the security profile in the Phone Configuration window.

To enable security features for a phone, you must configure a new security profile for the device type and protocol, and then apply that profile to the phone. Only the security features that the selected device and protocol support are displayed in the security profile settings window.

Prerequisites

Consider the following information before you configure the phone security profiles:

• When you configure phones, choose a security profile in the Phone Configuration window. If the device does not support security or a secure profile, apply a non-secure profile.
• You cannot delete or change the predefined non-secure profiles.
• You cannot delete a security profile that is currently assigned to a device.
• If you change the settings in a security profile that is already assigned to a phone, the reconfigured settings apply to all phones that are assigned that particular profile.
• You can rename security profiles that are assigned to devices. The phones that are assigned the earlier profile name and settings assume the new profile name and settings.
• The CAPF settings, the authentication mode and the key size, are displayed in the Phone Configuration window. You must configure CAPF settings for certificate operations that involve MICs or LSCs. You can update these fields directly in the Phone Configuration window.
• If you update the CAPF settings in the security profile, the settings are also updated in the Phone Configuration window.
• If you update the CAPF settings in the Phone Configuration window and a matching profile is found, Unified Communications Manager applies the matching profile to the phone.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs · Basic System Security · Phone Security Profiles