McDewey

Page 229

source
cucm/v15/security-guide/security-guide.md
chunk_id
cucm::v15::security-guide::security-guide::229

Configure the TLS 1.3 Certificate Preference Order Parameter

Use this procedure to determine how Unified Communications Manager and IM and Presence Service select RSA or EC certificates while establishing an inbound connection.

Note: For clients that offer only the TLS 1.3 protocol, Unified Communications Manager and/or IM and Presence Service will select an RSA or EC certificate based on TLS 1.3 Signature Algorithm Preference Order, regardless of the setting of the TLS 1.3 Certificate Preference Order parameter. This parameter has no impact on the TLS 1.2 protocol negotiation.

Procedure

Step 1  From Cisco Unified CM Administration, choose System > Enterprise Parameters.

Step 2  In Security Parameters, configure a value for the TLS 1.3 Certificate Preference Order enterprise parameter.

  • TLS 1.2 Ciphers Preference Order (Default)—When you select this option, Unified Communications Manager and/or IM and Presence Service will select an RSA or EC certificate based on the TLS 1.2 Ciphers preference order if both the TLS 1.2 and 1.3 protocols are offered by the client. This option determines only which certificate is used for TLS 1.3 connections; connections continue to use the TLS 1.3 cipher and signature algorithm.

  • TLS 1.3 Signature Algorithm Preference Order—When you select this option, Unified Communications Manager and/or IM and Presence Service will select an RSA or EC certificate based on the TLS 1.3 Signature Algorithm Preference order if the TLS 1.3 protocol is offered by the client. It is highly recommended to review the certificate requirements of the clients (devices) connecting to Unified Communications Manager and/or IM and Presence Service and update the necessary certificates in the clients' trust store (including ECDSA), when using this option.

Step 3  Click Save.

Important: For the parameter changes to take effect, restart the Cisco CallManager and Cisco CTIManager services on Unified Communications Manager. Restart the Cisco Config Agent, Cisco XCP Config Manager, Cisco XCP Router, and Cisco XCP Connection Manager services on IM and Presence Service.

TLS 1.3 Restrictions

• Common Criteria Mode—For Release 15SU2, the TLS 1.3 protocol is not supported in Common Criteria mode. TLS 1.2 is the only supported TLS protocol in this mode.

• SIP Trunk and Phone Security Profile—If you set the Device Security Mode to Authenticated, the phones will switch to a TLS version lower than 1.3. When the minimum supported TLS version on the Unified CM is set to 1.3, phones and SIP trunks with the Authenticated Device Security Mode are not supported.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs, Basic System Security
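One way to check the effect of the TLS 1.3 Certificate Preference Order parameter after the services restart, as an added example that is not part of the Cisco guide: the functions probe a TLS listener as a TLS 1.3-only, a TLS 1.2-and-1.3, and a TLS 1.2-only client and report whether an RSA or EC certificate was presented. HOST and PORT, the function names and the sample output are assumptions; the parser relies on the "Peer signature type" line printed by `openssl s_client`.

```shell
# Added example (not Cisco tooling). HOST and PORT are placeholders for a TLS
# listener on the node under test; the sample output below is constructed.

# Classify the certificate type from `openssl s_client` output read on stdin.
# The "Peer signature type:" line names the key algorithm the server signed
# the handshake with: ECDSA means an EC certificate, RSA or RSA-PSS an RSA one.
cert_type_from_sclient() {
  awk -F': *' '
    /^Peer signature type:/ {
      t = toupper($2)
      if (t ~ /ECDSA/) { print "EC";  found = 1; exit }
      if (t ~ /RSA/)   { print "RSA"; found = 1; exit }
    }
    END { if (!found) print "UNKNOWN" }
  '
}

# Handshake with the given client restrictions and report the certificate type.
# usage: probe HOST PORT [s_client options...]
probe() {
  target="$1:$2"; sni="$1"; shift 2
  openssl s_client -connect "$target" -servername "$sni" "$@" \
    </dev/null 2>/dev/null | cert_type_from_sclient
}

# Probe as the three client shapes the procedure distinguishes.
# usage: compare_clients HOST PORT
compare_clients() {
  echo "TLS 1.3 only    : $(probe "$1" "$2" -tls1_3)"
  echo "TLS 1.2 and 1.3 : $(probe "$1" "$2" -min_protocol TLSv1.2 -max_protocol TLSv1.3)"
  echo "TLS 1.2 only    : $(probe "$1" "$2" -tls1_2)"
}

# Constructed s_client excerpts, for checking the parser offline.
SAMPLE_EC='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits'
SAMPLE_RSA='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits'
```

Per the text above, only the "TLS 1.2 and 1.3" result is governed by the parameter. UNKNOWN means the handshake failed or no signature line was printed.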