McDewey

Multi-vendor documentation library · semantic search · MCP endpoint at /mcp

Page 38

↗ View in doc context
page
38
source
cucm/v15/security-guide/security-guide.md
chunk_id
cucm::v15::security-guide::security-guide::24

With this new security functionality in mind, three problems can occur when moving a phone from one cluster to another cluster: 1. The ITL file of the new cluster is not signed by the current ITL file signer, so the phone cannot accept the new ITL file or configuration files. 2. The TVS servers listed in the existing ITL of the phone may not be reachable when the phones are moved to the new cluster. 3. Even if the TVS servers are reachable for certificate verification, the old cluster servers may not have the new server certificates. If one or more of these three problems are encountered, one possible solution is to delete the ITL file manually from all phones being moved between clusters. However, this is not a desirable solution since it requires massive effort as the number of phones increases. The most preferred option is to make use of the Cisco Unified CM Enterprise Parameter Prepare Cluster for Rollback to pre-8.0. Once this parameter is set to True, the phones download a special ITL file that contains empty TVS and TFTP certificate sections. When a phone has an empty ITL file, the phone accepts any unsigned configuration file (for migrations to Unified CM pre-8.x clusters), and also accepts any new ITL file (for migrations to different Unified CM 8.x clusters). The empty ITL file can be verified on the phone by checking Settings > Security > Trust List > ITL. Empty entries appear where the old TVS and TFTP servers used to be. The phones must have access to the old Unified CM servers only as long as it takes them to download the new empty ITL files. If you plan to keep the old cluster online, disable the Prepare Cluster for Rollback to pre-8.0 Enterprise Parameter to restore Security By Default. Encryption Encryption capability installs automatically when you install Unified Communications Manager on a server. Tip This section describes the types of encryption that Unified Communications Manager supports: Secure End Users Login Credentials From Unified Communications Manager Release 12.5(1), all end users login credentials are hashed with SHA2 to provide enhanced security. Earlier than Unified Communications Manager Release 12.5(1), all end users login credentials were hashed with SHA1 only. Unified Communications Manager Release 12.5(1) also includes the “UCM Users with the Out-Of-Date Credential Algorithm” report. This report is available in the Cisco Unified Reporting page. This report helps the administrator to list all the end users whose passwords or PINs are hashed with SHA1. All end users passwords or PINs that are hashed with SHA1 are migrated to SHA2 automatically upon their first successful login. The end users with SHA1 hashed (out of date) credentials can update their PINs or passwords using one of the following ways: Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 20 An Introduction to Unified CM Security Encryption