Important: This feature is applicable from Release 15 onwards and for Webex clients only. Whenever Webex clients request the renewal of their access tokens, Cisco Unified Communications Manager checks whether the refresh token renewal feature has been enabled on Cisco Unified CM and on the Webex clients, and whether the refresh token's lifetime has reached 50% of its expiry time. When both conditions are met, the refresh tokens are renewed automatically while the access tokens are being renewed, ensuring seamless access without the need for reauthentication.

SIP OAuth Mode

SIP OAuth Mode enhances the OAuth framework, enabling the usage of OAuth access tokens and refresh tokens for SIP lines, thereby removing the need to install LSC certificates on Jabber clients. SIP OAuth Mode allows for secure signaling and media for Jabber without CAPF. Token validation is completed during SIP registration. In this mode, Jabber can perform media and signaling encryption without an LSC, and without the need to enable mixed-mode on Unified CM.

Regenerating Keys for OAuth

If you believe the keys that are used for signing and encrypting OAuth tokens have been compromised, use the following CLI commands to generate new keys. The signing key is asymmetric and RSA-based, whereas the encryption key is a symmetric key.

• set key regen authz encryption
• set key regen authz signing

Note: When OAuth keys are regenerated, you must restart the Cisco XCP Authentication Service on all IM and Presence nodes for Jabber OAuth login to work.

Configure SIP OAuth Mode

For detailed procedures on how to configure SIP OAuth Mode so that you can use OAuth Refresh Logins for SIP lines, refer to the "SIP OAuth Mode" chapter of the Feature Configuration Guide for Cisco Unified Communications Manager.

Revoke Existing OAuth Refresh Tokens

Use an AXL API to revoke existing OAuth refresh tokens. For example, if an employee leaves your company, you can use this API to revoke that employee's current refresh token so that they cannot obtain new access tokens and will no longer be able to log in to the company account. The API is a REST-based API that is protected by AXL credentials. You can use any command-line tool to invoke the API. The following cURL command is an example of how to revoke a refresh token:

curl -k -u "admin:password" "https://<UCMaddress>:8443/ssosp/token/revoke?user_id=<end_user>"

where:

• admin:password is the login ID and password for the Cisco Unified Communications Manager administrator account.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 224 User Security Configure SIP OAuth Mode
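
A scripted form of the revocation call for offboarding several users at once, as an added example that is not part of the Cisco guide. It generalizes the single cURL command to a list of user IDs read from standard input; the variables UCM_HOST, UCM_ADMIN, UCM_PASS, UCM_CA and DRY_RUN and all function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not Cisco code. UCM_HOST, UCM_ADMIN, UCM_PASS, UCM_CA, DRY_RUN
# and all function names are assumptions made for this sketch.

# Percent-encode everything outside the RFC 3986 unreserved set, so a user ID
# such as "a&b" cannot add or change query parameters.
urlencode() (
    LC_ALL=C; s=$1; out=
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}; s=$rest
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
)

# Build the revoke URL from the endpoint shown in the guide; refuse any host
# string that is not a plain host name or address.
revoke_url() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*) echo "invalid host: $1" >&2; return 1 ;;
    esac
    printf 'https://%s:8443/ssosp/token/revoke?user_id=%s' "$1" "$(urlencode "$2")"
}

# Revoke one user's refresh token. The AXL credentials reach curl as a config
# on stdin, so they stay out of the process list (a password containing " or \
# would need escaping), and the server certificate is verified against
# $UCM_CA instead of being skipped with -k.
revoke_user() {
    url=$(revoke_url "$UCM_HOST" "$1") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$url"; return 0; fi
    printf 'user = "%s:%s"\n' "$UCM_ADMIN" "$UCM_PASS" |
        curl --silent --show-error --fail --cacert "$UCM_CA" --config - "$url"
}

# Read user IDs from stdin, one per line; log each result on stderr and return
# non-zero if any call failed, so a missed revocation is not overlooked.
revoke_all() {
    rc=0
    while IFS= read -r uid || [ -n "$uid" ]; do
        [ -n "$uid" ] || continue
        if revoke_user "$uid"; then echo "ok: $uid" >&2
        else echo "FAILED: $uid" >&2; rc=1; fi
    done
    return "$rc"
}
```

After sourcing the file and setting the variables, `revoke_all < leavers.txt` processes a list of user IDs (the file name is a placeholder). With `DRY_RUN=1` it prints the URLs it would call without contacting the server.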