• In single-server clusters, because certificates are regenerated, you need to run the CTL Client or apply the Prepare Cluster for Rollback to pre-8.0 enterprise parameter before you enable FIPS mode. If you do not perform either of these steps, you must manually delete the ITL file after you enable FIPS mode.
• In a cluster, all nodes should be either in FIPS or non-FIPS mode. Nodes in different modes are not allowed. For example, Node A in FIPS mode and Node B in non-FIPS mode is not allowed.
• After you enable FIPS mode on a server, wait until the server reboots and the phones re-register successfully before enabling FIPS on the next server.
• When you enable FIPS mode in Unified Communications Manager Release 15, the 3DES algorithm is not supported for IPSec communication.
• If you have already configured the IPSec policies with ESP and Encryption Algorithm as 3DES and enabled FIPS mode, the upgrade to Unified Communications Manager Release 15 is blocked.
• If you are planning to upgrade or migrate to Release 15 or later, note that an IPSec policy with the 3DES algorithm isn't supported in FIPS mode. Delete and recreate the IPSec policy with Encryption and ESP algorithms other than 3DES on both nodes between which the IPSec tunnel is to be established, before you upgrade or migrate.
• In FIPS mode, ssh-rsa will be replaced with SHA2-based HostKeyAlgorithms for the SSH interface.
• From Release 15SU3 onwards, DH groups 17 and 18 are no longer available. If you are planning to upgrade or migrate to Release 15SU3, note that IPSec policies using these DH groups are not supported in either FIPS or non-FIPS mode. If you have configured any IPSec policy with these unsupported DH groups, delete and recreate them using supported DH groups before you upgrade or migrate.

Before you enable FIPS mode, we strongly recommend that you perform a system backup.
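The points above amount to a pre-flight checklist: consistent FIPS mode across nodes, no 3DES IPSec policies once FIPS is in play, no DH groups 17 or 18 from Release 15SU3, and a cluster security password of at least 14 characters. The following Python script is an added example, not code from the guide or from Cisco, that runs that checklist offline against a cluster inventory you fill in by hand. The `Node` and `IPsecPolicy` structures, the release label format accepted by `parse_release` ("15", "15SU3"), and the two sample clusters are constructed assumptions; the thresholds themselves (14 characters, DH groups 17 and 18, 3DES) are the ones stated above.

```python
"""Offline FIPS-readiness check for a CUCM cluster inventory (added example).

The inventory format is an assumption for illustration; nothing here talks to
a server. Fill the structures from each node's IPSec policy configuration.
"""
import re
from dataclasses import dataclass, field

UNSUPPORTED_DH_GROUPS_15SU3 = {17, 18}     # unavailable from Release 15SU3 onwards
MIN_CLUSTER_SECURITY_PASSWORD_LEN = 14     # required before FIPS can be enabled (15SU3+)


def parse_release(release: str) -> tuple:
    """Turn an assumed label such as '15' or '15SU3' into (major, su)."""
    m = re.fullmatch(r"(\d+)(?:SU(\d+))?", release.strip().upper())
    if not m:
        raise ValueError(f"unrecognised release label: {release!r}")
    return int(m.group(1)), int(m.group(2) or 0)


@dataclass
class IPsecPolicy:
    name: str                 # policy name on this node
    peer: str                 # the other end of the tunnel
    esp_algorithm: str        # e.g. "AES-128", "3DES"
    encryption_algorithm: str
    dh_group: int


@dataclass
class Node:
    name: str
    fips_enabled: bool
    ipsec_policies: list = field(default_factory=list)


def check_cluster(nodes, target_release, cluster_security_password, enable_fips):
    """Return a list of findings; an empty list means the checklist passed."""
    findings = []
    su3_or_later = parse_release(target_release) >= (15, 3)

    # 1. Every node must be in the same mode; mixed clusters are not allowed.
    if len({n.fips_enabled for n in nodes}) > 1:
        modes = ", ".join(f"{n.name}={'FIPS' if n.fips_enabled else 'non-FIPS'}" for n in nodes)
        findings.append(f"MIXED_MODE: nodes differ in FIPS mode: {modes}")

    # 2. From 15SU3, 'utils fips enable' needs a 14+ character security password.
    if enable_fips and su3_or_later:
        n = len(cluster_security_password)
        if n < MIN_CLUSTER_SECURITY_PASSWORD_LEN:
            findings.append(f"PASSWORD: cluster security password is {n} characters; "
                            f"at least {MIN_CLUSTER_SECURITY_PASSWORD_LEN} are required")

    # 3./4. Per-policy algorithm checks on every node.
    fips_relevant = enable_fips or any(n.fips_enabled for n in nodes)
    for node in nodes:
        for p in node.ipsec_policies:
            algos = {p.esp_algorithm.lower(), p.encryption_algorithm.lower()}
            if fips_relevant and "3des" in algos:
                findings.append(f"3DES: {node.name}/{p.name} (peer {p.peer}) uses 3DES; "
                                "not supported in FIPS mode from Release 15")
            if su3_or_later and p.dh_group in UNSUPPORTED_DH_GROUPS_15SU3:
                findings.append(f"DH_GROUP: {node.name}/{p.name} uses DH group {p.dh_group}; "
                                "groups 17 and 18 are unavailable from Release 15SU3")
    return findings


def build_sample_cluster():
    """Constructed two-node inventory that violates every check."""
    pub = Node("cucm-pub", fips_enabled=False, ipsec_policies=[
        IPsecPolicy("to-sub", "cucm-sub", "3DES", "3DES", 14),
        IPsecPolicy("to-gw", "voice-gw", "AES-128", "AES-128", 17),
    ])
    sub = Node("cucm-sub", fips_enabled=True, ipsec_policies=[
        IPsecPolicy("to-pub", "cucm-pub", "3DES", "3DES", 14),
    ])
    return [pub, sub]


def build_compliant_cluster():
    """Constructed inventory after the policies were recreated as advised."""
    pub = Node("cucm-pub", fips_enabled=True, ipsec_policies=[
        IPsecPolicy("to-sub", "cucm-sub", "AES-128", "AES-128", 14)])
    sub = Node("cucm-sub", fips_enabled=True, ipsec_policies=[
        IPsecPolicy("to-pub", "cucm-pub", "AES-128", "AES-128", 14)])
    return [pub, sub]


if __name__ == "__main__":
    for f in check_cluster(build_sample_cluster(), "15SU3", "short-pass12", enable_fips=True):
        print(f)
```

Run it before scheduling the change window; each finding names the node and policy to recreate, and the same 3DES policy will be reported once per tunnel end, matching the instruction to recreate it on both nodes.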
Caution: If FIPS checks fail at start-up, the system halts and requires a recovery CD to be restored. Make sure that all cluster nodes are set to FIPS mode or non-FIPS mode during deployment. You cannot deploy mixed nodes in a cluster. A cluster must be either FIPS or non-FIPS.

Procedure

Step 1 Start a CLI session. For more information, see "Start CLI Session" in the Command Line Interface Reference Guide for Cisco Unified Communications Solutions.

Step 2 Important: This step ONLY applies from Release 15SU3 onwards. Skip this and proceed to the next step if your installation is on a release below 15SU3.
In the CLI, enter utils fips enable. If you enter a password of fewer than 14 characters, the following prompt appears:
The cluster security password must be at least 14 characters long before security modes such as FIPS, Common Criteria and Enhanced Security modes can be

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 244
Advanced System Security
Enable FIPS 140-2 Mode