McDewey

Multi-vendor documentation library · semantic search · MCP endpoint at /mcp

Page 263

↗ View in doc context
page
263
source
cucm/v15/security-guide/security-guide.md
chunk_id
cucm::v15::security-guide::security-guide::262

enabled. Update the cluster security password using the 'set password user security' CLI command on all nodes and retry this command.

Executed command unsuccessfully If you enter a password more than 14 characters, the following prompts appear: Security Warning : The operation will regenerate certificates for 1)CallManager 2)Tomcat 3)IPsec 4)TVS 5)CAPF 6)SSH Any third party CA signed certificates that have been uploaded for the above components will need to be re-uploaded. If the system is operating in mixed mode, then the CTL client needs to be run again to update the CTL file. If there are other servers in the cluster, please wait and do not change the FIPS settings on any other node until the FIPS operation on this node is complete and the system is back up and running. All nodes within a cluster should be in either FIPS mode or in Non-FIPS mode. Different modes within a cluster is not a valid configuration. E.g. Node A in FIPS mode and Node B in Non-FIPS mode is not allowed If the enterprise parameter 'TFTP File Signature Algorithm' is configured with the value 'SHA-1' which is not FIPS compliant in the current version of the CUCM, though the signing operation will continue to succeed, it is recommended the parameter value be changed to SHA-512 in order to be fully FIPS. Configuring SHA-512 as the signing algorithm may require all the phones that are provisioned in the cluster to be capable of verifying SHA-512 signed configuration file, otherwise the phone registration may fail. Please refer to the Cisco Unified Communications Manager Security Guide for more details. For SSH interface in FIPS mode, the ssh-rsa HostKeyAlgorithm is replaced with the SHA-2 based HostKeyAlgorithm.

This will change the system to FIPS mode and will reboot.

WARNING: Once you continue do not press Ctrl+C. Canceling this operation after it starts will leave the system in an inconsistent state; rebooting the system and running "utils fips status" will be required to recover.

Do you want to continue (yes/no)? Step 3 Important This step ONLY applies to releases below 15SU3. Skip this step for Release 15SU3 or later. In the CLI, enter utils fips enable If you enter a password fewer than 14 characters, the following prompt appears: The cluster security password must be at least 14 characters long before security modes such as FIPS, Common Criteria and Enhanced Security modes can be enabled. Update the cluster security password using the 'set password user security' CLI command on all nodes and retry this command. Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 245 Advanced System Security Enable FIPS 140-2 Mode