FIPS Mode Restrictions
Security Guide for Cisco Unified Communications Manager, Release 15 and SUs (Advanced System Security)

Feature: Certificate Remote Enrolment
Restrictions: FIPS mode does not support Certificate Remote Enrolment.

Feature: SSH Host Key Algorithms
Restrictions: All SFTP client connections (for example, DRS and CDR) use the following host key algorithms:
• FIPS mode only supports rsa-sha2-256
• Non-FIPS mode only supports ssh-rsa
rsa-sha2-256 (SHA256withRSA) support is available only from OpenSSH 6.8 onwards; an SFTP server running an older OpenSSH cannot serve a FIPS-mode cluster.
SFTP Server
Deprecated Algorithm:
• ssh-rsa (SHA1withRSA)
New Supported Algorithms:
• rsa-sha2-256
• rsa-sha2-512
Note: Before upgrading to 14SU2 or a later release, refer to the "Supported Upgrade and Migration Paths with COP Files" section in the Upgrade and Migration Guide for Cisco Unified Communications Manager and the IM and Presence Service.

Feature: IPSec Policy
Restrictions: In Common Criteria (CC) mode, perform the Certificate Exchange operation between clusters/nodes first, before configuring a certificate-based IPSec policy.
A certificate-based IPSec policy does not survive a move from Non-FIPS mode to FIPS/CC mode or vice versa. If a certificate-based IPSec policy exists and is enabled, do the following when changing mode in either direction:
1. Disable the IPSec policy before moving to FIPS/CC mode (or back to Non-FIPS mode).
2. After the mode change, recertify the certificate and exchange the new certificate with the peer.
3. Enable the IPSec policy again.
Note: When you enable or disable FIPS/CC mode on a server that has an IPSec configuration, multiple Pluto (IKE daemon) core files appear in the output of utils core active list. This has no impact on functionality.
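An added example, not taken from the Cisco guide, that turns the host key restriction above into a check you can run against the SFTP server that receives DRS backups or CDR exports. It parses the error OpenSSH prints when no host key algorithm matches and reports whether the server's offer satisfies a FIPS-mode cluster (rsa-sha2-256) and a non-FIPS cluster (ssh-rsa), then prints the sshd_config line that would close the gap. The sample error text, the address 192.0.2.10 and the probe user name are constructed. The caveat it surfaces is one the table implies but does not spell out: OpenSSH 8.8 and later no longer offer ssh-rsa by default, so a current SFTP server accepts a FIPS-mode cluster but refuses a non-FIPS cluster until the server re-enables ssh-rsa.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide. Classifies an SFTP server's
# host key offer against what a Unified CM cluster negotiates in each mode.

# Host key algorithms the guide states the SFTP client uses per mode.
FIPS_HOSTKEY="rsa-sha2-256"
NONFIPS_HOSTKEY="ssh-rsa"

# extract_offer MESSAGE
# Pulls the comma-separated server offer out of the OpenSSH client error
# "no matching host key type found. Their offer: a,b,c". Prints nothing
# when the message is some other error, e.g. "Permission denied".
extract_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | head -n 1 | tr -d '\r '
}

# offer_has OFFER ALGO -> exit 0 when ALGO is an exact member of OFFER
offer_has() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qxF -- "$2"
}

# classify_offer OFFER -> "fips=yes|no nonfips=yes|no"
classify_offer() {
    f=no
    n=no
    offer_has "$1" "$FIPS_HOSTKEY" && f=yes
    offer_has "$1" "$NONFIPS_HOSTKEY" && n=yes
    printf 'fips=%s nonfips=%s\n' "$f" "$n"
}

# sshd_fix OFFER -> the sshd_config line that adds whatever algorithm is
# missing so both cluster modes can connect (no output when nothing is
# missing). The server also needs an RSA HostKey for either to work.
sshd_fix() {
    missing=""
    offer_has "$1" "$FIPS_HOSTKEY" || missing="$missing,$FIPS_HOSTKEY"
    offer_has "$1" "$NONFIPS_HOSTKEY" || missing="$missing,$NONFIPS_HOSTKEY"
    [ -n "$missing" ] && printf 'HostKeyAlgorithms +%s\n' "${missing#,}"
    return 0
}

# probe_hostkey ALGO HOST [PORT]
# Probes a live server the way the cluster would: force a single host key
# algorithm and disable every authentication method, so the only thing that
# can succeed is key exchange. "Permission denied" in the output means the
# algorithm was accepted; "no matching host key type found" means it was not.
# The user name "probe" is a placeholder; no session is ever opened.
probe_hostkey() {
    ssh -o "HostKeyAlgorithms=$1" -o BatchMode=yes -o ConnectTimeout=5 \
        -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
        -o PubkeyAuthentication=no -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no \
        -p "${3:-22}" "probe@$2" true 2>&1
}

# Constructed sample: what a non-FIPS cluster (which offers only ssh-rsa)
# gets back from an SFTP server running OpenSSH 8.8+ with default settings.
SAMPLE_ERR='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519'

offer=$(extract_offer "$SAMPLE_ERR")
echo "server offer : $offer"
echo "compatibility: $(classify_offer "$offer")"
echo "sshd_config  : $(sshd_fix "$offer")"
```

To test a real server, call probe_hostkey rsa-sha2-256 and probe_hostkey ssh-rsa against it and feed any "Their offer" line into classify_offer; ssh -Q HostKeyAlgorithms on the probing host lists what the local client can try at all. Re-enabling ssh-rsa on the SFTP server keeps a non-FIPS cluster working but reintroduces SHA-1 signatures, so treat it as a bridge until the cluster moves to FIPS mode rather than as a permanent setting.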