
Page 268 · source: cucm/v15/security-guide/security-guide.md · chunk_id: cucm::v15::security-guide::security-guide::267

Enhanced Security Mode

Enhanced Security Mode runs on a FIPS-enabled system. Both Unified Communications Manager and the IM and Presence Service can be enabled to operate in Enhanced Security Mode, which enables the system with the following security and risk management controls:
• A stricter credential policy is implemented for user passwords and password changes.
• The contact search authentication feature becomes enabled by default.
• If the protocol for remote audit logging is set to TCP or UDP, the default protocol is changed to TCP. If the protocol for remote audit logging is set to TLS, the default protocol remains TLS.

In Common Criteria Mode, strict hostname verification is implemented. Hence, you should configure the server with a fully qualified domain name (FQDN) that matches the certificate.

When Unified Communications Manager is in FIPS mode, the devices that you set as backup devices must be FIPS compliant.

The key exchange algorithm diffie-hellman-group1-sha1 isn't supported in FIPS mode. If you configure the diffie-hellman-group1-sha1 algorithm in a non-FIPS mode of Unified Communications Manager, this algorithm is automatically removed from SSH Key Exchange when you enable FIPS mode.

Credential Policy Updates

When Enhanced Security Mode is enabled, a stricter credential policy takes effect for new user passwords and password changes. After Enhanced Security Mode is enabled, administrators can use the set password *** series of CLI commands to modify any of these requirements:
• Password length must be between 14 and 127 characters.
• The password must contain at least 1 lowercase letter, 1 uppercase letter, 1 digit and 1 special character.
• None of the previous 24 passwords can be reused.
• The minimum age of the password is 1 day and the maximum age of the password is 60 days.
• Any newly generated password's character sequence must differ by at least 4 characters from the old password's character sequence.
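The credential policy above, as an added example that is not Cisco's code: a Python validator that applies each rule to a proposed password change and reports every violation. It assumes the "differ by at least 4 characters" rule means a positional difference (Hamming distance plus any length difference), and it compares against a plaintext history purely for illustration.

```python
# Added example (not Cisco code): a validator for the Enhanced Security Mode
# credential policy. The "differ by at least 4 characters" rule is read here
# as a positional difference (Hamming distance plus any length difference),
# which is an assumption; a real system would compare hashed history.
from datetime import datetime, timedelta
import string

SPECIALS = set(string.punctuation)

def char_difference(old: str, new: str) -> int:
    """Positions that differ, plus the length difference (assumed metric)."""
    common = min(len(old), len(new))
    diff = sum(1 for a, b in zip(old[:common], new[:common]) if a != b)
    return diff + abs(len(old) - len(new))

def check_complexity(pw: str) -> list[str]:
    """Length and character-class rules; returns a list of violations."""
    problems = []
    if not 14 <= len(pw) <= 127:
        problems.append("length must be 14-127 characters")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs a special character")
    return problems

def check_change(new: str, history: list[str], last_changed: datetime,
                 now: datetime) -> list[str]:
    """history[0] is the current password, older ones follow (max 24 kept)."""
    problems = check_complexity(new)
    if new in history[:24]:
        problems.append("matches one of the previous 24 passwords")
    if history and char_difference(history[0], new) < 4:
        problems.append("differs from the old password by fewer than 4 characters")
    if now - last_changed < timedelta(days=1):
        problems.append("current password is younger than the 1-day minimum age")
    return problems

def password_expired(last_changed: datetime, now: datetime) -> bool:
    """True once the 60-day maximum age has passed."""
    return now - last_changed > timedelta(days=60)
```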
When Unified Communications Manager and Cisco Instant and Messaging are operating in Enhanced Security Mode, before Jabber login with an existing local end user or a new local end user, the user must follow these steps:
• Log in to the Selfcare portal first and reset the user's password before logging in to Jabber. Then log in to Jabber as the local end user.
• URL for the Selfcare portal: https://<IPaddress>/ucmuser

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 250 Advanced System Security Enhanced Security Mode