McDewey

Do not run either utils EnhancedSecurityMode enable or utils EnhancedSecurityMode disable CLI commands on all nodes simultaneously. Common Criteria Mode Common Criteria mode allows both Unified Communications Manager and IM and Presence Service Service to comply with Common Criteria guidelines. Common Criteria mode can be configured with the following set of CLI commands on each cluster node: • utils fips_common_criteria enable • utils fips_common_criteria disable • utils fips_common_criteria status Common Criteria mode will not work with TLS 1.3. Note Common Criteria Configuration Task Flow • FIPS mode must be running to enable Common Criteria mode. If FIPS isn't already enabled, you'll be prompted to enable it when you try to enable Common Criteria mode. Enabling FIPS does require certificate regeneration. For more information, see Enable FIPS 140-2 Mode, on page 243. • In Common Criteria mode, Certificate Exchange operation is mandatory between clusters/nodes before configuring IPSec policies for Certificate based IPSec Policy. • X.509 v3 certificates are required in Common Criteria mode. X.509 v3 certificates enable secure connections when using TLS 1.2 as a communication protocol for the following: • Remote audit logging • Establishing connection between the FileBeat client and the logstash server. To configure Unified Communications Manager and IM and Presence Service for Common Criteria mode, perform the following: Procedure Purpose Command or Action TLS is a prerequisite for configuring Common Criteria mode. Enable TLS, on page 253 Step 1 Configure Common Criteria mode on all Unified Communications Manager and IM and Presence Service cluster nodes. Configure Common Criteria Mode, on page 253 Step 2 Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 252 Advanced System Security Common Criteria Mode