source: cucm/v15/security-guide/security-guide.md
chunk_id: cucm::v15::security-guide::security-guide::271

Step 2 Run the utils fips_common_criteria status command to verify whether the system is operating in Common Criteria mode.

Step 3 Run one of the following commands on a cluster node:
• To enable the Common Criteria mode, run utils fips_common_criteria enable.
• To disable the Common Criteria mode, run utils fips_common_criteria disable.
When Common Criteria mode is disabled, a prompt is displayed to set the minimum TLS version.

Note Do not run these commands on all nodes simultaneously.

Step 4 To enable Common Criteria mode across a single cluster, repeat this procedure on all Unified Communications Manager and IM and Presence Service cluster nodes.

Note
• The CTL client does not connect to a Unified Communications Manager node when the server is in Common Criteria mode, because the CTL client does not support the TLS 1.1 and TLS 1.2 protocols.
• Only phone models that support TLS 1.1 or TLS 1.2, such as DX series and 88XX series phones, are supported in Common Criteria mode. Phone models that support only TLSv1.0, such as 7975 and 9971, are not supported in Common Criteria mode.
• Temporarily allow TLS 1.0 when using the CTL Client and then move the cluster to Common Criteria mode. Configure Minimum TLS to 1.1 or 1.2.
• Migrate to Tokenless CTL by using the CLI command utils ctl set-cluster mixed-mode in Common Criteria mode. Configure Minimum TLS to 1.1 or 1.2.

Note Common Criteria mode will not work with TLS 1.3.

Step 5 To enable the Common Criteria mode in a multi-cluster setup where ICSA is already configured between the nodes, enable Common Criteria mode in each of the nodes in the following order:
a. Unified Communications Manager - Cluster 1 (Publisher)
b. IM and Presence Service - Cluster 1 (Publisher)
c. IM and Presence Service - Cluster 1 (Subscriber or subscribers)
d. Unified Communications Manager - Cluster 2 (Publisher)
e. IM and Presence Service - Cluster 2 (Publisher)
f. IM and Presence Service - Cluster 2 (Subscriber or subscribers)

Step 6 In case of a cert sync failure, see.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 254
Advanced System Security
Configure Common Criteria Mode
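Added example, not part of the Cisco guide: a Python check an administrator can run against a node they manage to see which TLS versions a listener accepts once the minimum TLS version has been configured, and to compare the result with the notes above. The host and port arguments and the names probe and assess are assumptions of this example, as is the premise that the probed listener honors the configured minimum TLS version.

```python
import socket, ssl, warnings

VERSIONS = {"1.0": ssl.TLSVersion.TLSv1, "1.1": ssl.TLSVersion.TLSv1_1,
            "1.2": ssl.TLSVersion.TLSv1_2, "1.3": ssl.TLSVersion.TLSv1_3}

def probe(host, port, version, timeout=5.0):
    """True: handshake pinned to `version` completed. False: the server refused.
    None: this client's OpenSSL build cannot offer `version` (inconclusive)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # testing protocol support, not identity
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the client offer 1.0/1.1
            ctx.minimum_version = version
            ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError as exc:
        return None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
    except ConnectionResetError:
        return False

def assess(accepted):
    """Map {'1.0': True|False|None, ...} to findings based on the notes above."""
    findings = []
    if accepted.get("1.0"):
        findings.append("TLS 1.0 accepted: minimum TLS is not yet 1.1 or 1.2")
    if accepted.get("1.1") is False and accepted.get("1.2") is False:
        findings.append("TLS 1.1 and 1.2 both refused: supported phones cannot connect")
    if accepted.get("1.3"):
        findings.append("TLS 1.3 accepted: guide notes Common Criteria mode "
                        "will not work with TLS 1.3")
    findings += [f"TLS {v} inconclusive: client cannot offer it"
                 for v, r in accepted.items() if r is None]
    return findings

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])  # a node and TLS port you administer
    results = {v: probe(host, port, tv) for v, tv in VERSIONS.items()}
    for line in assess(results) or ["no findings"]:
        print(line)
```

Run it before and after the temporary TLS 1.0 window used for the CTL Client, so the window is confirmed closed once the cluster is in Common Criteria mode.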