Page 288

source: cucm/v15/security-guide/security-guide.md
chunk_id: cucm::v15::security-guide::security-guide::289

• CCM_AEAD_AES_256_GCM (CiscoMediaEncryptionAlgorithmType.AEAD_256_COUNTER)

When you receive a call, Unified Communications Manager negotiates the media and encryption capabilities that the CTI application specified when it registered the CTI port against those of the called phone. If there is a matching algorithm, Unified CM sends the key information to both sides so that the packets can be decrypted and the media monitored or recorded.

Limitations

Unified Communications Manager does not support the CCM_F8_128_HMAC_SHA1_32 and CCM_F8_128_HMAC_SHA1_80 algorithms. If the CTI application tries to register a CTI port terminating media with these unsupported algorithms, Unified CM ignores them and selects the best of the remaining available algorithms. If no algorithm other than these two is available, Unified CM switches to the existing behavior and selects CCM_AES_CM_128_HMAC_SHA1_32 by default.

CAPF Functions for CTI, JTAPI, and TAPI Applications

Certificate Authority Proxy Function (CAPF), which installs automatically with Unified Communications Manager, performs the following tasks for CTI/JTAPI/TAPI applications, depending on your configuration:

• Authenticates to the JTAPI/TSP client via an authentication string.
• Issues Locally Significant Certificates (LSC) to CTI/JTAPI/TAPI application users or end users.
• Upgrades existing Locally Significant Certificates.
• Retrieves certificates for viewing and troubleshooting.

When the JTAPI/TSP client interacts with CAPF, the client authenticates to CAPF by using an authentication string; the client then generates its public and private key pair and forwards its public key to the CAPF server in a signed message. The private key remains in the client and is never exposed externally. CAPF signs the certificate and then sends the certificate back to the client in a signed message.

You issue certificates to application users or end users by configuring the settings in the Application User CAPF Profile Configuration window or the End User CAPF Profile Configuration window, respectively. The following information describes the differences between the CAPF profiles that Unified Communications Manager supports:

• Application User CAPF Profile—This profile allows you to issue locally significant certificates to secure application users so that a TLS connection opens between the CTIManager service and the application. One Application User CAPF Profile corresponds to a single instance of the service or application on a server. If you activate multiple web services or applications on the same server, you must configure multiple Application User CAPF Profiles, one for each service on the server. If you activate a service or application on two servers in the cluster, you must configure two Application User CAPF Profiles, one for each server.
• End User CAPF Profile—This profile allows you to issue locally significant certificates to CTI clients so that the CTI client communicates with the CTIManager service via a TLS connection.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 270 Advanced System Security CAPF Functions for CTI, JTAPI, and TAPI Applications
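As an added example (not Cisco code and not part of this guide), the following Python models the CTI port media-encryption negotiation and the Limitations described earlier on this page: the unsupported F8 suites are ignored, the best remaining suite common to the CTI port and the called phone is chosen, and CCM_AES_CM_128_HMAC_SHA1_32 is selected by default when the CTI port registered nothing else. The preference order, the extra suite names CCM_AEAD_AES_128_GCM and CCM_AES_CM_128_HMAC_SHA1_80, and the handling of a call with no common suite are assumptions made for this example.

```python
"""Model of the CTI port SRTP suite selection from the Limitations section.

Constructed example, not Cisco code. The F8 names and the default suite come
from the guide; the preference order, CCM_AEAD_AES_128_GCM and
CCM_AES_CM_128_HMAC_SHA1_80 are assumptions made for this example.
"""

# Assumed preference, strongest first (the guide only says "best remaining").
PREFERENCE = [
    "CCM_AEAD_AES_256_GCM",
    "CCM_AEAD_AES_128_GCM",
    "CCM_AES_CM_128_HMAC_SHA1_80",
    "CCM_AES_CM_128_HMAC_SHA1_32",
]

# Suites the guide says Unified CM ignores when a CTI port registers with them.
UNSUPPORTED = {"CCM_F8_128_HMAC_SHA1_32", "CCM_F8_128_HMAC_SHA1_80"}

# Suite the guide says Unified CM selects when nothing else was registered.
DEFAULT = "CCM_AES_CM_128_HMAC_SHA1_32"


def negotiate(cti_offered, phone_supported):
    """Return (selected_suite, reason) for a call to a CTI port.

    cti_offered: suites the CTI application registered the port with.
    phone_supported: suites the called phone supports.
    """
    ignored = [a for a in cti_offered if a in UNSUPPORTED]
    usable = [a for a in cti_offered if a not in UNSUPPORTED]
    if not usable:
        # Only F8 suites were registered: fall back to the documented default.
        return DEFAULT, "fallback to default; ignored " + ", ".join(ignored)
    # Pick the strongest usable suite the phone also supports.
    common = [a for a in PREFERENCE if a in usable and a in phone_supported]
    if common:
        note = "matched" if not ignored else "matched; ignored " + ", ".join(ignored)
        return common[0], note
    # Not described on the page; modeled here as no key material being sent.
    return None, "no matching algorithm"


if __name__ == "__main__":
    # Constructed registrations showing the downgrade an operator should notice.
    phone = {"CCM_AEAD_AES_256_GCM", "CCM_AES_CM_128_HMAC_SHA1_32"}
    for offered in (["CCM_AEAD_AES_256_GCM"], ["CCM_F8_128_HMAC_SHA1_80"]):
        print(offered, "->", negotiate(offered, phone))
```

Registering a CTI port with only F8 suites therefore silently yields the weakest default, which is worth checking in the application's registration settings.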