SCCP Gateway and Hardware Conference Bridge Support for Secure Hash Algorithm (SHA-2)

The secure Skinny Client Control Protocol (SCCP) enhances Foreign Exchange Station (FXS) analog endpoints through signaling integrity and media encryption using Transport Layer Security (TLS) and Secured Real-Time Transport Protocol (SRTP) with Unified Communications Manager. Unified Communications Manager now provides enhanced support for the SHA-2 algorithms on the SCCP Gateway (analog endpoints) and the Hardware conference bridge (TLS and SRTP).

Prerequisite

SHA-2 support for SCCP analog endpoints and the Hardware Conference Bridge works with the following Unified Communications Manager and Gateway versions.

• Unified CM Version 14 SU1 and above.
• Gateway IOS Version: IOS XE 17.6.1, which must be configured to support TLS V1.2 for secure signaling.
• For analog endpoints, enable STCAPP on the voice gateway and make sure that the FXS ports are available on the voice gateway to register secure FXS ports on the Unified Communications Manager.
• For the Hardware conference bridge, a secure DSPFARM profile for the conference is needed as it supports a combination of transcoding sessions, MTP sessions, and conferences simultaneously.

Note: Unified Communications Manager requests conferencing or transcoding services from the gateway, which either grants or denies these requests, depending on resource availability.

Override Functionality

If you haven’t configured any ciphers on the Cipher Management page of the Cisco Unified OS Administration user interface, the default settings from Enterprise Parameters > TLS Ciphers will be recognized and negotiated. SCCP FXS defaults to the SHA-1 TLS cipher to avoid backward compatibility issues with the SCCP Cisco IP phone.

If you have selected the default option All Supported Ciphers in the Cisco Unified CM Administration > Systems > Enterprise Parameter > TLS Ciphers field, the following ciphers will be recognized and negotiated by Unified CM for TLS connection: AEAD_AES_256_GCM, AEAD_AES_128_GCM, AES_CM_128_HMAC_SHA1_32, SHA1_80, F8_128_HMAC_SHA1_32, F8_SHA1_80.

However, if Cisco Unified OS Administration > Security > Cipher Management is configured with “AES256-GCM-SHA384:AES256-SHA256” on All TLS interfaces, all SIP interfaces support only the “AES256-GCM-SHA384:AES256-SHA256” ciphers and ignore the Enterprise Parameter value. For more information, see the "Configure Cipher String" and "Cipher Limitations" sections.

For example:

1. If Cisco Unified OS Administration > Cipher Management is set to Default, SHA-1 TLS is negotiated.
2. If Cisco Unified OS Administration > Cipher Management is set to ALL, SHA-2 TLS is negotiated.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs: An Introduction to Unified CM Security
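The override rule above can be checked offline against a planned Cipher Management string before it is applied. The following is an added example, not code from Cisco or from this guide; the helper names `classify_suite` and `audit` are hypothetical, and it assumes the string is a colon-separated list of OpenSSL-style suite names like the one quoted above.

```python
import re

# Constructed sample; the suite pair is the one quoted in the text above.
SAMPLE = "AES256-GCM-SHA384:AES256-SHA256"

# Hash token that ends an OpenSSL-style suite name, e.g. "-SHA384" or "-SHA".
# In a name ending in "-SHA" the hash is the SHA-1 HMAC of the suite.
_HASH = re.compile(r"[-_](SHA(?:1|256|384|512)?)$")


def classify_suite(name):
    """Return 'SHA-1', 'SHA-2' or 'unknown' for one suite name."""
    m = _HASH.search(name.strip().upper())
    if not m:
        return "unknown"  # keyword such as ALL, or a name without a hash suffix
    return "SHA-1" if m.group(1) in ("SHA", "SHA1") else "SHA-2"


def audit(cipher_mgmt):
    """Hypothetical helper applying the override rule described above."""
    tokens = [t.strip() for t in (cipher_mgmt or "").split(":") if t.strip()]
    if not tokens:
        # Nothing configured: the Enterprise Parameter value is negotiated.
        return {"source": "Enterprise Parameters > TLS Ciphers",
                "suites": {}, "sha1_allowed": None}
    suites = {t: classify_suite(t) for t in tokens}
    kinds = set(suites.values())
    if "SHA-1" in kinds:
        sha1 = True
    elif "unknown" in kinds:
        sha1 = None  # cannot decide from the names alone
    else:
        sha1 = False
    return {"source": "Cipher Management", "suites": suites,
            "sha1_allowed": sha1}


if __name__ == "__main__":
    # Constructed inputs: unconfigured, the page's string, a mixed string.
    for cfg in ("", SAMPLE, "AES256-GCM-SHA384:AES128-SHA"):
        print(repr(cfg), audit(cfg))
```

A `sha1_allowed` value of `None` means the names alone do not settle the question, so the negotiated suite should be confirmed on the gateway itself.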