Page 304 · source: cucm/v15/security-guide/security-guide.md · chunk_id: cucm::v15::security-guide::security-guide::305

Example:

```
ciscoasa(config)# dns domain-lookup inside
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 10.1.1.5 192.168.1.67 209.165.201.6
```

Step 2 Generate and register the necessary certificates for Unified Communications Manager and ASA.

Import the following certificates from the Unified Communications Manager:

- CallManager: authenticates the Cisco UCM during the TLS handshake (only required for mixed-mode clusters).
- Cisco_Manufacturing_CA: authenticates IP phones that carry a Manufacturer Installed Certificate (MIC).
- CAPF: authenticates IP phones that carry an LSC.

To import these Unified Communications Manager certificates, do the following:

a) From Cisco Unified OS Administration, choose Security > Certificate Management.

b) Locate the certificates Cisco_Manufacturing_CA and CAPF. Download the .pem file and save it as a .txt file.

c) Create a trustpoint on the ASA.

Example:

```
ciscoasa(config)# crypto ca trustpoint trustpoint_name
ciscoasa(ca-trustpoint)# enrollment terminal
ciscoasa(config)# crypto ca authenticate trustpoint_name
```

When prompted for the base64-encoded CA certificate, copy and paste the text of the downloaded .pem file, including the BEGIN and END lines. Repeat the procedure for the other certificates.

d) Generate the following ASA self-signed certificates and register them with Unified Communications Manager, or replace them with a certificate that you import from a CA.

- Generate a self-signed certificate.

Example:

```
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# crypto key generate rsa general-keys label <name>
ciscoasa(config)# crypto ca trustpoint <name>
ciscoasa(ca-trustpoint)# enrollment self
ciscoasa(ca-trustpoint)# keypair <name>
ciscoasa(config)# crypto ca enroll <name>
ciscoasa(config)# end
```

- Generate a self-signed certificate with the Host-id check enabled on the VPN profile in Unified Communications Manager.

Example:

```
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# crypto key generate rsa general-keys label <name>
ciscoasa(config)# crypto ca trustpoint <name>
ciscoasa(ca-trustpoint)# enrollment self
ciscoasa(ca-trustpoint)# fqdn <full domain name>
ciscoasa(config-ca-trustpoint)# subject-name CN=<full domain name>,CN=<IP>
ciscoasa(config)# crypto ca enroll <name>
ciscoasa(config)# end
```

- Register the generated certificate with Unified Communications Manager.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs · 286 · Advanced System Security · Configure ASA for VPN Client on IP Phone
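Added check for step c (not part of the Cisco guide): before accepting the certificate at the ASA `crypto ca authenticate` prompt, confirm that the downloaded .pem/.txt file holds exactly one intact certificate and that its fingerprint equals the one displayed for that certificate in Cisco Unified OS Administration. It uses only the Python standard library; the algorithm is assumed to be SHA-256 (pass `algo="sha1"` if the UI shows SHA-1), and `SAMPLE_PEM` is a constructed file wrapping a minimal DER SEQUENCE, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

# One PEM block; tolerant of CRLF endings and trailing spaces (the file is
# saved as .txt and may have passed through a Windows editor).
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _der_length(der: bytes) -> tuple:
    """Decode the DER length octets after the tag at der[0]; return (length, header_size)."""
    first = der[1]
    if first < 0x80:
        return first, 2
    n = first & 0x7F
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def pem_to_der(text: str) -> bytes:
    """Return the DER bytes of the single certificate in the file, or raise ValueError.

    The ASA prompt expects exactly one CA certificate, so two blocks, a missing
    block, bad base64, or a truncated paste are all rejected here rather than on the ASA.
    """
    blocks = _PEM_RE.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
    try:
        der = base64.b64decode(re.sub(r"\s+", "", blocks[0]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    # An X.509 certificate is an outer DER SEQUENCE (tag 0x30) whose length must cover the data.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    length, header = _der_length(der)
    if header + length != len(der):
        raise ValueError("DER length does not match decoded size (truncated or padded paste)")
    return der


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the form certificate UIs display."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_expected(text: str, expected_fp: str, algo: str = "sha256") -> bool:
    """True if the certificate in `text` has the fingerprint copied from the source UI."""
    norm = expected_fp.replace(":", "").replace(" ", "").upper()
    return fingerprint(pem_to_der(text), algo).replace(":", "") == norm


# Constructed sample: minimal DER SEQUENCE (30 03 02 01 05) as a CRLF PEM with a stray note line.
SAMPLE_PEM = ("Downloaded from Cisco Unified OS Administration\r\n"
              "-----BEGIN CERTIFICATE-----\r\nMAMCAQU=\r\n-----END CERTIFICATE-----\r\n")
```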