source
cucm/v15/security-guide/security-guide.md

Regenerate Keys for OAuth Refresh Logins

Use this procedure to regenerate both the encryption key and the signing key using the Command Line Interface. Complete this task only if the encryption key or signing key that Cisco Jabber uses for OAuth authentication with Unified Communications Manager has been compromised. The signing key is asymmetric and RSA-based whereas the encryption key is a symmetric key.

After you complete this task, the current access and refresh tokens that use these keys become invalid. We recommend that you complete this task during off-hours to minimize the impact to end users.

The encryption key can be regenerated only via the CLI below, but you can also use the Cisco Unified OS Administration GUI of the publisher to regenerate the signing key. Choose Security > Certificate Management, select the AUTHZ certificate, and click Regenerate.

Procedure

Step 1 From the Unified Communications Manager publisher node, log in to the Command Line Interface.
Step 2 If you want to regenerate the encryption key:
  a) Run the set key regen authz encryption command.
  b) Enter yes.
Step 3 If you want to regenerate the signing key:
  a) Run the set key regen authz signing command.
  b) Enter yes.

The Unified Communications Manager publisher node regenerates keys and replicates the new keys to all Unified Communications Manager cluster nodes, including any local IM and Presence Service nodes.

You must regenerate and sync your new keys on all of your UC clusters:
• IM and Presence central cluster—If you have an IM and Presence centralized deployment, your IM and Presence nodes are running on a separate cluster from your telephony. In this case, repeat this procedure on the Unified Communications Manager publisher node of the IM and Presence Service central cluster.
• Cisco Expressway or Cisco Unity Connection—Regenerate the keys on those clusters as well. See your Cisco Expressway and Cisco Unity Connection documentation for details.
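One way to confirm that the regenerated signing key reached every node of a cluster, as an added example that is not part of the Cisco guide: it compares the SHA-256 fingerprint of the AUTHZ certificate exported from each node against the publisher's and against the pre-rotation certificate. The node names and certificate bytes are constructed, and how each PEM is exported is left to the administrator; the symmetric encryption key has no certificate and is not covered by this check.

```python
import base64
import hashlib


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes inside a PEM certificate block."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    der = base64.b64decode("".join(body), validate=True)
    return hashlib.sha256(der).hexdigest()


def check_rotation(old_pem: str, publisher: str, current: dict) -> dict:
    """Classify each node's AUTHZ certificate after the regeneration.

    old_pem   - certificate of the compromised signing key (pre-rotation)
    publisher - name of the publisher node in `current`
    current   - {node name: PEM exported from that node after the rotation}
    """
    old_fp = fingerprint(old_pem)
    new_fp = fingerprint(current[publisher])
    if new_fp == old_fp:
        raise ValueError("publisher still presents the old signing key")
    status = {}
    for node, pem in current.items():
        fp = fingerprint(pem)
        if fp == new_fp:
            status[node] = "rotated"
        elif fp == old_fp:
            status[node] = "stale"      # replication has not reached this node
        else:
            status[node] = "mismatch"   # neither old nor new: investigate
    return status


def _pem(der: bytes) -> str:
    # Constructed stand-in: arbitrary bytes wrapped as PEM, not a real certificate.
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


OLD = _pem(b"constructed AUTHZ cert before regeneration")
NEW = _pem(b"constructed AUTHZ cert after regeneration")
# Constructed node names; imp-node1 simulates a node that missed replication.
SAMPLE = {"cucm-pub": NEW, "cucm-sub1": NEW, "imp-node1": OLD,
          "cucm-sub2": _pem(b"constructed unrelated cert")}

if __name__ == "__main__":
    for node, state in check_rotation(OLD, "cucm-pub", SAMPLE).items():
        print(f"{node:10} {state}")
```

A node reported as stale still presents the compromised key, so the rotation is not complete until every node reports rotated.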
Note You must restart the Cisco XCP Authentication Service in the following scenarios:
• When you regenerate the Authz certificate
• When you make a new entry to the centralized deployment in the IM and Presence administrator console

Add Certificate Authority-Signed CAPF Root Certificate to the Trust Store

Add the root certificate to the Unified Communications Manager trust store when using a Certificate Authority-Signed CAPF Certificate.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs, Basic System Security