• Unified Communications Manager uses the Delegated Trust Model (DTM) and checks the Root CA or Intermediate CA for the OCSP signing attribute. The Root CA or the Intermediate CA must sign the OCSP certificate to check the status.

• If the Delegated Trust Model fails, Unified Communications Manager falls back to the Trust Responder Model (TRP). Unified Communications Manager then uses a designated OCSP response signing certificate from an OCSP server to validate certificates. The OCSP Responder must be running to check the revocation status of the certificates.

Note
Configure OCSP so that the system revokes expired certificates automatically.

Enable the OCSP option in the Certificate Revocation window to provide a secure means of checking certificate revocation in real time. Choose whether to use the OCSP URI from the certificate or the configured OCSP URI. TLS clients such as syslog, FileBeat, SIP, ILS, and LBM receive the revocation response in real time from OCSP.

Note
Make sure that your system has the certificates required for OCSP checks. You can use Root or Intermediate CA certificates configured with the OCSP response attribute, or designated OCSP signing certificates uploaded to tomcat-trust.

Important
This section is applicable from Release 14SU3 onwards.

Certificate revocation is the process that distinguishes invalid and untrusted certificates from valid, trusted ones: a CA makes it known that one or more of its digital certificates is no longer trustworthy, which invalidates the certificate ahead of its expiration date. A certificate revocation list (CRL) is a list of digital certificates that the issuing certificate authority has revoked before their assigned expiration date. The CRL is integral to public key infrastructure (PKI) and web security. Every CA maintains its own CRL. This feature is mainly designed for CA-issued, CAPF-signed phone LSCs.
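As an added example (not Cisco's code), the signer check implied by the two OCSP bullets above: try the Delegated Trust Model first (the response signer is the issuing CA itself, or a certificate issued by that CA carrying the OCSP signing extended key usage), and only then fall back to a designated responder certificate held in a trust store, the role tomcat-trust plays here. Certificates are constructed in-process with Go's crypto/x509; the function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifyOCSPSigner applies the Delegated Trust Model first and falls back to the Trust Responder Model; it returns "DTM", "TRP", or an error when neither model accepts the signer.
func VerifyOCSPSigner(signer, issuer *x509.Certificate, trusted []*x509.Certificate) (string, error) {
	if signer.Equal(issuer) { // DTM: the issuing CA signs its own responses
		return "DTM", nil
	}
	if signer.CheckSignatureFrom(issuer) == nil { // DTM: CA-issued signer carrying the OCSP signing EKU
		for _, eku := range signer.ExtKeyUsage {
			if eku == x509.ExtKeyUsageOCSPSigning {
				return "DTM", nil
			}
		}
	}
	for _, t := range trusted { // TRP: a designated responder certificate uploaded to the trust store
		if signer.Equal(t) {
			return "TRP", nil
		}
	}
	return "", errors.New("OCSP signer is neither CA-delegated nor a designated trusted responder")
}

// makeCert issues a constructed test certificate (not a production CA); parent == nil makes it self-signed.
func makeCert(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: eku}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

A CA-issued certificate without the OCSP signing EKU, or a designated responder that was never uploaded to the trust store, is rejected by both models, which is the failure an operator sees when the required certificates are missing.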
Whenever the latest CRL file downloaded from the CA differs from the previously downloaded one, a CRLChanged alarm is generated and displayed in the RTMT, along with a message sent to the syslog server. For more details on the CRLChanged alarm, see the Cisco Unified Real-Time Monitoring Tool documentation. The administrator needs to address the alarm by renewing and replacing the valid certificate chain and restarting the affected services on the Call Manager to terminate the existing TLS connections that were using the revoked certificates. Subsequent connections are established with the valid new certificates.

Important
From Release 15SU3 onwards, you can configure the Enable CRL check box and the CRL Distribution Point URI field on the Unified CM subscriber nodes too.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 65 Basic System Security Certificate Revocation Configuration