
Page 102

source: cucm/v15/security-guide/security-guide.md
chunk_id: cucm::v15::security-guide::security-guide::93

Feature: Cluster Server Credentials
Interaction: All servers in the Unified Communications Manager cluster must use the same administrator username and password, so that CAPF can authenticate all servers in the cluster.

Feature: Migrating secure phone
Interaction: If a secure phone is moved to another cluster, Unified Communications Manager does not trust the LSC certificate sent by the phone, because it was issued by another CAPF whose certificate is not in the CTL file. Delete the existing CTL file to enable the secure phone to register. You can then use the Install/Upgrade option to install a new LSC certificate with a new CAPF and reset the phone for the new CTL file (or use the MIC). Use the Delete option in the CAPF section of the Phone Configuration window to delete the existing LSC before you move the phones.

Feature: Cisco Unified IP Phones 6900, 7900, 8900, and 9900 series
Interaction: We recommend upgrading Cisco Unified IP Phones 6900, 7900, 8900, and 9900 series to use LSCs for the TLS connection to Unified Communications Manager and removing the MIC root certificates from the Unified Communications Manager trust store to avoid possible future compatibility issues. Some phone models that use MICs for the TLS connection to Unified Communications Manager may not be able to register. Administrators should remove the following MIC root certificates from the Unified Communications Manager trust store:
• CAP-RTP-001
• CAP-RTP-002
• Cisco_Manufacturing_CA
• Cisco_Root_CA_2048

Feature: Power Failures
Interaction: The following information applies when a communication or power failure occurs.
• If a communication failure occurs while the certificate is being installed on the phone, the phone attempts to obtain the certificate three times at 30-second intervals. You cannot configure these values.
• If there is a power failure while the phone attempts a session with CAPF, the phone uses the authentication mode stored in flash. The system clears the flash value if the phone cannot load a new configuration file from the TFTP server.

Beginning with Unified Communications Manager Release 11.5(1) SU1, the SHA-256 algorithm signs all LSC certificates issued by the CAPF service. Therefore, IP Phone 7900/8900/9900 series models support SHA-256 signed LSC certificates and external SHA2 identity certificates (Tomcat, Unified Communications Manager, CAPF, TVS, and so on). Only SHA-1 is supported for any other cryptographic operation that requires validation of a signature.

Note: We recommend using a Unified Communications Manager release before 11.5(1) SU1 for phone models in End of Software Maintenance or End of Life,

Certificate Encryption Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 84 Basic System Security CAPF System Interactions
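As an added example (not code from the Cisco guide), a Go check a defender could run over the certificates phones present before removing the four MIC roots listed above: for each certificate it reports whether it is a CAPF-issued LSC, whether it was issued directly by one of those MIC roots, and whether its signature uses SHA-256 as CAPF does since 11.5(1) SU1. The "CAPF-" issuer-name prefix, the SEP/CAPF sample names and the locally generated certificates are assumptions constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// MIC root CNs that the guide says to remove from the trust store.
var micRoots = map[string]bool{"CAP-RTP-001": true, "CAP-RTP-002": true,
	"Cisco_Manufacturing_CA": true, "Cisco_Root_CA_2048": true}

// Finding summarises one phone certificate for review before the MIC roots go.
type Finding struct {
	Subject string
	IsLSC   bool // issuer CN starts with "CAPF-" (assumed CAPF issuer naming)
	MICRoot bool // issued directly by one of the MIC roots listed above
	SHA256  bool // SHA-256 signature, as CAPF issues since 11.5(1) SU1
}

// Audit classifies a parsed certificate. A phone still presenting a MIC (or any
// non-CAPF cert) is the one that may fail to register once the roots are removed.
func Audit(c *x509.Certificate) Finding {
	issuer := c.Issuer.CommonName
	return Finding{Subject: c.Subject.CommonName,
		IsLSC:   strings.HasPrefix(issuer, "CAPF-"),
		MICRoot: micRoots[issuer],
		SHA256:  c.SignatureAlgorithm == x509.SHA256WithRSA || c.SignatureAlgorithm == x509.ECDSAWithSHA256}
}

// SampleCert builds a constructed sample certificate, not a real phone or CAPF
// cert: a fresh P-256 key signs a template whose issuer name is set to issuerCN.
func SampleCert(subjectCN, issuerCN string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: subjectCN},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Run Audit over each phone's presented certificate and migrate any entry with MICRoot true or IsLSC false to an LSC before the roots are deleted.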