
Ask the Expert: Understanding and Managing Cisco Unified Communications Manager Certificates

ciscomoderator
Community Manager

With Akhil Behl

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Unified Communications Manager Certificates. 

Cisco Unified Communications Manager is the heart of any Cisco Collaboration network. It provides vital services such as call control, dial plan, and, most important, a central point of integration for various UC and third-party applications. Cisco Unified Communications Manager comes with a host of security features, almost all of which are based on certificates (Public Key Infrastructure, PKI). Although certificates empower everyone from an engineer to a network manager to an information security consultant to enable and deploy security features for a Cisco Collaboration network, many of the certificates and their functions remain to be understood and managed properly to achieve a truly secure voice network construct.

This is a continuation of the live webcast.

Akhil Behl is a solutions architect with Cisco Services, focusing on Cisco Collaboration and Security architectures. He leads collaboration and security projects and service delivery worldwide for Cisco Services and the Collaborative Professional Services (CPS) portfolio. He has played a major role in service conception and creation for various services within Cisco Advanced Services. He has experience spanning presales, sales, Professional Services, delivery, and post-sales, with expertise in consulting, advisory, and guidance services. He has extensive experience in borderless, collaboration, and data center portfolios. Prior to his current role, he spent 10 years working in various roles at Linksys as a technical support lead, as an escalation engineer at the Cisco Technical Assistance Center (TAC), and as a network consulting engineer in Cisco Advanced Services.

Akhil has a bachelor of technology degree in electronics and telecommunications from IP University and a master's degree in business administration from Symbiosis Institute. He is a dual Cisco Certified Internetwork Expert (CCIE 19564) in voice and security. He also holds many other industry certifications, such as PMP, ITIL, VCP, ISM, CCNA, CCSP, CCVP, ISO/IEC 27002, TOGAF, and CEH.

Over the course of his career, Akhil has presented and contributed at various industry forums such as Enterprise Connect, Cloud Connect, Cloud Summit, Interop, Cisco Networkers, and SecCon. He has several research papers published in various national and international journals, including IEEE. He is an avid blogger and maintains a blog about unified communications security at Aashish Jolly

Aashish Jolly

Aashish Jolly is a network consulting engineer who is currently serving as the Unified Communications (UC) consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center, where he helped customers and Cisco partners with installing, configuring, and troubleshooting UC products such as Cisco UC Manager and Manager Express, Cisco Unity solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco UC for more than seven years. He holds a bachelor of technology degree as well as CCIE (Voice) #18500, CCNP Voice, CCNA, VCP 5 and RHCE certifications.

Remember to use the rating system to let Akhil and Aashish know if you have received an adequate response. 

Akhil & Aashish might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in the Collaboration, Voice and Video sub-community, IP Telephony discussion forum shortly after the event. This event lasts through January 17, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

Webcast related links:


ciscomoderator
Community Manager

Hello Akhil and Aashish,

Here are some of the questions that came in directly during your live webcast presentation; can you provide answers for these?

-How do I differentiate when using Tomcat for LDAP or HTTPS?

-How can I differentiate between a root CA and identity certificate by looking at certificate?

-How many eTokens can I use to secure my CUCM cluster?

-Do I need to regenerate all certificates when I upgrade my cluster on same or different hardware?

Thanks!

Hello,

Please find the answers to these questions as follows:

Q. How do I differentiate when using Tomcat for LDAP or HTTPS?

A. Tomcat certificates can be used for HTTPS as well as for LDAP security. The major difference is that, when signed for HTTPS only, the Tomcat certificate is signed by the CA using the web server certificate template, whereas for LDAP it has to be signed by the CA using the server template. In the case of Tomcat, the request is redirected from HTTP to HTTPS, i.e. TCP 80 > 8443, and for LDAP it works by redirecting from LDAP on 389 to LDAPS on 636 (standalone AD) or 3269 (DC).

Q. How can I differentiate between a root CA and identity certificate by looking at certificate?

A. It is the CN of a certificate that helps distinguish between a CA root and an identity certificate. A CA root certificate will have the same CN for the issuer and the subject name, whereas an identity certificate will have different CNs for the issuer (CA) and the subject name.

Q. How many eTokens can I use to secure my CUCM cluster?

A. Although there's no fixed maximum number of eTokens that can be used for securing a cluster, a minimum of two eTokens is required, and any number of eTokens can be used (ideally between 4 and 10) for redundancy.

Q. Do I need to regenerate all certificates when I upgrade my cluster on same or different hardware?

A. No, you need not regenerate all certificates when upgrading a cluster from one version to another on the same or different hardware, as the DRS backup contains all certificates and keys. However, due to a hostname change, a change to any certificate-impacting field (any of the certificate parameters), or a bug, it may be required to regenerate the certificate that is self-signed and self-generated on CUCM or get a new signed certificate from the CA.

Regards,

Akhil Behl
Solutions Architect

Cisco Systems


Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

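As an added example (not from the thread, Cisco, or CUCM itself), the following POSIX shell script uses openssl (assumed installed, 1.1.1 or newer) to build a constructed three-certificate mini PKI and then classifies each file the way the answer above describes, comparing subject and issuer; it also checks the Basic Constraints extension, because a self-signed identity certificate (such as the Tomcat certificate CUCM generates before a CA signs it) has subject equal to issuer but is not a root CA. The hostnames and CA name are placeholders, and the CA-signed Tomcat certificate is given the serverAuth extended key usage that a web server template would confer.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a constructed mini PKI with
# openssl and classifies each PEM certificate as root-ca, identity, or
# self-signed-identity. Subject == issuer alone is not enough: CUCM's default
# self-signed Tomcat certificate also matches, so Basic Constraints is checked.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Issue a certificate from a fresh key: self-signed when no CA is given,
# otherwise signed by the named CA.  $1 name, $2 subject, $3 extension
# lines (\n separated), $4 optional CA name.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf '%b\n' "$3" > "$WORK/$1.ext"
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
  fi
}

# Print root-ca, self-signed-identity, or identity for a PEM certificate.
classify_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject); subj=${subj#subject=}
  iss=$(openssl x509 -in "$1" -noout -issuer);   iss=${iss#issuer=}
  if [ "$subj" != "$iss" ]; then
    echo identity                      # issuer (CA) differs from subject
  elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo root-ca                       # self-issued and marked as a CA
  else
    echo self-signed-identity          # self-issued but not a CA
  fi
}

# Constructed sample PKI (placeholder names, not a real deployment).
issue root "/CN=Example Root CA" 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
issue tomcat-ca "/CN=cucm-pub.example.com" 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth' root
issue tomcat-self "/CN=cucm-pub.example.com" 'basicConstraints=CA:FALSE'

for c in root tomcat-ca tomcat-self; do
  printf '%-12s %s\n' "$c" "$(classify_cert "$WORK/$c.pem")"
done
```

The same classify_cert function can be pointed at any PEM exported from the CUCM OS Administration certificate pages to confirm what you are about to upload into tomcat versus tomcat-trust.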

Gordon Ross
Engager

By default, CallManagers automatically exchange their Tomcat certificates.

When using an external CA for signing Tomcat certificates, is there any need to keep these automatically exchanged certificates? After all, they've all been signed by the same CA whose public key you've already imported into the Tomcat-trust store.

Please rate all helpful posts.

Hello Gordon,

I would appreciate it if you could elaborate on your question, as it will help us to answer it better.

From what I could understand, your question is if CUCM exchanges Tomcat certificates within a cluster and if redundant (self-signed) certificates can be deleted in case a user wishes to use externally signed certificates.

If that was your query, the answer is twofold. CUCM servers do not replicate Tomcat certificates within a cluster, as each server is installed with its unique hostname/FQDN that is used to generate the self-signed certificate, and it would be meaningless to have a certificate with a different CN replicated to a node that is not going to use that hostname/FQDN.

For the latter part, the answer is yes: you can delete any (currently) unused certificates and leverage only the intended CA-signed certificate for Tomcat. In fact, CUCM overwrites the Tomcat identity certificate with the CA-signed identity certificate, although you can end up with as many Tomcat-trust certificates as CA (root) certificates you upload.

Regards,


Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
