Solved: What's the impact on CUCM servers when adding new Ciphers

Yarin Ezra · ‎08-06-2023

Hello Cisco Community,

I have a customer that integrated a new version of SFTP Server which uses an SSH Cipher that the CUCM by default do not support.

I found that i can manually add new ciphers to CUCM via OS Administration > Security > Cipher Management and add the new cipher in the designated location.

What would be the impact on adding probably a single cipher key to either locations say "SSH Cipher" or "SSH Key Exchange"?

Nithin Eluvathingal · ‎08-06-2023

Hope this Helps.

SSH Ciphers—The ciphers that are assigned in this field are applicable to SSH connections on Unified Communications Manager and IM and Presence Service.
SSH Key Exchange—The Key Exchange algorithms that are assigned in this field are applicable to the SSH interface on Unified Communications Manager and IM and Presence Service.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1SU3/cucm_b_security_guide_1251SU3/cucm_m_cipher-management_reorg.html

View solution in original post

b.winter · ‎08-06-2023

1) yes
2) depends which you ciphers you want to have enabled.
If you want the default + new ones, then you would paste all of those in the field and save it.

View solution in original post

Nithin Eluvathingal · ‎08-06-2023

Hope this Helps.

SSH Ciphers—The ciphers that are assigned in this field are applicable to SSH connections on Unified Communications Manager and IM and Presence Service.
SSH Key Exchange—The Key Exchange algorithms that are assigned in this field are applicable to the SSH interface on Unified Communications Manager and IM and Presence Service.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1SU3/cucm_b_security_guide_1251SU3/cucm_m_cipher-management_reorg.html

Yarin Ezra · ‎08-06-2023

I've read the Security guide before but it does say "When you configure ciphers on the Cipher Management page, the following ciphers are essentially disabled."

So i wanted to check if someone knew what would be the impact on the cluster if i were to add a SSH Cipher to the list, it would be the only one on the list because by default they are all empty

b.winter · ‎08-06-2023

It's mentioned in the guide:

Yarin Ezra · ‎08-06-2023

If i changed the default SSH Cipher it would only impact the SSH Cipher settings an no other right ?

and if i i change the SSH Cipher do i just include the default Ciphers base on the Guide + the new one that i need for the SFTP Server?

b.winter · ‎08-06-2023

1) yes
2) depends which you ciphers you want to have enabled.
If you want the default + new ones, then you would paste all of those in the field and save it.

Nithin Eluvathingal · ‎08-07-2023

@Yarin Ezra wrote:

If i changed the default SSH Cipher it would only impact the SSH Cipher settings an no other right ?

and if i i change the SSH Cipher do i just include the default Ciphers base on the Guide + the new one that i need for the SFTP Server?

Thats True.

Add additional Ciphers to the list.

Yarin Ezra · ‎08-07-2023

how could i know what are the default ciphers for cucm version 11.5, are they the same values as the 12.5 like the guide above?

b.winter · ‎08-07-2023

Check the information of the corresponding enterprise parameters:

Yarin Ezra · ‎08-07-2023

Awesome thank you, i noticed there were no parameter for SSH Cipher or Key Exchange, is there a way to find those as well? cant find anything about it anywhere