
Call Manager FIPS Mode Enablement

C_Noble
Level 1

I am preparing to enable FIPS mode on my Call Manager (1Pub 4Subs) which is running Version 14 SU4.
For reference, the cluster is in mixed-mode.

I want to see if anyone has experience doing this.  Normally I enable FIPS mode when I first build the cluster, not after the cluster is in operation.

The FIPS guide states the following:

  • In single server clusters, because certificates are regenerated, you need to run the CTL Client or apply the Prepare Cluster for Rollback to pre-8.0 enterprise parameter before you enable FIPS mode. If you do not perform either of these steps, you must manually delete the ITL file after you enable FIPS mode.

  • If you have a single server cluster and applied the Prepare Cluster for Rollback to pre 8.0 enterprise parameter before you enabled FIPS 140-2 mode, you must disable this enterprise parameter after making sure that all the phones registered successfully to the server.

The above language states "single server clusters" need to enable Pre 8.0, which implies that I will not need to enable it.

I am terrified of enabling FIPS without Pre 8.0 and then having to manually remove all the ITL files from the phones.

Here are my questions:

1. Has anyone done this before and can confirm that pre 8.0 is not necessary in multi-server clusters?  I don't have a lab to test this.

2. If phones kept the old ITL file, could I upload the ITL Recovery certificate as a Phone-SAST-Trust instead of removing the ITL files from the phones? 

Thanks for the help! Please only solve if you are sure of this. I don't want to get fired.

 
