© 2015 Cisco System Inc. All rights reserved. Cisco Confidential. Next Generation Security Support in Unity Connection 11.0


Slide 1: Next Generation Security Support in Unity Connection 11.0 EDCS

Slide 2: Acronyms
- CUCA - Cisco Unity Connection Administration
- REST - Representational State Transfer
- CSR - Certificate Signing Request
- CA - Certificate Authority
- CUC - Cisco Unity Connection
- CUCM - Cisco Unified Communication Manager
- NGE - Next Generation Encryption

Slide 3: Overview
- Next Generation Security Ciphers
- Supporting Interfaces
- Tomcat/Jetty
- SIP Interface
- SRTP Interface
- REST APIs
- Troubleshooting
- References


Slide 5: Supporting interfaces, Pre 11.0 Release vs Release 11.0 and Onwards
TLS version
- Pre 11.0 Release: TLS 1.0
- Release 11.0 and Onwards: TLS 1.0, TLS 1.2
SIP (Certificates)
- Pre 11.0 Release: Only RSA key based self-signed certificates
- Release 11.0 and Onwards: RSA key and EC key based certificates (self-signed and Third Party)
SIP (Ciphers)
- Pre 11.0 Release: AES-128 SHA1 cipher only
- Release 11.0 and Onwards: AES-256 SHA384 ciphers only RSA preferred; AES-128 SHA256 ciphers only RSA preferred; AES-256, AES-128 ciphers ECDSA preferred; AES-256, AES-128 ciphers ECDSA only; AES-256, AES-128 ciphers RSA preferred; AES-128 SHA1 cipher only
SRTP (Ciphers)
- Pre 11.0 Release: AES-128 SHA1 cipher only
- Release 11.0 and Onwards: All supported AES-256, AES-128 ciphers; AEAD AES256 GCM-based ciphers only; AEAD AES128 GCM-based ciphers only; AES-128 SHA1 cipher only

Slide 6: Tomcat / Jetty ciphers, Pre 11.0 Release vs Release 11.0 and Onwards
Pre 11.0 Release: RSA and SHA based ciphers are supported.
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Release 11.0 and Onwards: SHA2 algorithms for next generation security ciphers are supported.
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA


Slide 8: Brief Description, Configuration, Use Case

Slide 9: Certificates for the Tomcat / Jetty interface
- tomcat: Web applications and the Jetty interface use tomcat RSA key based certificates. These can be self-signed or Third Party.
- tomcat-trust: Trust store used to validate RSA key based certificates for Web applications and the Jetty interface.
Note: The above configuration is also applicable to the SIP interface.

Slide 10: Configuration
1. Generate a CSR for CUC and get the certificate signed by the CA.
2. Upload the root certificate into "tomcat-trust" of CUC.
3. Upload the leaf certificate into the "tomcat" store of CUC.
4. Restart "Connection Conversation Manager" on CUC.
5. Restart "Cisco Tomcat" on CUC.


Slide 14: Use Case
1. Log in to a web application (CUCA/Inbox/CPCA).
2. Take sniffer captures; CUC should negotiate one of the ciphers sent by the browser.
3. Ensure that the cipher selected by the server (CUC) is the first matching cipher in the list (this depends on the cipher list sent by the browser).

Slide 15: Brief Description, Configuration, Use Case

Slide 16: TLS Ciphers
AES-256 SHA384 ciphers only RSA preferred: this option includes the ciphers in the following order:
- AES-256 SHA384 RSA
- AES-256 SHA384 ECDSA
AES-128 SHA256 ciphers only RSA preferred: this option includes the ciphers in the following order:
- AES-128 SHA256 RSA
- AES-128 SHA256 ECDSA
AES-256, AES-128 ciphers ECDSA preferred: this option includes the ciphers in the following order:
- AES-256 SHA384 ECDSA
- AES-128 SHA256 ECDSA
- AES-256 SHA384 RSA
- AES-128 SHA256 RSA
- AES-128 SHA1 RSA

Slide 17: TLS Ciphers (continued)
AES-256, AES-128 ciphers ECDSA only: this option includes the ciphers in the following order:
- AES-256 SHA384 ECDSA
- AES-128 SHA256 ECDSA
AES-256, AES-128 ciphers RSA preferred (Default): this option includes the ciphers in the following order:
- AES-256 SHA384 RSA
- AES-128 SHA256 RSA
- AES-256 SHA384 ECDSA
- AES-128 SHA256 ECDSA
- AES-128 SHA1 RSA
This option provides the highest level of security together with backward compatibility with connection peers that don't support the newer ciphers.
AES-128 SHA1 cipher only: this option includes the ciphers in the following order:
- AES-128 SHA1 RSA

Slide 18: CUC uses RSA key based tomcat certificates and EC key based CallManager-ECDSA certificates for the SIP interface. When CUC acts as a server, it sends certificates based on the negotiated cipher, i.e. the cipher received from CUCM and selected on CUC. When CUC acts as a client, it sends EC key based certificates if "AES-256, AES-128 ciphers ECDSA only" is selected on CUC; with all other options it sends RSA key based certificates.
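As an added illustration (not from the slides or from the product), a Python model of the ordered cipher lists on slides 16 and 17, the "first matching cipher" check on slide 14, and the certificate rule on slide 18. The suite name for the ECDSA AES-128 entry and the server-preference ordering are assumptions; the other suite names appear on slides 6 and 28.

```python
# Ordered suite lists for the six SIP TLS cipher options (slides 16 and 17).
# Suite names taken from the slides: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# and TLS_RSA_WITH_AES_128_CBC_SHA; the ECDSA AES-128 suite name is an assumption.
ECDSA_ONLY = "AES-256, AES-128 ciphers ECDSA only"
TLS_OPTIONS = {
    "AES-256 SHA384 ciphers only RSA preferred": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
    "AES-128 SHA256 ciphers only RSA preferred": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"],
    "AES-256, AES-128 ciphers ECDSA preferred": [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA"],
    ECDSA_ONLY: [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"],
    "AES-256, AES-128 ciphers RSA preferred": [  # default option
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "AES-128 SHA1 cipher only": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
}


def negotiate_tls(cuc_option, peer_offer):
    """Assumed server-preference pick: the first suite in CUC's ordered list that
    the peer also offered. None means no common suite, i.e. the handshake fails."""
    for suite in TLS_OPTIONS[cuc_option]:
        if suite in peer_offer:
            return suite
    return None


def certificate_key_type(cuc_option, role, negotiated=None):
    """Key type of the certificate CUC presents (slide 18): as server it follows
    the negotiated suite; as client it sends EC only under the ECDSA-only option."""
    if role == "server":
        return "EC" if negotiated and "_ECDSA_" in negotiated else "RSA"
    return "EC" if cuc_option == ECDSA_ONLY else "RSA"
```

A peer that offers only RSA suites against the ECDSA-only option gets no common suite, which is the mismatch a sniffer trace would show as a failed handshake.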

Slide 19: Note: For the changes to take effect, a restart of the Connection Conversation Manager service is required.

Slide 20: Certificates for the SIP interface
- CallManager-ECDSA: The SIP interface uses EC key based CallManager-ECDSA certificates. These can be self-signed or Third Party.
- CallManager-trust: Trust store for SIP to validate EC key based CallManager-ECDSA certificates.

Slide 21: Configuration
1. Generate a CSR for CUC and get the certificate signed by the CA.
2. Generate a CSR for CUCM and get the certificate signed by the CA.
3. Upload the root certificate into "CallManager-trust" of CUC and into "CallManager-trust" of CUCM.
4. Upload the leaf certificate into "CallManager-ECDSA" of CUC and into "CallManager-ECDSA" of CUCM.
5. Restart the CCM service on CUCM and restart Conversation Manager on CUC.


Slide 28: Use Case
1. Create a secure SIP integration setup.
2. Configure the TLS cipher to "AES-256, AES-128 ciphers ECDSA only" on CUC.
3. Configure the TLS cipher to "AES-256, AES-128 ciphers ECDSA only" on CUCM.
4. Place a call and take sniffer captures. CUC should negotiate on: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Slide 29: Brief Description, Configuration, Use Case

Slide 30: SRTP Ciphers
- All supported AES-256, AES-128 ciphers: When this option is selected, the AES-256-based ciphers are preferred over the AES-128-based variants, in order of cipher suite strength. This option provides the highest level of security together with backward compatibility with connection peers that don't support the newer ciphers.
- AEAD AES256 GCM-based ciphers only: When this option is selected, only the AEAD AES256 GCM based ciphers are recognized and negotiated during media establishment.
- AEAD AES128 GCM-based ciphers only: When this option is selected, only the AEAD AES128 GCM based ciphers are recognized and negotiated during media establishment.
- AES-128 SHA1 cipher only: When this option is selected, only the AES-128-based SHA1 ciphers are recognized and negotiated during media establishment.
NOTE: If there is a cipher mismatch during media negotiation and the peer supports SRTP fallback, the call becomes a non-SRTP call.
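An added example, not from the slides or the product, that models the SRTP option ordering on slide 30 and the fallback note: it reads the crypto suites a peer offers in SDP and reports whether the call ends up as SRTP, falls back to plain RTP, or fails. The SDES suite names, the SDP parsing and the sample offer are assumptions constructed for the example.

```python
import re

# Ordered SRTP suite lists for the four options on slide 30. The SDES suite
# names are assumptions: AEAD_AES_256_GCM and AEAD_AES_128_GCM (RFC 7714)
# and AES_CM_128_HMAC_SHA1_80 (RFC 4568) for "AES-128 SHA1".
SRTP_OPTIONS = {
    "All supported AES-256, AES-128 ciphers": [
        "AEAD_AES_256_GCM", "AEAD_AES_128_GCM", "AES_CM_128_HMAC_SHA1_80"],
    "AEAD AES256 GCM-based ciphers only": ["AEAD_AES_256_GCM"],
    "AEAD AES128 GCM-based ciphers only": ["AEAD_AES_128_GCM"],
    "AES-128 SHA1 cipher only": ["AES_CM_128_HMAC_SHA1_80"],
}

# SDES crypto attribute: a=crypto:<tag> <suite> inline:<key material>
CRYPTO_LINE = re.compile(r"^a=crypto:(\d+) (\S+) inline:\S+", re.MULTILINE)


def offered_suites(sdp):
    """Crypto suites in an SDP offer, in the order the peer listed them."""
    return [m.group(2) for m in CRYPTO_LINE.finditer(sdp)]


def negotiate_srtp(cuc_option, peer_sdp, peer_supports_fallback=False):
    """Return ("SRTP", suite) for the first suite in CUC's ordered list that the
    peer offered; on mismatch ("RTP", None) if the peer supports SRTP fallback
    (the call becomes non-SRTP, slide 30 note), otherwise ("FAILED", None)."""
    offered = offered_suites(peer_sdp)
    for suite in SRTP_OPTIONS[cuc_option]:
        if suite in offered:
            return "SRTP", suite
    return ("RTP", None) if peer_supports_fallback else ("FAILED", None)


# Constructed SDP offer fragment (not a real capture); the key material is dummy.
SAMPLE_OFFER = """v=0
m=audio 20000 RTP/SAVP 0 8 101
a=crypto:1 AEAD_AES_256_GCM inline:AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJyg=
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
"""
```

Checking for the ("RTP", None) outcome in call logs is the way to catch a deployment where a cipher mismatch has silently downgraded media to unencrypted RTP.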

Slide 31: Note: For the changes to take effect, a restart of the Connection Conversation Manager service is required.

Slide 32: Use Case
1. Create a setup with SRTP enabled.
2. Configure the SRTP cipher to "All supported AES-256, AES-128 ciphers" on CUC.
3. Configure the SRTP cipher to "All supported AES-256, AES-128 ciphers" on CUCM.
4. Place a call and verify the logs and sniffer captures. CUC should negotiate on AEAD_AES_256_GCM.


Slide 34: vmrest/generalconfigurations
This API is used to fetch the existing configuration of the SIP TLS cipher on Unity Connection.
Request URI: /vmrest/generalconfiguration
Response: /vmrest/generalconfigurations/070b0cda-accb-4534-af43-2cf8fd9e
Note: For the TlsCiphers and SrtpCiphers values, please refer to the doc wiki in the References section.

Slide 35: vmrest/generalconfigurations/
This API is used to modify TLSCipher.
Request URI: /vmrest/generalconfigurations/
Response Code: 204 Ok

Slide 36: vmrest/generalconfigurations/
This API is used to modify SRTPCipher.
Request URI: /vmrest/generalconfigurations/
Response Code: 204 Ok
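An added helper, not part of the slides or of the product's own tooling, for the fetch-then-modify flow on slides 34 to 36: parse the ObjectId out of a GET response, then build the PUT that changes TlsCiphers or SrtpCiphers. The XML element names, the sample response and the placeholder values are assumptions; the valid cipher values come from the doc wiki referenced on slide 39.

```python
import base64
import ssl
import urllib.request
from xml.etree import ElementTree as ET

CONFIG_FIELDS = ("TlsCiphers", "SrtpCiphers")


def parse_general_configuration(xml_bytes):
    """Extract ObjectId, TlsCiphers and SrtpCiphers from a GET response body.
    Element names are an assumption derived from the field names on the slides."""
    root = ET.fromstring(xml_bytes)
    cfg = root if root.tag == "GeneralConfiguration" else root.find("GeneralConfiguration")
    if cfg is None:
        raise ValueError("no GeneralConfiguration element in response")
    return {name: cfg.findtext(name) for name in ("ObjectId",) + CONFIG_FIELDS}


def build_cipher_update(object_id, field, value):
    """Method, URI and XML body of the PUT that changes one cipher setting
    (slides 35 and 36); a successful call answers 204."""
    if field not in CONFIG_FIELDS:
        raise ValueError(f"field must be one of {CONFIG_FIELDS}")
    body = f"<GeneralConfiguration><{field}>{value}</{field}></GeneralConfiguration>"
    return "PUT", f"/vmrest/generalconfigurations/{object_id}", body


def call(host, user, password, method, uri, body=None, cafile=None):
    """Send one request over HTTPS with basic auth. Pass the CA that signed the
    tomcat certificate (slide 10) as cafile so the server identity is verified."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/xml",
               "Content-Type": "application/xml"}
    req = urllib.request.Request(f"https://{host}{uri}", method=method,
                                 data=body.encode() if body else None, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read()


# Constructed GET response (not a real capture); ObjectId and values are placeholders.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<GeneralConfigurations total="1">
  <GeneralConfiguration>
    <URI>/vmrest/generalconfigurations/00000000-0000-4000-8000-000000000000</URI>
    <ObjectId>00000000-0000-4000-8000-000000000000</ObjectId>
    <TlsCiphers>0</TlsCiphers>
    <SrtpCiphers>0</SrtpCiphers>
  </GeneralConfiguration>
</GeneralConfigurations>"""
```

In live use, chain the two: `cfg = parse_general_configuration(call(host, user, pw, "GET", "/vmrest/generalconfigurations")[1])`, then send the tuple from `build_cipher_update` and expect status 204, after which the Connection Conversation Manager restart from slides 19 and 31 still applies.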


Slide 38: Troubleshooting
Annotated logs wiki links:
- Tomcat/Jetty and SIP Interface: eneration+Security+support+in+Unity+Connection
- SRTP Interface: en+security+ciphers+in+SRTP

Slide 39: References
- Cisco Unity Connection Administration Guide
- SIP Integration guide: ntcucmsip.html
- OS Administration: osagx.html
- REST API Doc wiki: _General_Configuration#TLS_AND_SRTP_Ciphers

Slide 40: Thank you.