Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved.

Slide 1: SAN Certificate in Unity Connection
Presenter Name: Bhawna Goel

Slide 2: Agenda
- Cluster Wide Single SAN Certificate – High Level Benefits
- Cluster Wide Single SAN Certificate – Overview
- Administrator User Experience Then
- Administrator User Experience Now
- Cluster Wide Single SAN Certificate – Details
- SRSV High Availability change in Unity Connection 10.5 with SAN Certificate
- Troubleshooting
- Backup Slides
  - Cluster Wide Single SAN Certificate Configuration
  - Additional Information

Slide 3: Cluster Wide Single SAN Certificate – High Level Benefits
- Supports a single Subject Alternative Name (SAN) Tomcat certificate across all nodes in a cluster
- Reduced TCO for obtaining public CA signed certificates, as only one certificate is needed for the cluster
- Improved admin experience: certificate management (CSR generation, certificate upload) can be done from any node in the cluster
- Improved end user experience for applications (Jabber, web clients), with reduced or no certificate warnings when a public CA certificate is used

Slide 4: Cluster Wide Single SAN Certificate – Overview
- Single cluster-wide certificate for unit: Tomcat
- A multi-server CSR can be generated on any server, and the corresponding certificate uploaded from any other server in the cluster
- Editable parent domain field during CSR generation, for greater flexibility (both single-server and multi-server CSR)
- Editable Common Name, to conform to the requirements of certain Certificate Authorities (both single-server and multi-server CSR)
- Improved security:
  - Default hash algorithm changed from SHA1 to SHA256 during "Generate CSR"
  - Default key length changed from 1024 to 2048 bits during "Generate CSR"

Slide 5: Administrator User Experience Then
(Diagram: Admin, Publisher, Subscriber)
For both Publisher and Subscriber, the admin needs to do the following:
1. Login
2. Generate CSR
3. Download CSR
4. Send this CSR to the CA (over email, etc.)
5. Wait for the certificate
6. Upload the certificate and all chain certificates on that node

Slide 6: Administrator User Experience Now
(Diagram: Admin, Publisher, Subscriber)
The admin needs to do the following:
1. Login to the Publisher or Subscriber node
2. Generate CSR – automatically distributed to the other node in the cluster
3. Download the CSR from any of the nodes
4. Send this CSR to the CA (over email, etc.)
5. Wait for the certificate
6. Upload the certificate and all chain certificates on Publisher or Subscriber – distributed to the other node in the cluster

Slide 7: Comparison of Single Server vs Multi Server SAN Certificate

Single Server Certificate:
- Contains a single FQDN or domain, in the CN field and/or the SAN extension
- The system uses a single certificate for both Publisher and Subscriber in a cluster
- Generating single-server certificates becomes an overhead for the administrator in a cluster, because the steps (generate the Certificate Signing Request (CSR), send the CSR to the CA for signing, upload the signed certificate, etc.) must be performed on both the Publisher and the Subscriber server of the cluster

Multi Server Certificate:
- Contains multiple FQDNs or domains in the SAN extension
- A single certificate identifies both Publisher and Subscriber in the cluster
- Less overhead for the administrator in managing multi-server certificates, since the admin performs the steps only once on a given server and the system distributes the associated private key and signed certificates to the other server in the cluster

Slide 8: Certificate Names and Servers

Certificate: Tomcat
Server: Unity Connection
Certificate Usage: the following applications use this certificate to verify the Unity Connection servers:
1. SRSV
2. HTTP(s)
3. Unified Messaging
4. IMAP

Note: Wildcards are not supported for SAN certificates in Unity Connection 10.5.

Slide 9: Example for Tomcat Multi-server SAN
Nodes in the cluster: cuc-node-pub.cisco.com, cuc-node-sub.cisco.com
Subject Alternative Names: DNS: cuc-node-pub.cisco.com, DNS: cuc-node-sub.cisco.com

Slide 10: Single-Server CSR Changes – Additional flexibility and Security
Select Security > Certificate Management on the OS Administration page.
(Screenshot callouts: Default Algorithm SHA256; Default Key length 2048; Editable fields)

Slide 11: SRSV High Availability change in Unity Connection 10.5 with SAN Certificate
What happens if an administrator had configured a common DNS A record for both Publisher and Subscriber as the Central Connection Server on Connection SRSV, and then upgraded to Connection SRSV 10.5?
- The connectivity test between the Central Connection Server and the Connection SRSV branch will fail.

Reason:
- Due to enhanced security, Connection SRSV now validates the Central Connection Server certificate. The value of the DNS A record configured on Connection SRSV for the Central Connection Server (Publisher and Subscriber) is not present in the certificate, which results in the test failure.

Slide 12: Solution
- Regenerate the multi-SAN Tomcat certificate on the Central Connection Server with the value of the DNS A record configured on Connection SRSV for the Central Connection Server (Publisher and Subscriber) included in the SAN field of the certificate.
- Also upload the root certificate into tomcat-trust on Connection SRSV.

Slide 13: Troubleshooting
I. Identify topology details:
   a. Hostnames of both nodes in the Connection cluster
   b. The node from which the CSR was generated and pushed
   c. The node from which the certificate was uploaded
II. Ensure that "Cisco Tomcat" and "Platform Administrative Web Service" are running; use the CLI:
   utils service list
III. For Unity Connection Administration:
   1. Refer to the Tomcat traces, by enabling the Micro Trace level of cuca shown below (General Tools)
   2. Refer to the CUCESync traces for provisioning on Unity Connection SRSV

Slide 14: CLI command examples
CLI to list the log files:
   file list activelog cuc/diag_Tomcat*
   file list activelog cuc/diag_CUCE_Sync*
CLI to collect a specific log file:
   file get activelog cuc/diag_Tomcat_00000001.uc
   file get activelog cuc/diag_CUCE_Sync00000001.uc

Slide 15: For Unity Connection Administration
Snippet of log diag_Tomcat_00000 (screenshot)

Slide 16: Snippet of log diag_CUCESync_00000 (screenshot)

Slide 17: Tomcat logs can also be collected using RTMT (screenshot)

Slide 18: CUCESync logs can also be collected using RTMT (screenshot)

Slide 19: If the connectivity test fails between Central Server and Branch
- Ensure that the same type of certificates (self-signed or third-party signed) is present on both Central Server and Branch.
- In the case of third-party certificates, ensure that the root certificates of the trusted authority are exchanged between Central Server and Branch.
- The hostname/FQDN present in the SAN or CN field of the certificates should be the same as the hostname/FQDN used in the configuration of Central Server and Branch.
- If any failure occurs while adding HTTP(s) links, the same checklist mentioned above needs to be performed for all the nodes of the HTTP(s) links.
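The check behind slides 11, 12 and 19 (the configured FQDN must appear as an exact name in the Central Server's Tomcat certificate) as an added Python example, not code from the Cisco deck or from Unity Connection: the cluster node names are those of slide 9, "cuc-central.cisco.com" is a constructed common DNS A record, and the CN follows the slide 29 default CN=FQDN-ms.

```python
# Added example, not code from the Cisco deck: models the hostname check that
# decides the Central Server <-> SRSV branch connectivity test (slides 11, 12, 19).
# All names below are constructed; "cuc-central.cisco.com" is a hypothetical
# common DNS A record, not a name from the presentation.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class TomcatCert:
    """The two identity fields a peer checks: CN and the SAN DNS entries."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _norm(name: str) -> str:
    """Hostnames are case-insensitive; strip a trailing dot from FQDNs."""
    return name.strip().rstrip(".").lower()


def names_in_cert(cert: TomcatCert) -> Set[str]:
    """CN plus SAN DNS names. Wildcard entries are dropped, because Unity
    Connection 10.5 does not support wildcards in SAN certificates (slide 8)."""
    names = {_norm(cert.common_name)}
    names.update(_norm(n) for n in cert.san_dns)
    return {n for n in names if not n.startswith("*.")}


def connectivity_check(cert: TomcatCert, configured: List[str]) -> Dict[str, bool]:
    """For each hostname/FQDN the branch was configured with, report whether the
    certificate presented by the Central Server carries that exact name.
    Any False is the post-upgrade failure described on slide 11."""
    present = names_in_cert(cert)
    return {h: _norm(h) in present for h in configured}


# Cluster nodes as on slide 9; the branch points at one common A record instead.
CLUSTER_NODES = ["cuc-node-pub.cisco.com", "cuc-node-sub.cisco.com"]
SRSV_CONFIGURED = ["cuc-central.cisco.com"]  # constructed common DNS A record

# Default multi-server CN is FQDN-ms (slide 29); SAN holds only the node names.
BEFORE = TomcatCert("cuc-node-pub.cisco.com-ms", CLUSTER_NODES)
# Slide 12 remedy: regenerate the multi-server CSR with the A record in the SAN.
AFTER = TomcatCert("cuc-node-pub.cisco.com-ms", CLUSTER_NODES + SRSV_CONFIGURED)

if __name__ == "__main__":
    print(connectivity_check(BEFORE, SRSV_CONFIGURED))  # {'cuc-central.cisco.com': False}
    print(connectivity_check(AFTER, SRSV_CONFIGURED))   # {'cuc-central.cisco.com': True}
```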

Slide 20: Error Message – in case the Tomcat service is down on the remote node (screenshot)

Slide 21: Warning Messages
Message 1 – in case the admin generates a self-signed certificate when a multi-server certificate is in place (screenshot)

Slide 22: Warning Messages
Message 2 – in case the admin generates a single-server CSR, but a multi-server certificate is in place (screenshot)

Slide 23: Warning Messages
Message 3 – in case the admin attempts to delete a certificate from the trust store (screenshot)


Slide 25: Steps for generating a Multi-Server CA signed Certificate
Step 1: Log in to the Cisco Unified Communications Operating System Administration window on any Unity Connection server using your administrator password
Step 2: Generate a CSR on the server
Step 3: Download the CSR to your PC
Step 4: Obtain the root CA certificate or certificate chain to upload on the cluster
Step 5: Upload the root CA certificate and the CA signed certificate to the server. Restart the Cisco Tomcat service and also restart the processes that use the Tomcat certificate.

Slide 26: Steps for generating a Multi Server CSR
Step 1: Select Security > Certificate Management on the OS Administration page
(Screenshot callout: "Generate CSR" button)

Slide 27: Steps for generating a Multi Server CSR
Step 2a: Click Generate CSR
(Screenshot: default Single-Server CSR page)

Slide 28: Steps for generating a Multi Server CSR
Step 2b: From the Certificate Purpose drop-down list box, select the required certificate purpose
(Screenshot callout: Multi-server option in drop-down)

Slide 29: Steps for generating a Multi Server CSR
Step 2c: From the Distribution drop-down list box, select Multi-server (SAN)
(Screenshot callouts: Default CN=FQDN-ms (editable); auto-populated list of nodes in the cluster; ability to add custom DNS values to the CSR via a .txt file (max 200); ability to add custom DNS values to the CSR manually)

Slide 30: Steps for generating a Multi Server CSR
Step 2d: Click Generate CSR. If the cluster-wide OS admin credentials are common, a success message lists the nodes to which the CSR was transferred.

Slide 31: Steps for Downloading a Multi Server CSR (2 options)
Step 3a – Option 1: Click the "Download CSR" button on the Certificate Management page
(Screenshot callouts: Download button; select unit and download)

Slide 32: Steps for Downloading a Multi Server CSR (2 options)
Step 3a – Option 2: Click the "Find" button on the Certificate Management page to list certificates
(Screenshot callouts: Find button; click Common Name)

Slide 33: Steps for Downloading a Multi Server CSR (2 options)
Step 3a – Option 2 (contd): A pop-up appears with Download and Delete options
(Screenshot callout: click the Download CSR button)

Slide 34: Steps for Upload of a Multi Server CA signed certificate
Step 5a: Click Upload Certificate/Certificate Chain
(Screenshot callout: Upload Certificate option)

Slide 35: Steps for Upload of a Multi Server CA signed certificate
Step 5b: Select the certificate name from the Certificate Name list
(Screenshot callout: select the tomcat unit)

Slide 36: Thank You!