Slide 1
TOI: FIPS 140-2 compliance
Unity Connection 8.6
Mike Canfield - Test engineer
Yolanda Liu - Dev engineer
Slide 2
What is FIPS 140-2
Federal Information Processing Standards Publication 140-2
Security Requirements for Cryptographic Modules
Unity Connection uses FIPS-compliant crypto libraries
Literally restricts which ciphers and algorithms can be used
Detects if libraries have been tampered with and halts the system
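To make the two behaviours listed above concrete (an approved-algorithm restriction, and a power-up integrity test that halts the system when the library has been tampered with), here is an added illustration in Python. It is not Unity Connection's or Cisco's code. FIPS 140-2 requires an approved integrity technique such as an HMAC or a digital signature over the module image at power-up; the image bytes, the HMAC key and the approved-digest list below are constructed for the illustration, and `boot`, `new_digest` and `power_up_integrity_test` are names chosen here.

```python
"""Illustration of two FIPS 140-2 behaviours named on the slide: an
approved-algorithm allow-list and a power-up software integrity test.
Added example for this TOI; it is NOT Unity Connection's or Cisco's
code. The module image, integrity key and digest list are constructed."""
import hashlib
import hmac

# Constructed stand-in for a crypto library image. In a real module the
# integrity test covers the installed shared object or binary.
LIBRARY_IMAGE = b"constructed-crypto-library-image-v1"
# Constructed key. A real module embeds its integrity key (or a signature
# verification key); the recompute-and-compare step is the point here.
INTEGRITY_KEY = b"constructed-integrity-key"
# Known-good tag computed at build time over the pristine image.
EXPECTED_TAG = hmac.new(INTEGRITY_KEY, LIBRARY_IMAGE, hashlib.sha256).hexdigest()

# Illustrative allow-list of digests usable once FIPS mode is on.
# Non-approved algorithms such as MD5 are refused outright.
FIPS_APPROVED_DIGESTS = frozenset({"sha224", "sha256", "sha384", "sha512"})


class IntegrityError(Exception):
    """Raised when the power-up integrity test fails (the slide's 'halts system')."""


def power_up_integrity_test(image: bytes, expected_tag: str) -> bool:
    """Recompute the HMAC over the module image and compare in constant time.
    Returns True when the image is pristine; raises IntegrityError otherwise."""
    actual = hmac.new(INTEGRITY_KEY, image, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(actual, expected_tag):
        raise IntegrityError("crypto library integrity check failed; halting")
    return True


def new_digest(name: str, fips_mode: bool):
    """Return a hashlib object, refusing non-approved algorithms in FIPS mode."""
    if fips_mode and name.lower() not in FIPS_APPROVED_DIGESTS:
        raise ValueError(f"{name} is not a FIPS-approved algorithm")
    return hashlib.new(name)


def boot(image: bytes, fips_mode: bool = True) -> str:
    """Model the boot sequence: in FIPS mode the integrity test gates startup."""
    if fips_mode:
        try:
            power_up_integrity_test(image, EXPECTED_TAG)
        except IntegrityError:
            return "halted"
    return "running"


if __name__ == "__main__":
    print(boot(LIBRARY_IMAGE))              # pristine image boots
    print(boot(LIBRARY_IMAGE + b"\x00"))    # tampered image halts
    print(new_digest("sha256", True).name)
    try:
        new_digest("md5", True)
    except ValueError as exc:
        print(exc)
```

The same tampered image boots when `fips_mode` is False, which is exactly why the slide stresses that FIPS mode is what turns the integrity check into a hard stop.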
Slide 3
Enabling/Disabling FIPS mode
Enable FIPS in CLI with the following command:
admin:utils fips enable
Disable FIPS in CLI with the following command:
admin:utils fips disable
Command only applies to the current server. To enable FIPS on all the servers in the cluster, run the CLI command on each server. IMPORTANT: enable/disable FIPS on the next server only when the current server has come back up in FIPS mode.
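The rollout rule above (touch the next server only after the current one is back in FIPS mode) is easy to get wrong by hand across a cluster. The following is an added Python sketch of that sequencing, not Cisco's tooling: it sends `utils fips enable` to one host, polls `utils fips status` until the host reports FIPS mode, and only then moves on, stopping if a host never comes back (the halt-after-failed-self-test case from the troubleshooting slide). The CLI transport is injected; the `SimulatedServer` class and the status text it returns are constructed, so the `in_fips_mode` parser must be adapted to the real command output.

```python
"""Sequenced FIPS enablement across a cluster, following the slide's rule:
run the command on each server, and move to the next one only after the
current server has come back up in FIPS mode. Added example for this TOI,
not Cisco's tooling. The CLI transport is injected; the simulated cluster
and the status text it returns are constructed, so check the real output
of 'utils fips status' against the product documentation before relying
on the parser below."""
from typing import Callable, Dict, List

# Commands taken from the slide; 'admin:' is the CLI prompt, not part of them.
ENABLE_CMD = "utils fips enable"
STATUS_CMD = "utils fips status"

RunCli = Callable[[str, str], str]   # (host, command) -> command output


class SimulatedServer:
    """Constructed model of one node: enabling FIPS triggers a reboot that
    lasts `reboot_polls` status calls; self_test_ok=False models a node
    whose integrity/self-tests fail and which therefore halts."""

    def __init__(self, reboot_polls: int = 2, self_test_ok: bool = True):
        self.reboot_polls = reboot_polls
        self.self_test_ok = self_test_ok
        self.fips_requested = False

    def run(self, command: str) -> str:
        if command == ENABLE_CMD:
            self.fips_requested = True
            return "FIPS mode enabled; the system will reboot"   # constructed text
        if command == STATUS_CMD:
            if not self.fips_requested:
                return "FIPS mode: disabled"                      # constructed text
            if self.reboot_polls > 0:
                self.reboot_polls -= 1
                raise ConnectionError("host unreachable (rebooting)")
            if not self.self_test_ok:
                raise ConnectionError("host unreachable (halted after self-test failure)")
            return "FIPS mode: enabled\nself-tests: passed\nintegrity check: passed"
        raise ValueError(f"unknown command {command!r}")


def make_runner(cluster: Dict[str, SimulatedServer]) -> RunCli:
    """Build a transport over the simulated cluster; swap in SSH for real use."""
    return lambda host, command: cluster[host].run(command)


def in_fips_mode(status_output: str) -> bool:
    """Parse the (constructed) status text: FIPS enabled AND both the
    startup self-tests and the integrity check reported as passed."""
    lines = [l.strip().lower() for l in status_output.splitlines() if l.strip()]
    return ("fips mode: enabled" in lines
            and "self-tests: passed" in lines
            and "integrity check: passed" in lines)


def wait_for_fips(run: RunCli, host: str, max_polls: int) -> bool:
    """Poll status until the host reports FIPS mode or the poll budget is spent."""
    for _ in range(max_polls):
        try:
            if in_fips_mode(run(host, STATUS_CMD)):
                return True
        except ConnectionError:
            pass   # node is still rebooting (or halted); keep polling
    return False


def enable_fips_cluster(run: RunCli, hosts: List[str], max_polls: int = 5) -> List[str]:
    """Enable FIPS on hosts in order. Returns the hosts confirmed in FIPS
    mode; stops at the first host that does not come back, leaving the
    remaining hosts untouched (a halted node needs a reboot or recovery)."""
    done: List[str] = []
    for host in hosts:
        run(host, ENABLE_CMD)
        if not wait_for_fips(run, host, max_polls):
            break
        done.append(host)
    return done


if __name__ == "__main__":
    cluster = {"pub": SimulatedServer(), "sub1": SimulatedServer(),
               "sub2": SimulatedServer(self_test_ok=False), "sub3": SimulatedServer()}
    print(enable_fips_cluster(make_runner(cluster), list(cluster)))   # ['pub', 'sub1']
```

In the sample run the third node never returns, so the script stops there and the fourth node is left untouched rather than being pushed into a half-converted cluster.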
Slide 4
FIPS status
Check status in CLI with the following command:
admin:utils fips status
Returns the current FIPS mode and, if the system is in FIPS mode, the status of the FIPS 140-2 components' startup self-tests and integrity check.
Slide 5
Fresh install
Install system
Enable FIPS
Configure system as normal
Slide 6
Pre-existing telephony systems
Secure ports: SCCP or SIP
Edit 4/28/2011: You need to regenerate the root certificate for non-secure telephony integrations too.
Regenerate root certificate
Upload root cert to CUCM
Restart CallManager service on CUCM
Restart Conversation Manager service on Unity Connection
Confirm ports are registered
Relevant logs for troubleshooting: CuCsMgr, CuMixer, Tomcat
When examining logs, look for SSL, openssl and SSH type errors
Slide 7
Unified Messaging Service
Set Web-based Authentication Mode from "NTLM/Digest" to "Basic"
Use "test" button
IMPORTANT: Because "Basic" is used, an IPsec policy must be configured to be secure/FIPS compliant
Relevant logs for troubleshooting: CuMbxSync, CuCsMgr, Tomcat
When examining logs, look for SSL, openssl and SSH type errors
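Both this slide and the previous one end with the same troubleshooting step: check the CuCsMgr, CuMixer, CuMbxSync and Tomcat logs for SSL, openssl and SSH type errors. The following added Python helper (not Cisco's tooling) does that scan over constructed sample lines and summarises the hits per component; it also matches "tls" and "handshake", which the slides do not list. The line format, the log names used as dictionary keys, and every sample line are constructed for the example, so the regex will need adapting to the real diagnostic log layout.

```python
"""Triage helper for the troubleshooting step on slides 6 and 7: scan the
CuCsMgr, CuMixer, CuMbxSync and Tomcat logs for SSL-, openssl- and SSH-
type errors and summarise them per component. Added example, not Cisco's
tooling; the log line format and the sample lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Keywords the slides tell you to look for, plus TLS/handshake variants
# (an addition here, not on the slides). A line counts when a crypto
# keyword and an error keyword both appear, in either order.
ERROR_PATTERN = re.compile(
    r"\b(?:ssl|openssl|tls|ssh|handshake|certificate\s+verify)\b.*?"
    r"\b(?:error|fail(?:ed|ure)?|exception|rejected|untrusted)\b"
    r"|\b(?:error|fail(?:ed|ure)?|exception)\b.*?\b(?:ssl|openssl|tls|ssh)\b",
    re.IGNORECASE,
)

# Constructed sample lines, keyed by the log they came from.
SAMPLE_LOGS: Dict[str, List[str]] = {
    "CuCsMgr": [
        "10:01:02.100 CuCsMgr INFO  Starting SCCP port registration",
        "10:01:02.450 CuCsMgr ERROR SSL handshake failed with CUCM: certificate verify failed",
        "10:01:03.000 CuCsMgr INFO  Retrying registration in 30s",
    ],
    "CuMixer": [
        "10:01:05.210 CuMixer INFO  Media stream setup OK",
    ],
    "CuMbxSync": [
        "10:02:11.700 CuMbxSync WARN  Basic auth selected; IPsec policy required for FIPS compliance",
        "10:02:12.050 CuMbxSync ERROR openssl: unsupported cipher requested (FIPS mode)",
    ],
    "Tomcat": [
        "10:02:20.000 Tomcat INFO  Server startup in 1234 ms",
        "10:02:21.300 Tomcat ERROR javax.net.ssl.SSLException: handshake_failure",
    ],
}


def find_crypto_errors(lines: Iterable[str]) -> List[str]:
    """Return the lines that match an SSL/openssl/SSH-type error."""
    return [line for line in lines if ERROR_PATTERN.search(line)]


def triage(logs: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Run the scan per component; components with no hits are omitted."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for component, lines in logs.items():
        hits = find_crypto_errors(lines)
        if hits:
            findings[component].extend(hits)
    return dict(findings)


if __name__ == "__main__":
    for component, hits in triage(SAMPLE_LOGS).items():
        print(f"{component}: {len(hits)} crypto-related error(s)")
        for hit in hits:
            print("   ", hit)
```

On the sample data CuMixer drops out (no crypto error), while the CuCsMgr handshake failure, the CuMbxSync openssl cipher refusal and the Tomcat SSLException are each surfaced under their component, which is the grouping you want when deciding whether the telephony integration or the Unified Messaging side is the one failing in FIPS mode.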
Slide 8
Other IPsec dependencies
Please refer to Unity Connection 8.6 documentation
Edit 4/28/2011 - As an FYI:
Digital Networking: secure messaging will be protected by IPsec across diginet
UM service (unlikely FIPS systems will have this enabled)
SpeechView (unlikely FIPS systems will have this enabled)
Slide 9
Troubleshooting
If the FIPS integrity and self-tests fail during boot up, the system halts. Users can try a reboot to check if the condition is a temporary problem. If the issue persists, the only option is to decommission the server or use a recovery CD.
It's very unlikely, but FIPS modules can fail FIPS checks during run time. In this case, the client application will likely core. If a restart doesn't fix the problem, Cisco will need to take a closer look. Anything dealing with encryption could potentially be impacted by FIPS. If this is suspected, disable FIPS mode and attempt to reproduce the issue to determine a possible relationship.
Slide 10
References
Other Cisco FIPS 140-2 TOI:
http://wwwin-eng.cisco.com/Eng/VTG/IPCBU/CUCM/CallManager_MontBlanc/Presentations/FIPS_TOI.pptx
http://wwwin-eng.cisco.com/Eng/VTG/IPCBU/CUCM/CallManager_MontBlanc/Presentations/MontBlanc_IR2_UCR2008_FIPS_PKI-IA_IPSec_Auth_TOI.pptx
FIPS 140-2 general information:
http://en.wikipedia.org/wiki/FIPS_140-2
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf