TOI: FIPS 140-2 compliance, Unity Connection 8.6
Mike Canfield - Test engineer
Yolanda Liu - Dev engineer

What is FIPS 140-2
• Federal Information Processing Standards Publication 140-2: Security Requirements for Cryptographic Modules
• Unity Connection uses FIPS-compliant crypto libraries
• Literally restricts which ciphers and algorithms can be used
• Detects if the libraries have been tampered with and halts the system

Enabling/Disabling FIPS mode
• Enable FIPS in the CLI with the following command: admin:utils fips enable
• Disable FIPS in the CLI with the following command: admin:utils fips disable
• The command only applies to the current server. To enable FIPS on all the servers in the cluster, run the CLI command on each server.
• IMPORTANT: enable/disable FIPS on the next server only when the current server has come back up in FIPS mode.

FIPS status
• Check the status in the CLI with the following command: admin:utils fips status
• Returns the current FIPS mode
• If the system is in FIPS mode, it also returns the status of the FIPS 140-2 components' startup self-tests and the integrity check.

Fresh install
• Install system
• Enable FIPS
• Configure system as normal

Pre-existing telephony systems
Secure ports: SCCP or SIP
Edit 4/28/2011: You need to regenerate the root certificate for non-secure telephony integrations too.
1. Regenerate root certificate
2. Upload root cert to CUCM
3. Restart CallManager service on CUCM
4. Restart Conversation Manager service on Unity Connection
5. Confirm ports are registered
Relevant logs for troubleshooting: CuCsMgr, CuMixer, Tomcat
When examining logs look for: SSL, openssl and SSH type errors

Unified Messaging Service
• Set Web-based Authentication Mode from "NTLM/Digest" to "Basic"
• Use the "test" button
• IMPORTANT: Because "Basic" is used, an IPsec policy must be configured to be secure/FIPS compliant
Relevant logs for troubleshooting: CuMbxSync, CuCsMgr, Tomcat
When examining logs look for: SSL, openssl and SSH type errors

Other IPsec dependencies
Please refer to the Unity Connection 8.6 documentation.
Edit 4/28/2011 - As an FYI:
• Digital Networking - Secure messaging will be protected by IPsec across diginet
• UM service (unlikely FIPS systems will have this enabled)
• Speechview (unlikely FIPS systems will have this enabled)

Troubleshooting
• If the FIPS integrity and self-tests fail during boot up, the system halts. Users can try a reboot to check whether the condition is a temporary problem. If the issue persists, the only option is to decommission the server or use a recovery CD.
• It's very unlikely, but FIPS modules can fail FIPS checks during run time. In this case, the client application will likely core. If a restart doesn't fix the problem, Cisco will need to take a closer look.
• Anything dealing with encryption could potentially be impacted by FIPS. If this is suspected, disable FIPS mode and attempt to reproduce the issue to determine a possible relationship.

References
Other Cisco FIPS 140-2 TOI
http://wwwineng.cisco.com/Eng/VTG/IPCBU/CUCM/CallManager_MontBlanc/Presentations/FIPS_TOI.pptx
http://wwwineng.cisco.com/Eng/VTG/IPCBU/CUCM/CallManager_MontBlanc/Presentations/MontBlanc_IR2_UCR2008_FIPS_PKI-IA_IPSec_Auth_TOI.pptx
FIPS 140-2 General information
http://en.wikipedia.org/wiki/FIPS_140-2
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
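The "Enabling/Disabling FIPS mode" slide warns that FIPS must be enabled on one cluster member at a time, moving to the next server only after the current one has come back up in FIPS mode. The following is an added example (not part of the TOI and not Cisco code) of an operator script that enforces that sequencing. It assumes the admin CLI is reachable through a caller-supplied `run(host, command)` function (for instance an SSH wrapper) and, as a placeholder assumption, that the output of `utils fips status` contains the word "enabled" when FIPS mode is active; `fips_enabled()` should be adjusted to the real output format. A constructed `FakeCluster` simulates the reboot so the script can be exercised offline.

```python
"""Rolling FIPS enable across a Unity Connection cluster (added example, not Cisco code)."""

ENABLE_CMD = "utils fips enable"
STATUS_CMD = "utils fips status"


def fips_enabled(status_output: str) -> bool:
    """Placeholder parser for `utils fips status` output.

    ASSUMPTION: a status line containing "enabled" means FIPS mode is on.
    Check the real 8.6 output format and adjust before using this.
    """
    return "enabled" in status_output.lower()


def enable_cluster(hosts, run, poll=lambda: None, max_polls=60):
    """Enable FIPS one server at a time.

    `run(host, command)` executes an admin CLI command and returns its output
    (it may raise ConnectionError while the server is rebooting). The next
    server is touched only after the current one reports FIPS mode; if a
    server never comes back, the rollout stops so the cluster is not left
    with several members down at once.
    """
    completed = []
    for host in hosts:
        run(host, ENABLE_CMD)  # the server reboots into FIPS mode
        for _ in range(max_polls):
            try:
                out = run(host, STATUS_CMD)
            except ConnectionError:
                out = ""  # still rebooting; keep waiting
            if fips_enabled(out):
                break
            poll()  # e.g. time.sleep(30) in real use
        else:
            raise RuntimeError(
                f"{host} did not come back in FIPS mode; not continuing to the next server"
            )
        completed.append(host)
    return completed


class FakeCluster:
    """Constructed simulation: each enable makes the host unreachable for `reboot_polls` status calls."""

    def __init__(self, reboot_polls, stuck=()):
        self.reboot_polls = reboot_polls
        self.stuck = set(stuck)  # hosts that reboot but never report FIPS mode
        self.remaining = {}
        self.calls = []  # (host, command) in the order issued

    def run(self, host, command):
        self.calls.append((host, command))
        if command == ENABLE_CMD:
            self.remaining[host] = self.reboot_polls
            return "FIPS mode enable requested; the server will reboot"
        if self.remaining.get(host, 0) > 0:
            self.remaining[host] -= 1
            raise ConnectionError("host unreachable during reboot")
        if host in self.stuck or host not in self.remaining:
            return "FIPS mode is disabled"
        return "FIPS mode is enabled"


def demo():
    """Two-node rollout against the simulated cluster; returns (finished hosts, call log)."""
    cluster = FakeCluster(reboot_polls=3)
    done = enable_cluster(["cuc-pub.example", "cuc-sub.example"], cluster.run)
    return done, cluster.calls


if __name__ == "__main__":
    done, calls = demo()
    print("enabled in order:", done)
    for host, cmd in calls:
        print(f"{host}: {cmd}")
```

The call log produced by `demo()` shows that no command reaches the second server until the first has answered `utils fips status` with FIPS mode on, which is the ordering the slide requires.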
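Both the telephony and Unified Messaging slides say to examine the CuCsMgr, CuMixer, CuMbxSync and Tomcat logs for SSL, openssl and SSH type errors. The following is an added example (not part of the TOI and not Cisco code) of a small triage script that pulls those lines out and summarises them per component and keyword. The log lines and their timestamp/component/level layout are constructed for illustration; the real Unity Connection log formats are not taken from the TOI, so `LINE_RE` would need adjusting for actual files.

```python
"""Triage Unity Connection logs for FIPS-related SSL/openssl/SSH errors (added example)."""
import re
from collections import Counter

# Most specific keyword first so an "openssl" line is not counted as plain "ssl".
KEYWORDS = ("openssl", "ssl", "ssh")

# ASSUMED layout: "<date> <time> <component> <level> <message>"; not the real log format.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<comp>\w+)\s+(?P<level>\w+)\s+(?P<msg>.*)$")

# Constructed sample lines, one per log source named on the slides.
SAMPLE_LOGS = """\
2011-04-28 10:01:02 CuCsMgr ERROR SSL handshake with CUCM 10.0.0.5 failed: certificate verify failed
2011-04-28 10:01:03 CuCsMgr INFO port registration retry scheduled
2011-04-28 10:02:10 CuMixer ERROR openssl: unsupported cipher requested (FIPS mode)
2011-04-28 10:03:00 Tomcat WARN SSL session renegotiation disabled
2011-04-28 10:04:15 CuMbxSync ERROR SSH connection to exchange host refused
2011-04-28 10:05:00 Tomcat INFO server started
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def fips_keyword(msg):
    """Return the most specific FIPS-related keyword found in the message, or None."""
    low = msg.lower()
    for kw in KEYWORDS:
        if kw in low:
            return kw
    return None


def triage(log_text, levels=("ERROR", "WARN")):
    """Return (timestamp, component, level, keyword, message) for each flagged line."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["level"] not in levels:
            continue
        kw = fips_keyword(rec["msg"])
        if kw:
            hits.append((rec["ts"], rec["comp"], rec["level"], kw, rec["msg"]))
    return hits


def summarize(hits):
    """Count flagged lines per (component, keyword) pair."""
    return Counter((comp, kw) for _, comp, _, kw, _ in hits)


if __name__ == "__main__":
    found = triage(SAMPLE_LOGS)
    for ts, comp, level, kw, msg in found:
        print(f"{ts} {comp:9} {level:5} [{kw}] {msg}")
    print("summary:", dict(summarize(found)))
```

Running the script over real log exports (one file per component) gives a quick view of which service is failing on which cryptographic path, which is the starting point the troubleshooting slide suggests before deciding whether to disable FIPS mode and retest.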