VoiceBootcamp CCNP Collaboration Training - Certificate

Captions
Hi. In this video we're going to talk about the certificate. Now, the certificate is one of the most important topics within Cisco Collaboration, and as we are moving into working from home, logging in from various devices, logging in from hotels, we need to have a proper way to secure our communication. Cisco Unified Communications Manager will use certificates that can use a public key infrastructure, or PKI, in order to validate the server and client identity and to enable encryption. The concept: a system presents its certificate to Unified Communications Manager in order to verify its identity. Now, when another system, for example a phone or a media server, tries to communicate with Cisco Unified Communications Manager, it will not automatically trust that system and usually will deny access to it unless it has a matching certificate in its appropriate trust store, trusting the certificate of that particular server. A certificate is a file that contains the certificate holder's name, public key and the digital signature of the certificate authority who actually issued the certificate, verifying the authenticity of the client. A certificate will prove the identity of the owner of the certificate.

For Cisco Unified Communications Manager to be able to process encrypted communication you need to enable mixed mode. In order for you to do that, you have to make sure that the Cisco Unified Communications Manager version that you're using is the right version. For example, Cisco has two versions of Call Manager, or CUCM: you have the unrestricted version and then you have the restricted version. So if you're using the unrestricted version you may not be able to enable encryption, so you need to make sure that the version of the installation that you have is proper enough that you can enable encryption, and I believe it must be the restricted version. Now, this restricted version may not be available for all countries, so you may want to look into that.

Mixed mode, which can be enabled only through the CLI, basically means that Cisco Unified Communications Manager will be able to process encrypted and unencrypted signaling. Now, by default mixed mode is disabled, which means that you can only route unencrypted traffic. Starting with Call Manager version 10, mixed mode is enabled by default; prior to version 10 it required the use of two hardware keys. Now, to enable mixed mode, you go to the Enterprise Parameters and you can see that mixed mode is disabled. To enable it, you can connect to the command line and issue the following command; for example, you could issue the command utils ctl set-cluster mixed-mode, and when you enable this command it will of course have to reboot the system, and at that moment when you go back here you will see the number set to one, which is the indication that mixed mode is enabled. So to enable mixed mode, simply SSH to your server and issue this command: utils ctl set-cluster mixed-mode. Now this command will require you to reboot, so make sure you do that during your maintenance window.

So what is a certificate? Well, there are many different types of certificates. You've got a server certificate and you've got a certificate authority certificate. A server certificate basically identifies or validates the server that you are working on, such as Call Manager or IM and Presence, and a certificate authority certificate is the certificate of the company who is issuing or validating the certificate, in other words the company that you actually purchase a certificate from, such as VeriSign, GoDaddy or ZeroSSL. So when you have a Call Manager, it will initiate a request to the certificate authority saying, hey, I would like to purchase a new certificate. There are certain settings, a configuration, that you have to do in the Call Manager which will create some sort of encrypted file, which you will then upload to the certificate authority or the company where you're buying the certificate from. Now, once you do that, after validation they will issue a certificate, and that becomes your server certificate. Now you will need to download that certificate and upload it to your Call Manager.

The problem with that is that when you upload a server certificate to Call Manager, Call Manager wants to make sure that the certificate that you're uploading is trusted. So to do that, first you need to upload the certificate authority certificate. Remember what I said: the certificate authority certificate is a certificate that validates the company you were purchasing the certificate from. So typically GoDaddy or ZeroSSL will issue two certificates for you: one is your server certificate and the other one is going to be called the certificate chain, or the root certificate. You will upload the root certificate into tomcat-trust or CallManager-trust, both locations. You will upload it first, and then you will upload the server certificate that you have. So that is the procedure for Cisco Unified Communications Manager to be assigned a certificate properly.

Now obviously, when your laptop wants to communicate with the Call Manager, whether you're going browser-based or whatnot, what the server will do is send you the server certificate. Now your laptop or desktop or endpoint, or whatever device you're using, is going to look at the server certificate and find out who the certificate authority is; let's say it is GoDaddy. Now usually what happens is your computer or desktop may already have the root certificate of GoDaddy or ZeroSSL or VeriSign, which comes with Windows, by the way, or as you go through various websites it might have that. When you try to validate, you're going to look at your internal certificate list to see that the root certificate of this particular server certificate already exists, and if it does, it's going to validate, basically verify that you are an authenticated person. If your computer or laptop does not have the certificate, the computer or laptop will not trust the server certificate that you're trying to, let's say, connect to. What's going to happen is you're going to get a browser error saying the certificate is not valid, you are connecting with an unencrypted, non-secure connection, and in some cases some applications will fail. So this is why it's important that you upload the root certificate onto the desktop or the laptop or the mobile client if it is not a well-known server certificate that already exists in the market. So like I said, the most common server certificates are most likely going to be part of your Windows installation, or whatever operating system you're using, or even the browser that you're using.

Now, a public CA, which is a company like VeriSign, GoDaddy or ZeroSSL, issues certificates which will be required on the servers that are providing the services. A public CA is an organization; usually you can use either a public certificate server like Symantec, VeriSign, GoDaddy, or you could use a private CA, which in this case is based on Microsoft Certificate Server. If the public server held a server certificate from an unrecognized CA, the connecting device would reject the certificate and the connection would fail, or it might give you a warning. A private CA, in this case Microsoft Certificate Server, is deployed behind the firewall, usually within your network, and issues certificates that will be accepted within the enterprise. However, these certificates will not be recognized by a third-party client because they are internal. So what you can do to have the third-party client recognize the server certificate issued by your internal CA: you take the Microsoft Certificate Server's root certificate and you give it to them, or you upload it to their PC; then their PC will trust your server certificates. So private CAs are used to issue certificates to internal servers; these are commonly called self-signed certificates since they are issued by the enterprise to their own servers. Now this saves the enterprise time and money since they're internal and they can easily deploy them. Now obviously you have to keep in mind that some third-party applications or companies will not automatically trust your certificate because it was not issued from a public environment.

So, certificate signing requests. The first thing that you're going to do in your Call Manager is generate a certificate request, as if you're purchasing a certificate. When you generate the request, what's going to happen in Call Manager is it's going to create two files: one is called the private key and one is going to be called the certificate signing request, or CSR. The CSR file, which is basically a text file, would kind of look like Greek, no offense to Greeks; so it's like an encrypted language, which is called the public key. It will then be sent to the certificate authority. What the certificate authority will do, after taking your payment, is process it, encrypt it and send you the public key in an encrypted certificate format. So now the public key is encrypted with the certificate validated by the certificate authority. You will then have an option to upload this certificate into the Call Manager server, as well as a server certificate into the Call Manager. Now the CA certificate will go to the trust store, and the server certificate will go to either CallManager or tomcat, both locations. So you will upload all the CA certificates, or the root certificates, into the trust store, whereas the server certificate will go to the respective service.

Now there are many different certificate requirements. Cisco Unified CM requires a CA (certificate authority) certificate and a server certificate to be uploaded for each service across a cluster. For example, a CA and a server certificate must be uploaded for the tomcat service for your web access to the server to be encrypted; separately, you need to upload the CallManager server certificate for CallManager services. The certificate can be from the same CA, which is fine; however, a server certificate must be uploaded once for each type of service. So you've got tomcat and CallManager. Tomcat services are used when you're trying to access the web interface of the server, such as the administration page, OS Administration, Serviceability, etc. CallManager is used by Cisco phones when they're registering with the Call Manager, so any application, endpoint or Jabber client accessing the CallManager services will use this certificate, and they have to be generated separately. Services that support certificate verification are listed in the following table. If Cisco Unified CM is in a cluster, then the certificate only needs to be uploaded once for each service. So that means that if you have a publisher, one subscriber and one IM and Presence which happen to be in one cluster, you upload the certificate in one location and it will get distributed to all the servers, so you don't have to repeat the process for all of them.

Now the Call Manager supports two types of certificate. We've got Privacy Enhanced Mail, or PEM; this format contains the X.509 certificate encoded in text, or Base64, and it is supported by Cisco VCS and Cisco Call Manager, or CUCM; it is the most common format in unified communications. And then you have another type called Distinguished Encoding Rules, or DER, which contains the X.509 certificate in binary form and is only supported by Cisco Unified Communications Manager, or CUCM; it is not supported by other Cisco collaboration applications. The difference between the two types is simply the way the certificate is encoded, but while CM can support either format, most other products do not, so in this case it is probably better to use the PEM format for all. All right, so that's pretty much all there is for the certificate.

Now let's take a look at the lab of how to generate a certificate within your private environment. So right now I'm in my Call Manager, and what I'm going to do is generate a certificate for all three servers, okay? That means the publisher, subscriber and IM and Presence. To do that, make sure that all of their web interfaces are accessible. Now, whether you can log in or whether they're configured, that's not the point right now. First thing first, we're going to go to Microsoft Certificate Server; hopefully the server is up. All right, so I have my Microsoft Certificate Server ready to go. I'm going to increase the font size. Now, before I do anything here, I need to download the CA certificate first. So let's go to Download, and I'm going to choose the Base64 certificate and I'm going to choose Download CA certificate right there. Okay, so it's downloaded, called certnew(1); if you want, you can always rename it, so I will go ahead and rename this to root CA. I will copy that into a different folder. All right, so I have the certificate created and it is right now in this folder.

So the next thing I'm going to do is log into the Call Manager and generate a server certificate request. So I'm going to go to the OS Administration page, go ahead and log in, and we're going to generate. Now there are two ways to generate: you can generate a certificate for each server individually, such as publisher, subscriber and IM and Presence, or I can generate a multi-server one which will support all three. So it's totally up to you which one you want to do; for some reason sometimes you may want to separate them for security policy reasons, or you want to keep it all the same. So I'm going to go to the certificate menu and I'm going to say Certificate Management, and I'm going to say Generate CSR. Right now I do not have any certificate created for this, and you can see right here it says Not Secure, and that is an indication the server certificate is not really secure at this stage. Okay, so what you're seeing right here: if you look at CallManager-trust, that is where the root certificate goes; you will see tomcat-trust right there, that's where the root certificate will go.

So what we're going to do is generate a CSR. So I'm going to click on that and I will have the option to choose the purpose of the certificate. So the first thing I'm going to do is create a tomcat certificate, so I'm going to choose tomcat. Then distribution: you specify the server name versus multi-server. If you do multi-server it's going to create the certificate for all three servers that you have in your cluster, publisher, one subscriber, one IM and Presence, but if you're doing it individually, that means you've got to do this process individually on all three servers, more time-consuming, more costly. So I'm going to specify multi-server, and what it's going to do is automatically find all the servers from the cluster, and as you can see, IM and Presence, publisher and subscriber: it automatically found that information because it's part of the cluster. And as soon as you click on Generate, what it's going to do is create the public/private key and the certificate request, and the private key will be distributed onto all three servers that you have, because they all have to have that. So I'm going to go and generate that. It's taking a little time because of the process of creating the file on all three servers and copying it; it will take a little time, so be patient. If there is an existing CSR that already exists, it will overwrite that, so you want to make sure. All right, certificate success: it says successfully exported, export operation on all three servers, which is a good thing because it has been copied to all those servers. I'm going to close this, and as I close this you'll see that after I refresh it, you'll see a new Download option. You've got one Upload and Generate CSR; there will be a new button showing up here called Download. That means you are ready to download the CSR.

Now before I do that, I want to generate another certificate, and this one is going to be the CallManager one. Remember, we need both tomcat and CallManager. So I will select CallManager and now the same thing: simply choose the distribution. When you do CallManager, it only creates it for the publisher and subscriber, because IM and Presence is not a Call Manager, so therefore it does not need the certificate for IM and Presence. Okay, so go ahead and generate that. Again, it's going to upload it to both publisher and subscribers, and if you have more than one subscriber it will upload to all of those subscribers as long as they're part of the same cluster. Okay, so it's done; I will close it.

Now I'm ready to download both of my requests, which means I'm going to take those requests, go to my certificate authority and I'm going to purchase the server certificate. So go ahead and download it; you're going to download both individually. So I'm going to say download tomcat first: so tomcat, download the CSR, you'll see tomcat.csr downloaded. I will go to CallManager, download: the CallManager CSR has been downloaded. So I'm going to start with tomcat first. I'm going to go to tomcat.csr and you see that this will be like a Notepad file; I'm going to open it in Notepad and this is what it looks like. So you've got kind of like an encrypted version. All I'm going to do is copy all (Ctrl+A to copy it), go to Microsoft Certificate Server, make sure I'm on the main page, and I'm going to say Request a certificate. Okay, so I'm going to click on Advanced and I'm going to paste that information right there. Then the certificate template is going to be called VBC Client Server, or any client-server template, the name doesn't matter, and I'm going to click on Submit. It will issue the certificate; it has been automatically issued, and I have two formats, PEM format or DER format. I'm going to choose the PEM Base64 and I'm going to click on the first one, download; I don't need the second one, I just need the first one. Again you can see certnew(1) has been downloaded. All right, so now I will go back and click on the CallManager one. So remember, certnew(1) is your tomcat, and the CallManager one that we're going to create is going to be a new certificate. Make sure the CallManager one: copy, request, advanced, paste and submit. Okay, download. You've got two certificates, one certnew(1) and certnew(2): certnew(1) is my tomcat, certnew(2) is my CallManager. Again, you can always copy them from those folders and bring them back to the folder that you want to upload them from. So again, if you want to be a little bit more, you know, easy on yourself, you can rename it to tomcat and you want to rename it to CallManager. Okay, so I've got my certificates ready; I'm ready to upload.

So you will go back to your Call Manager; right here it says Upload Certificate. Remember the root certificate; we're going to upload that first. So the root certificate will go to tomcat-trust and CallManager-trust. Okay, so what I'll do, let me open it. So I'm going to say first tomcat-trust. Now, if I try to upload the tomcat server certificate first, let's try it. So I'm going to go to the certificate, let's say I'm going to do tomcat; let's try without the root and see what happens. Usually what's going to happen is, as you can see, "certificate is not available in the trust store"; that means the root does not exist, so it cannot validate that. So we want to upload the root first. So we're going to say tomcat-trust and we're going to select the root certificate first, and the root has to be uploaded to both tomcat-trust as well as CallManager-trust, so we're going to make sure that part is taken care of first. So it's done; I'm going to go to CallManager-trust now and choose the same file, because it's the same root, and once this is done, now we're ready to upload your CallManager, rather your server certificate.

So I'm going to go to tomcat first. As you can see, tomcat is still using self-signed. I'm going to choose tomcat, the server version, not the root; upload. It should recognize that right now because it was issued by the same root certificate. So again, when it's uploading, it's uploading the certificate not only on this server but also on the publisher, subscriber and IM and Presence; so that's why it takes a little time for the upload to complete. Now once the certificate is uploaded, what you need to do is log into the CLI of your server and restart the TFTP service and various other services; I just reboot the server. All right, so the tomcat is done. As you can see it says HQ-PUB, HQ-SUB and IM and Presence: the certificate has been uploaded; run utils service restart tomcat for this to take effect. Now you're going to do that for all three servers individually. I'm going to go ahead to CallManager now and upload. So that's basically how you manage certificates on the server. At this moment I will SSH into the server, or PuTTY into the server, while we're waiting for the upload to happen. Okay, all the certificate uploads have been done. All I have to do right now is reboot the servers, all three of them, and my certificate should be valid once I reboot. Make sure you do not go to the server by IP address anymore; you have to use the domain name or fully qualified domain name to be able to see whether it is secure or not, because the certificate uses the hostname, the fully qualified domain name; it does not use the IP address for validation.

So that's pretty much it for our certificate. Hopefully you got a picture of how to manage the certificates for your environment and how to request a new one. The process for all the other websites like GoDaddy, VeriSign or ZeroSSL is very similar from the Call Manager; it's exactly the same from the Call Manager perspective. However, the process from the service provider could vary because of the web interfaces that they use; it may differ from one company to another company. So it's not a very hard thing to do; in terms of learning, a little bit of a learning curve is required, but otherwise the process is the same. So I hope you understood the certificate process in Cisco Collaboration; it can apply to pretty much any other application that you have that requires SSL. So thank you for watching and I will see you in the next video.
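As an added example (not from the video, and not Cisco's tooling), the following Python checks the certificate files the transcript walks through before they are uploaded: it tells a Base64 PEM file from a binary DER one, verifies that a DER file's outer ASN.1 envelope is complete (a truncated download will be rejected at upload time), converts DER into the PEM form the video recommends, and splits a CA chain bundle into one PEM certificate per entry so each root or intermediate can be uploaded to tomcat-trust and CallManager-trust on its own. The sample bytes are constructed stand-ins, not real X.509 certificates.

```python
# Added example: pre-upload checks for PEM/DER certificate files (stdlib only).
# SAMPLE_DER is a constructed placeholder (a SEQUENCE holding INTEGER 1); it is
# not a real certificate, it only exercises the DER envelope handling.
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

SAMPLE_DER = b"\x30\x03\x02\x01\x01"   # constructed, not a real X.509 cert


def der_length(data: bytes) -> int:
    """Total length (header + content) of the outer DER SEQUENCE, or -1 if the
    bytes do not begin with a well-formed SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:   # an X.509 Certificate is a SEQUENCE
        return -1
    first = data[1]
    if first < 0x80:                        # short form: one length byte
        return 2 + first
    n = first & 0x7F                        # long form: next n bytes hold length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Classify a certificate file as 'PEM', 'DER' or 'unknown' (e.g. truncated)."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "PEM"
    if der_length(data) == len(data):       # declared length must match the file
        return "DER"
    return "unknown"


def to_pem(data: bytes) -> str:
    """Return the certificate as PEM text; PEM input passes through unchanged."""
    fmt = detect_format(data)
    if fmt == "DER":
        return ssl.DER_cert_to_PEM_cert(data)
    if fmt == "PEM":
        return data.decode("ascii")
    raise ValueError("not a complete PEM or DER certificate (truncated download?)")


def split_pem_bundle(text: str) -> list:
    """Split a PEM bundle (e.g. root + intermediate chain) into normalised,
    single-certificate PEM strings ready for one-at-a-time upload."""
    certs = []
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()))
        certs.append(ssl.DER_cert_to_PEM_cert(der))
    return certs


if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(detect_format(SAMPLE_DER), detect_format(pem.encode()))   # DER PEM
    print(detect_format(SAMPLE_DER[:-1]))                            # unknown
    print(len(split_pem_bundle(pem + pem)), "certificates in bundle")  # 2
```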
Info
Channel: VoiceBootcamp Inc
Views: 275
Keywords: ccna ccnp ccie, ccna voice, ucce, icm, callmanager, unified communication, ccie collaboration, amazon aws, amazon aws training, amazon aws certification, cisco ucce training, cisco uccx training
Id: u64saiKEsBA
Length: 27min 43sec (1663 seconds)
Published: Tue Apr 20 2021