Cisco Cisco Expressway Maintenance Manual
The LDAP server must be configured to use the certificate. To do this:
■
Edit /etc/openldap/slapd.conf and add the following three lines:
TLSCACertificateFile <path to CA certificate>
TLSCertificateFile <path to LDAP server certificate>
TLSCertificateKeyFile <path to LDAP private key>
TLSCertificateFile <path to LDAP server certificate>
TLSCertificateKeyFile <path to LDAP private key>
The OpenLDAP daemon (
slapd
) must be restarted for the TLS settings to take effect.
To configure the Expressway to use TLS on the connection to the LDAP server you must upload the CA’s certificate as
a trusted CA certificate. This can be done on the Expressway by going to: Maintenance > Security certificates >
Trusted CA certificate.
a trusted CA certificate. This can be done on the Expressway by going to: Maintenance > Security certificates >
Trusted CA certificate.
Changing the Default SSH Key
Using the default key means that SSH sessions established to the Expressway may be vulnerable to "man-in-the-
middle" attacks, so we recommend that you generate new SSH keys that are unique to your Expressway.
middle" attacks, so we recommend that you generate new SSH keys that are unique to your Expressway.
An alarm message "Security alert: the SSH service is using the default key” is displayed if your Expressway is still
configured with its factory default SSH key.
configured with its factory default SSH key.
To generate a new SSH key for the Expressway:
1.
Log into the CLI as root.
2.
Type regeneratesshkey.
3.
Type exit to log out of the root account.
4.
Log in to the web interface.
5.
Go to Maintenance > Restart. You are taken to the Restart page.
6.
Check the number of calls and registrations currently in place.
7.
Click Restart system and then confirm the restart when asked.
If you have a clustered Expressway system you must generate new SSH keys for every cluster peer. Log into each
peer in turn and follow the instructions above. You do not have to decluster or disable replication.
peer in turn and follow the instructions above. You do not have to decluster or disable replication.
When you next log in to the Expressway over SSH you may receive a warning that the key identity of the
Expressway has changed. Please follow the appropriate process for your SSH client to suppress this warning.
Expressway has changed. Please follow the appropriate process for your SSH client to suppress this warning.
If your Expressway is subsequently downgraded to an earlier version of Expressway firmware, the default SSH
keys will be restored.
keys will be restored.
Restoring Default Configuration (Factory Reset)
Very rarely, it may become necessary to run the “factory-reset” script on your system. This reinstalls the software
image and resets the configuration to the functional minimum.
image and resets the configuration to the functional minimum.
Note
: Restoring default configuration causes the system to use its current default values, which may be different from
the previously configured values, particularly if the system has been upgraded from an older version. In particular this
may affect port settings, such as multiplexed media ports. After restoring default configuration you may want to reset
those port settings to match the expected behavior of your firewall.
may affect port settings, such as multiplexed media ports. After restoring default configuration you may want to reset
those port settings to match the expected behavior of your firewall.
Prerequisite Files
The
factory-reset
procedure described below rebuilds the system based on the most recent successfully-installed
software image. The files that are used for this reinstallation are stored in the /mnt/harddisk/factory-reset/ folder on
the system. These files are:
the system. These files are:
■
A text file containing just the 16-character Release Key, named rk
■
A file containing the software image in tar.gz format, named tandberg-image.tar.gz
335
Cisco Expressway Administrator Guide
Reference Material