Cisco Cisco TelePresence MCU 4510 Administrator's Guide
Configuring HTTPS verification
The
HTTPS trust store
section is where you can configure certificate-based authentication for users logging
in to the web interface and for applications interacting with the API. This section also lets you configure
whether the MCU should verify server certificates, presented by an OCSP server or by feedback receivers,
before allowing these connections.
whether the MCU should verify server certificates, presented by an OCSP server or by feedback receivers,
before allowing these connections.
CAUTION: If you transition from solely password-based client authentication to any level of certificate-
based client authentication (including those that permit but do not require certificates), it is possible
inadvertently to block client access to the MCU. This can happen if HTTP is disabled or if HTTP to HTTPS
redirection is enabled. In such cases, a certificate that is trusted by the MCU must be presented by the client
side (typically you the administrator) in order to log in. If no such client certificate exists then no one can log
in.
based client authentication (including those that permit but do not require certificates), it is possible
inadvertently to block client access to the MCU. This can happen if HTTP is disabled or if HTTP to HTTPS
redirection is enabled. In such cases, a certificate that is trusted by the MCU must be presented by the client
side (typically you the administrator) in order to log in. If no such client certificate exists then no one can log
in.
We strongly recommend that you first review the option descriptions below and then follow the process in
Configuring client certificate security
1. Go to
Network > SSL certificates
.
2. Go to the
HTTPS trust store
section.
3. Select one of the options from the Client certificate security field.
4. Click Apply changes.
Client certificate security options
Not required
Certificate-based client authentication is not required (default) and client certificates are ignored.
Password-based authentication is required for all client access, whether by users over HTTPS or
applications making API calls.
Password-based authentication is required for all client access, whether by users over HTTPS or
applications making API calls.
Verify
certificate
certificate
Incoming HTTPS connections are only permitted if the client certificate is signed by an authority
that the MCU trusts, but password-based login is still required to authenticate the client, for
HTTPS, API, and other client connections.
that the MCU trusts, but password-based login is still required to authenticate the client, for
HTTPS, API, and other client connections.
Certificate-
based
authentication
allowed
based
authentication
allowed
Incoming HTTPS connections are only permitted if the client certificate is signed by an authority
that the MCU trusts and, if the certificate's common name matches a stored username, the client
logs in as that user. However, if the certificate is trusted and the common name does not match,
the client may log in with username and password.
that the MCU trusts and, if the certificate's common name matches a stored username, the client
logs in as that user. However, if the certificate is trusted and the common name does not match,
the client may log in with username and password.
Certificate-
based
authentication
required
based
authentication
required
Incoming HTTPS connections are only permitted if the client certificate is signed by an authority
that the MCU trusts. The common name of the certificate must also match a stored username
and password-based client authentication is not allowed.
that the MCU trusts. The common name of the certificate must also match a stored username
and password-based client authentication is not allowed.
HTTP and FTP logins are blocked. If Require administrator login is checked (on
Settings >
Security
), then console access is restricted to functions that do not require a login.
Note: The MCU requires every user account to have a password, even if Certificate-based
authentication required is selected and thus clients may not use their passwords. Furthermore, if
the MCU is in advanced account security mode, passwords must be replaced every 60 days.
Users are not prompted to change their passwords when they log in using certificate-based
authentication, so the passwords will expire and generate security warnings.
authentication required is selected and thus clients may not use their passwords. Furthermore, if
the MCU is in advanced account security mode, passwords must be replaced every 60 days.
Users are not prompted to change their passwords when they log in using certificate-based
authentication, so the passwords will expire and generate security warnings.
For the purpose of any timed access restrictions that exist on user accounts (typically password
change intervals and inactive account expiry rules) any log in using a certificate is treated as a
standard password-based login and will reset the timer accordingly.
change intervals and inactive account expiry rules) any log in using a certificate is treated as a
standard password-based login and will reset the timer accordingly.
For information about how these options affect the API interface, see the Cisco TelePresence
MCU API Reference Guide.
MCU API Reference Guide.
Cisco TelePresence MCU Series Administrator Guide
Page 256 of 300
Advanced topics
Configuring SSL certificates