Cisco Cisco TelePresence MCU 4510 Administrator's Guide
Transitioning to certificate-based security
Certificate-based security methods carry a risk of inadvertently blocking all login access to the MCU. (If
problems occur with the client certificate or the trust store, you will need to fall back to HTTP. If you cannot
fall back — because HTTP is disabled or because HTTP to HTTPS redirection is set — then all access
methods will be blocked.) We strongly recommend that you follow the procedure below when implementing
certificate-based security:
problems occur with the client certificate or the trust store, you will need to fall back to HTTP. If you cannot
fall back — because HTTP is disabled or because HTTP to HTTPS redirection is set — then all access
methods will be blocked.) We strongly recommend that you follow the procedure below when implementing
certificate-based security:
n
n
n
Enabling client certificates and certificate login (HTTPS
connections)
connections)
To transition access handling for HTTPS connections from standard, password-based access to required
client certificate validation and optionally to allow certificate-based login, do the following:
client certificate validation and optionally to allow certificate-based login, do the following:
1. Ensure that an appropriate HTTPS trust store is installed on the MCU (
Network > SSL certificates
) and
that the web browser(s) to be used to access the MCU are configured with a valid client certificate.
2. Go to
Network > Services
and enable both HTTP and HTTPS.
3. Go to
Settings > Security
and disable Redirect HTTP requests to HTTPS (uncheck the check box).
This ensures that you can fall back to HTTP if problems occur.
4. Go to
Network > SSL certificates
.
a. Scroll to the
HTTPS trust store
section.
b. Set Client certificate security to Verify certificate (to have client certificate validation but no
certificate login) or Certificate-based authentication allowed (to have client certificate validation and to
allow certificate-based login).
allow certificate-based login).
c. Click Apply changes.
5. Now test that you are able to log in to the MCU over an HTTPS connection.
a. First verify that you can log in using the standard password login mechanism.
b. If you specified Certificate-based authentication allowed in the previous step, also verify that
b. If you specified Certificate-based authentication allowed in the previous step, also verify that
certificate-based login is working as expected. This step is recommended, although strictly not
essential as Certificate-based authentication allowed mode still allows password login if certificate
login fails.
essential as Certificate-based authentication allowed mode still allows password login if certificate
login fails.
Note: Provided that this procedure is successful, you can now disable HTTP (
Network > Services
) or
enable redirection from HTTP to HTTPS (
Settings > Security
) if either are required by your configuration.
Enabling OCSP checking
Caution: The MCU will only perform OCSP checking if client certificate security mode is enabled. To do this
go to
go to
Network > SSL certificates
and set the Client certificate security option. When you first enable
OCSP checking, set Client certificate security to one of the 'lesser' modes (Verify certificate or Certificate-
based authentication allowed). If you want to set it to Certificate-based authentication required, only do so
after you have completed the procedure for
based authentication allowed). If you want to set it to Certificate-based authentication required, only do so
after you have completed the procedure for
and you are
certain that OCSP checking is working correctly.
Cisco TelePresence MCU Series Administrator Guide
Page 260 of 300
Advanced topics
Transitioning to certificate-based security