Cisco Cisco TelePresence MCU 4510 Release Notes
Appendix: Transitioning to certificate-based security
Cisco TelePresence MCU 4.4 (3.42) Release Notes
Page 22 of 24
Appendix: Transitioning to certificate-based security
Certificate-based security methods carry a risk of inadvertently blocking all login access to the MCU. (If
problems occur with the client certificate or the trust store, you will need to fall back to HTTP. If you cannot
fall back—because HTTP is disabled or because HTTP to HTTPS redirection is set—then all access
methods will be blocked.) To avoid this we strongly recommend that you follow the corresponding procedure
below when implementing certificate-based security options:
problems occur with the client certificate or the trust store, you will need to fall back to HTTP. If you cannot
fall back—because HTTP is disabled or because HTTP to HTTPS redirection is set—then all access
methods will be blocked.) To avoid this we strongly recommend that you follow the corresponding procedure
below when implementing certificate-based security options:
n
n
n
Enabling client certificates and certificate login (HTTPS connections)
To transition access handling for HTTPS connections from standard, password-based access to required
client certificate validation and optionally to allow certificate-based login, do the following:
client certificate validation and optionally to allow certificate-based login, do the following:
1. Ensure that an appropriate HTTPS trust store is installed on the MCU (
Network > SSL certificates
) and
that the web browser(s) to be used to access the MCU are configured with a valid client certificate.
2. Go to
Network > Services
and enable both HTTP and HTTPS.
3. Go to
Settings > Security
and disable Redirect HTTP requests to HTTPS (uncheck the check box).
This ensures that you can fall back to HTTP if problems occur.
4. Go to
Network > SSL certificates
.
a. Scroll to the
HTTPS trust store
section.
b. Set Client certificate security to Verify certificate (to have client certificate validation but no
certificate login) or Certificate-based authentication allowed (to have client certificate validation and to
allow certificate-based login).
allow certificate-based login).
c. Click Apply changes.
5. Now test that you are able to log in to the MCU over an HTTPS connection.
a. First verify that you can log in using the standard password login mechanism.
b. If you specified Certificate-based authentication allowed in the previous step, also verify that
b. If you specified Certificate-based authentication allowed in the previous step, also verify that
certificate-based login is working as expected. This step is recommended, although strictly not
essential as Certificate-based authentication allowed mode still allows password login if certificate
login fails.
essential as Certificate-based authentication allowed mode still allows password login if certificate
login fails.
Note: Provided that this procedure is successful, you can now disable HTTP (
Network > Services
) or
enable redirection from HTTP to HTTPS (
Settings > Security
) if either are required by your configuration.
Enabling OCSP checking
CAUTION:
The MCU will only perform OCSP checking if client certificate security mode is enabled. To do
this go to
Network > SSL certificates
and set the Client certificate security option. When you first enable
OCSP checking, set Client certificate security to one of the 'lesser' modes (Verify certificate or Certificate-
based authentication allowed). If you want to set it to Certificate-based authentication required, only do so
after you have completed the procedure for
based authentication allowed). If you want to set it to Certificate-based authentication required, only do so
after you have completed the procedure for
and you
are certain that OCSP checking is working correctly.
To enable OCSP checking for the MCU, do the following: