Cisco Acano X-series 開発者ガイド
Cisco Meeting Server Release 2.0 : MMP Command Line Reference
31
Command/Examples
Description/Notes
cac ocsp enable|disable
Online Certificate Status Protocol (OCSP) is a mechanism for
checking the validity and revocation status of certificates. The
MMP can use this to work out whether the CAC used for a login is
valid and, in particular, has not been revoked.
If the MMP is configured to be in "strict" CAC mode (no password
logins allowed – see above), then access to the MMP can be
restricted centrally by revoking certificates.
checking the validity and revocation status of certificates. The
MMP can use this to work out whether the CAC used for a login is
valid and, in particular, has not been revoked.
If the MMP is configured to be in "strict" CAC mode (no password
logins allowed – see above), then access to the MMP can be
restricted centrally by revoking certificates.
OCSP can be enabled without special configuration. In this mode,
the URL of the OCSP responder will be read from the CAC
credentials presented to the MMP if present. If an OCSP responder
is not present, or the OCSP responder is not available (is down,
can't be routed to, etc.), then CAC logins fail.
the URL of the OCSP responder will be read from the CAC
credentials presented to the MMP if present. If an OCSP responder
is not present, or the OCSP responder is not available (is down,
can't be routed to, etc.), then CAC logins fail.
cac ocsp responder <URL|none>
To configure a URL for an OCSP responder, use this command.
This URL will override any provided by the CAC.
This URL will override any provided by the CAC.
cac ocsp certs <key-file> <crt-
file>
file>
Some OCSP responders require OCSP requests to be signed by
the requestor. This command specifies a private key and (matching)
public certificate for this operation:
the requestor. This command specifies a private key and (matching)
public certificate for this operation:
It is likely that the OCSP responder will require that the signing
certificate is signed by a particular authority, perhaps the issuer of
the CAC certificates. This is a site-local consideration.
certificate is signed by a particular authority, perhaps the issuer of
the CAC certificates. This is a site-local consideration.
cac ocsp certs none
Removes the certificate configuration
7.2.1 SSH login configuration
SSH login using CAC requires extra configuration steps because X509-based public key
exchange is not widely supported by SSH clients. The public X509 certificate from the CAC
needs to be extracted and uploaded by SFTP to the MMP as an SSH public key. There are
various methods to get the public X509 certificate from the CAC; one of the easiest is to use a
CAC-enabled web browser to export the key:
exchange is not widely supported by SSH clients. The public X509 certificate from the CAC
needs to be extracted and uploaded by SFTP to the MMP as an SSH public key. There are
various methods to get the public X509 certificate from the CAC; one of the easiest is to use a
CAC-enabled web browser to export the key:
Firefox and Chrome:
Follow the instructions to export the credentials.
After export, upload the pkcs#12 file to <username>.pub MMP using SFTP, where <username>
is the username of the associated user. Then execute the following command as explained
is the username of the associated user. Then execute the following command as explained
:
pki pkcs12-to-ssh <username>
Internet Explorer:
IE can export the CAC (public) credentials as X509 encoded as DER, which can be uploaded
and used without further steps (cf. pkcs#12)
and used without further steps (cf. pkcs#12)
7 MMP User Account Commands