TOI: FIPS 140-2 compliance Unity Connection 8.6
Mike Canfield - Test engineer
Yolanda Liu - Dev engineer

What is FIPS 140-2
• Federal Information Processing Standards Publication 140-2: Security requirements for Cryptographic Modules
• Unity Connection uses FIPS compliant crypto libraries
• Literally restricts which ciphers and algorithms can be used
• Detects if libraries have been tampered with and halts system

Enabling/Disabling FIPS mode
• Enable FIPS in CLI with the following command: admin: utils fips enable
• Disable FIPS in CLI with the following command: admin: utils fips disable
• Command only applies to the current server. To enable FIPS on all the servers in the cluster, run the CLI command on each server.
• IMPORTANT: enable/disable FIPS on the next server only when the current server has come back up in FIPS mode.

FIPS status
• Status check in CLI with the following command: admin: utils fips status
• Returns the current FIPS mode
• If the system is in FIPS mode, also returns the status of the FIPS 140-2 components' startup self-tests and integrity check.
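The two slides above describe a cluster-wide rollout with a strict ordering rule: enable FIPS on one server, wait until `utils fips status` shows that server back up in FIPS mode, and only then move to the next server. The script below is an added example (not Cisco's code and not part of this deck) that drives that sequence and stops the rollout if a node never comes back. It assumes a caller-supplied `run_cli(node, command)` callable that sends one CLI command to one node and returns its output as text; it also assumes the status output contains the word "enabled" once the node is in FIPS mode, because the deck does not show the exact wording. The `FakeCluster` at the bottom is a constructed simulation so the logic can be run offline; the failed node models the boot-time halt described later in the deck.

```python
"""Sequential FIPS enablement across a Unity Connection cluster (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

ENABLE_CMD = "utils fips enable"
STATUS_CMD = "utils fips status"


class RolloutError(RuntimeError):
    """Raised when a node does not come back in FIPS mode; later nodes are left untouched."""


def fips_enabled(status_output: str) -> bool:
    # Assumption (not from the deck): the status text mentions "enabled" once in FIPS mode.
    return "enabled" in status_output.lower()


def enable_fips_cluster(nodes: List[str], run_cli: Callable[[str, str], str],
                        max_polls: int = 30) -> List[str]:
    """Enable FIPS node by node. Returns the nodes confirmed in FIPS mode, in order."""
    done: List[str] = []
    for node in nodes:
        if fips_enabled(run_cli(node, STATUS_CMD)):
            done.append(node)          # already in FIPS mode, nothing to do
            continue
        run_cli(node, ENABLE_CMD)      # node reboots into FIPS mode
        for _ in range(max_polls):
            try:
                out = run_cli(node, STATUS_CMD)
            except ConnectionError:
                continue               # still rebooting; keep polling
            if fips_enabled(out):
                break
        else:
            # Per the deck's IMPORTANT note: never touch the next server until this one is back.
            raise RolloutError(f"{node}: did not come back in FIPS mode; stopping before next node")
        done.append(node)
    return done


# --- constructed simulation of a cluster, for running this offline -------------
@dataclass
class FakeNode:
    name: str
    reboot_polls: int              # status polls during which the node is unreachable after enable
    will_boot_fips: bool = True    # False models a boot-time integrity/self-test failure
    enabled: bool = False
    pending: int = 0
    log: List[str] = field(default_factory=list)


class FakeCluster:
    def __init__(self, nodes: List[FakeNode]):
        self.nodes: Dict[str, FakeNode] = {n.name: n for n in nodes}

    def run_cli(self, node_name: str, command: str) -> str:
        n = self.nodes[node_name]
        n.log.append(command)
        if command == ENABLE_CMD:
            n.pending = n.reboot_polls
            return "Rebooting..."
        if command == STATUS_CMD:
            if n.pending > 0:
                n.pending -= 1
                raise ConnectionError(f"{node_name} unreachable")
            if n.will_boot_fips and ENABLE_CMD in n.log:
                n.enabled = True
            # Constructed output wording; the real CLI text is not shown in the deck.
            return "FIPS mode is enabled" if n.enabled else "FIPS mode is disabled"
        raise ValueError(command)


def demo_ok():
    c = FakeCluster([FakeNode("pub", 3), FakeNode("sub1", 2)])
    return enable_fips_cluster(["pub", "sub1"], c.run_cli), c


def demo_halted_node():
    c = FakeCluster([FakeNode("pub", 1), FakeNode("sub1", 1, will_boot_fips=False), FakeNode("sub2", 1)])
    try:
        enable_fips_cluster(["pub", "sub1", "sub2"], c.run_cli, max_polls=5)
    except RolloutError as e:
        return str(e), c
    return None, c


if __name__ == "__main__":
    print(demo_ok()[0])
    print(demo_halted_node()[0])
```

In the halted-node run, `sub2` never receives `utils fips enable`: the rollout stops at `sub1`, which is exactly the behaviour the deck's IMPORTANT note calls for, and leaves the operator to apply the reboot / recovery-CD steps from the Troubleshooting slide before continuing.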

Fresh install
• Install system
• Enable FIPS
• Configure system as normal

Pre-existing telephony systems
Secure ports: SCCP or SIP
Edit 4/28/2011: You need to regenerate the root certificate for non-secure telephony integrations too.
1. Regenerate root certificate
2. Upload root cert to CUCM
3. Restart CallManager service on CUCM
4. Restart Conversation Manager service on Unity Connection
5. Confirm ports are registered
Relevant logs for troubleshooting: CuCsMgr, CuMixer, Tomcat
When examining logs look for: SSL, openssl, SSH, type errors

Unified Messaging Service
• Set Web-based Authentication Mode from "NTLM/Digest" to "Basic"
• Use "test" button
• IMPORTANT: Because "Basic" is used, an IPsec policy must be configured to be secure/FIPS compliant
Relevant logs for troubleshooting: CuMbxSync, CuCsMgr, Tomcat
When examining logs look for: SSL, openssl, SSH, type errors

Other IPSec dependencies
Please refer to Unity Connection 8.6 documentation
Edit 4/28/2011 - As an FYI:
• Digital Networking – Secure messaging will be protected by IPsec across diginet
• UM service (unlikely FIPS systems will have this enabled)
• Speechview (unlikely FIPS systems will have this enabled)

Troubleshooting
• If the FIPS integrity and self-tests fail during boot up, the system halts. Users can try a reboot to check if the condition is a temporary problem. If the issue persists, the only option is to decommission the server or use a recovery CD.
• It's very unlikely, but FIPS modules can fail FIPS checks during run time. In this case, the client application will likely core. If a restart doesn't fix the problem, Cisco will need to take a closer look.
• Anything dealing with encryption could potentially be impacted by FIPS. If this is suspected, disable FIPS mode and attempt to reproduce the issue to determine a possible relationship.

References
Other Cisco FIPS 140-2 TOI
http://wwwineng.cisco.com/Eng/VTG/IPCBU/CUCM/CallManager_MontBlanc/Presentations/FIPS_TOI.pptx
http://wwwineng.cisco.com/Eng/VTG/IPCBU/CUCM/CallManager_MontBlanc/Presentations/MontBlanc_IR2_UCR2008_FIPS_PKI-IA_IPSec_Auth_TOI.pptx
FIPS 140-2 General information
http://en.wikipedia.org/wiki/FIPS_140-2
http://csrc.nist.gov/publications/fips140-2/fips1402.pdf