TOI : FIPS 140-2 compliance

TOI : FIPS 140-2 compliance. Unity Connection 8.6 Mike Canfield- Test engineer Yolanda Liu – Dev engineer. What is FIPS 140-2. Federal Information Processing Standards Publication 140-2 Security requirements for Cryptographic Modules


Presentation Transcript


  1. TOI: FIPS 140-2 compliance
     Unity Connection 8.6
     Mike Canfield - Test engineer
     Yolanda Liu - Dev engineer

  2. What is FIPS 140-2
     • Federal Information Processing Standards Publication 140-2
     • Security requirements for Cryptographic Modules
     • Unity Connection uses FIPS compliant crypto libraries
     • Literally restricts which ciphers and algorithms can be used
     • Detects if libraries have been tampered with and halts system

  3. Enabling/Disabling FIPS mode
     • Enable FIPS in CLI with the following command:
       admin:utils fips enable
     • Disable FIPS in CLI with the following command:
       admin:utils fips disable
     • The command only applies to the current server. To enable FIPS on all the servers in the cluster, run the CLI command on each server.
     • IMPORTANT: enable/disable FIPS on the next server only when the current server has come back up in FIPS mode.

  4. FIPS status
     • Status check in CLI with the following command:
       admin:utils fips status
     • Returns the current FIPS mode
     • If the system is in FIPS mode, it also returns the status of the FIPS 140-2 components' startup self-tests and integrity check.

  5. Fresh install
     • Install system
     • Enable FIPS
     • Configure system as normal

  6. Pre-existing telephony systems
     Secure ports: SCCP or SIP
     Edit 4/28/2011: You need to regenerate the root certificate for non-secure telephony integrations too.
     • Regenerate root certificate
     • Upload root cert to CUCM
     • Restart CallManager service on CUCM
     • Restart Conversation Manager service on Unity Connection
     • Confirm ports are registered
     Relevant logs for troubleshooting: CuCsMgr, CuMixer, Tomcat
     When examining logs look for: SSL, openssl, SSH type errors

  7. Unified Messaging Service
     • Set Web-based Authentication Mode from "NTLM/Digest" to "Basic"
     • Use "test" button
     • IMPORTANT: Because "Basic" is used, an IPsec policy must be configured to be secure/FIPS compliant
     Relevant logs for troubleshooting: CuMbxSync, CuCsMgr, Tomcat
     When examining logs look for: SSL, openssl, SSH type errors

  8. Other IPSec dependencies
     Please refer to Unity Connection 8.6 documentation
     Edit 4/28/2011 - As an FYI:
     • Digital Networking
     • Secure messaging will be protected by IPsec across diginet
     • UM service (unlikely FIPS systems will have this enabled)
     • Speechview (unlikely FIPS systems will have this enabled)

  9. Troubleshooting
     • If the FIPS integrity check and self-tests fail during boot up, the system halts. Users can try a reboot to check whether the condition is a temporary problem. If the issue persists, the only option is to decommission the server or use a recovery CD.
     • It’s very unlikely, but FIPS modules can fail FIPS checks during run time. In this case, the client application will likely core. If a restart doesn’t fix the problem, Cisco will need to take a closer look.
     • Anything dealing with encryption could potentially be impacted by FIPS. If this is suspected, disable FIPS mode and attempt to reproduce the issue to determine a possible relationship.

  10. References
     Other Cisco FIPS 140-2 TOI
     • http://wwwin-eng.cisco.com/Eng/VTG/IPCBU/CUCM/CallManager_MontBlanc/Presentations/FIPS_TOI.pptx
     • http://wwwin-eng.cisco.com/Eng/VTG/IPCBU/CUCM/CallManager_MontBlanc/Presentations/MontBlanc_IR2_UCR2008_FIPS_PKI-IA_IPSec_Auth_TOI.pptx
     FIPS 140-2 General information
     • http://en.wikipedia.org/wiki/FIPS_140-2
     • http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
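
The ordering rule from slides 3 and 4 (change FIPS mode on the next server only after the current one is back up in FIPS mode), as an added example that is not part of the original presentation or any Cisco tooling. The enable and in_fips_mode hooks, the FakeCluster class and the node names are hypothetical; in practice the hooks would wrap `utils fips enable` and `utils fips status` on each server.

```python
import time

class RolloutAborted(Exception):
    """A node did not come back up in FIPS mode before the timeout."""

def rolling_fips_enable(nodes, enable, in_fips_mode, timeout=1800, poll=30,
                        sleep=time.sleep, clock=time.monotonic):
    """Enable FIPS on one node at a time; return nodes confirmed in FIPS mode.

    enable(node) and in_fips_mode(node) are hypothetical caller-supplied hooks,
    e.g. wrappers around `utils fips enable` and `utils fips status`.
    in_fips_mode returns False or raises ConnectionError while a node is down.
    """
    confirmed = []
    for i, node in enumerate(nodes):
        enable(node)
        deadline = clock() + timeout
        while True:
            try:
                if in_fips_mode(node):
                    break
            except ConnectionError:
                pass  # node is still restarting; keep polling
            if clock() >= deadline:
                # Stop here so the remaining nodes are never touched.
                raise RolloutAborted(f"{node} not in FIPS mode after {timeout}s; "
                                     f"not attempted: {nodes[i + 1:]}")
            sleep(poll)
        confirmed.append(node)
    return confirmed

class FakeCluster:
    """Constructed stand-in: each node needs N status polls before it is up."""
    def __init__(self, polls_needed):
        self.polls_needed, self.enabled, self.polls = dict(polls_needed), [], {}
    def enable(self, node):
        self.enabled.append(node)   # records the order of enable calls
        self.polls[node] = 0
    def in_fips_mode(self, node):
        self.polls[node] += 1
        if self.polls_needed[node] is None:   # None = node never recovers
            raise ConnectionError(node)
        return self.polls[node] >= self.polls_needed[node]

if __name__ == "__main__":
    cluster = FakeCluster({"node-a": 3, "node-b": 2})   # constructed names
    print(rolling_fips_enable(["node-a", "node-b"], cluster.enable,
                              cluster.in_fips_mode, sleep=lambda s: None))
    print("enable order:", cluster.enabled)
```

If a node fails its boot-time checks and never returns, the rollout stops with the remaining servers still in their original mode, which keeps the slide 9 recovery steps confined to one server.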