Cisco Unified MeetingPlace, Release 7.0 -- How to Configure Secure Sockets Layer


Secure Sockets Layer (SSL) secures information shared in a web conference by encrypting the data for travel across the network.


Complete the following procedures in the order shown to configure SSL.


Restrictions for Configuring Secure Sockets Layer

  • If you are using SSL on an external Web Server, make sure that the hostname on the SSL certificate resolves to the external Web Server IP address.
  • If you are using SSL on a system with a segmented DNS, make sure that the hostname on the SSL certificate differs from the segmented DNS name.
  • Self-signed certificates are not supported.
  • Make sure that both the [Home Page] and [Web Conferencing] use hostnames, not IP addresses.
  • If users will access your Web Server through a firewall, make sure that TCP port 443 is open inbound on your firewall for both of the hostnames or IP addresses on your server.
  • You can use SSL on any Web Server (internal or DMZ); however, you cannot use or configure WIA (Windows Integrated Authentication) on that server.



Changing the Web Server Hostname From an IP Address to a Hostname

The Web Server hostname was populated during the Cisco Unified MeetingPlace Web Conferencing installation. The [Home Page] was assigned the first IP address in the operating system. The [Web Conferencing] was assigned the second IP address in the operating system. You should not need to redefine these unless either of the following applies:

  • You want users to be able to access the Cisco Unified MeetingPlace Web Server by using the fully qualified domain name (FQDN) of the server, or
  • You plan to configure SSL for this server. If enabling SSL, you must use hostnames rather than IP addresses.


Before You Begin

This procedure assumes that you have already installed Cisco Unified MeetingPlace Web Conferencing.


Restrictions

Do not perform this procedure if the Web Server does not have an entry in the Domain Name System (DNS).


Procedure
  1. Open your web browser and enter the URL of your Web Server.
    • For internal Web Servers, the default URL structure is http://<server>, where <server> is the name of your internal Web Server.
    • For external (DMZ) Web Servers running Release 7.0.1, the default URL structure is http://<server>/mpweb/admin/, where <server> is the name of your external Web Server.
    • For external Web Servers running Release 7.0.2 or later releases, you can only access the administration pages for the external (DMZ) server from the server box itself and only through port 8002. If you try to access the administration pages on the external (DMZ) server by using http://<server>/mpweb/admin/, the system will display a 404 "Page Not Found" error.
      To access the administration pages for the external (DMZ) server, you must be on the web server box and enter the following URL: http://localhost:8002/mpweb/admin/
      Note: If SSL is enabled on your system, you must still enter the URL with http and not https.
      The system automatically logs you in as the user called "technician" with technician privileges.
  2. Sign in to the end-user web interface.
  3. Click Admin if you are not already on the Cisco Unified MeetingPlace Web Administration page.
  4. Click Web Server.
  5. Scroll down to the "View" section of the page.
  6. Click the name of the Web Server that you want to configure.
    Information about this Web Server populates the "Edit" section of the page.
  7. For [Home Page], enter the fully qualified domain name (FQDN) of the primary network interface on the Web Server.
    Example: hostname.domain.com.
    Note: This hostname must be resolvable by its intended users.
  8. For [Web Conferencing], enter the FQDN of the secondary network interface on the Web Server.
    Example: hostnamewc.domain.com.
    Note: This hostname must be different from that used for Hostname [Home Page]. It must be resolvable by its intended users. Depending on your hostname choice, the hostnames might not have been automatically registered with the DNS during the OS installation. We recommend that you check the DNS, both the forward and reverse lookup zones, and add entries manually if needed.
  9. Click Submit.
  10. (Optional) If you are working on a Windows system with Internet Explorer, click Test Server Configuration.
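
The hostname requirements of this procedure (hostnames rather than IP addresses, two different names, entries in both the forward and reverse lookup zones) can be checked with a short script before moving on to the SSL steps. This is an added example, not part of the Cisco documentation; the names mp.example.com and mpwc.example.com, the 192.0.2.x addresses and the table_resolver helper are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample records (documentation addresses) so the check runs offline.
SAMPLE_A = {"mp.example.com": "192.0.2.10", "mpwc.example.com": "192.0.2.11"}
SAMPLE_PTR = {"192.0.2.10": "mp.example.com"}  # PTR for 192.0.2.11 omitted on purpose

def norm(name):
    return name.rstrip(".").lower()

def table_resolver(table):
    """Hypothetical stand-in for a DNS query, backed by a dict."""
    def resolve(key):
        if norm(key) not in table:
            raise socket.gaierror(f"{key} not found")
        return table[norm(key)]
    return resolve

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_hostnames(home_page, web_conf, forward=socket.gethostbyname,
                    reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Return a list of problems; an empty list means both names pass."""
    problems = []
    if norm(home_page) == norm(web_conf):
        problems.append("Home Page and Web Conferencing hostnames must differ")
    for field, name in (("Home Page", home_page), ("Web Conferencing", web_conf)):
        if is_ip(name):
            problems.append(f"{field}: {name} is an IP address, not a hostname")
            continue
        try:
            ip = forward(name)                      # forward lookup zone
        except OSError as exc:
            problems.append(f"{field}: forward lookup failed: {exc}")
            continue
        try:
            ptr = reverse(ip)                       # reverse lookup zone
        except OSError as exc:
            problems.append(f"{field}: reverse lookup failed: {exc}")
            continue
        if norm(ptr) != norm(name):
            problems.append(f"{field}: {ip} reverses to {ptr}, expected {name}")
    return problems
```

Called with only the two hostnames, check_hostnames uses the system resolver; the table_resolver arguments are only needed for the offline sample.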


What to Do Next

Note: When you restart the Web Server, all manual changes made to the registry are lost.



Creating a New Certificate Signing Request and Obtaining a Certificate File

Use the SSL/TLS configuration page to generate certificate signing requests to send to an authorized Certificate Authority in order to apply for a digital identity certificate. You need two certificates: one for the Home Page hostname, and one for the Web Conferencing hostname.


Before You Begin

Complete Changing the Web Server Hostname From an IP Address to a Hostname.


Procedure
  1. Sign in to the end-user web interface.
  2. Click Admin.
  3. Click SSL/TLS.
  4. Click the Edit icon for the Web Conferencing hostname.
  5. Enter your company name and organization unit/department in the applicable fields.
  6. Enter the complete, official names of your city/locality and state/province in the applicable fields.
    Note: Do not use abbreviations.
  7. Select your country/region.
  8. Click Generate Request.
    The new certificate signing request (CSR) displays in the text box. The request is signed with an auto-generated private key.
  9. Click the Private Key link to see the value of the private key.
  10. Copy the contents of the CSR text box to a text file and send this file to your certificate provider in return for a certificate file.
    Caution! If your certificate provider asks for your server type, specify Apache or Custom, not Microsoft or IIS. If you attempt to install a Microsoft or IIS certificate by using the SSL/TLS configuration pages, Cisco Unified MeetingPlace Web Conferencing will not restart when you attempt to reboot the system. Instead it will log an error about the certificate and disable SSL so that you can restart and fix the problem.
  11. Click Back to return to the main Administration page.
  12. Repeat Step 3 through Step 11 for the Web Conferencing hostname.


What to Do Next

When you receive the .cer files from your certificate provider, proceed to Applying the SSL Certificate.


Applying the SSL Certificate

When you receive the certificate files from your certificate provider, apply the certificates to the Cisco Unified MeetingPlace website by completing the following procedure.


Before You Begin

Complete Creating a New Certificate Signing Request and Obtaining a Certificate File.


Procedure
  1. Sign in to the end-user web interface.
  2. Click Admin.
  3. Click SSL/TLS.
  4. Click the Edit icon for the Web Conferencing hostname.
  5. Open the certificate file for the Web Conferencing hostname in a text editor, and copy the text to the clipboard.
  6. In the text box at the bottom of the page, paste the text from the certificate you obtained for this hostname.
    Make sure the text you paste includes the begin and end certificate delimiters.
  7. Click Install Certificate.
    The host is now set up with a certificate.
  8. Click Back to return to the main Administration page.
  9. (Release 7.0.1 systems only) Repeat Step 3 through Step 8 for the Home Page hostname.
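
Because a certificate the server cannot validate causes it to log an error and turn SSL off on reboot, it helps to check the text before pasting it in Step 6. The following added example (not part of the Cisco documentation) checks that the pasted text is exactly one block with matching begin and end certificate delimiters, valid base64, and a complete DER structure. It does not verify the signature or the hostname, and SAMPLE_DER and make_pem are constructed filler, not a real certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)

# Constructed filler: a DER SEQUENCE header declaring 256 bytes, then 256 zero bytes.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)

def make_pem(label, der):
    """Build constructed sample text; the payload is not a real certificate."""
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

def der_length_ok(der):
    """True if der is one ASN.1 SEQUENCE whose declared length covers all bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def preflight(pasted):
    """Return a list of problems with the pasted text; empty means it looks sane."""
    blocks = PEM_BLOCK.findall(pasted)
    if not blocks:
        return ["no BEGIN/END delimiters found"]
    problems = []
    if len(blocks) > 1:
        problems.append(f"{len(blocks)} PEM blocks found, expected one certificate")
    for begin, body, end in blocks:
        if begin != end:
            problems.append(f"BEGIN {begin} does not match END {end}")
        if begin != "CERTIFICATE":          # e.g. a CSR or a private key
            problems.append(f"block is '{begin}', not a certificate")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("certificate body is not valid base64")
            continue
        if not der_length_ok(der):
            problems.append("body is truncated or not a DER certificate")
    return problems
```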


What to Do Next

Proceed to Enabling SSL.


Enabling SSL

Complete this procedure to enable the Require SSL field on the Web Server administration page.


Before You Begin
  • Make sure that you are still on the SSL/TLS page.


Procedure
  1. Click Toggle SSL to turn SSL on.
  2. Click Reboot Server.
    The server shuts down and restarts.
    Note: If the Web Server cannot validate the SSL certificates, the server will log an error and toggle SSL to off. In this case, you will need to restart the Cisco Unified MeetingPlace Web Conferencing service and fix the issue, then repeat the steps in this procedure.

Note: When you restart the Web Server, all manual changes made to the registry are lost.


What to Do Next

Proceed to Testing the Web Server Over an HTTPS Connection.


Testing the Web Server Over an HTTPS Connection

Before You Begin

Complete Enabling SSL.


Procedure
  1. Use a web browser to connect to https://hostname.domain.com, where hostname.domain.com is the fully qualified domain name (FQDN) of the Web Server.
    • If the Cisco Unified MeetingPlace home page displays, the connection to the Home Page hostname is successful.
    • If any security warning dialog boxes appear, configure SSL not to show the dialog boxes.
      For detailed information, see Microsoft Knowledge Base Articles 813618 and 257873 on the Microsoft website.
  2. Sign in to the end-user web interface.
  3. Click Immediate Meeting.
    If the meeting console opens, the connection to the Web Conferencing hostname is successful.


Disabling Secure Sockets Layer on the Web Server

Procedure
  1. Sign in to the end-user web interface.
  2. Click Admin.
  3. Click SSL/TLS.
  4. Click Toggle SSL to turn SSL off.
  5. Click Reboot Server.
    The server shuts down and restarts.


Note: When you restart the Web Server, all manual changes made to the registry are lost.


(Optional) Disabling Support for Low Encryption Ciphers and SSL v2

Cisco authorizes Cisco Unified MeetingPlace Web Conferencing customers to disable the support for low encryption ciphers and SSL v2 on their Cisco Unified MeetingPlace Web Servers based on their security requirements.


You must assume all work related to this security hardening, as well as the operational consequences of this security lock-down, including the fact that some end users might be unable to use the Cisco Unified MeetingPlace Web Servers because of incompatible browser or client SSL implementations, or encryption strength limitations.


To perform this lock-down for the Microsoft IIS web server component used by Cisco Unified MeetingPlace Web Conferencing, see the following Microsoft Knowledge Base articles:


How to Control the Ciphers for SSL and TLS on IIS (IIS restart required): http://support.microsoft.com/default.aspx?scid=KB;en-us;q216482


How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (Windows restart required): http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030


How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services (Windows restart required): http://support.microsoft.com/default.aspx?scid=kb;en-us;187498


To perform this lock-down for the Adobe Connect application web server used by Cisco Unified MeetingPlace Web Conferencing, see the following Adobe article: http://livedocs.adobe.com/fms/2/docs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00000300.html


Note: You can find the Server.xml file that contains the SSLCipherSuite tag to be edited in the following folder on the Cisco Unified MeetingPlace Web Server: C:\Program Files\Cisco Systems\MPWeb\WebConf\comserv\win32\conf


Caution! Any upgrade of the Cisco Unified MeetingPlace Web Conferencing software with a maintenance release will overwrite the changes that you have made in Server.xml. These changes must be re-applied after the upgrade.
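
Because a maintenance release overwrites Server.xml, a repeatable audit of the SSLCipherSuite value is useful after each upgrade. The following added example (not part of the Cisco or Adobe documentation) reports whether low-strength ciphers, export-grade ciphers and SSL v2 suites are excluded. It assumes the tag holds an OpenSSL-style cipher list in which a "!" prefix permanently removes a class; SAMPLE_XML is a constructed fragment and the elements around SSLCipherSuite are assumed.

```python
import re
import xml.etree.ElementTree as ET

# Classes this section wants disabled, with the aliases accepted for each
# (assumed OpenSSL-style cipher-list keywords).
REQUIRED = {
    "low-strength ciphers": {"LOW"},
    "export-grade ciphers": {"EXP", "EXPORT"},
    "SSL v2 suites": {"SSLV2"},
}

# Constructed fragment; the nesting around SSLCipherSuite is an assumption.
SAMPLE_XML = """<Root><Server><SSL>
  <SSLCipherSuite>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</SSLCipherSuite>
</SSL></Server></Root>"""

def audit_cipher_string(value):
    """Return findings for one cipher list; an empty list means all classes are excluded."""
    tokens = [t for t in re.split(r"[:,\s]+", value.strip()) if t]
    banned = {t[1:].upper() for t in tokens if t.startswith("!")}
    enabled = {t.lstrip("+").upper() for t in tokens if t[0] not in "!-@"}
    findings = []
    for what, aliases in REQUIRED.items():
        if aliases & banned:
            continue                        # "!" wins over any later token
        if aliases & enabled:
            findings.append(f"{what} explicitly enabled")
        else:
            findings.append(f"{what} not excluded with '!'")
    return findings

def audit_server_xml(xml_text):
    """Audit every SSLCipherSuite tag found anywhere in the document."""
    tags = list(ET.fromstring(xml_text).iter("SSLCipherSuite"))
    if not tags:
        return ["no SSLCipherSuite tag found"]
    return [f for tag in tags for f in audit_cipher_string(tag.text or "")]
```

The rule is deliberately conservative: it asks for an explicit "!" exclusion of each class even when the rest of the list would not select it.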
