Cisco Systems Pki Users Manual Keon Sentry Implementation Guide For Directory Server Poducts
NOT AVAILABLE to the manual f0b7fa8e-2b88-4165-b713-13dbf3271792
2015-01-05
: Cisco-Systems Cisco-Systems-Pki-Users-Manual-202921 cisco-systems-pki-users-manual-202921 cisco-systems pdf
Open the PDF directly: View PDF .
Page Count: 7
Download | |
Open PDF In Browser | View PDF |
RSA Keon Ready Implementation Guide For PKI 3rd Party Applications Last Modified May 3, 2004 1. Partner Information Partner Name Web Site Product Name Version & Platform Product Description Cisco Systems, Inc. www.cisco.com Cisco Certificate Authority Proxy Function (CAPF) CAPF Version 1.0(1) CallManager Version 4.0(1) CAPF Communicates with the Certificate Authority (CA) server on behalf of the phone. CAPF implements parts of the certificate generation procedure that are too processing-intensive for the phone, and it interacts with the phone for key generation and certificate installation. The CAPF server can be configured to request certificates from customer-specified certificate authorities on behalf of the phone, or it can be configured to generate certificates locally. Product Category RSA Product Interaction Networks and Comunications RSA Keon Certificate Authority 1 2 3 4 5 6 7 8 9 * 8 # 1 2 3 4 5 6 7 8 9 * 8 # 1 2 3 4 5 6 7 8 9 * 8 # 1 2 3 4 5 6 7 8 9 * 8 # Page: 1 2. Contact Information Email Phone Web Sales contact Support Contact 1-800-553-NETS www.cisco.com tac@cisco.com 1-800-553-2447 www.cisco.com/en/US/support/index.htm l 3. Product Requirements Hardware requirements Component Name: CAPF CAPF Cisco CallManager (7815, 7825, 7835, 7845, 7855, 7865) Software requirements Component Name: CAPF Operating System Windows 2000 Server Version (Patch-level) SP4 Page: 2 4. Product Configuration Using CAPF to Generate Phone Certificates Perform the following procedure to use the Certificate Authority Proxy Function, and install a certificate on a 7940 or 7960 IP Phone. Procedure Step 1 Perform one of the following tasks: • Choose Start > Programs > CAPF. • On the desktop, double-click the CAPF icon. Step 2 A Command Line Interface displays. Enter your username. Step 3 Enter your password. Tip CAPF displays the default or existing configured parameters. If this is the first time that you have used CAPF, the utility automatically generates a 1024-bit key pair and a self-signed certificate for CAPF; the self-signed certificate automatically gets added to C:\Program Files\Cisco\Certificates on all servers in the cluster. If this is not your first time to use CAPF, be aware that a key pair/certificate is not generated unless you enter an explicit command during the configuration. Step 4 If you want to change the existing parameters that display, for example, the listening port for the phone, enter the appropriate commands. Step 5 If the CAPF CLI continues to display, go to Step 10. Step 6 If CAPF utility does not display because you rebooted the server after you updated the CTL file, perform one of the following tasks: • Choose Start > Programs > CAPF. • On the desktop, double-click the CAPF icon. Step 7 A Command Line Interface displays. Enter your username. Step 8 Enter your password. Step 9 Perform the following tasks, depending on the method for issuing certificates for the phones: • If the CAPF utility will issue the certificates, go to Step 11. • If a Cisco-approved, third-party certificate authority will issue certificates, enter issue cert ca, press Enter. • Enter set ca-server [userpassword ] [type ] | dns >, press Enter. The user and password are optional and the type should be “keon”..Example set ca-server type keon ip 10.100.1.10 • Enter set jurisdiction-ID , press Enter. Note: The default port for SCEP is 446. This will become configurable in a later Cisco release. • Go to Step 11. Step 10 At the CAPF prompt, enter get phone-info. If you add phones to the database after the initial retrieval from the Cisco CallManager database, you must issue this command again. Step 11 At the CAPF prompt, enter set cert upgrade all, press Enter. This command configures all devices for the certificate upgrade. To configure a specific phone for upgrade, issue the following command: set cert upgrade id Page: 3 Step 12 At the CAPF prompt, perform the following task, depending on what you want to accomplish: • If you plan to use the authentication string that the get phone-info command creates, go to Step 14. • If you want to generate an authentication string for a specific phone, issue the following command: set auth-string id Caution If you want to set the authentication string to Null or if you want to generate new authentication strings, enter the command, set auth-string [ ], at the CAPF prompt; press Enter. Cisco strongly recommends that you use null authentication only in closed, secure environments. Step 13 At the next CAPF prompt, enter show auth-string all, press Enter. The phone information from the database displays for each phone. If thousands of phones exist in the cluster, all phones may not display in the CLI. The CAPF utility logs the phone record information in C:\ProgramFiles\Cisco\CAPF\Trace\CAPF.csv. If you have access to software that converts CSV files, such as Microsoft Excel, you can convert the CAPF.csv file and view the records by using that software. The utility also writes the entries to the log file. To display a single device name and authentication string, issue the following command: show auth-string id Step 14 Determine the phone user that is associated with the Device Name by performing the following procedure: a. On the server where you installed the CAPF utility, obtain the CSV file, CAPF.csv, from C:\Program Files\Cisco\CAPF\Trace. b. By using software that converts CSV files, export this file to a format in which you can view the phone record information. Page: 4 5. Product Operation Install the locally significant certificate on the phone. Step 1 Obtain the CAPF authentication string that was set when the CAPF utility was configured. Step 2 On the Cisco IP Phone 7960 and 7940, press the Settings button to access the Settings menu. Step 3 Scroll to the Certificate option; press the Select softkey. Step 4 Scroll to the Update Certificates option; press the Select softkey. Step 5 Choose the Auth. String option; press the Select softkey. The phone prompts you for an authentication string. Step 6 Enter the authentication string for your phone and press the Validat. softkey. The phone installs, updates, or remove the certificate, depending on the current CAPF configuration. Monitor the progress of the certificate installation by viewing the messages in the status line on the phone. When the phone successfully completes the process, the phone displays a successful message. If the phone displays a failure message, you entered the wrong authentication string or did not enable the phone for upgrade. At any time, you can stop the process by choosing the Cancel Operation option on the Certificates menu. You can verify that the certificate installed on the phone by choosing Settings > Model Information and viewing the LSC setting. Page: 5 6. Certification Checklist for 3rd Party Applications Date Tested: January 15, 2004 Product Tested Version RSA Keon Certificate Authority CAPF 6.5.1 1.0(1) Test Case Result Certificate Enrollment P10 Certificate Request P7 Response installed correctly CMP Certificate Request CMP Response installed correctly SCEP Certificate Request SCEP Response installed correctly N/A N/A N/A N/A Pass Pass Import Certificate Import PKCS#12 envelope Import via cut & paste Install Root Certificate via cut/paste Install SubCA Certificate via cut/paste Install Root Certificate via SCEP Install SubCA Certificate via SCEP Verify Certificate chain is installed N/A N/A N/A N/A Pass N/A N/A Certificate Usage S/MIME Document and Files SSL Client Authentication Sign N/A N/A Encrypt N/A N/A Pass LDAP Support Name lookup Certificate retrieval Status Check of Certificate Success with a valid certificate Fails with a revoked certificate Fails with a suspended certificate Pass with a re-instated certificate N/A N/A OCSP N/A N/A N/A N/A RSA Keon Web Passport / RSA SecurID Passage Support Access certificates via MS CAPI (Internet Explorer) Access certificates via PKCS#11 (Netscape) PAR/SWA SSL CRL N/A N/A N/A N/A Other N/A N/A N/A N/A Passage N/A N/A KWP N/A N/A *P=Pass or Yes F=Fail N/A=Non-available function Page: 6 7. Known Issues 1. No known issues. Page: 7
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.4 Linearized : Yes Page Count : 7 XMP Toolkit : XMP toolkit 2.9.1-13, framework 1.6 About : uuid:c036c088-ffae-46ec-9356-7d88099543ba Producer : Acrobat Distiller 6.0 (Windows) Company : RSA Security Inc. Source Modified : D:20040506190308 Tag Ad Hoc Review Cycle ID : -1745934208 Tag Email Subject : RSA Keon Implementation Guide Tag Author Email : tomhill@cisco.com Tag Author Email Display Name : Tom Hill Headline : Create Date : 2004:05:06 15:03:21-04:00 Creator Tool : Acrobat PDFMaker 6.0 for Word Modify Date : 2004:05:06 15:03:57-04:00 Metadata Date : 2004:05:06 15:03:57-04:00 Document ID : uuid:10d8b821-3582-4022-bc4f-d4444ff14b84 Version ID : 3 Format : application/pdf Title : Keon Sentry Implementation Guide for Directory Server Poducts Creator : Tom Hill (tomhill) Subject : Tagged PDF : Yes Author : Tom Hill (tomhill)EXIF Metadata provided by EXIF.tools