1827 Views, 4 Helpful, 7 Replies

How do I utilize certificates in VCS for restricted https access

Hi All,

One of the security measures I am thinking of to restrict access to our VCS Starter, after assigning it a public IP, is to allow HTTPS access only if the admin's browser certificate matches that of the VCS.

I am uncertain, however, whether I can use the built-in certificate that came with the VCS to do this, and whether the certificate is in fact unique to that device.

Can you guide me on how this is implemented?

Thanks!

7 Replies

Magnus Ohm
Cisco Employee

Hi Ricardo

We have some good documentation on how to deploy this.

Please look in the VCS administration guide (From page 270)

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/admin_guide/Cisco_VCS_Administrator_Guide_X7-0.pdf

And also some useful information about VCS certificates can be found in this document:

http://www.tandberg.com/collateral/documentation/Deployment_Guides/Cisco_VCS_Certificate_Creation_and_Use_Deployment_Guide.pdf

Hope this helps!

/Magnus

Hi Magnus,

Thanks for the links. Though the documents helped me to understand the process, I am unsure where to get the client certificate for my browser to use.

I realize that the VCS came with a server certificate loaded. Does the client browser need this certificate to match that of the VCS?

Ricardo,

in order to use client certificate-based security on the VCS, you will need to have a CA (Certificate authority) which can create certificates for the clients which will be accessing the VCS via HTTPS.

For this CA you have a lot of options, you could for example use a Windows-based CA or use OpenSSL, for which you should be able to find a lot of useful guides and help online.

Once you have created a CA certificate, you can create client certificates which are signed with your CA certificate (and I also recommend you create a server certificate for the VCS). You will then have to upload this CA certificate to the VCS (and the server certificate and key, if you chose to create them) and install a client certificate on each computer from which you plan to connect to the VCS.

Depending on which web browser you use for accessing the VCS, the browser might have to be actively configured to enable client certificate checking, while other browsers will automatically prompt you to select which certificate to present once the VCS requests it.

Hope this helps,

Andreas

Andreas/Magnus,

Thanks for the guidance. I managed to create a private key and a certificate request, from which a Windows CA generated the certificate. I stumbled on this problem, though:

tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="199.19.190.28" Src-port="52948" Dst-ip="x.x.x.x" Dst-port="5061" Detail="sslv3 alert bad certificate"

This was a call from a client registered with the cisco jabber.com domain, not my own.

I presume that the certificate generated by me is used for TLS encryption as well, but I believed that certificate verification was done for HTTPS and that in a call the VCS would use a combination of client and server keys to encrypt the traffic.

I need to move to an online service like cacert.org because the VCS-E is on the public Internet now and cannot reach our DC to renew the CRL, which expires quickly. Is it that both the inbound client and the server must have a root CA from the same authority?

Hi,

We are facing the same behavior with calls between free Jabber servers and our VCS, running VCS version 7.2.2.

"sslv3 alert bad certificate"

Have you resolved the issue?

Thank you.

Hi!


Having exactly the same error, only with free Jabber accounts; everything else works fine. Let me know if you are able to find the solution, and I will do the same on my end.

Hi,

In order to communicate with the free Jabber cloud you have to upload to your VCSe a server certificate signed by a trusted CA. You can choose one of the following:

https://supportforums.cisco.com/docs/DOC-23938

This will resolve your issues with calls with free jabber video users.
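
Added worked example (this is not code from the thread, from Cisco or from the linked guides): a POSIX shell script that builds the pieces Andreas lists above, a private CA, a server certificate for the VCS and a client certificate for the admin's browser, and then runs the chain checks a TLS peer performs. The last check reproduces the situation in the final reply: a peer whose trust store holds a different root, and not your private CA, cannot validate the VCS server certificate, which is what a "bad certificate" alert from the remote side amounts to. The hostname vcs.example.com, the subject names, the file names and the PKCS#12 passphrase are assumptions; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from this thread or from Cisco.
# Builds a private CA, a server certificate for the VCS and a client
# certificate for the admin's browser with OpenSSL, then checks which chains
# a verifier accepts. The last check models the "sslv3 alert bad certificate"
# case: a remote peer whose trust store does not contain our private CA
# rejects the VCS server certificate.
# Assumptions: vcs.example.com, the CN/file names and the PKCS#12 passphrase.
set -e

# Write a minimal openssl config so `openssl req` does not need a system one.
# $1 = output file, $2 = subject CN
mkcnf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$2" > "$1"
    printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' >> "$1"
    printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >> "$1"
}

# Self-signed CA: $1 = dir, $2 = base name, $3 = CN. Produces $2.key / $2.crt.
new_ca() {
    mkcnf "$1/$2.cnf" "$3"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$1/$2.cnf" -extensions v3_ca \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# End-entity cert signed by a CA: $1 = dir, $2 = base name, $3 = CN,
# $4 = CA base name, $5 = X.509v3 extensions, one per line (\n separated).
issue_cert() {
    mkcnf "$1/$2.cnf" "$3"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf '%b' "$5" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
        -CAcreateserial -days 365 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

# Build everything under directory $1.
build_pki() {
    mkdir -p "$1"
    # Our private CA; ca.crt is what gets uploaded to the VCS as a trusted CA.
    new_ca "$1" ca "Example Lab Root CA"
    # Server certificate for the VCS (HTTPS and SIP/TLS). The SAN must match
    # the name peers connect to.
    issue_cert "$1" vcs "vcs.example.com" ca \
        'subjectAltName=DNS:vcs.example.com\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth'
    # Client certificate for the admin's browser, restricted to clientAuth.
    issue_cert "$1" admin "ricardo-admin" ca \
        'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth'
    # Browsers import the client key + certificate as a PKCS#12 bundle.
    openssl pkcs12 -export -in "$1/admin.crt" -inkey "$1/admin.key" \
        -certfile "$1/ca.crt" -name "VCS admin" -passout pass:changeit \
        -out "$1/admin.p12" 2>/dev/null
    # Stand-in for a remote peer's trust store: a different root that does
    # not know our private CA (the free Jabber cloud's situation).
    new_ca "$1" other_ca "Some Public Root CA"
}

# Exit 0 when $3 chains to the CA in $1 and is valid for purpose $2
# (sslserver or sslclient); this is the check a TLS peer performs.
verify_cert() {
    openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1
}

dir=$(mktemp -d)
build_pki "$dir"
verify_cert "$dir/ca.crt" sslclient "$dir/admin.crt" \
    && echo "admin.crt: accepted by a VCS that trusts ca.crt"
verify_cert "$dir/ca.crt" sslserver "$dir/vcs.crt" \
    && echo "vcs.crt:   accepted by a peer that trusts ca.crt"
verify_cert "$dir/other_ca.crt" sslserver "$dir/vcs.crt" \
    || echo "vcs.crt:   REJECTED by a peer that does not trust ca.crt (bad certificate)"
echo "PKCS#12 bundle for the browser: $dir/admin.p12 (passphrase: changeit)"
```

Upload ca.crt to the VCS as a trusted CA certificate, vcs.crt with vcs.key as its server certificate, and import admin.p12 into the browser; that is the HTTPS client-certificate setup from the first answers. For calls from peers you do not control, the server certificate has to chain to a CA those peers already trust, which is the point of the last reply and why the final check fails with a private root.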