• System-wide SIP transport mode settings must be TLS: On, TCP: Off and UDP: Off.
• All SIP zones must use TLS.
• The VCS cannot be a part of a cluster.
• SNMP and NTP server configuration cannot use MD5 hashing or DES encryption.
If your system is running as a virtualized application and has never been through an upgrade process:
1. Ensure it has a valid release key (check this via Maintenance > Option keys).
2. Perform a system upgrade. You can upgrade the system to the same software release version that it is currently running.
If you do not complete this step, the activation process described below will fail.
Enabling FIPS140-2 cryptographic mode
CAUTION: The transition to FIPS140-2 cryptographic mode requires a system reset to be performed. This will remove all existing configuration data except IP addresses and option keys. To preserve your data you should take a backup immediately prior to performing the reset, and then restore the backup file when the reset has completed.
The reset removes all administrator account information and reinstates the default security certificates. To log in after the reset has completed you will have to use the default admin/TANDBERG credentials. We recommend that you limit network access to the system during this process until you have secured your system by restoring previous data or by changing the admin account password from its default value. The root account password will also be reset to TANDBERG.
To turn your system into a compliant FIPS140-2 cryptographic system:
1. Enable FIPS140-2 cryptographic mode:
   a. Go to Maintenance > Advanced security.
   b. Set FIPS140-2 cryptographic mode to On.
   c. Click Save.
2. Fix any alarms that have been raised that report non-compliant configuration.
3. Take a system backup if you want to preserve your current configuration data.
   Note that backups taken while in FIPS140-2 mode require password protection.
4. Reset the system and complete the activation of FIPS140-2 mode:
   a. Log in to VCS as root.
   b. Type fips-activate
   The reset takes approximately 30 minutes to complete.
5. When the system has restarted, log in using the default admin/TANDBERG credentials.
   You will see several alarms related to non-FIPS140-2 compliance, insecure passwords and missing default links. You can ignore these alarms if you intend to restore the backup taken prior to the reset.
6. Restore your previous data, if required.
   Note that while in FIPS140-2 mode, you can only restore backup files that were taken when FIPS140-2 cryptographic mode was set On. Any previous administrator account information and passwords will be restored; however, the previous root account password will not be restored. If the data you are restoring contains untrusted security certificates, the restart that occurs as part of the restore process may take up to 6 minutes to complete.
FIPS140-2 compliant features
The following VCS features are FIPS140-2 compliant / use FIPS140-2 compliant algorithms:
Cisco VCS Administrator Guide (X8.1.1)