security-settings

This command configures various TLS certificate security settings.

Syntax

(config-network)# security-settings
(network-security)# 

Commands and Descriptions
encryption-key {assign|clear|display|generate}

Defines password obfuscation using an encryption key (AES-256 algorithm with a 16-bit random CFB initialization vector).

assign <key>: Manually defines the key.
clear: Deletes the key.
display: Displays the key if configured, but only partially and with asterisks, for example, "%3[-***".
generate: The device generates the key automatically instead of it being defined manually.

peer-hostname-verification-mode {0|1|2}

Enables the device to verify the Subject Name of a TLS certificate received from SIP entities for authentication and establishing TLS connections:

0 = Disable (default)
1 = Verify Subject Name only when acting as a client for the TLS connection.
2 = Verify Subject Name when acting as a server or client for the TLS connection.

sips-require-client-certificate {off|on}

Defines the device's mode of operation regarding mutual authentication and certificate verification for TLS connections.

off = Disable
Device acts as a client: Verification of the server’s certificate depends on the VerifyServerCertificate parameter.
Device acts as a server: The device does not request the client certificate.
on = Enable
Device acts as a client: Verification of the server certificate is required to establish the TLS connection.
Device acts as a server: The device requires the receipt and verification of the client certificate to establish the TLS connection.

Note: For the parameter to take effect, a device reset is required.

tls-expiry-check-period

Defines the periodic interval (in days) for checking the TLS server certificate expiry date.

tls-expiry-check-start

Defines the number of days before the installed TLS server certificate expires at which the device sends an SNMP trap event to notify of the upcoming expiry.

fips140mode {off|on}

Enables FIPS 140-2 conformance mode for TLS.

Note: Applicable only to specific products.

tls-re-hndshk-int

Defines the time interval (in minutes) between TLS Re-Handshakes initiated by the device.

tls-rmt-subs-name

Defines the Subject Name that is compared with the name in the remote side's certificate when establishing TLS connections.

tls-vrfy-srvr-cert {off|on}

Enables the device, when acting as a client for TLS connections, to verify the Server certificate. The certificate is verified with the Root CA information.
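The following session, added here as an illustration and not taken from the product's own documentation, combines the commands above into a hardened TLS profile: the device verifies the server certificate against the Root CA when acting as a client, requires and verifies the client certificate when acting as a server, checks the peer's Subject Name in both roles, and raises an SNMP trap ahead of certificate expiry. The Subject Name sip.example.com, the 30-day warning threshold and the 1-day check period are assumed values chosen for the example, not values from the page.

```text
(config-network)# security-settings
(network-security)# tls-vrfy-srvr-cert on
(network-security)# sips-require-client-certificate on
(network-security)# peer-hostname-verification-mode 2
(network-security)# tls-rmt-subs-name sip.example.com
(network-security)# tls-expiry-check-start 30
(network-security)# tls-expiry-check-period 1
```

For comparison, the defaults described above (peer-hostname-verification-mode 0, sips-require-client-certificate off and tls-vrfy-srvr-cert off) mean the device does not compare the peer's Subject Name at all, does not request a client certificate when acting as a server, and does not verify the server certificate when acting as a client. As noted under sips-require-client-certificate, a device reset is required for that setting to take effect, so plan the change for a maintenance window; after the reset, confirm that every SIP peer presents a certificate whose Subject Name matches tls-rmt-subs-name, since mode 2 rejects TLS connections in both directions when it does not.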

Command Mode

Privileged User

Example

This example enables the device to verify the Server certificate with the Root CA information:

(config-network)# security-settings
(network-security)# tls-vrfy-srvr-cert on