Cisco Bug: CSCvh59932 - "utils fips_common_criteria enable" Causes Certs To Be Regenerated & System Reboot

Last Modified

Feb 13, 2018

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

12.0(1.10000.10)

Description (partial)

Symptom:
Issuing the "utils fips_common_criteria enable" command from the CLI causes CUCM to regenerate all certificates and reboot the node.

Conditions:
The output below is what to expect when issuing "utils fips_common_criteria enable". These prompts are to be added to the "Command Line Interface Reference Guide for Cisco Unified Communications Solutions, Release 12.0(1)", at the link below:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/cli_ref/12_0_1/cucm_b_cli-reference-guide-1201/cucm_b_cucm-cli-reference-guide-1201_chapter_01001.html?bookSearch=true#reference_69C83F668C1B067FAF527F22F2E3395D





******************************************************************************************************************************

admin:utils fips_common_criteria status

Server is not in Common Criteria mode.





admin:utils fips_common_criteria enable

**************************************************************
  Warning : TLS 1.0 will be disabled in Common Criteria mode.
**************************************************************

This will enable Common Criteria mode and system will reboot. Do you want to continue? (yes/no) :
yes

Common Criteria requires FIPS mode to be enabled. Do you want to enable FIPS? (yes/no) :
yes

Security Warning : The operation will regenerate certificates for

1)CallManager
3)IPsec
2)Tomcat
4)TVS
5)CAPF
6)SSH
7)ITLRecovery

Any third party CA signed certificates that have been uploaded for the above
components will need to be re-uploaded.
If the system is operating in mixed mode, then the CTL client needs to be run
again to update the CTL file.
If there are other servers in the cluster, please wait and do not change the
FIPS settings on any other node until the FIPS operation on this node is complete
and the system is back up and running.
*********************************************************************************
This will change the system to FIPS mode and will reboot.
*********************************************************************************

Do you want to continue (yes/no) ? yes

Generating certificates...

Setting FIPS mode in operating system.
FIPS mode enabled.

FIPS mode enabled successfully.
********************************************************
It is highly recommended that after your system restarts, 
a system backup is performed.
********************************************************
The system will reboot in a few minutes.

******************************************************************************************************************************