Represents a single security cipher and its configuration (enabled, disabled, allowed for FIPS, etc...).
Security settings switch between enhanced security mode and a custom security mode in which one or more insecure capabilities are allowed. Content-Type: application/vnd.plcm.plcm-security-settings-v2+xml. All attributes are used in ETag calculation except for entity-tag and atom-links.
| Name | Type | Description | Attributes |
|---|---|---|---|
| atomLinkList | Array of Link | See Definition of Link | |
| signalingCiphers | Array of PlcmCipher | ||
| managementCiphers | Array of PlcmCipher | ||
| securityMode | SecurityMode | ENHANCED security mode is the recommended setting for normal operation. CUSTOM security mode enables one or more of the unsecured methods of network access allow secure protocol tlsv11s listed below in leaf nodes. | Mandatory |
| allowLinuxConsoleAccess | boolean | Enables the Linux remote user account to log into the system using SSH. This direct Linux access isn’t needed for normal operation, routine maintenance, or even troubleshooting, all of which can be done through the administrative GUI. In extreme circumstances, this option might enable expert Polycom Global Services personnel to more fully understand the state of a troubled system or correct problems. Enable this option only when asked to do so by Polycom Global Services. Note :- If this field remains null then it will automatically set to default value i.e. True. Action required for the change to take effect :- none. | |
| allowSshRootAccess | boolean | Enables an authorized system root user to log into the system using an SSH connection. This low-level direct access is not required for normal daily operation, routine maintenance, or even standard troubleshooting, all of which can be done through the administrative GUI. In certain situations, enabling this option may assist Polycom Global Services personnel in more fully understanding the state of a troubled system or correcting problems. You may wish to enable this option only when asked to do so by Polycom Global Services. Note: If this field remains null then it will automatically be set to the default value (True for Core configuration; False for Edge configuration). Action required for the change to take effect: None. | |
| sshIdleTimeout | int | Number of seconds before an idle SSH connection will be closed. The value must be greater than zero if provided or else a default will be chosen by the system. It is up to the server whether the provided value will be adheared to or not, and/or how strictly, and no warning/error/status will be provided. | |
| unencryptedEnterpriseDirectoryAccessAllowed | boolean | Select to specify that endpoints whose status is Inactive (that is, their registrations have expired) are deleted from the system after the specified number of days.Some dial rule actions, such as Resolve to registered endpoint, can route calls to endpoints with an inactive registration. Deleting the registration record is the only way to prevent resolution to an inactive endpoint. Note :- If this field remains null then it will automatically set to default value i.e. False. Action required for the change to take effect :- none. | |
| unencryptedMcuAccessAllowed | boolean | The Polycom RealPresence DMA system uses only HTTPS for the conference control connection to RealPresence Collaboration Server or RMX MCUs, and therefore can’t control an MCU that accepts only HTTP (the default). This option enables the system to fall back to HTTP for MCUs not configured for HTTPS.Recommend configuring your MCUs to accept encrypted connections rather than enabling this option. When unencrypted connections are used, the RealPresence Collaboration Server or RMX login name and password are sent unencrypted over the network. Note :- If this field remains null then it will automatically set to default value i.e. True. Action required for the change to take effect :- none. | |
| httpCalendarNotificationsAllowed | boolean | If calendaring is enabled, the Polycom RealPresence DMA system gives the Microsoft Exchange server an HTTPS URL to which the Exchange server can deliver calendar notifications. In that case, the Polycom RealPresence DMA system must have a certificate that the Exchange server accepts in order for the HTTPS connection to work.allow secure protocol tlsv11 If this option is selected, the Polycom RealPresence DMA system does not require HTTPS for calendar notifications. Recommend installing a certificate trusted by the Exchange server and using an HTTPS URL for notifications rather than enabling this option. Note :- If this field remains null then it will automatically set to default value i.e. False Action required for the change to take effect :- none. | |
| basicCalendarAuthAllowed | boolean | If calendaring is enabled, the Polycom RealPresence DMA system authenticates itself with the Exchange server using NTLM authentication. If this option is selected, the Polycom RealPresence DMA system still attempts to use NTLM first. But if that fails or isn’t enabled on the Exchange server, then the RealPresence DMA system falls back to HTTP Basic authentication (user name and password). We recommend using NTLM authentication rather than enabling this option. In order for either NTLM or HTTP Basic authentication to work, they must be enabled on the Exchange server. Note :- If this field remains null then it will automatically set to default value i.e. False. Action required for the change to take effect :- none. | |
| nonFipsCipherAllowed | boolean | When true, non-FIPS ciphers are allowed. Non-FIPS ciphers are not allowed when false. Note :- If this field remains null then it will automatically set to default value, which is true. Action required for the change to take effect :- application restart. | |
| skipServerCertValidation | boolean | When the Polycom RealPresence DMA system connects to a server, it validates that server’s certificate. This option configures the system to accept any certificate presented to it without validating it.allow secure protocol tlsv11 Recommend using valid certificates for all servers that the system may need to contact rather than enabling this option. Depending on system configuration, this may include: MCUs Active Directory Exchange RealPresence Resource Manager or CMA system Other RealPresence DMA systems Endpoints Note: Either the Common Name (CN) or Subject Alternate Name (SAN) field of the server’s certificate must contain the address or host name specified for the server in the Polycom RealPresence DMA system. Polycom MCUs don't include their management IP address in the SAN field of the CSR (Certificate Signing Request), so their certificates identify them only by the CN. Therefore, in the Polycom RealPresence DMA system, a Polycom MCU's management interface must be identified by the name specified in the CN field (usually the FQDN), not by IP address. Similarly, an Active Directory server certificate often specifies only the FQDN. So in the Polycom RealPresence DMA system, identify the enterprise directory by FQDN, not by IP address. Note :- If this field remains null then it will automatically set to default value i.e. True. Action required for the change to take effect :- none. | |
| skipCallSignalingCert | boolean | During encrypted call signaling (SIP over TLS), the Polycom RealPresence DMA system requires the remote party (endpoint or MCU) to present a valid certificate. This is known as mTLS or two-way TLS.allow secure protocol tlsv11 This option configures the system to accept any certificate (or none). Recommend installing valid certificates on your endpoints and MCUs rather than enabling this option. Note :- If this field remains null then it will automatically set to default value i.e. True. Action required for the change to take effect :- none. | |
| allowANonEvents | boolean | The SIP SUBSCRIBE/NOTIFY conference notification service (as described in RFCs 3265 and 4575), allows SIP devices to subscribe to a conference and receive conference rosters and notifications of conference events. Normally, the subscribing endpoints are conference participants. This option configures the system to let devices subscribe to a conference without being participants in the conference. Note: A subscription to a conference by a non-participant consumes a call license. Call history doesn’t include data for non-participant subscriptions. Note :- If this field remains null then it will automatically set to default value i.e. True. Action required for the change to take effect :- none. | |
| skipLoginCert | boolean | This option may be configured in any security mode. If this option is turned off, you can only connect to the Polycom RealPresence DMA system if your browser presents a client certificate issued by a CA that the system trusts (this is known as mTLS for administrative connections). Turn this option off only if: You’ve implemented a complete public key infrastructure (PKI) system, including a CA server, client software (and optionally hardware, tokens, or smartcards), and the appropriate operational procedures. The CA’s public certificate is installed in the Polycom RealPresence DMA system so that it trusts the CA. All authorized users, including yourself, have a client certificate signed by the CA that authenticates them to the Polycom RealPresence DMA system. Note :- If this field remains null then it will automatically set to default value i.e. True. Action required for the change to take effect :- none. | |
| ipv6DstUnreachable | boolean | This option may be configured in any security mode. If this option is off, the Polycom RealPresence DMA system has an internal firewall rule that blocks outbound dallow secure protocol tlsv11estination unreachable messages. If this option is on, that firewall rule is disabled. Note: The Polycom RealPresence DMA system currently doesn’t send such messages, regardless of this setting. Note :- If this field remains null then it will automatically set to default value i.e. True. Action required for the change to take effect :- none. | |
| ipv6EchoReply | boolean | This option may be configured in any security mode. If this option is off, the Polycom RealPresence DMA system doesn't reply to echo request messages sent to multicast addresses (multicast pings). If this option is on, the system responds to multicast pings. Note :- If this field remains null then it will automatically set to default value i.e. True. Action required for the change to take effect :- none. | |
| ignoreSipPrivacyHeader | boolean | This option may be configured to ignore sip privacy header. Note :- If this field remains null then it will automatically set to default value i.e. False. Action required for the change to take effect :- none. | |
| preventSipPrivacyCriticalFlagPropagation | boolean | This option may be configured to prevent sip privacy critical flag propagation. Note :- If this field remains null then it will automatically set to default value i.e. False. Action required for the change to take effect :- none. | |
| allowSecureProtocolSslv3 | boolean | This option may be configured to allow secure protocol sslv3. Note :- If this field remains null then it will automatically set to default value i.e. False. Action required for the change to take effect :- application restart. | |
| allowSecureProtocolTlsv10 | boolean | This option may be configured to allow secure protocol tlsv10. Note :- If this field remains null then it will automatically set to default value i.e. True. Action required for the change to take effect :- application restart. | |
| allowSecureProtocolTlsv11 | boolean | This option may be configured to allow secure protocol tlsv11. Note :- If this field remains null then it will automatically set to default value i.e. True. Action required for the change to take effect :- application restart. | |
| allowSecureProtocolTlsv12 | boolean | This option may be configured to allow secure protocol tlsv12. Note :- If this field remains null then it will automatically set to default value i.e. True Action required for the change to take effect :- application restart. | |
| enforceTlsForLdap | boolean | This option is used to enforce TLS for LDAP | |
| enableAccessProxyWhitelistAuth | boolean | This option is used to enable access proxy white list authentication for LDAP and XMPP access | |
| allowBootingFromUsbOrOpticalDrive | boolean | This option may be configured to allow booting from the optical drive or a USB device. Note :- If this field remains null then it will automatically set to default value i.e. True. Note :- This setting does not apply to DMA Virtual Edition. Action required for the change to take effect :- system reboot. | |
| lastModifiedBy | string | This option will keep track of last user to modify security settings, this is read-only parameter. | |
| minDheKeySizeInbound | short | The minimum Diffie-Helman Ephemeral key size to accept from clients and other servers when negotiating TLS connections. Clients and other servers that use DHE keys smaller than this size will fail to connect. | |
| dheKeySizeOutbound | short | The Diffie-Helman Ephemeral key size that the local server will use when negotiating TLS connections to other servers. | |
| entityTag | EntityTag | The unique value generated from the server object instance. This value is the same value that MUST be applied to the HTTP Entity Tag (ETag) header for a single instance of this object. Client modification of this field is not allowed for this instance. |
| Name | Type | Description | Attributes |
|---|---|---|---|
| forProtocols | Array of SecureProtocols | ||
| name | string | Textual name of the cipher suitable for display and/or labeling. | Mandatory |
| idName | string | Programatic identifier for the cipher that may or may not be the same as the name. | Mandatory |
| classes | Array of string | Values (optional) that can be used to group similar ciphers (i.e. 3DES, RC4, AES, ECDH, ...). | |
| enabled | boolean | States the particular cipher is enabled or disabled | Mandatory |
| isADefault | boolean | Is the cipher enabled in the default cipher set or not. | |
| validForFips | boolean | Is the cipher valid for a FIPS configuration or not. |
| Name | Type | Restrictions |
|---|---|---|
| SecureProtocols | string | Value must be one of:
|
| EntityTag | string | Length of value must be >=1 Length of value must be <=64 |
| SecurityMode | string | Value must be one of:
|