Represents a single security cipher and its configuration (enabled, disabled, allowed for FIPS, etc.).
Security settings switch between enhanced security mode and a custom security mode in which one or more insecure capabilities are allowed. Content-Type: application/vnd.plcm.plcm-security-settings-v3+xml All attributes are used in ETag calculation except for entity-tag and atom-links.
| Name | Type | Description | Attributes |
|---|---|---|---|
| atomLinkList | List of link | See Definition of link | |
| signaling-ciphers | List of PlcmCipher | ||
| management-ciphers | List of PlcmCipher | ||
| security-mode | SecurityMode | ENHANCED security mode is the recommended setting for normal operation. CUSTOM security mode enables one or more of the unsecured methods of network access listed below in leaf nodes. | Mandatory |
| allow-console-access | xs:boolean | Enables an authorized system user to log into the system using the system console. This low-level direct access is not required for normal daily operation, routine maintenance, or even standard troubleshooting, all of which can be done through the administrative GUI. In certain situations, enabling this option may assist Polycom Global Services personnel in more fully understanding the state of a troubled system or correcting problems. You may wish to enable this option only when asked to do so by Polycom Global Services. Note: If this field remains null then it will automatically be set to the default value (True for Core or Edge configuration). Action required for the change to take effect: None. | |
| allow-ssh-access | xs:boolean | Enables an authorized system user to log into the system using an SSH connection. This low-level direct access is not required for normal daily operation, routine maintenance, or even standard troubleshooting, all of which can be done through the administrative GUI. In certain situations, enabling this option may assist Polycom Global Services personnel in more fully understanding the state of a troubled system or correcting problems. You may wish to enable this option only when asked to do so by Polycom Global Services. Note: If this field remains null then it will automatically be set to the default value (True for Core configuration; False for Edge configuration). Action required for the change to take effect: None. | |
| allow-ssh-root-access | xs:boolean | Enables an authorized system root user to log into the system using an SSH connection. This low-level direct access is not required for normal daily operation, routine maintenance, or even standard troubleshooting, all of which can be done through the administrative GUI. In certain situations, enabling this option may assist Polycom Global Services personnel in more fully understanding the state of a troubled system or correcting problems. You may wish to enable this option only when asked to do so by Polycom Global Services. Note: If this field remains null then it will automatically be set to the default value (True for Core configuration; False for Edge configuration). Action required for the change to take effect: None. | |
| ssh-idle-timeout | xs:int | Number of seconds before an idle SSH connection will be closed. The value must be greater than zero if provided or else a default will be chosen by the system. It is up to the server whether the provided value will be adheared to or not, and/or how strictly, and no warning/error/status will be provided. | |
| unencrypted-enterprise-directory-access-allowed | xs:boolean | The Polycom RealPresence DMA system uses SSL or TLS encryption when connecting to an Active Directory server, and will fail to connect to an Active Directory server (including domain controllers if you import global groups) that is not configured to support encryption. If this option is enabled, the Polycom RealPresence DMA system will be able to attempt to connect using an unencrypted protocol if an encrypted connection cannot be established. In normal daily operation, this option should only be used for diagnostic purposes. By toggling it on, you can determine whether encryption is the cause of a failure to connect to Active Directory or to load group data. It is recommended that you correctly configure the relevant servers rather than enabling this option for normal daily operation. Note: If this field remains null then it will automatically be set to the default value (False). Action required for the change to take effect: None. | |
| unencrypted-mcu-access-allowed | xs:boolean | The Polycom RealPresence DMA system uses only HTTPS for the conference control connection to RealPresence Collaboration Server or RMX MCUs, and therefore can't control an MCU that accepts only HTTP (the default). This option enables the system to fall back to HTTP for MCUs not configured for HTTPS. It is recommended that you configure your MCUs to accept encrypted connections rather than enabling this option. When unencrypted connections are used, the RealPresence Collaboration Server or RMX login name and password are sent unencrypted over the network. Note: If this field remains null then it will automatically be set to the default value (True). Action required for the change to take effect: None. | |
| http-calendar-notifications-allowed | xs:boolean | If calendaring is enabled, the Polycom RealPresence DMA system gives the Microsoft Exchange server an HTTPS URL to which the Exchange server can deliver calendar notifications. In that case, the Polycom RealPresence DMA system must have a certificate that the Exchange server accepts in order for the HTTPS connection to work. If this option is enabled, the Polycom RealPresence DMA system does not require HTTPS for calendar notifications. It is recommended that you install a certificate trusted by the Exchange server to allow using an HTTPS URL for notifications rather than enabling this option. Note: If this field remains null then it will automatically be set to the default value (False). Action required for the change to take effect: None. | |
| basic-calendar-auth-allowed | xs:boolean | If calendaring is enabled, the Polycom RealPresence DMA system authenticates itself with the Exchange server using NTLM authentication. If this option is selected, the Polycom RealPresence DMA system still attempts to use NTLM first; however, if that fails or isn't enabled on the Exchange server, then the RealPresence DMA system falls back to HTTP Basic authentication (username and password). It is recommended that you use NTLM authentication rather than enabling this option. In order for either NTLM or HTTP Basic authentication to work, they must be enabled on the Exchange server. Note: If this field remains null then it will automatically be set to the default value (False). Action required for the change to take effect: None. | |
| non-fips-cipher-allowed | xs:boolean | When true, non-FIPS ciphers are allowed. Non-FIPS ciphers are not allowed when false. Note: If this field remains null then it will automatically be set to the default value (True). Action required for the change to take effect: Application restart. | |
| skip-server-cert-validation | xs:boolean | When the Polycom RealPresence DMA system connects to a server, it validates that server's certificate. This option configures the system to accept any certificate presented to it without validating it. It is recommended that you use valid certificates for all servers that the system may need to contact rather than enabling this option. Depending on system configuration, this may include: - MCUs - Active Directory - Exchange - RealPresence Resource Manager or CMA system - Other RealPresence DMA systems - Endpoints Note: Either the Common Name (CN) or Subject Alternate Name (SAN) field of the server's certificate must contain the address or host name specified for the server in the Polycom RealPresence DMA system. Polycom MCUs don't include their management IP address in the SAN field of the CSR (Certificate Signing Request), so their certificates identify them only by the CN. Therefore, in the Polycom RealPresence DMA system, a Polycom MCU's management interface must be identified by the name specified in the CN field (usually the FQDN), and not by IP address. Similarly, an Active Directory server certificate often specifies only the FQDN. Thus, in the Polycom RealPresence DMA system, identify the enterprise directory server by FQDN, and not by IP address. Note: If this field remains null then it will automatically be set to the default value (True). Action required for the change to take effect: None. | |
| skip-call-signaling-cert | xs:boolean | During encrypted call signaling (SIP over TLS), the Polycom RealPresence DMA system requires the remote party (endpoint or MCU) to present a valid certificate. This is known as mTLS or two-way TLS. This option configures the system to accept any certificate (or none). It is recommended that you install valid certificates on your endpoints and MCUs rather than enabling this option. Note: If this field remains null then it will automatically be set to the default value (True). Action required for the change to take effect: None. | |
| allow-anon-events | xs:boolean | The SIP SUBSCRIBE/NOTIFY conference notification service (as described in RFCs 3265 and 4575) allows SIP devices to subscribe to a conference and receive conference rosters and notifications of conference events. Normally, the subscribing endpoints are conference participants. This option configures the system to let devices subscribe to a conference without being participants in the conference. Note: A subscription to a conference by a non-participant consumes a call license. Call history doesn't include data for non-participant subscriptions. Note: If this field remains null then it will automatically be set to the default value (True). Action required for the change to take effect: None. | |
| skip-login-cert | xs:boolean | This option may be configured in any security mode. If this option is turned off, you can only connect to the Polycom RealPresence DMA system if your browser presents a client certificate issued by a CA that the system trusts (this is known as mTLS for administrative connections). Turn this option off only if: - You've implemented a complete public key infrastructure (PKI) system, including a CA server, client software (and optionally hardware, tokens, or smartcards), and the appropriate operational procedures. - The CA's public certificate is installed in the Polycom RealPresence DMA system so that it trusts the CA. - All authorized users, including yourself, have a client certificate signed by the CA that authenticates them to the Polycom RealPresence DMA system. Note: If this field remains null then it will automatically be set to the default value (True). Action required for the change to take effect: None. | |
| ipv6-dst-unreachable | xs:boolean | This option may be configured in any security mode. If this option is off, the Polycom RealPresence DMA system enables an internal firewall rule that blocks outbound IPv6 ICMP destination unreachable messages. If this option is on, that firewall rule is disabled. Note: The Polycom RealPresence DMA system currently doesn't send such messages, regardless of this setting. Note: If this field remains null then it will automatically be set to the default value (True). Action required for the change to take effect: None. | |
| ipv6-echo-reply | xs:boolean | This option may be configured in any security mode. If this option is off, the Polycom RealPresence DMA system doesn't reply to echo request messages sent to multicast addresses (multicast pings). If this option is on, the system responds to multicast pings. Note: If this field remains null then it will automatically be set to the default value (True). Action required for the change to take effect: None. | |
| ignore-sip-privacy-header | xs:boolean | This option may be configured in any security mode. If this option is off, the Polycom RealPresence DMA system rejects incoming SIP calls that include a 'critical' flag in the Privacy header and sends a 500 response status. If this option is on, the flag is ignored and such calls are accepted. Note: If this field remains null then it will automatically be set to the default value (False). Action required for the change to take effect: None. | |
| prevent-sip-privacy-critical-flag-propagation | xs:boolean | This option may be configured in any security mode. If this option is off, the 'critical' flag in the Privacy header of incoming SIP messages is not removed when the message is propagated. If this option is on, the 'critical' flag is removed from the Privacy header. If the Privacy header has no remaining flags after the 'critical' flag is removed, the system removes the Privacy header from the message. Note: If this field remains null then it will automatically be set to the default value (False). Action required for the change to take effect: None. | |
| allow-secure-protocol-sslv3 | xs:boolean | This option may be configured in any security mode. When enabled, the system can use the SSL v3 secure protocol for HTTPS communication. Note: If this field remains null then it will automatically be set to the default value (False). Action required for the change to take effect: Application restart. | |
| allow-secure-protocol-tlsv10 | xs:boolean | This option may be configured in any security mode. When enabled, the system can use the TLS v1.0 secure protocol for HTTPS communication. Note: If this field remains null then it will automatically be set to the default value (True). Action required for the change to take effect: Application restart. | |
| allow-secure-protocol-tlsv11 | xs:boolean | This option may be configured in any security mode. When enabled, the system can use the TLS v1.1 secure protocol for HTTPS communication. Note: If this field remains null then it will automatically be set to the default value (True). Action required for the change to take effect: Application restart. | |
| allow-secure-protocol-tlsv12 | xs:boolean | This option may be configured in any security mode. When enabled, the system can use the TLS v1.2 secure protocol for HTTPS communication. Note: If this field remains null then it will automatically be set to the default value (True). Action required for the change to take effect: Application restart. | |
| enforce-tls-for-ldap | xs:boolean | This option is used to enforce TLS for LDAP. | |
| enable-access-proxy-whitelist-auth | xs:boolean | This option is used to enable access proxy white list authentication for LDAP and XMPP access. | |
| allow-booting-from-usb-or-optical-drive | xs:boolean | When enabled, the system can be booted from the optical drive or a USB device. Note: This setting does not apply to DMA Virtual Edition. Note: If this field remains null then it will automatically be set to the default value (True). Action required for the change to take effect: System reboot. | |
| last-modified-by | xs:string | This field indicates the last user to modify security settings. This is a read-only parameter. | |
| min-dhe-key-size-inbound | xs:short | The minimum Diffie-Hellman ephemeral key size to accept from clients and other servers when negotiating TLS connections. Clients and other servers that use DHE keys smaller than this size will fail to connect. | |
| dhe-key-size-outbound | xs:short | The Diffie-Hellman ephemeral key size that the local server will use when negotiating TLS connections to other servers. | |
| entity-tag | EntityTag | The unique value generated from the server object instance. This value is the same value that MUST be applied to the HTTP Entity Tag (ETag) header for a single instance of this object. Client modification of this field is not allowed for this instance. |
| Name | Type | Description | Attributes |
|---|---|---|---|
| for-protocols | List of SecureProtocols | ||
| name | xs:string | Textual name of the cipher suitable for display and/or labeling. | Mandatory |
| id-name | xs:string | Programmatic identifier for the cipher that may or may not be the same as the name. | Mandatory |
| classes | List of xs:string | Values (optional) that can be used to group similar ciphers (3DES, RC4, AES, ECDH, etc.). | |
| enabled | xs:boolean | States the particular cipher is enabled or disabled | Mandatory |
| is-a-default | xs:boolean | Is the cipher enabled in the default cipher set or not. | |
| valid-for-fips | xs:boolean | Is the cipher valid for a FIPS configuration or not. |
| Name | Type | Restrictions |
|---|---|---|
| SecureProtocols | xs:string | Value must be one of:
|
| EntityTag | xs:string | Length of value must be >=1 Length of value must be <=64 |
| SecurityMode | xs:string | Value must be one of:
|