plcm-security-settings-v3.xsd Documentation

Imported Namespaces

Target Namespace

Elements

plcm-cipher (PlcmCipher)

Represents a single security cipher and its configuration (enabled, disabled, allowed for FIPS, etc.).

plcm-security-settings-v3 (PlcmSecuritySettingsV3)

Security settings switch between enhanced security mode and a custom security mode in which one or more insecure capabilities are allowed.
Content-Type: application/vnd.plcm.plcm-security-settings-v3+xml
All attributes are used in the ETag calculation except entity-tag and atom-links.


Complex Types

PlcmSecuritySettingsV3 Fields

Name (Type) [Attributes]

atomLinkList (List of link)
    See Definition of link.

signaling-ciphers (List of PlcmCipher)
    Cipher list for call-signaling connections.

management-ciphers (List of PlcmCipher)
    Cipher list for management connections.

security-mode (SecurityMode) [Mandatory]
    ENHANCED is the recommended setting for normal operation. CUSTOM enables one or more of the unsecured methods of network access described in the leaf nodes below.

allow-console-access (xs:boolean)
    Lets an authorized system user log in at the system console. This low-level direct access is not required for normal daily operation, routine maintenance, or standard troubleshooting, all of which can be done through the administrative GUI. In some situations it may help Polycom Global Services personnel understand the state of a troubled system or correct problems; enable it only when asked to do so by Polycom Global Services. Note: if this field is null it is set to the default value (True for Core or Edge configuration). Action required for the change to take effect: none.

allow-ssh-access (xs:boolean)
    Lets an authorized system user log in over an SSH connection. The same considerations as for allow-console-access apply: not needed for daily operation, maintenance, or troubleshooting, and best enabled only at the request of Polycom Global Services. Note: if this field is null it is set to the default value (True for Core configuration; False for Edge configuration). Action required for the change to take effect: none.

allow-ssh-root-access (xs:boolean)
    Lets the system root user log in over an SSH connection. The same considerations as for allow-console-access apply; enable it only at the request of Polycom Global Services. Note: if this field is null it is set to the default value (True for Core configuration; False for Edge configuration). Action required for the change to take effect: none.

ssh-idle-timeout (xs:int)
    Number of seconds before an idle SSH connection is closed. If provided, the value must be greater than zero; otherwise the system chooses a default. Whether, and how strictly, the server honors the provided value is up to the server, and no warning, error, or status is returned. Because nothing is reported, read the settings back after a change to confirm the value that was applied.

unencrypted-enterprise-directory-access-allowed (xs:boolean)
    The Polycom RealPresence DMA system uses SSL or TLS encryption when connecting to an Active Directory server, and fails to connect to an Active Directory server (including domain controllers, if you import global groups) that is not configured to support encryption. If this option is enabled, the system may fall back to an unencrypted protocol when an encrypted connection cannot be established. Use this only for diagnosis: toggling it on tells you whether encryption is the cause of a failure to connect to Active Directory or to load group data. Configure the relevant servers correctly rather than leaving this enabled for normal daily operation. Note: if this field is null it is set to the default value (False). Action required for the change to take effect: none.

unencrypted-mcu-access-allowed (xs:boolean)
    The Polycom RealPresence DMA system uses only HTTPS for the conference control connection to RealPresence Collaboration Server or RMX MCUs, and therefore cannot control an MCU that accepts only HTTP (the MCU default). This option lets the system fall back to HTTP for MCUs not configured for HTTPS. Configure your MCUs to accept encrypted connections rather than enabling this option: over an unencrypted connection the RealPresence Collaboration Server or RMX login name and password are sent in the clear. Note: if this field is null it is set to the default value (True). Action required for the change to take effect: none.

http-calendar-notifications-allowed (xs:boolean)
    If calendaring is enabled, the Polycom RealPresence DMA system gives the Microsoft Exchange server an HTTPS URL to which the Exchange server delivers calendar notifications, so the system must have a certificate that the Exchange server accepts for the HTTPS connection to work. If this option is enabled, HTTPS is not required for calendar notifications. Install a certificate trusted by the Exchange server and keep using an HTTPS URL rather than enabling this option. Note: if this field is null it is set to the default value (False). Action required for the change to take effect: none.

basic-calendar-auth-allowed (xs:boolean)
    If calendaring is enabled, the Polycom RealPresence DMA system authenticates to the Exchange server with NTLM. If this option is selected, the system still tries NTLM first; if that fails or is not enabled on the Exchange server, it falls back to HTTP Basic authentication (username and password). Use NTLM rather than enabling this option. Whichever method is used must be enabled on the Exchange server. Note: if this field is null it is set to the default value (False). Action required for the change to take effect: none.

non-fips-cipher-allowed (xs:boolean)
    When true, non-FIPS ciphers are allowed; when false, they are not (see valid-for-fips on PlcmCipher). Note: if this field is null it is set to the default value (True). Action required for the change to take effect: application restart.

skip-server-cert-validation (xs:boolean)
    When the Polycom RealPresence DMA system connects to a server, it validates that server's certificate. This option makes the system accept any certificate presented to it without validation, which means any party that can place itself on the path to one of those servers can present its own certificate and be accepted. Use valid certificates on all servers the system may need to contact rather than enabling this option. Depending on system configuration, these may include:
      • MCUs
      • Active Directory
      • Exchange
      • RealPresence Resource Manager or CMA system
      • Other RealPresence DMA systems
      • Endpoints
    Note: either the Common Name (CN) or Subject Alternative Name (SAN) of the server's certificate must contain the address or host name configured for that server in the Polycom RealPresence DMA system. Polycom MCUs do not include their management IP address in the SAN of the CSR (Certificate Signing Request), so their certificates identify them only by the CN. A Polycom MCU's management interface must therefore be identified in the DMA system by the name in the CN (usually the FQDN), not by IP address. Similarly, an Active Directory server certificate often specifies only the FQDN, so identify the enterprise directory server by FQDN, not by IP address. Note: if this field is null it is set to the default value (True), so set it to False explicitly. Action required for the change to take effect: none.

skip-call-signaling-cert (xs:boolean)
    During encrypted call signaling (SIP over TLS), the Polycom RealPresence DMA system requires the remote party (endpoint or MCU) to present a valid certificate; this is mTLS, or two-way TLS. This option makes the system accept any certificate, or none. Install valid certificates on your endpoints and MCUs rather than enabling this option. Note: if this field is null it is set to the default value (True). Action required for the change to take effect: none.

allow-anon-events (xs:boolean)
    The SIP SUBSCRIBE/NOTIFY conference notification service (RFCs 3265 and 4575) lets SIP devices subscribe to a conference and receive conference rosters and notifications of conference events. Normally the subscribing endpoints are conference participants. This option lets devices subscribe to a conference without being participants in it. Note: a subscription by a non-participant consumes a call license, and call history does not include data for non-participant subscriptions. Note: if this field is null it is set to the default value (True). Action required for the change to take effect: none.

skip-login-cert (xs:boolean)
    This option may be configured in any security mode. If it is turned off, you can connect to the Polycom RealPresence DMA system only if your browser presents a client certificate issued by a CA that the system trusts (mTLS for administrative connections). Turn it off only if:
      • You have implemented a complete public key infrastructure (PKI), including a CA server, client software (and optionally hardware, tokens, or smartcards), and the appropriate operational procedures.
      • The CA's public certificate is installed in the Polycom RealPresence DMA system so that it trusts the CA.
      • All authorized users, including yourself, have a client certificate signed by the CA that authenticates them to the Polycom RealPresence DMA system.
    Note: if this field is null it is set to the default value (True). Action required for the change to take effect: none.

ipv6-dst-unreachable (xs:boolean)
    This option may be configured in any security mode. If it is off, the Polycom RealPresence DMA system enables an internal firewall rule that blocks outbound IPv6 ICMP destination unreachable messages; if it is on, that rule is disabled. Note: the system currently does not send such messages regardless of this setting. Note: if this field is null it is set to the default value (True). Action required for the change to take effect: none.

ipv6-echo-reply (xs:boolean)
    This option may be configured in any security mode. If it is off, the Polycom RealPresence DMA system does not reply to echo requests sent to multicast addresses (multicast pings); if it is on, the system responds to them. Note: if this field is null it is set to the default value (True). Action required for the change to take effect: none.

ignore-sip-privacy-header (xs:boolean)
    This option may be configured in any security mode. If it is off, the Polycom RealPresence DMA system rejects incoming SIP calls whose Privacy header (RFC 3323) carries the 'critical' flag and sends a 500 response. If it is on, the flag is ignored and such calls are accepted. Note: if this field is null it is set to the default value (False). Action required for the change to take effect: none.

prevent-sip-privacy-critical-flag-propagation (xs:boolean)
    This option may be configured in any security mode. If it is off, the 'critical' flag in the Privacy header of incoming SIP messages is kept when the message is propagated. If it is on, the 'critical' flag is removed from the Privacy header, and if no flags remain the system removes the Privacy header from the message. Note: if this field is null it is set to the default value (False). Action required for the change to take effect: none.

allow-secure-protocol-sslv3 (xs:boolean)
    This option may be configured in any security mode. When enabled, the system can use SSL v3 for HTTPS communication. SSL 3.0 is deprecated (RFC 7568); leave this disabled. Note: if this field is null it is set to the default value (False). Action required for the change to take effect: application restart.

allow-secure-protocol-tlsv10 (xs:boolean)
    This option may be configured in any security mode. When enabled, the system can use TLS v1.0 for HTTPS communication. TLS 1.0 is deprecated (RFC 8996); disable it unless a peer you must support offers nothing newer. Note: if this field is null it is set to the default value (True). Action required for the change to take effect: application restart.

allow-secure-protocol-tlsv11 (xs:boolean)
    This option may be configured in any security mode. When enabled, the system can use TLS v1.1 for HTTPS communication. TLS 1.1 is deprecated (RFC 8996); disable it unless a peer you must support offers nothing newer. Note: if this field is null it is set to the default value (True). Action required for the change to take effect: application restart.

allow-secure-protocol-tlsv12 (xs:boolean)
    This option may be configured in any security mode. When enabled, the system can use TLS v1.2 for HTTPS communication. Note: if this field is null it is set to the default value (True). Action required for the change to take effect: application restart.

enforce-tls-for-ldap (xs:boolean)
    Enforces TLS for LDAP connections.

enable-access-proxy-whitelist-auth (xs:boolean)
    Enables access proxy whitelist authentication for LDAP and XMPP access.

allow-booting-from-usb-or-optical-drive (xs:boolean)
    When enabled, the system can be booted from the optical drive or a USB device, so anyone with physical access could start the machine from their own media. Note: this setting does not apply to DMA Virtual Edition. Note: if this field is null it is set to the default value (True). Action required for the change to take effect: system reboot.

last-modified-by (xs:string)
    The last user to modify the security settings. Read-only.

min-dhe-key-size-inbound (xs:short)
    The minimum Diffie-Hellman ephemeral key size, in bits, to accept from clients and other servers when negotiating TLS connections. Clients and servers that use DHE keys smaller than this fail to connect. Groups of 1024 bits or less are considered weak; 2048 bits is the usual floor.

dhe-key-size-outbound (xs:short)
    The Diffie-Hellman ephemeral key size, in bits, that the local server uses when negotiating TLS connections to other servers.

entity-tag (EntityTag)
    A unique value generated from the server object instance. It is the same value that MUST be carried in the HTTP Entity Tag (ETag) header for a single instance of this object. Clients may not modify this field.

PlcmCipher Fields

Name (Type) [Attributes]

for-protocols (List of SecureProtocols)
    The protocol versions for which this cipher applies.

name (xs:string) [Mandatory]
    Textual name of the cipher, suitable for display or labeling.

id-name (xs:string) [Mandatory]
    Programmatic identifier for the cipher, which may or may not be the same as name.

classes (List of xs:string)
    Optional values used to group similar ciphers (3DES, RC4, AES, ECDH, etc.).

enabled (xs:boolean) [Mandatory]
    Whether this cipher is enabled or disabled.

is-a-default (xs:boolean)
    Whether the cipher is enabled in the default cipher set.

valid-for-fips (xs:boolean)
    Whether the cipher is valid for a FIPS configuration.
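The two tables above describe what a hardened document looks like but not how to check one. The following added example (written for this page, not Polycom code) audits a PlcmSecuritySettingsV3 document against a hardened baseline built from the field descriptions above, flags enabled PlcmCipher entries that are non-FIPS or offered only for legacy protocols, and builds the body and headers of the PUT that would apply the baseline, with entity-tag echoed in If-Match. It assumes things the page does not state: the XML carries no namespace, lists (signaling-ciphers, management-ciphers, for-protocols) are repeated child elements, booleans are the strings "true"/"false", and the sample document, cipher names and the 2048-bit DHE floor are constructed for illustration. No request is sent; the caller is expected to supply the HTTP transport.

```python
"""Audit a plcm-security-settings-v3 document against a hardened baseline and
build the PUT that applies it.  Added example, not Polycom code.  Assumed (the
page is silent): no XML namespace, lists as repeated child elements, booleans
as the strings "true"/"false"."""
import xml.etree.ElementTree as ET

CONTENT_TYPE = "application/vnd.plcm.plcm-security-settings-v3+xml"
# Leaf nodes that re-enable an insecure capability when true; skip-login-cert
# is left out because turning it off needs a full client-certificate PKI.
HARDENED = dict.fromkeys((
    "allow-console-access", "allow-ssh-access", "allow-ssh-root-access",
    "unencrypted-enterprise-directory-access-allowed",
    "unencrypted-mcu-access-allowed", "http-calendar-notifications-allowed",
    "basic-calendar-auth-allowed", "non-fips-cipher-allowed",
    "skip-server-cert-validation", "skip-call-signaling-cert", "allow-anon-events",
    "allow-secure-protocol-sslv3", "allow-secure-protocol-tlsv10",
    "allow-secure-protocol-tlsv11", "allow-booting-from-usb-or-optical-drive"),
    "false")
HARDENED.update({"allow-secure-protocol-tlsv12": "true", "enforce-tls-for-ldap": "true"})
LEGACY_PROTOCOLS = {"SSL_V3", "TLS_1_0", "TLS_1_1"}
MIN_DHE_BITS = 2048  # baseline chosen for this example; the page sets none

# Constructed sample GET response, not captured from a real system.
SAMPLE_XML = b"""<plcm-security-settings-v3>
  <security-mode>CUSTOM</security-mode>
  <allow-ssh-access>true</allow-ssh-access>
  <allow-ssh-root-access>true</allow-ssh-root-access>
  <ssh-idle-timeout>0</ssh-idle-timeout>
  <non-fips-cipher-allowed>true</non-fips-cipher-allowed>
  <skip-server-cert-validation>true</skip-server-cert-validation>
  <allow-secure-protocol-sslv3>false</allow-secure-protocol-sslv3>
  <allow-secure-protocol-tlsv10>true</allow-secure-protocol-tlsv10>
  <allow-secure-protocol-tlsv12>true</allow-secure-protocol-tlsv12>
  <min-dhe-key-size-inbound>1024</min-dhe-key-size-inbound>
  <management-ciphers>
    <plcm-cipher><for-protocols>TLS_1_2</for-protocols><name>AES256-GCM-SHA384</name>
      <id-name>TLS_RSA_WITH_AES_256_GCM_SHA384</id-name>
      <enabled>true</enabled><valid-for-fips>true</valid-for-fips></plcm-cipher>
    <plcm-cipher><for-protocols>TLS_1_0</for-protocols><name>RC4-SHA</name>
      <id-name>TLS_RSA_WITH_RC4_128_SHA</id-name>
      <enabled>true</enabled><valid-for-fips>false</valid-for-fips></plcm-cipher>
  </management-ciphers>
  <entity-tag>8f3c1b2e</entity-tag>
</plcm-security-settings-v3>"""


def _text(parent, name):
    node = parent.find(name)
    return None if node is None else (node.text or "").strip()


def _bad_cipher(c):
    # Enabled, and either non-FIPS or offered only for protocols we disable.
    protos = {p.text.strip() for p in c.iterfind("for-protocols")}
    return _text(c, "enabled") == "true" and (
        _text(c, "valid-for-fips") == "false"
        or bool(protos) and protos <= LEGACY_PROTOCOLS)


def audit(xml_bytes):
    """Return (field, problem) findings; an empty list means compliant."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for name, want in HARDENED.items():
        have = _text(root, name)
        if have is None:  # null fields take the server default, often True
            findings.append((name, "absent, server default applies"))
        elif have != want:
            findings.append((name, f"is {have}, want {want}"))
    timeout = _text(root, "ssh-idle-timeout")
    if timeout is not None and int(timeout) <= 0:
        findings.append(("ssh-idle-timeout", "must be greater than zero"))
    for name in ("min-dhe-key-size-inbound", "dhe-key-size-outbound"):
        bits = _text(root, name)
        if bits is not None and int(bits) < MIN_DHE_BITS:
            findings.append((name, f"{bits} bits, want >= {MIN_DHE_BITS}"))
    for lst in ("signaling-ciphers", "management-ciphers"):
        for c in root.iterfind(f"{lst}/plcm-cipher"):
            if _bad_cipher(c):
                findings.append((f"{lst}/{_text(c, 'id-name')}",
                                 "enabled but non-FIPS or legacy-only"))
    return findings


def harden(xml_bytes):
    """Return (body, headers) for a PUT applying the baseline to the fields present;
    absent fields are left to the operator (inserting them needs the schema order)."""
    root = ET.fromstring(xml_bytes)
    for name, want in HARDENED.items():
        node = root.find(name)
        if node is not None:
            node.text = want
    node = root.find("ssh-idle-timeout")
    if node is not None and int(node.text) <= 0:
        root.remove(node)  # let the system choose its default instead
    for name in ("min-dhe-key-size-inbound", "dhe-key-size-outbound"):
        node = root.find(name)
        if node is not None and int(node.text) < MIN_DHE_BITS:
            node.text = str(MIN_DHE_BITS)
    for c in root.iter("plcm-cipher"):
        if _bad_cipher(c):
            c.find("enabled").text = "false"
    # entity-tag is read-only and echoed unchanged; it also goes in If-Match so
    # the PUT is rejected if the settings changed since the GET.
    headers = {"Content-Type": CONTENT_TYPE,
               "If-Match": f'"{_text(root, "entity-tag")}"'}
    return ET.tostring(root, encoding="utf-8"), headers
```

Run `audit(SAMPLE_XML)` to list the deviations (root SSH enabled, certificate validation skipped, TLS 1.0 allowed, a zero idle timeout, a 1024-bit DHE floor, an enabled RC4 suite), then `harden(SAMPLE_XML)` to get the body and headers for the PUT. Fields the GET never returned are reported as "absent" rather than silently inserted, because several of them default to True on the server and the schema's element order is not documented on this page; after the PUT, GET the settings again and re-run `audit` to confirm what the server actually applied, since the page notes that at least ssh-idle-timeout may be silently adjusted.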


Simple Types


Name (Type)
    Restrictions

SecureProtocols (xs:string)
    Value must be one of:
      • TLS_1_3
      • TLS_1_2
      • TLS_1_1
      • TLS_1_0
      • SSL_V3

EntityTag (xs:string)
    Length of value must be >= 1
    Length of value must be <= 64

SecurityMode (xs:string)
    Value must be one of:
      • ENHANCED
      • CUSTOM
      • UNKNOWN