Deployment Guide for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
Security Configuration on IM and Presence Service

Security Setup Task List

The following workflow diagram shows the high-level steps to configure security on the IM and Presence Service node deployment.

Figure 1. Security Setup Workflow



The following table lists the tasks to perform to set up security on the IM and Presence Service node deployment. For detailed instructions, see the procedures that are related to the tasks outlined in the workflow.


Note: Optionally, you can create a banner that users acknowledge as part of their login to any IM and Presence Service interface.


Table 1 Task List for Security Setup on IM and Presence Service

Task: Configure Certificate Exchange Between IM and Presence Service and Cisco Unified Communications Manager
Description: Perform the following tasks:
  • Import the Cisco Unified Communications Manager certificate to the IM and Presence Service node, and then restart the SIP proxy service.
    Tip: You can import the certificate using either the Certificate Import Tool or manually using Cisco Unified IM and Presence OS Administration from Security > Certificate Management.
  • Download the certificate from IM and Presence Service, and then upload the certificate to Callmanager-trust on Cisco Unified Communications Manager.
  • Restart the Cisco Unified Communications Manager service.
Note: You must configure a SIP security profile and SIP trunk for IM and Presence Service before you can configure the certificate exchange between Cisco Unified Communications Manager and IM and Presence Service.

Task: Upload CA-Signed Certificates
Description: Upload the Certificate Authority (CA) signed certificates to IM and Presence Service for your deployment, which can be either a single-server or a multi-server deployment. Service restarts are required. See the related tasks for details.
  • tomcat certificate
  • cup-xmpp certificate
  • cup-xmpp-s2s certificate
Tip: You can upload these certificates on any IM and Presence Service node in the cluster. When this is done, the certificate and the associated signing certificates are automatically distributed to all the other IM and Presence Service nodes in the cluster.

Task: Configure Security Settings on IM and Presence Service
Description: When you import an IM and Presence Service certificate, IM and Presence Service automatically attempts to add the TLS peer subject to the TLS peer subject list and to the TLS context list. Verify that the TLS peer subject and TLS context configuration are set up to your requirements.

IM and Presence Service provides increased security for XMPP-based configurations. You can configure the XMPP secure modes on IM and Presence Service using Cisco Unified CM IM and Presence Administration from Security > Security > Settings.

Task: Configure FIPS 140-2 Mode
Description: IM and Presence Service meets Federal Information Processing Standard (FIPS) requirements. By default, IM and Presence Service is in non-FIPS mode. You must enable FIPS mode using the CLI. For more information, see the Command Line Interface Reference Guide for Cisco Unified Solutions.

Task: Create Login Banner
Description: You can create a banner that users acknowledge as part of their login to any IM and Presence Service interface. You create a .txt file using any text editor, include the important notifications that you want users to be made aware of, and upload it to the Cisco Unified IM and Presence OS Administration page. This banner then appears on all IM and Presence Service interfaces, notifying users of important information before they log in, including legal warnings and obligations. The following interfaces display this banner before and after a user logs in: Cisco Unified CM IM and Presence Administration, Cisco Unified IM and Presence Operating System Administration, Cisco Unified IM and Presence Serviceability, Cisco Unified IM and Presence Reporting, IM and Presence Disaster Recovery System, and Cisco Unified CM IM and Presence User Options.

Procedure
    Step 1   Create a .txt file with the contents you want to display in the banner.
    Step 2   Sign in to Cisco Unified IM and Presence Operating System Administration.
    Step 3   Choose Software Upgrades > Customized Logon Message.
    Step 4   Click Browse and locate the .txt file.
    Step 5   Click Upload File.

The banner will appear before and after login on most IM and Presence Service interfaces.

Note: The .txt file must be uploaded to each IM and Presence Service node separately.


IM and Presence Service Certificate Types

This section describes the different certificates required for the clients and services on IM and Presence Service.

Table 2 Certificate Types for Client Applications on IM and Presence Service

Client                                                                               Certificate
SIP client (Cisco Unified Communications Manager)                                    tomcat
XMPP client (Cisco Unified Personal Communicator Release 8.0, third-party client)    cup-xmpp

Table 3 Certificate Types for IM and Presence Services

Service                              Certificate    Certificate Trust Store  Notes
SIP Proxy                            cup            cup-trust
Presence Engine                      cup            cup-trust
SOAP                                 tomcat         directory-trust
AXL                                  tomcat         directory-trust
LDAP                                 tomcat         directory-trust          LDAP uses the tomcat certificate because directory/directory-trust is now tomcat/tomcat-trust.
Microsoft Exchange                                  cup-trust
Microsoft Lync/OCS/LCS Call Control  cup            cup-trust
SIP Federation                       cup            cup-trust
XMPP Federation                      cup-xmpp-s2s   cup-xmpp-trust           The trust certificates for cup-xmpp-s2s are stored in cup-xmpp-trust along with the general XMPP trust certificates.

Certificate Exchange Configuration Between IM and Presence Service and Cisco Unified Communications Manager

This module describes the exchange of self-signed certificates between the Cisco Unified Communications Manager node and the IM and Presence Service node. You can use the Certificate Import Tool on IM and Presence Service to automatically import the Cisco Unified Communications Manager certificate to IM and Presence Service. However, you must manually upload the IM and Presence Service certificate to Cisco Unified Communications Manager.

Only perform these procedures if you require a secure connection between IM and Presence Service and Cisco Unified Communications Manager.

Prerequisites for Configuring Security

Configure the following items on Cisco Unified Communications Manager:

• Configure a SIP security profile for IM and Presence Service.
• Configure a SIP trunk for IM and Presence Service:
  • Associate the security profile with the SIP trunk.
  • Configure the SIP trunk with the subject Common Name (CN) of the IM and Presence Service certificate.

Import Cisco Unified Communications Manager Certificate to IM and Presence Service

Procedure
    Step 1   Choose Cisco Unified CM IM and Presence Administration > System > Security > Certificate Import Tool.
    Step 2   Choose IM and Presence (IM/P) Service Trust from the Certificate Trust Store menu.
    Step 3   Enter the IP address, hostname or FQDN of the Cisco Unified Communications Manager node.
    Step 4   Enter a port number to communicate with the Cisco Unified Communications Manager node.
    Step 5   Click Submit.

Note: After the Certificate Import Tool completes the import operation, it reports whether or not it successfully connected to Cisco Unified Communications Manager, and whether or not it successfully downloaded the certificate from Cisco Unified Communications Manager. If the Certificate Import Tool reports a failure, see the Online Help for a recommended action. You can also manually import the certificate by choosing Cisco Unified IM and Presence OS Administration > Security > Certificate Management.

What to Do Next

Proceed to restart the SIP proxy service.

Restart SIP Proxy Service

Before You Begin

Import the Cisco Unified Communications Manager certificate to IM and Presence Service.

Procedure
    Step 1   Choose Cisco Unified IM and Presence Serviceability > Tools > Control Center - Feature Services on IM and Presence Service.
    Step 2   Choose Cisco SIP Proxy.
    Step 3   Click Restart.

What to Do Next

Proceed to download the certificate from IM and Presence Service.

Download Certificate from IM and Presence Service

Procedure
    Step 1   Choose Cisco Unified IM and Presence OS Administration > Security > Certificate Management on IM and Presence Service.
    Step 2   Click Find.
    Step 3   Choose the cup.pem file.
    Step 4   Click Download and save the file to your local computer.

Tip: Ignore any errors that IM and Presence Service displays regarding access to the cup.csr file; the CA (Certificate Authority) does not need to sign the certificate that you exchange with Cisco Unified Communications Manager.

What to Do Next

Proceed to upload the IM and Presence Service certificate to Cisco Unified Communications Manager.

Upload IM and Presence Service Certificate to Cisco Unified Communications Manager

Before You Begin

Download the certificate from IM and Presence Service.

Procedure
    Step 1   Choose Cisco Unified OS Administration > Security > Certificate Management on Cisco Unified Communications Manager.
    Step 2   Click Upload Certificate.
    Step 3   Choose Callmanager-trust from the Certificate Name menu.
    Step 4   Browse and choose the certificate (.pem file) previously downloaded from IM and Presence Service.
    Step 5   Click Upload File.

What to Do Next

Proceed to restart the Cisco Unified Communications Manager CallManager service.

Restart Cisco Unified Communications Manager Service

Before You Begin

Upload the IM and Presence Service certificate to Cisco Unified Communications Manager.

Procedure
    Step 1   Choose Cisco Unified Serviceability > Tools > Control Center - Feature Services on Cisco Unified Communications Manager.
    Step 2   Choose Cisco CallManager.
    Step 3   Click Restart.

What to Do Next

Proceed to configure SIP security settings on IM and Presence Service.

CA-Signed Certificate Upload to IM and Presence Service

This section describes how to upload the following types of CA-signed certificates to an IM and Presence Service deployment:

• tomcat certificate
• cup-xmpp certificate
• cup-xmpp-s2s certificate

CA-Signed Tomcat Certificate Task List

The high-level steps to upload a CA-signed Tomcat certificate to IM and Presence Service are:

1. Upload the Root Certificate and Intermediate Certificate of the signing Certificate Authority to IM and Presence Service.
2. Restart the Cisco Intercluster Sync Agent service.
3. Ensure that the CA certificates have been correctly synced to other clusters.
4. Upload the appropriate signed certificate to each IM and Presence Service node.
5. Restart the Cisco Tomcat service on all nodes.
6. Ensure that intercluster syncing is operating correctly.

Upload Root Certificate and Intermediate Certificate of the Signing Certificate Authority

When you upload the Root and Intermediate Certificates, you must upload each certificate in the certificate chain to IM and Presence Service from the Root Certificate down to the last Intermediate Certificate, as follows:

root > intermediate-1 > intermediate-2 > … > intermediate-N

With each certificate that you upload in the chain, you must specify which previously uploaded certificate signed it. For example:

• For intermediate-1, the root cert was used to sign it.
• For intermediate-2, the intermediate-1 cert was used to sign it.

You must upload the Root Certificate and the Intermediate Certificates, if any, to the trust store of the related leaf certificate on the IM and Presence database publisher node. Complete the following procedure to upload the Root Certificate and the Intermediate Certificate of the signing Certificate Authority (CA) to the IM and Presence Service deployment.

Procedure
    Step 1   On the IM and Presence database publisher node, choose Cisco Unified IM and Presence OS Administration > Security > Certificate Management.
    Step 2   Click Upload Certificate/Certificate chain.
    Step 3   From the Certificate Name drop-down list, choose tomcat-trust.
    Step 4   Enter a description for the signed certificate.
    Step 5   Click Browse to locate the file for the Root Certificate.
    Step 6   Click Upload File.
    Step 7   Upload each Intermediate Certificate in the same way using the Upload Certificate/Certificate chain window.

What to Do Next

Restart the Cisco Intercluster Sync Agent service.

Restart Cisco Intercluster Sync Agent Service

After you upload the Root and Intermediate certificates to the IM and Presence database publisher node, you must restart the Cisco Intercluster Sync Agent service on that node. This service restart ensures that the CA certificates are synced immediately to all other clusters.

Procedure
    Step 1   Log into the Admin CLI.
    Step 2   Run the following command: utils service restart Cisco Intercluster Sync Agent

Note: You can also restart the Cisco Intercluster Sync Agent service from the Cisco Unified Serviceability GUI.

What to Do Next

Verify that the CA certificates have synced to the other clusters.

Verify CA Certificates Have Synchronized to Other Clusters

After the Cisco Intercluster Sync Agent service has restarted, you must ensure that the CA certificate(s) have been correctly synchronized to other clusters. Complete the following procedure on each of the other IM and Presence database publisher nodes.

Procedure
    Step 1   Choose Cisco Unified CM IM and Presence Administration > Diagnostics > System Troubleshooter.
    Step 2   Under Inter-clustering Troubleshooter, find the test Verify that each TLS-enabled inter-cluster peer has successfully exchanged security certificates and verify that it has passed.
    Step 3   If the test shows an error, note the intercluster peer IP address; it should reference the cluster on which you uploaded the CA certificate(s). Continue with the following steps to resolve the issue.
    Step 4   Choose Presence > Inter-Clustering and click the link associated with the intercluster peer that was identified on the System Troubleshooter page.
    Step 5   Click Force Manual Sync.
    Step 6   Allow 60 seconds for the Inter-cluster Peer Status panel to auto-refresh.
    Step 7   Verify that the Certificate Status field shows "Connection is secure".
    Step 8   If the Certificate Status field does not show "Connection is secure", restart the Cisco Intercluster Sync Agent service on the IM and Presence database publisher node and then repeat steps 5 to 7.
             • To restart the service from the admin CLI, run the following command: utils service restart Cisco Intercluster Sync Agent
             • Alternatively, you can restart this service from the Cisco Unified IM and Presence Serviceability GUI.
    Step 9   Verify that the Certificate Status now shows "Connection is secure". This means that intercluster syncing is correctly established between the clusters and that the CA certificates that you uploaded are synced to the other clusters.

What to Do Next

Upload the signed certificate to each IM and Presence Service node.

Upload Signed Certificate to Each IM and Presence Service Node

When the CA certificates have correctly synced to all clusters, you can upload the appropriate signed certificate to each IM and Presence Service node.

Note: Cisco recommends that you sign all required tomcat certificates for a cluster and upload them at the same time. This process reduces the time to recover intercluster communications.

Procedure
    Step 1   Choose Cisco Unified IM and Presence OS Administration > Security > Certificate Management.
    Step 2   Click Upload Certificate/Certificate chain.
    Step 3   From the Certificate Name drop-down list, choose tomcat.
    Step 4   Enter a description for the signed certificate.
    Step 5   Click Browse to locate the file to upload.
    Step 6   Click Upload File.
    Step 7   Repeat for each IM and Presence Service node.

For more information about certificate management, see the Cisco Unified Communications Operating System Administration Guide.

What to Do Next

Restart the Cisco Tomcat service.

Restart Cisco Tomcat Service

After you upload the tomcat certificate to each IM and Presence Service node, you must restart the Cisco Tomcat service on each node.

Procedure
    Step 1   Log into the admin CLI.
    Step 2   Run the following command: utils service restart Cisco Tomcat
    Step 3   Repeat for each node.

What to Do Next

Verify that intercluster syncing is operating correctly.

Verify Intercluster Syncing

After the Cisco Tomcat service has restarted for all affected nodes within the cluster, you must verify that intercluster syncing is operating correctly. Complete the following procedure on each IM and Presence database publisher node in the other clusters.

Procedure
    Step 1   Choose Cisco Unified CM IM and Presence Administration > Diagnostics > System Troubleshooter.
    Step 2   Under Inter-clustering Troubleshooter, find the test Verify that each TLS-enabled inter-cluster peer has successfully exchanged security certificates and verify that it has passed.
    Step 3   If the test shows an error, note the intercluster peer IP address; it should reference the cluster on which you uploaded the CA certificate(s). Continue with the following steps to resolve the issue.
    Step 4   Choose Presence > Inter-Clustering and click the link associated with the intercluster peer that was identified on the System Troubleshooter page.
    Step 5   Click Force Manual Sync.
    Step 6   Check the Also resync peer's Tomcat certificates checkbox and click OK.
    Step 7   Allow 60 seconds for the Inter-cluster Peer Status panel to auto-refresh.
    Step 8   Verify that the Certificate Status field shows "Connection is secure".
    Step 9   If the Certificate Status field does not show "Connection is secure", restart the Cisco Intercluster Sync Agent service on the IM and Presence database publisher node and then repeat steps 5 to 8.
             • To restart the service from the admin CLI, run the following command: utils service restart Cisco Intercluster Sync Agent
             • Alternatively, you can restart this service from the Cisco Unified IM and Presence Serviceability GUI.
    Step 10  Verify that the Certificate Status now shows "Connection is secure". This means that intercluster syncing is now re-established between this cluster and the cluster for which the certificates were uploaded.

CA-Signed cup-xmpp Certificate Upload

The high-level steps to upload a CA-signed cup-xmpp certificate to IM and Presence Service are:

1. Upload the Root Certificate and Intermediate Certificate of the signing Certificate Authority to IM and Presence Service.
2. Restart the Cisco Intercluster Sync Agent service.
3. Ensure that the CA certificates have been correctly synced to other clusters.
4. Upload the appropriate signed certificate to each IM and Presence Service node.
5. Restart the Cisco XCP Router service on all nodes.

Upload Root Certificate and Intermediate Certificate of the Signing Certificate Authority

When you upload the Root and Intermediate Certificates, you must upload each certificate in the certificate chain to IM and Presence Service from the Root Certificate down to the last Intermediate Certificate, as follows:

root > intermediate-1 > intermediate-2 > … > intermediate-N

With each certificate that you upload in the chain, you must specify which previously uploaded certificate signed it. For example:

• For intermediate-1, the root cert was used to sign it.
• For intermediate-2, the intermediate-1 cert was used to sign it.

You must upload the Root Certificate and the Intermediate Certificates, if any, to the cup-xmpp-trust store on the IM and Presence database publisher node. Complete the following procedure to upload the Root Certificate and the Intermediate Certificate of the signing Certificate Authority (CA) to the IM and Presence Service deployment.

Procedure
    Step 1   On the IM and Presence database publisher node, choose Cisco Unified IM and Presence OS Administration > Security > Certificate Management.
    Step 2   Click Upload Certificate/Certificate chain.
    Step 3   From the Certificate Name drop-down list, choose cup-xmpp-trust.
    Step 4   Enter a description for the signed certificate.
    Step 5   Click Browse to locate the file for the Root Certificate.
    Step 6   Click Upload File.
    Step 7   Upload each Intermediate Certificate in the same way using the Upload Certificate/Certificate chain window.

What to Do Next

Restart the Cisco Intercluster Sync Agent service.

Restart Cisco Intercluster Sync Agent Service

After you upload the Root and Intermediate certificates to the IM and Presence database publisher node, you must restart the Cisco Intercluster Sync Agent service on that node. This service restart ensures that the CA certificates are synced immediately to all other clusters.

Procedure
    Step 1   Log into the Admin CLI.
    Step 2   Run the following command: utils service restart Cisco Intercluster Sync Agent

Note: You can also restart the Cisco Intercluster Sync Agent service from the Cisco Unified Serviceability GUI.

What to Do Next

Verify that the CA certificates have synced to the other clusters.

Verify CA Certificates Have Synchronized to Other Clusters

After the Cisco Intercluster Sync Agent service has restarted, you must ensure that the CA certificate(s) have been correctly synchronized to other clusters. Complete the following procedure on each of the other IM and Presence database publisher nodes.

Procedure
    Step 1   Choose Cisco Unified CM IM and Presence Administration > Diagnostics > System Troubleshooter.
    Step 2   Under Inter-clustering Troubleshooter, find the test Verify that each TLS-enabled inter-cluster peer has successfully exchanged security certificates and verify that it has passed.
    Step 3   If the test shows an error, note the intercluster peer IP address; it should reference the cluster on which you uploaded the CA certificate(s). Continue with the following steps to resolve the issue.
    Step 4   Choose Presence > Inter-Clustering and click the link associated with the intercluster peer that was identified on the System Troubleshooter page.
    Step 5   Click Force Manual Sync.
    Step 6   Allow 60 seconds for the Inter-cluster Peer Status panel to auto-refresh.
    Step 7   Verify that the Certificate Status field shows "Connection is secure".
    Step 8   If the Certificate Status field does not show "Connection is secure", restart the Cisco Intercluster Sync Agent service on the IM and Presence database publisher node and then repeat steps 5 to 7.
             • To restart the service from the admin CLI, run the following command: utils service restart Cisco Intercluster Sync Agent
             • Alternatively, you can restart this service from the Cisco Unified IM and Presence Serviceability GUI.
    Step 9   Verify that the Certificate Status now shows "Connection is secure". This means that intercluster syncing is correctly established between the clusters and that the CA certificates that you uploaded are synced to the other clusters.

What to Do Next

Upload the signed certificate to each IM and Presence Service node.

Upload Signed Certificate to Each IM and Presence Service Node

When the CA certificates have correctly synced to all clusters, you can upload the appropriate signed cup-xmpp certificate to each IM and Presence Service node.

Note: Cisco recommends that you sign all required cup-xmpp certificates for a cluster and upload them at the same time so that service impacts can be managed within a single maintenance window.

Procedure
    Step 1   Choose Cisco Unified IM and Presence OS Administration > Security > Certificate Management.
    Step 2   Click Upload Certificate/Certificate chain.
    Step 3   From the Certificate Name drop-down list, choose cup-xmpp.
    Step 4   Enter a description for the signed certificate.
    Step 5   Click Browse to locate the file to upload.
    Step 6   Click Upload File.
    Step 7   Repeat for each IM and Presence Service node.

For more information about certificate management, see the Cisco Unified Communications Operating System Administration Guide.

What to Do Next

Restart the Cisco XCP Router service on all nodes.

Restart Cisco XCP Router Service On All Nodes

Caution: A restart of the Cisco XCP Router affects service.

After you upload the cup-xmpp certificate to each IM and Presence Service node, you must restart the Cisco XCP Router service on each node.

Procedure
    Step 1   Log into the admin CLI.
    Step 2   Run the following command: utils service restart Cisco XCP Router
    Step 3   Repeat for each node.

Note: You can also restart the Cisco XCP Router service from the Cisco Unified IM and Presence Serviceability GUI.

CA-Signed cup-xmpp-s2s Certificate Upload

The high-level steps to upload a CA-signed cup-xmpp-s2s certificate to IM and Presence Service are:

1. Upload the Root Certificate and Intermediate Certificate of the signing Certificate Authority to IM and Presence Service.
2. Ensure that the CA certificates have been correctly synced to other clusters.
3. Upload the appropriate signed certificate to IM and Presence Service federation nodes (this certificate is not required on all IM and Presence Service nodes, only those used for federation).
4. Restart the Cisco XCP XMPP Federation Connection Manager service on all affected nodes.

Upload Root Certificate and Intermediate Certificate of Signing Certificate Authority

When you upload the Root and Intermediate Certificates, you must upload each certificate in the certificate chain to IM and Presence Service from the Root Certificate down to the last Intermediate Certificate, as follows:

root > intermediate-1 > intermediate-2 > … > intermediate-N

With each certificate that you upload in the chain, you must specify which previously uploaded certificate signed it. For example:

• For intermediate-1, the root cert was used to sign it.
• For intermediate-2, the intermediate-1 cert was used to sign it.

You must upload the Root Certificate and the Intermediate Certificates, if any, to the cup-xmpp-trust store on the IM and Presence database publisher node. Complete the following procedure to upload the Root Certificate and the Intermediate Certificate of the signing Certificate Authority (CA) to the IM and Presence Service deployment.
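The chain-ordering rule stated here is the same one that the tomcat-trust and cup-xmpp-trust sections of this guide rely on: the root goes in first, and each intermediate is uploaded after, and attributed to, the certificate that signed it. The following Python script is an added example and is not part of the Cisco guide or its tooling. It takes the subject and issuer names of a CA bundle (the names below are constructed for illustration, not from any real CA) and works out the root-to-last-intermediate upload order, naming the previously uploaded signer for each entry; it stops with an error if the bundle has no self-signed root, more than one, a certificate whose issuer is not in the bundle, or a branch, which are the cases where an upload would otherwise be rejected or attributed to the wrong signer. It follows name links only and does not verify signatures; the leaf (tomcat or cup-xmpp) certificate is uploaded separately to its own store and is not part of this chain.

```python
"""Work out the upload order for a CA chain: root first, then each
intermediate together with the previously uploaded certificate that signed it.

Added example, not part of the Cisco guide. The certificate records below are
constructed for illustration; a real chain would be parsed from the CA's PEM
files. Only subject/issuer name links are followed; no signatures are verified.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CertRecord:
    """Minimal view of a CA certificate: who it is and who issued it."""
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainError(ValueError):
    """The supplied certificates do not form one root-to-last-intermediate chain."""


def upload_order(certs: list[CertRecord]) -> list[tuple[str, str | None]]:
    """Return [(subject, signer_subject), ...] from the root down.

    The root comes first with signer None; every later entry names the
    certificate uploaded immediately before it, which is the one that signed it.
    Raises ChainError on a duplicate subject, a missing or extra root, a branch,
    or a certificate whose issuer is not reachable from the root.
    """
    by_subject: dict[str, CertRecord] = {}
    for cert in certs:
        if cert.subject in by_subject:
            raise ChainError(f"duplicate subject: {cert.subject}")
        by_subject[cert.subject] = cert

    roots = [c for c in certs if c.is_self_signed]
    if len(roots) != 1:
        raise ChainError(f"expected exactly one self-signed root, found {len(roots)}")
    root = roots[0]

    # Index the non-root certificates by the issuer that signed them.
    children: dict[str, list[CertRecord]] = {}
    for cert in certs:
        if not cert.is_self_signed:
            children.setdefault(cert.issuer, []).append(cert)

    order: list[tuple[str, str | None]] = [(root.subject, None)]
    reached = {root.subject}
    current = root
    while True:
        signed_by_current = children.get(current.subject, [])
        if not signed_by_current:
            break
        if len(signed_by_current) > 1:
            raise ChainError(
                f"{current.subject} signed more than one supplied certificate; "
                "upload one chain at a time"
            )
        current = signed_by_current[0]
        reached.add(current.subject)
        order.append((current.subject, current.issuer))

    # Anything not reached from the root has an issuer that is missing from the
    # bundle (or sits in a loop), so it could not be attributed to a signer.
    unreached = [c.subject for c in certs if c.subject not in reached]
    if unreached:
        raise ChainError(f"issuer not in supplied chain for: {', '.join(unreached)}")
    return order


def describe_uploads(certs: list[CertRecord]) -> list[str]:
    """One line per upload, in the guide's wording (root, then each signer)."""
    lines = []
    for subject, signer in upload_order(certs):
        if signer is None:
            lines.append(f"upload {subject} (root, self-signed)")
        else:
            lines.append(f"upload {subject}; signed by previously uploaded {signer}")
    return lines


# Constructed sample bundle: a private root and two intermediates, deliberately
# supplied out of order, as a CA often ships them.
SAMPLE_CHAIN = [
    CertRecord("CN=Example Issuing CA 2", "CN=Example Issuing CA 1"),
    CertRecord("CN=Example Root CA", "CN=Example Root CA"),
    CertRecord("CN=Example Issuing CA 1", "CN=Example Root CA"),
]

if __name__ == "__main__":
    for line in describe_uploads(SAMPLE_CHAIN):
        print(line)
```

Run against the sample bundle, the script lists the root first and then each issuing CA with the signer to select in the Upload Certificate/Certificate chain window. The unreached-certificate check is the one that matters most in practice: a bundle from which the CA omitted one intermediate passes a casual inspection but cannot be attributed step by step, and the script refuses it before anything is uploaded.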

Procedure
    Step 1   On the IM and Presence database publisher node, choose Cisco Unified IM and Presence OS Administration > Security > Certificate Management.
    Step 2   Click Upload Certificate/Certificate chain.
    Step 3   From the Certificate Name drop-down list, choose cup-xmpp-trust.
    Step 4   Enter a description for the signed certificate.
    Step 5   Click Browse to locate the file for the Root Certificate.
    Step 6   Click Upload File.
    Step 7   Upload each Intermediate Certificate in the same way using the Upload Certificate/Certificate chain window.

What to Do Next

Verify that the CA certificates have synced to other clusters.

                                      Verify CA Certificates Have Synchronized to Other Clusters

                                      After the Cisco Intercluster Sync Agent service has restarted, you must ensure that the CA certificate(s) have been correctly synchronized to other clusters. Complete the following procedure on each of the other IM and Presence database publisher nodes.

                                      Procedure
                                        Step 1   Choose Cisco Unified CM IM and Presence Administration > Diagnostics > System Troubleshooter.
                                        Step 2   Under Inter-clustering Troubleshooter, find the test Verify that each TLS-enabled inter-cluster peer has successfully exchanged security certificates and verify that it has passed.
                                        Step 3   If the test shows an error, note the intercluster peer IP address; it should reference the cluster on which you uploaded the CA certificate(s). Continue with the following steps to resolve the issue.
                                        Step 4   Choose Presence > Inter-Clustering and click the link associated with the intercluster peer that was identified on the System Troubleshooter page.
                                        Step 5   Click Force Manual Sync.
                                        Step 6   Allow 60 seconds for the Inter-cluster Peer Status panel to auto-refresh.
                                        Step 7   Verify that the Certificate Status field shows "Connection is secure".
                                        Step 8   If the Certificate Status field does not show "Connection is secure", restart the Cisco Intercluster Sync Agent service on the IM and Presence database publisher node and then repeat steps 5 to 7.
                                        • To restart the service from the admin CLI run the following command: utils service restart Cisco Intercluster Sync Agent
                                        • Alternatively, you can restart this service from the Cisco Unified IM and Presence Serviceability GUI.
                                        Step 9   Verify that the Certificate Status now shows "Connection is secure". This means that intercluster syncing is correctly established between the clusters and that the CA certificates that you uploaded are synced to the other clusters.

                                        What to Do Next

                                        Upload the signed certificate to each IM and Presence Service node.

                                        Upload Signed Certificate to Federation Nodes

                                        When the CA certificates have correctly synced to all clusters, you can upload the appropriate signed certificate to each IM and Presence Service federation node. You do not need to upload the certificate to all nodes, only nodes for federation.

                                        Note

                                        Cisco recommends that you sign all required cup-xmpp-s2s certificates for a cluster and upload them at the same time.

                                        Procedure
                                          Step 1   Choose Cisco Unified IM and Presence OS Administration > Security > Certificate Management.
                                          Step 2   Click Upload Certificate/Certificate chain.
                                          Step 3   From the Certificate Name drop-down list, choose cup-xmpp.
                                          Step 4   Enter a description for the signed certificate.
                                          Step 5   Click Browse to locate the file to upload.
                                          Step 6   Click Upload File.
                                          Step 7   Repeat for each IM and Presence Service federation node.

                                          For more information about certificate management, see the Cisco Unified Communications Operating System Administration Guide.

                                          What to Do Next

                                          Restart the Cisco XCP XMPP Federation Connection Manager service on the affected nodes.

                                          Restart Cisco XCP XMPP Federation Connection Manager Service

                                          After you upload the cup-xmpp-s2s certificate to each IM and Presence Service federation node, you must restart the Cisco XCP XMPP Federation Connection Manager service on each federation node.

                                          Procedure
                                            Step 1   Log into the admin CLI.
                                            Step 2   Run the following command: utils service restart Cisco XCP XMPP Federation Connection Manager
                                            Step 3   Repeat for each federation node.

                                            SIP Security Settings Configuration on IM and Presence Service

                                            Configure TLS Peer Subject

                                            When you import an IM and Presence Service certificate, IM and Presence Service automatically attempts to add the TLS peer subject to the TLS peer subject list, and to the TLS context list. Verify the TLS peer subject and TLS context configuration is set up to your requirements.

                                            Procedure
                                              Step 1   Choose Cisco Unified CM IM and Presence Administration > System > Security > TLS Peer Subjects.
                                              Step 2   Click Add New.
                                              Step 3   Perform one of the following actions for the Peer Subject Name:
                                              1. Enter the subject CN of the certificate that the node presents.
                                              2. Open the certificate, look for the CN and paste it here.
                                              Step 4   Enter the name of the node in the Description field.
                                              Step 5   Click Save.

                                              What to Do Next

                                              Proceed to configure the TLS context.
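The chain-ordering rule from the Root and Intermediate Certificate procedure above (root > intermediate-1 > … > intermediate-N, each certificate signed by the previously uploaded one) and the TLS peer subject check in this procedure can both be exercised offline. The following Go program is an added example; it is not part of the Cisco guide and is not IM and Presence Service code. It builds a constructed sample PKI (a root, two intermediates and one node certificate with the placeholder CN imp-node1.example.com), rejects a chain presented out of upload order, and accepts a peer certificate only when it chains to the trusted root and its subject CN appears on the configured peer subject list. The function names and sample CNs are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for subjectCN. With parent == nil it is self-signed (a root CA);
// otherwise it is signed by parent using parentKey. Constructed sample PKI, not Cisco-issued.
func mkCert(subjectCN string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subjectCN},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildSamplePKI constructs root > intermediate-1 > intermediate-2 plus a node certificate
// signed by intermediate-2 (placeholder names; constructed sample data).
func BuildSamplePKI() (chain []*x509.Certificate, node *x509.Certificate) {
	root, rootKey := mkCert("Sample Root CA", true, nil, nil)
	i1, i1Key := mkCert("Sample Intermediate 1", true, root, rootKey)
	i2, i2Key := mkCert("Sample Intermediate 2", true, i1, i1Key)
	node, _ = mkCert("imp-node1.example.com", false, i2, i2Key)
	return []*x509.Certificate{root, i1, i2}, node
}

// CheckUploadOrder enforces the upload order root > intermediate-1 > ... > intermediate-N:
// the first certificate must be a self-signed CA and every later certificate must be
// signed by the one immediately before it (the "previously uploaded certificate").
func CheckUploadOrder(chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty chain")
	}
	if err := chain[0].CheckSignatureFrom(chain[0]); err != nil {
		return fmt.Errorf("first certificate %q is not a self-signed root CA: %w", chain[0].Subject.CommonName, err)
	}
	for i := 1; i < len(chain); i++ {
		prev, cur := chain[i-1], chain[i]
		if err := cur.CheckSignatureFrom(prev); err != nil {
			return fmt.Errorf("certificate %d (%q) was not signed by certificate %d (%q): %w", i, cur.Subject.CommonName, i-1, prev.Subject.CommonName, err)
		}
	}
	return nil
}

// PeerSubjectAllowed models TLS peer authentication against a peer subject list: the presented
// certificate must chain to the trusted root through the uploaded intermediates, and its
// subject CN must be one of the configured TLS peer subjects.
func PeerSubjectAllowed(presented *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, peerSubjects []string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	for _, cn := range peerSubjects {
		if cn == presented.Subject.CommonName {
			return nil
		}
	}
	return fmt.Errorf("subject CN %q is not in the TLS peer subject list", presented.Subject.CommonName)
}

func main() {
	chain, node := BuildSamplePKI()
	fmt.Println("ordered chain:", CheckUploadOrder(chain))
	fmt.Println("swapped intermediates:", CheckUploadOrder([]*x509.Certificate{chain[0], chain[2], chain[1]}))
	fmt.Println("peer on list:", PeerSubjectAllowed(node, chain[1:], chain[0], []string{"imp-node1.example.com"}))
	fmt.Println("peer not on list:", PeerSubjectAllowed(node, chain[1:], chain[0], []string{"other.example.com"}))
}
```

The swapped-intermediate case fails at the second position because intermediate-2 was not signed by the root, which is the same situation the GUI flags when you name the wrong signing certificate for an intermediate. The peer check deliberately validates the chain before comparing the CN, so a certificate with a matching CN but an untrusted issuer is still refused.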

                                              Configure TLS Context

                                              When you import an IM and Presence Service certificate, IM and Presence Service automatically attempts to add the TLS peer subject to the TLS peer subject list, and to the TLS context list. Verify the TLS peer subject and TLS context configuration is set up to your requirements.

                                              Before You Begin

                                              Configure a TLS peer subject on IM and Presence Service.

                                              Procedure
                                                Step 1   Choose Cisco Unified CM IM and Presence Administration > System > Security > TLS Context Configuration.
                                                Step 2   Click Find.
                                                Step 3   Choose Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.
                                                Step 4   From the list of available TLS peer subjects, choose the TLS peer subject that you configured.
                                                Step 5   Move this TLS peer subject to Selected TLS Peer Subjects.
                                                Step 6   Click Save.
                                                Step 7   Choose Cisco Unified IM and Presence Serviceability > Tools > Service Activation.
                                                Step 8   Restart the Cisco SIP Proxy service.

                                                Troubleshooting Tip

                                                You must restart the SIP proxy service before any changes that you make to the TLS context take effect.


                                                Configure SIP Proxy-to-Proxy Intracluster Protocol Type

                                                 Choose the protocol that IM and Presence Service uses to route SIP messages securely in an intracluster deployment. The default value is the TLS protocol. Use TLS if a cluster node sends traffic over an unsecured network and you want a secure (encrypted) connection channel.

                                                Procedure
                                                  Step 1   Choose System > Security > General Settings.
                                                  Step 2   Choose a protocol type from the SIP Intra-cluster Proxy-to-Proxy Transport Protocol menu.
                                                  Step 3   Click Save.

                                                  Troubleshooting Tip

                                                  You must restart the SIP proxy service before any changes that you make to the SIP proxy protocol take effect.


                                                  XMPP Security Settings Configuration on IM and Presence Service

                                                  XMPP Security Modes

                                                  IM and Presence Service provides increased security for XMPP-based configuration. The following table describes these XMPP security modes. To configure the XMPP security modes on IM and Presence Service, choose Cisco Unified CM IM and Presence Administration > System > Security > Settings.

                                                  Table 4 XMPP Secure Mode Descriptions

                                                  Secure Mode

                                                  Description

                                                  Enable XMPP Client To IM/P Service Secure Mode

                                                  If you turn on this setting, IM and Presence Service establishes a secure TLS connection between the IM and Presence Service nodes and XMPP client applications in a cluster. IM and Presence Service turns on this secure mode by default.

                                                  We recommend that you do not turn off this secure mode unless the XMPP client application can protect the client login credentials in nonsecure mode. If you do turn off the secure mode, verify that you can secure the XMPP client-to-node communication in some other way.

                                                  Enable XMPP Router-to-Router Secure Mode

                                                  If you turn on this setting, IM and Presence Service establishes a secure TLS connection between XMPP routers in the same cluster, or in different clusters. IM and Presence Service automatically replicates the XMPP certificate within the cluster and across clusters as an XMPP trust certificate. An XMPP router will attempt to establish a TLS connection with any other XMPP router that is in the same cluster or a different cluster, and is available to establish a TLS connection.

                                                  Enable Web Client to IM/P Service Secure Mode

                                                  If you turn on this setting, IM and Presence Service establishes a secure TLS connection between the IM and Presence Service nodes and XMPP-based API client applications. If you turn on this setting, upload the certificates or signing certificates for the web client in the cup-xmpp-trust repository on IM and Presence Service.

                                                  If you update the XMPP security settings, restart the services. Perform one of these actions:

                                                  • Restart the Cisco XCP Connection Manager if you edit Enable XMPP Client To IM/P Service Secure Mode. Choose Cisco Unified IM and Presence Serviceability > Tools > Control Center - Feature Services to restart this service.
                                                  • Restart the Cisco XCP Router if you edit the Enable XMPP Router-to-Router Secure Mode. Choose Cisco Unified IM and Presence Serviceability > Tools > Control Center - Network Services to restart this service.
                                                  • Restart the Cisco XCP Web Connection Manager if you edit Enable Web Client To IM/P Service Secure Mode. Choose Cisco Unified IM and Presence Serviceability > Tools > Control Center - Feature Services to restart this service.

                                                  Configure XMPP certificate settings

                                                  Procedure
                                                    Step 1   Select Cisco Unified Communications Manager IM and Presence Administration > System > Security > Settings.
                                                    Step 2   Enter a node-to-node domain name for this IM and Presence Service cluster, for example, ‘cisco.com’.
                                                    Step 3   Check Use Domain Name for XMPP Certificate Subject Alternative Name if you want the general XMPP certificate to use the same Domain Name as the XMPP node-to-node certificate.
                                                    Note    In Release 9.0(1), this field is called Use Domain Name for XMPP Certificate Subject Common Name.
                                                    Step 4   Select Save.
                                                    Step 5   Restart the Cisco XCP Router service. Select Cisco Unified IM and Presence Serviceability > Tools > Control Center - Network Services > Cisco XCP Router to restart this service.

                                                    Troubleshooting Tip

                                                    If you change the node-to-node domain name value, you must regenerate affected XMPP S2S certificates before you restart the Cisco XCP Router service.


                                                    FIPS 140-2 Mode Configuration

                                                    FIPS 140-2 Mode

                                                    The Federal Information Processing Standard (FIPS) is a U.S. and Canadian government certification standard that defines requirements that cryptographic modules must follow.

                                                     The IM and Presence Service is FIPS 140-2 compliant, in accordance with the U.S. National Institute of Standards and Technology (NIST), and can operate in FIPS mode at level 1 compliance.

                                                    When you enable FIPS 140-2 mode, IM and Presence Service reboots, runs certification self-tests at start-up, performs the cryptographic modules integrity check, and then regenerates the keying materials. At this point, IM and Presence Service operates in FIPS 140-2 mode.

                                                     IM and Presence Service meets FIPS requirements, including the following: it performs startup self-tests and restricts operation to a list of approved cryptographic functions.

                                                     IM and Presence FIPS mode uses FIPS 140-2 level 1 validated OpenSSL FIPS Module version 1.2. The relevant OpenSSL documentation can be found at: http://www.openssl.org/docs/fips/

                                                    In IM and Presence Service, you can perform the following FIPS-related tasks:

                                                    • Enable FIPS 140-2 mode
                                                    • Disable FIPS 140-2 mode
                                                    • Check the status of FIPS 140-2 mode

                                                    Note


                                                    By default, IM and Presence Service is in non-FIPS mode. You must enable FIPS mode using the CLI. For more information, see the Command Line Interface Reference Guide for Cisco Unified Solutions.


                                                    Node Reboot in FIPS 140-2 Mode

                                                    When FIPS is enabled or disabled, the IM and Presence Service node is automatically rebooted. When an IM and Presence Service node reboots in FIPS 140-2 mode, it will trigger FIPS startup self-tests in each of the FIPS 140-2 modules after rebooting.


                                                    Caution


                                                     If any of these self-tests fail, IM and Presence Service halts. If the startup self-test fails because of a transient error, restarting the IM and Presence Service node fixes the issue. However, if the startup self-test error persists, it indicates a critical problem in the FIPS module, and the only option is to use a recovery CD.


                                                    Force Manual Certificate Synchronization

                                                     When FIPS is enabled, all certificates are regenerated. However, certificates may not be exchanged between intercluster peers. If this situation arises, follow the procedure below to manually sync the certificates between intercluster peers.


                                                    Note


                                                    Certificates will not be exchanged between intercluster peers where one peer has FIPS enabled and the other peer does not have FIPS enabled. You can only sync certificates between intercluster peers when all peers are in FIPS mode.


                                                    Procedure
                                                       Step 1   Choose Cisco Unified CM IM and Presence Administration > Presence > Inter-Clustering.
                                                      Step 2   Select the intercluster peer whose certificate is not present and choose the Force Manual Sync option.
                                                      Step 3   Note the configuration details and click Delete.
                                                       Step 4   Enable FIPS from the CLI using this command: utils fips enable. The node reboots.
                                                      Step 5   Choose Cisco Unified CM IM and Presence Administration > Presence > Inter-Clustering and re-add the intercluster peer.
                                                      Step 6   Verify that all certificates are synced.
                                                      Note   

                                                      This may take several minutes.

                                                      Step 7   If the certificates do not sync after 20 minutes, select the intercluster peer whose certificate is not present and choose the Force Manual Sync option.
                                                      Note   

                                                      Cisco recommends that you allow ten minutes after importing intermediate or root Certificate Authority certificates before importing signed certificates.