SIP federation security certificate configuration with Cisco Adaptive Security Appliance
IM and Presence Service Release 9.0(1) or later supports interdomain federation with Microsoft Lync. Any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.
Generate key pair and trustpoints on Cisco Adaptive Security Appliance
You need to generate the key pair for this certification (for example cup_proxy_key), and configure a trustpoint to identify the self-signed certificate from Cisco Adaptive Security Appliance to IM and Presence Service (for example cup_proxy). You need to specify the enrollment type as "self" to indicate you are generating a self-signed certificate on CiscoAdaptive Security Appliance, and specify the certificate subject name as the IP address of the inside interface.
Before You Begin
Ensure you carried out the configuration tasks described in the following chapters:
Import IM and Presence Service certificate into Cisco Adaptive Security Appliance
In order to import the IM and Presence Service certificate onto Cisco Cisco Adaptive Security Appliance, you need to create a trustpoint to identify the imported certificate from IM and Presence Service (e.g. cert_from_cup), and specify the enrollment type as "terminal" to indicate that you will paste the certificate received from IM and Presence Service into the terminal.
It is essential that IM and Presence Service, Cisco Unified Communications Manager and Cisco Adaptive Security Appliance servers are all syncing off the same NTP source.
When generating a trustpoint, you must specify an enrollment method to be used with the trustpoint. You can use Simple Certificate Enrollment Process (SCEP) as the enrollment method (assuming you are using a Microsoft CA), where you use the enrollment url command to define the URL to be used for SCEP enrollment with the trustpoint you declared. The URL defined should be the URL of your CA.
You can also use manual enrollment as the enrollment method, where you use the enrollment terminal command to indicate that you will paste the certificate received from the CA into the terminal. Both enrollment method procedures are described in this section. Refer to the Cisco Security Appliance Command Line Configuration Guide for further details about the enrollment method.
In order to use SCEP, you need to download the Microsoft SCEP add-on from the following URL:
Enter this command to generate a trustpoint to identify the CA.
crypto ca trustpoint <trustpoint_name>
Use the "client-types" sub-command to specify the client connection types for the trustpoint that can be used to validate the certificates associated with a user connection. Enter this command to specify a "client-types ssl" configuration which indicates that SSL client connections can be validated using this trustpoint:
(config-ca-trustpoint)# client-types ssl
Enter this command to configure the FQDN of the public IM and Presence Service address:
You may be issued a warning regarding VPN authentication here.
Enter this command to configure a keypair for the trustpoint:
Enter this command to configure the enrollment method for the trustpoint:
enrollment url http://<ip address of CA>/certsrv/mscep/mscep.dll
Enter this command to obtain the CA certificate for the trustpoint you configured:
crypto ca authenticate <trustpoint_name>
INFO: Certificate has the following attributes:
Fingerprint: cc966ba6 90dfe235 6fe632fc 2e521e48
Enter yes when you are prompted to accept the certificate from the CA.
Do you accept this certificate? [yes/no]: yesTrustpoint CA certificate accepted.
Run the crypto ca enroll command.
crypto ca enroll <trustpoint_name>
The following warning output displays:
%WARNING: The certificate enrollment is configured with an fqdnthat differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Enter yes when you are prompted to continue with the enrollment.
Would you like to continue with this enrollment? [yes/no]: yes% Start certificate enrollment..
Enter a password when you are prompted to create a challenge password.
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Re-enter password: **********
Enter no when you are prompted to include the device serial number in the subject name.
Enter yes when you are prompted to request the certificate from the CA.
Request certificate from CA? [yes/no]: yes% Certificate request sent to Certificate Authority
Go to the CA and issue the pending certificate (if the certificate was not issued automatically).
This procedure describes how to upload the certificate on the Access Edge server using the Certificate Wizard. You can also import the certificates manually on the Access Edge server by selecting Microsoft Office Communications Server 2007 > Properties > Edge Interfaces.
Create custom certificate for Access Edge using enterprise certificate authority
Refer to these instructions if you are using a Microsoft Enterprise Certificate Authority to issue a client/server role certificate to the external interface of Access Edge or to the public interface of the Cisco Adaptive Security Appliance.
Before You Begin
These steps require that the Certificate Authority is an Enterprise CA and is installed on the Enterprise Edition of either Windows Server 2003 or 2008.
For Step 5, use a more appropriate name for this specific template, such as Mutual Authentication Certificate.
Follow these steps in place of Steps 7-12 from the Microsoft site:
Select the Extensions tab. Make sure that under Application Policies that both Client Authentication and Server Authentication are present and that no other Policies are present. If these policies are not available, then you must add them before proceeding.
In the Edit Application Policies Extension dialog box, select Add.
In the Add Application Policy dialog box, select Client Authentication, press Shift and select Server Authentication, and then click Add.
In the Edit Application Policies Extension dialog box, select any other policy that may be present and then select Remove.
In the Properties of New Template dialog box, you should now see listed as the description of Application Policies: Client Authentication, Server Authentication.
Select the Issuance Requirement tab. If you do not want the Certificate to be automatically issued, then select CA certificate manager approval. Otherwise, leave this option blank.
Select the Security tab and ensure that all required users and groups have both read and enroll permission.
Select the Request Handling tab and select the CSP button.
On the CSP Selection dialog box select Requests must use one of the following CSP’s.
From the list of CSP’s select Microsoft Basic Cryptographic Provider v1.0 and Microsoft Enhanced Cryptographic Provider v1.0, and select OK.
Continue with Steps 13-15 from the Microsoft site: Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority.
For Step 5, select the name of the certificate template you created previously, such as Mutual Authentication Certificate and enter the external FQDN of the access edge in the Name field.
Follow these steps in place of Steps 7-8 from the Microsoft site:
If the certificate request is automatically issued then you will be presented with an option to install the signed certificate. Select Install this Certificate.
If the certificate request is not automatically issued then you will need to wait for the administrator to issue the certificate. Once issued:
On the member server, load Internet Explorer and connect to the Web enrollment service with the address http://<server>/certsrv where <server> is the name or IP address of the Enterprise CA.
On the Welcome page, select View the status of a pending certificate request.
Select the issued certificate and select Install this Certificate.
Security certificate configuration on Lync Edge server for TLS federation
The following guide from Microsoft's TechNet Library (http://technet.microsoft.com/en-us/library/gg398409.aspx) explains how to configure certificates on Access Edge for TLS federation with Microsoft Lync. IM and Presence Service requires Mutual TLS authentication for federated connections, therefore you must configure Microsoft Lync certificates to support both Server and Client Authentication. When you follow the above guide, skip section 2 and move instead to section 3 which describes how to create a certificate request for the external interface of the Edge Server to support public IM connectivity with AOL. AOL has the same mutual TLS authentication requirement as IM and Presence Service. You can also use this guide to configure Lync Server to federate directly with IM and Presence Service over TLS.
Security certificate exchange between Cisco Adaptive Security Appliance and AOL SIP access gateway
AOL requires that the Cisco Adaptive Security Appliance certificate is signed by a trusted Certificate Authority. AOL has an established trust list of Certificate Authorities (CA) such as those commonly used in Windows or those in libraries distributed with the major browsers. If you wish to use a CA that is not on the AOL trust list, work with your Cisco representative to provide this information to AOL.
A sample configuration workflow that describes in detail how to configure certificate exchange between Cisco Adaptive Security Appliance and a foreign domain (Microsoft Access Edge) using the Verisign CA is provided in the appendix of this guide. Use this procedure as a reference to configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA. A high-level overview of the configuration steps is provided below.
To configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA, complete these steps:
The IM and Presence Service server certificate subject CN must match FQDN of the IM and Presence Service node. The public Certificate on Cisco Adaptive Security Appliance for IM and Presence Service and the CN must be the same as the Federation Routing IM and Presence FQDN service parameter value.
Submit the CSR to the Verisign CA.
Verisign CA provides you with the following certificates: