Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
Security Certificate Configuration for XMPP Federation

To configure security for XMPP federation, you must complete the following procedures:

  1. Configure the domain for the cup-xmpp certificate.
  2. Create the certificate once using one of the following types of certificates:
    • Self-signed certificate for XMPP federation
    • CA-signed certificate for XMPP federation
  3. Import the root CA certificate. You must repeat this procedure every time you federate with a new enterprise whose CA you do not already trust. Likewise, you should follow this procedure if the new enterprise uses self-signed certificates, where the self-signed certificates are uploaded instead of the root CA certificate.

Configure Domain for XMPP Certificate

For XMPP federation, the Subject Common Name (CN) for the certificate must contain the domain of the IM and Presence Service node.

Procedure
    Step 1   Log in to the Cisco Unified CM IM and Presence Administration user interface. Choose System > Security > Settings.
    Step 2   In the Domain name for XMPP Server-to-Server certificate Subject Common name field, enter the domain name of the IM and Presence Service node.
    Tip   

    You can configure a wildcard domain here, for example, *.example.net if you deploy the Chat feature on the IM and Presence Service, and the chat component is a subdomain of the parent domain.

    Step 3   If you want the general XMPP certificate to use the same Domain Name as the XMPP server-to-server certificate, check the Use Domain Name for XMPP Certificate Subject Common Name check box.
    Step 4   Click Save.

    What to Do Next

    Create the certificate once using one of the following procedures:

    • Use a Self-Signed Certificate for XMPP Federation
    • Use of a CA Signed Certificate for XMPP Federation

    Tips:

    • If you make any changes to this configuration, you must restart the Cisco XCP Router service. Log in to the Cisco Unified IM and Presence Serviceability user interface. Choose Tools > Control Center - Network Services to restart this service.
    • If you change a server-to-server domain name value, you must regenerate affected XMPP S2S certificates before you restart the Cisco XCP Router service.

    Use a Self-Signed Certificate for XMPP Federation

    This section describes how to use a self-signed certificate for XMPP federation. For information about using a CA-signed certificate, see Use of a CA Signed Certificate for XMPP Federation.

    Procedure
      Step 1   Log in to the Cisco Unified IM and Presence Operating System Administration user interface. Choose Security > Certificate Management.
      Step 2   Click Generate Self-signed.
      Step 3   From the Certificate Purpose drop-down list, choose cup-xmpp-s2s and click Generate.
      Step 4   Restart the Cisco XCP XMPP Federation Connection Manager service. Log in to the Cisco Unified IM and Presence Serviceability user interface. Choose Tools > Control Center - Network Services to restart this service.
      Step 5   Download and send the certificate to the other enterprise so that it can be added as a trusted certificate on their XMPP server. This can be an IM and Presence Service node or another XMPP server.

      What to Do Next

      Use of a CA Signed Certificate for XMPP Federation

      Use of a CA Signed Certificate for XMPP Federation

      This section describes how to use a CA signed certificate. For information about using a self-signed certificate, see Use a Self-Signed Certificate for XMPP Federation.

      Generate a Certificate Signing Request for XMPP Federation

      This procedure describes how to generate a Certificate Signing Request (CSR) for a Microsoft Certificate Services CA.


      Note


      While this procedure generates a CSR for signing by a Microsoft Certificate Services CA, the steps to generate the CSR (steps 1 to 3) apply when requesting a certificate from any Certificate Authority.


      Before You Begin

      Configure the domain for the XMPP certificate; see Configure Domain for XMPP Certificate.

      Procedure
        Step 1   Log in to the Cisco Unified IM and Presence Operating System Administration user interface. Choose Security > Certificate Management.
        Step 2   To generate the CSR, perform these steps:
        1. Click Generate CSR.
        2. From the Certificate Purpose drop-down list, choose cup-xmpp-s2s for the certificate name.
        3. Click Generate.
        4. Click Close, and return to the main certificate window.
        Step 3   To download the .csr file to your local machine:
        1. Click Download CSR.
        2. From Download Certificate Signing Request window, choose the cup-xmpp-s2s.csr file.
        3. Click Download CSR to download this file to your local machine.
        Step 4   Using a text editor, open the cup-xmpp-s2s.csr file.
        Step 5   Copy the contents of the CSR file.

        You must copy all information from and including

        -----BEGIN CERTIFICATE REQUEST-----

        to and including

        -----END CERTIFICATE REQUEST-----

        Step 6   In your internet browser, browse to your CA server, for example: http://<name of your Issuing CA Server>/certsrv.
        Step 7   Click Request a certificate.
        Step 8   Click Advanced certificate request.
        Step 9   Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
        Step 10   Paste the contents of the CSR file (that you copied in step 5) into the Saved Request field.
        Step 11   Click Submit.
        Step 12   In your internet browser, return to the URL: http://<name of your Issuing CA Server>/certsrv.
        Step 13   Click View the status of a pending certificate request.
        Step 14   Click on the certificate request that you issued in the previous section.
        Step 15   Click Base 64 encoded.
        Step 16   Click Download certificate.
        Step 17   Save the certificate to your local machine:
        1. Specify a certificate file name cup-xmpp-s2s.pem.
        2. Save the certificate as type Security Certificate.

        What to Do Next

        Upload a CA-Signed Certificate for XMPP Federation

        Troubleshooting Tips

        • If the list of supported domains on IM and Presence Service changes, then the cup-xmpp-s2s certificate must be regenerated to reflect the new domain list.
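        Two mistakes the procedure above guards against are pasting an incomplete PEM block into the CA's Saved Request field and issuing a certificate whose Subject CN does not cover the node's XMPP domain (including the wildcard case from the Configure Domain tip). The following is an added pre-flight check, not code from the Cisco guide: it extracts the CSR block exactly from the BEGIN line to the END line inclusive, sanity-checks that the body decodes to DER, and tests a CN (literal or leftmost-label wildcard, semantics assumed after RFC 6125 since the guide does not define them) against a domain. The embedded CSR file is constructed; its body is a 5-byte DER stand-in, not a real PKCS#10 request.

```python
import base64
import binascii

# Constructed sample of a downloaded cup-xmpp-s2s.csr with stray text around it;
# "MAMCAQU=" decodes to a tiny DER SEQUENCE (stand-in, not a real PKCS#10 CSR).
SAMPLE_CSR_FILE = """\
Certificate request for cup-xmpp-s2s (a stray line, not part of the PEM block)
-----BEGIN CERTIFICATE REQUEST-----
MAMCAQU=
-----END CERTIFICATE REQUEST-----
trailing notes that must not be pasted either
"""

def extract_pem_block(text, label):
    """Return the PEM block for `label` exactly as it must be pasted into the
    CA's Saved Request field: BEGIN line through END line, inclusive."""
    begin = "-----BEGIN %s-----" % label
    end = "-----END %s-----" % label
    lines = [ln.strip() for ln in text.splitlines()]
    if begin not in lines or end not in lines[lines.index(begin):]:
        raise ValueError("no complete %s block found" % label)
    start = lines.index(begin)
    stop = lines.index(end, start)
    return "\n".join(lines[start:stop + 1])

def pem_to_der(block):
    """Decode a PEM block body and check it starts like DER (a SEQUENCE tag).
    This catches a truncated or corrupted paste; it is not a CSR parser."""
    body = "".join(block.splitlines()[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return der

def cn_matches_domain(cn, domain):
    """Does a cup-xmpp-s2s Subject CN cover an XMPP domain? A wildcard is
    accepted only as the whole leftmost label and stands for exactly one
    label (assumed semantics, modelled on RFC 6125). Comparison is
    case-insensitive and ignores a trailing dot."""
    cn, domain = cn.lower().rstrip("."), domain.lower().rstrip(".")
    if not cn.startswith("*."):
        return cn == domain
    suffix = cn[1:]                     # e.g. ".example.net"
    if not domain.endswith(suffix):
        return False
    left = domain[:-len(suffix)]        # the label the wildcard stands for
    return bool(left) and "." not in left
```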

        Upload a CA-Signed Certificate for XMPP Federation

        Before You Begin

        Complete the steps in Generate a Certificate Signing Request for XMPP Federation.

        Procedure
          Step 1   Log in to the Cisco Unified IM and Presence Operating System Administration user interface. Choose Security > Certificate Management.
          Step 2   Click Upload Certificate/Certificate chain.
          Step 3   Choose cup-xmpp-s2s for Certificate Name.
          Step 4   In the Root Certificate Field, specify the name of the root certificate.
          Step 5   Click Upload File.
          Step 6   Browse to the location of the CA-signed certificate that you saved to your local machine.
          Step 7   Click Upload File.
          Step 8   Restart the Cisco XMPP Federation Connection Manager service. Log in to the Cisco Unified IM and Presence Serviceability user interface. Choose Tools > Control Center - Network Services to restart this service.
          Note    If you upload a multi-server certificate you must restart the XCP Router service on all IM and Presence Service nodes in the cluster.

          What to Do Next

          If you migrate from self-signed to CA-signed certificates, the original self-signed certificates persist in the service trust store of the IM and Presence Service node. Leaving the original self-signed certificates in the service trust store is not an issue because no service presents them. However, if needed, you can delete these trust store certificates.

          See the section Delete Self-Signed Trust Certificates in Part II, Chapter 11, Security Configuration on IM and Presence Service, in the appropriate release of the Configuration and Administration of IM and Presence Service on Cisco Unified Communications Manager at http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-installation-and-configuration-guides-list.html.

          Import a Root CA Certificate for XMPP Federation


          Note


          This section describes how to manually upload the cup-xmpp-s2s trust certificates to IM and Presence Service. You can also use the Certificate Import Tool to automatically upload cup-xmpp-s2s trust certificates. To access the Certificate Import Tool, log in to the Cisco Unified CM IM and Presence Administration user interface. Choose System > Security > Certificate Import Tool, and see the Online Help for instructions on how to use this tool.


          If IM and Presence Service federates with an enterprise, and a commonly trusted Certificate Authority (CA) signs the certificate of that enterprise, you must upload the root certificate from the CA to an IM and Presence Service node.

          If IM and Presence Service federates with an enterprise that uses a self-signed certificate rather than a certificate signed by a commonly trusted CA, you can upload the self-signed certificate using this procedure.

          Before You Begin

          Download the root CA certificate and save it to your local machine.

          Procedure
            Step 1   Log in to the Cisco Unified IM and Presence Operating System Administration user interface. Choose Security > Certificate Management on IM and Presence Service.
            Step 2   Click Upload Certificate/Certificate chain.
            Step 3   Choose cup-xmpp-trust for Certificate Name.
            Note   

            Leave the Root Name field blank.

            Step 4   Click Browse, and browse to the location of the root CA certificate that you previously downloaded and saved to your local machine.
            Step 5   Click Upload File to upload the certificate to the IM and Presence Service node.
            Note   

            You must repeat this procedure every time you federate with a new enterprise whose CA you do not already trust. Likewise, you should follow this procedure if the new enterprise uses self-signed certificates, where the self-signed certificates are uploaded instead of the Root CA certificate.

            Troubleshooting Tip

            If your trust certificate is self-signed, you cannot turn on the Require client side certificates parameter in the XMPP federation security settings window.