Deployment Guide for Cisco Unified Presence Release 8.6
Configuring Security on Cisco Unified Presence

Table Of Contents

Configuring Security on Cisco Unified Presence

Creating a Login Banner

Cisco Unified Presence Certificate Types

How to Configure the Certificate Exchange Between Cisco Unified Presence and Cisco Unified Communications Manager

Prerequisites for Configuring Security

Importing the Cisco Unified Communications Manager Certificate to Cisco Unified Presence

Restarting the SIP Proxy Service

Downloading the Certificate from Cisco Unified Presence

Uploading the Cisco Unified Presence Certificate to Cisco Unified Communications Manager

Restarting the Cisco Unified Communications Manager Service

How to Configure the SIP Security Settings on Cisco Unified Presence

Configuring a TLS Peer Subject

Configuring a TLS Context

Configuring the SIP Proxy-to-Proxy Intracluster Protocol Type

How to Configure the XMPP Security Settings on Cisco Unified Presence

XMPP Security Modes

Configuring the XMPP Certificate Settings

Configuring FIPS 140-2 Mode

Overview of FIPS 140-2

Rebooting a Server in FIPS 140-2 Mode

Regeneration of Certificates


Configuring Security on Cisco Unified Presence


July 5, 2013

Creating a Login Banner

Cisco Unified Presence Certificate Types

How to Configure the Certificate Exchange Between Cisco Unified Presence and Cisco Unified Communications Manager

How to Configure the SIP Security Settings on Cisco Unified Presence

How to Configure the XMPP Security Settings on Cisco Unified Presence

Configuring FIPS 140-2 Mode

Creating a Login Banner

In Cisco Unified Presence Release 8.6(4), administrators can create a banner that users acknowledge as part of their login to any Cisco Unified Presence interfaces. The administrator creates a .txt file using any text editor, includes important notifications that users should be made aware of, and uploads it to the Cisco Unified Presence OS Administration page. This banner will then appear on all Cisco Unified Presence interfaces notifying users of important information before they log in, including legal warnings and obligations. The following interfaces will display this banner before and after a user logs in: Cisco Unified Presence Administration, Cisco Unified OS Administration, Serviceability, Reporting, Disaster Recovery System, User Options, and the Cisco Unified Presence CLI prompt.

Procedure


Step 1 Create a .txt file with the contents you want to display in the banner.

Step 2 Sign in to Cisco Unified Operating System Administration.

Step 3 Select Software Upgrades > Customized Logon Message.

Step 4 Select Browse and locate the .txt file.

Step 5 Select Upload File.
The banner will appear before and after login on most Cisco Unified Presence interfaces.


Note The .txt file must be uploaded to each Cisco Unified Presence node separately.



Cisco Unified Presence Certificate Types

This section describes the different certificates required for the clients and services on Cisco Unified Presence.

Table 9-1 Certificate Types for Client Applications on Cisco Unified Presence

Client | Certificate
-------|------------
SIP client (Cisco Unified Personal Communicator Release 7.x, IPPM, Cisco Unified Communications Manager) | tomcat
XMPP client (Cisco Unified Personal Communicator Release 8.0, third-party client) | cup-xmpp

Table 9-2 Certificate Types for Cisco Unified Presence Services

Service | Certificate | Certificate Trust Store | Notes
--------|-------------|-------------------------|------
SIP Proxy | cup | cup-trust |
Presence Engine | cup | cup-trust |
SOAP | tomcat | directory-trust |
AXL | tomcat | directory-trust |
LDAP | tomcat | directory-trust | LDAP uses the tomcat certificate because directory/directory-trust is now tomcat/ttrust.
Microsoft Exchange | | cup-trust |
Microsoft OCS/LCS Call Control | cup | cup-trust |
SIP Federation | cup | cup-trust |
XMPP Federation | cup-xmpp-s2s | cup-xmpp-trust | The trust certificates for cup-xmpp-s2s are stored in cup-xmpp-trust along with the general XMPP trust certificates.


Related Topics

Section "(Cisco Unified Personal Communicator Release 8.x) Configuring Settings" in the Cisco Unified Personal Communicator Administration Guide for Cisco Unified Presence Release 8.x

How to Configure the XMPP Security Settings on Cisco Unified Presence

Configuring a Secure Connection Between Cisco Unified Presence and the LDAP Directory

How to Configure the Certificate Exchange Between Cisco Unified Presence and Cisco Unified Communications Manager

This module describes the exchange of self-signed certificates between the Cisco Unified Communications Manager server and the Cisco Unified Presence server. You can use the Certificate Import Tool on Cisco Unified Presence to automatically import the Cisco Unified Communications Manager certificate to Cisco Unified Presence. However, you must manually upload the Cisco Unified Presence certificate to Cisco Unified Communications Manager.

Only perform these procedures if you require a secure connection between Cisco Unified Presence and Cisco Unified Communications Manager.

Prerequisites for Configuring Security

Importing the Cisco Unified Communications Manager Certificate to Cisco Unified Presence

Restarting the SIP Proxy Service

Downloading the Certificate from Cisco Unified Presence

Uploading the Cisco Unified Presence Certificate to Cisco Unified Communications Manager

Restarting the Cisco Unified Communications Manager Service

Prerequisites for Configuring Security

Configure the following items on Cisco Unified Communications Manager:

Configure a SIP security profile for Cisco Unified Presence.

Configure a SIP trunk for Cisco Unified Presence:

Associate the security profile with the SIP trunk.

Configure the SIP trunk with the subject Common Name (CN) of the Cisco Unified Presence certificate.


Note In Cisco Unified Presence Release 8.6(5), Subject Common Name has been renamed to Subject Alternative Name.


Related Topic

How to Configure the SIP Trunk on Cisco Unified Communications Manager

Importing the Cisco Unified Communications Manager Certificate to Cisco Unified Presence

Procedure


Step 1 Select Cisco Unified Presence Administration > System > Security > Certificate Import Tool.

Step 2 Select CUP Service Trust from the Certificate Trust Store menu.

Step 3 Enter the IP address, hostname or FQDN of the Cisco Unified Communications Manager server.

Step 4 Enter a port number to communicate with the Cisco Unified Communications Manager server.

Step 5 Select Submit.


Troubleshooting Tip

After the Certificate Import Tool completes the import operation, it reports whether or not it successfully connected to Cisco Unified Communications Manager, and whether or not it successfully downloaded the certificate from Cisco Unified Communications Manager. If the Certificate Import Tool reports a failure, see the Online Help for a recommended action. You can also manually import the certificate by selecting Cisco Unified OS Administration > Security > Certificate Management.

What To Do Next

Restarting the SIP Proxy Service

Restarting the SIP Proxy Service

Before You Begin

Import the Cisco Unified Communications Manager certificate to Cisco Unified Presence.

Procedure


Step 1 Select Cisco Unified Serviceability > Tools > Control Center - Feature Services on Cisco Unified Presence.

Step 2 Select Cisco UP SIP Proxy.

Step 3 Select Restart.


What To Do Next

Downloading the Certificate from Cisco Unified Presence

Downloading the Certificate from Cisco Unified Presence

Procedure


Step 1 Select Cisco Unified OS Administration > Security > Certificate Management on Cisco Unified Presence.

Step 2 Select Find.

Step 3 Select the cup.pem file.

Step 4 Select Download and save the file to your local computer.


Troubleshooting Tip

Ignore any errors that Cisco Unified Presence displays regarding access to the cup.csr file; the CA (Certificate Authority) does not need to sign the certificate that you exchange with Cisco Unified Communications Manager.

What To Do Next

Uploading the Cisco Unified Presence Certificate to Cisco Unified Communications Manager

Uploading the Cisco Unified Presence Certificate to Cisco Unified Communications Manager

Before You Begin

Download the certificate from Cisco Unified Presence.

Procedure


Step 1 Select Cisco Unified OS Administration > Security > Certificate Management on Cisco Unified Communications Manager.

Step 2 Select Upload Certificate.

Step 3 Select Callmanager-trust from the Certificate Name menu.

Step 4 Browse and select the certificate (.pem file) previously downloaded from Cisco Unified Presence.

Step 5 Select Upload File.


Related Topic

Downloading the Certificate from Cisco Unified Presence

What To Do Next

Restarting the Cisco Unified Communications Manager Service

Restarting the Cisco Unified Communications Manager Service

Before You Begin

Upload the Cisco Unified Presence certificate to Cisco Unified Communications Manager.

Procedure


Step 1 Select Cisco Unified Serviceability > Tools > Control Center - Feature Services on Cisco Unified Communications Manager.

Step 2 Select Cisco CallManager.

Step 3 Select Restart.


Related Topic

Uploading the Cisco Unified Presence Certificate to Cisco Unified Communications Manager

What To Do Next

How to Configure the SIP Security Settings on Cisco Unified Presence

How to Configure the SIP Security Settings on Cisco Unified Presence

Configuring a TLS Peer Subject

Configuring a TLS Context

Configuring the SIP Proxy-to-Proxy Intracluster Protocol Type

Configuring a TLS Peer Subject

When you import a Cisco Unified Presence certificate, Cisco Unified Presence automatically attempts to add the TLS peer subject to the TLS peer subject list and to the TLS context list. Verify that the TLS peer subject and TLS context configuration meet your requirements.

Procedure


Step 1 Select Cisco Unified Presence Administration > System > Security > TLS Peer Subjects.

Step 2 Select Add New.

Step 3 Perform one of the following actions for the Peer Subject Name:

Enter the subject CN of the certificate that the server presents.

Open the certificate, look for the CN and paste it here.

Step 4 Enter the name of the server in the Description field.

Step 5 Select Save.
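The peer subject entered in Step 3 must be exactly the subject CN that the peer presents in its certificate (in Release 8.6(5), the Subject Alternative Name). The following Python script is an added example, not Cisco code: using only the standard library it reads a PEM file such as the cup.pem downloaded in the certificate exchange, extracts the subject CN and any SAN dNSName entries, and reports whether one of them is among the TLS peer subjects selected in the TLS context. The tiny DER encoder, the zero-filled sample certificate it builds, the hostname cup1.example.com and the exact, case-sensitive match rule are constructions and assumptions of this example, not behaviour documented by the guide.

```python
"""Offline check: does the certificate downloaded from Cisco Unified Presence
carry the CN (or SAN) that is configured as a TLS peer subject?  Added example,
standard library only; the sample certificate is constructed in code."""
import base64
import re

CN_OID = bytes.fromhex("550403")                       # id-at-commonName (2.5.4.3)
SAN_OID = bytes.fromhex("551D11")                      # id-ce-subjectAltName (2.5.29.17)
SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")   # sha256WithRSAEncryption
RSA_OID = bytes.fromhex("2A864886F70D010101")          # rsaEncryption

# --- tiny DER encoder, used only to construct the sample certificate ---
def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content

def _name(cn):
    # Name ::= SEQUENCE OF (SET OF (SEQUENCE { OID, UTF8String }))
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode("utf-8")))))

def build_sample_cert(cn, dns_names):
    """Constructed X.509 v3 structure with the given subject CN and SAN dNSNames.
    Key and signature fields are zero-filled placeholders: parseable, not verifiable."""
    sig_alg = tlv(0x30, tlv(0x06, SHA256_RSA_OID) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"130705000000Z") + tlv(0x17, b"140705000000Z"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" * 9))
    general_names = b"".join(tlv(0x82, d.encode("ascii")) for d in dns_names)  # [2] dNSName
    san_ext = tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, tlv(0x30, general_names)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")   # [0] v3, serialNumber
          + sig_alg + _name(cn) + validity + _name(cn) + spki
          + tlv(0xA3, tlv(0x30, san_ext)))                              # [3] extensions
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 9))

def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# --- tiny DER reader, used to inspect the downloaded certificate ---
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out

def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def certificate_names(der):
    """Return (subject CN or None, [SAN dNSNames]) from a DER certificate."""
    tbs = children(children(der)[0][1])[0][1]   # Certificate -> tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                     # skip explicit [0] version
        fields = fields[1:]
    cn = None
    for _, rdn in children(fields[4][1]):        # serial, sigAlg, issuer, validity, SUBJECT
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == CN_OID:
                cn = value.decode("utf-8")
    sans = []
    for tag, value in fields[5:]:
        if tag == 0xA3:                          # [3] extensions
            for _, ext in children(children(value)[0][1]):
                parts = children(ext)
                if parts[0][1] == SAN_OID:       # last part is the OCTET STRING (critical flag optional)
                    names = children(parts[-1][1])[0][1]
                    sans = [v.decode("ascii") for t, v in children(names) if t == 0x82]
    return cn, sans

def peer_subject_matches(pem_text, selected_peer_subjects):
    """True when the presented CN or a SAN dNSName equals a selected TLS peer
    subject.  Exact, case-sensitive comparison is an assumption of this example."""
    cn, sans = certificate_names(pem_to_der(pem_text))
    return bool(({cn, *sans} - {None}) & set(selected_peer_subjects))

if __name__ == "__main__":
    # Placeholder hostname, not from the guide.
    cup_pem = der_to_pem(build_sample_cert("cup1.example.com", ["cup1.example.com"]))
    print(certificate_names(pem_to_der(cup_pem)))
    print(peer_subject_matches(cup_pem, ["cup1.example.com"]))   # True
    print(peer_subject_matches(cup_pem, ["cup1"]))               # False: short name is not the CN
```

To run this against a real download, replace the constructed cup_pem with the contents of the cup.pem file from Certificate Management and pass the peer subjects shown on the TLS Context Configuration page; a False result is the usual reason peer authentication fails after a certificate is regenerated with a different CN.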


What To Do Next

Configuring a TLS Context

Configuring a TLS Context

When you import a Cisco Unified Presence certificate, Cisco Unified Presence automatically attempts to add the TLS peer subject to the TLS peer subject list and to the TLS context list. Verify that the TLS peer subject and TLS context configuration meet your requirements.

Before You Begin

Configure a TLS peer subject on Cisco Unified Presence.

Procedure


Step 1 Select Cisco Unified Presence Administration > System > Security > TLS Context Configuration.

Step 2 Select Find.

Step 3 Select Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.

Step 4 From the list of available TLS peer subjects, select the TLS peer subject that you configured.

Step 5 Move this TLS peer subject to Selected TLS Peer Subjects.

Step 6 Select Save.

Step 7 Select Cisco Unified Presence Serviceability > Tools > Service Activation.

Step 8 Restart the Cisco Unified Presence SIP Proxy service.


Troubleshooting Tip

You must restart the SIP proxy service before any changes that you make to the TLS context take effect.

Related Topics

Configuring a TLS Peer Subject

Restarting the SIP Proxy Service

Configuring the SIP Proxy-to-Proxy Intracluster Protocol Type

Select the protocol that Cisco Unified Presence uses to route SIP messages securely in an intracluster deployment. The default value is the TLS protocol. Use TLS if a cluster node sends traffic over an unsecured network and you want a secure (encrypted) connection channel.

Procedure


Step 1 Select System > Security > General Settings.

Step 2 Select a protocol type from the SIP Intra-cluster Proxy-to-Proxy Transport Protocol menu.

Step 3 Select Save.


Troubleshooting Tip

You must restart the SIP proxy service before any changes that you make to the SIP proxy protocol take effect.

Related Topic

Restarting the SIP Proxy Service

How to Configure the XMPP Security Settings on Cisco Unified Presence

XMPP Security Modes

Configuring the XMPP Certificate Settings

XMPP Security Modes

Cisco Unified Presence provides increased security for XMPP-based configuration. Table 9-3 describes these XMPP secure modes. To configure the XMPP secure modes on Cisco Unified Presence, select Cisco Unified Presence Administration > System > Security > Settings.

Table 9-3 XMPP Secure Mode Descriptions

Secure Mode: Enable XMPP Client To CUP Service Secure Mode

Description: If you turn on this setting, Cisco Unified Presence establishes a secure TLS connection between the Cisco Unified Presence servers and XMPP client applications in a cluster. Cisco Unified Presence turns on this secure mode by default.

We recommend that you do not turn off this secure mode unless the XMPP client application can protect the client login credentials in non-secure mode. If you do turn off the secure mode, verify that you can secure the XMPP client-to-server communication in some other way.

Secure Mode: Enable XMPP Router-to-Router Secure Mode

Description: If you turn on this setting, Cisco Unified Presence establishes a secure TLS connection between XMPP routers in the same cluster, or in different clusters. Cisco Unified Presence automatically replicates the XMPP certificate within the cluster, and across clusters, as an XMPP trust certificate. An XMPP router will attempt to establish a TLS connection with any other XMPP router that is in the same cluster, or a different cluster, and is available to establish a TLS connection.

Secure Mode: Enable Web Client to CUP Service Secure Mode

Description: If you turn on this setting, Cisco Unified Presence establishes a secure TLS connection between the Cisco Unified Presence servers and XMPP-based API client applications. If you turn on this setting, upload the certificates or signing certificates for the web client in the cup-xmpp-trust repository on Cisco Unified Presence.


Troubleshooting Tips

If you update the XMPP security settings, perform one of these actions:

Restart the Cisco UP XCP Connection Manager if you edit Enable XMPP Client To CUP Service Secure Mode. Select Cisco Unified Serviceability > Tools > Control Center - Feature Services to restart this service.

Restart the Cisco UP XCP Router if you edit the Enable XMPP Router-to-Router Secure Mode. Select Cisco Unified Serviceability > Tools > Control Center - Network Services to restart this service.

Restart the Cisco UP XCP Web Connection Manager if you edit Enable Web Client To CUP Service Secure Mode. Select Cisco Unified Serviceability > Tools > Control Center - Feature Services to restart this service.
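Whether the client-to-server secure mode is actually in force can be checked from the outside: an XMPP server that requires TLS advertises STARTTLS with a required element in its initial stream features (RFC 6120), while a server with the mode off offers it as optional, or not at all, and may offer SASL PLAIN on the unencrypted stream. The following Python script is an added example, not Cisco code, that classifies a captured stream features element; the three feature documents are constructed samples, not captures from Cisco Unified Presence, and the "risk/warn/ok" wording is the example's own.

```python
"""Classify an XMPP server's pre-TLS <stream:features> for client-to-server TLS.
Added example, standard library only; the feature documents are constructed."""
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

def starttls_policy(features_xml):
    """Return 'required', 'optional' or 'absent' for the STARTTLS feature."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"
    return "optional"

def plaintext_mechanisms(features_xml):
    """SASL mechanisms offered on this pre-TLS stream that would send the
    password itself in the clear (PLAIN); challenge-response ones are not listed."""
    root = ET.fromstring(features_xml)
    mechs = {m.text.strip() for m in root.iter(f"{{{SASL_NS}}}mechanism") if m.text}
    return sorted(mechs & {"PLAIN"})

def assess(features_xml):
    """Map the pre-TLS features to a finding in the spirit of Table 9-3: login
    credentials are protected when TLS is mandatory before authentication."""
    policy = starttls_policy(features_xml)
    exposed = plaintext_mechanisms(features_xml)
    if policy == "required":
        return "ok: TLS mandatory before authentication"
    if exposed:
        return f"risk: TLS {policy}, {', '.join(exposed)} offered before TLS"
    return f"warn: TLS {policy}, no plaintext mechanism offered before TLS"

# Constructed samples (not captures).  SECURE_MODE models a server with
# "Enable XMPP Client To CUP Service Secure Mode" on; the others model it off.
SECURE_MODE = f"""<stream:features xmlns:stream="{STREAM_NS}">
  <starttls xmlns="{TLS_NS}"><required/></starttls>
</stream:features>"""

OPTIONAL_TLS_PLAIN = f"""<stream:features xmlns:stream="{STREAM_NS}">
  <starttls xmlns="{TLS_NS}"/>
  <mechanisms xmlns="{SASL_NS}">
    <mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
</stream:features>"""

NO_TLS = f"""<stream:features xmlns:stream="{STREAM_NS}">
  <mechanisms xmlns="{SASL_NS}"><mechanism>DIGEST-MD5</mechanism></mechanisms>
</stream:features>"""

if __name__ == "__main__":
    for name, doc in [("secure", SECURE_MODE), ("optional", OPTIONAL_TLS_PLAIN), ("none", NO_TLS)]:
        print(f"{name}: {assess(doc)}")
```

The features element can be taken from a client debug log or a packet capture of the first server response on port 5222; feed it to assess() after each change to the secure mode and the XCP Connection Manager restart to confirm the setting took effect.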

Related Topics

Integrating Third-Party XMPP Client Applications on Cisco Unified Presence

Configuring the XMPP Certificate Settings

Configuring the XMPP Certificate Settings

Procedure


Step 1 Select Cisco Unified Presence Administration > System > Security > Settings.

Step 2 Enter a server-to-server domain name for this Cisco Unified Presence cluster, for example, cisco.com.

Step 3 Check Use Domain Name for XMPP Certificate Subject Common Name if you want the general XMPP certificate to use the same Domain Name as the XMPP server-to-server certificate.


Note In Cisco Unified Presence Release 8.6(5), this check box has been renamed to Use Domain Name for XMPP Certificate Subject Alternative Name.


Step 4 Select Save.

Step 5 Restart the Cisco UP XCP Router service. Select Cisco Unified Serviceability > Tools > Control Center - Network Services > Cisco UP XCP Router to restart this service.


Troubleshooting Tip

If you change the server-to-server domain name value, you must regenerate affected XMPP S2S certificates before you restart the Cisco UP XCP Router service.

Related Topic

XMPP Security Modes

Configuring FIPS 140-2 Mode

Overview of FIPS 140-2

Rebooting a Server in FIPS 140-2 Mode

Regeneration of Certificates

Overview of FIPS 140-2

The Federal Information Processing Standard (FIPS) is a U.S. and Canadian government certification standard that defines requirements that cryptographic modules must follow.

When you enable FIPS 140-2 mode, Cisco Unified Presence reboots, runs certification self-tests at startup, performs the cryptographic module integrity check, and then regenerates the keying material. At this point, Cisco Unified Presence operates in FIPS 140-2 mode.

Cisco Unified Presence FIPS mode uses FIPS 140-2 level 1 validated OpenSSL FIPS Module version 1.2. The relevant OpenSSL documentation can be found at: http://www.openssl.org/docs/fips/

In Cisco Unified Presence, you can perform the following FIPS-related tasks:

Enable FIPS 140-2 mode

Disable FIPS 140-2 mode

Check the status of FIPS 140-2 mode


Note By default, Cisco Unified Presence is in non-FIPS mode. The administrator must enable FIPS mode. See the Command Line Reference Guide for Cisco Unified Presence for more information.


Rebooting a Server in FIPS 140-2 Mode

When you enable or disable FIPS, the Cisco Unified Presence server is automatically rebooted. When a Cisco Unified Presence server reboots in FIPS 140-2 mode, it runs the FIPS startup self-tests in each of the FIPS 140-2 modules.


Caution If any of these self-tests fail, Cisco Unified Presence halts. If the startup self-test fails because of a transient error, restarting the Cisco Unified Presence server fixes the issue. However, if the startup self-test error persists, it indicates a critical problem in the FIPS module and the only option is to use a recovery CD.

Regeneration of Certificates

When FIPS is enabled, all certificates are regenerated. However, certificates may not be exchanged between intercluster peers. If this situation arises, follow the procedure below to manually sync the certificates between intercluster peers.


Note Certificates will not be exchanged between intercluster peers where one peer has FIPS enabled and the other peer does not. You can only sync certificates between intercluster peers when all peers are in FIPS mode.


Procedure


Step 1 Select Cisco Unified Presence Administration > Presence > Inter-Clustering.

Step 2 Select the intercluster peer whose certificate is not present and choose the Force Manual Sync option.

Step 3 Note the configuration details and click Delete.

Step 4 Enable FIPS from the CLI using this command:

utils fips enable

The node reboots.

Step 5 Select Cisco Unified Presence Administration > Presence > Inter-Clustering and re-add the intercluster peer.

Step 6 Verify that all certificates are synced.


Note This may take several minutes.


Step 7 If the certificates do not sync after 20 minutes, select the intercluster peer whose certificate is not present and choose the Force Manual Sync option.


Note Cisco recommends that you allow ten minutes after importing intermediate or root Certificate Authority certificates before importing signed certificates.