Cisco UC Integration for IBM Sametime uses certificate validation to establish secure
connections with servers. When attempting to establish secure connections, servers
present Cisco UC Integration for IBM Sametime with certificates. Cisco UC Integration
for IBM Sametime validates those certificates against certificates in the Microsoft
Windows certificate store. If the certificates are not present in the certificate
store, the client prompts the user to confirm whether they want to connect to the
server.

The following servers present certificates to establish a secure connection with
Cisco UC Integration for IBM Sametime:

- Cisco Unified Presence
- Cisco Unified Communications Manager IM and Presence
- Cisco Unified Communications Manager
Before you begin, apply the most recent system upgrade (SU) for Cisco Unified
Presence or Cisco Unified Communications Manager IM and Presence.

The certificates apply to all server versions. For example, both Cisco Unified
Presence version 8.x and Cisco Unified Communications Manager IM and Presence
version 9.x and higher present the client with XMPP and HTTP certificates. Each
node in a cluster, both subscribers and publishers, runs a Tomcat service and can
present the client with an HTTP certificate. You should therefore plan to sign the
certificates for each node in the cluster.
Certificates Signed by a Certificate Authority

Use server certificates that are signed by one of the following types of
Certificate Authority (CA):

- Public CA: A third-party company verifies the server identity and issues a
  trusted certificate.
- Private CA: You create and manage a local CA and issue trusted certificates.

The signing process varies for each server and can vary between server versions.
Consult the appropriate server documentation for detailed instructions on how to
get certificates signed by a CA. However, the following steps provide a
high-level overview of the procedure:

1. Generate a Certificate Signing Request (CSR) on each server that can present a
   certificate to the client.
2. Submit each CSR to the CA.
3. Upload the certificates that the CA issues to each server.
Certificate Signing Request Formats and Requirements

Public CAs typically require CSRs to conform to specific formats. For example, a
public CA might only accept CSRs that:

- Do not contain certain characters, such as @&!, in the Organization, OU, or
  other fields.
- Use specific bit lengths for the server's public key.

Likewise, if you submit CSRs from multiple nodes, public CAs might require that
the information is consistent in all CSRs.

To prevent issues with your CSRs, review the format requirements of the public
CA to which you plan to submit the CSRs. Then ensure that the information you
enter when configuring your server conforms to the format that the public CA
requires.

One Certificate Per FQDN: some public CAs sign only one certificate per fully
qualified domain name (FQDN). For example, to sign HTTP and XMPP certificates
for a single Cisco Unified Communications Manager IM and Presence node, you
might need to submit each CSR to a different public CA.
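The following pre-submission check is an added example, not Cisco documentation or Cisco code. It applies the three requirements described above (no @&! characters in subject fields, an accepted public-key length, and organisation fields that are consistent across the CSRs of a cluster) and flags FQDNs that would need a second CA when the chosen CA signs only one certificate per FQDN. The CSR subjects, the node names, the set of accepted key lengths and the list of fields that must be consistent are constructed assumptions for this example; substitute the values your own CA publishes.

```python
# Added example: pre-submission review of CSR subjects for a cluster.
# All sample data below is constructed and not taken from any deployment.

# Characters the text gives as examples of what a public CA may refuse.
FORBIDDEN_CHARS = set("@&!")
# Key lengths this example treats as acceptable (assumption; check your CA).
ACCEPTED_KEY_BITS = {2048, 3072, 4096}
# Subject fields assumed to need identical values in every CSR from the cluster.
ORG_FIELDS = ("O", "OU", "L", "ST", "C")

# Constructed CSR subjects for two nodes; node 1 has an HTTP (Tomcat) CSR and an
# XMPP CSR for the same FQDN, node 2 has a short key and a stray "&" in OU.
CSRS = [
    {"node": "cup-node1", "service": "tomcat", "key_bits": 2048,
     "subject": {"CN": "cup-node1.example.com", "O": "Example Corp",
                 "OU": "UC", "L": "Austin", "ST": "TX", "C": "US"}},
    {"node": "cup-node1", "service": "xmpp", "key_bits": 2048,
     "subject": {"CN": "cup-node1.example.com", "O": "Example Corp",
                 "OU": "UC", "L": "Austin", "ST": "TX", "C": "US"}},
    {"node": "cup-node2", "service": "tomcat", "key_bits": 1024,
     "subject": {"CN": "cup-node2.example.com", "O": "Example Corp",
                 "OU": "UC & Collab", "L": "Austin", "ST": "TX", "C": "US"}},
]


def check_csr(csr):
    """Return the problems a public CA is likely to reject this CSR for."""
    problems = []
    for field, value in csr["subject"].items():
        bad = sorted(FORBIDDEN_CHARS & set(value))
        if bad:
            problems.append(f"{field} contains forbidden character(s) {''.join(bad)!r}")
    if csr["key_bits"] not in ACCEPTED_KEY_BITS:
        problems.append(f"key length {csr['key_bits']} not in {sorted(ACCEPTED_KEY_BITS)}")
    return problems


def check_consistency(csrs):
    """Organisation fields must be identical in every CSR submitted from the cluster.
    The first CSR is taken as the reference; every difference is reported."""
    problems = []
    reference = {f: csrs[0]["subject"].get(f) for f in ORG_FIELDS}
    for csr in csrs[1:]:
        for f in ORG_FIELDS:
            actual = csr["subject"].get(f)
            if actual != reference[f]:
                problems.append(f"{csr['node']}/{csr['service']}: "
                                f"{f}={actual!r} differs from {reference[f]!r}")
    return problems


def fqdns_needing_separate_cas(csrs):
    """With a one-certificate-per-FQDN CA, an FQDN that appears in more than one
    CSR (for example HTTP and XMPP on one node) needs another CA for the extras."""
    by_fqdn = {}
    for csr in csrs:
        by_fqdn.setdefault(csr["subject"]["CN"], []).append(csr["service"])
    return {fqdn: services for fqdn, services in by_fqdn.items() if len(services) > 1}


def review(csrs):
    """Combine the per-CSR, cross-CSR and per-FQDN checks into one report."""
    report = {f"{c['node']}/{c['service']}": check_csr(c) for c in csrs}
    report["consistency"] = check_consistency(csrs)
    report["one-cert-per-fqdn"] = fqdns_needing_separate_cas(csrs)
    return report


if __name__ == "__main__":
    for key, findings in review(CSRS).items():
        print(key, findings)
```

Run the block to see that node 2 is reported twice (the "&" in OU and the 1024-bit key), that its OU also breaks cross-cluster consistency, and that cup-node1.example.com is listed as needing a second CA when the CA signs one certificate per FQDN.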
Server Identity in Certificates

As part of the signing process, the CA specifies the server identity in the
certificate. When the client validates that certificate, it checks that:

- A trusted certificate authority has issued the certificate.
- The identity of the server that presents the certificate matches the identity
  of the server specified in the certificate.

CAs generally require a fully qualified domain name (FQDN) as the server
identity, not an IP address.

The client checks the following identifier fields in server certificates for an
identity match:

- Subject CN. The Subject CN field can contain a wildcard (*) as the leftmost
  character, for example, *.cisco.com.
- Subject Alternative Name (SAN).

If users attempt to connect to a server with an IP address, and the server
certificate identifies the server with an FQDN, the client cannot identify the
server as trusted and prompts the user. If your server certificates identify
the servers with FQDNs, you should plan to specify each server name as an FQDN
throughout your environment.

The client identifies XMPP certificates using the XMPP domain, rather than the
FQDN. The XMPP certificates must contain the XMPP domain in an identifier field.
When the client attempts to connect to the presence server, the presence server
provides the XMPP domain to the client. The client can then validate the
identity of the presence server against the XMPP certificate.
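The identity checks described above (Subject CN with a leftmost wildcard, SAN entries, an IP-address connection against an FQDN certificate, and XMPP certificates matched on the XMPP domain) are modelled in the following added example. It is not Cisco's client code and does not reproduce the client's exact behaviour; the certificates, host names and the rules that a wildcard matches only one whole leftmost label and that an IP literal matches only a certificate issued to that IP are assumptions of this example. The issuer-trust check (whether a trusted CA signed the certificate) is left out here so the example stays focused on identity matching.

```python
# Added example: server identity matching as the text describes it.
# Sample certificates are constructed; only the identifier fields the client
# compares are modelled (Subject CN and SAN DNS / IP entries).
import ipaddress

NODE_CERT = {                 # HTTP (Tomcat) certificate for a cluster node
    "subject_cn": "*.example.com",          # wildcard in the leftmost label
    "san_dns": ["cup-node1.example.com"],
    "san_ip": [],
}
XMPP_CERT = {                 # XMPP certificate carrying the XMPP domain in the SAN
    "subject_cn": "cup-node1.example.com",
    "san_dns": ["cup-node1.example.com", "example.com"],
    "san_ip": [],
}
IP_CERT = {                   # certificate issued to an IP literal instead of an FQDN
    "subject_cn": "192.0.2.10",
    "san_dns": [],
    "san_ip": ["192.0.2.10"],
}


def _is_ip(value: str) -> bool:
    """True when the name the user connected to is an IP literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, name: str) -> bool:
    """Case-insensitive DNS match. A '*' is honoured only when it is the whole
    leftmost label: *.example.com matches a.example.com but neither
    b.a.example.com nor example.com (assumption of this example)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False          # a wildcard anywhere else is rejected outright
    return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]


def identity_matches(cert: dict, connect_target: str) -> bool:
    """True when the name the user connected to matches an identifier in cert."""
    if _is_ip(connect_target):
        # An IP literal can only match a certificate issued to that same IP;
        # a certificate that names the server by FQDN never matches it, which
        # is why connecting by IP to an FQDN certificate ends in a prompt.
        return connect_target in cert["san_ip"] or connect_target == cert["subject_cn"]
    candidates = [cert["subject_cn"]] + cert["san_dns"]
    return any(_dns_match(c, connect_target) for c in candidates)


def xmpp_identity_matches(cert: dict, xmpp_domain: str) -> bool:
    """XMPP certificates are matched on the XMPP domain that the presence
    server announced, not on the node FQDN the user typed."""
    candidates = [cert["subject_cn"]] + cert["san_dns"]
    return any(_dns_match(c, xmpp_domain) for c in candidates)


def validation_outcome(cert: dict, connect_target: str) -> str:
    """What the client does after the identity check: connect, or prompt the user."""
    return "trusted" if identity_matches(cert, connect_target) else "prompt-user"


if __name__ == "__main__":
    print(validation_outcome(NODE_CERT, "cup-node1.example.com"))   # trusted
    print(validation_outcome(NODE_CERT, "192.0.2.10"))              # prompt-user
    print(xmpp_identity_matches(XMPP_CERT, "example.com"))          # True
```

The two printed outcomes for NODE_CERT are the situation the text warns about: the same certificate is accepted when the user connects by FQDN and causes a prompt when the user connects by IP address, which is why server names should be FQDNs throughout the environment.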
Complete the following steps to ensure the presence server provides the XMPP
domain to the client:

1. Open the administration interface for your presence server, as follows:
   - Cisco Unified Communications Manager IM and Presence: Cisco Unified CM IM
     and Presence Administration
   - Cisco Unified Presence: Cisco Unified Presence Administration
2. Select System > Security > Settings.
3. Locate the Certificate Settings section.
4. Enter the presence server domain in the following field:
   - Domain name for XMPP Server-to-Server Certificate Subject Alternative Name
   - Domain Name for XMPP Certificate Subject Alternative Name
Certificates on Client Computers

Each server certificate should have an associated root certificate present in the
trust store on client computers. Cisco UC Integration for IBM Sametime validates
the certificates that servers present against the root certificates in the trust
store.

If you get server certificates signed by a public CA, the public CA should
already have a root certificate present in the trust store on the client
computer. In this case, you do not need to import root certificates on the
client computers.

You should import root certificates into the Microsoft Windows certificate store
if:

- Server certificates are signed by a CA that does not already exist in the
  trust store, such as a private CA. Import the private CA certificate to the
  Trusted Root Certification Authorities store.
- Server certificates are self-signed. Import the self-signed certificates to
  the Enterprise Trust store.

If certificates are not present in the trust store, Cisco UC Integration for IBM
Sametime prompts users to accept certificates from each server in your
environment. When the client prompts users to accept a certificate, users can:

- Accept the certificate: The client saves the certificate to the Enterprise
  Trust store.
- Decline the certificate: The client does not save the certificate, does not
  connect to the server, and displays an error. If users restart the client, it
  prompts them to accept the certificate again.
You can use any appropriate method to import certificates into the Microsoft
Windows certificate store, including the following. For detailed instructions
on importing certificates, refer to the appropriate Microsoft documentation.

- Use the Certificate Import Wizard to import certificates individually.
- Deploy certificates to users with the CertMgr.exe command line tool on
  Microsoft Windows Server. This method requires you to use the Certificate
  Manager tool, CertMgr.exe, not the Certificates Microsoft Management Console
  snap-in, CertMgr.msc.
- Deploy certificates to users with a Group Policy Object (GPO) on Microsoft
  Windows Server.