Deployment Guide for IM and Presence Service on Cisco Unified Communications Manager, Release 9.0(1)
Security configuration on IM and Presence

Create login banner

You can create a banner that users acknowledge as part of their login to any IM and Presence interface. Using any text editor, create a .txt file containing the notifications that you want users to be aware of, and upload it to the Cisco Unified IM and Presence OS Administration page. The banner then appears on all IM and Presence interfaces, notifying users of important information, including legal warnings and obligations, before they log in. The following interfaces display this banner before and after a user logs in: Cisco Unified CM IM and Presence Administration, Cisco Unified IM and Presence Operating System Administration, Cisco Unified IM and Presence Serviceability, Cisco Unified IM and Presence Reporting, IM and Presence Disaster Recovery System, and Cisco Unified CM IM and Presence User Options.

Procedure
    Step 1   Create a .txt file with the contents you want to display in the banner.
    Step 2   Sign in to Cisco Unified IM and Presence Operating System Administration.
    Step 3   Select Software Upgrades > Customized Logon Message.
    Step 4   Select Browse and locate the .txt file.
    Step 5   Select Upload File.

The banner will appear before and after login on most IM and Presence interfaces.

Note

The .txt file must be uploaded to each IM and Presence node separately.


IM and Presence certificate types

This section describes the different certificates required for the clients and services on IM and Presence.

Table 1 Certificate Types for Client Applications on IM and Presence

Client                                                                              Certificate
SIP client (Cisco Unified Communications Manager)                                   tomcat
XMPP client (Cisco Unified Personal Communicator Release 8.0, third-party client)   cup-xmpp

Table 2 Certificate Types for IM and Presence Services

Service                         Certificate    Certificate Trust Store   Notes
SIP Proxy                       cup            cup-trust
Presence Engine                 cup            cup-trust
SOAP                            tomcat         directory-trust
AXL                             tomcat         directory-trust
LDAP                            tomcat         directory-trust           LDAP uses the tomcat certificate because directory/directory-trust is now tomcat/ttrust.
Microsoft Exchange                             cup-trust
Microsoft OCS/LCS Call Control  cup            cup-trust
SIP Federation                  cup            cup-trust
XMPP Federation                 cup-xmpp-s2s   cup-xmpp-trust            The trust certificates for cup-xmpp-s2s are stored in cup-xmpp-trust along with the general XMPP trust certificates.

Certificate exchange configuration between IM and Presence and Cisco Unified Communications Manager

This module describes the exchange of self-signed certificates between the Cisco Unified Communications Manager server and the IM and Presence server. You can use the Certificate Import Tool on IM and Presence to automatically import the Cisco Unified Communications Manager certificate to IM and Presence. However, you must manually upload the IM and Presence certificate to Cisco Unified Communications Manager.

Only perform these procedures if you require a secure connection between IM and Presence and Cisco Unified Communications Manager.

Prerequisites for configuring security

Configure the following items on Cisco Unified Communications Manager:

• Configure a SIP security profile for IM and Presence.
• Configure a SIP trunk for IM and Presence:
  • Associate the security profile with the SIP trunk.
  • Configure the SIP trunk with the subject Common Name (CN) of the IM and Presence certificate.

Import Cisco Unified Communications Manager Certificate to IM and Presence

Procedure
    Step 1   Select Cisco Unified CM IM and Presence Administration > System > Security > Certificate Import Tool.
    Step 2   Select IM and Presence (IM/P) Service Trust from the Certificate Trust Store menu.
    Step 3   Enter the IP address, hostname or FQDN of the Cisco Unified Communications Manager server.
    Step 4   Enter a port number to communicate with the Cisco Unified Communications Manager server.
    Step 5   Select Submit.

Troubleshooting Tip

After the Certificate Import Tool completes the import operation, it reports whether or not it successfully connected to Cisco Unified Communications Manager, and whether or not it successfully downloaded the certificate from Cisco Unified Communications Manager. If the Certificate Import Tool reports a failure, see the Online Help for a recommended action. You can also manually import the certificate by selecting Cisco Unified IM and Presence OS Administration > Security > Certificate Management.


What to Do Next

Restart SIP proxy service

Restart SIP proxy service

Before You Begin

Import the Cisco Unified Communications Manager certificate to IM and Presence.

Procedure
    Step 1   Select Cisco Unified IM and Presence Serviceability > Tools > Control Center - Feature Services on IM and Presence.
    Step 2   Select Cisco SIP Proxy.
    Step 3   Select Restart.

What to Do Next

Download certificate from IM and Presence

Download certificate from IM and Presence

Procedure
    Step 1   Select Cisco Unified IM and Presence OS Administration > Security > Certificate Management on IM and Presence.
    Step 2   Select Find.
    Step 3   Select the cup.pem file.
    Step 4   Select Download and save the file to your local computer.

Troubleshooting Tip

Ignore any errors that IM and Presence displays regarding access to the cup.csr file. The CA (Certificate Authority) does not need to sign the certificate that you exchange with Cisco Unified Communications Manager.


What to Do Next

Upload IM and Presence certificate to Cisco Unified Communications Manager

Upload IM and Presence certificate to Cisco Unified Communications Manager

Before You Begin

Download the certificate from IM and Presence.

Procedure
    Step 1   Select Cisco Unified OS Administration > Security > Certificate Management on Cisco Unified Communications Manager.
    Step 2   Select Upload Certificate.
    Step 3   Select Callmanager-trust from the Certificate Name menu.
    Step 4   Browse and select the certificate (.pem file) previously downloaded from IM and Presence.
    Step 5   Select Upload File.

Related Topic

Download certificate from IM and Presence


What to Do Next

Restart Cisco Unified Communications Manager service

Restart Cisco Unified Communications Manager service

Before You Begin

Upload the IM and Presence certificate to Cisco Unified Communications Manager.

Procedure
    Step 1   Select Cisco Unified Serviceability > Tools > Control Center - Feature Services on Cisco Unified Communications Manager.
    Step 2   Select Cisco CallManager.
    Step 3   Select Restart.

Related Topic

Upload IM and Presence certificate to Cisco Unified Communications Manager


What to Do Next

SIP security settings configuration on IM and Presence

SIP security settings configuration on IM and Presence

Configure TLS peer subject

When you import an IM and Presence certificate, IM and Presence automatically attempts to add the TLS peer subject to the TLS peer subject list, and to the TLS context list. Verify the TLS peer subject and TLS context configuration is set up to your requirements.

Procedure
    Step 1   Select Cisco Unified CM IM and Presence Administration > System > Security > TLS Peer Subjects.
    Step 2   Select Add New.
    Step 3   Perform one of the following actions for the Peer Subject Name:
             1. Enter the subject CN of the certificate that the server presents.
             2. Open the certificate, look for the CN and paste it here.
    Step 4   Enter the name of the server in the Description field.
    Step 5   Select Save.

What to Do Next

Configure TLS context

Configure TLS context

When you import an IM and Presence certificate, IM and Presence automatically attempts to add the TLS peer subject to the TLS peer subject list, and to the TLS context list. Verify the TLS peer subject and TLS context configuration is set up to your requirements.

Before You Begin

Configure a TLS peer subject on IM and Presence.

Procedure
    Step 1   Select Cisco Unified CM IM and Presence Administration > System > Security > TLS Context Configuration.
    Step 2   Select Find.
    Step 3   Select Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.
    Step 4   From the list of available TLS peer subjects, select the TLS peer subject that you configured.
    Step 5   Move this TLS peer subject to Selected TLS Peer Subjects.
    Step 6   Select Save.
    Step 7   Select Cisco Unified IM and Presence Serviceability > Tools > Service Activation.
    Step 8   Restart the Cisco SIP Proxy service.

Troubleshooting Tip

You must restart the SIP proxy service before any changes that you make to the TLS context take effect.
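The TLS peer subject and TLS context procedures above amount to one check at connection time: the subject CN of the certificate the peer presents must appear in the selected TLS peer subject list. The following Python script is an added example, not code from this guide or from Cisco. It reproduces that comparison offline on a certificate in the dictionary form that Python's ssl.SSLSocket.getpeercert() returns, and also checks the validity window, so an administrator can confirm which CN to enter before touching the configuration. The optional fetch_peer_cert helper connects to a node over TLS using the downloaded cup.pem as the trust anchor (the exchanged certificate is self-signed, so it is its own anchor); the host names, port 5061 and certificate fields below are constructed assumptions, not values from this guide.

```python
"""Offline reproduction of the TLS peer subject (CN) match used by IM and Presence.

Added example; not Cisco's code. Certificates are handled in the dictionary
shape that ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl
import time


def subject_cn(cert):
    """Return the commonName from a getpeercert()-style dictionary, or None.

    'subject' is a tuple of RDNs; each RDN is a tuple of (type, value) pairs.
    """
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def peer_subject_allowed(cert, configured_peer_subjects):
    """True when the certificate's subject CN is in the TLS peer subject list.

    The match is an exact, case-sensitive string comparison of the CN; a
    certificate without a CN never matches.
    """
    cn = subject_cn(cert)
    return cn is not None and cn in configured_peer_subjects


def certificate_is_current(cert, now_seconds=None):
    """True when now_seconds (epoch, UTC) lies inside notBefore..notAfter.

    ssl.cert_time_to_seconds() parses the 'Mon Day HH:MM:SS YYYY GMT' form
    that getpeercert() uses for these two fields.
    """
    now_seconds = time.time() if now_seconds is None else now_seconds
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now_seconds <= not_after


def fetch_peer_cert(host, port, trusted_pem_path):
    """Connect over TLS and return the peer certificate as a dictionary.

    trusted_pem_path is the cup.pem downloaded from IM and Presence; as a
    self-signed certificate it serves as its own trust anchor. Hostname
    checking is disabled because the peer subject list matches on the CN
    string, not on SAN-based hostname rules. Network use is optional and
    not exercised by the sample run below.
    """
    ctx = ssl.create_default_context(cafile=trusted_pem_path)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format; not a real IM and Presence certificate.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "imp-node1.example.com"),),
    ),
    "issuer": ((("commonName", "imp-node1.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "serialNumber": "01",
    "version": 3,
}

# Constructed peer subject list, as it would appear under Selected TLS Peer Subjects.
CONFIGURED_PEER_SUBJECTS = ["cucm-pub.example.com", "imp-node1.example.com"]

if __name__ == "__main__":
    print("subject CN:", subject_cn(SAMPLE_CERT))
    print("in peer subject list:", peer_subject_allowed(SAMPLE_CERT, CONFIGURED_PEER_SUBJECTS))
    print("currently valid:", certificate_is_current(SAMPLE_CERT))
    # To check a live node (assumed SIP TLS port 5061):
    # cert = fetch_peer_cert("imp-node1.example.com", 5061, "cup.pem")
    # print(peer_subject_allowed(cert, CONFIGURED_PEER_SUBJECTS))
```

Because the comparison is a literal string match, a CN that differs only in case or carries a trailing domain component will not be accepted; run subject_cn over the downloaded cup.pem's dictionary and paste exactly that value into the Peer Subject Name field.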


Configure SIP proxy-to-proxy intracluster protocol type

Select the protocol that IM and Presence uses to route SIP messages securely in an intracluster deployment. The default value is the TLS protocol. Use TLS if a cluster node sends traffic over an unsecured network and you want a secure (encrypted) connection channel.

Procedure
    Step 1   Select System > Security > General Settings.
    Step 2   Select a protocol type from the SIP Intra-cluster Proxy-to-Proxy Transport Protocol menu.
    Step 3   Select Save.

Troubleshooting Tip

You must restart the SIP proxy service before any changes that you make to the SIP proxy protocol take effect.


XMPP security settings configuration on IM and Presence

XMPP security modes

IM and Presence provides increased security for XMPP-based configuration. The following table describes these XMPP secure modes. To configure the XMPP secure modes on IM and Presence, select Cisco Unified CM IM and Presence Administration > System > Security > Settings.

Table 3 XMPP Secure Mode Descriptions

Secure Mode: Enable XMPP Client To IM/P Service Secure Mode
Description: If you turn on this setting, IM and Presence establishes a secure TLS connection between the IM and Presence servers and XMPP client applications in a cluster. IM and Presence turns on this secure mode by default.
             We recommend that you do not turn off this secure mode unless the XMPP client application can protect the client login credentials in non-secure mode. If you do turn off the secure mode, verify that you can secure the XMPP client-to-server communication in some other way.

Secure Mode: Enable XMPP Router-to-Router Secure Mode
Description: If you turn on this setting, IM and Presence establishes a secure TLS connection between XMPP routers in the same cluster, or in different clusters. IM and Presence automatically replicates the XMPP certificate within the cluster, and across clusters, as an XMPP trust certificate. An XMPP router will attempt to establish a TLS connection with any other XMPP router that is in the same cluster, or a different cluster, and is available to establish a TLS connection.

Secure Mode: Enable Web Client to IM/P Service Secure Mode
Description: If you turn on this setting, IM and Presence establishes a secure TLS connection between the IM and Presence servers and XMPP-based API client applications. If you turn on this setting, upload the certificates or signing certificates for the web client in the cup-xmpp-trust repository on IM and Presence.

Troubleshooting Tips

If you update the XMPP security settings, restart the affected service as follows:

• Restart the Cisco XCP Connection Manager if you edit Enable XMPP Client To IM/P Service Secure Mode. Select Cisco Unified IM and Presence Serviceability > Tools > Control Center - Feature Services to restart this service.
• Restart the Cisco XCP Router if you edit Enable XMPP Router-to-Router Secure Mode. Select Cisco Unified IM and Presence Serviceability > Tools > Control Center - Network Services to restart this service.
• Restart the Cisco XCP Web Connection Manager if you edit Enable Web Client To IM/P Service Secure Mode. Select Cisco Unified IM and Presence Serviceability > Tools > Control Center - Feature Services to restart this service.
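Table 3 recommends verifying that client-to-server XMPP traffic is protected whenever the secure mode is changed. An XMPP server announces its TLS policy to a connecting client in the <stream:features> element, by advertising a <starttls> child and, when TLS is mandatory, a nested <required/> element (RFC 6120). The script below is an added example, not code from this guide or from Cisco: it classifies a captured features element as requiring, offering, or lacking STARTTLS and compares that with the expected state of Enable XMPP Client To IM/P Service Secure Mode, so an operator can confirm what the Cisco XCP Connection Manager actually advertises after the restart. The assumption that a node in secure mode advertises STARTTLS as required is mine, as are the sample features elements, the host name and the default port 5222; the optional probe_features helper reads only the pre-TLS advertisement and sends no credentials.

```python
"""Classify the STARTTLS policy advertised in an XMPP <stream:features> element.

Added example; not Cisco's code. The sample feature elements are constructed,
not captured from a real IM and Presence node.
"""
import re
import socket
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def starttls_policy(features_xml):
    """Return 'required', 'optional' or 'absent' for a <stream:features> element.

    The fragment is wrapped in a root element that declares the stream prefix:
    a features element captured from the wire inherits that declaration from
    the enclosing <stream:stream> and would not parse on its own.
    """
    wrapped = f'<root xmlns:stream="{STREAM_NS}">{features_xml}</root>'
    root = ET.fromstring(wrapped)
    starttls = root.find(f".//{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"
    return "optional"


def assess_client_to_service(features_xml, secure_mode_enabled):
    """Compare the advertised policy with the expected secure-mode state.

    Returns (policy, finding). Assumption: with the client-to-service secure
    mode on, the node is expected to advertise STARTTLS as required.
    """
    policy = starttls_policy(features_xml)
    if secure_mode_enabled and policy != "required":
        return policy, "MISMATCH: secure mode is on but STARTTLS is not required"
    if not secure_mode_enabled and policy == "absent":
        return policy, ("WARNING: secure mode is off and no TLS is offered; "
                        "client credentials are exposed unless protected elsewhere")
    return policy, "OK"


def probe_features(host, domain, port=5222, timeout=5):
    """Open a plain XMPP client stream and return the raw <stream:features> text.

    Only the initial feature advertisement is read; no credentials are sent.
    Returns an empty string if no features element arrives before timeout.
    """
    header = (
        "<?xml version='1.0'?>"
        f"<stream:stream to='{domain}' xmlns='jabber:client' "
        f"xmlns:stream='{STREAM_NS}' version='1.0'>"
    )
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        try:
            while b"</stream:features>" not in buf:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
        sock.sendall(b"</stream:stream>")
    match = re.search(r"<stream:features[^>]*>.*?</stream:features>",
                      buf.decode(errors="replace"), re.S)
    return match.group(0) if match else ""


# Constructed sample features elements, as a client would receive after its stream header.
FEATURES_TLS_REQUIRED = (
    '<stream:features>'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)
FEATURES_TLS_OPTIONAL = (
    '<stream:features>'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'
    '</stream:features>'
)
FEATURES_NO_TLS = (
    '<stream:features>'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)

if __name__ == "__main__":
    for name, sample in [("required", FEATURES_TLS_REQUIRED),
                         ("optional", FEATURES_TLS_OPTIONAL),
                         ("none", FEATURES_NO_TLS)]:
        print(name, assess_client_to_service(sample, secure_mode_enabled=True))
    # Live check (assumed host and domain):
    # print(assess_client_to_service(probe_features("imp-node1.example.com", "example.com"), True))
```

The MISMATCH finding after a settings change usually means the Cisco XCP Connection Manager has not been restarted yet, which is the restart Table 3's troubleshooting tip calls for; the WARNING finding is the situation the table warns about when the secure mode is turned off without another protection for client credentials.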

Configure XMPP certificate settings

Procedure
    Step 1   Select Cisco Unified CM IM and Presence Administration > System > Security > Settings.
    Step 2   Enter a server-to-server domain name for this IM and Presence cluster, for example, 'cisco.com'.
    Step 3   Check Use Domain Name for XMPP Certificate Subject Common Name if you want the general XMPP certificate to use the same Domain Name as the XMPP server-to-server certificate.
    Step 4   Select Save.
    Step 5   Restart the Cisco XCP Router service. Select Cisco Unified IM and Presence Serviceability > Tools > Control Center - Network Services > Cisco XCP Router to restart this service.

Troubleshooting Tip

If you change the server-to-server domain name value, you must regenerate affected XMPP S2S certificates before you restart the Cisco XCP Router service.


FIPS 140-2 mode configuration

Overview of FIPS 140-2 mode

The Federal Information Processing Standard (FIPS) is a U.S. and Canadian government certification standard that defines requirements that cryptographic modules must follow.

The IM and Presence Service is FIPS 140-2 compliant, in accordance with the U.S. National Institute of Standards (NIST), and can operate in FIPS mode, level 1 compliance.

When you enable FIPS 140-2 mode, IM and Presence reboots, runs certification self-tests at start-up, performs the cryptographic module integrity check, and then regenerates the keying materials. At this point, IM and Presence operates in FIPS 140-2 mode.

IM and Presence meets FIPS requirements, including the following: it performs startup self-tests and restricts cryptographic operations to a list of approved cryptographic functions.

IM and Presence FIPS mode uses the FIPS 140-2 level 1 validated OpenSSL FIPS Module version 1.2. The relevant OpenSSL documentation can be found at: http://www.openssl.org/docs/fips/

In IM and Presence, you can perform the following FIPS-related tasks:

• Enable FIPS 140-2 mode
• Disable FIPS 140-2 mode
• Check the status of FIPS 140-2 mode

Note

By default, IM and Presence is in non-FIPS mode. You must enable FIPS mode using the CLI. For more information, see the Command Line Interface Reference Guide for Cisco Unified Solutions.


Server reboot in FIPS 140-2 mode

When FIPS is enabled or disabled, the IM and Presence server is automatically rebooted. When an IM and Presence server reboots in FIPS 140-2 mode, it triggers FIPS startup self-tests in each of the FIPS 140-2 modules after rebooting.

Caution

If any of these self-tests fail, IM and Presence halts. If the startup self-test fails because of a transient error, restarting the IM and Presence server fixes the issue. However, if the startup self-test error persists, it indicates a critical problem in the FIPS module, and the only option is to use a recovery CD.