Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.1(1)
SIP federation security certificate configuration (with Cisco Adaptive\n\t Security Appliance)
Download this chapter
SIP federation security certificate configuration (with Cisco Adaptive\n\t Security Appliance)SIP federation security certificate configuration (with Cisco Adaptive\n\t Security Appliance)
Download the complete book
Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.1(1)Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.1(1) (PDF - 3 MB)
 Feedback

Contents

SIP federation security certificate configuration (with Cisco Adaptive Security Appliance)


Note

IM and Presence Release 9.0(1) or later supports interdomain federation with Microsoft Lync. Any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

Security certificate exchange between IM and Presence and Cisco Adaptive Security Appliance

Generate key pair and trustpoints on Cisco Adaptive Security Appliance

You need to generate the key pair for this certification (for example cup_proxy_key), and configure a trustpoint to identify the self-signed certificate from Cisco Adaptive Security Appliance to IM and Presence (for example cup_proxy). You need to specify the enrollment type as "self" to indicate you are generating a self-signed certificate on Cisco Adaptive Security Appliance, and specify the certificate subject name as the IP address of the inside interface.

Before You Begin

Ensure you carried out the configuration tasks described in the following chapters:

Procedure
    Step 1   On the Cisco Adaptive Security Appliance, enter the following commands: 
    >Enable >password
>config t
    Step 2   Enter this command to generate the key pair for this certification: 
    crypto key generate rsa label cup_proxy_key modulus 1024
    Step 3   Enter the following sequence of commands to create a trustpoint for IM and Presence: 
    crypto ca trustpoint <name of trustpoint e.g.cup_proxy>
(config-ca-trustpoint)# enrollment self
(config-ca-trustpoint)# fqdn none
(config-ca-trustpoint)# subject-name cn=<ASA inside interface ip address>
(config-ca-trustpoint)# keypair cup_proxy_key

    Troubleshooting Tip

    Enter the command show crypto key mypubkey rsa to check that the key pair is generated.

    What to Do Next

    Generate self-signed certificate on Cisco Adaptive Security Appliance

    Generate self-signed certificate on Cisco Adaptive Security Appliance

    Before You Begin
    Procedure
      Step 1   Enter this command to generate the self-signed certificate: 
      (config-ca-trustpoint)# crypto ca enroll <name of trustpoint e.g.cup_proxy>
      Step 2   Enter no when you are prompted to include the device serial number in the subject name.
      Step 3   Enter yes when you are prompted to generate the self-signed certificate.
      Step 4   Enter this command to prepare the certificate to export to IM and Presence: 
      crypto ca export cup_proxy identity-certificate

      The PEM encoded identity certificate displays on screen, for example:

      -----BEGIN CERTIFICATE-----MIIBnDCCAQWgAwIBAgIBMTANBgkqhkiG9w0BAQQFADAUMRIwEAYDVQQDEwlDVVAt……..
-----END CERTIFICATE-----
      Step 5   Copy and paste the entire contents of the Cisco Adaptive Security Appliance certificate into Wordpad or Notepad with a .pem extension.
      Step 6   Save the .pem file to your local machine.
      What to Do Next

      Import self-signed certificate onto IM and Presence

      Import self-signed certificate onto IM and Presence

      Before You Begin

      Complete the steps in Generate self-signed certificate on Cisco Adaptive Security Appliance

      Procedure
        Step 1   Select Cisco Unified IM and Presence Operating System Administration > Security > Certificate Management on IM and Presence.
        Step 2   Click Upload Certificate.
        Step 3   Select cup-trust for Certificate Name.
        Note   

        Leave the Root Name field blank.

        Step 4   Click Browse, and locate the Cisco Adaptive Security Appliance .pem certificate file (that you created in the previous procedure) on your local computer.
        Step 5   Click Upload File to upload the certificate to the IM and Presence server.

        Troubleshooting Tips

        Perform a find on the certificate list, you will see an <asa ip address>.pem and an <asa ip address>.der in the certificate list.

        What to Do Next

        Generate new certificate on IM and Presence

        Generate new certificate on IM and Presence

        Before You Begin

        Complete the steps in Import self-signed certificate onto IM and Presence

        Procedure
          Step 1   Select Cisco Unified IM and Presence Operating System Administration > Security > Certificate Management on IM and Presence.
          Step 2   Click Generate New.
          Step 3   Select cup for the certificate name.
          What to Do Next

          Import IM and Presence certificate into Cisco Adaptive Security Appliance

          Import IM and Presence certificate into Cisco Adaptive Security Appliance

          In order to import the IM and Presence certificate onto Cisco Adaptive Security Appliance, you need to create a trustpoint to identify the imported certificate from IM and Presence (e.g. cert_from_cup), and specify the enrollment type as "terminal" to indicate that you will paste the certificate received from IM and Presence into the terminal.


          Note

          It is essential that IM and Presence, Cisco Unified Communications Manager and Cisco Adaptive Security Appliance servers are all syncing off the same NTP source.

          Before You Begin
          • Complete the steps in Generate new certificate on IM and Presence.
          • You need a text editor that has UNIX support to complete this procedure. We recommend Microsoft Wordpad version 5.1, or Microsoft Notepad version 5.1 service pack 2.
          Procedure
            Step 1   Enter config mode, type: 
            >Enable >password
>config t
            Step 2   Enter this sequence of commands to create a trustpoint for the imported IM and Presence certificate: 
            crypto ca trustpoint cert_from_cupenrollment terminal
            Step 3   Enter this command to import the certificate from IM and Presence: 
            crypto ca authenticate cert_from_cup
            Step 4   Select Cisco Unified IM and Presence Operating System Administration > Security > Certificate Management on IM and Presence.
            Step 5   Click Find.
            Step 6   Locate the IM and Presence certificate that you created in the previous procedure.
            Step 7   Click Download.
            Step 8   Open the cup.pem file using one of the recommended text editors.
            Step 9   Cut and paste the contents of the cup.pem into the Cisco Adaptive Security Appliance prompt window.
            Step 10   Enter quit.
            Step 11   Enter y when you are prompted to accept the certificate.

            Troubleshooting Tips

            Run the command show crypto ca certificate to view the certificate.

            What to Do Next

            Security certificate exchange between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) with Microsoft CA

            Security certificate exchange between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) with Microsoft CA

            These procedures are an example, and demonstrate how to configure certificates using the Microsoft CA.


            Note

            An example of this procedure using the VeriSign CA is provided in the appendix of this guide.

            CA trustpoints

            When generating a trustpoint, you must specify an enrollment method to be used with the trustpoint. You can use Simple Certificate Enrollment Process (SCEP) as the enrollment method (assuming you are using a Microsoft CA), where you use the enrollment url command to define the URL to be used for SCEP enrollment with the trustpoint you declared. The URL defined should be the URL of your CA.

            You can also use manual enrollment as the enrollment method, where you use the enrollment terminal command to indicate that you will paste the certificate received from the CA into the terminal. Both enrollment method procedures are described in this section. Refer to the Cisco Security Appliance Command Line Configuration Guide for further details about the enrollment method.

            In order to use SCEP, you need to download the Microsoft SCEP add-on from the following URL:

            http:/​/​www.microsoft.com/​Downloads/​details.aspx?familyid=9F306763-D036-41D8-8860-1636411B2D01&displaylang=en

            The SCEP add-on must be installed on the Microsoft CA that you are configuring the certificates on.

            Download the SCEP add-on as follows:

            • Download and run scepsetup.exe.
            • Select local system account.
            • Deselect SCEP challenge phrase to enroll.
            • Enter the details of the CA.

            When you click Finish, retrieve the SCEP URL. You will use this URL during trustpoint enrollment on Cisco Adaptive Security Appliance.

            Configure certificate on Cisco Adaptive Security Appliance using SCEP enrollment

            Procedure
              Step 1   Enter this command to generate a key pair for the CA: 
              crypto key generate rsa label public_key_for_ca  modulus 1024
              Step 2   Enter this command to generate a trustpoint to identify the CA. 
              crypto ca trustpoint <trustpoint_name>
              Step 3   Use the "client-types" sub-command to specify the client connection types for the trustpoint that can be used to validate the certificates associated with a user connection. Enter this command to specify a "client-types ssl" configuration which indicates that SSL client connections can be validated using this trustpoint: 
              (config-ca-trustpoint)# client-types ssl
              Step 4   Enter this command to configure the FQDN of the public IM and Presence address: 
              fqdn <fqdn_public_cup_address>
              Note   

              You may be issued a warning regarding VPN authentication here.

              Step 5   Enter this command to configure a keypair for the trustpoint: 
              keypair public_key_for_ca
              Step 6   Enter this command to configure the enrollment method for the trustpoint: 
              enrollment url http://<ip address of CA>/certsrv/mscep/mscep.dll
              Step 7   Enter this command to obtain the CA certificate for the trustpoint you configured: 
              crypto ca authenticate <trustpoint_name>
INFO: Certificate has the following attributes:
Fingerprint:     cc966ba6 90dfe235 6fe632fc 2e521e48
              Step 8   Enter yes when you are prompted to accept the certificate from the CA. 
              Do you accept this certificate? [yes/no]: yesTrustpoint CA certificate accepted.
              Step 9   Run the crypto ca enroll command. 
              crypto ca enroll <trustpoint_name>

              The following warning output displays:

              %WARNING: The certificate enrollment is configured with an fqdnthat differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
              Step 10   Enter yes when you are prompted to continue with the enrollment. 
              Would you like to continue with this enrollment? [yes/no]: yes% Start certificate enrollment..
              Step 11   Enter a password when you are prompted to create a challenge password. 
              % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: **********
Re-enter password: **********
              Step 12   Enter no when you are prompted to include the device serial number in the subject name.
              Step 13   Enter yes when you are prompted to request the certificate from the CA. 
              Request certificate from CA? [yes/no]: yes% Certificate request sent to Certificate Authority
              Step 14   Go to the CA and issue the pending certificate (if the certificate was not issued automatically).
              What to Do Next

              Certificate configuration for external Access Edge interface

              Configure certificate on Cisco Adaptive Security Appliance using manual enrollment

              Enrolling a trustpoint by uploading a CA certificate:

              Procedure
                Step 1   Enter this command to generate a key pair for the CA: 
                crypto key generate rsa label public_key_for_ca  modulus 1024
                Step 2   Enter this sequence of commands to generate a trustpoint to identify the CA: 
                crypto ca trustpoint <name of trustpoint>
fqdn <fqdn_public_cup_address>
client-types ssl
keypair public_key_for_ca
                Note   
                • The FQDN value must be the FQDN of the public IM and Presence address.
                • The keypair value must be the keypair created for the CA.
                Step 3   Enter this command to configure the enrollment method for the trustpoint: 
                enrollment terminal
                Step 4   Enter this command to authenticate the certificate: 
                crypto ca authenticate <trustpoint_name>
                Step 5   Acquire the root certificate of the CA:
                1. Go to your CA webpage, for example, http(s)://<CA_IP_Addr>/certsrv.
                2. Select Download a CA certificate, certificate chain, or CRL.
                3. Select Base 64.
                4. Download the CA certificate.
                5. Save the certificate as a .cer file, for example CARoot.cer.
                Step 6   Open the root certificate (.cer file) in a text editor.
                Step 7   Copy and paste this certificate into the Cisco Adaptive Security Appliance terminal.
                Step 8   Enter yes when you are prompted to accept the certificate.

                Generating a CSR for Cisco Adaptive Security Appliance Public Certificate

                Step 9   Enter this command to send an enrollment request to the CA: 
                crypto ca enroll <trustpoint_name>
                Step 10   Enter no when you are asked if you want to include the device serial number in the subject name.
                Step 11   Enter yes when you are asked to Display Certificate Request to terminal.
                Step 12   Copy and paste this base-64 certificate into a text editor (to use in a later step).
                Step 13   Enter no when you are asked to redisplay the enrollment request.
                Step 14   Paste the base-64 certificate (that you copied in step 4) into the certificate request page of your CA:
                1. Go to your CA webpage, for example, http(s)://<CA_IP_Addr>/certsrv.
                2. Select Request a certificate.
                3. Select Advanced Certificate request.
                4. Select Submit a certificate request by using a base-64-encoded CMC orPKCS#10 file...
                5. Paste the base-64 certificate (that you copied in step 4).
                6. Submit the request and issue the certificate from the CA.
                7. Download the certificate and save as a *.cer file.
                8. Open the certificate in a text editor and paste the contents into the terminal. End with the word 'quit' on a separate line.
                Step 15   Enter this command to import the certificate that you receive from the CA: 
                crypto ca <trustpoint_name> import certificate
                Step 16   Enter yes when you are asked if you want to continue with the enrollment.
                What to Do Next

                Certificate configuration for external Access Edge interface

                Certificate configuration for external Access Edge interface

                This procedure describes how to configure the certificate on the Access Edge server with a standalone CA.

                Download CA certification chain

                Procedure
                  Step 1   On the Access Edge Server, click Start > Run.
                  Step 2   Enter http://<name of your Issuing CA Server>/certsrv, and click OK.
                  Step 3   Click Download a CA certificate, certificate chain, or CRL from the Select a task menu.
                  Step 4   Click Download CA certificate chain from Download a CA Certificate, Certificate Chain, or CRL menu.
                  Step 5   Click Save in the File Download dialog box.
                  Step 6   Save the file on a hard disk drive on your server. This file has an extension of .p7b. If you open this .p7b file, the chain displays the following two certificates:
                  1. name of Standalone root CA certificate
                  2. name of Standalone subordinate CA certificate (if any)
                  What to Do Next

                  Install CA certification chain

                  Install CA certification chain

                  Before You Begin

                  Complete the steps inDownload CA certification chain

                  Procedure
                    Step 1   Click Start > Run.
                    Step 2   Enter mmc, and click OK.
                    Step 3   Select Add/Remove Snap-in from the File menu.
                    Step 4   Click Add in the Add/Remove Snap-in dialog box.
                    Step 5   Select Certificates in the list of Available Standalone Snap-ins.
                    Step 6   Click Add.
                    Step 7   Select Computer account.
                    Step 8   Click Next.
                    Step 9   In the Select Computer dialog box, perform the following tasks:
                    1. Ensure that <Local Computer> (the computer this console is running on) is selected
                    2. Click Finish.
                    Step 10   Click Close.
                    Step 11   Click OK.
                    Step 12   In the left pane of the Certificates console, expand Certificates: Local Computer.
                    Step 13   Expand Trusted Root Certification Authorities.
                    Step 14   Right-click Certificates, and point to All Tasks.
                    Step 15   Click Import.
                    Step 16   In the Import Wizard, click Next.
                    Step 17   Click Browse and go to where you saved the certificate chain.
                    Step 18   Select the file, and click Open.
                    Step 19   Click Next.
                    Step 20   Leave the default value Place all certificates in the store and ensure that Trusted Root Certification Authorities appears under the Certificate store.
                    Step 21   Click Next.
                    Step 22   Click Finish.
                    What to Do Next

                    Request certificate from CA server

                    Request certificate from CA server

                    Before You Begin

                    Complete the steps in Install CA certification chain

                    Procedure
                      Step 1   Log in to the Access Edge server and open a web browser.
                      Step 2   Open the following URL: http://<ca_server_IP_address>/certsrv
                      Step 3   Click Request a Certificate.
                      Step 4   Click Advanced Certificate Request.
                      Step 5   Click Create and submit a request to this CA.
                      Step 6   Click Other in the Type of Certificate Needed list.
                      Step 7   Enter the FQDN of the Access Edge external interface for the Subject Common Name,
                      Step 8   Enter the following OID in the OID field:

                      1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

                      Note   

                      A comma separates the two 1s in the middle of the OID.

                      Step 9   Perform one of the following procedures:
                      1. If you are using Windows Certificate Authority 2003, check Store certificate in the local computer certificate store in Key Options.
                      2. If you are using Windows Certificate Authority 2008, refer to the workaround described in the Troubleshooting Tips of this section. Enter a friendly name.
                      Step 10   Enter a friendly name.
                      Step 11   Click Submit.
                      What to Do Next

                      Download certificate from CA server

                      Download certificate from CA server

                      Before You Begin

                      Complete the steps in Request certificate from CA server

                      Procedure
                        Step 1   Launch the CA console by selecting Start > Administrative Tools > Certificate Authority.
                        Step 2   Click on Pending Requests in the left pane.
                        Step 3   Right-click on the certificate request that you submitted in the right pane,.
                        Step 4   Click All Tasks > Issue.
                        Step 5   Open http://<local_server>/certsrv on the Access Edge server that CA is running on.
                        Step 6   Click on your certificate request from View the Status of a Pending Certificate Request.
                        Step 7   Click Install this certificate.
                        What to Do Next

                        Upload certificate onto Access Edge

                        Upload certificate onto Access Edge

                        This procedure describes how to upload the certificate on the Access Edge server using the Certificate Wizard. You can also import the certificates manually on the Access Edge server by selecting Microsoft Office Communications Server 2007 > Properties > Edge Interfaces.

                        Before You Begin

                        Complete the steps in Download certificate from CA server

                        Procedure
                          Step 1   Select Start > Administrative Tools > Computer Management on the Access Edge server.
                          Step 2   Right-click on Microsoft Office Communications Server 2007 in the left pane.
                          Step 3   Click Certificates.
                          Step 4   Click Next.
                          Step 5   Click the Assign an existing certificate task option.
                          Step 6   Click Next.
                          Step 7   Select the certificate that you wish to use for the External Access Edge Interface, and click Next.
                          Step 8   Click Next.
                          Step 9   Click the Edge Server Public Interface checkbox, and click Next.
                          Step 10   Click Next.
                          Step 11   Click Finish.
                          What to Do Next

                          Configuration of TLS Proxy on Cisco Adaptive Security Appliance

                          Create custom certificate for Access Edge using enterprise certificate authority

                          Refer to these instructions if you are using a Microsoft Enterprise Certificate Authority to issue a client/server role certificate to the external interface of Access Edge or to the public interface of the Cisco Adaptive Security Appliance.

                          Before You Begin

                          These steps require that the Certificate Authority is an Enterprise CA and is installed on the Enterprise Edition of either Windows Server 2003 or 2008.

                          For additional details about these steps, refer to the Microsoft instructions: http:/​/​technet.microsoft.com/​en-us/​library/​bb694035.aspx

                          Create and issue custom certificate template

                          Procedure
                            Step 1   Follow Steps 1- 6 from the Microsoft site: Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority.

                            http:/​/​technet.microsoft.com/​en-us/​library/​bb694035.aspx#BKMK_​siteserver1

                            Tip   

                            For Step 5, use a more appropriate name for this specific template, such as Mutual Authentication Certificate.

                            Step 2   Follow these steps in place of Steps 7-12 from the Microsoft site:
                            1. Select the Extensions tab. Make sure that under Application Policies that both Client Authentication and Server Authentication are present and that no other Policies are present. If these policies are not available, then you must add them before proceeding.
                              • In the Edit Application Policies Extension dialog box, select Add.
                              • In the Add Application Policy dialog box, select Client Authentication, press Shift and select Server Authentication, and then click Add.
                              • In the Edit Application Policies Extension dialog box, select any other policy that may be present and then select Remove.

                              In the Properties of New Template dialog box, you should now see listed as the description of Application Policies: Client Authentication, Server Authentication.

                            2. Select the Issuance Requirement tab. If you do not want the Certificate to be automatically issued, then select CA certificate manager approval. Otherwise, leave this option blank.
                            3. Select the Security tab and ensure that all required users and groups have both read and enroll permission.
                            4. Select the Request Handling tab and select the CSP button.
                            5. On the CSP Selection dialog box select Requests must use one of the following CSP’s.
                            6. From the list of CSP’s select Microsoft Basic Cryptographic Provider v1.0 and Microsoft Enhanced Cryptographic Provider v1.0, and select OK.
                            Step 3   Continue with Steps 13-15 from the Microsoft site: Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority.

                            http:/​/​technet.microsoft.com/​en-us/​library/​bb694035.aspx#BKMK_​siteserver1

                            What to Do Next

                            Request site server signing certificate

                            Request site server signing certificate

                            Procedure
                              Step 1   Follow Steps 1-6 from the Microsoft site: Site Server Signing Certificate for the Server That Will Run the Configuration Manager 2007 Site Server.

                              http:/​/​technet.microsoft.com/​en-us/​library/​bb694035.aspx#BKMK_​siteserver2

                              Tip   

                              For Step 5, select the name of the certificate template you created previously, such as Mutual Authentication Certificate and enter the external FQDN of the access edge in the Name field.

                              Step 2   Follow these steps in place of Steps 7-8 from the Microsoft site:
                              1. If the certificate request is automatically issued then you will be presented with an option to install the signed certificate. Select Install this Certificate.
                              2. If the certificate request is not automatically issued then you will need to wait for the administrator to issue the certificate. Once issued:
                                • On the member server, load Internet Explorer and connect to the Web enrollment service with the address http://<server>/certsrv where <server> is the name or IP address of the Enterprise CA.
                                • On the Welcome page, select View the status of a pending certificate request.
                              3. Select the issued certificate and select Install this Certificate.

                              Security Certificate configuration on Lync Edge server for TLS federation

                              The following guide from Microsoft's TechNet Library (http:/​/​technet.microsoft.com/​en-us/​library/​gg398409.aspx) explains how to configure certificates on Access Edge for TLS federation with Microsoft Lync. IM and Presence requires Mutual TLS authentication for federated connections, therefore you must configure Microsoft Lync certificates to support both Server and Client Authentication. When you follow the above guide, skip section 2 and move instead to section 3 which describes how to create a certificate request for the external interface of the Edge Server to support public IM connectivity with AOL. AOL has the same mutual TLS authentication requirement as IM and Presence. You can also use this guide to configure Lync Server to federate directly with IM and Presence over TLS.

                              For information about how to configure static routes on Lync server for direct federation, see Static route configuration for interdomain federation to Microsoft Lync within enterprise.

                              Security certificate exchange between Cisco Adaptive Security Appliance and AOL SIP access gateway

                              AOL requires that the Cisco Adaptive Security Appliance certificate is signed by a trusted Certificate Authority. AOL has an established trust list of Certificate Authorities (CA) such as those commonly used in Windows or those in libraries distributed with the major browsers. If you wish to use a CA that is not on the AOL trust list, work with your Cisco representative to provide this information to AOL.

                              A sample configuration workflow that describes in detail how to configure certificate exchange between Cisco Adaptive Security Appliance and a foreign domain (Microsoft Access Edge) using the Verisign CA is provided in the appendix of this guide. Use this procedure as a reference to configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA. A high-level overview of the configuration steps is provided below.

                              To configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA, complete these steps:


                              Note

                              The IM and Presence server certificate subject CN must match FQDN of the IM and Presence server. The public Certificate on Cisco Adaptive Security Appliance for IM and Presence and the CN must be the same as the Federation Routing IM and Presence FQDN service parameter value.

                              • Submit the CSR to the Verisign CA.
                              • Verisign CA provides you with the following certificates:
                                • Verisign signed certificate
                                • Verisign subordinate intermediate root certificate
                                • Verisign root CA certificate
                              • On Cisco Adaptive Security Appliance, delete the temporary root certificate used to generate the Certificate Signing Request.
                              • Import the Verisign subordinate intermediate root certificate to Cisco Adaptive Security Appliance.
                              • Create a trustpoint for the Verisign root CA certificate on Cisco Adaptive Security Appliance.
                              • Import the Verisign root CA certificate to Cisco Adaptive Security Appliance, and then import the Verisign signed certificate to Cisco Adaptive Security Appliance.
                              • Provide the VeriSign root and intermediate certificates to AOL.

                              Note

                              You must provide AOL with the root CA if the CA is not already in the AOL trust list.

                              Related Tasks
                              Related References
                              Related Information