-
Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 9.1(1)
-
Overview of this integration
-
Preparations for this integration
-
Configuration workflows for interdomain federation
-
Configuration of IM and Presence for SIP federation
-
SIP federation security certificate configuration (with Cisco Adaptive\n\t Security Appliance)
-
Cisco Adaptive Security Appliance configuration for SIP federation
-
Configuration of TLS Proxy on Cisco Adaptive Security Appliance
-
Configure interdomain federation to Microsoft OCS/Lync within an enterprise
-
Configuration of foreign server components for SIP federation
-
Configuration of load balancer for redundancy for SIP federation
-
Configuration of IM and Presence for XMPP federation
-
Security certificate configuration for XMPP federation
-
Serviceability configuration for federation
-
Federation integration verification
-
Troubleshooting a SIP federation integration
-
Troubleshooting an XMPP federation integration
-
Sample Cisco Adaptive Security Appliance configuration
-
Configuration of security certificate exchange between Cisco Adaptive Security Appliance and Microsoft Access Edge using VeriSign
-
Integration debugging information
-
Feedback
Contents
- Security certificate configuration for XMPP federation
- Configure domain for XMPP certificate
- Use a self-signed certificate for XMPP federation
- Use of a CA-signed Certificate for XMPP federation
- Generate certificate signing request for XMPP federation
- Upload CA-signed certificate for XMPP federation
- Import root CA certificate for XMPP federation
Security certificate configuration for XMPP federation
To configure security for XMPP federation, you must complete the following procedures:
- Configure the domain for the XMPP certificate.
- Create the certificate once using one of the following types of certificates:
- Import the root CA certificate.
You must repeat this procedure every time you federate with a new enterprise whose CA you do not already trust. Likewise, you should follow this procedure if the new enterprise uses self-signed certificates, where the self-signed certificates are uploaded instead of the Root CA certificate.
- Configure domain for XMPP certificate
- Use a self-signed certificate for XMPP federation
- Use of a CA-signed Certificate for XMPP federation
- Import root CA certificate for XMPP federation
Configure domain for XMPP certificate
ProcedureFor XMPP Federation, the Subject Common Name (CN) for the certificate must contain the domain of the IM and Presence server.
What to Do Next
Create the certificate once using one of the following procedures:
- Use a self-signed certificate for XMPP federation
- Use of a CA-signed Certificate for XMPP federation Troubleshooting Tips
- If you make any changes to this configuration, you must restart the Cisco XCP Router service. Select to restart this service.
- If you change server-to-server domain name value, you must regenerate affected XMPP S2S certificates before you restart the Cisco XCP Router service.
Use a self-signed certificate for XMPP federation
ProcedureThis section describes how to use a self-signed certificate for XMPP federation. For information about using a CA-signed certificate, see Use of a CA-signed Certificate for XMPP federation.
Step 1 Select . Step 2 Select Generate New. Step 3 Select cup-xmpp-s2s from the Certificate Name drop-down list and select Generate. Step 4 Restart the Cisco XCP Router service. Select to restart this service. Step 5 Download and send the certificate to another enterprise so that it can be added as a trusted certificate on their XMPP server. This can be a IM and Presence server or another XMPP server.
What to Do Next
Use of a CA-signed Certificate for XMPP federation
This section describes how to use a CA-signed certificate. For information about using a self-signed certificate, see Use a self-signed certificate for XMPP federation.
- Generate certificate signing request for XMPP federation
- Upload CA-signed certificate for XMPP federation
Generate certificate signing request for XMPP federation
This procedure describes how to generate a Certificate Signing Request (CSR) for a Microsoft Certificate Services CA.
Note
While this procedure is to generate a CSR for signing a Microsoft Certificate Services CA, the steps to generate the CSR (Steps 1 to 3) apply when requesting a certificate from any Certificate Authority.
Before You BeginProcedureConfigure the domain for the XMPP certificate, see Configure domain for XMPP certificate
Step 1 Select on IM and Presence. Step 2 To generate the CSR, perform these steps: Step 3 To download the .csr file to your local machine: Step 4 Using a text editor, open the cup-xmpp-s2s.csr file. Step 5 Copy the contents of the CSR file. You must copy all information from and including
- BEGIN CERTIFICATE REQUEST
to and including
END CERTIFICATE REQUEST -
Step 6 On your internet browser, browse to your CA server, for example: http://<name of your Issuing CA Server>/certsrv
Step 7 Select Request a certificate. Step 8 Select Advanced certificate request. Step 9 Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. Step 10 Paste the contents of the CSR file (that you copied in step 5) into the Saved Request field. Step 11 Select Submit. Step 12 On your internet browser, return to the URL: http://<name of your Issuing CA Server>/certsrv
Step 13 Select View the status of a pending certificate request. Step 14 Click on the certificate request that you issued in the previous section. Step 15 Select Base 64 encoded. Step 16 Select Download certificate. Step 17 Save the certificate to your local machine:
What to Do Next
Upload CA-signed certificate for XMPP federation
Upload CA-signed certificate for XMPP federation
Before You BeginProcedureComplete the steps in Generate certificate signing request for XMPP federation.
Step 1 Select on IM and Presence. Step 2 Select Upload Certificate. Step 3 Select cup-xmpp-s2s for Certificate Name. Step 4 Specify the name of the root certificate in the Root Certificate Field. Step 5 Select Upload File. Step 6 Browse to the location of the CA-signed certificate that you saved to your local machine. Step 7 Select Upload File. Step 8 Restart the Cisco XCP Router service. Select to restart this service.
What to Do Next
Import root CA certificate for XMPP federation
Procedure
Note
This section describes how to manually upload the XMPP S2S trust certificates to IM and Presence. You can also use the Certificate Import Tool to automatically upload XMPP S2S trust certificates. To access the Certificate Import Tool, select , and see the Online Help for instructions on how to use this tool.
If IM and Presence federates with an enterprise, and a commonly trusted Certificate Authority (CA) signs the certificate of that enterprise, you must upload the root certificate from the CA to IM and Presence server.
If IM and Presence federates with an enterprise that uses a self-signed certificate rather than a certificate signed by a commonly trusted CA, you can upload the self-signed certificate using this procedure.
Step 1 Select on IM and Presence. Step 2 Select Upload Certificate. Step 3 Select cup-xmpp-trust for Certificate Name.
Note Leave the Root Name field blank.
Step 4 Select Browse, and browse to the location of the root CA certificate that you previously downloaded and saved to you local machine. Step 5 Select Upload File to upload the certificate to the IM and Presence server.
Note You must repeat this procedure every time you federate with a new enterprise whose CA you do not already trust. Likewise, you should follow this procedure if the new enterprise uses self-signed certificates, where the self-signed certificates are uploaded instead of the Root CA certificate.
If your trust certificate is self-signed, you cannot turn on the Require client side certificates parameter in the XMPP federation security settings window.
