Deployment Guide for Cisco Unified Presence Release 8.0 and 8.5
Configuring Security on Cisco Unified Presence

Table Of Contents

Configuring Security on Cisco Unified Presence

Cisco Unified Presence Certificate Types

How to Configure the Certificate Exchange Between Cisco Unified Presence and Cisco Unified Communications Manager

Prerequisites for Configuring Security

Importing the Cisco Unified Communications Manager Certificate to Cisco Unified Presence

Restarting the SIP Proxy Service

Downloading the Certificate from Cisco Unified Presence

Uploading the Cisco Unified Presence Certificate to Cisco Unified Communications Manager

Restarting the Cisco Unified Communications Manager Service

How to Configure the SIP Security Settings on Cisco Unified Presence

Configuring a TLS Peer Subject

Configuring a TLS Context

Configuring the SIP Proxy-to-Proxy Intracluster Protocol Type

How to Configure the XMPP Security Settings on Cisco Unified Presence

XMPP Security Modes

Configuring the XMPP Certificate Settings


Configuring Security on Cisco Unified Presence


January 22, 2013

Cisco Unified Presence Certificate Types

How to Configure the Certificate Exchange Between Cisco Unified Presence and Cisco Unified Communications Manager

How to Configure the SIP Security Settings on Cisco Unified Presence

How to Configure the XMPP Security Settings on Cisco Unified Presence

Cisco Unified Presence Certificate Types

This section describes the different certificates required for the clients and services on Cisco Unified Presence.

Table 7-1 Certificate Types for Client Applications on Cisco Unified Presence

Client                                                               Certificate
-------------------------------------------------------------------  -----------
SIP client (Cisco Unified Personal Communicator Release 7.x, IPPM,   tomcat
Cisco Unified Communications Manager)
XMPP client (Cisco Unified Personal Communicator Release 8.0,        cup-xmpp
third-party client)


Table 7-2 Certificate Types for Cisco Unified Presence Services

Service                         Certificate    Certificate Trust Store   Notes
------------------------------  -------------  ------------------------  -----
SIP Proxy                       cup            cup-trust
Presence Engine                 cup            cup-trust
SOAP                            tomcat         directory-trust
AXL                             tomcat         directory-trust
LDAP                            tomcat         directory-trust           1
Microsoft Exchange              -              cup-trust
Microsoft OCS/LCS Call Control  cup            cup-trust
SIP Federation                  cup            cup-trust
XMPP Federation                 cup-xmpp-s2s   cup-xmpp-trust            2

1. LDAP uses the tomcat certificate because the directory/directory-trust pair is now tomcat/tomcat-trust.

2. The trust certificates for cup-xmpp-s2s are stored in cup-xmpp-trust along with the general XMPP trust certificates.


Related Topics

(Cisco Unified Personal Communicator Release 8.x) Configuring Settings

How to Configure the XMPP Security Settings on Cisco Unified Presence

Configuring a Secure Connection Between Cisco Unified Presence and the LDAP Directory

How to Configure the Certificate Exchange Between Cisco Unified Presence and Cisco Unified Communications Manager

This module describes the exchange of self-signed certificates between the Cisco Unified Communications Manager server and the Cisco Unified Presence server. You can use the Certificate Import Tool on Cisco Unified Presence to automatically import the Cisco Unified Communications Manager certificate to Cisco Unified Presence. However, you must manually upload the Cisco Unified Presence certificate to Cisco Unified Communications Manager.

Only perform these procedures if you require a secure connection between Cisco Unified Presence and Cisco Unified Communications Manager.

Prerequisites for Configuring Security

Importing the Cisco Unified Communications Manager Certificate to Cisco Unified Presence

Restarting the SIP Proxy Service

Downloading the Certificate from Cisco Unified Presence

Uploading the Cisco Unified Presence Certificate to Cisco Unified Communications Manager

Restarting the Cisco Unified Communications Manager Service

Prerequisites for Configuring Security

Configure the following items on Cisco Unified Communications Manager:

Configure a SIP security profile for Cisco Unified Presence.

Configure a SIP trunk for Cisco Unified Presence:

Associate the security profile with the SIP trunk.

Configure the SIP trunk with the subject Common Name (CN) of the Cisco Unified Presence certificate.

Related Topic

How to Configure the SIP Trunk on Cisco Unified Communications Manager

Importing the Cisco Unified Communications Manager Certificate to Cisco Unified Presence

Procedure


Step 1 Select Cisco Unified Presence Administration > System > Security > Certificate Import Tool.

Step 2 Select CUP Trust from the Certificate Trust Store menu.

Step 3 Enter the IP address, hostname or FQDN of the Cisco Unified Communications Manager server.

Step 4 Enter a port number to communicate with the Cisco Unified Communications Manager server.

Step 5 Select Submit.


Troubleshooting Tips

When the Certificate Import Tool completes the import operation, it reports whether it connected to Cisco Unified Communications Manager and whether it downloaded the certificate from Cisco Unified Communications Manager. If the Certificate Import Tool reports a failure, see the Online Help for a recommended action. You can also import the certificate manually by selecting Cisco Unified OS Administration > Security > Certificate Management. Because the tool trusts whatever certificate the host at the address you entered presents, confirm that the certificate it stored in cup-trust matches the CallManager certificate shown in Certificate Management on Cisco Unified Communications Manager before you restart the SIP proxy.

What To Do Next

Restarting the SIP Proxy Service

Restarting the SIP Proxy Service

Before You Begin

Import the Cisco Unified Communications Manager certificate to Cisco Unified Presence.

Procedure


Step 1 Select Cisco Unified Serviceability > Tools > Control Center - Feature Services on Cisco Unified Presence.

Step 2 Select Cisco UP SIP Proxy.

Step 3 Select Restart.


What To Do Next

Downloading the Certificate from Cisco Unified Presence

Downloading the Certificate from Cisco Unified Presence

Procedure


Step 1 Select Cisco Unified OS Administration > Security > Certificate Management on Cisco Unified Presence.

Step 2 Select Find.

Step 3 Select the cup.pem file.

Step 4 Select Download and save the file to your local computer.


Troubleshooting Tips

Ignore any errors that Cisco Unified Presence displays regarding access to the cup.csr file. The certificate that you exchange with Cisco Unified Communications Manager does not need to be signed by a CA (Certificate Authority).

What To Do Next

Uploading the Cisco Unified Presence Certificate to Cisco Unified Communications Manager

Uploading the Cisco Unified Presence Certificate to Cisco Unified Communications Manager

Before You Begin

Download the certificate from Cisco Unified Presence.

Procedure


Step 1 Select Cisco Unified OS Administration > Security > Certificate Management on Cisco Unified Communications Manager.

Step 2 Select Upload Certificate.

Step 3 Select Callmanager-trust from the Certificate Name menu.

Step 4 Browse and select the certificate (.pem file) previously downloaded from Cisco Unified Presence.

Step 5 Select Upload File.


Related Topic

Downloading the Certificate from Cisco Unified Presence

What To Do Next

Restarting the Cisco Unified Communications Manager Service

Restarting the Cisco Unified Communications Manager Service

Before You Begin

Upload the Cisco Unified Presence certificate to Cisco Unified Communications Manager.

Procedure


Step 1 Select Cisco Unified Serviceability > Tools > Control Center - Feature Services on Cisco Unified Communications Manager.

Step 2 Select Cisco CallManager.

Step 3 Select Restart.


Related Topic

Uploading the Cisco Unified Presence Certificate to Cisco Unified Communications Manager

What To Do Next

How to Configure the SIP Security Settings on Cisco Unified Presence

How to Configure the SIP Security Settings on Cisco Unified Presence

Configuring a TLS Peer Subject

Configuring a TLS Context

Configuring the SIP Proxy-to-Proxy Intracluster Protocol Type

Configuring a TLS Peer Subject

When you import a certificate into Cisco Unified Presence, Cisco Unified Presence automatically attempts to add the subject of that certificate to the TLS peer subject list and to the TLS context list. Verify that the TLS peer subject and TLS context configuration meets your requirements.

Procedure


Step 1 Select Cisco Unified Presence Administration > System > Security > TLS Peer Subjects.

Step 2 Select Add New.

Step 3 Perform one of the following actions for the Peer Subject Name:

a. Enter the subject CN of the certificate that the server presents.

b. Open the certificate, look for the CN and paste it here.

Step 4 Enter the name of the server in the Description field.

Step 5 Select Save.


What To Do Next

Configuring a TLS Context

Configuring a TLS Context

When you import a certificate into Cisco Unified Presence, Cisco Unified Presence automatically attempts to add the subject of that certificate to the TLS peer subject list and to the TLS context list. Verify that the TLS peer subject and TLS context configuration meets your requirements.

Before You Begin

Configure a TLS peer subject on Cisco Unified Presence.

Procedure


Step 1 Select Cisco Unified Presence Administration > System > Security > TLS Context Configuration.

Step 2 Select Find.

Step 3 Select Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.

Step 4 From the list of available TLS peer subjects, select the TLS peer subject that you configured.

Step 5 Move this TLS peer subject to Selected TLS Peer Subjects.

Step 6 Select Save.

Step 7 Select Cisco Unified Serviceability > Tools > Control Center - Feature Services on Cisco Unified Presence.

Step 8 Select Cisco UP SIP Proxy and then select Restart.


Troubleshooting Tips

You must restart the SIP proxy service before any changes that you make to the TLS context take effect.

Related Topics

Configuring a TLS Peer Subject

Restarting the SIP Proxy Service
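The certificate exchange in this module and the TLS peer subject and TLS context checks above, as an added example that is not part of this guide and is not Cisco's implementation. The Go program below (Go because its standard library carries X.509 and TLS) generates two self-signed certificates standing in for cup.pem and the CallManager certificate, places each in the other side's trust store, selects the peer's subject CN as a TLS peer subject, and then runs three mutual-TLS handshakes against the SIP proxy side: the imported and selected peer, a certificate with the same CN that was never imported into cup-trust, and a certificate that was imported but not selected as a peer subject. The host names cup1.example.com, cucm1.example.com and other.example.com, the function names, and the use of Ed25519 keys are assumptions of this example. Go matches host names on subjectAltName entries rather than the CN, so the example also writes the CN into the SAN; the appliances themselves match on the CN as the procedure describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned stands in for the self-signed certificate each appliance generates for
// itself (cup.pem, CallManager.pem); cn is the subject CN the peer identifies it by.
func selfSigned(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // Go matches host names on SANs, never on the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // output of CreateCertificate always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// tlsContext is the analogue of a peer-authentication TLS context: trust holds the
// certificates imported into the trust store, peerSubjects the selected subject CNs.
func tlsContext(own tls.Certificate, trust []*x509.Certificate, peerSubjects ...string) *tls.Config {
	pool := x509.NewCertPool()
	for _, c := range trust {
		pool.AddCert(c)
	}
	return &tls.Config{
		Certificates: []tls.Certificate{own},
		RootCAs:      pool,            // consulted when this side dials
		ClientCAs:    pool,            // consulted when this side accepts
		ServerName:   peerSubjects[0], // when dialling, the host name expected of the peer
		ClientAuth:   tls.RequireAndVerifyClientCert,
		VerifyConnection: func(cs tls.ConnectionState) error { // runs after chain verification
			cn := cs.PeerCertificates[0].Subject.CommonName
			for _, s := range peerSubjects {
				if s == cn {
					return nil
				}
			}
			return fmt.Errorf("peer subject %q is not a selected TLS peer subject", cn)
		},
	}
}

// handshake runs one mutual-TLS handshake over loopback TCP and returns the server
// side's verdict; nil means the SIP proxy accepted the peer.
func handshake(server, client *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			err = tls.Server(raw, server).Handshake()
		}
		verdict <- err
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), client); err == nil {
		conn.Close()
	}
	return <-verdict
}

// exchange models this module's procedure with hypothetical host names: CUCM's
// certificate goes into cup-trust and its CN is selected as a TLS peer subject;
// CUP's certificate goes into CallManager-trust and its CN is set on the SIP trunk.
func exchange() (trusted, untrusted, unlisted error) {
	cup, cucm := selfSigned("cup1.example.com"), selfSigned("cucm1.example.com")
	rogue := selfSigned("cucm1.example.com") // right CN, but never imported into cup-trust
	other := selfSigned("other.example.com") // imported, but not a selected peer subject
	sipProxy := tlsContext(cup, []*x509.Certificate{cucm.Leaf, other.Leaf}, "cucm1.example.com")
	trunk := func(c tls.Certificate) *tls.Config { return tlsContext(c, []*x509.Certificate{cup.Leaf}, "cup1.example.com") }
	return handshake(sipProxy, trunk(cucm)), handshake(sipProxy, trunk(rogue)), handshake(sipProxy, trunk(other))
}

func main() {
	t, u, l := exchange()
	fmt.Println("trusted peer accepted:", t == nil, "| unknown cert rejected:", u != nil, "| unlisted subject rejected:", l != nil)
}
```

The two rejections fail for different reasons: the never-imported certificate is refused during chain verification (its issuer is not in the trust store, even though its CN is the selected one), while the imported-but-unselected certificate passes chain verification and is refused only by the peer subject check. That is why both the trust store and the TLS peer subject list must be right, and why an unexpected entry in either one widens who may reach the SIP proxy. On the appliance side, the Certificate Import Tool trusts whatever the named host presents, so compare the fingerprint of what it stored with the certificate shown on Cisco Unified Communications Manager; for a certificate you have downloaded as a file, `openssl x509 -noout -fingerprint -sha256 -in <file>` prints it.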

Configuring the SIP Proxy-to-Proxy Intracluster Protocol Type

Select the protocol that Cisco Unified Presence uses to route SIP messages between proxies in an intracluster deployment. The default value is TLS. Use TLS if a cluster node sends traffic over an unsecured network and you want a secure (encrypted) connection channel.

Procedure


Step 1 Select Cisco Unified Presence Administration > System > Security > General Settings.

Step 2 Select a protocol type from the SIP Intra-cluster Proxy-to-Proxy Transport Protocol menu.

Step 3 Select Save.


Troubleshooting Tips

You must restart the SIP proxy service before any changes that you make to the SIP proxy protocol take effect.

Related Topic

Restarting the SIP Proxy Service

How to Configure the XMPP Security Settings on Cisco Unified Presence

XMPP Security Modes

Configuring the XMPP Certificate Settings

XMPP Security Modes

Cisco Unified Presence provides increased security for XMPP-based configuration. Table 7-3 describes these XMPP secure modes. To configure the XMPP secure modes on Cisco Unified Presence, select Cisco Unified Presence Administration > System > Security > Settings.

Table 7-3 XMPP Secure Mode Descriptions

Secure Mode: Enable XMPP Client To CUP Secure Mode

Description: If you turn on this setting, Cisco Unified Presence establishes a secure TLS connection between the Cisco Unified Presence servers and XMPP client applications in a cluster. Cisco Unified Presence turns on this secure mode by default.

We recommend that you do not turn off this secure mode unless the XMPP client application can protect the client login credentials in non-secure mode. If you do turn off the secure mode, verify that you can secure the XMPP client-to-server communication in some other way.

Secure Mode: Enable XMPP Router-to-Router Secure Mode

Description: If you turn on this setting, Cisco Unified Presence establishes a secure TLS connection between XMPP routers in the same cluster, or in different clusters. Cisco Unified Presence automatically replicates the XMPP certificate within the cluster, and across clusters, as an XMPP trust certificate. An XMPP router attempts to establish a TLS connection with any other XMPP router, in the same cluster or a different cluster, that is available to establish a TLS connection.

Secure Mode: Enable Web Client to CUP Secure Mode

Description: If you turn on this setting, Cisco Unified Presence establishes a secure TLS connection between the Cisco Unified Presence servers and XMPP-based API client applications. If you turn on this setting, upload the certificates or signing certificates for the web client to the cup-xmpp-trust repository on Cisco Unified Presence.

Troubleshooting Tips

If you update the XMPP security settings, perform one of these actions:

If you are running Cisco Unified Presence Release 8.0(x), restart the Cisco UP XCP Router. Select Cisco Unified Serviceability > Tools > Control Center - Network Services to restart this service.

If you are running Cisco Unified Presence Release 8.5(x), restart the services as follows:

Restart the Cisco UP XCP Connection Manager if you edit Enable XMPP Client To CUP Secure Mode. Select Cisco Unified Serviceability > Tools > Control Center - Feature Services to restart this service.

Restart the Cisco UP XCP Router if you edit the Enable XMPP Router-to-Router Secure Mode. Select Cisco Unified Serviceability > Tools > Control Center - Network Services to restart this service.

Restart the Cisco UP XCP Web Connection Manager if you edit Enable Web Client To CUP Secure Mode. Select Cisco Unified Serviceability > Tools > Control Center - Feature Services to restart this service.

Related Topics

Integrating Third-Party XMPP Client Applications on Cisco Unified Presence

Configuring the XMPP Certificate Settings

Configuring the XMPP Certificate Settings

Procedure


Step 1 Select Cisco Unified Presence Administration > System > Security > Settings.

Step 2 Enter a server-to-server domain name for this Cisco Unified Presence cluster, for example, cisco.com.

Step 3 Check Use Domain Name for XMPP Certificate Subject Common Name if you want the general XMPP certificate to use the same Domain Name as the XMPP server-to-server certificate.

Step 4 Select Save.

Step 5 Restart the Cisco UP XCP Router service. Select Cisco Unified Serviceability > Tools > Control Center - Network Services > Cisco UP XCP Router to restart this service.


Troubleshooting Tips

If you change the server-to-server domain name value, you must regenerate affected XMPP S2S certificates before you restart the Cisco UP XCP Router service.

Related Topic

XMPP Security Modes