The following workflow diagram shows the high-level steps to configure security on the IM and Presence Service node deployment.
The following table lists the tasks to perform to set up security on the IM and Presence Service node deployment. For detailed instructions, see the procedures that are related to the tasks outlined in the workflow.
Note | Optionally, you can create a banner that users acknowledge as part of their login to any IM and Presence Service interface. |
You can create a banner that users acknowledge as part of their login to any IM and Presence Service interface. Create a .txt file in any text editor, include the notifications you want users to be aware of, and upload it on the Cisco Unified IM and Presence OS Administration page. The banner then appears on all IM and Presence Service interfaces, notifying users of important information, including legal warnings and obligations, before they log in. The following interfaces display this banner before and after a user logs in: Cisco Unified CM IM and Presence Administration, Cisco Unified IM and Presence Operating System Administration, Cisco Unified IM and Presence Serviceability, Cisco Unified IM and Presence Reporting, and IM and Presence Disaster Recovery System.
Step 1 | Create a .txt file with the contents you want to display in the banner. | ||
Step 2 | Sign in to Cisco Unified IM and Presence Operating System Administration. | ||
Step 3 | Choose . | ||
Step 4 | Click Browse and locate the .txt file. | ||
Step 5 | Click Upload File. The banner will appear before and after login on most IM and Presence Service interfaces. |
This section describes the different certificates required for the clients and services on IM and Presence Service.
LDAP uses the tomcat certificate because directory/directory-trust is now tomcat/tomcat-trust.
Microsoft Lync/OCS Call Control
The trust certificates for cup-xmpp-s2s are stored in cup-xmpp-trust along with the general XMPP trust certificates.
This module describes the exchange of self-signed certificates between the Cisco Unified Communications Manager node and the IM and Presence Service node. You can use the Certificate Import Tool on IM and Presence Service to automatically import the Cisco Unified Communications Manager certificate to IM and Presence Service. However, you must manually upload the IM and Presence Service certificate to Cisco Unified Communications Manager.
Only perform these procedures if you require a secure connection between IM and Presence Service and Cisco Unified Communications Manager.
Configure the following items on Cisco Unified Communications Manager:
Step 1 | Choose . | ||
Step 2 | Choose IM and Presence (IM/P) Service Trust from the Certificate Trust Store menu. | ||
Step 3 | Enter the IP address, hostname or FQDN of the Cisco Unified Communications Manager node. | ||
Step 4 | Enter a port number to communicate with the Cisco Unified Communications Manager node. | ||
Step 5 | Click Submit. |
Import the Cisco Unified Communications Manager certificate to IM and Presence Service.
Proceed to download the certificate from IM and Presence Service.
Step 1 | On IM and Presence Service, choose . | ||
Step 2 | Click Find. | ||
Step 3 | Choose the cup.pem file. | ||
Step 4 | Click Download and save the file to your local computer. |
Proceed to upload the IM and Presence Service certificate to Cisco Unified Communications Manager.
Proceed to restart the Cisco Unified Communications Manager CallManager service.
Upload the IM and Presence Service certificate to Cisco Unified Communications Manager.
Proceed to configure SIP security settings on IM and Presence Service.
This section describes how to upload the following types of CA signed certificates to an IM and Presence Service deployment:
The high-level steps to upload a CA signed Tomcat certificate to IM and Presence Service are:
When you upload the Root and Intermediate Certificates, you must upload each certificate in the certificate chain to IM and Presence Service from the Root Certificate down to the last Intermediate Certificate, as follows:
root > intermediate-1 > intermediate-2 > … > intermediate-N
With each certificate that you upload in the chain, you must specify which previously uploaded certificate signed it. For example:
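The ordering rule above (and the identical rule for the cup-xmpp-trust store later on this page), together with the guide's own self-signed test (Issuer CN equals Subject CN), can be checked before you open the upload dialog. The following Python is an added example, not code from the Cisco guide; it models each certificate as a dict holding its subject CN and issuer CN (the sample chain is constructed) and assumes you extract those two fields from each PEM file yourself, for instance with `openssl x509 -noout -subject -issuer -in cert.pem`.

```python
"""Plan the upload order of a CA chain into an IM and Presence trust store.

Added example; certificates are plain dicts with "subject_cn" and "issuer_cn".
"""


def is_self_signed(cert):
    """The guide's test for a self-signed certificate: Issuer CN == Subject CN."""
    return cert["issuer_cn"] == cert["subject_cn"]


def split_leaf(certs):
    """Separate the node's own (leaf) certificate from the CA certificates.

    The leaf is the single certificate that signed nothing else in the set; the
    rest belong in the *-trust store, the leaf in the service store (e.g. tomcat).
    """
    issuers = {c["issuer_cn"] for c in certs}
    leaves = [c for c in certs if c["subject_cn"] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    leaf = leaves[0]
    return [c for c in certs if c is not leaf], leaf


def upload_order(chain):
    """Return the CA chain root first, as the guide requires.

    Each entry is (cert, signer_cn): signer_cn is the subject CN of the
    previously uploaded certificate that signed it (None for the root), which
    is the value to select in the upload dialog.  Raises ValueError when the
    chain has no single self-signed root or a link whose issuer is missing.
    """
    if len({c["subject_cn"] for c in chain}) != len(chain):
        raise ValueError("duplicate subject CN in chain")
    roots = [c for c in chain if is_self_signed(c)]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one self-signed root, found {len(roots)}")

    ordered = [(roots[0], None)]
    uploaded = {roots[0]["subject_cn"]}
    remaining = [c for c in chain if c is not roots[0]]
    # Each pass appends every certificate whose issuer was already "uploaded";
    # a pass that adds nothing means the chain is missing an intermediate.
    while remaining:
        ready = [c for c in remaining if c["issuer_cn"] in uploaded]
        if not ready:
            missing = sorted({c["issuer_cn"] for c in remaining})
            raise ValueError(f"no certificate in chain signed by: {missing}")
        for c in ready:
            ordered.append((c, c["issuer_cn"]))
            uploaded.add(c["subject_cn"])
            remaining.remove(c)
    return ordered


def chain_problem(chain):
    """Return the ordering error as text, or None if the chain uploads cleanly."""
    try:
        upload_order(chain)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample: a node certificate plus a three-level CA chain, in random order.
CHAIN = [
    {"subject_cn": "imp1.example.com", "issuer_cn": "Example Issuing CA 2"},
    {"subject_cn": "Example Issuing CA 2", "issuer_cn": "Example Policy CA 1"},
    {"subject_cn": "Example Root CA", "issuer_cn": "Example Root CA"},
    {"subject_cn": "Example Policy CA 1", "issuer_cn": "Example Root CA"},
]

if __name__ == "__main__":
    trust, leaf = split_leaf(CHAIN)
    for cert, signer in upload_order(trust):
        print(f"upload to tomcat-trust: {cert['subject_cn']} (signed by: {signer})")
    print(f"upload to tomcat: {leaf['subject_cn']}")
```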
You must upload the Root Certificate and the Intermediate Certificates, if any, to the trust store of the related leaf certificate on the IM and Presence database publisher node. Complete the following procedure to upload the Root Certificate and the Intermediate Certificate of the signing Certificate Authority (CA) to the IM and Presence Service deployment.
Step 1 | On the IM and Presence database publisher node, choose . |
Step 2 | Click Upload Certificate/Certificate chain. |
Step 3 | From the Certificate Name drop-down list, choose tomcat-trust. |
Step 4 | Enter a description for the signed certificate. |
Step 5 | Click Browse to locate the file for the Root Certificate. |
Step 6 | Click Upload File. |
Step 7 | Upload each Intermediate Certificate in the same way using the Upload Certificate/Certificate chain window. |
Restart the Cisco Intercluster Sync Agent service.
After you upload the Root and Intermediate certificates to the IM and Presence database publisher node, you must restart the Cisco Intercluster Sync Agent service on that node. This service restart ensures that the CA certificates are synced immediately to all other clusters.
Note | You can also restart the Cisco Intercluster Sync Agent service from the Cisco Unified Serviceability GUI. |
Verify that the CA certificates have synced to the other clusters.
After the Cisco Intercluster Sync Agent service has restarted, you must ensure that the CA certificate(s) have been correctly synchronized to other clusters. Complete the following procedure on each of the other IM and Presence database publisher nodes.
Step 1 | Choose . |
Step 2 | Under Inter-clustering Troubleshooter, find the test Verify that each TLS-enabled inter-cluster peer has successfully exchanged security certificates and verify that it has passed. |
Step 3 | If the test shows an error, note the intercluster peer IP address; it should reference the cluster on which you uploaded the CA certificate(s). Continue with the following steps to resolve the issue. |
Step 4 | Choose . Click the link associated with the intercluster peer that was identified on the System Troubleshooter page. |
Step 5 | Click Force Manual Sync. |
Step 6 | Allow 60 seconds for the Inter-cluster Peer Status panel to auto-refresh. |
Step 7 | Verify that the Certificate Status field shows "Connection is secure". |
Step 8 | If the Certificate Status field does not show "Connection is secure", restart the Cisco Intercluster Sync Agent service on the IM and Presence database publisher node and then repeat steps 5 to 7. |
Step 9 | Verify that the Certificate Status now shows "Connection is secure". This means that intercluster syncing is correctly established between the clusters and that the CA certificates that you uploaded are synced to the other clusters. |
Upload the signed certificate to each IM and Presence Service node.
When the CA certificates have correctly synced to all clusters, you can upload the appropriate signed certificate to each IM and Presence Service node.
Note | Cisco recommends that you sign all required tomcat certificates for a cluster and upload them at the same time. This process reduces the time to recover intercluster communications. |
Step 1 | Choose . |
Step 2 | Click Upload Certificate/Certificate chain. |
Step 3 | From the Certificate Name drop-down list, choose tomcat. |
Step 4 | Enter a description for the signed certificate. |
Step 5 | Click Browse to locate the file to upload. |
Step 6 | Click Upload File. |
Step 7 | Repeat for each IM and Presence Service node. |
For more information about certificate management, see the Cisco Unified Communications Operating System Administration Guide.
What to Do Next
Restart the Cisco Tomcat service.
After you upload the tomcat certificate to each IM and Presence Service node, you must restart the Cisco Tomcat service on each node.
Verify that intercluster syncing is operating correctly.
After the Cisco Tomcat service has restarted for all affected nodes within the cluster, you must verify that intercluster syncing is operating correctly. Complete the following procedure on each IM and Presence database publisher node in the other clusters.
Step 1 | Choose . |
Step 2 | Under Inter-clustering Troubleshooter, find the test Verify that each TLS-enabled inter-cluster peer has successfully exchanged security certificates and verify that it has passed. |
Step 3 | If the test shows an error, note the intercluster peer IP address; it should reference the cluster on which you uploaded the CA certificate(s). Continue with the following steps to resolve the issue. |
Step 4 | Choose . Click the link associated with the intercluster peer that was identified on the System Troubleshooter page. |
Step 5 | Click Force Manual Sync. |
Step 6 | Check the Also resync peer's Tomcat certificates checkbox and click OK. |
Step 7 | Allow 60 seconds for the Inter-cluster Peer Status panel to auto-refresh. |
Step 8 | Verify that the Certificate Status field shows "Connection is secure". |
Step 9 | If the Certificate Status field does not show "Connection is secure", restart the Cisco Intercluster Sync Agent service on the IM and Presence database publisher node and then repeat steps 5 to 8. |
Step 10 | Verify that the Certificate Status now shows "Connection is secure". This means that intercluster syncing is now re-established between this cluster and the cluster for which the certificates were uploaded. |
The high-level steps to upload a CA signed cup-xmpp certificate to IM and Presence Service are:
When you upload the Root and Intermediate Certificates, you must upload each certificate in the certificate chain to IM and Presence Service from the Root Certificate down to the last Intermediate Certificate, as follows:
root > intermediate-1 > intermediate-2 > … > intermediate-N
With each certificate that you upload in the chain, you must specify which previously uploaded certificate signed it. For example:
You must upload the Root Certificate and the Intermediate Certificates, if any, to the cup-xmpp-trust store on the IM and Presence database publisher node. Complete the following procedure to upload the Root Certificate and the Intermediate Certificate of the signing Certificate Authority (CA) to the IM and Presence Service deployment.
Step 1 | On the IM and Presence database publisher node, choose . |
Step 2 | Click Upload Certificate/Certificate chain. |
Step 3 | From the Certificate Name drop-down list, choose cup-xmpp-trust. |
Step 4 | Enter a description for the signed certificate. |
Step 5 | Click Browse to locate the file for the Root Certificate. |
Step 6 | Click Upload File. |
Step 7 | Upload each Intermediate Certificate in the same way using the Upload Certificate/Certificate chain window. |
Restart the Cisco Intercluster Sync Agent service.
After you upload the Root and Intermediate certificates to the IM and Presence database publisher node, you must restart the Cisco Intercluster Sync Agent service on that node. This service restart ensures that the CA certificates are synced immediately to all other clusters.
Note | You can also restart the Cisco Intercluster Sync Agent service from the Cisco Unified Serviceability GUI. |
Verify that the CA certificates have synced to the other clusters.
After the Cisco Intercluster Sync Agent service has restarted, you must ensure that the CA certificate(s) have been correctly synchronized to other clusters. Complete the following procedure on each of the other IM and Presence database publisher nodes.
Step 1 | Choose . |
Step 2 | Under Inter-clustering Troubleshooter, find the test Verify that each TLS-enabled inter-cluster peer has successfully exchanged security certificates and verify that it has passed. |
Step 3 | If the test shows an error, note the intercluster peer IP address; it should reference the cluster on which you uploaded the CA certificate(s). Continue with the following steps to resolve the issue. |
Step 4 | Choose . Click the link associated with the intercluster peer that was identified on the System Troubleshooter page. |
Step 5 | Click Force Manual Sync. |
Step 6 | Allow 60 seconds for the Inter-cluster Peer Status panel to auto-refresh. |
Step 7 | Verify that the Certificate Status field shows "Connection is secure". |
Step 8 | If the Certificate Status field does not show "Connection is secure", restart the Cisco Intercluster Sync Agent service on the IM and Presence database publisher node and then repeat steps 5 to 7. |
Step 9 | Verify that the Certificate Status now shows "Connection is secure". This means that intercluster syncing is correctly established between the clusters and that the CA certificates that you uploaded are synced to the other clusters. |
Upload the signed certificate to each IM and Presence Service node.
When the CA certificates have correctly synced to all clusters, you can upload the appropriate signed cup-xmpp certificate to each IM and Presence Service node.
Note | Cisco recommends that you sign all required cup-xmpp certificates for a cluster and upload them at the same time so that service impacts can be managed within a single maintenance window. |
Step 1 | Choose . |
Step 2 | Click Upload Certificate/Certificate chain. |
Step 3 | From the Certificate Name drop-down list, choose cup-xmpp. |
Step 4 | Enter a description for the signed certificate. |
Step 5 | Click Browse to locate the file to upload. |
Step 6 | Click Upload File. |
Step 7 | Repeat for each IM and Presence Service node. |
For more information about certificate management, see the Cisco Unified Communications Operating System Administration Guide.
What to Do Next
Restart the Cisco XCP Router service on all nodes.
Caution | A restart of the Cisco XCP Router affects service. |
After you upload the cup-xmpp certificate to each IM and Presence Service node, you must restart the Cisco XCP Router service on each node.
Note | You can also restart the Cisco XCP Router service from the Cisco Unified IM and Presence Serviceability GUI. |
The high-level steps to upload a CA signed cup-xmpp-s2s certificate to IM and Presence Service are:
When you upload the Root and Intermediate Certificates, you must upload each certificate in the certificate chain to IM and Presence Service from the Root Certificate down to the last Intermediate Certificate, as follows:
root > intermediate-1 > intermediate-2 > … > intermediate-N
With each certificate that you upload in the chain, you must specify which previously uploaded certificate signed it. For example:
You must upload the Root Certificate and the Intermediate Certificates, if any, to the cup-xmpp-trust store on the IM and Presence database publisher node. Complete the following procedure to upload the Root Certificate and the Intermediate Certificate of the signing Certificate Authority (CA) to the IM and Presence Service deployment.
Step 1 | On the IM and Presence database publisher node, choose . |
Step 2 | Click Upload Certificate/Certificate chain. |
Step 3 | From the Certificate Name drop-down list, choose cup-xmpp-trust. |
Step 4 | Enter a description for the signed certificate. |
Step 5 | Click Browse to locate the file for the Root Certificate. |
Step 6 | Click Upload File. |
Step 7 | Upload each Intermediate Certificate in the same way using the Upload Certificate/Certificate chain window. |
Verify that the CA certificates have synced to other clusters.
After the Cisco Intercluster Sync Agent service has restarted, you must ensure that the CA certificate(s) have been correctly synchronized to other clusters. Complete the following procedure on each of the other IM and Presence database publisher nodes.
Step 1 | Choose . |
Step 2 | Under Inter-clustering Troubleshooter, find the test Verify that each TLS-enabled inter-cluster peer has successfully exchanged security certificates and verify that it has passed. |
Step 3 | If the test shows an error, note the intercluster peer IP address; it should reference the cluster on which you uploaded the CA certificate(s). Continue with the following steps to resolve the issue. |
Step 4 | Choose . Click the link associated with the intercluster peer that was identified on the System Troubleshooter page. |
Step 5 | Click Force Manual Sync. |
Step 6 | Allow 60 seconds for the Inter-cluster Peer Status panel to auto-refresh. |
Step 7 | Verify that the Certificate Status field shows "Connection is secure". |
Step 8 | If the Certificate Status field does not show "Connection is secure", restart the Cisco Intercluster Sync Agent service on the IM and Presence database publisher node and then repeat steps 5 to 7. |
Step 9 | Verify that the Certificate Status now shows "Connection is secure". This means that intercluster syncing is correctly established between the clusters and that the CA certificates that you uploaded are synced to the other clusters. |
Upload the signed certificate to each IM and Presence Service node.
When the CA certificates have correctly synced to all clusters, you can upload the appropriate signed certificate to each IM and Presence Service federation node. You do not need to upload the certificate to all nodes, only to the nodes that handle federation.
Note | Cisco recommends that you sign all required cup-xmpp-s2s certificates for a cluster and upload them at the same time. |
Step 1 | Choose Cisco Unified IM and Presence OS Administration > Security > Certificate Management. |
Step 2 | Click Upload Certificate/Certificate chain. |
Step 3 | From the Certificate Name drop-down list, choose cup-xmpp. |
Step 4 | Enter a description for the signed certificate. |
Step 5 | Click Browse to locate the file to upload. |
Step 6 | Click Upload File. |
Step 7 | Repeat for each IM and Presence Service federation node. |
For more information about certificate management, see the Cisco Unified Communications Operating System Administration Guide.
What to Do Next
Restart the Cisco XCP XMPP Federation Connection Manager service on the affected nodes.
After you upload the cup-xmpp-s2s certificate to each IM and Presence Service federation node, you must restart the Cisco XCP XMPP Federation Connection Manager service on each federation node.
To support cross navigation for serviceability between nodes in the same cluster, the Cisco Tomcat service trust stores between IM and Presence Service and Cisco Unified Communications Manager are automatically synchronized.
When CA-signed certificates are generated to replace the original self-signed trust certificates on either IM and Presence Service or Cisco Unified Communications Manager, the original self-signed trust certificates persist in the service trust store of both nodes. If you want to delete the self-signed trust certificates, you must delete them on both the IM and Presence Service and Cisco Unified Communications Manager nodes.
You have configured the IM and Presence Service nodes with CA-signed certificates, and waited 30 minutes for the Cisco Intercluster Sync Agent Service to perform its periodic clean-up task on a given IM and Presence Service node.
Step 1 | Log in to the Cisco Unified IM and Presence Operating System Administration user interface, choose . | ||
Step 2 | Click Find. The Certificate List appears. | ||
Step 3 | Click the link for the self-signed trust certificate you wish to delete. Be certain that you have configured a CA-signed certificate for the service associated with the service trust store. | ||
Step 4 | Click Delete. |
Repeat the above procedure for each IM and Presence Service node in the cluster and on any intercluster peers to ensure complete removal of unnecessary self-signed trust certificates across the deployment.
If the service is Tomcat, you must also check for the IM and Presence Service node's self-signed tomcat-trust certificate on the Cisco Unified Communications Manager node. See Delete Self-Signed Tomcat-Trust Certificates from Cisco Unified Communications Manager.
There is a self-signed tomcat-trust certificate in the Cisco Unified Communications Manager service trust store for each node in the cluster. These are the only certificates that you delete from the Cisco Unified Communications Manager node.
Ensure that you have configured the cluster's IM and Presence Service nodes with CA-signed certificates, and you have waited for 30 minutes to allow the certificates to propagate to the Cisco Unified Communications Manager node.
Step 1 | Log in to the Cisco Unified Operating System Administration user interface, choose . The Certificate List window appears. | ||
Step 2 | To filter the search results, choose Certificate and begins with from the drop-down lists and then enter tomcat-trust in the empty field. Click Find. The Certificate List window expands with the tomcat-trust certificates listed. | ||
Step 3 | Identify the links that contain an IM and Presence Service node's hostname or FQDN in its name. These are self-signed certificates associated with this service and an IM and Presence Service node. | ||
Step 4 | Click the link to an IM and Presence Service node's self-signed tomcat-trust certificate. A new window appears that shows the tomcat-trust certificate details. | ||
Step 5 | Confirm in the Certificate Details that this is a self-signed certificate by ensuring that the Issuer Name CN= and the Subject Name CN= values match. | ||
Step 6 | If you have confirmed that it is a self-signed certificate and you are certain that the CA-signed certificate has propagated to the Cisco Unified Communications Manager node, click Delete. | ||
Step 7 | Repeat steps 4, 5, and 6 for each IM and Presence Service node in the cluster. |
When you import an IM and Presence Service certificate, IM and Presence Service automatically attempts to add the TLS peer subject to the TLS peer subject list, and to the TLS context list. Verify the TLS peer subject and TLS context configuration is set up to your requirements.
Step 1 | Choose . |
Step 2 | Click Find. |
Step 3 | Choose Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context. |
Step 4 | From the list of available TLS peer subjects, choose the TLS peer subject that you configured. |
Step 5 | Move this TLS peer subject to Selected TLS Peer Subjects. |
Step 6 | Click Save. |
Step 7 | Choose . |
Step 8 | Restart the Cisco SIP Proxy service. You must restart the SIP proxy service before any changes that you make to the TLS context take effect. |
IM and Presence Service provides increased security for XMPP-based configuration. The following table describes these XMPP security modes. To configure the XMPP security modes on IM and Presence Service, choose .
Security Mode | Description |
Enable XMPP Client To IM/P Service Secure Mode | If you turn on this setting, IM and Presence Service establishes a secure TLS connection between the IM and Presence Service nodes and XMPP client applications in a cluster. IM and Presence Service turns on this secure mode by default. We recommend that you do not turn off this secure mode unless the XMPP client application can protect the client login credentials in nonsecure mode. If you do turn off the secure mode, verify that you can secure the XMPP client-to-node communication in some other way. |
Enable XMPP Router-to-Router Secure Mode | If you turn on this setting, IM and Presence Service establishes a secure TLS connection between XMPP routers in the same cluster, or in different clusters. IM and Presence Service automatically replicates the XMPP certificate within the cluster and across clusters as an XMPP trust certificate. An XMPP router will attempt to establish a TLS connection with any other XMPP router that is in the same cluster or a different cluster, and is available to establish a TLS connection. |
Enable Web Client To IM/P Service Secure Mode | If you turn on this setting, IM and Presence Service establishes a secure TLS connection between the IM and Presence Service nodes and XMPP-based API client applications. If you turn on this setting, upload the certificates or signing certificates for the web client in the cup-xmpp-trust repository on IM and Presence Service. |
If you update the XMPP security settings, restart the services. Perform one of these actions:
Restart the Cisco XCP Connection Manager if you edit Enable XMPP Client To IM/P Service Secure Mode. Choose to restart this service.
Restart the Cisco XCP Router if you edit the Enable XMPP Router-to-Router Secure Mode. Choose to restart this service.
Restart the Cisco XCP Web Connection Manager if you edit Enable Web Client To IM/P Service Secure Mode. Choose to restart this service.
Step 1 | Choose . |
Step 2 | Perform one of the following tasks: |
Step 3 | Click Save. |
If you update the XMPP security settings, restart the affected service using one of the following actions:
Restart the Cisco XCP Connection Manager if you edit Enable XMPP Client To IM/P Service Secure Mode. Choose to restart this service.
Restart the Cisco XCP Web Connection Manager if you edit Enable Web Client To IM/P Service Secure Mode. Choose to restart this service.
Proceed to turn on the services that support XMPP clients on the IM and Presence Service node.
Perform this procedure on each node in your IM and Presence Service cluster.
Step 1 | Choose . | ||
Step 2 | Choose the IM and Presence Service node from the Server menu. | ||
Step 3 | Turn on the following services: | ||
Step 4 | Click Save. |
To support group chat between XMPP federation partners over TLS, you must enable wildcards for XMPP security certificates.
By default, the XMPP federation security certificate cup-xmpp-s2s contains all domains hosted by the IM and Presence Service deployment. These are added as Subject Alternative Name (SAN) entries within the certificate. You must supply wildcards for all hosted domains within the same certificate. So instead of a SAN entry of "example.com", the XMPP security certificate must contain a SAN entry of "*.example.com". The wildcard is needed because the group chat server aliases are sub-domains of one of the hosted domains on the IM and Presence Service system. For example: "conference.example.com".
Tip | To view the cup-xmpp-s2s certificate on any node, choose and click on the cup-xmpp-s2s link. |
You must regenerate the XMPP federation security certificates on all nodes within the cluster where the Cisco XMPP Federation Connection Manager service is running and XMPP Federation is enabled. This security setting must be enabled on all IM and Presence Service clusters to support XMPP Federation Group Chat over TLS.
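The SAN requirement described above can be checked against a certificate's DNS SAN list before you request the regenerated cup-xmpp-s2s certificates. The following Python is an added example, not code from the Cisco guide; the hosted domains and SAN lists are constructed, the group chat alias prefix `conference` is taken from the example on this page, and it assumes you read the real SAN list from the certificate yourself (for instance with `openssl x509 -noout -ext subjectAltName -in cup-xmpp-s2s.pem`).

```python
"""Check that a cup-xmpp-s2s certificate's SAN entries cover group chat aliases.

Added example; SAN entries and hosted domains below are constructed.
"""


def san_matches(san, hostname):
    """True if one DNS SAN entry covers hostname.

    A wildcard covers exactly one leftmost label: "*.example.com" matches
    "conference.example.com" but neither "example.com" nor "a.b.example.com".
    Comparison is case-insensitive and ignores a trailing dot.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # ".example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return san == hostname


def group_chat_gaps(hosted_domains, san_entries, alias_prefix="conference"):
    """Return {alias: required SAN} for every group chat alias not covered.

    Per the guide, the group chat server alias is a sub-domain of each hosted
    domain, so a bare "<domain>" SAN entry is not enough; the certificate needs
    "*.<domain>".  An empty result means every alias is covered.
    """
    gaps = {}
    for domain in hosted_domains:
        alias = f"{alias_prefix}.{domain}"
        if not any(san_matches(san, alias) for san in san_entries):
            gaps[alias] = f"*.{domain}"
    return gaps


# Constructed sample: two hosted domains, SAN list before and after regeneration.
HOSTED_DOMAINS = ["example.com", "example.org"]
SANS_BEFORE = ["imp1.example.com", "example.com", "example.org"]
SANS_AFTER = ["imp1.example.com", "*.example.com", "*.example.org"]

if __name__ == "__main__":
    for label, sans in (("before", SANS_BEFORE), ("after", SANS_AFTER)):
        gaps = group_chat_gaps(HOSTED_DOMAINS, sans)
        print(f"{label}: {gaps or 'all group chat aliases covered'}")
```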