Jabber Interoperability Options AIM Gateway from Jabber, Inc. LCS Gateway Sametime Gateway Setup Guide Product: SIP Gateways 5.2 Document Version: B

Transcription

1 Jabber Interoperability Options AIM Gateway from Jabber, Inc. LCS Gateway Sametime Gateway Setup Guide Product: SIP Gateways 5.2 Document Version: B

2 Disclaimers Trademarks Copyright 2008 Jabber, Inc. The information contained in this document is proprietary to Jabber, Inc. This information is considered confidential and is not to be disclosed to any outside parties without the express written consent of Jabber, Inc. This document is provided for information purposes only, and the information herein is subject to change without notice. Jabber, Inc. does not provide any warranties covering and specifically disclaims any liability in connection with this document. JABBER and the light bulb logo are either trademarks or registered trademarks of Jabber, Inc. The AIM Gateway from Jabber product is authorized to work with AOL Instant Messenger service, has been certified to meet AOL s standards for operation as part of the AIM Certified Partner Program, and is authorized under U.S. Pat. Nos. 5,724,508, 5,774,670, 6,336,133, 6,339,784, 6,449,344, 6,496,851, 6,539,421. Portions of this product 2003 America Online, Inc. all rights reserved. AOL and AIM are registered marks and Instant Messenger is a trademark, of America Online, Inc. Windows, Windows Server, Microsoft, and LCS are registered trademarks of Microsoft Corporation in the United States and other countries. IBM and Sametime are registered trademarks of IBM Corporation. All other trademarks are the property of their respective owners. Contact Information 1899 Wynkoop Street, Suite 600 Denver, Colorado Jabber Interoperability Options Setup Guide Page ii

3 Table of Contents Chapter 1. Introduction... 5 Gateway Setup Checklist 6 The AIM Gateway from Jabber, Inc. 6 System Requirements 7 System Architecture 7 The LCS Gateway 8 System Requirements 9 System Architecture 9 The Sametime Gateway 10 System Requirements 11 System Architecture 11 Support for SIP/SIMPLE Standards 12 Exceptions 12 Limitations 12 Chapter 2. Gateway Installation Installing the Jabber XCP Server 15 Downloading the Gateways 15 Installing the Gateways 16 Removing Unneeded Components 17 Chapter 3. Configuring a Single Gateway in the Demilitarized Zone Setup Checklist 20 Configuring the Gateway 21 Adding an Outgoing Connection Attempt Rule 24 Configuring an OpenPort 25 Configuring a Jabber Administrator 25 Configuring a Router-to-Router Connection 25 Chapter 4. Configuring Multiple Gateways Behind Your Firewall Setup Checklist 27 Configuring the SIP Proxy 28 Configuring the Gateways 31 Adding an Outgoing Connection Attempt Rule 32 Configuring OpenPorts 32 Jabber Interoperability Options Setup Guide Page iii

4 Configuring the Single Domain Name Support Component 33 Configuring Jabber Administrators 35 Configuring Router-to-Router Connections 35 Chapter 5. Shared Configurations Configuring a Server-to-Server Connection Manager 36 Adding an Outgoing Connection Attempt Rule in the S2SCP 38 Configuring an OpenPort 39 Adding the Gateway s S2SCP as a Jabber Administrator 40 Configuring a Router-to-Router Connection 42 Non-Standard SIP Host Configurations 43 Third-Party Hosts 44 Non-Standard SRV Records 45 Custom Gateway Connections 47 Chapter 6. Network Access and Certificate Authentication AIM Gateway from Jabber, Inc 49 Enabling Access to the AOL SIP Access Gateway 49 Certificate Authentication 51 Obtaining a Signed Certificate 52 LCS Gateway 54 Configuring Your LCS Server 54 Publishing an SRV Record on your DNS Server 55 Obtaining a Signed Certificate 55 Sametime Gateway 59 Modifying your DNS Configuration 59 Configuring the Lotus Domino Administrator 59 Jabber Interoperability Options Setup Guide Page iv

5 Chapter 1. Introduction Jabber, Inc. provides three gateways that communicate using SIP/SIMPLE protocol standards: AOL Instant Messenger TM (AIM ), Microsoft Live Communications Server (LCS ), and IBM Lotus Sametime. These gateways allow users of XMPP IM clients such as Jabber Messenger to add AIM-certified AOL, LCS, and Lotus IM users to their rosters and to some SIP-based systems. The gateways do not require XMPP client users to have authorization on remote systems; they are completely transparent from the user s perspective. The SIP gateways run with Jabber XCP 5.2 SP1 and SP2. They are sold separately from the Jabber XCP server, and require additional installation. This guide provides instructions for installing a single gateway in the DMZ, and for installing multiple gateways of the same type behind your firewall. It also provides instructions for setting up your gateway servers to access the gateway s network. If you plan to install and run gateways of different types (for example, an AIM gateway and an LCS gateway), contact Jabber support at for more information. This chapter provides the following sections: Gateway Setup Checklist The AIM Gateway from Jabber, Inc. The LCS Gateway The Sametime Gateway Support for SIP/SIMPLE Standards Jabber Interoperability Options Setup Guide Introduction Page 5

6 Gateway Setup Checklist Gateway Setup Checklist The following checklist provides a summary of the tasks that you must perform to set up your gateways in the Jabber XCP server environment. Jabber, Inc. recommends that each gateway be installed and run on its own computer. Read the gateway overviews that are provided in this chapter. Install the Jabber XCP server, core package only, on the gateway s computer as described on page 15. Download the gateway installer as described on page 15. Install the gateway package as described on page 16. Remove unneeded components from the Jabber XCP server on the gateway computer as described on page 17. If you are planning to run only one gateway, follow the instructions in Chapter 3, Configuring a Single Gateway in the Demilitarized Zone. If you are planning to run multiple gateways of the same type, follow the instructions in Chapter 4, Configuring Multiple Gateways Behind Your Firewall. Create any necessary certificates and private keys, and enable network access for your gateway as described in Chapter 6, Network Access and Certificate Authentication. The AIM Gateway from Jabber, Inc. The AIM Gateway from Jabber, Inc. allows the sanctioned exchange of messages and presence between Jabber users and users of AOL Instant Messenger (AIM). After you purchase the gateway, you must contact your Jabber Support Representative in order to gain access to the AOL network and to activate the gateway. The AIM Gateway from Jabber, Inc. communicates using SIP/SIMPLE protocol standards with the AOL SIP Access Gateway (SAG). The SAG handles the translation into the protocols needed by internal AOL systems. (See Enabling Access to the AOL SIP Access Gateway on page 49 for more information.) Jabber Interoperability Options Setup Guide Introduction Page 6

7 The AIM Gateway from Jabber, Inc. Using the gateway, Jabber users can add AIM contacts to their rosters in the same way they add Jabber contacts. AIM contact IDs have the same format as Jabber contacts; for example, Only authorized XMPP clients are allowed to add AIM contacts. You can run multiple AIM gateways in your Jabber XCP environment. System Requirements This section lists the system requirements for the AIM Gateway from Jabber, Inc. Ports Port 5269 must be accessible to the Internet if you want your Jabber XCP server to communicate with other XMPP servers over the Internet. This port is probably already configured in your environment. Port 5061 (used by the AIM Gateway from Jabber, Inc.) must be available for incoming SIP/SIMPLE over TLS traffic. If you are using the Sametime gateway in addition to the AIM Gateway from Jabber, Inc., port 5060 must be available for incoming SIP/SIMPLE over TCP traffic. Memory Allow at least 1 GB of memory above the 512 MB required for the Jabber XCP server. System Architecture Figure 1 illustrates a single AIM Gateway from Jabber, Inc. running in the DMZ. As shown, the AIM Gateway consists of a Server-to-Server Connection Manager (S2SCM), which is configured with an S2S Command Processor (S2SCP) and an AIM Gateway Director. An OpenPort connection is configured to enable the gateway s S2SCP to connect to the Jabber XCP router. Finally, a Router-to-Router connection is configured from the primary Jabber XCP server to the gateway s server to enable the servers to communicate. Port 5061 is available on the firewall for incoming SIP/SIMPLE over TLS traffic. Jabber Interoperability Options Setup Guide Introduction Page 7

8 The LCS Gateway XMPP Client DMZ AIM Client Jabber XCP router Router-to-Router connection Jabber XCP router OpenPort ID=cm-1_s2scp-1 Host filter=aol.com AOL Network Primary Jabber XCP server The LCS Gateway S2SCM S2SCP AIM Gateway Director Port=5061 Figure 1. AIM Gateway from Jabber, Inc. Port 5061 Port 5269 AOL SIP Access Gateway Internal AOL Servers The LCS gateway allows the exchange of messages and presence between Jabber users and users of Microsoft Live Communications Server 2005 SP1. Using the gateway, Jabber users can add LCS contacts to their rosters in the same way they add Jabber contacts. LCS contact IDs use the same format as Jabber contacts; for example, You can run multiple LCS gateways in your Jabber XCP environment. Jabber Interoperability Options Setup Guide Introduction Page 8

9 The LCS Gateway In order for your LCS server to work correctly with the LCS gateway, the LCS server s certificate must be configured to act as both TLS client and server. The Extended Key Usage parameter in the certificate must either not be present, or it must contain both of the lines TLS Web Server Authentication and TLS Web Client Authentication. See Configuring Your LCS Server on page 54 for examples of correctly-configured certificates. System Requirements This section lists the system requirements for the LCS gateway. LCS Both your LCS server and the LCS Access Proxy must be running LCS 2005 SP1. Enhanced federation must be enabled on the LCS server. The Jabber XCP domain must be configured as an authorized domain that is allowed to federate with the LCS server. Microsoft Office Communicator 2005 is the only supported client for LCS users. Ports Port 5269 must be accessible to the Internet if you want your Jabber XCP server to communicate with other Jabber servers over the Internet. This port is probably already configured in your environment. Port 5061 (used by the LCS gateway) must be available for incoming SIP/SIMPLE over TLS traffic. If you are using the Sametime gateway in addition to the LCS gateway, port 5060 must be available for incoming SIP/SIMPLE over TCP traffic. Memory Allow at least 1 GB of memory above the 512 MB required for the Jabber XCP server. System Architecture Figure 2 illustrates a single LCS gateway running in the DMZ. As shown, the LCS gateway consists of a Server-to-Server Connection Manager (S2SCM), which is configured with an S2S Command Processor (S2SCP) and a SIP/SIMPLE Gateway Director. An OpenPort connection is configured to enable the gateway s S2SCP to connect to the Jabber XCP router. Finally, a Router-to-Router connection is configured from the Jabber Interoperability Options Setup Guide Introduction Page 9

10 The Sametime Gateway primary Jabber XCP server to the gateway s server to enable the servers to communicate. Port 5061 is available on the firewall for incoming SIP/SIMPLE over TLS traffic. cindy@example.com jane@company.com XMPP Client DMZ LCS Client Jabber XCP Router Jabber XCP Server example.com Router-to-Router connection Figure 2. LCS gateway The Sametime Gateway Jabber XCP Router S2SCM S2SCP SIP/SIMPLE Gateway Director Port=5061 OpenPort ID=cm-1_s2scp-1 Host filter= company.com Port 5061 Port 5269 Firewall LCS 2005 Access Proxy LCS 2005 Standard or Enterprise Server The Sametime gateway allows Jabber users to exchange messages and presence with Lotus IM (Sametime) users. Jabber users can add Sametime contacts to their rosters in the same way they add Jabber contacts. Sametime contact IDs use the same format as Jabber IDs; for example, jblack@example.com. The Sametime gateway has been tested against Sametime 6.5.x and 7.0, which do not support SIP Proxy configurations. Therefore, only one Sametime gateway can be run in your Jabber XCP environment. Jabber Interoperability Options Setup Guide Introduction Page 10

11 The Sametime Gateway System Requirements This section lists the system requirements for the Sametime gateway. Lotus The Sametime gateway runs with Lotus Sametime 6.5.x and 7.0. Memory Allow at least 1 GB of memory above the 512 MB required for the Jabber XCP server. Ports Port 5060 must be available for incoming SIP/SIMPLE over TCP traffic. cindy@denver.xmpp.com Jabber XCP Router XMPP Client System Architecture Figure 3 illustrates a Sametime gateway running in the DMZ. As shown, the Sametime gateway consists of a Server-to-Server Connection Manager (S2SCM), which is configured with an S2S Command Processor (S2SCP) and a SIP/SIMPLE Gateway Director. An OpenPort connection is configured to enable the gateway s S2SCP to connect to the Jabber XCP router. Finally, a Router-to-Router connection is configured from the primary Jabber XCP server to the gateway s server to enable the servers to communicate. Port 5060 is available on the firewall for incoming SIP/SIMPLE over TLS traffic. Router-to-Router connection Jabber XCP Router DMZ OpenPort ID=cm-1_s2scp-1 Host filter= example.sip.com Lotus IM Client sip:john@example.sip.com denver.xmpp.com Figure 3. Sametime gateway S2SCM S2SCP SIP/SIMPLE Gateway Director Port=5060 Port 5060 Port 5269 SIP Connector Lotus IM Server example.sip.com Jabber Interoperability Options Setup Guide Introduction Page 11

12 Support for SIP/SIMPLE Standards Support for SIP/SIMPLE Standards The gateways support the following SIP/SIMPLE standards. Standard RFC Description SIP Core 3261 SIP: Session Initiation Protocol 3263 Session Initiation Protocol (SIP): Locating SIP Servers 3265 Session Initiation Protocol (SIP): Specific Event Notification SIMPLE 3428 Session Initiation Protocol (SIP) Extension for Instant Messaging Exceptions 3856 A Presence Event Package for the Session Initiation Protocol (SIP) IMPP 3859 Common Profile for Presence (CPP) 3860 Common Profile for Instant Messaging (CPIM) 3861 Address Resolution for Instant Messaging and Presence 3862 Common Presence and Instant Messaging (CPIM): Message Format 3863 Presence Information Data Format (PIDF) 4480 Rich Presence Extensions to the Presence Information Data Format (PIDF) The gateways support the standards mentioned in the previous table with the following exceptions: The gateways do not authenticate SIP/SIMPLE users. Sametime gateway only Supports SIP/SIMPLE over TCP, but does not support TLS. Limitations The SIP/SIMPLE protocol imposes the following limitations for setting up subscriptions: All gateways Subscriptions must be set up on both sides. The gateway user is added to the XMPP user s roster, and then the XMPP user is added to the gateway user s roster. (For Lotus IM users, XMPP users are considered to be in an external community.) Jabber Interoperability Options Setup Guide Introduction Page 12

13 Support for SIP/SIMPLE Standards LCS and AIM gateways only When a Jabber user removes an LCS or AIM contact (or vice versa), the user is not automatically removed from the contact s roster. Unlike XMPP, SIP/SIMPLE does not facilitate the automatic removal of contacts from both rosters. LCS- and AIM-to-XMPP subscriptions are refreshed every hour. When the XMPP server is restarted, LCS and AIM users may not see XMPP users presence for a maximum of the subscription interval that has been set up on the LCS or AOL IM server (until the next refresh occurs). Sametime gateway only Lotus IM-to-XMPP subscriptions are refreshed every 10 minutes. When the XMPP server is restarted, Lotus IM users may not see XMPP users presence for a maximum of the subscription interval set up on the Lotus IM server (until the next refresh occurs). When a Lotus IM user adds an XMPP user to the roster, the subscription request is not sent until the Lotus IM user logs out and then logs back in. Jabber Interoperability Options Setup Guide Introduction Page 13

14 Chapter 2. Gateway Installation The SIP gateways run with Jabber XCP 5.2 SP1 and SP2. The gateways require that you already have a primary Jabber XCP server installed and running in your environment. Jabber, Inc. recommends that you install each gateway on its own, separate Jabber XCP server as described in this chapter. The gateway servers can be located behind your firewall or, if you are running only one gateway, in your demilitarized zone (DMZ). If you are planning to run multiple AIM or LCS gateways in your Jabber XCP environment, perform this procedure on each gateway server and on the SIP Proxy server in the DMZ. (Due to Sametime limitations, only one Sametime gateway can run in your Jabber XCP environment.) The following sections are provided: Installing the Jabber XCP Server Downloading the Gateways Installing the Gateways Removing Unneeded Components Jabber Interoperability Options Setup Guide Gateway Installation Page 14

15 Installing the Jabber XCP Server Installing the Jabber XCP Server Jabber, Inc. recommends that you install each gateway on its own Jabber XCP server not on your primary Jabber XCP server. As a result, each gateway server is dedicated exclusively to handling gateway traffic. On each gateway server 1. Install Jabber XCP 5.2 SP1 or SP2 (core package only). 2. During installation, when you are asked for the Realm, enter a value that is unique within your Jabber XCP environment. Each gateway server must have a different realm from that of the primary Jabber XCP server and from all other gateway servers. 3. Install the Jabber XCP server license. 4. If this computer is running Solaris or Linux, set the $JABBER_HOME environment variable to the Jabber XCP installation directory; for example: Downloading the Gateways export JABBER_HOME=/opt/jabber/XCP_5.2 Before you can install the SIP gateways, you must download their installers, which are available on your web page on the Jabber Support site. The gateway installers are listed below. L, S, and W denote Linux, Solaris, and Windows respectively: SIPGW-5.2-L.tar.gz SIPGW-5.2-S.tar.gz SIPGW-5.2-W.zip AIMGW-5.2-L.tar.gz AIMGW-5.2-S.tar.gz AIMGW-5.2-W.zip The SIPGW installers install the LCS and Sametime gateways, and the AIMGW installers install the AIM Gateway from Jabber, Inc. Jabber Interoperability Options Setup Guide Gateway Installation Page 15

16 Installing the Gateways On each gateway server 1. Access the Jabber Support website at: 2. Log in using your username and password. 3. In the left pane, click Downloads. 4. In the Download column, locate and click the appropriate gateway s installer to start the download. 5. Select the location on your server where you want to save the file, and click Save. 6. When the download has completed, extract the installation package. Installing the Gateways Before you install a gateway, make sure that you have installed Jabber XCP 5.2 SP1 or SP2 on the gateway s computer as described on page 15. To install a gateway 1. Make sure that the Jabber XCP server and the Controller are not running on the gateway s server. 2. Change to the directory where you downloaded the gateway s installer script. 3. Install the gateway as follows: If your gateway server is running Solaris or Linux, enter one of the following commands, where gateway is aimgw or sipgw. (The aimgw package installs the AIM Gateway from Jabber, Inc., and the sipgw package installs the Sametime and LCS gateways.)./xcp-gateway-installer-5.2.x.x-linux.bin --prefix=$jabber_home./xcp-gateway-installer-5.2.x.x-solaris8.bin --prefix=$jabber_home The --prefix argument ensures that the gateway is installed in the directory where the Jabber XCP server is installed. Jabber Interoperability Options Setup Guide Gateway Installation Page 16

17 Removing Unneeded Components If your gateway server is running Microsoft Windows Server 2000 or 2003, double-click the gateway-installer-5.2.x.x-windows.exe file, where gateway is sipgw or aimgw. (The aimgw package installs the AIM Gateway from Jabber, Inc., and the sipgw package installs the Sametime and LCS gateways.) 4. When you are asked if you want to install the gateway in the existing directory, enter y. AIM Gateway from Jabber, Inc: If the AIM Gateway s CM cannot access DNS, install a DNS server locally on the gateway s server. Provide resolution for the required hosts, and do not allow the DNS server to perform recursive lookups. Removing Unneeded Components Before you begin configuring your gateways, you need to remove the Jabber Session Manager, and the Connection Manager and Text Conferencing components from each gateway s server. To remove unneeded components 1. On the gateway s server, change to the xcpinstalldir/bin directory and enter the following command to start the Controller:./runcontroller start 2. Access the Controller in a browser window and start the Jabber XCP server. 3. In the Router area, click the Remove link for the Jabber Session Manager. Jabber Interoperability Options Setup Guide Gateway Installation Page 17

18 Removing Unneeded Components 4. In the Components area, click the Stop link beside Text Conferencing, and then click Remove to remove it from the server. 5. Stop and remove the Connection Manager. 6. Repeat this process on each gateway s server if you have multiple gateways. You are now ready to add and configure the gateways as described in the following chapters. Jabber Interoperability Options Setup Guide Gateway Installation Page 18

19 Chapter 3. Configuring a Single Gateway in the Demilitarized Zone This chapter provides instructions for setting up the most basic gateway configuration, which consists of a single gateway running in the demilitarized zone (DMZ). This setup is appropriate if there are 4000 or fewer users on the system with whom you are federating; for example, 4000 or fewer AIM users. Before you configure the gateway, make sure that you have done the following: Installed the core Jabber XCP server and the gateway package on the gateway s computer as described in Chapter 2. Used the Controller on the gateway s server to remove the Jabber Session Manager, and to stop and remove the Connection Manager and Text Conferencing components. Jabber Interoperability Options Setup Guide Configuring a Single Gateway in the Demilitarized Zone Page 19

20 Setup Checklist The following figure illustrates the single gateway setup for the AIM Gateway from Jabber, Inc. XMPP Client DMZ AIM Client Jabber XCP router Primary Jabber XCP server Setup Checklist Router-to-Router connection Jabber XCP router S2SCM S2SCP AIM Gateway Director Port=5061 Figure 4. Single gateway running in the DMZ OpenPort ID=cm-1_s2scp-1 Host filter=aol.com Port 5061 Port 5269 AOL SIP Access Gateway AOL Network Internal AOL Servers Setting up one gateway to run in the DMZ involves the following tasks, which are described in the remainder of this chapter. On the gateway server: Configure the gateway Add an outgoing connection attempt rule Configure an OpenPort On the primary Jabber XCP server: Configure Jabber administrators Configure a Router-to-Router connection Jabber Interoperability Options Setup Guide Configuring a Single Gateway in the Demilitarized Zone Page 20

21 Configuring the Gateway Configuring the Gateway Perform this procedure using the Jabber XCP Controller on the gateway s server. To configure the gateway 1. Configure a Server-to-Server Connection Manager on the gateway s server as described starting on page 36. Stay in the Controller s Basic configuration view for the following steps. 2. In the S2S Command Processor Configuration screen under Director Configuration, select the gateway in the drop-down list. (The SIP/SIMPLE Gateway Director is used to configure the LCS and Sametime gateways, and the AIM Gateway director is used to configure the AIM Gateway from Jabber, Inc.) 3. Click Go to display the gateway s configuration screen. The configuration screens for the SIP/SIMPLE and AIM gateways are identical. The AIM Gateway Configuration screen is shown in the following figure for example purposes only. 4. In the gateway s configuration screen, make a note of the ID. You will need to use this ID later on in the gateway s configuration. Jabber Interoperability Options Setup Guide Configuring a Single Gateway in the Demilitarized Zone Page 21

22 Configuring the Gateway 5. You must first configure a SIP transport. The AIM and LCS gateways use the TLS transport, and the Sametime gateway uses the TCP transport. Select the appropriate transport for your gateway in the drop-down list, and click Go. 6. Configure the transport using the parameter descriptions provided on the following pages, then click Submit to save the configuration. The TLS Transport Configuration screen is shown in the following figure. (The TCP transport configuration is described following the TLS transport description.) The TLS transport parameters are described below. Parameter Hostname of external interface IP Address Port Domain used for TLS certificate Description The hostname of the IP address on which this component is running. The IP address of the server on which this component is running. SIP servers will use this address to connect to the component. Leave the default setting of This is the port used by the TLS server. The domain used when creating the certificate. This value is contained in the common name field in the certificate. Jabber Interoperability Options Setup Guide Configuring a Single Gateway in the Demilitarized Zone Page 22

23 Configuring the Gateway Parameter Full path to certificate file Full path to the CA certificate file (optional) Description The full path to the location of the certificate file. Both the certificate and the key are contained in this file. The path to the CA certificate file that is used to verify incoming client certificates. This file contains the certificates of the Certificate Authorities that you trust. (This parameter is optional.) The TCP Transport Configuration screen is shown in the following figure. The TCP transport parameters are described below. Parameter Hostname of external interface IP address Port Description The hostname of the IP address on which this component is running. The IP address of the server on which this component is running. SIP servers will use this address to connect to the gateway. The port on which this component listens for connections from SIP connectors. 7. Under Host Configuration, click the radio button above Local Configuration to enable the option. 8. Click Go to configure a new SIP Host. Jabber Interoperability Options Setup Guide Configuring a Single Gateway in the Demilitarized Zone Page 23

24 Adding an Outgoing Connection Attempt Rule 9. Configure the SIP Host parameters as described in the following table. Parameter Description Remote server hostname Server type The hostname of the remote service that is connecting to this gateway; for example: aol.com Notes: If all of the remote hosts with which you want to communicate are of the same type (such as LCS), you can enter an asterisk (*) for the hostname. If you are communicating with hosts of different types (for example, with an AOL host and an LCS host), you can enter aol.com for the AIM gateway, then add another SIP Host and enter an asterisk (*) for its hostname. This configuration enables every host that is not aol.com to be recognized as an LCS host. The type of remote server that is connecting to this gateway. If the remote service to which your gateway is connecting has a non-standard configuration, follow the instructions in Non-Standard SIP Host Configurations on page 43 to use Intermediate and Advanced parameters to further configure the SIP host. 10. Click Submit to save your configuration. You are returned to the gateway configuration screen. 11. Click Submit again to return to the S2S Command Processor Configuration screen. Adding an Outgoing Connection Attempt Rule Add an outgoing connection attempt rule in each gateway s S2S Command Processor as described on page 38. Jabber Interoperability Options Setup Guide Configuring a Single Gateway in the Demilitarized Zone Page 24

25 Configuring an OpenPort Configuring an OpenPort Configure an OpenPort connection on your gateway server as described on page 39. Configuring a Jabber Administrator On your primary Jabber XCP server, edit the Jabber Session Manager, and add the ID and realm of the gateway s S2S Command Processor as a Jabber administrator as described on page 40. Configuring a Router-to-Router Connection On your primary Jabber XCP server, configure a Router-to-Router connection to enable it to communicate with the gateway s server as described on page 42. Jabber Interoperability Options Setup Guide Configuring a Single Gateway in the Demilitarized Zone Page 25

26 Chapter 4. Configuring Multiple Gateways Behind Your Firewall This chapter provides instructions for setting up multiple gateways of the same type behind your firewall. The gateways each run on their own Jabber XCP servers and use a SIP Proxy located in the DMZ to communicate with the remote service. If you are configuring a Sametime gateway, this chapter does not apply to you. The Sametime gateway has been tested against Sametime 6.5.x and 7.0, which do not support SIP Proxy configurations; therefore you can configure only one Sametime gateway in a Jabber XCP environment. Before you configure the gateways, make sure that you have done the following: Installed the core Jabber XCP server and the gateway package on each gateway s computer as described in Chapter 2. Installed the core Jabber XCP server and the gateway package on a computer in the DMZ as described in Chapter 2. The SIP Proxy will run on this computer. Used the Controller on the gateway and SIP Proxy servers to remove the Jabber Session Manager, and to stop and remove the Connection Manager and Text Conferencing components. Jabber Interoperability Options Setup Guide Configuring Multiple Gateways Behind Your Firewall Page 26

27 Setup Checklist The following figure illustrates a multiple gateway setup for the AIM Gateway from Jabber, Inc. cindy@example.com DMZ jane@aol.com XMPP Client AIM Client SDNS Component Jabber XCP Core Router Router-to-Router Connection AOL Network Jabber XCP Core Router S2SCM S2SCP AIM Gateway Director Router-to-Router Connection OpenPort Jabber XCP Core Router S2SCM S2SCP AIM Gateway Director Router-to-Router Connection Figure 5. Multiple gateway setup OpenPort Firewall Jabber XCP Core Router SIP Proxy Component Firewall AOL SIP Access Gateway Internal AOL Servers Setup Checklist Setting up multiple gateways behind your firewall involves the following tasks, which are described in the remainder of this chapter. On the server in the DMZ: Configure the SIP Proxy component Jabber Interoperability Options Setup Guide Configuring Multiple Gateways Behind Your Firewall Page 27

28 Configuring the SIP Proxy On each gateway server: Configure the gateways Add an outgoing connection attempt rule Configure OpenPort connections On the primary Jabber XCP server: Configure the Single Domain Name Support component Configure Jabber administrators Configure Router-to-Router connections Configuring the SIP Proxy The SIP Proxy component, which runs on a Jabber XCP server in the DMZ, is used to balance the load coming in over multiple gateways of the same type. For example, if you are running multiple AIM gateways, you must configure one SIP Proxy in the DMZ to handle information coming in from the AOL network. Perform this procedure on a Jabber XCP server that is located in the DMZ. The core server package and the gateway package must both be installed on this server. To configure the SIP Proxy component 1. On the Jabber XCP server in the DMZ, change to the Controller s Basic configuration view. 2. In the Components area on the Controller s main screen, select SIP Proxy in the list, and then click Go. Jabber Interoperability Options Setup Guide Configuring Multiple Gateways Behind Your Firewall Page 28

29 Configuring the SIP Proxy 3. In the SIP Proxy Configuration screen, make a note of the component s ID. You will need to use this ID when you configure the gateways. 4. Under Hostnames for this Component, leave the Host Filters text box empty. Host filters are not used for the SIP Proxy, since the proxy does not receive XMPP communications. 5. In the Gateway SDNS service ID text box, enter the ID of the SDNS component that you have configured for the gateway. (If you have not yet configured the SDNS component, you will need to return to this configuration screen later to enter its ID.) 6. Under Add a new SIP Transport, select the appropriate transport, and click Go. The AIM and LCS gateways use the TLS transport, and the Sametime gateway uses the TCP transport. Jabber Interoperability Options Setup Guide Configuring Multiple Gateways Behind Your Firewall Page 29

30 Configuring the SIP Proxy Configure the transport using the parameter descriptions provided in Step 6 beginning on page Under Host Configuration, click Local Configuration, and then click Go. The SIP Host Configuration page is displayed. 8. Configure the SIP Host parameters as described in the following table. Parameter Remote server hostname Description The hostname of the remote service that is connecting to this gateway; for example: aol.com Notes: If all of the remote hosts with which you want to communicate are of the same type (such as LCS), you can enter an asterisk (*) for the hostname. If you are communicating with hosts of different types (for example, with an AOL host and an LCS host), you can enter aol.com for the AIM gateway, then add another SIP Host and enter an asterisk (*) for its hostname. This configuration enables every host that is not aol.com to be recognized as an LCS host. Server type The type of remote server that is connecting to this gateway. 9. Click Submit to save your configuration. Jabber Interoperability Options Setup Guide Configuring Multiple Gateways Behind Your Firewall Page 30

31 Configuring the Gateways If the remote service to which your gateways are connecting uses a non-standard configuration, follow the instructions in Non-Standard SIP Host Configurations on page 43 to use Intermediate and Advanced parameters to further configure the SIP host. 10. Configure component logging and SNMP for the SIP Proxy component if needed. 11. Click Submit to save your configuration. Configuring the Gateways Perform this procedure on each gateway s server. Each gateway is configured within an S2S Command Processor as a director. The SIP/SIMPLE Gateway Director is used to configure the LCS and Sametime gateways, and the AIM Gateway director is used to configure the AIM Gateway from Jabber, Inc. To configure the gateway 1. Configure a Server-to-Server Connection Manager on the gateway s server as described starting on page Configure the gateway s basic settings using the instructions in steps 1 through 6 in Configuring the Gateway starting on page Change to the Controller s Intermediate configuration view. 4. Click the check box next to Outbound Proxy to enable the option. 5. Configure the Outbound Proxy parameters are described below: Parameter Proxy Hostname or IP address Description The hostname or IP address of the machine on which the SIP Proxy is running. Jabber Interoperability Options Setup Guide Configuring Multiple Gateways Behind Your Firewall Page 31

32 Adding an Outgoing Connection Attempt Rule Proxy Port Parameter Proxy Transport Description The SIP stack port being used by the proxy. If the proxy is using TLS, this is the TLS port; if the proxy is using TCP, this is the TCP port. Select the type of SIP transport being used. 6. Under Host Configuration, click the radio button above ID of the component to get this configuration from, and enter the ID of the SIP Proxy component; for example: sip-proxy-1.proxy 7. Click Submit to save your configuration. You are returned to the gateway s configuration screen. 8. Click Submit again to return to the S2S Command Processor Configuration screen. Adding an Outgoing Connection Attempt Rule Add an outgoing connection attempt rule in each gateway s S2S Command Processor as described on page 38. Configuring OpenPorts Configure an OpenPort connection on each gateway s server as described on page 39. Jabber Interoperability Options Setup Guide Configuring Multiple Gateways Behind Your Firewall Page 32

33 Configuring the Single Domain Name Support Component Configuring the Single Domain Name Support Component The Single Domain Name Support (SDNS) component, which runs on your primary Jabber XCP server, distributes the load of outgoing requests for a single domain over multiple gateways of the same type. SDNS allows the gateways to function side by side, thereby reducing performance bottlenecks and increasing the number of concurrent users that are supported on each gateway. Therefore, if you are running multiple LCS gateways or multiple AIM gateways, you must configure an SDNS component on the primary Jabber XCP server to balance the outgoing requests between the gateways. Perform this procedure on your primary Jabber XCP server. To configure an SDNS component 1. On your primary Jabber XCP server, change to the Controller s Advanced configuration view. 2. In the Components area on the Controller s main screen, select Single Domain Name Support in the drop-down list, and click OK. 3. In the SDNS Configuration screen, make a note of the SDNS component s ID. You will need this ID when you configure the SIP Proxy. 4. Scroll down to the Hostnames for this Component area. 5. Enter an asterisk (*) in the Host Filters text box. Jabber Interoperability Options Setup Guide Configuring Multiple Gateways Behind Your Firewall Page 33

34 Configuring the Single Domain Name Support Component 6. Scroll down to the Single Domain Name Support Configuration area, and click the radio button next to Modulo Mapping Algorithm to enable the feature. 7. Under Algorithm Input Generator, select originator_algo_input in the Load dropdown list. 8. Leave the Use component presence parameter set to No, since the gateways are stateful components. 9. In the Component ID(s) text box, enter the ID and realm of each gateway s S2S Command Processor; for example: cm-2_s2scp-1.gateway1 cm-3_s2scp-1.gateway2 Jabber Interoperability Options Setup Guide Configuring Multiple Gateways Behind Your Firewall Page 34

35 Configuring Jabber Administrators 10. Scroll to the bottom of the screen and click Submit to save your configuration. (The SDNS component requires no further configuration for the gateways.) Configuring Jabber Administrators On your primary Jabber XCP server, edit the Jabber Session Manager, and add the ID and realm of each gateway s S2S Command Processor as a Jabber administrator as described on page 40. Configuring Router-to-Router Connections On your primary Jabber XCP server, configure a Router-to-Router connection for each remote gateway server as described on page 42. Jabber Interoperability Options Setup Guide Configuring Multiple Gateways Behind Your Firewall Page 35

36 Chapter 5. Shared Configurations This chapter provides instructions for configuring the Jabber XCP server components and features that are common to all of the gateways. Its sections contain procedures that are referenced from Chapter 3 and from Chapter 4 as part of the overall gateway setup process, and thus should not be read as a stand-alone chapter. The following sections are provided: Configuring a Server-to-Server Connection Manager Adding an Outgoing Connection Attempt Rule in the S2SCP Configuring an OpenPort Adding the Gateway s S2SCP as a Jabber Administrator Configuring a Router-to-Router Connection Non-Standard SIP Host Configurations Configuring a Server-to-Server Connection Manager For maximum performance and reliability, we recommend that you configure your gateway in its own Server-to-Server (S2S) Connection Manager. Perform this procedure on each gateway s server. To configure the S2S Connection Manager 1. Access the Jabber XCP Controller on the gateway s server. 2. Change to the Controller s Basic configuration view. Jabber Interoperability Options Setup Guide Shared Configurations Page 36

37 Configuring a Server-to-Server Connection Manager 3. In the Components area on the Controller s main page, click Go to add a new Connection Manager. 4. Under Add a New Command Processor area, select S2S Command Processor in the list, and then click Go. 5. On the S2S Command Processor Configuration page, remove the two default XMPP directors. 6. Under Outgoing Connection Attempt Rules, remove the three default rules. 7. Add and configure your gateway(s) as described in Chapter 3, Configuring a Single Gateway in the Demilitarized Zone or in Chapter 4, Configuring Multiple Gateways Behind Your Firewall. Jabber Interoperability Options Setup Guide Shared Configurations Page 37

38 Adding an Outgoing Connection Attempt Rule in the S2SCP Adding an Outgoing Connection Attempt Rule in the S2SCP On the S2S Command Processor Configuration page, you must add an outgoing connection attempt rule that is specific to your gateway. Perform this procedure on each gateway s server. To add an outgoing connection attempt rule 1. On the S2S Command Processor Configuration page, scroll down to the Outgoing Connection Attempt Rules area. The S2SCP configuration includes three XMPP rules by default. If you have not done so already, remove each existing rule before adding the new rule. 2. Click Go to display the Rule Configuration page. 3. Configure the following parameters: Parameter Director ID DNS SRV lookup to use Description Enter the gateway director s ID without the realm; for example: cm-1_s2scp-1_sipsd-1 Enter any string; for example: abcdefg Jabber Interoperability Options Setup Guide Shared Configurations Page 38

39 Configuring an OpenPort 4. Click Submit to save the rule. You are returned to the S2S Command Processor Configuration page. 5. Click Submit to save your configuration. Configuring an OpenPort You must add an OpenPort connection on the gateway s server to allow the S2S Command Processor to connect to the router. Perform this procedure on each gateway s server. To configure an OpenPort 1. Using the Controller on the gateway s Jabber XCP server, change to the Intermediate configuration view. 2. In the Components area on the Controller s main page, select OpenPort in the list, and click Go. 3. When you are asked for the ID of the OpenPort, enter the ID of the gateway s S2S Command Processor (without the realm); for example: cm-1_s2scp-1 4. Click OK. 5. On the OpenPort Configuration page, enter a new Description. Jabber Interoperability Options Setup Guide Shared Configurations Page 39

40 Adding the Gateway s S2SCP as a Jabber Administrator 6. If you are configuring a single gateway, enter the gateway service s hostname in the Host Filters box under Hostnames for this Component. If you are configuring multiple gateways of the same type using SDNS, leave the box blank. 7. Click Submit to save your configuration. You are returned to the Controller s main page. Adding the Gateway s S2SCP as a Jabber Administrator You must add the ID and realm of the gateway s S2S Command Processor as a Jabber administrator on your primary Jabber XCP server. This configuration is necessary to push presence and roster subscriptions to the remote service s network. Perform this procedure on your primary Jabber XCP server. To add the S2SCP as a Jabber administrator 1. On your primary Jabber XCP server, change to the Controller s Intermediate configuration view. 2. In the Router area on the Controller s main page, click the Edit link beside Jabber Session Manager. Jabber Interoperability Options Setup Guide Shared Configurations Page 40

41 Adding the Gateway s S2SCP as a Jabber Administrator 3. In the Optional Modules section on the Jabber Session Manager Configuration page, make sure that the check box beside mod_admin is checked as shown in the following figure. 4. Scroll down to the Jabber Administrators section, and enter the ID and realm of the gateway s S2S Command Processor in the Administrator(s) box. For example: cm-1_s2scp-1.gateway1 If you do not know the gateway server s realm, access the gateway s Controller, and click the Edit link beside Global router settings in the Router area. The Realm is the second parameter on the Global Settings Configuration page. 5. Scroll to the bottom of the Jabber Session Manager Configuration page, and click Submit to save your configuration. Jabber Interoperability Options Setup Guide Shared Configurations Page 41

42 Configuring a Router-to-Router Connection Configuring a Router-to-Router Connection You must configure a Router-to-Router (R2R) connection for each gateway on your primary Jabber XCP server to enable the servers to communicate. Perform this procedure on your primary Jabber XCP server. You must configure a separate Router-to-Router connection for each gateway server. To configure a router-to-router connection 1. On your primary Jabber XCP server, change to the Controller s Advanced configuration view. 2. In the Components area on the Controller s main page, select Router-to-Router Connection in the list. 3. Click Go to display the Router-to-Router Connection Configuration page. Jabber Interoperability Options Setup Guide Shared Configurations Page 42

43 Non-Standard SIP Host Configurations 4. On the Router-to-Router Connection Configuration page, configure the following parameters: Parameter Component IP Port Description Enter the gateway server s IP address. Enter the gateway server s Master Accept Port (the default Master Accept Port is 7400). Password Enter the password specified for the gateway server s Master Accept Port. 5. Click Submit to save your configuration. Non-Standard SIP Host Configurations The SIP Host Configuration page, which is accessed from the gateway s configuration page, contains additional parameters that you can use to configure your gateway to communicate with remote services that have non-standard setups. For example, you might need to configure these parameters if your gateway is communicating with a third party Jabber Interoperability Options Setup Guide Shared Configurations Page 43

44 Non-Standard SIP Host Configurations that uses AIM for their IM framework, or if the remote service uses a non-standard SRV record. You may also need to configure custom parameters to attempt to establish communication with services that Jabber, Inc. does not support. This section covers the following non-standard configurations: Third-Party Hosts Non-Standard SRV Records Custom Gateway Connections Perform these procedures on the SIP Host Configuration page on the gateway s server. Third-Party Hosts If your gateway communicates with third parties that use the remote service s IM framework, you must map the third-party hostnames to the remote server s hostname. For example, you might want to set up your gateway so that Jabber users can chat with AIM users who are located at example.com and at yourco.com. In this case, example.com and yourco.com must be mapped to aol.com. To configure third-party hosts 1. Change to the Controller s Intermediate configuration view. 2. On the SIP Host Configuration page, enter the hostname of the remote server. 3. Select the remote server type in the list. 4. In the Hostname(s) box, enter the hostnames that map to the remote server hostname. The following figure illustrates how the configuration might look for the AIM Gateway from Jabber, Inc. Jabber Interoperability Options Setup Guide Shared Configurations Page 44

45 Non-Standard SIP Host Configurations 5. When you have finished mapping hostnames, click Submit to save your SIP Host configuration. You are returned to the gateway s configuration page. 6. Click Submit on the gateway s configuration page. You are returned to the S2S Command Processor Configuration page. Non-Standard SRV Records If your gateway connects to a remote service that uses non-standard SRV records, you must configure one or more DNS lookup rules. These rules specify the order and DNS lookup properties for the gateway to use when making outbound connections. To configure DNS lookup rules 1. Change to the Controller s Intermediate configuration view. 2. On the SIP Host Configuration page, enter the hostname of the remote server. 3. Select the remote server type in the list. 4. Under DNS Lookup Rules, click Go to add a rule. 5. On the DNS Lookup Rule Configuration page, enter a description of the rule, and select one of the options. The gateway will try this option first when establishing an outgoing connection. Jabber Interoperability Options Setup Guide Shared Configurations Page 45

46 Non-Standard SIP Host Configurations The DNS Lookup Rule Configuration options are described below: Parameter Custom DNS SRV record to use Port to use instead of DNS SRV record Use a well known DNS SRV record Description Enter the path to a custom DNS SRV record. Enter a port to use if no DNS SRV record is available. Select standard or service in the list. 6. Click Submit to save the rule. You are returned to the SIP Host Configuration page. 7. Click Go to create another rule for the gateway to try if communication cannot be established with the remote service using the first rule. You can configure a rule for each option if needed. 8. When you have finished configuring DNS lookup rules, click Submit on the SIP Host Configuration page to save your configuration. You are returned to the gateway s configuration page. 9. Click Submit in the gateway s configuration page. You are returned to the S2S Command Processor Configuration page. Jabber Interoperability Options Setup Guide Shared Configurations Page 46

47 Non-Standard SIP Host Configurations Custom Gateway Connections If your gateway connects to a remote service that does not use the standard SIMPLE services that Jabber, Inc. supports (i.e., AIM, LCS, or Sametime 6.5 and 7.0), you can configure custom parameters to attempt to establish communication. To configure communication with non-standard services 1. Change to the Controller s Advanced configuration view. 2. Enter the hostname of the remote server. 3. Leave the Server Type option set to unknown. 4. Click the check box next to Custom configuration to enable the options. 5. Configure the parameters as described below. Transport Parameter Description Select the type of transport used by your non-standard SIMPLE service. Jabber Interoperability Options Setup Guide Shared Configurations Page 47

48 Non-Standard SIP Host Configurations Parameter SIP Messaging Mode SIP PIDF type Description Select page or session, depending on the type of messaging mode used by the service. Session mode creates a session when you send a one-to-one chat message. Page mode sends a message and forgets about it. The LCS and AIM gateways support session mode, and the Sametime gateway supports page mode. Select pidf or rpid, depending on the type of presence used by the service. 6. Click Submit to save your SIP Host configuration. You are returned to the gateway s configuration page. 7. Click Submit in the gateway s configuration page. You are returned to the S2S Command Processor Configuration page. Jabber Interoperability Options Setup Guide Shared Configurations Page 48

49 Chapter 6. Network Access and Certificate Authentication This chapter provides instructions for enabling your gateways to communicate with their network hosts, and for obtaining the proper certificate authentication from your Certificate Authority. The following sections provide instructions for the three gateways: AIM Gateway from Jabber, Inc LCS Gateway Sametime Gateway AIM Gateway from Jabber, Inc To complete the configuration of your AIM Gateway from Jabber, Inc., you must enable access to the AOL SIP Access Gateway (SAG), and obtain certificate authentication. Enabling Access to the AOL SIP Access Gateway Much of the information in this section was taken from AOL s Enterprise Instant Messaging (EIM) Federation Specifications Guide, version 1.0 February 23, Jabber Interoperability Options Setup Guide Network Access and Certificate Authentication Page 49

50 AIM Gateway from Jabber, Inc In order to enable access to the AOL network from an External System, AOL must collect certain information about that system and the domains it will serve, along with relevant contact and security information. When you purchase the AIM Gateway from Jabber, Inc., please provide the following information to your Jabber Account Representative: The signed certificate The contact and domain information provided in Table 1 Table 1. Information required for access to AOL IM Network Data Element Description General Contact Information Customer ID Customer Name Contact Name Contact Address Contact Contact Phone For each domain operated by the Customer Domain Name AIM gateway name AIM gateway port Domain Contact Name Name of the Enterprise, Company or other organization who purchased access to AOL Network First and Last names of the Technical Contact for issues related SAG access and communications Mailing address of the Technical Contact address of the Technical Contact Telephone number of the Technical Contact Fully qualified domain name of the domain that will be connecting to the AOL Network Fully qualified domain name of the gateway that will be used for the domain TLS port of the gateway that will be used for the domain Domain Contact Address Domain Contact If different from General Contact Information for the Customer Domain Contact Phone You must also grant inbound TLS access to the AIM Gateway from Jabber, Inc. by allowing the following SAG IP addresses on your firewall: Jabber Interoperability Options Setup Guide Network Access and Certificate Authentication Page 50

51 AIM Gateway from Jabber, Inc If you are using the gateway to communicate with AIM Identity Services Customers, you must map all of these SAG IP addresses (in the /etc/hosts file) to the name of the host with which AOL users will be addressed. For example, one line may look like: example.aol.com Certificate Authentication Provisioning requirements Trusted certificate authorities Since the AOL Network requires client certificate authentication for access, a successful deployment requires that AOL trust the issuer of the server certificate for the company s AIM Gateway from Jabber, Inc., or that AOL trust the root to which that issuer chains. The following requirements apply to the certificate that must be installed on the gateway s server in the DMZ: The certificate must support both client and server authentication. The certificate must to be issued by a root CA that is trusted by the AOL SIP Access Gateway (SAG). The trusted CAs are listed in the next section. The certificate s Subject CN must match the Jabber server s fully qualified domain name. The certificate must conform to RFC 3280 certificate standards and include both server and client authentication EKU flags. When configuring your AIM Gateway, you will need to request a certificate with TLS Web Server and TLS Web Client Authentication from a Certificate Authority (CA) that is trusted by AOL SAG. The Certificate Authorities that are trusted by the AOL SAG are listed below: VeriSign, Inc. (US) Xcert EZ by DST (US) - Thawte (GB) - Japan Certification Services, Inc. (JP) The USERTRUST Network (US) - RSA Data Security, Inc. (US) Camerfirma SA (ES) - GeoTrust Inc. (US) - TrustCenter (DE) - Tumbleweed / ValiCert, Inc. (US) - Comodo (GB) - Trustis Limited (GB) - ComSign Secured (IL) - IPS Seguridad CA (ES) - GlobalSign nv-sa (BE) - Jabber Interoperability Options Setup Guide Network Access and Certificate Authentication Page 51

52 AIM Gateway from Jabber, Inc Obtaining a Signed Certificate This section describes how to obtain a signed certificate, which is required for running the gateway. OpenSSL, which is an Open Source toolkit for implementing SSL and TLS, is used to generate the certificate request and the private key. OpenSSL is included in the Jabber XCP Server installation package. (You can read more about OpenSSL at Generating a certificate request and a private key For the OpenSSL command to work, you must set the OPENSSL_CONF environment variable to the path where openssl.cnf resides. The commands documented in the following sections for obtaining a signed certificate were used in the Jabber, Inc. environment during testing and should be considered examples only. You may need to alter the commands slightly to work in your own environment. The steps involved in obtaining a signed certificate include: Generating a certificate request and a private key Generating a domain key Obtaining the signed certificate Combining the.pem files You must first generate a certificate request and a private key using OpenSSL. To generate a certificate request and a private key 1. Execute the following command on the computer where you installed the gateway. $ openssl req -new -out domaincert.csr 2. When you are prompted for the PEM pass phrase, enter a password, and confirm the password at the next prompt. 3. Answer the prompts described in the following table. Prompt Country Name (2 letter code) [AU]: Response Enter the 2-letter code for your country; for example, US Jabber Interoperability Options Setup Guide Network Access and Certificate Authentication Page 52

53 AIM Gateway from Jabber, Inc Prompt State of Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Response Enter the name of your state or province; for example, Colorado Enter the name of your city; for example, Denver Enter the name of your company; for example, Example Inc Enter the name of your organization; for example, Product Development Generating a domain key After you have answered the prompts, the following files are created: privkey.pem domaincert.csr You must use the private key file to generate a domain key using OpenSSL. Common Name (eg, YOUR name) []: Address []: A challenge password []: An optional company name []: To generate a domain key 1. Enter the following command on the gateway s server: openssl rsa -in privkey.pem -out domainkey.pem Enter the gateway s domain; for example, gateway.example.com Enter your address; for example, rjones@example.com Caution! Do not enter anything at this prompt. Press ENTER to leave it blank. This prompt is optional. You can enter an optional company name or press ENTER to leave it blank. 2. When you are prompted for a password, enter the PEM password you used in Step 2 in the previous section. The.pem file is generated. Obtaining the signed certificate You must submit the certificate request file to your Certificate Authority to be signed and returned to you. The steps may vary depending on your particular process. To obtain the signed certificate 1. Submit the certificate request file to your CA. This is the domaincert.csr file that you created in Generating a certificate request and a private key on page 52. When the CA has signed the certificate, they will send it back to you either in.pem format as domaincert.pem, or in DER format as domaincert.crt. Jabber Interoperability Options Setup Guide Network Access and Certificate Authentication Page 53

54 LCS Gateway If your CA sent you the certificate as a.pem file, skip to Combining the.pem files on page 54. However, if they sent it in DER format, you must convert it to PEM format as described in the following step. 2. In the directory that contains domaincert.crt, enter the following command: openssl x509 -in domaincert.crt -inform DER -out domaincert.pem Combining the.pem files This command converts the certificate file from DER to PEM format and creates the domaincert.pem file. You must now combine the contents of the domainkey.pem and the domaincert.pem files into one file and place it on the gateway s server. LCS Gateway To combine the.pem files 1. Combine the contents of the domainkey.pem and the domaincert.pem files into one file named [gateway_server_fqdn].pem. For example: gateway.example.com.pem 2. Create a sips directory in $JABBER_HOME/certs on the gateway s server. 3. Copy the [gateway_server_fqdn].pem file into $JABBER_HOME/certs/sips. 4. Delete the domainkey.pem and domaincert.pem files. To complete your LCS gateway configuration, you must ensure that your LCS server is configured properly. You must also publish an SRV record on your DNS server, and obtain a signed certificate for the gateway s server. Configuring Your LCS Server The certificate for any LCS server must be configured to act as both TLS client and server. The Extended Key Usage parameter in the certificate must either not be present, or it must contain both of the lines TLS Web Server Authentication and TLS Web Client Authentication. Two examples of correctly-configured certificates are shown below: Jabber Interoperability Options Setup Guide Network Access and Certificate Authentication Page 54

55 LCS Gateway Example 1 (Extended Key Usage parameter is not present): X509v3 Subject Key Identifier: 0B:F9:8F:DC:2E:74:F1:54:0C:BC:1B:03:3A:E8:D3:BA:D2:CA:D1:38 X509v3 Authority Key Identifier: keyid:09:46:07:f5:8e:e4:6d:50:6e:bb:d1:ea:3b:1e:36:2e:76:1a:e2:91 Example 2 (Extended Key Usage parameter has both lines): X509v3 Subject Key Identifier: F6:F1:88:4B:E1:B8:62:82:46:87:6F:BA:B6:0F:3D:AD:78:46:C2:D5 X509v3 Extended Key Usage: TLS Web Server Authentication TLS Web Client Authentication X509v3 Authority Key Identifier: keyid:09:46:07:f5:8e:e4:6d:50:6e:bb:d1:ea:3b:1e:36:2e:76:1a:e2:91 Publishing an SRV Record on your DNS Server In order for the LCS 2005 Access Proxies to communicate with your LCS gateway, an SRV record must be published on your DNS server. An example SRV record for the LCS gateway is shown below: _SIPfederationTLS._TCP.example.com IN SRV lcsgw lcsgw IN A The SRV record maps the LCS gateway domain name to the IP address where the LCS gateway is going to run. Obtaining a Signed Certificate The connection between the LCS gateway and the LCS 2005 Access Proxy must be mutual TLS. Certificates are presented by both sides as part of the TLS handshake. For the LCS gateway, you do not have to use a 3 rd -party CA; you can use a self-signed certificate if preferred. The certificate must conform to RFC 3280 certificate standards and include both server and client authentication EKU flags. On Solaris or Linux servers If your LCS gateway is running on a Solaris or Linux system, follow the instructions in Obtaining a Signed Certificate on page 52 to obtain a signed certificate. Jabber Interoperability Options Setup Guide Network Access and Certificate Authentication Page 55

56 LCS Gateway On Microsoft Windows Server 2000 or 2003 If your LCS gateway is running on a Microsoft Windows Server 2000 or 2003, you must export the Windows Cert Authority root certificate in a fashion that LCS prefers. You can then send this root certificate to anyone with whom you are federating so that they can add it to their trusted list. On the Windows server 1. From Control Panel, open Administrative Tools > Certificate Authority. 2. In the right pane, right-click the name of your server, and select Properties in the menu. Jabber Interoperability Options Setup Guide Network Access and Certificate Authentication Page 56

57 LCS Gateway 3. In the Properties dialog box, click the View Certificate button. 4. In the Certificate dialog box, view the Details tab. 5. Click the Copy To File button. The Certificate Export Wizard opens. Jabber Interoperability Options Setup Guide Network Access and Certificate Authentication Page 57

58 LCS Gateway 6. In the Certificate Export Wizard, select the DER encoded binary X.509 format, and then click Next. 7. Browse to the location in which you want to save the file, and enter a filename. 8. Finish the export operation. The certificate is saved in the selected location as filename.csr. Jabber Interoperability Options Setup Guide Network Access and Certificate Authentication Page 58