The general approach for providing secure communications between
two independent domains or communities (each maintaining distinct directories)
relies on identity assertion, where a trust relationship is established
between two distinct domains through the certificate exchange that takes place
when the Secure Sockets Layer (SSL) connection is set up with client authentication
enabled, so that both ends of the connection are authenticated.
About this task
Authentication of Session Initiation Protocol (SIP) messages that
are sent by users needs to occur only in the local domain for that user. All
user messages pass through the SIP container in the local domain before being sent
on to the external domain. If a message is received from an external domain
over a secured connection that is mutually authenticated as described in the
following procedure, the message is assumed to have been authenticated by the
external domain because of the trust relationship. An administrator can use
the following steps to enable support for external domains in the SIP proxy.
Procedure
- Enable client authentication within the SSL repertoire that is
assigned to all the inbound channel chains (or endpoints) that are to receive
inbound connections from external domains.
- Ensure that the certificate authorities agreed upon with the external
domains are set up in the trust store that is assigned to the SSL repertoires
mentioned in the previous step. Keep this trust store limited to those agreed
authorities: any certificate that chains to a certificate authority in the trust
store passes SSL validation, and only the DN filter configured in the next step
distinguishes one external domain from another that uses the same authority.
Set up the asymmetric key pair (public and private keys)
for the local domain, with the proper chain of certificates that is associated
with the local domain.
- Configure the distinguished names (DNs) that are associated with
the external domains that are to be supported. The DN is the subject of the X.509
certificate that the external domain server sends when the SSL connection is set
up. Within the configuration model, each SIP external domain entry includes a
field for the external DN.
- Assuming that the SIP infrastructure is deployed within each domain,
give the external domain administrator the DN that is included in the local
domain public certificate, so that the external domain administrator can
configure the proper external DN on that side.
With
this approach, the Java™ Secure Socket Extension (JSSE) is responsible
for validating the certificate chain that is received over a new inbound connection
from an external domain. This validation is based on the agreed upon certificate
authorities whose certificates are set up in the local trust store. If the
external domain certificate is validated, it is then the responsibility of
the SIP proxy to filter the connections based on the DN in the external domain
certificate, because JSSE accepts any certificate that chains to a trusted
authority regardless of its DN. The proxy also validates outbound connections
by ensuring that the DN that is received in the remote server certificate
matches the DN configured for the external domain.
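The following program is an added example, not code from WebSphere or the SIP proxy, that walks through the procedure above with Go's crypto/tls standing in for JSSE. It constructs a CA and two leaf certificates in memory (constructed test material), enables client authentication on the local domain's inbound endpoint with the agreed CA as its trust store, and then applies the DN filter on both sides of the mutually authenticated connection: the inbound side compares the peer's subject DN with the configured external DN, and the outbound side compares the server's DN with the local DN it was given. The domain names, the configured DN string "CN=sip.external.example,O=External", and the function names (Exchange, checkPeerDN, issue, must) are assumptions made for the example. Running it with a second certificate from the same CA but a different common name shows why the DN filter is needed: TLS validation succeeds for that certificate, and only the DN check rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds constructed test material: an in-memory P-256 key and certificate for
// subject, a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func issue(subject pkix.Name, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// checkPeerDN is the proxy's filter. TLS has already validated the chain, so any
// certificate issued by the agreed CA reaches this point; only a configured DN passes.
func checkPeerDN(cs tls.ConnectionState, configuredDNs []string) error {
	if len(cs.PeerCertificates) == 0 {
		return fmt.Errorf("no peer certificate presented")
	}
	dn := cs.PeerCertificates[0].Subject.String()
	for _, c := range configuredDNs {
		if dn == c {
			return nil
		}
	}
	return fmt.Errorf("peer DN %q is not a configured external domain", dn)
}

// Exchange connects an external domain whose certificate has common name externalCN to
// the local domain's inbound endpoint and reports whether each side accepted the other's DN.
func Exchange(externalCN string) (serverOK, clientOK bool) {
	ca, caKey := issue(pkix.Name{CommonName: "Agreed CA"}, nil, nil)
	localCert, localKey := issue(pkix.Name{CommonName: "sip.local.example", Organization: []string{"Local"}}, ca, caKey)
	extCert, extKey := issue(pkix.Name{CommonName: externalCN, Organization: []string{"External"}}, ca, caKey)
	trust := x509.NewCertPool() // the trust store holding the agreed CA
	trust.AddCert(ca)
	configuredExternalDN := "CN=sip.external.example,O=External" // as supplied by the external administrator (hypothetical)
	configuredLocalDN := localCert.Subject.String()               // as supplied by the local administrator
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{localCert.Raw}, PrivateKey: localKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // client authentication enabled on the inbound endpoint
		ClientCAs:    trust,
	}))
	defer ln.Close()
	srvRes := make(chan error, 1)
	go func() {
		c := must(ln.Accept()).(*tls.Conn)
		defer c.Close()
		if err := c.Handshake(); err != nil { // explicit, so the peer certificate is known before any I/O
			srvRes <- err
			return
		}
		srvRes <- checkPeerDN(c.ConnectionState(), []string{configuredExternalDN})
	}()
	conn := must(tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{extCert.Raw}, PrivateKey: extKey}},
		RootCAs:      trust,
	}))
	defer conn.Close()
	clientOK = checkPeerDN(conn.ConnectionState(), []string{configuredLocalDN}) == nil // outbound validation
	serverOK = (<-srvRes) == nil
	return serverOK, clientOK
}

func main() {
	for _, cn := range []string{"sip.external.example", "rogue.external.example"} {
		s, c := Exchange(cn)
		fmt.Printf("%s: local accepted=%v, external accepted=%v\n", cn, s, c)
	}
}
```

The DN comparison is an exact string match on the RFC 2253 form that Go produces for the subject; a deployment that takes the configured DN from an administrator must normalise both sides to the same form (attribute order, spacing and case) before comparing, or a correctly issued certificate will be refused.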
The SIP proxy must
recognize when identity assertion is in use so that it can inform the SIP
container that no message authentication is required over this mutually authenticated
connection. It does so by adding the P-Preferred-Identity
SIP header, which is described in RFC 3325, to all SIP messages that arrive over
the authenticated connection and are sent from the proxy to the SIP container.
The SIP container recognizes this header only when it is received from a device
that resides in the trusted domain, specifically the SIP proxy. The SIP proxy
must remove this header from any inbound messages that are received
over connections to remote devices that are not considered part of the
trusted domain; otherwise a remote device could insert the header itself and
have its messages forwarded to the container as if they were already
authenticated. You can also use this header to support the addition of proxy
authentication.
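The header handling described above, as an added example that is not code from the SIP proxy or container: the proxy strips any P-Preferred-Identity header a remote device supplied (whatever its letter case, since SIP header names are case-insensitive) and adds its own only when the message arrived over a mutually authenticated connection whose peer DN matched a configured external domain; the container then honours the header only when the message came from the proxy. The sample INVITE, the asserted identity value (the From URI is used here; the page does not say what value the proxy asserts), and the function names ProxyForward and ContainerNeedsAuth are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Header name used on the page for the proxy-to-container signal (RFC 3325).
const identityHeader = "P-Preferred-Identity"

// Constructed sample: an INVITE from a remote peer that has tried to insert the
// identity header itself, using a lower-case header name.
const sampleInvite = "INVITE sip:bob@local.example SIP/2.0\r\n" +
	"Via: SIP/2.0/TLS sip.external.example;branch=z9hG4bK776asdhds\r\n" +
	"From: <sip:alice@external.example>;tag=1928301774\r\n" +
	"To: <sip:bob@local.example>\r\n" +
	"p-preferred-identity: <sip:admin@local.example>\r\n" +
	"Call-ID: a84b4c76e66710@sip.external.example\r\n" +
	"CSeq: 314159 INVITE\r\n" +
	"Content-Length: 0\r\n" +
	"\r\n"

// splitMessage separates the start line and headers from the body; SIP delimits
// them with an empty CRLF line (RFC 3261).
func splitMessage(msg string) ([]string, string) {
	head, body, _ := strings.Cut(msg, "\r\n\r\n")
	return strings.Split(head, "\r\n"), body
}

func joinMessage(lines []string, body string) string {
	return strings.Join(lines, "\r\n") + "\r\n\r\n" + body
}

// hasHeader reports whether line is a header with the given name; SIP header
// names are compared case-insensitively.
func hasHeader(line, name string) bool {
	k, _, found := strings.Cut(line, ":")
	return found && strings.EqualFold(strings.TrimSpace(k), name)
}

// stripHeader drops every occurrence of name, whatever its case.
func stripHeader(lines []string, name string) []string {
	var kept []string
	for _, l := range lines {
		if !hasHeader(l, name) {
			kept = append(kept, l)
		}
	}
	return kept
}

// ProxyForward is the proxy's treatment of an inbound message before it is handed
// to the container. Any copy of the header the remote device sent is removed first;
// the proxy's own header is then added only if the connection is mutually
// authenticated and its peer DN matched a configured external domain.
func ProxyForward(msg string, trusted bool, identity string) string {
	lines, body := splitMessage(msg)
	lines = stripHeader(lines, identityHeader)
	if trusted {
		lines = append(lines, identityHeader+": "+identity)
	}
	return joinMessage(lines, body)
}

// ContainerNeedsAuth is the container's rule: the header counts only when the
// message came from the proxy; from any other device it is ignored and the message
// must be authenticated locally.
func ContainerNeedsAuth(msg string, fromProxy bool) bool {
	if !fromProxy {
		return true
	}
	lines, _ := splitMessage(msg)
	return len(stripHeader(lines, identityHeader)) == len(lines)
}

func main() {
	for _, trusted := range []bool{false, true} {
		fwd := ProxyForward(sampleInvite, trusted, "<sip:alice@external.example>")
		fmt.Printf("trusted=%v, container needs auth=%v\n%s\n", trusted, ContainerNeedsAuth(fwd, true), fwd)
	}
}
```

The order matters: the strip happens before the trust decision, so a forged header is removed from every inbound message, and a message from an untrusted device reaches the container with no identity header at all and is authenticated locally.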