The general approach for providing secure communications between two independent domains or communities (each maintaining distinct directories) relies on identity assertion, where a trust relationship is established between two distinct domains using a certificate exchange during the setup of the physical Secure Sockets Layer (SSL) connection between the two domains.
About this task
Authentication of Session Initiation Protocol (SIP) messages that are sent by end users needs to occur only in the local domain for the user. All user messages pass through the SIP container local domain before being sent on to the external domain. If a message is received from an external domain over a secured connection that is mutually authenticated in the manner described as follows, it is assumed that the message is authenticated by the external domain because of the trust relationship. An administrator can enable support for external domains in the SIP proxy as follows:
Procedure
- Enable client authentication within the SSL repertoire that is assigned to all the inbound channel chains (or endpoints) that are to receive inbound connections from external domains.
- Ensure that all trusted certificate authorities are set up in the trust store that is assigned to the SSL repertoires mentioned in the previous step. Set up the asymmetric key pair (public and private keys) for the local domain, with the proper chain of certificates that is associated with the local domain.
- Configure the distinguished names (DNs) that are associated with the external domains to support. The DN is part of the X.509 certificate that is sent by the external domain server when the SSL connection is set up. Within the configuration model, each SIP external domain entry includes a field for the external DN.
- Assuming that the SIP infrastructure is deployed within each domain, provide the DN that is included in the local domain's public certificate to the external domain administrator. With this action, the external domain administrator can configure the proper external DN.
With this approach, the Java™ Secure Socket Extension (JSSE) is responsible for authorizing the certificate that is received over a new inbound connection from an external domain. This authorization is based on the agreed upon certificate authorities whose certificates are set up in the local trust store. If the external domain certificate is authorized, it is then the responsibility of the SIP proxy to filter the connections, based on the DN that is associated with the external domain certificate. The proxy also validates outbound connections by ensuring that the DN that is received in the remote server certificate matches the DN configured for the external domain.
The SIP proxy must recognize when identity assertion is in use so that it can inform the SIP container that no message authentication is required over this mutually authenticated connection. This communication is done by adding the P-Preferred-Identity SIP header, which is described in RFC 3325, in all SIP messages that are sent from the proxy to the SIP container that arrive over the authenticated connection. The SIP container only recognizes this header when it is received from a device that resides in the trusted domain, specifically the SIP proxy. It is up to the SIP proxy to remove this header from any inbound messages that are received over any connections to remote devices that are not considered part of the trusted domain. You can also use this header to support the addition of proxy authentication.
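The two proxy-side checks described on this page, DN filtering of a mutually authenticated connection and P-Preferred-Identity handling on the way to the container, as an added, self-contained Python sketch (not the product's own code; the configuration table, the `Connection` record, the use of the From URI as the asserted identity and the simplified DN comparison are all assumptions for illustration):

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration: one entry per external domain, keyed by the
# subject DN expected in that domain's X.509 certificate (assumed format).
TRUSTED_EXTERNAL_DNS = {
    "CN=sip.example.org, O=Example Org, C=US": "example.org",
}
HEADER = "p-preferred-identity"

@dataclass
class Connection:
    peer_dn: Optional[str]        # subject DN of the peer certificate, None if none presented
    mutually_authenticated: bool  # True only if JSSE completed client authentication

def normalize_dn(dn: str) -> str:
    """Canonicalize an RFC 4514 DN string for comparison. Simplification: a real
    implementation must compare parsed RDNs (escaped commas, attribute order)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

_TRUSTED = {normalize_dn(k): v for k, v in TRUSTED_EXTERNAL_DNS.items()}

def trusted_external_domain(conn: Connection) -> Optional[str]:
    """External domain this connection belongs to, or None if the connection must be
    treated as untrusted (no mutual authentication, or a DN that is not configured)."""
    if not conn.mutually_authenticated or not conn.peer_dn:
        return None
    return _TRUSTED.get(normalize_dn(conn.peer_dn))

def header_name(line: str) -> str:
    return line.split(":", 1)[0].strip().lower()

def forward_to_container(raw: str, conn: Connection) -> str:
    """Rewrite a SIP message received by the proxy before it goes to the container:
    always drop any P-Preferred-Identity the remote side supplied, and add one only
    when the connection is mutually authenticated against a configured DN."""
    start_line, _, rest = raw.partition("\r\n")
    head, _, body = rest.partition("\r\n\r\n")
    headers = [h for h in head.split("\r\n") if h and header_name(h) != HEADER]
    if trusted_external_domain(conn):
        from_hdr = next((h for h in headers if header_name(h) in ("from", "f")), "")
        uri = re.search(r"<([^>]+)>", from_hdr)
        if uri:
            headers.append(f"P-Preferred-Identity: <{uri.group(1)}>")
    return "\r\n".join([start_line, *headers]) + "\r\n\r\n" + body
```

Note that the header is stripped unconditionally before the trust decision, so a message from an unauthenticated connection can never reach the container carrying an asserted identity.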