
Communicating with external domains

The general approach for providing secure communications between two independent domains or communities (each maintaining its own directory) relies on identity assertion: a trust relationship is established between the two domains through a certificate exchange during setup of the physical SSL connection between them.

Overview

Authentication of Session Initiation Protocol (SIP) messages sent by end users needs to occur only in the user's local domain. All user messages traverse the SIP container's local domain before being sent on to the remote domain. If a message is received from a remote domain over a secured connection that is mutually authenticated in the manner described below, the message is assumed to have been authenticated by the remote domain because of the trust relationship. An administrator enables support for external domains in the SIP proxy as follows:

Procedure

  1. Enable client authentication within the SSL repertoire assigned to all the inbound channel chains (or endpoints) that are to receive inbound connections from remote domains.

  2. Ensure that all trusted certificate authorities are set up in the trust store assigned to the SSL repertoires mentioned in the previous step. Set up the asymmetric key pair (public and private keys) for the local domain, with the proper certificate chain associated with the local domain.

  3. Configure all the distinguished names (DNs) associated with the remote domains that are to be supported. The DN is part of the X.509 certificate sent by the remote domain server when the SSL connection is set up. Within the configuration model, each SIP external domain entry includes a field for the remote DN.

  4. Assuming that the SIP infrastructure is deployed within each independent domain, provide the remote domain administrator with the DN that is included in the local domain's public certificate. With this information, the remote domain administrator can configure the proper external domain DN.

    With this approach, the Java Secure Socket Extension (JSSE) is responsible for authorizing the certificate received over a new inbound connection from a remote domain. This authorization is based on the agreed-upon certificate authorities whose certificates are set up in the local trust store. If the remote domain certificate is authorized, it is then the responsibility of the SIP proxy to filter the connections based on the DN associated with the remote domain certificate. The proxy also validates outbound connections by ensuring that the DN received in the remote server certificate matches the DN configured for the remote external domain.

    The SIP proxy must recognize when identity assertion is in use so that it can inform the SIP container that no message authentication is required over this mutually authenticated connection. It does so by adding the P-Preferred-Identity SIP header, described in RFC 3325, to all SIP messages that arrive over the authenticated connection and are forwarded from the proxy to the SIP container. The SIP container honors this header only when it is received from a device that resides in the trusted domain, specifically the SIP proxy. It is up to the SIP proxy to remove this header from any inbound messages received over connections to remote devices that are not considered part of the trusted domain. You can also use this header to support the addition of proxy authentication.
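As an added illustration (not part of the original documentation and not WebSphere code), the following Python sketches the two proxy responsibilities described above: filtering an already TLS-authenticated connection by its certificate DN against the configured external domains, and handling the P-Preferred-Identity header on the way to the SIP container. The DNs, the sample INVITE and the use of the From URI as the asserted identity are constructed assumptions.

```python
"""Trust filtering and P-Preferred-Identity handling in a SIP proxy (constructed
example, not WebSphere code). Assumes the TLS layer (JSSE in the text) has
already verified the client certificate chain and hands over its subject DN."""
import re

ASSERTION = "P-Preferred-Identity"

# Constructed configuration: remote certificate DN -> external domain (step 3).
EXTERNAL_DOMAINS = {"CN=sip.partner.example, O=Partner Corp, C=US": "partner.example"}

# Constructed inbound INVITE that already carries an assertion header set by the sender.
SAMPLE_INVITE = ("INVITE sip:bob@local.example SIP/2.0\r\n"
                 'From: "Alice" <sip:alice@partner.example>;tag=1928\r\n'
                 "To: <sip:bob@local.example>\r\n"
                 f"{ASSERTION}: <sip:admin@local.example>\r\n"
                 "Call-ID: a84b4c76e66710\r\nContent-Length: 0\r\n\r\n")


def normalize_dn(dn):
    """Canonicalise attribute-type case and spacing so DN comparison does not
    depend on how a particular TLS stack formats the subject string."""
    rdns = [p.split("=", 1) for p in re.split(r"(?<!\\),", dn) if "=" in p]
    return ",".join(f"{k.strip().upper()}={v.strip()}" for k, v in rdns)


def trusted_domain_for(peer_dn, configured=EXTERNAL_DOMAINS):
    """External domain for an authenticated peer DN, or None. A CA-signed
    certificate is still filtered out unless its DN was configured (exact match)."""
    if not peer_dn:
        return None
    wanted = normalize_dn(peer_dn)
    return next((d for dn, d in configured.items() if normalize_dn(dn) == wanted), None)


def forward_to_container(message, peer_dn, configured=EXTERNAL_DOMAINS):
    """Rewrite the header block before the SIP container sees the message.
    Untrusted connection: strip any sender-supplied assertion header, so the
    container authenticates the message itself. Trusted connection: ensure the
    header is present so authentication is skipped. Using the From URI as the
    asserted identity is this example's assumption; the page gives no value."""
    head, sep, body = message.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    is_assertion = [h.lower().startswith(ASSERTION.lower() + ":") for h in headers]
    if trusted_domain_for(peer_dn, configured) is None:
        headers = [h for h, hit in zip(headers, is_assertion) if not hit]
    elif not any(is_assertion):
        from_hdr = next(h for h in headers if h.lower().startswith("from:"))
        match = re.search(r"<([^>]+)>", from_hdr)
        uri = match.group(1) if match else from_hdr.split(":", 1)[1].split(";")[0].strip()
        headers.append(f"{ASSERTION}: <{uri}>")
    return "\r\n".join([request_line, *headers]) + sep + body
```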

Related tasks
Installing a Session Initiation Protocol proxy server