Cisco ASA Series CLI Configuration Manual page 1288

Software version 9.0 for the services module

Information About Cisco Unified Presence
http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html
Trust Relationship in the Presence Federation
Within an enterprise, you can set up a trust relationship by using self-signed certificates or an internal CA.
Establishing a trust relationship across enterprises or across administrative domains is key for federation. Across enterprises, you must use a trusted third-party CA (such as VeriSign). The ASA obtains a certificate with the FQDN of the Cisco UP (certificate impersonation).
For the TLS handshake, the two entities can validate the peer certificate via a certificate chain to trusted third-party certificate authorities. Both entities enroll with the CAs. The ASA, as the TLS proxy, must be trusted by both entities. The ASA is always associated with one of the enterprises. Within that enterprise (Enterprise X in Figure 1-1), the entity and the ASA can authenticate each other via a local CA, or by using self-signed certificates.
To establish a trusted relationship between the ASA and the remote entity (Entity Y), the ASA can enroll with the CA on behalf of Entity X (Cisco UP). In the enrollment request, the Entity X identity (domain name) is used.
Figure 1-3 shows the way to establish the trust relationship. The ASA enrolls with the third-party CA by using the Cisco UP FQDN as if the ASA is the Cisco UP.
Figure 1-3: How the Security Appliance Represents Cisco Unified Presence – Certificate Impersonate
[Figure labels: Cisco UP; ASA; 3rd Party CA (Certificate Authority); Enroll with FQDN of Cisco UP; Certificate; Certificate with Private Key; TLS (Self-signed, or from local CA), Key 1; Inspected and Modified (if needed); Internet; TLS (Cisco UP Certificate), Key 2; Microsoft Presence Server; Access Proxy; LCS/OCS Director]
Cisco ASA Series CLI Configuration Guide, Chapter 1: Configuring Cisco Unified Presence, page 1-4
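As an added illustration (not taken from the Cisco guide), the two trust relationships described above might be expressed on the ASA CLI as follows. The trustpoint names, key labels and `example.com` FQDNs are constructed placeholders, and manual (terminal) enrollment with the third-party CA is an assumption.

```cisco
! Constructed example: every name, label and FQDN below is a placeholder.
!
! --- Federation (outside) side: certificate impersonation ---
! The ASA holds the key pair and requests a certificate that carries
! the Cisco UP FQDN, so the remote entity sees the ASA as the Cisco UP.
crypto key generate rsa label cup_proxy_key modulus 2048
crypto ca trustpoint cup_proxy
 enrollment terminal
 fqdn cup.example.com
 subject-name cn=cup.example.com
 keypair cup_proxy_key
! Paste the third-party CA certificate when prompted
crypto ca authenticate cup_proxy
! Generate the enrollment request (CSR) to submit to the third-party CA
crypto ca enroll cup_proxy
! Paste the issued identity certificate when prompted
crypto ca import cup_proxy certificate
!
! --- Enterprise (inside) side: ASA <-> Cisco UP ---
! Trust inside the enterprise can rest on a self-signed certificate
! (or a local CA) instead of the third-party CA.
crypto key generate rsa label ent_x_inside_key modulus 2048
crypto ca trustpoint ent_x_inside
 enrollment self
 fqdn none
 subject-name cn=asa-inside.example.com
 keypair ent_x_inside_key
crypto ca enroll ent_x_inside
! Trustpoint that holds the Cisco UP's own self-signed or local-CA
! certificate, so the ASA can validate the Cisco UP
crypto ca trustpoint cup_cert
 enrollment terminal
crypto ca authenticate cup_cert
!
! --- Check ---
! Confirm the subject/FQDN and issuer of the impersonation certificate
show crypto ca certificates cup_proxy
```

Because the private key for a certificate bearing the Cisco UP FQDN lives on the ASA, access to that key pair and its trustpoint deserves the same protection as the Cisco UP's own identity.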
