XMPP Cluster

Configuring XMPP

The XMPP service in CMS handles all registration and authentication for Cisco Meeting Apps (CMA), including the web-based WebRTC CMA client. The Call Bridge itself also acts as an XMPP client for authentication purposes, so it must be registered with the XMPP service just like any other client. XMPP resiliency (clustering) is supported for production environments starting with the 2.1 release of CMS, and that is what you will configure in this lab.

XMPP Basic Configuration

As with the other services, begin by configuring XMPP on server cms1a. As you can probably guess by now, the first step is to configure the certificates.

Cisco Meeting Server Name    Password
cms1a.pod2.cms.lab           c1sco123
cms1a> xmpp certs cms1a.key cms1a.cer cmslab-root-ca.cer

Next, define the listening interface:

cms1a> xmpp listen a

The XMPP service requires a unique domain. This is the login domain for users. In other words, when a user attempts to sign in with the CMA application (or via the WebRTC client), they will enter userID@logindomain. For this lab, this would be userid@conf.pod2.cms.lab. Why isn’t it just pod2.cms.lab? In our particular deployment, we have chosen our Unified CM domain, which Jabber users on Unified CM will use, as pod2.cms.lab, therefore you need another domain for the CMS users in order to route calls to and from CMS via SIP domains.

Configure the XMPP Domain with the following command:

cms1a> xmpp domain conf.pod2.cms.lab

Now enable the XMPP service:

cms1a> xmpp enable
SUCCESS: Callbridge activated
SUCCESS: Domain configured
SUCCESS: Key and certificate pair match
SUCCESS: certificate verified against CA bundle
SUCCESS: XMPP server enabled

Within the XMPP service, you must create credentials for each Call Bridge to use when registering with the XMPP service. These names are arbitrary (and unrelated to the unique names you configured for Call Bridge clustering). On one XMPP server, you must add the three Call Bridges, then enter these credentials on the other XMPP servers in the cluster, as this configuration is not put into the clustered database. Later on you will configure each Call Bridge to use this name and secret to register with the XMPP service.

Now configure the XMPP service on cms1a with three Call Bridge accounts: cb-cms1a, cb-cms1b, and cb-cms1c. Each account is assigned a random secret. You will later enter the same secrets on the other two XMPP servers (so that every node in the cluster accepts the same credentials) and in each Call Bridge's Web Admin configuration. Enter the following commands:

cms1a> xmpp callbridge add cb-cms1a
Success : true
Callbridge : cb-cms1a
Domain : conf.pod2.cms.lab
Secret : PnJlVicMatlvmcU8Ab1          # This value will be different
cms1a> xmpp callbridge add cb-cms1b
Success : true
Callbridge : cb-cms1b
Domain : conf.pod2.cms.lab
Secret : CnM11SQ0eWe5NbNnAb1          # This value will be different
cms1a> xmpp callbridge add cb-cms1c
Success : true
Callbridge : cb-cms1c
Domain : conf.pod2.cms.lab
Secret : s7uenzRfvZdaD0lgAb1          # This value will be different

As you can see, the Secret values are displayed in plain text on the MMP, and anyone with MMP access can retrieve them at any time with the xmpp callbridge list command, so treat MMP administrative access as equivalent to holding these credentials. You will need the secrets several more times during the installation (on the other two XMPP servers and in each Call Bridge's Web Admin configuration). In a normal deployment you would paste the output of the commands above into a text editor now so that each Secret is recorded; in this lab you can also simply run xmpp callbridge list on cms1a whenever a value is needed.

Configuring XMPP Clustering

XMPP clustering is officially supported starting with the 2.1 release of CMS. The cluster elects a leader and requires more than 50% of its nodes to be reachable (a majority) for failover to occur, so you must deploy an odd number of XMPP nodes: with an even count, a split can leave neither side with a majority, and a 4-node cluster tolerates no more failures than a 3-node one. The recommended value is 3 and the maximum number of XMPP nodes is currently 5.

XMPP Clustering on cms1a

Before enabling XMPP clustering, you must disable the XMPP service. Start by connecting to cms1a and disabling the XMPP service as follows:

Cisco Meeting Server Name    Password
cms1a.pod2.cms.lab           c1sco123
cms1a> xmpp disable

XMPP clustering requires a certificate bundle that contains the certificates of all XMPP servers in the cluster; the nodes use it to trust each other's certificates when they connect. If you recall, you created this file when you built the combined certificate file earlier and named it cms1abc.cer. All you have to do is point the XMPP service at this file with the following command:

cms1a> xmpp cluster trust cms1abc.cer

Then, on cms1a, the first node of the cluster, enable XMPP clustering:

cms1a> xmpp cluster enable

And then initialize the cluster:

cms1a> xmpp cluster initialize

The XMPP service can now be re-enabled:

cms1a> xmpp enable
SUCCESS: Callbridge activated
SUCCESS: Domain configured
SUCCESS: Key and certificate pair match
SUCCESS: certificate verified against CA bundle
SUCCESS: XMPP server enabled

You can now check the XMPP cluster state. It will start out as a Follower, but should eventually become Leader with only itself as a peer after a few seconds. Issue the following command a few times until you see the server become a Leader:

cms1a> xmpp cluster status
State: LEADER
List of peers
10.0.102.51:5222 (Leader)
Last state change: 2017-Apr-18 15:17:59
Key file : cms1a.key
Certificate file : cms1a.cer
Trust bundle : cms1abc.cer

XMPP Clustering on cms1b

Now you must configure XMPP on the two remaining servers, starting with cms1b.

Cisco Meeting Server Name    Password
cms1b.pod2.cms.lab           c1sco123

First, configure the certificates for the XMPP service:

cms1b> xmpp certs cms1b.key cms1b.cer cmslab-root-ca.cer

Next, assign the listening interface, the domain, and enable the process.

cms1b> xmpp listen a
cms1b> xmpp domain conf.pod2.cms.lab
cms1b> xmpp enable
SUCCESS: Callbridge activated
SUCCESS: Domain configured
SUCCESS: Key and certificate pair match
SUCCESS: certificate verified against CA bundle
SUCCESS: XMPP server enabled

The Call Bridges, acting as XMPP clients, will be configured with the credentials (the Secret values) you generated earlier. Every XMPP server in the cluster must accept those same credentials, so you must configure them on the other servers as well. As mentioned earlier, connect to cms1a and issue xmpp callbridge list to retrieve the Secret values. You will use the xmpp callbridge add-secret command to configure these credentials on the other servers. On cms1b, do the following.

NOTE: As you type or paste the Secret, no characters are echoed to the screen; after you press Enter, the output shows the value you entered. Compare that output with the Secret you intended to paste to make sure it matches. If the Secret value is incorrect, remove the client with the xmpp callbridge del command, then re-add it with the xmpp callbridge add-secret command shown below. When you are done, the xmpp callbridge list output must be identical on all XMPP servers in the cluster.

Copy each Secret from the xmpp callbridge list output on cms1a and paste it when prompted, as shown below.

cms1b> xmpp callbridge add-secret cb-cms1a
Enter callbridge secret          ## Paste in the Secret for cb-cms1a and press Enter ##
Success : true
Callbridge : cb-cms1a
Domain : conf.pod2.cms.lab
Secret : ## must match the value generated on cms1a ##
cms1b> xmpp callbridge add-secret cb-cms1b
Enter callbridge secret          ## Paste in the Secret for cb-cms1b and press Enter ##
Success : true
Callbridge : cb-cms1b
Domain : conf.pod2.cms.lab
Secret : ## must match the value generated on cms1a ##
cms1b> xmpp callbridge add-secret cb-cms1c
Enter callbridge secret          ## Paste in the Secret for cb-cms1c and press Enter ##
Success : true
Callbridge : cb-cms1c
Domain : conf.pod2.cms.lab
Secret : ## must match the value generated on cms1a ##
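The requirement that xmpp callbridge list be identical on every XMPP server is easy to get wrong when secrets are pasted blind. The following is an added example, not part of the lab and not Cisco's code: it parses the "Key : value" layout the MMP prints for xmpp callbridge add (the lab does not show the list output, so the parser assumes xmpp callbridge list prints one such block per Call Bridge) and diffs the output captured from cms1a against the output captured from cms1b or cms1c. The two sample outputs are constructed; the secrets are made-up values and the cms1b sample deliberately contains a truncated secret and a missing account.

```python
"""Diff 'xmpp callbridge list' output between XMPP servers (added example).

Assumption: the list command prints the same 'Callbridge : / Domain : /
Secret :' lines per account that 'xmpp callbridge add' prints in the lab.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of what cms1a prints; secrets are invented values.
CMS1A_LIST = """\
Callbridge : cb-cms1a
Domain     : conf.pod2.cms.lab
Secret     : PnJlVicMatlvmcU8Ab1
Callbridge : cb-cms1b
Domain     : conf.pod2.cms.lab
Secret     : CnM11SQ0eWe5NbNnAb1
Callbridge : cb-cms1c
Domain     : conf.pod2.cms.lab
Secret     : s7uenzRfvZdaD0lgAb1
"""

# Constructed sample of a bad cms1b: cb-cms1b's secret lost its last
# character during paste and cb-cms1c was never added.
CMS1B_LIST = """\
Callbridge : cb-cms1a
Domain     : conf.pod2.cms.lab
Secret     : PnJlVicMatlvmcU8Ab1
Callbridge : cb-cms1b
Domain     : conf.pod2.cms.lab
Secret     : CnM11SQ0eWe5NbNnAb
"""

_KV = re.compile(r"^\s*(Callbridge|Domain|Secret)\s*:\s*(\S+)\s*$")


def parse_callbridge_list(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {callbridge_name: (domain, secret)} from MMP list output.

    Lines that are not one of the three expected keys (e.g. 'Success : true')
    are ignored; an account is recorded once all three keys have been seen.
    """
    entries: Dict[str, Tuple[str, str]] = {}
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Callbridge":
            current = {"name": value}      # a new account block starts here
        else:
            current[key.lower()] = value
        if set(current) >= {"name", "domain", "secret"}:
            entries[current["name"]] = (current["domain"], current["secret"])
            current = {}
    return entries


def find_mismatches(reference: Dict[str, Tuple[str, str]],
                    others: Dict[str, Dict[str, Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Compare each server's parsed list against the reference (cms1a).

    Returns {server: [problem, ...]}; servers with no problems are omitted,
    so an empty dict means every node holds identical credentials.
    """
    problems: Dict[str, List[str]] = {}
    for server, entries in others.items():
        issues: List[str] = []
        for name, (domain, secret) in reference.items():
            if name not in entries:
                issues.append(f"{name}: missing (run 'xmpp callbridge add-secret {name}')")
                continue
            other_domain, other_secret = entries[name]
            if other_domain != domain:
                issues.append(f"{name}: domain {other_domain!r} != {domain!r}")
            if other_secret != secret:
                issues.append(f"{name}: secret differs (delete with 'xmpp callbridge del {name}', "
                              "then re-add with add-secret)")
        for name in sorted(set(entries) - set(reference)):
            issues.append(f"{name}: present here but not on the reference server")
        if issues:
            problems[server] = issues
    return problems


if __name__ == "__main__":
    ref = parse_callbridge_list(CMS1A_LIST)
    for server, issues in find_mismatches(ref, {"cms1b": parse_callbridge_list(CMS1B_LIST)}).items():
        for issue in issues:
            print(f"{server}: {issue}")
```

Run it with the real outputs pasted into the two constants (or read from files) before moving on to the Call Bridge configuration; a secret that differs by one character produces exactly the "not connected" symptom the Web Admin steps later warn about.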

Now you can add cms1b to the cluster. As before, the XMPP service must first be stopped as follows:

cms1b> xmpp disable

Then configure the certificate trust bundle:

cms1b> xmpp cluster trust cms1abc.cer

Now enable XMPP clustering:

cms1b> xmpp cluster enable

Next, re-enable the XMPP service:

cms1b> xmpp enable
SUCCESS: Callbridge activated
SUCCESS: Domain configured
SUCCESS: Key and certificate pair match
SUCCESS: certificate verified against CA bundle
SUCCESS: XMPP server enabled

Now you can join this server to the cluster:

cms1b> xmpp cluster join 10.0.102.51
Success
Current configuration:
Configuration 1:
 - 1138785658573525144: 10.0.102.51:5222
Attempting to change cluster membership to the following:
   299513273336054337: 10.0.102.52:5222 (given as 10.0.102.52:5222)
   1138785658573525144: 10.0.102.51:5222
Membership change result: OK
Current configuration:
Configuration 5759:
 - 299513273336054337: 10.0.102.52:5222
 - 1138785658573525144: 10.0.102.51:5222

If you check the cluster status, you should see both peers:

cms1b> xmpp cluster status
State: FOLLOWER
List of peers
10.0.102.51:5222 (Leader)
10.0.102.52:5222
Last state change: 2017-Apr-18 20:23:04
Key file : cms1b.key
Certificate file : cms1b.cer
Trust bundle : cms1abc.cer

XMPP Clustering on cms1c

Repeat the same process on the last node, cms1c to enable XMPP and add it to the cluster.

Cisco Meeting Server Name    Password
cms1c.pod2.cms.lab           c1sco123

Enter these commands on cms1c:

xmpp certs cms1c.key cms1c.cer cmslab-root-ca.cer
xmpp listen a
xmpp domain conf.pod2.cms.lab
xmpp enable

Add the Call Bridge credentials for cb-cms1a, cb-cms1b, and cb-cms1c, so they match the ones originally generated just as you did for cms1b.

Copy each Secret from the xmpp callbridge list output on cms1a and paste it when prompted, as shown below.

cms1c> xmpp callbridge add-secret cb-cms1a
Enter callbridge secret          ## Paste in the Secret for cb-cms1a and press Enter ##
Success : true
Callbridge : cb-cms1a
Domain : conf.pod2.cms.lab
Secret : ## must match the value generated on cms1a ##
cms1c> xmpp callbridge add-secret cb-cms1b
Enter callbridge secret          ## Paste in the Secret for cb-cms1b and press Enter ##
Success : true
Callbridge : cb-cms1b
Domain : conf.pod2.cms.lab
Secret : ## must match the value generated on cms1a ##
cms1c> xmpp callbridge add-secret cb-cms1c
Enter callbridge secret          ## Paste in the Secret for cb-cms1c and press Enter ##
Success : true
Callbridge : cb-cms1c
Domain : conf.pod2.cms.lab
Secret : ## must match the value generated on cms1a ##

Now set the cluster trust and turn on clustering, which requires the XMPP service to be off. Enter the following commands:

xmpp disable
xmpp cluster trust cms1abc.cer
xmpp cluster enable
xmpp enable

If the start was successful, then you are ready to join cms1c to the cluster leader, cms1a with the following command:

cms1c> xmpp cluster join 10.0.102.51
Success
Current configuration:
Configuration 5759:
 - 299513273336054337: 10.0.102.52:5222
 - 1138785658573525144: 10.0.102.51:5222
Attempting to change cluster membership to the following:
   7770274060842686592: 10.0.102.53:5222 (given as 10.0.102.53:5222)
   299513273336054337: 10.0.102.52:5222
   1138785658573525144: 10.0.102.51:5222
Membership change result: OK
Current configuration:
Configuration 6124:
 - 7770274060842686592: 10.0.102.53:5222
 - 299513273336054337: 10.0.102.52:5222
 - 1138785658573525144: 10.0.102.51:5222

Now the cluster status shows all three peers with exactly one leader. Note that the leader could be any of the servers, and after a reboot or other failure the leader may change.

cms1c> xmpp cluster status
State: FOLLOWER
List of peers
10.0.102.52:5222
10.0.102.51:5222 (Leader)
10.0.102.53:5222
Last state change: 2017-Apr-18 20:23:07
Key file : cms1c.key
Certificate file : cms1c.cer
Trust bundle : cms1abc.cer
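Once all three nodes are joined, the useful check is that every node reports the same membership, the same trust bundle and the same single leader, and that enough nodes are up to hold the majority the clustering section requires. The following is an added example, not part of the lab and not Cisco's code: it parses the xmpp cluster status layout shown above as captured from each node and applies the majority rule. Only cms1c's final status is on the page; the cms1a and cms1b views below are constructed to match it, and the "stale" cms1b view is constructed to show what a node that never completed its join looks like.

```python
"""Consistency and quorum check over 'xmpp cluster status' output (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

EXPECTED_PEERS = {"10.0.102.51:5222", "10.0.102.52:5222", "10.0.102.53:5222"}

# Constructed status texts, one per node, in the layout the MMP prints.
HEALTHY_STATUS = {
    "cms1a": """State: LEADER
List of peers
10.0.102.51:5222 (Leader)
10.0.102.52:5222
10.0.102.53:5222
Last state change: 2017-Apr-18 20:23:07
Key file : cms1a.key
Certificate file : cms1a.cer
Trust bundle : cms1abc.cer
""",
    "cms1b": """State: FOLLOWER
List of peers
10.0.102.51:5222 (Leader)
10.0.102.52:5222
10.0.102.53:5222
Last state change: 2017-Apr-18 20:23:07
Key file : cms1b.key
Certificate file : cms1b.cer
Trust bundle : cms1abc.cer
""",
    "cms1c": """State: FOLLOWER
List of peers
10.0.102.52:5222
10.0.102.51:5222 (Leader)
10.0.102.53:5222
Last state change: 2017-Apr-18 20:23:07
Key file : cms1c.key
Certificate file : cms1c.cer
Trust bundle : cms1abc.cer
""",
}

# Constructed: a cms1b that still only knows about two members.
STALE_CMS1B_STATUS = """State: FOLLOWER
List of peers
10.0.102.51:5222 (Leader)
10.0.102.52:5222
Last state change: 2017-Apr-18 20:23:04
Key file : cms1b.key
Certificate file : cms1b.cer
Trust bundle : cms1abc.cer
"""


@dataclass
class ClusterView:
    state: str                   # LEADER / FOLLOWER as reported by this node
    peers: Set[str]              # ip:port of every member this node lists
    leader: Optional[str]        # the peer tagged "(Leader)" in its list
    trust_bundle: Optional[str]


_PEER_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}:\d+)(\s+\(Leader\))?$")


def parse_cluster_status(text: str) -> ClusterView:
    state, peers, leader, trust = "", set(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("State:"):
            state = line.split(":", 1)[1].strip().upper()
        elif line.startswith("Trust bundle"):
            trust = line.split(":", 1)[1].strip()
        else:
            m = _PEER_LINE.match(line)
            if m:
                peers.add(m.group(1))
                if m.group(2):
                    leader = m.group(1)
    return ClusterView(state, peers, leader, trust)


def majority_needed(total: int) -> int:
    return total // 2 + 1


def tolerable_failures(total: int) -> int:
    """Nodes that may fail while a majority survives: 3 -> 1, 4 -> 1, 5 -> 2."""
    return total - majority_needed(total)


def has_quorum(total: int, reachable: int) -> bool:
    return reachable >= majority_needed(total)


def check_cluster(views: Dict[str, ClusterView], expected_peers: Set[str]) -> List[str]:
    """Return problems found across the per-node views; empty means consistent."""
    issues: List[str] = []
    for node, v in views.items():
        if v.peers != expected_peers:
            issues.append(f"{node}: peer list {sorted(v.peers)} != expected {sorted(expected_peers)}")
        if v.leader is None:
            issues.append(f"{node}: no leader elected yet (re-run status in a few seconds)")
    leaders = {v.leader for v in views.values() if v.leader}
    if len(leaders) > 1:
        issues.append(f"nodes disagree on the leader: {sorted(leaders)}")
    self_leaders = [n for n, v in views.items() if v.state == "LEADER"]
    if len(self_leaders) != 1:
        issues.append(f"expected exactly one node in LEADER state, got {self_leaders}")
    if len({v.trust_bundle for v in views.values()}) != 1:
        issues.append("trust bundle file name differs across nodes")
    # Nodes that answered the status command count as reachable.
    if not has_quorum(len(expected_peers), len(views)):
        issues.append(f"only {len(views)} of {len(expected_peers)} nodes answered; no majority")
    return issues


if __name__ == "__main__":
    views = {n: parse_cluster_status(t) for n, t in HEALTHY_STATUS.items()}
    print("healthy:", check_cluster(views, EXPECTED_PEERS) or "OK")
    views["cms1b"] = parse_cluster_status(STALE_CMS1B_STATUS)
    print("stale cms1b:", check_cluster(views, EXPECTED_PEERS))
```

The trust-bundle check only compares file names, which is all the status output exposes; whether the three files have identical contents has to be verified on each node's MMP.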

Connect Call Bridge to XMPP

Now that the XMPP cluster is up, you must configure the Call Bridge services to connect to the XMPP cluster. This configuration is done through Web Admin.

Configure cms1a to connect to the XMPP Cluster

Start with cms1a by following these steps:

  1. Browse to the cms1a Web Admin page at https://cms1a.pod2.cms.lab:8443
  2. Enter your credentials (username: admin password: c1sco123) and press Submit
  3. Navigate to Configuration > General
  4. For the Unique Call Bridge name, enter cb-cms1a, the value you entered for the Call Bridge in the XMPP configuration in the previous section.
  5. On the Domain line, enter the XMPP domain, which is conf.pod2.cms.lab

    NOTE: A Server address could be configured to make this Call Bridge connect to a specific XMPP server, however this will not allow the Call Bridge to fail over to another XMPP server should the local one become unavailable. You will leave the value blank so that the server will query the DNS server for the _xmpp-component._tcp.conf.pod2.cms.lab SRV Record. This query will return the list of all the XMPP servers in the cluster. This means that the Call Bridge could potentially connect to an XMPP server in the cluster running on a different server.
  6. Click the [change] link next to the Shared secret box
  7. In the Shared secret box, enter the secret that was generated on cms1a for cb-cms1a. Retrieve it from the MMP of cms1a.pod2.cms.lab (password c1sco123) with the xmpp callbridge list command and copy the Secret value for cb-cms1a into the Shared secret box.
  8. Paste the same secret in the Confirm shared secret box
  9. Scroll down and click Submit
  10. Now navigate back to the Status > General page to see whether the Call Bridge service connected to the XMPP service successfully.
  11. You should see that the XMPP connection is in a connected state. The Authentication service should also now show up as registered as a result of being connected to the XMPP server. Later you will configure LDAP for authentication.

As mentioned earlier, if the Server field is left blank, the Call Bridge will perform a DNS SRV lookup for _xmpp-component._tcp.conf.pod2.cms.lab to find an available XMPP server. This will resolve to cms1a.pod2.cms.lab, cms1b.pod2.cms.lab, and cms1c.pod2.cms.lab. Call Bridge will pick one of the three, not necessarily the local server, but if that device fails, it will re-register to another XMPP server.

Feel free to connect to the CLI interface and use the dns lookup command to verify. Note that the order of records returned may be different than what is shown, however you should see all three of your servers on the list.

Cisco Meeting Server Name    Password
cms1a.pod2.cms.lab           c1sco123
cms1a> dns lookup SRV _xmpp-component._tcp.conf.pod2.cms.lab
Trying _xmpp-component._tcp.conf.pod2.cms.lab
--------------------------------------------------------------------------------
DNAME: cms1a.pod2.cms.lab.
PRIORITY: 10
WEIGHT: 10
PORT: 5222
DNSSEC SECURE:NO
A RESULTS FOR cms1a.pod2.cms.lab.
Trying cms1a.pod2.cms.lab.
10.0.102.51 (IS NOT DNSSEC SECURE)
AAAA RESULTS FOR cms1a.pod2.cms.lab.
Trying cms1a.pod2.cms.lab.
No results
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
DNAME: cms1b.pod2.cms.lab.
PRIORITY: 10
WEIGHT: 10
PORT: 5222
DNSSEC SECURE:NO
A RESULTS FOR cms1b.pod2.cms.lab.
Trying cms1b.pod2.cms.lab.
10.0.102.52 (IS NOT DNSSEC SECURE)
AAAA RESULTS FOR cms1b.pod2.cms.lab.
Trying cms1b.pod2.cms.lab.
No results
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
DNAME: cms1c.pod2.cms.lab.
PRIORITY: 10
WEIGHT: 10
PORT: 5222
DNSSEC SECURE:NO
A RESULTS FOR cms1c.pod2.cms.lab.
Trying cms1c.pod2.cms.lab.
10.0.102.53 (IS NOT DNSSEC SECURE)
AAAA RESULTS FOR cms1c.pod2.cms.lab.
Trying cms1c.pod2.cms.lab.
No results
--------------------------------------------------------------------------------
cms1a>

You can see that three CMS XMPP servers are returned.
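Because the Call Bridge discovers the XMPP cluster purely through this SRV record, the record set is worth checking mechanically: every cluster member must be present, on port 5222, with an A record, and the lookup above shows the answers are not DNSSEC-validated, so the DNS response itself is not something to rely on as a trust anchor. The following is an added example, not part of the lab and not Cisco's code. It parses the MMP dns lookup output above (copied into a constant) into records, runs the checks just listed, and reproduces the RFC 2782 priority/weight selection order that a standards-following client would use; the lab only says the Call Bridge "picks one of the three", so treating its choice as RFC 2782 selection is an assumption.

```python
"""Parse MMP 'dns lookup SRV' output and check the XMPP cluster's records (added example)."""
import random
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set, Tuple

EXPECTED_TARGETS = {"cms1a.pod2.cms.lab", "cms1b.pod2.cms.lab", "cms1c.pod2.cms.lab"}

# The lab's lookup output, re-keyed here as a constant.
MMP_DNS_OUTPUT = """\
Trying _xmpp-component._tcp.conf.pod2.cms.lab
--------------------------------------------------------------------------------
DNAME: cms1a.pod2.cms.lab.
PRIORITY: 10
WEIGHT: 10
PORT: 5222
DNSSEC SECURE:NO
A RESULTS FOR cms1a.pod2.cms.lab.
Trying cms1a.pod2.cms.lab.
10.0.102.51 (IS NOT DNSSEC SECURE)
AAAA RESULTS FOR cms1a.pod2.cms.lab.
Trying cms1a.pod2.cms.lab.
No results
--------------------------------------------------------------------------------
DNAME: cms1b.pod2.cms.lab.
PRIORITY: 10
WEIGHT: 10
PORT: 5222
DNSSEC SECURE:NO
A RESULTS FOR cms1b.pod2.cms.lab.
Trying cms1b.pod2.cms.lab.
10.0.102.52 (IS NOT DNSSEC SECURE)
AAAA RESULTS FOR cms1b.pod2.cms.lab.
Trying cms1b.pod2.cms.lab.
No results
--------------------------------------------------------------------------------
DNAME: cms1c.pod2.cms.lab.
PRIORITY: 10
WEIGHT: 10
PORT: 5222
DNSSEC SECURE:NO
A RESULTS FOR cms1c.pod2.cms.lab.
Trying cms1c.pod2.cms.lab.
10.0.102.53 (IS NOT DNSSEC SECURE)
AAAA RESULTS FOR cms1c.pod2.cms.lab.
Trying cms1c.pod2.cms.lab.
No results
--------------------------------------------------------------------------------
"""


@dataclass(frozen=True)
class SrvRecord:
    target: str
    priority: int
    weight: int
    port: int
    addresses: Tuple[str, ...]   # A records resolved for the target
    dnssec_secure: bool          # the SRV answer's "DNSSEC SECURE" flag


_FIELD = re.compile(r"^(DNAME|PRIORITY|WEIGHT|PORT):\s*(\S+)\s*$", re.M)
_DNSSEC = re.compile(r"^DNSSEC SECURE:\s*(YES|NO)\s*$", re.M)
_ADDR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\((?:IS|IS NOT) DNSSEC SECURE\)\s*$", re.M)


def parse_srv_lookup(text: str) -> List[SrvRecord]:
    """One SrvRecord per 'DNAME:' block of the MMP output."""
    records: List[SrvRecord] = []
    for block in re.split(r"^(?=DNAME:)", text, flags=re.M):
        if not block.startswith("DNAME:"):
            continue                      # header text before the first record
        fields = dict(_FIELD.findall(block))
        secure = _DNSSEC.search(block)
        records.append(SrvRecord(
            target=fields["DNAME"].rstrip("."),
            priority=int(fields["PRIORITY"]),
            weight=int(fields["WEIGHT"]),
            port=int(fields["PORT"]),
            addresses=tuple(_ADDR.findall(block)),
            dnssec_secure=bool(secure and secure.group(1) == "YES"),
        ))
    return records


def check_srv_targets(records: Sequence[SrvRecord], expected: Set[str], port: int = 5222) -> List[str]:
    """Membership, port and resolvability problems; empty list means all good."""
    issues: List[str] = []
    found = {r.target for r in records}
    issues += [f"missing SRV target {t}" for t in sorted(expected - found)]
    issues += [f"unexpected SRV target {t}" for t in sorted(found - expected)]
    for r in records:
        if r.port != port:
            issues.append(f"{r.target}: port {r.port} != {port}")
        if not r.addresses:
            issues.append(f"{r.target}: no A record")
    return issues


def unsigned_targets(records: Sequence[SrvRecord]) -> List[str]:
    """Targets whose SRV answer was not DNSSEC-validated (all of them in the lab)."""
    return [r.target for r in records if not r.dnssec_secure]


def selection_order(records: Sequence[SrvRecord], seed: Optional[int] = None) -> List[SrvRecord]:
    """RFC 2782 order: lowest priority first, weighted random within a priority."""
    rng = random.Random(seed)
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        # Zero-weight records go first in the list, as the RFC requires.
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


if __name__ == "__main__":
    recs = parse_srv_lookup(MMP_DNS_OUTPUT)
    print("problems:", check_srv_targets(recs, EXPECTED_TARGETS) or "none")
    print("unsigned answers:", unsigned_targets(recs))
    print("one possible connection order:", [r.target for r in selection_order(recs)])
```

With equal priority and weight, as in this lab, the first entry in the selection order is effectively uniform random across the three servers, which is why the Call Bridge on cms1a may well register with the XMPP service on cms1b or cms1c.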

Configure cms1b to connect to the XMPP Cluster

Now that you have configured cms1a to connect to the XMPP cluster, you must do the same for the other two Call Bridge servers. Repeat the same steps for cms1b and cms1c as shown below:

  1. Log in to the cms1b Web Admin Configuration > General page at https://cms1b.pod2.cms.lab:8443 (username: admin password: c1sco123)
  2. For the Unique Call Bridge name, enter cb-cms1b.
  3. On the Domain line, enter the XMPP domain, which is conf.pod2.cms.lab
  4. Click the [change] link next to the Shared secret box
  5. In the Shared secret box, paste the secret that was returned by the MMP earlier for cb-cms1b. Retrieve it from the MMP of cms1a.pod2.cms.lab (password c1sco123) with the xmpp callbridge list command.
  6. Paste the same secret in the Confirm shared secret box
  7. Click Submit
  8. Now navigate back to the Status > General page and check the status of the XMPP connection. If the service is not connected, chances are that the Call Bridge's name or the secret was entered incorrectly. Confirm both against the MMP output of the xmpp callbridge list command and re-enter them.

Configure cms1c to connect to the XMPP Cluster

Finally configure the connection to the XMPP server on cms1c:

  1. Log in to the cms1c Web Admin Configuration > General page at https://cms1c.pod2.cms.lab:8443 (username: admin password: c1sco123)
  2. For the Unique Call Bridge name, enter cb-cms1c.
  3. On the Domain line, enter the XMPP domain, which is conf.pod2.cms.lab
  4. Click the [change] link next to the Shared secret box
  5. In the Shared secret box, paste the secret that was returned by the MMP earlier for cb-cms1c. Retrieve it from the MMP of cms1a.pod2.cms.lab (password c1sco123) with the xmpp callbridge list command.
  6. Paste the same secret in the Confirm shared secret box
  7. Click Submit
  8. Now navigate back to the Status > General page and check the status of the XMPP connection. If the service is not connected, chances are that the Call Bridge's name or the secret was entered incorrectly. Confirm both against the MMP output of the xmpp callbridge list command.

You have now completed the XMPP service configuration.