diff --git a/contrail/environment/modules/contrail/manifests/compute/config.pp b/contrail/environment/modules/contrail/manifests/compute/config.pp
index 93630322..71543bd5 100644
--- a/contrail/environment/modules/contrail/manifests/compute/config.pp
+++ b/contrail/environment/modules/contrail/manifests/compute/config.pp
@@ -36,6 +36,7 @@
 $contrail_logoutput = $::contrail::params::contrail_logoutput,
 $contrail_host_roles = $::contrail::params::host_roles,
 $enable_lbass = $::contrail::params::enable_lbass,
+ $xmpp_auth_enable = $::contrail::params::xmpp_auth_enable,
 ) {
 $config_ip_to_use = $::contrail::params::config_ip_to_use
 $keystone_ip_to_use = $::contrail::params::keystone_ip_to_use
@@ -229,6 +230,10 @@
 # Ensure ctrl-details file is present with right content.
 include ::contrail::ctrl_details
+ if ($xmpp_auth_enable == true) {
+ include ::contrail::xmpp_cert_files
+ }
+
 if ! defined(File['/opt/contrail/bin/set_rabbit_tcp_params.py']) { # check_wsrep
 file { '/opt/contrail/bin/set_rabbit_tcp_params.py' :
@@ -278,6 +283,10 @@
 }
 contrail_vrouter_agent_config {
+ 'DEFAULT/xmpp_auth_enable' : value => "$xmpp_auth_enable";
+ 'DEFAULT/xmpp_server_cert' : value => "/etc/contrail/ssl/certs/server.pem";
+ 'DEFAULT/xmpp_server_key' : value => "/etc/contrail/ssl/private/server-privkey.pem";
+ 'DEFAULT/xmpp_ca_cert' : value => "/etc/contrail/ssl/certs/ca-cert.pem";
 'DISCOVERY/server' : value => "$discovery_ip";
 'DISCOVERY/max_control_nodes' : value => "$number_control_nodes";
 'HYPERVISOR/type' : value => "$hypervisor_type";
diff --git a/contrail/environment/modules/contrail/manifests/control/config.pp b/contrail/environment/modules/contrail/manifests/control/config.pp
index 1dddabc7..5073d887 100644
--- a/contrail/environment/modules/contrail/manifests/control/config.pp
+++ b/contrail/environment/modules/contrail/manifests/control/config.pp
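Review bot: The `include ::contrail::xmpp_cert_files` in the new `if ($xmpp_auth_enable == true)` block is gated on a strict boolean, while the `DEFAULT/xmpp_auth_enable` entry written in the later hunk of this file (@@ -278) is unconditional, so a value that arrives from the hiera lookups in init.pp as the string "true" rather than a boolean would enable XMPP auth in the agent config without ever managing the certificate files. The same pairing is added to control/config.pp (@@ -43 and @@ -57). Normalise the value once where it is received (in the `::contrail::params` call, or at the top of this class) and compare the normalised boolean, e.g. with `validate_bool`/`str2bool` from puppetlabs-stdlib if that module is available to this repo, or with a `case` that accepts both forms. The body of `contrail::compute::config` starts and ends outside this hunk.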
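Review bot: The three certificate paths under `DEFAULT/xmpp_server_cert`, `DEFAULT/xmpp_server_key` and `DEFAULT/xmpp_ca_cert` are hard-coded literals, and the same three strings recur in control/config.pp (@@ -43) and as resource titles in the new xmpp_cert_files.pp, so moving the key location later means editing four places that have to stay in sync. Define them once — as parameters of `::contrail::params` next to `xmpp_auth_enable`, or as class variables in `contrail::xmpp_cert_files` — and reference those here, along the lines of `'DEFAULT/xmpp_server_key' : value => $::contrail::params::xmpp_server_key;`. A short comment above the four entries saying that the files are only provisioned when `xmpp_auth_enable` is true would also help the next reader, since the paths are written regardless of the flag.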
@@ -6,7 +6,8 @@
 $use_certs = $::contrail::params::use_certs,
 $puppet_server = $::contrail::params::puppet_server,
 $contrail_logoutput = $::contrail::params::contrail_logoutput,
- $config_ip_to_use = $::contrail::params::config_ip_to_use
+ $config_ip_to_use = $::contrail::params::config_ip_to_use,
+ $xmpp_auth_enable = $::contrail::params::xmpp_auth_enable,
 ) {
 # Main class code begins here
 case $::operatingsystem {
@@ -43,6 +44,10 @@
 }
 contrail_control_config {
+ 'DEFAULT/xmpp_auth_enable' : value => "$xmpp_auth_enable";
+ 'DEFAULT/xmpp_server_cert' : value => "/etc/contrail/ssl/certs/server.pem";
+ 'DEFAULT/xmpp_server_key' : value => "/etc/contrail/ssl/private/server-privkey.pem";
+ 'DEFAULT/xmpp_ca_cert' : value => "/etc/contrail/ssl/certs/ca-cert.pem";
 'DEFAULT/hostip' : value => $host_control_ip;
 'DEFAULT/log_file' : value => '/var/log/contrail/contrail-control.log';
 'DEFAULT/log_level' : value => 'SYS_NOTICE';
@@ -57,4 +62,8 @@
 'DISCOVERY/server' : value => $config_ip_to_use;
 'DISCOVERY/port' : value => '5998';
 }
+
+ if ($xmpp_auth_enable == true) {
+ include ::contrail::xmpp_cert_files
+ }
 }
diff --git a/contrail/environment/modules/contrail/manifests/init.pp b/contrail/environment/modules/contrail/manifests/init.pp
index 925e9f77..d9987fed 100644
--- a/contrail/environment/modules/contrail/manifests/init.pp
+++ b/contrail/environment/modules/contrail/manifests/init.pp
@@ -526,6 +526,10 @@
 # Flag to include or exclude ceilometer service as part of openstack module dynamically.
 # (optional) - Defaults to false.
 #
+# [*xmpp_auth_enable*]
+# Flag for enabling xmpp autherization via cert exchange between agent and control.
+# (optional) - Defaults to false.
+#
 class contrail (
 $host_ip = undef,
 $uuid = undef,
@@ -660,7 +664,8 @@
 $enable_storage_master = true,
 $enable_ceilometer = false,
 $tor_ha_config = "",
- $contrail_version = ''
+ $contrail_version = '',
+ $xmpp_auth_enable = false,
 ) {
 class { '::contrail::params':
 # Common Parameters
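Review bot: The new parameter comment in init.pp (@@ -526) reads "xmpp autherization via cert exchange"; beyond the typo, what a certificate exchange between agent and control provides is authentication of the peers, so the wording should say that, e.g. `# Flag for enabling XMPP authentication via certificate exchange between agent and control.` The identical comment is added to params.pp (@@ -525) and should be changed to match. It would also be worth stating in the comment that enabling the flag pulls in `contrail::xmpp_cert_files`, which expects per-host `<hostname>.pem` and `<hostname>-privkey.pem` files plus `ca-cert.pem` on the `ssl_certs` fileserver mount, since that prerequisite is otherwise invisible to whoever sets the hiera key.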
@@ -697,6 +702,7 @@
 contrail_upgrade => hiera(contrail::contrail_upgrade, hiera(contrail::params::contrail_upgrade, $contrail_upgrade)),
 contrail_version => hiera(contrail::contrail_version, hiera(contrail::params::contrail_version, $contrail_version)),
 enable_lbass => hiera(contrail::enable_lbass, hiera(contrail::params::enable_lbass, $enable_lbass)),
+ xmpp_auth_enable => hiera(contrail::xmpp_auth_enable, hiera(contrail::params::xmpp_auth_enable, $xmpp_auth_enable)),
 # HA Parameters
 haproxy_flag => hiera(contrail::ha::haproxy_flag, hiera(contrail::params::haproxy_flag, $haproxy_flag)),
 internal_vip => hiera(contrail::ha::internal_vip, hiera(contrail::params::internal_vip, $internal_vip)),
diff --git a/contrail/environment/modules/contrail/manifests/params.pp b/contrail/environment/modules/contrail/manifests/params.pp
index a111008e..11b2c73d 100644
--- a/contrail/environment/modules/contrail/manifests/params.pp
+++ b/contrail/environment/modules/contrail/manifests/params.pp
@@ -525,6 +525,10 @@
 # Flag to include or exclude ceilometer service as part of openstack module dynamically.
 # (optional) - Defaults to false.
 #
+# [*xmpp_auth_enable*]
+# Flag for enabling xmpp autherization via cert exchange between agent and control.
+# (optional) - Defaults to false.
+#
 class contrail::params (
 $host_ip,
 $uuid,
@@ -659,7 +663,8 @@
 $enable_storage_master,
 $enable_ceilometer,
 $tor_ha_config,
- $contrail_version
+ $contrail_version,
+ $xmpp_auth_enable,
 ) {
 if (($contrail_internal_vip != '') or ($internal_vip != '') or
diff --git a/contrail/environment/modules/contrail/manifests/xmpp_cert_files.pp b/contrail/environment/modules/contrail/manifests/xmpp_cert_files.pp
new file mode 100644
index 00000000..5fe07c5b
--- /dev/null
+++ b/contrail/environment/modules/contrail/manifests/xmpp_cert_files.pp
@@ -0,0 +1,20 @@
+class contrail::xmpp_cert_files(
+) {
+ file { ["/etc/contrail/ssl",
+ "/etc/contrail/ssl/certs",
+ "/etc/contrail/ssl/private" ] :
+ ensure => directory
+ }
+ file { '/etc/contrail/ssl/certs/server.pem' :
+ require => File['/etc/contrail/ssl/certs'],
+ source => "puppet:///ssl_certs/$hostname.pem"
+ }
+ file { '/etc/contrail/ssl/private/server-privkey.pem' :
+ require => File['/etc/contrail/ssl/private'],
+ source => "puppet:///ssl_certs/$hostname-privkey.pem"
+ }
+ file { '/etc/contrail/ssl/certs/ca-cert.pem' :
+ require => File['/etc/contrail/ssl/certs'],
+ source => "puppet:///ssl_certs/ca-cert.pem"
+ }
+}
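Review bot: The private key resource `/etc/contrail/ssl/private/server-privkey.pem` is managed without `mode`, `owner` or `group`, and so is the `private` directory, which means the key's permissions are whatever the fileserver copy or the agent's defaults produce and can end up world-readable on the compute and control nodes. Set `mode => '0600'` on the key and `'0700'` on the private directory (with `owner`/`group` set to the service account if the vrouter agent and contrail-control do not run as root), and give the three file resources an explicit `ensure => file` so a missing source is reported rather than silently leaving no file. The class also reads the fact as bare `$hostname`, whereas the rest of the module uses the top-scope form (`$::operatingsystem` in control/config.pp); `${::hostname}` in all three `source` strings avoids scope lookup surprises. Separately, because every node allowed to read the `ssl_certs` mount can request any `*-privkey.pem` stored there, the mount's access rules in the fileserver configuration should be reviewed, or the per-host keys distributed out of band.
```puppet
  file { ['/etc/contrail/ssl', '/etc/contrail/ssl/certs'] :
    ensure => directory,
    mode   => '0755',
  }
  file { '/etc/contrail/ssl/private' :
    ensure => directory,
    mode   => '0700',
  }
  # … unchanged: server.pem and ca-cert.pem resources (add ensure => file, use ${::hostname}) …
  file { '/etc/contrail/ssl/private/server-privkey.pem' :
    ensure  => file,
    mode    => '0600',
    require => File['/etc/contrail/ssl/private'],
    source  => "puppet:///ssl_certs/${::hostname}-privkey.pem",
  }
```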