01-25-2018 03:42 AM - edited 03-17-2019 07:18 PM
Hi Everyone
My customer has two IRPM and 2 WMS servers; when guests want to join a meeting using the URL, they are getting a security alert. I think we need to use a public CA for the IRPM server. Can someone please explain the procedure to me? I have no experience with that procedure.
Thanks
01-25-2018 05:03 AM
What is your WebEx Site URL?
-Dejan
01-25-2018 05:08 AM
01-25-2018 05:13 AM
Ok,
I confirmed via https://www.sslshopper.com/ssl-checker.html#hostname=meeting.video.zorlu.com that currently you have only self-signed SSL certs installed on the system.
Can you share with me what version of CWMS you have installed?
What domain do you use for hostnames of Internal CWMS VMs (Admin and Media VMs) and Admin Site URL (is it .com, .net, or .local, .internal domain)?
Are all users (internal and external) resolving the WebEx Site URL to Public VIP on IRP VM (non-split horizon DNS), or are internal users resolving the WebEx Site URL to Private VIP on Admin VM?
Thank you.
-Dejan
01-25-2018 06:07 AM
Hi
We are using video.zorlu.com; all users are able to resolve this FQDN.
What should I do for resolution? I have no experience with CWMS.
Version: 2.6.1.39.B-AE
All users' domain is zorlu.com (you mean the AD domain)
Thanks
01-25-2018 06:53 AM
Hi,
Based on the information I have (missing some pieces but should be ok), you should do the following:
1. Go to CWMS Administration > Settings > Security > Certificates on CWMS System.
2. In Internal SSL Certificate section, click on More Options > Generate CSR (certificate signing request)
3. Populate the needed information and complete the process.
4. Download the CSR.zip file.
5. Extract this file, as it will contain the csr.pem and privatekey.pem files. (Keep the privatekey.pem file somewhere safe and don't share it with anyone.)
6. Use csr.pem file and reach out to any Public Certification Authority (Verisign, GoDaddy, Thawte, etc.) and purchase a SAN SSL cert based on the CSR you will provide them. Based on my SSL checker run it seems you have 50 user system with only Admin and IRP VM in the solution, so you should need the SSL cert for these:
Common Name: - it will be Admin Site URL (meetingsadmin.video.zorlu.com)
Subject Alternative Names: - it will include FQDN of the Admin VM (wmsm.video.zorlu.com), Admin Site URL (meetingsadmin.video.zorlu.com), and WebEx Site URL (meeting.video.zorlu.com)
7. Once Certification Authority issues you the SAN SSL cert based on your CSR, and provides you with their Intermediate SSL certs, you can proceed to create an SSL cert bundle file based on the information in this article: https://supportforums.cisco.com/t5/collaboration-voice-and-video/cwms-ssl-certificates-intermediate-ssl-cert-chains-and-different/ta-p/3138702
8. Once you have SSL cert bundle file created properly and you are ready to install it, go to CWMS Administration > Settings > Security > Certificates on CWMS System, click on Import Certificate
9. Browse to the SSL cert bundle location and select the cert bundle you created (no need to enter any passphrase), and upload it.
10. Once uploaded the system will be placed into Maintenance Mode.
11. Click Continue and Done to complete the SSL cert upload process.
12. Finally, go to CWMS Administration Dashboard and turn OFF Maintenance Mode.
13. Once the system comes out of MM, you can use this link: https://www.sslshopper.com/ssl-checker.html#hostname=meeting.video.zorlu.com to confirm that the system is now using proper SSL cert and all looks in good order. From that point on you shouldn't see any certificate warnings when accessing WebEx Site URL or joining meetings.
P.S. Your version of CWMS is rather old and vulnerable to many defects, so I would suggest updating it at least to 2.8 MR1 Patch 2. This is the order of updates you must do:
1. 2.6 > 2.6 MR3 update
2. 2.6 MR3 > 2.8 base (2.8.1.17)
3. 2.8 base > 2.8 MR1 (2.8.1.1023)
4. 2.8 MR1 > 2.8 MR1 Patch 2 (2.8.1.1070)
All these updates are considered minor updates so you can follow the documentation for minor updates: https://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_8/Administration_Guide/cwms_b_cwms-administration-2-8/cwms_b_cwms-administration-2-8test_chapter_01000.html#task_16A8E168CF7A4DAFBEBDA284BE3213BF
NOTE2: Before running any update, always put the system into Maintenance Mode, do a graceful shut down of the VMs (in vCenter: Power > Shut Down Guest), take VM snapshots on each VM, power them ON which will boot them in Maintenance Window, and then start the update. When the update is completed successfully, make sure to DELETE VM snapshots from all the VMs to avoid performance issues. Info on how to take and remove snapshots can be found here: https://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_8/Administration_Guide/cwms_b_cwms-administration-2-8/cwms_b_cwms-administration-2-8test_chapter_01.html#task_A0F5735130C245A0B22E30BFF3161337
I hope this helps.
-Dejan
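An added example, not part of the reply above and not Cisco tooling: a shell check that csr.pem from step 5 carries every Subject Alternative Name listed in step 6 before it is submitted to the CA. The function names and the throwaway-CSR helper are assumptions made for this example, and it needs the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Names the certificate must cover, as listed in step 6 of the reply above.
REQUIRED_NAMES="meetingsadmin.video.zorlu.com wmsm.video.zorlu.com meeting.video.zorlu.com"

# Print the DNS entries of the CSR's subjectAltName extension, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print every required name missing from the CSR; return 1 if any is missing.
missing_sans() {
    csr="$1"; shift
    present="$(csr_sans "$csr")"
    rc=0
    for name in "$@"; do
        if ! printf '%s\n' "$present" | grep -Fxq "$name"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input (hypothetical helper): build a throwaway CSR with the
# given SAN list so the check can be tried without the CWMS-generated csr.pem.
make_sample_csr() {
    out="$1"; san="$2"
    cat > "$out.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = meetingsadmin.video.zorlu.com
[ext]
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" \
        -out "$out" -config "$out.cnf" 2>/dev/null
}

# Usage against the real file: missing_sans csr.pem $REQUIRED_NAMES
```

Empty output with exit status 0 means all three names are present; any name printed is one the issued certificate would not cover, which would leave the browser warning in place for that hostname.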
01-25-2018 07:06 AM
Thanks for the detailed explanation. I have two IRP and two WMS; I understand that I need to create a new CSR for each IRP, right?
I will send my csr.pem to the CA provider, but how can I create the bundle cert when I receive my public CA cert?
thanks
01-25-2018 07:12 AM
Based on SSL checker, I don't see any information about the HA system. Are you sure it is properly added and configured? If HA is added, when I run SSL checker, I should be able to see information about the HA Admin VM as well.
IRP VMs hostnames are not included in SSL certificate as they are not needed. Only Admin Site URL, WebEx Site URL and FQDNs of internal VMs are included in the SSL cert.
As for bundling, please review the link I've included in the Step 7 of the instructions.
-Dejan