
CWMS security certificate

KY_
Level 4


Hi Everyone

My customer has two IRPM and 2 WMS servers. When guests want to join a meeting using the URL, they get a security alert. I think we need to use a public CA for the IRPM server. Can someone please explain the procedure to me? I have no experience with that procedure.

Thanks

7 Replies

dpetrovi
Cisco Employee

What is your WebEx Site URL?

 

-Dejan

dpetrovi
Cisco Employee

Ok,

I confirmed via https://www.sslshopper.com/ssl-checker.html#hostname=meeting.video.zorlu.com that currently you have only self-signed SSL certs installed on the system.

 

Can you share with me what version of CWMS you have installed?

What domain do you use for the hostnames of the Internal CWMS VMs (Admin and Media VMs) and the Admin Site URL (is it a .com, .net, or .local, .internal domain)?

Are all users (internal and external) resolving the WebEx Site URL to the Public VIP on the IRP VM (non-split horizon DNS), or are internal users resolving the WebEx Site URL to the Private VIP on the Admin VM?

 

Thank you.

 

-Dejan

 

 

Hi

We are using video.zorlu.com; all users are able to resolve this FQDN.

What should I do for resolution? I have no experience with CWMS.

Version: 2.6.1.39.B-AE

All users' domain is zorlu.com (You mean that is the AD domain)

Thanks

 

dpetrovi
Cisco Employee

Hi,

 

Based on the information I have (missing some pieces but should be ok), you should do the following:

1. Go to CWMS Administration > Settings > Security > Certificates on CWMS System.

2. In the Internal SSL Certificate section, click on More Options > Generate CSR (certificate signing request).

3. Populate the needed information and complete the process.

4. Download the CSR.zip file.

5. Extract this file; it will contain the csr.pem and privatekey.pem files. (Keep the privatekey.pem file somewhere safe and don't share it with anyone.)

6. Use the csr.pem file and reach out to any Public Certification Authority (Verisign, GoDaddy, Thawte, etc.) and purchase a SAN SSL cert based on the CSR you will provide them. Based on my SSL checker run, it seems you have a 50-user system with only Admin and IRP VM in the solution, so you should need the SSL cert for these:

Common Name: - it will be Admin Site URL (meetingsadmin.video.zorlu.com)

Subject Alternative Names: - it will include FQDN of the Admin VM (wmsm.video.zorlu.com), Admin Site URL (meetingsadmin.video.zorlu.com), and WebEx Site URL (meeting.video.zorlu.com)

7. Once Certification Authority issues you the SAN SSL cert based on your CSR, and provides you with their Intermediate SSL certs, you can proceed to create an SSL cert bundle file based on the information in this article: https://supportforums.cisco.com/t5/collaboration-voice-and-video/cwms-ssl-certificates-intermediate-ssl-cert-chains-and-different/ta-p/3138702

8. Once you have the SSL cert bundle file created properly and you are ready to install it, go to CWMS Administration > Settings > Security > Certificates on CWMS System and click on Import Certificate.

9. Browse to the SSL cert bundle location and select the cert bundle you created (no need to enter any passphrase), and upload it.

10. Once uploaded the system will be placed into Maintenance Mode. 

11. Click Continue and Done to complete the SSL cert upload process.

12. Finally, go to CWMS Administration Dashboard and turn OFF Maintenance Mode.

13. Once the system comes out of MM, you can use this link: https://www.sslshopper.com/ssl-checker.html#hostname=meeting.video.zorlu.com to confirm that the system is now using proper SSL cert and all looks in good order. From that point on you shouldn't see any certificate warnings when accessing WebEx Site URL or joining meetings.

 

P.S. Your version of CWMS is rather old and vulnerable to many defects, so I would suggest updating it at least to 2.8 MR1 Patch 2. This is the order of updates you must do:

1. 2.6 > 2.6 MR3 update

2. 2.6 MR3 > 2.8 base (2.8.1.17)

3. 2.8 base > 2.8 MR1 (2.8.1.1023)

4. 2.8 MR1 > 2.8 MR1 Patch 2 (2.8.1.1070)

All these updates are considered minor updates so you can follow the documentation for minor updates: https://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_8/Administration_Guide/cwms_b_cwms-administration-2-8/cwms_b_cwms-administration-2-8test_chapter_01000.html#task_16A8E168CF7A4DAFBEBDA284BE3213BF

 

NOTE2: Before running any update, always put the system into Maintenance Mode, do a graceful shut down of the VMs (in vCenter: Power > Shut Down Guest), take VM snapshots on each VM, power them ON which will boot them in Maintenance Window, and then start the update.   When the update is completed successfully, make sure to DELETE VM snapshots from all the VMs to avoid performance issues. Info on how to take and remove snapshots can be found here: https://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_8/Administration_Guide/cwms_b_cwms-administration-2-8/cwms_b_cwms-administration-2-8test_chapter_01.html#task_A0F5735130C245A0B22E30BFF3161337

 

I hope this helps.

 

-Dejan
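An added example, not part of the original post and not Cisco tooling: a Python check for steps 6 and 13 that confirms a served certificate covers all three hostnames named above and verifies against the system trust store. The function names and the sample certificate dicts are constructed for illustration; accepting a single-label wildcard goes beyond what the post describes.

```python
import socket
import ssl

# Names the post lists for the SAN certificate (step 6).
REQUIRED = [
    "meetingsadmin.video.zorlu.com",  # Admin Site URL, also the Common Name
    "wmsm.video.zorlu.com",           # FQDN of the Admin VM
    "meeting.video.zorlu.com",        # WebEx Site URL
]

# Constructed samples in the format ssl.SSLSocket.getpeercert() returns.
SAMPLE_INCOMPLETE = {"subjectAltName": (("DNS", "meeting.video.zorlu.com"),)}
SAMPLE_COMPLETE = {"subjectAltName": tuple(("DNS", n) for n in REQUIRED)}
SAMPLE_WILDCARD = {"subjectAltName": (("DNS", "*.video.zorlu.com"),)}


def name_matches(pattern, host):
    """Exact match, or '*' standing in for exactly the left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])


def missing_names(cert, required=REQUIRED):
    """Required hostnames that no DNS entry in the certificate's SAN covers."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [r for r in required if not any(name_matches(s, r) for s in sans)]


def check_live(host, port=443, timeout=5):
    """Handshake against the system trust store; returns (ok, detail).

    A self-signed certificate fails here with the verifier's own message,
    which is the same condition that produces the browser alert.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    missing = missing_names(cert)
    return (not missing), ("missing SANs: %s" % missing if missing else "ok")
```

Call `check_live` once per hostname from a network that can resolve it; the internal Admin VM FQDN may only be reachable from inside.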

Thanks for the detailed explanation. I have two IRP and two WMS; I understand that I need to create a new CSR for each IRP, right?

I will send my csr.pem to the CA provider, but how can I do the bundle cert when I receive my public CA?

 

 

thanks

dpetrovi
Cisco Employee

Based on SSL checker, I don't see any information about the HA system. Are you sure it is properly added and configured? If HA is added, when I run SSL checker, I should be able to see information about the HA Admin VM as well.

 

IRP VMs hostnames are not included in SSL certificate as they are not needed. Only Admin Site URL, WebEx Site URL and FQDNs of internal VMs are included in the SSL cert.

 

As for bundling, please review the link I've included in the Step 7 of the instructions.

 

-Dejan