Jabber and Unity Connection secure notifications on port 7443

Erick Bergquist · ‎05-15-2017

Has anyone tried configuring Jabber to Unity Connection voicemail to be secure with SSL?

We added a SSL certificate to Unity 11.5 connection per docs. Enabled SSL for jetty notifications, restarted tomcat, IMAP server, Jetty, Connection REST service and Jabber is using port 7080 (HTTP) for notifications instead of 7443.

The server was rebooted also.

Tried Jabber 11.8 and 11.9 beta client, no difference.

The tomcat certificate is from CA and is working as the web pages are secured with that and no prompt for the certificate when using web page.

This is using WebEx messenger for the setup of Jabber, not on-prem IM&P server.

Erick

Varundeep Chhatwal · ‎05-16-2017

sorry to ask but i am confused about what is the exact issue you are reporting here

Erick Bergquist · ‎05-16-2017

We are trying to secure jabber and voicemail notifications.

Port 7080 is used for HTTP (Plaintext) and port 7443 is used for HTTPS for this function.

A wireshark packet capture shows HTTP traffic on port 7080 and no traffic on 7443 between client and Unity Connection server.

See the documentation below outlining the ports used for Jabber, both on-premise and cloud webex messenger are the applications where this is supported for per the document.

https://help.webex.com/docs/doc-13473

There is a cisco unity document listing same ports.

Erick

Varundeep Chhatwal · ‎05-16-2017

Can you try enabling the option below option on unity connection

Navigate to System settings --> advance --> API settings and enable " Allow Access to Secure Message Recordings through CUMI"

Matthias Brauchle · ‎06-06-2017

Hi,

I had the same issue.

And found out, that you have to enable SSL on the Jetty Service.

Login to your CUC on the CLI and check the Jetty SSL Status with:

show cuc jetty ssl Status

If it is disabled, you can enable it with:

utils cuc jetty ssl enable

Then you have to restart the Jetty Service and then - Magic - Jabber is using Port 7443.

Be Aware of the Bugs in Jabber 11.8.0!

CSCve15417

3

Jabber certificate prompt for CA-signed certificate when using Secure Jetty.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/11_8/RN/cjab_b_release-notes-for-cisco-jabber-windows-118.html#reference_690DD897530FBB280DDA6AC079F4733C

Greetings!

Adam Pawlowski · ‎06-06-2017

This doesn't seem to be well documented anywhere that I can find. The security guide mentions the word "Jetty" with no further commentary, and the IP communications port guide shows 7080 for Exchange / Jetty EWS notifications, but it neglects to include port 7443.

You can see under wireshark that Jabber will attempt to connect to this port (7080) and be reset - not sure why it falls back to this port when 7443 is not available. This causes it to repeatedly connect/disconnect with an increasing backoff timer until the voicemail is not usable in the client.

In my case 7443 was not open through the server firewall from our clients, but it will be opened soon and I'll test again.

I noted also that the bug that is pointed out in this thread is resolved in 11.8.4 J4W. Based on the logging it wants to prompt for a SSC but it accepts the cert, possibly because I already have accepted it. Pressing "Reset Cisco Jabber" no longer seems to clear the cache for these so I am never prompted for it. I spent a bit of time wondering if it's the cert before concluding that I hadn't actually opened the unlisted port in the firewall. Whoops.

Adam Pawlowski · ‎06-09-2017

Works top notch as expected with the firewall rule open.