Jabber Client Secure Device Profile

Chuck Reid
Level 1

Hello,

We noticed that when using secure device profiles for Jabber clients, if a user tries to log in to another PC (another Jabber client), we have to download the CAPF certificate again for the new client. If the user then goes back to the first client, we have to download CAPF again. Every time the user changes PCs/clients, they need CAPF reinstalled. Is this normal? Is there a workaround?


Thanks,

Chuck Reid

6 Replies

Jaime Valencia
Cisco Employee

When the phone interacts with CAPF, the phone authenticates itself to CAPF by using an authentication string, existing MIC or LSC certificate, or “null,” generates its public key and private key pair, and then forwards its public key to the CAPF server in a signed message. The private key remains in the phone and never gets exposed externally. CAPF signs the phone certificate and then sends the certificate back to the phone in a signed message.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_0_1/secugd/cucm_b_cucm-security-guide-1201/cucm_b_cucm-security-guide-1201_chapter_01010.pdf

HTH

java

if this helps, please rate

I reviewed that doc, but I don't see a way to avoid the problem of users logging in to Jabber from multiple PCs. Do you know of a way to mitigate the behavior?

That's WAD. Read again; I highlighted the key points to understand this:


When the phone interacts with CAPF, the phone authenticates itself to CAPF by using an authentication string, existing MIC or LSC certificate, or “null,” generates its public key and private key pair, and then forwards its public key to the CAPF server in a signed message. The private key remains in the phone and never gets exposed externally. CAPF signs the phone certificate and then sends the certificate back to the phone in a signed message.


Above is a 1:1 relationship between CAPF and the device.

HTH

java

if this helps, please rate

So, does that mean that there is no workaround for users who log into Jabber from more than one client PC?

Any time a user changes which PC they log onto with Jabber, we will need to set CAPF to install a new certificate?


Thanks,

Chuck


If you wish to use secure profile, yes, CAPF only tracks one certificate which was generated by the device when they enrolled and as explained, the private key the device generated is never exposed. Each time you use a different device, you generate new certificates and new keys only valid to that device.

This is not a problem for IP Phones, but this is expected with soft clients.

HTH

java

if this helps, please rate
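The enrollment flow Jaime describes (the device generates its own key pair, keeps the private key, sends only the public key in a signed request, and CAPF signs and returns the certificate) and the resulting 1:1 binding between CAPF and the device can be shown with a small simulation. The Go program below is an added example; it is not Cisco code and not part of the original thread. It stands in a locally generated CA for CAPF, and the names `newCAPF`, `enroll`, `authenticate` and `demo`, the device names and the challenge bytes are all constructed for illustration.

```go
package main

// Added example (not Cisco code): a toy model of CAPF enrollment showing why an
// LSC issued to one Jabber client cannot be used from a second client.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// capf stands in for the CAPF service: a CA key and its self-signed certificate.
type capf struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// device stands in for one Jabber client or phone. The private key is generated
// on the device and never leaves it; the LSC is what CAPF signed for that key.
type device struct {
	key *ecdsa.PrivateKey
	lsc *x509.Certificate
}

func newCAPF() (*capf, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "CAPF-example"}, // constructed
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &capf{key: key, cert: cert}, nil
}

// enroll models one CAPF enrollment: the device generates a fresh key pair and
// sends only its public key in a request signed with the private key; CAPF
// checks that signature (proof of possession) and then issues the LSC.
func enroll(ca *capf, name string, serial int64) (*device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // the device proved it holds the private key
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	lsc, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &device{key: key, lsc: lsc}, nil
}

// authenticate is the server-side check on a secure connection: the presented
// LSC must chain to CAPF, and the client must prove it holds the private key
// matching that LSC by signing a fresh challenge.
func authenticate(ca *capf, lsc *x509.Certificate, key *ecdsa.PrivateKey, challenge []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := lsc.Verify(opts); err != nil {
		return err
	}
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return err
	}
	pub, ok := lsc.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type in LSC")
	}
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("private key does not match the LSC: this is not the device that enrolled")
	}
	return nil
}

// demo enrolls two clients for the same user and reports whether pc1's LSC
// authenticates from pc1 (expected true) and from pc2 (expected false).
func demo() (bool, bool, error) {
	ca, err := newCAPF()
	if err != nil {
		return false, false, err
	}
	pc1, err := enroll(ca, "jabber-user-pc1", 2) // constructed device names
	if err != nil {
		return false, false, err
	}
	pc2, err := enroll(ca, "jabber-user-pc2", 3)
	if err != nil {
		return false, false, err
	}
	challenge := []byte("constructed server challenge")
	same := authenticate(ca, pc1.lsc, pc1.key, challenge) == nil
	// pc2 presenting pc1's LSC: the certificate itself still verifies, but
	// pc2's own private key cannot sign for it, so the handshake fails.
	other := authenticate(ca, pc1.lsc, pc2.key, challenge) == nil
	return same, other, nil
}

func main() {
	same, other, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("pc1 LSC from pc1: %v, pc1 LSC from pc2: %v\n", same, other)
}
```

The point the simulation makes is the one in the thread: copying the LSC to a second PC is useless because the private key it was issued for stays on the first PC, so each client has to go through its own CAPF enrollment and ends up with its own key and certificate.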

Chuck Reid
Level 1

Thanks very much for explaining that to me!