
jabber for windows 9.2.6 client

rogierboeken
Level 1

hi

i have just upgraded some of my cisco jabber for windows clients to the latest release 9.2.6 (upgraded from 9.2.3)

i noticed that the first time the client starts up i get certificate warnings for our CUCM-PUB, SUB, CUC device and CUPS server. (all version 8.6)

all use the standard cisco SSL certificate (have not deployed 3rd party SSL certificates)

is there a way to get all these certificates trusted by the client machines, it has never prompted me before and works fine with 9.2.3

on the mac clients i have added them to the keychain when i first deployed the clients (manual job) but i like to see if i can automate this for my 30 windows clients (the users will not click on this themselves and will use it as an excuse not to load jabber (they don't like the call window pop ups but that is something for jabber 9.6 client))

any idea how to get these certificates trusted by the windows computers (we have a 2008 r2 active directory so could do something with a group policy and/or use our own internal windows certificate authority)

many thanks

19 Replies

when i run show web-security i get this

admin: show web-security
[
  Version: V3
  Serial Number: 441991719279266168307794
  SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
  Issuer Name: CN=mydomain-CA, DC=mydomain, DC=com
  Validity From: Mon Oct 28 15:32:30 GMT 2013
           To:   Wed Oct 28 15:32:30 GMT 2015
  Subject Name: CN=uk-cucm-pub.mydomain.com, OU=IT, O=mydomain, L=London, ST=London, C=GB
  Key: RSA (1.2.840.113549.1.1.1)
    Key value: 3082010a0282010100d2a01565f2533b3602158e83fede75fef2751aa957902e0e556e814bb7e6aaed5d5138b6cf3d87d59f5c4be2740ab9f5dc3318a34ab551daa817f6ccd562c3c628f75ef278ed81bbd816ec44d178da86850c3bdd74b727cde092616e7674785c45efc88e98ba4d89da97fc92ac2901f41c23ed692460a1d64c171a6d5613dfe2e1bab2b82f5f1a5d9fe55b067e858a0d2cd48a8be59c9e54cccdac1238acd2738128626252b3e69198fc852217f930d6cd2bc6a3481452be355bae6c6ccfc7d5e86a39ff7b0304cfb53e1555ccc8c4224cf661f912946b4e0db2926991d704f65cd92546155048cecb0f11c5046f743434d1577cbb4c175611acdf2fbf33bfb30203010001
  Extensions: 7 present
  [
     Extension: ExtKeyUsageSyntax (OID.2.5.29.37)
     Critical: false
     Usage oids: 1.3.6.1.5.5.7.3.1,
  ]
  [
     Extension: KeyUsage (OID.2.5.29.15)
     Critical: false
     Usages: digitalSignature, keyEncipherment,
  ]
  [
     Extension: SubjectKeyIdentifier (OID.2.5.29.14)
     Critical: false
     keyID: 8e9c68b7e4acc73c6734b1df3d9ca0a7ccb7183d
  ]
  [
     Extension: AuthorityKeyIdentifier (OID.2.5.29.35)
     Critical: false
     keyID: 88c4622540d7efbbdac1af207249c77c287f9c6c
  ]
  [
     Extension: CRLDistributionPoints (OID.2.5.29.31)
     Critical: false
     [
     distributionPoint
        fullName: 1 names
          1) ldap:///CN=mydomain-CA,CN=UK-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mydomain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint (uri)

     [
  ]
  [
     Extension: AuthorityInfoAccessSyntax (OID.1.3.6.1.5.5.7.1.1)
     Critical: false
     [
     accessMethod: 1.3.6.1.5.5.7.48.2
     accessLocation: ldap:///CN=mydomain-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mydomain,DC=com?cACertificate?base?objectClass=certificationAuthority (uri)
     [
  ]
  [
     Extension:  (OID.1.3.6.1.4.1.311.20.2)
     Critical: false
     Value: 04141e12005700650062005300650072007600650072  ]

  Signature:
lots of text
]-----BEGIN CERTIFICATE-----
certificate characters
-----END CERTIFICATE-----

no sign of subject alternate names in those details so am not sure how i would change this

on your cucm system are your host details listed as ip address or host name, mine are listed as ip address and perhaps the certificate mismatch is caused by these settings?

Host Name/IP Address Description
10.33.2.20 PUBLISHER
10.33.2.21 SUBSCRIBER 1

if the cucm servers were listed as uk-cucm-pub or uk-cucm-pub.mydomain.com and uk-cucm-sub.mydomain.com perhaps it would accept the certificates

web-security
[
  Version: V3
  Serial Number: 441991719279266168307794
  SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
  Issuer Name: CN=Accel-CA, DC=accel, DC=com
  Validity From: Mon Oct 28 15:32:30 GMT 2013
           To:   Wed Oct 28 15:32:30 GMT 2015
  Subject Name: CN=uk-cucm-pub.accel.com, OU=IT, O=Accel, L=London, ST=London, C=GB
  Key: RSA (1.2.840.113549.1.1.1)
    Key value: 3082010a0282010100d2a01565f2533b3602158e83fede75fef2751aa957902e0e556e814bb7e6aaed5d5138b6cf3d87d59f5c4be2740ab9f5dc3318a34ab551daa817f6ccd562c3c628f75ef278ed81bbd816ec44d178da86850c3bdd74b727cde092616e7674785c45efc88e98ba4d89da97fc92ac2901f41c23ed692460a1d64c171a6d5613dfe2e1bab2b82f5f1a5d9fe55b067e858a0d2cd48a8be59c9e54cccdac1238acd2738128626252b3e69198fc852217f930d6cd2bc6a3481452be355bae6c6ccfc7d5e86a39ff7b0304cfb53e1555ccc8c4224cf661f912946b4e0db2926991d704f65cd92546155048cecb0f11c5046f743434d1577cbb4c175611acdf2fbf33bfb30203010001
  Extensions: 7 present
  [
     Extension: ExtKeyUsageSyntax (OID.2.5.29.37)
     Critical: false
     Usage oids: 1.3.6.1.5.5.7.3.1,
  ]
  [
     Extension: KeyUsage (OID.2.5.29.15)
     Critical: false
     Usages: digitalSignature, keyEncipherment,
  ]
  [
     Extension: SubjectKeyIdentifier (OID.2.5.29.14)
     Critical: false
     keyID: 8e9c68b7e4acc73c6734b1df3d9ca0a7ccb7183d
  ]
  [
     Extension: AuthorityKeyIdentifier (OID.2.5.29.35)
     Critical: false
     keyID: 88c4622540d7efbbdac1af207249c77c287f9c6c
  ]
  [
     Extension: CRLDistributionPoints (OID.2.5.29.31)
     Critical: false
     [
     distributionPoint
        fullName: 1 names
          1) ldap:///CN=Accel-CA,CN=UK-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=accel,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint (uri)

     [
  ]
  [
     Extension: AuthorityInfoAccessSyntax (OID.1.3.6.1.5.5.7.1.1)
     Critical: false
     [
     accessMethod: 1.3.6.1.5.5.7.48.2
     accessLocation: ldap:///CN=Accel-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=accel,DC=com?cACertificate?base?objectClass=certificationAuthority (uri)
     [
  ]
  [
     Extension:  (OID.1.3.6.1.4.1.311.20.2)
     Critical: false
     Value: 04141e12005700650062005300650072007600650072  ]

  Signature:
]

This is how I changed mine.

admin:set web-security ?

Syntax:

set web-security orgunit orgname locality state [country] [alternatehostname]

orgunit  mandatory   organizational unit

orgname  mandatory   organizational name

locality mandatory   location of organization

state    mandatory   state of organization

country  optional   country code can not be changed

alternatehostname  optional   alternate host name

I opened a TAC case to resolve this as well.  In Cluster Topology I was asked if I used hostname or FQDN.  Also sent other settings to check for FQDN versus Hostname.  Sent this link as well.

http://www.cisco.com/en/US/docs/voice_ip_comm/jabber/Windows/9_2_5/JABW_BK_CAAD3F25_00_cisco-jabber-for-windows-release-notes_chapter_011.html

More to come.

my cisco integrator (insight in the UK) emailed me this and having checked all these settings i noticed an issue with the TFTP server hostname/ip address mismatch

How to Prevent Identity Mismatch

When a Jabber Client attempts to connect to a server with an IP address and the server certificate identifies the server with an FQDN, the client cannot identify the server as trusted and prompts the user. So, if your server certificates identify the servers with FQDNs, you will need to specify the server name as FQDN throughout many places on your servers.

In the table below you will find all of the places that need to specify the server name as it appears in the certificate, whether it be IP address or FQDN.

Server / Location – Setting must Match Certificate

Cisco Jabber Clients
- Login Server Address (Differs for clients, Normally under Connection Settings)

Cisco Unified Presence (8.x and below)
- **All Node Names (System -> Cluster Topology)
  **WARNING: Make sure if you change this to FQDN you can resolve this via DNS or servers will get stuck in starting state!!
- TFTP Servers (Application -> Cisco Jabber -> Settings)
- Primary and Secondary CCMCIP (Application -> Cisco Jabber -> CCMCIP Profile)
- Voicemail Host Name (Application -> Cisco Jabber -> Voicemail Server)
- Mailstore Name (Application -> Cisco Jabber -> Mailstore)
- Conferencing Host Name (Application -> Cisco Jabber -> Conferencing Server) (Meeting Place Only)
- XMPP Domain (See Section Provide XMPP Domain to Clients below)

Cisco Unified Communications Manager IM and Presence (9.x and above)
- **All Node Names (System -> Cluster Topology)
  **WARNING: Make sure if you change this to FQDN you can resolve this via DNS or servers will get stuck in starting state!!
- TFTP Servers (Application -> Cisco Jabber -> Settings)
- Primary and Secondary CCMCIP (Application -> Legacy Clients -> CCMCIP Profile)
- XMPP Domain (See Section Provide XMPP Domain to Clients below)

Cisco Unified Communications Manager (8.x and below)
- Server Name (System -> Server) (**Only if Secure SIP**)

Cisco Unified Communications Manager (9.x and above)
- Server Name (System -> Server) (**Only if Secure SIP**)
- IM and Presence Server (User Management -> User Settings -> UC Service -> IM and Presence)
- Voicemail Host Name (User Management -> User Settings -> UC Service -> Voicemail)
- Mailstore Name (User Management -> User Settings -> UC Service -> Mailstore)
- Conferencing Host Name (User Management -> User Settings -> UC Service -> Conferencing) (Meeting Place Only)

Cisco Unity Connection (All Versions)
- No Change needed

i checked everything and i had an IP listed for the TFTP servers and not the FQDN, i changed this to FQDN and exited the jabber clients and launched them and now it is working fine, no more SSL notifications.

interestingly i also only had the ip address for the CUC voicemail host name listed but this seems to make no difference, it is the mailstore that is important (should have FQDN listed) but i will change it anyway
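
The identity-mismatch check described in the guidance above, as an added example that is not part of the original posts or any Cisco tooling: it parses `show web-security` output in the format posted earlier in the thread, then flags configured addresses that are not a name the certificates carry. The sample output, the settings dictionary and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: trimmed `show web-security` output in the thread's format.
SAMPLE_OUTPUT = """[
  Subject Name: CN=uk-cucm-pub.mydomain.com, OU=IT, O=mydomain, L=London, ST=London, C=GB
  Extensions: 1 present
  [
     Extension: KeyUsage (OID.2.5.29.15)
     Critical: false
  ]
]"""

# Constructed sample of settings from the table above (values are assumptions).
SAMPLE_SETTINGS = {
    "TFTP Servers": "10.33.2.20",
    "Primary CCMCIP": "uk-cucm-pub.mydomain.com",
    "Secondary CCMCIP": "uk-cucm-sub",
}
SAN_OID = "2.5.29.17"  # subjectAltName extension


def parse_identity(output):
    """Return (subject CN, SAN extension present?) from `show web-security` text."""
    match = re.search(r"Subject Name:\s*CN=([^,\s]+)", output)
    if match is None:
        raise ValueError("no Subject Name CN in output")
    oids = re.findall(r"Extension:.*\(OID\.([\d.]+)\)", output)
    return match.group(1).lower(), SAN_OID in oids


def audit_settings(cert_names, settings):
    """List settings whose value is not one of the names the certificates carry."""
    findings = []
    for setting, value in settings.items():
        candidate = value.strip().lower()
        if candidate in cert_names:
            continue
        try:
            ipaddress.ip_address(candidate)
            reason = "IP address, not a certificate name"
        except ValueError:
            reason = "short hostname" if "." not in candidate else "unknown FQDN"
        findings.append((setting, value, reason))
    return findings


if __name__ == "__main__":
    cn, has_san = parse_identity(SAMPLE_OUTPUT)
    names = {cn, "uk-cucm-sub.mydomain.com"}  # subscriber name assumed from the thread
    print(cn, "SAN present:", has_san)
    print(audit_settings(names, SAMPLE_SETTINGS))
```

Run it once per server certificate and pass the combined set of names to `audit_settings`, since the settings in the table point at several different servers.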

We got this working by doing a couple things. First, using the web server template worked to generate the certificate. Thanks for the information on that. Next, our vendor upgraded our Presence server from 8.6.4 to 8.6.5, and all of a sudden it could process subject alternate names. I also added the XMPP domain under System > Security Settings, even though documentation makes it sound like that will be needed for version 9.x, not 8.x. Last there was a profile using ip's instead of fqdn's for the call managers so clients continued to get certificate errors until that was fixed.

So things seemed to work in this order: 1) update Presence server 2) add XMPP domain 3) regenerate all Presence certs and use web server template in Windows CA, and 4) make sure FQDN's used instead of ip's.

Thanks everyone!

Hello Steve,

I posted this  question here

https://supportforums.cisco.com/message/4044007#4044007

Asking about what settings you use under 2) Add XMPP Domain

Can you comment on this?

Thanks
