10-10-2013 07:13 AM - edited 03-17-2019 03:37 PM
Hi,
I have just upgraded some of my Cisco Jabber for Windows clients to the latest release, 9.2.6 (upgraded from 9.2.3).
I noticed that the first time the client starts up I get certificate warnings for our CUCM PUB, SUB, CUC device and CUPS server (all version 8.6).
All use the standard Cisco SSL certificate (we have not deployed third-party SSL certificates).
Is there a way to get all these certificates trusted by the client machines? It has never prompted me before and works fine with 9.2.3.
On the Mac clients I added them to the keychain when I first deployed the clients (a manual job), but I would like to see if I can automate this for my 30 Windows clients (the users will not click on this themselves and will use it as an excuse not to load Jabber; they don't like the call window pop-ups, but that is something for the Jabber 9.6 client).
Any idea how to get these certificates trusted by the Windows computers? (We have a 2008 R2 Active Directory, so we could do something with a Group Policy and/or use our own internal Windows certificate authority.)
Many thanks
11-11-2013 12:33 PM
When I run show web-security I get this:
admin: show web-security
[
Version: V3
Serial Number: 441991719279266168307794
SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Issuer Name: CN=mydomain-CA, DC=mydomain, DC=com
Validity From: Mon Oct 28 15:32:30 GMT 2013
To: Wed Oct 28 15:32:30 GMT 2015
Subject Name: CN=uk-cucm-pub.mydomain.com, OU=IT, O=mydomain, L=London, ST=London, C=GB
Key: RSA (1.2.840.113549.1.1.1)
Key value: 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
Extensions: 7 present
[
Extension: ExtKeyUsageSyntax (OID.2.5.29.37)
Critical: false
Usage oids: 1.3.6.1.5.5.7.3.1,
]
[
Extension: KeyUsage (OID.2.5.29.15)
Critical: false
Usages: digitalSignature, keyEncipherment,
]
[
Extension: SubjectKeyIdentifier (OID.2.5.29.14)
Critical: false
keyID: 8e9c68b7e4acc73c6734b1df3d9ca0a7ccb7183d
]
[
Extension: AuthorityKeyIdentifier (OID.2.5.29.35)
Critical: false
keyID: 88c4622540d7efbbdac1af207249c77c287f9c6c
]
[
Extension: CRLDistributionPoints (OID.2.5.29.31)
Critical: false
[
distributionPoint
fullName: 1 names
1) ldap:///CN=mydomain-CA,CN=UK-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mydomain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint (uri)
[
]
[
Extension: AuthorityInfoAccessSyntax (OID.1.3.6.1.5.5.7.1.1)
Critical: false
[
accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: ldap:///CN=mydomain-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mydomain,DC=com?cACertificate?base?objectClass=certificationAuthority (uri)
[
]
[
Extension: (OID.1.3.6.1.4.1.311.20.2)
Critical: false
Value: 04141e12005700650062005300650072007600650072 ]
Signature:
lots of text
]
-----BEGIN CERTIFICATE-----
certificate characters
-----END CERTIFICATE-----
There is no sign of subject alternative names in those details, so I am not sure how I would change this.
On your CUCM system, are your host details listed as IP address or host name? Mine are listed as IP address, and perhaps the certificate mismatch is caused by these settings?
Host Name/IP Address    Description
10.33.2.20              PUBLISHER
10.33.2.21              SUBSCRIBER 1
If the CUCM servers were listed as uk-cucm-pub or uk-cucm-pub.mydomain.com and uk-cucm-sub.mydomain.com, perhaps it would accept the certificates.
11-11-2013 01:05 PM
This is how I changed mine.
admin:set web-security ?
Syntax:
set web-security orgunit orgname locality state [country] [alternatehostname]
orgunit mandatory organizational unit
orgname mandatory organizational name
locality mandatory location of organization
state mandatory state of organization
country optional country code can not be changed
alternatehostname optional alternate host name
I opened a TAC case to resolve this as well. In Cluster Topology I was asked if I used hostname or FQDN. I also sent other settings to check for FQDN versus hostname, and sent this link as well.
More to come.
11-12-2013 02:39 AM
My Cisco integrator (Insight in the UK) emailed me this, and having checked all these settings I noticed an issue with the TFTP server hostname/IP address mismatch.
How to Prevent Identity Mismatch
When a Jabber Client attempts to connect to a server with an IP address and the server certificate identifies the server with an FQDN, the client cannot identify the server as trusted and prompts the user. So, if your server certificates identify the servers with FQDNs, you will need to specify the server name as FQDN throughout many places on your servers.
Below you will find all of the places that need to specify the server name as it appears in the certificate, whether it be IP address or FQDN.

Cisco Jabber Clients
  - Login Server Address (differs between clients; normally under Connection Settings)

Cisco Unified Presence (8.x and below)
  - All Node Names (System -> Cluster Topology). WARNING: if you change this to FQDN, make sure you can resolve it via DNS or the servers will get stuck in the starting state!
  - TFTP Servers (Application -> Cisco Jabber -> Settings)
  - Primary and Secondary CCMCIP (Application -> Cisco Jabber -> CCMCIP Profile)
  - Voicemail Host Name (Application -> Cisco Jabber -> Voicemail Server)
  - Mailstore Name (Application -> Cisco Jabber -> Mailstore)
  - Conferencing Host Name (Application -> Cisco Jabber -> Conferencing Server) (MeetingPlace only)
  - XMPP Domain (see the section "Provide XMPP Domain to Clients" below)

Cisco Unified Communications Manager IM and Presence (9.x and above)
  - All Node Names (System -> Cluster Topology). WARNING: if you change this to FQDN, make sure you can resolve it via DNS or the servers will get stuck in the starting state!
  - TFTP Servers (Application -> Cisco Jabber -> Settings)
  - Primary and Secondary CCMCIP (Application -> Legacy Clients -> CCMCIP Profile)
  - XMPP Domain (see the section "Provide XMPP Domain to Clients" below)

Cisco Unified Communications Manager (8.x and below)
  - Server Name (System -> Server) (only if Secure SIP)

Cisco Unified Communications Manager (9.x and above)
  - Server Name (System -> Server) (only if Secure SIP)
  - IM and Presence Server (User Management -> User Settings -> UC Service -> IM and Presence)
  - Voicemail Host Name (User Management -> User Settings -> UC Service -> Voicemail)
  - Mailstore Name (User Management -> User Settings -> UC Service -> Mailstore)
  - Conferencing Host Name (User Management -> User Settings -> UC Service -> Conferencing) (MeetingPlace only)

Cisco Unity Connection (all versions)
  - No change needed
I checked everything, and I had an IP listed for the TFTP servers and not the FQDN. I changed this to the FQDN, exited the Jabber clients and launched them again, and now it is working fine: no more SSL notifications.
Interestingly, I also only had the IP address for the CUC voicemail host name listed, but this seems to make no difference; it is the mailstore that is important (it should have the FQDN listed), but I will change it anyway.
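To make the identity-mismatch rule from the integrator's note concrete (and to show why the earlier post's certificate, which has a CN but no subject alternative name extension, is only accepted when the client is pointed at the exact FQDN), here is an added example, not Cisco's or Jabber's code. It implements the simplified name-matching logic a TLS client applies: an IP literal is only ever matched against iPAddress SAN entries, a dNSName SAN (if any exist) takes precedence over the CN, and the CN is consulted only when no dNSName SAN is present. The certificate dictionaries are constructed for the example from the subject shown in the show web-security output above and follow the layout of Python's ssl.getpeercert(); the second certificate, with a SAN carrying the short host name, is hypothetical and stands for what the alternatehostname argument of set web-security is meant to produce.

```python
"""Simplified X.509 server identity check, as a TLS client performs it.

Added example, not Cisco's or Jabber's code.  The rule it implements:
the name the client was configured with (FQDN, short host name or IP
literal) must match a SAN entry of the right type, or, only when the
certificate has no dNSName SAN at all, the Subject CN.
"""
import ipaddress

# Constructed from the thread's 'show web-security' output: CN only,
# no subjectAltName extension at all.
CERT_NO_SAN = {
    "subject": ((("commonName", "uk-cucm-pub.mydomain.com"),),),
    "subjectAltName": (),
}

# Hypothetical regenerated certificate carrying a SAN with the FQDN and
# the short host name (what 'alternatehostname' is intended to add).
CERT_WITH_SAN = {
    "subject": ((("commonName", "uk-cucm-pub.mydomain.com"),),),
    "subjectAltName": (
        ("DNS", "uk-cucm-pub.mydomain.com"),
        ("DNS", "uk-cucm-pub"),
    ),
}


def _dns_name_matches(pattern, hostname):
    """Case-insensitive DNS-name match.  A single leading '*.' wildcard
    may stand in for exactly one label (RFC 6125 style); no other
    wildcard positions are honoured."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def identity_matches(cert, configured_name):
    """Return (ok, reason) for the name the client was told to connect to."""
    san = cert.get("subjectAltName", ())

    if _is_ip(configured_name):
        # An IP literal is matched only against iPAddress SAN entries;
        # a CN, even one that contains the IP, never satisfies it.
        wanted = ipaddress.ip_address(configured_name)
        for kind, value in san:
            if kind == "IP Address" and _is_ip(value) and ipaddress.ip_address(value) == wanted:
                return True, "IP literal matched SAN iPAddress %s" % value
        return False, "IP literal %s not present in SAN" % configured_name

    dns_entries = [v for k, v in san if k == "DNS"]
    if dns_entries:
        # Once any dNSName SAN exists the CN is ignored entirely.
        for entry in dns_entries:
            if _dns_name_matches(entry, configured_name):
                return True, "matched SAN dNSName %s" % entry
        return False, "no SAN dNSName matches %s" % configured_name

    # CN fallback, used only when the certificate has no dNSName SAN.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _dns_name_matches(value, configured_name):
                return True, "matched Subject CN %s" % value
    return False, "no SAN and Subject CN does not match %s" % configured_name


if __name__ == "__main__":
    # The three ways the thread's servers are referred to: IP (as in
    # System -> Server), short host name, and FQDN.
    for label, cert in (("no-SAN cert", CERT_NO_SAN), ("SAN cert", CERT_WITH_SAN)):
        for name in ("10.33.2.20", "uk-cucm-pub", "uk-cucm-pub.mydomain.com"):
            ok, why = identity_matches(cert, name)
            print("%-11s %-26s %s (%s)" % (label, name, "OK  " if ok else "WARN", why))
```

Run as-is, the no-SAN certificate passes only for the exact FQDN, which is why switching the TFTP, CCMCIP and server entries from 10.33.2.20 to uk-cucm-pub.mydomain.com cleared the warnings; pointing the client at the IP fails against both certificates, because neither carries an iPAddress SAN entry, so an IP-addressed configuration can only be made to work by issuing a certificate whose SAN actually lists that IP.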
01-13-2014 10:01 AM
We got this working by doing a couple of things. First, using the web server template worked to generate the certificate. Thanks for the information on that. Next, our vendor upgraded our Presence server from 8.6.4 to 8.6.5, and all of a sudden it could process subject alternative names. I also added the XMPP domain under System > Security Settings, even though the documentation makes it sound like that will be needed for version 9.x, not 8.x. Last, there was a profile using IPs instead of FQDNs for the Call Managers, so clients continued to get certificate errors until that was fixed.
So things seemed to work in this order: 1) update the Presence server, 2) add the XMPP domain, 3) regenerate all Presence certs and use the web server template in the Windows CA, and 4) make sure FQDNs are used instead of IPs.
Thanks everyone!
03-04-2014 04:12 AM
Hello Steve,
I posted this question here:
https://supportforums.cisco.com/message/4044007#4044007
asking about what settings you use under 2) Add XMPP Domain.
Can you comment on this?
Thanks