Jabber Pop-up Certificate Internal

JustForVoice_2
Level 4

Hello everyone,

My customer asked me to disable the certificate pop-up for Jabber internal communications (later we will disable the external).

I have not implemented this before. I read about it, and I would really appreciate it if you could correct the following steps or add more clarifications.

 

First of all, as I’m using CUCM 11, I will deal with the CUCM publisher only; no need to go to each CUCM and IM & Presence server.

  • I should request the root CA certificate and install it in CUCM and Unity Connection
  • From CUCM, Unity, I should follow:

OS Administration > Security > Certificate Management > Upload certificate.

Certificate Purpose: tomcat-trust

And upload the root CA certificate.

  • Generate CSR:

Certificate Purpose: tomcat

Regarding SAN, what should I do if I have some servers in different domains, like:

PUB.domain1.com

Sub2.domain2.com

Generate and download,

  • Send the CSR to my customer to send to one of digital certificate issuers.
  • Once I have the certificate I should upload it to CUCM PUB and Unity Connection
  • Finally restart tomcat service.

 

Thanks


Dennis Mink
VIP Alumni

This looks pretty complete to me. Just remember to add the CA's cert to the actual (Jabber) client's cert store as well (although it is most likely already in there).

Please remember to rate useful posts, by clicking on the stars below.

Thank you all for your support (+5)

What if I use a public certificate? In this case I do not need to add it to the client's cert store, am I right?

I have the following also: I believe I missed the XMPP cert? So do I have to create a CSR from IM and Presence too?

What if I have different domains for CUCM, regarding SAN?

SAN includes IM&P as well (no need to generate a separate CSR for it), and you can definitely do alternate domains as well. While generating the CSR for SAN, it will auto-populate the FQDN of all the CUCM and IM&P servers in the cluster, and you can then define alternate domains under the Other Domains field.

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118731-configure-san-00.html

Most of the known browsers such as FF, IE, etc. have their own Trusted Cert store that includes certs from DigiCert, Verisign, etc. by default. Hence, you do not need to add them to the client cert store explicitly, as they will/should already be present in the Trusted Root Certification Authorities on the client PC.

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html

Regards

Deepak
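
As an added example (not part of the original thread and not Cisco tooling): a Python check that the SAN list of a multi-server CSR or issued certificate covers every cluster node across both domains before it is uploaded. The sample text is constructed in the shape of `openssl req -noout -text` output; the hostnames `imp1` and `cuc1`, the file name and the helper names are assumptions.

```python
# Constructed sample: text in the shape printed by
# `openssl req -noout -text -in cluster.csr` (file name is hypothetical).
SAMPLE_OPENSSL_TEXT = """\
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:pub.domain1.com, DNS:sub2.domain2.com, DNS:imp1.domain1.com, DNS:domain1.com
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""


def parse_san_dns(openssl_text):
    """Return the lower-cased dNSName entries from openssl's text dump."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            entries = [e.strip() for e in lines[i + 1].split(",")]
            # Skip non-DNS entries such as "IP Address:..."
            return [e[4:].lower().rstrip(".") for e in entries if e.startswith("DNS:")]
    return []


def san_matches(host, pattern):
    """Exact match, or one wildcard in the left-most label only (RFC 6125 style)."""
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]


def uncovered_nodes(nodes, san_entries):
    """Cluster FQDNs that no SAN entry covers; name validation fails for these."""
    return [n for n in nodes if not any(san_matches(n, p) for p in san_entries)]


if __name__ == "__main__":
    # Constructed node list: the two FQDNs from the question plus one extra node.
    cluster = ["PUB.domain1.com", "Sub2.domain2.com", "cuc1.domain2.com"]
    sans = parse_san_dns(SAMPLE_OPENSSL_TEXT)
    print("SAN entries:", sans)
    print("Not covered:", uncovered_nodes(cluster, sans))
```

Listing the parent domain (`domain1.com` here) does not cover hosts under it; each node needs its own FQDN entry or a matching wildcard.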

Thank you for your support

but what about XMPP cert? No need to generate CSR for XMPP in IM and Presence?

No, check below:

Unified Communications Manager supports a single CA signed certificate with SAN extensions across multiple servers for each of the Tomcat, CallManager, and IM and Presence Service services. The SAN fields are utilized and shared across multiple servers in a cluster for each of the Tomcat, CallManager, cup-xmpp, and cup-xmpp-s2s certificates. The administrator selects between single-server certificates and multiserver certificates with SAN extensions to generate a CSR, and then uploads the certificate or certificate chain.

Reference Document:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/10_5_1/CUCM_BK_CE15D2A0_00_cucm-release-notes-1051/CUCM_BK_CE15D2A0_00_cucm-release-notes-1051_chapter_01.html#CUCM_RF_SEC52373_00

Regards

Deepak

Thank you

Rejohn Cuares
Level 4

Make sure you also distribute the trusted root certificate to all clients.

Please rate replies and mark question as "answered" if applicable.