Re: Issue installing cup-xmpp-trust Certificate

joeharb · ‎06-27-2013

We are in the process of deploying/testing the cisco jabber sdk. We want the clients to connect via https:, rather than http:. We have installed the tomcat cert and the administration of the box is working without issue via https. From the documentation/information I have found there needs to be a cert installed under the cup-xmpp-trust store. I have generated the csr for this and recieved the cert, the same method was used as for the tomcat cert. When I upload the cert, which is a full chain, I see the Root and CA certs in the cup-xmpp-trust store. There is also the system generated "Trusted local cluster own-certificate" and the actual cert that is the server that was part of the chain, this one has the same name as the system generated but "-1" before the .pem. When I browse to https://padcup01.csi.corp:7335/httpbinding I get the cert error and when I view the details it shows that this is the system generated. I can delete the self signed but after a period of time the only certs listed in the cup-xmpp-trust are the 2 Issued as part of the chain the the system generated, the one that was part of the chain is no longer present.

Am I going about this the wrong way?

Thanks,

Joe

Jonathan Schulenberg · ‎07-10-2013

The actual certificate of the IM&P server wouldn't be in the -trust store. After generating the CSR, signing it, and then uploading the actual cert (without the chain) it would go in the cup-xmpp store. You should then see the self-signed cert replaced by the one you just uploaded under Certificate Management. The rest of the chain (root and any intermediary CAs) would still go in -trust on all nodes of the IM&P cluster. You would also need to restart XCP Router for the cert to be picked up.

Please remember to rate helpful responses and identify helpful or correct answers.

mcaldogne · ‎09-12-2013

Hi Joe!

Have you solved this Issue? We have the same Problem with our CUPS 8.6.

Thanks,

Mirko

joeharb · ‎09-12-2013

Yes, after working with TAC we got it resolved.

It has been awhile and I am not sure of all the details but I am pretty sure we had to install the root and any chain certs in the cup-trust store. Then we were able to installl either the full chain or the specific machine cert into the cup-xmpp-trust. I think that without the parent cert the machine cert wasn't valid and that is why it was being removed.

Let me know if this helps,

Thanks,

Joe

mcaldogne · ‎09-16-2013

Thank you very much for your reply.

We already tried this way but it is not working. I think we will open a TAC case too.

Thanks,

Mirko

wosele · ‎09-17-2013

Issue has been resolved. Here the solution for reference:

In Presence Administration under System -> Security -> Settings -> XMPP Certificate Settings
change Domain name und flag "Use Domain Name for XMPP Certificate Subject Common Name"
(this was the missing part the rest is straightforward)
Generate CSR and sign it.
Import signing CA certificate as cup-xmpp-trust.
Import signed certificate as cup-xmpp.
Restart Cisco UP XCP Web Connection Manager

ryan_oconnell · ‎03-04-2014

Hello Wosele

When you say

In Presence Administration under System -> Security -> Settings -> XMPP Certificate Settings

change Domain name und flag "Use Domain Name for XMPP Certificate Subject Common Name"

What do you change the Domain name to be?

See picture below. Lets say my IM&P presense domain currently being used is "example.com" but the IM&P server itself is in the "example.root.local" domain. Do I update the domain in the picture below to match the HOST server name or match the IM and Presence domain found under "System -> Cluster Topology -> Settings"

Thanks

Steve Maggitti · ‎03-04-2014

I would think it woudl be the IM & P domain name, but in my case that is the same as the host domain so I can't say for sure. After the first time, it does not take too long to generate certs, so I guess you could try it one way and redo the domain name and certs if necessary. Good luck!