11-17-2016 11:56 AM - edited 03-19-2019 11:50 AM
Hello there,
Just completed Cisco expressway implementation, and have one quick question.
Do the Jabber client and Cisco Expressway E mutually exchange certificates during authentication? Does Expressway E reject a connection if the certificate presented by the Jabber client is not a match? I am currently just seeing a prompt that the server certificate is not trusted, but the connection is established if the user has a CUCM profile created.
11-18-2016 06:03 AM
The Jabber client needs to trust the CUCM, UCXN and IMP certs, which means they have to have a common root and intermediate certs, or better yet the applications' Tomcat certs are signed by a public CA. If any of the applications are not trusted, i.e. using a self-signed cert, the Jabber client will be presented with a warning which you can accept. This is very similar to when you go to an https web page in your browser where the web server does not have a trusted certificate.
11-18-2016 06:08 AM
Thanks Chris,
In my setup, this is already the case: the user is prompted if Jabber does not have a trust relationship with the CUCM. However, our security folks want an option to impose trust, meaning if the cert presented is not trusted, Jabber should not be able to connect and the user cannot establish a connection. We are using MDM to manage our devices, and the requirement is that if a device is not managed via MDM, then it should not connect at all.
Is the warning for a non-trusted cert by design, or is there a way to impose a cert match?
Regards
Antony
11-18-2016 07:38 AM
The Jabber documentation dedicates a whole chapter to certificates; if you haven't, I strongly suggest you read it. It explains how the pop-up to accept certificates is by design: unless the certs are already in the device trust store, you'll be prompted to accept or decline them.
As to what you're asking, that would be certificate-based (SSO) authentication over MRA, so only devices enrolled on the MDM would be able to log in, and this is only on iOS.
11-18-2016 07:55 AM
Thanks Jaime,
I have read through the Jabber certificate chapter, but my question is on the second:
How to ensure that only devices enrolled on the MDM are able to log in? Have you come across this use case, and how do you go about implementing this? As I mentioned, our security folks want to make sure that only MDM-enrolled devices can successfully connect to Expressway E, without overriding the cert warning. They insist that the Expressway E and Jabber trust relationship must be two-way.
I am also trying to think of any risks from a security perspective when users override the warning.
Regards, Antony.
11-18-2016 08:13 AM
It seems that right now iOS only provides this on-prem, but Android does offer this over MRA:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/11_7/cjab_b_planning-guide-jabber-117/cjab_b_planning-guide-jabber-117_chapter_011.html#CJAB_RF_S3DFB912_00
That would be the alternative for what they want, but SSO is required.
11-18-2016 09:30 AM
Thanks Jaime,
This answers the question and provides the link I have been looking for.
We need to upgrade the servers to supported versions.
Many thanks
Antony