Jabber client & Cisco Expressway Mutual certificate exchange

AntonyKamunde
Level 1

Hello there,

Just completed Cisco expressway implementation, and have one quick question.

Do the Jabber client and Cisco Expressway E mutually exchange certificates during authentication? Does Expressway E reject a connection if the certificate presented by the Jabber client is not a match? I am now just seeing a prompt that the server certificate is not trusted, but the connection is established if the user has a CUCM profile created.

6 Replies

Chris Deren
Hall of Fame

The Jabber client needs to trust the CUCM, UCXN and IMP certs, which means they have to have a common root and intermediate certs, or better yet the applications' Tomcat certs are signed by a public CA. If any of the applications are not trusted, i.e. using a self-signed cert, the Jabber client will be presented with a warning which you can accept. This is very similar to when you go to an https web page in your browser where the web server does not have a trusted certificate.

Thanks Chris,

In my setup, this is already the case: the user is prompted if Jabber does not have a trust relationship with the CUCM. However, our security folks want an option to impose trust, meaning if the cert presented is not trusted, Jabber should not be able to connect and the user cannot establish a connection. We are using MDM to manage our devices, and the requirement is that if a device is not managed via MDM, then it should not connect at all.

Is the warning for a non-trusted cert by design, or is there a way to impose a cert match?

Regards

Antony

The Jabber documentation dedicates a whole chapter to certificates; if you haven't, I strongly suggest you read it. It explains how the pop-up to accept certificates is by design: unless the certs are already in the device trust store, you'll be prompted to accept or decline them.

As to what you're asking, that would be certificate based (SSO) authentication over MRA, so only devices enrolled on the MDM would be able to login, and this is only on iOS.

HTH

java

if this helps, please rate

Thanks Jaime,

I have read through the Jabber certificate chapter, but my question is on the second point:

How to ensure that only devices enrolled on the MDM are able to login? Have you come across this use case, and how do you go about implementing it? As I mentioned, our security folks want to make sure that only MDM-enrolled devices can successfully connect to Expressway E, without overriding the cert warning. They insist that the Expressway E and Jabber trust relationship must be two-way.

I am also trying to think of any risks from a security perspective, when users override the warning.

Regards, Antony
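Chris's and Jaime's replies above describe one-way trust (Jabber checks the server's certificate and the user can click through an "untrusted" prompt), and Antony's security team wants two-way trust (the server also checks a certificate that only an enrolled device holds). The toy mutual-TLS exchange below is an added example, not code from this thread or from Cisco. The CA, the "enrolled-device" client certificate, the self-signed "rogue" server certificate and the loopback ports are all constructed for the demo, and it shells out to the openssl command line to mint them. It runs four scenarios: an enrolled device against a server that requires a client cert, an unenrolled device against the same server, a verifying client against an impostor server, and a client that "accepts the warning" against that impostor.

```python
# Added example (not from the thread or from Cisco): a toy mutual-TLS exchange.
# All names, CNs and ports below are constructed for the demo; certs are
# minted with the openssl CLI into a temporary directory.
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_pki(workdir):
    """Throwaway CA, CA-issued server cert (SAN localhost), CA-issued client cert
    standing in for an MDM-enrolled device, and a self-signed 'rogue' server cert."""
    p = lambda n: os.path.join(workdir, n)
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-keyout", p("ca.key"), "-out", p("ca.crt"), "-subj", "/CN=Demo Root CA")
    with open(p("san.ext"), "w") as f:
        f.write("subjectAltName=DNS:localhost\n")
    certs = {}
    for name, cn, ext in (("server", "localhost", p("san.ext")), ("client", "enrolled-device", None)):
        _openssl("req", "-newkey", "rsa:2048", "-nodes", "-keyout", p(f"{name}.key"),
                 "-out", p(f"{name}.csr"), "-subj", f"/CN={cn}")
        args = ["x509", "-req", "-in", p(f"{name}.csr"), "-CA", p("ca.crt"), "-CAkey", p("ca.key"),
                "-CAcreateserial", "-days", "1", "-out", p(f"{name}.crt")]
        _openssl(*(args + (["-extfile", ext] if ext else [])))
        certs[name] = (p(f"{name}.crt"), p(f"{name}.key"))
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1", "-keyout", p("rogue.key"),
             "-out", p("rogue.crt"), "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost")
    certs["rogue"] = (p("rogue.crt"), p("rogue.key"))
    return p("ca.crt"), certs


def run_server(ca_crt, cert, key, require_client_cert):
    """Serve one TLS connection on a random loopback port in a background thread.
    require_client_cert is the 'two-way trust' asked about: the server refuses any
    peer that cannot present a certificate issued by our CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    if require_client_cert:
        ctx.load_verify_locations(ca_crt)
        ctx.verify_mode = ssl.CERT_REQUIRED
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                subject = (tls.getpeercert() or {}).get("subject", ())
                cn = dict(rdn[0] for rdn in subject).get("commonName", "anonymous")
                tls.sendall(f"hello {cn}".encode())  # greet with the verified client identity
        except OSError:
            pass  # handshake refused: no client cert, or the client rejected our cert
        finally:
            conn.close()
            listener.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def connect(port, ca_crt=None, client_cert=None, accept_untrusted=False):
    """Return 'connected: <greeting>' or 'rejected: <why>'. accept_untrusted mirrors
    a user clicking through the 'server certificate is not trusted' prompt."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert chain + hostname by default
    if accept_untrusted:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif ca_crt:
        ctx.load_verify_locations(ca_crt)
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            data = tls.recv(64)
            return ("connected: " + data.decode()) if data else "rejected: server closed the connection"
    except ssl.SSLCertVerificationError:
        return "rejected: server certificate not trusted"
    except OSError as e:  # e.g. TLS 1.3 'certificate required' alert, or connection reset
        return "rejected: " + type(e).__name__


def demo():
    """Run the four scenarios and return their outcomes keyed by scenario name."""
    with tempfile.TemporaryDirectory() as d:
        ca_crt, certs = make_pki(d)
        scenarios = {
            "enrolled_device": (certs["server"], True, dict(ca_crt=ca_crt, client_cert=certs["client"])),
            "unenrolled_device": (certs["server"], True, dict(ca_crt=ca_crt)),
            "rogue_server_verified": (certs["rogue"], False, dict(ca_crt=ca_crt)),
            "rogue_server_accepted": (certs["rogue"], False, dict(accept_untrusted=True)),
        }
        results = {}
        for name, (server_cert, mutual, client_kwargs) in scenarios.items():
            port, thread = run_server(ca_crt, *server_cert, require_client_cert=mutual)
            results[name] = connect(port, **client_kwargs)
            thread.join(timeout=5)
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

The two server-enforced scenarios are the point of the thread: only `CERT_REQUIRED` on the server side keeps an unenrolled device out, and it does so regardless of what the user clicks on the client. The last scenario is what "accept the warning" amounts to: the client talks to whoever answers on that address, so an impostor with a self-signed certificate is indistinguishable from the real server.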

It seems that right now iOS only provides this on-prem, but Android does offer this over MRA:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/11_7/cjab_b_planning-guide-jabber-117/cjab_b_planning-guide-jabber-117_chapter_011.html#CJAB_RF_S3DFB912_00

That would be the alternative for what they want, but SSO is required.

HTH

java

if this helps, please rate

Thanks Jaime,

This answers the question and provides the link I have been looking for.

We need to upgrade the servers to supported versions.

Many thanks

Antony