Certificate for CallManager user page web access

Sep 27th, 2009

Dear all,


My customer is using CallManager version 7.1. Whenever a user accesses the CallManager user web page with Internet Explorer 7, the user gets a page about the website's security certificate. They need to click on "Continue to this website".


May I ask whether this problem can be solved by installing a suitable certificate?


Also, users will access this server both internally (by keying in the private IP address) and from the Internet (by keying in the real public IP address). May I ask, after I install a suitable certificate, will the customer no longer receive such a security message, whether they access it internally (by keying in the private IP address) or from the Internet (by keying in the real public IP address)?


Thanks a lot

David

Jonathan Schulenberg Mon, 09/28/2009 - 02:03

You can install a certificate that is signed by a CA that the clients trust. If the customer has an internal CA, they can use that. Otherwise they can buy a certificate from a CA such as Verisign.


You need to import the CA root certificate into the "tomcat-trust" store. You can generate a CSR for tomcat and import that as the "tomcat" certificate after it is signed. I would recommend downloading the self-signed certificate before deleting it AFTER you have uploaded your new certificates. This must be done for every server in the cluster.


Cisco Unified Communications Operating System Administration Guide, Release 7.1(2)

http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/cucos/7_1_2/cucos/osg_712_cm.html


As a side note: I don't recommend making UCM available directly from the internet. Typical deployments require VPN access so a firewall can protect it more effectively.

htluo Mon, 09/28/2009 - 04:57

The security warning was because the client PC does not trust the CUCM certificate.


There are two scenarios when the certificate is not trusted:


Scenario 1: The issuer of the cert is not in the PC's trust store.


Solution: This can be fixed by viewing the cert and importing it into the trust store.


Scenario 2: The hostname you're using to request the HTTPS does not match the name in the certificate, e.g. you type https://192.168.1.100, but the name in the certificate is cucm.acme.local.


Solution: If you're running CUCM 7, you may use the "set web-security" command to add an alternate name to the cert.


Michael

http://htluo.blogspot.com
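
The name-mismatch case in Scenario 2, as an added example that is not part of the original posts: a Python check of which addresses users type are covered by a certificate's subject alternative names. The certificate is a constructed sample, the public address 203.0.113.10 is a placeholder, and the check looks only at SAN entries, which is how current browsers match names.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# Only the DNS name from the thread is present; no IP entries.
SAMPLE_CERT = {
    "subject": ((("commonName", "cucm.acme.local"),),),
    "subjectAltName": (("DNS", "cucm.acme.local"),),
}

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_matches(cert, typed_host):
    """True if what the user typed is covered by the certificate's SAN list.

    An IP literal matches only an 'IP Address' entry, never a 'DNS' entry.
    """
    try:
        ip = ipaddress.ip_address(typed_host)
    except ValueError:
        ip = None  # not an IP literal, treat as a hostname
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and _dns_match(value, typed_host):
            return True
    return False

def audit(cert, typed_hosts):
    """Map each typed address to True (name accepted) or False (mismatch warning)."""
    return {host: name_matches(cert, host) for host in typed_hosts}

if __name__ == "__main__":
    # Hostname, private IP from the thread, placeholder public IP (constructed).
    typed = ["cucm.acme.local", "192.168.1.100", "203.0.113.10"]
    for host, ok in audit(SAMPLE_CERT, typed).items():
        print(f"{host:18} {'ok' if ok else 'NAME MISMATCH'}")
```

With the sample certificate only the hostname passes; both IP addresses are reported as mismatches until matching `IP Address` entries are present in the certificate.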
