
Jabber 9.2.5 and above forced Certificates

ryan_oconnell
Level 3

Hello all,

As some of you may already know, as of Jabber version 9.2.5 the client forces certificates. If there is not a certificate that is signed by a trusted CA, then the self-signed cert is used.

There is no way that I have found to get around this, unfortunately, and the end result is that the first time the Jabber client is launched on a PC the person must accept, in my case, 7 certificate warnings (2xUCM, 2xCUC, 2xIMP, 1xCWMS) that the host it’s connecting to is using self-signed certs.

You have 3 options to avoid this

  • Stay on version 9.2.4 for the rest of your life, or until Cisco makes this an option we can opt out of
  • Deploy the 7 self-signed certs out to all the PCs (not sure why this is even a real option!!!!)
  • Lastly you can generate CSR requests from CUCM, CUC, IMP and CWMS servers to be signed by a trusted CA

I will set the record straight first. I know very little about certs except the fact I don't like working with them.

Now for my questions: I have 3

There are dozens of cert providers out there. How do I find a list of CAs that the application servers above already trust, so I can avoid deploying root CAs as well to my application servers and PCs?

 

I'm following the guide below; in it there is a section called "What methods are available for certificate validation?"

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html

In this section it describes:

Here is a possible requirement you might encounter:

One Certificate Per FQDN: Some public CAs sign only one certificate per fully qualified domain name (FQDN).

For example, in order to sign the HTTP and XMPP certificates for a single CUCM IM and Presence node, you might need to submit each CSR to different public CAs.

I really don't understand this? Surely they don't mean get the cert for HTTP from one CA and the XMPP from another CA??

Lastly:

Is there a roadmap to make this feature and/or annoyance user customizable? I'm happy to stay on 9.2.4 if there is a less costly / annoying version in the works for the near future.

Appreciate your help and feedback

 

Ryan

2 Replies

j-lehmann
Level 4
Hi,

We use the last Jabber 9.6 build. To avoid the cert question we use the following switches during the installation; the cert switch is the important switch here.

msiexec.exe /i CiscoJabberSetup.msi CLEAR=1 AUTHENTICATOR=CUP CUP_ADDRESS=vCUPPUB1.example.com SERVICES_DOMAIN=example.com CERTIFICATE_VALIDATION=DISABLE

-joerg

Awesome, I'll give this a try.

So is this only an install switch command, or can the same be accomplished using jabber-config.xml?

 

Ryan
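
An audit of the certificates discussed in this thread, as an added example that is not part of any post and not Cisco tooling: run on a client PC, it connects to each server and reports whether the presented certificate passes validation against that PC's Windows trust store. The host names are constructed placeholders and port 8443 is an assumption; replace both with your own values.

```powershell
# Added example: list which servers present certificates this Windows PC does not trust.
# Host names are constructed placeholders; port 8443 is an assumption.
$servers = 'cucm-pub.example.com', 'cuc-pub.example.com', 'imp-pub.example.com'

function Get-ServerCertReport {
    param([string]$HostName, [int]$Port = 8443)

    $script:policyErrors = $null
    # Accept every certificate so the handshake completes and the certificate can be
    # inspected; the policy errors .NET computed are recorded instead of enforced.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $stream = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate

        [pscustomobject]@{
            Host         = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)   # heuristic: issuer equals subject
            NotAfter     = $cert.NotAfter
            PolicyErrors = $script:policyErrors               # None = trusted chain and matching name
        }
    }
    catch {
        [pscustomobject]@{
            Host = $HostName; Subject = $null; Issuer = $null; SelfSigned = $null
            NotAfter = $null; PolicyErrors = "connect/handshake failed: $($_.Exception.Message)"
        }
    }
    finally {
        $tcp.Close()
    }
}

$servers | ForEach-Object { Get-ServerCertReport -HostName $_ } | Format-Table -AutoSize
```

A row whose PolicyErrors is anything other than None marks a server whose certificate Windows does not consider valid for that host name, so it is a candidate for a CA-signed replacement.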