Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

CA signed certificate for Jabber 4 windows

Hi,

 

I have a CA signed certificate for my J4W which is working my question is how can I get J4W when you login the first time after installation not to prompt for you to accept the certificate and it does it 4 times, after that you never get it a again, but for bulk roll out purposes is there a way I can bypass this issue?

 

Thanks in advance.

Voice CCIE #37771
Everyone's tags (3)
8 REPLIES
Hall of Fame Super Silver

If the certificate is signed

If the certificate is signed by trusted CA and certs are installed on your PCs you should not be prompted, that is the whole idea behind it to trust the connection.  Did you sign the CUCM, IMP and UCXN certs by internal CA and are the trusted CA certs also installed on your PCs?

Chris

HiNo my CUCM, UCX is self

Hi

No my CUCM, UCX is self signed but my IM&P is external CA signed.

No the certificates is not installed on the PC's I thought by just having a trusted CA cert the domain PC's will automatically accept it?

Voice CCIE #37771
Hall of Fame Super Silver

Then this works as expected,

Then this works as expected, if you don't want the cert warnings you need to sign your application certs by internal/exterenal CA and make sure your PCs have the trusted certs as well.

Chris

New Member

I'm just working through this

I'm just working through this too, with a Microsoft domain-integrated CA.

Some of the other posts were not clear in regard to WHICH cert gets dealt with in which way. Someone please let me know if this process below is inaccurate or incomplete.

Assuming you have three different severs and only one of each type: CUCM, IMPS, UCxN

-Generate CSRs for the CUCM, IMPS, UCxN tomcat self-signed certs and export them as clearly named CSR files (3 of).

-Generate a CSR for the IMPS xmpp self-signed cert and export it as a clearly named CSR file (1 of).

-Sign all four CSRs with the CA web browser https://ipaddress/certsrv.

-Export the CA's root certificate in Base64 format using the cert authority name as the file name (only for clarity) e.g. mydomain-AD-CA.cer. Do not rename the file after download.

-Import the CA's root certificate into each Cisco UC server's tomcat-trust and into the IMPS xmpp-trust. This must be done before the next step.

-import the CA-signed Cisco UC server SSL certs (that started out as CSRs) as tomcat certs. Import the CA-signed xmpp cert as an IMPS xmpp cert. This replaces the tomcat (and IMPS xmpp) certs with certs that have been signed by the CA.

-restart the Cisco Tomcat feature service and the Cisco XMPP Router service on each Cisco UC appliance using the CLI "utils service restart Cisco Tomcat"

-restart the Cisco XCP Router network service on IMPS.

-Install the CA's root certificate into the client's (assuming Windows) Manage User Certificates > User > Trusted Root Certification Authorities cert store. If you have a domain-integrated MS CA, this will already exist (and should exist, or something else is wrong, or not completed yet with the PKI Infrastructure setup). Look in the User > Trusted Root Certification Authorities cert store - if you can see the CA's root cert that you just installed = great.

-Test 1: Browse to CUCM by FQDN using IE. https://cucm.mydomain.com/ccmadmin. You should get a perfect alert-free connection to CUCM. This proves that the PKI infrastructure is good.

-Test 2: Start J4W. It should start up without any popup alerts providing the UC Service Profile and CSF Device config only use FQDNs, that match the certificates you signed with the CA

-BTW: If you've previously manually accepted J4W popup alerts, before starting J4W go into Manage User Certificates on the Windows client and find and remove all self-signed Cisco UC  appliance certs. Leaving them there will fool you into thinking you've done a complete job when in fact it's not the case.

---Well that 's the theory anyway.

Hi Richard, I am putting your

Hi Richard,

 

I am putting your steps to the test now will let you know.

Voice CCIE #37771
New Member

Hi BudWhat a way to spend

Hi Bud

What a way to spend Friday night... The kids are watching a movie and here I am on this.

Also just discovered this afternoon that the CUCM server name must be the same as the FQDN in CUCM's CA-signed tomcat cert. I may have missed it in the Cisco documentation as a requirement, but this appears to not be documented in any Jabber or IMPS doc? I proved this:

-Before I started, the CUCM server name (System > Server) was "10.86.1.250"

---- J4W Help > Show connection status > Softphone Address (CCMCIP) showed "10.86.1.250", causing those blasted popup security alerts to continue.

-I changed the CUCM server name (System > Server) from "10.86.1.250" to "cucm", rebooted CUCM and tested

---- J4W Help > Show connection status > Softphone Address (CCMCIP) now showed "cucm",

I changed the CUCM server name (System > Server) from "cucm" to "cucm.unifiednetworks.co.nz", rebooted CUCM and tested

---- J4W Help > Show connection status > Softphone Address (CCMCIP) now showed "cucm.unifiednetworks.co.nz"

Conclusion: whatever is configured the CUCM server name, be that an IP Address, a host-name or a Fully Qualified Domain Name (FQDN), is used by J4W as the CCMCIP Address when the CSF device registers to CUCM. Until this exactly matches the Subject CN in the CA-signed CUCM appliance cert, you will continue to get cert challenges, even if everything else is perfect and every other cert is perfectly formed.

 

Each above test meant I had to exit J4W and manually delete all the test client config files from these four folders (yes. over and over again),. What a pain:

C:\Users\RandS\AppData\Local\Cisco\Unified Communications\Jabber\CSF files

C:\Users\RandS\AppData\Local\Cisco\Jabberwerx (guessing, but I'm close)

C:\Users\RandS\AppData\Roaming\Cisco\Unified Communications\Jabber\CSF files

C:\Users\RandS\AppData\Roaming\Cisco\Jabberwex (guessing, but I'm close)

 

...no wonder my colleagues are abandoning me to do Lync. We can't foist this stuff off on our poor customers.

Hi, Thanks for that luckly it

Hi,

 

Thanks for that luckly it is only Friday morning still here so I am battling away to make my 1900 user roll out as easy as possible.

So what I gather from you is I need to make sure my CCMCIP address is not a IP but a FQDN of the cucm that I used in my CA certificate?

Voice CCIE #37771
New Member

The answer should be Yes but

The answer should be Yes but I can't get over the final hurdle, which is the Jabber CCMCIP address I think. Cisco have not, as far as I'm aware, documented clearly that the CCMCIP address in Jabber appears to need to be the CUCM System > Server Host Name/IP Address based on our tests late last week. Although I've changed mine, it still prompts me for this one cert during first-time startup. It asks if I will Accept the IP Address of my CUCM Publisher, although Help > Show connection status quickly updates this to the correct FQDN after first-time sign-in.

I've been using this process:

1/.  clear out any Cisco UC appliance-specific certs from your browser cert stores to avoid fooling yourself. This gets repeated over and over during testing.

2/. Confirm that your Microsoft CA/PKI is correct --> Use IE to browse to the FQDN of CUCM. If you get a secured https:// connection - good. Any problems are now unlikely to be your Microsoft CA/PKI. Cisco advise that IE is required for Jabber for Windows as it provides its rendering engine, so I test with IE, although I also test with Firefox and Chrome. I only did this once.

3/. If your PKI is good per above, sign in to J4W and check Help > Show connection settings: All servers listed must have an address that matched the Subject CN of the CA-signed Cisco UC appliance CSRs you will have previously worked on (I'm guessing). This gets repeated over and over during testing.

Cheers

Richard

328
Views
0
Helpful
8
Replies