Jabber Certificate

Hi,

I'm deploying CUCM, CUC & IM-P version 10.5.

When Jabber starts, it asks to accept a certificate.

I need to know the best way for certificate deployment with Jabber.

My thought is to generate CSRs from the voice servers, submit them to a CA, and upload them again to the voice servers.

And then to import these signed certificates into the user devices' certificate store.

Is the above true?

Also, is it true that it isn't recommended to use the servers' self-signed certificates?

Also, for Expressway, I think it is a must to sign the generated CSR using a public CA, not a private CA?

Please confirm the above points; they have been confusing me after reading many posts on forums and Cisco.

Thanks

Haitham


15 Replies

Chris Deren
Hall of Fame
Hall of Fame

Did you review all the install/config documentation for IMP/Expressway/etc.? It is pretty clear there what is needed.

Yes, you need trusted certs on all UC servers signed by your CA. As to endpoints, it depends on what type of endpoints you have, i.e. PCs may already have your AD root trusted cert, so you might not need anything there; mobile devices, i.e. iPhone, would require pushing them via MDM or the like.

Hi,

I need this certificate for Jabber Win and Jabber iPhone.

So what is the way to get the generated CSRs from all of CUCM, CUC, IM-P & Expressway and send them to the Microsoft team, or can I sign them myself? How to do that?

Then I'll upload these certificates again to the servers as tomcat-trust?

And after that I'm finished?

Thanks

Haitham

Each application has directions on how to do this, some examples:

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-version-60/112108-sslcert-cucm-00.html

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/cucos/8_6_1/cucos/osg_861_cm/iptpch6.html

There are some good documents/discussions with screen shots on this forum if you search for them as well.

Hi,

I decided to sign the certificate with a private CA as a test and, if it succeeds, I'll go for a public CA.

I only need to confirm these points:

1. I'll get the generated tomcat certificate in the CUCM, CUC & IM-P servers from all nodes, sign it in the CA and then import it again to the servers as tomcat-trust.

2. The same as above for XMPP for the IM-P servers.

3. Do I need to change the hostname in the System > Server menu in CUCM, also in the cluster topology in IM-P, and also for CUC? And will it be hostname only or FQDN?

4. Also for Expressway-C and Expressway-E I'll generate a CSR, sign it and re-import it.

5. When going with a public CA, can I do it for only Expressway-E? I hear that when using a public CA, you need your domain, such as cucm.domain.com, to be published!

I think I need it for Expressway-E only!

Thanks

Haitham

You can sign all certs internally as you describe except for the Expressway-E which you want signed by public CA.

Hi,

I need to confirm something.

A customer gave me a public certificate for his domain, abc.net; it is from Verisign.

It is a .cer file.

Now, can I upload this certificate to all collaboration servers (CUCM, CUC, IM&P & Expressway) without generating a CSR, so that this certificate will be trusted for all mobile and PC users? Noting that all my servers are in the same domain, abc.net, and it is a global one.

And if OK, will I upload it as tomcat-trust?

Thanks

Haitham

So you only got the root certificate? If so, that does not establish the identity of the server; you now need to issue CSRs and have the CSRs signed by the same CA that issued the root cert, and then upload the certs to the applications, i.e. the tomcat cert on CUCM.

Chris

Do I need to use this root certificate?

Also, will we need 2 CAs for IM&P to sign both XMPP and HTTP?

Thanks

Yes, you need the root and any intermediate certs if applicable in the -trust before the actual signed cert can be validated.  You can use one CA for both XMPP and tomcat, so same root cert but separately signed XMPP and tomcat certs.

Thanks Chris

It is because I read that a public CA may not sign 2 certificates with the same FQDN, as for IM&P. So I may need another CA for XMPP.

Only my final confirmation of the steps:

Now for all servers, I'll generate a tomcat CSR

Then sign it on the public CA

Then upload it as tomcat-trust after uploading the root certificate (.cer file)

Is the root cert also uploaded as tomcat-trust?

Thanks

Not sure about Verisign, but I just did that for a customer, though I used SAN certs as this was version 10.5 and all IMP and CUCM nodes were signed with a single SAN cert.

As to your steps:

1. upload the root cert in tomcat-trust, xmpp-trust

2. generate CSR

3. send CSR to CA for signing

4. upload signed cert in tomcat and xmpp

5. restart tomcat and xmpp services
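The five steps above, rehearsed offline with openssl against a throwaway enterprise CA. This is an added example, not Chris's own procedure or anything from Cisco: it assumes openssl is on the path, the host names under abc.net and the CA name "lab-ca" are constructed, and the "trust store" is a PEM bundle standing in for tomcat-trust / xmpp-trust. What it shows is the order that matters (root into the trust store first, then the CA-signed identity cert), that one SAN cert covers several nodes, and that the same cert fails verification when the root was never pushed to the client, which is the "accept certificate?" prompt from the original question.

```shell
#!/bin/sh
# Added example, not Chris's own procedure: his five steps rehearsed offline
# against a throwaway enterprise CA, so the order (root into the -trust store
# first, then the CA-signed identity cert) can be checked before touching a real
# cluster. Host names under abc.net and the CA name "lab-ca" are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One SAN cert covering the CUCM and IM&P nodes, as in the 10.5 deployment above.
SAN_NAMES="DNS:cucm1.abc.net,DNS:cucm2.abc.net,DNS:imp1.abc.net"

# Self-contained openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/lab.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = abc.net
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
subjectAltName = $SAN_NAMES
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $SAN_NAMES
EOF

# Stand-in for the CA itself (enterprise or public): a self-signed root.
make_root_ca() {
    openssl req -x509 -config "$WORK/lab.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 365 -subj "/O=abc.net/CN=lab-ca root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Step 1: root (and any intermediates) into the trust store. On the cluster that is
# tomcat-trust / xmpp-trust; here it is a PEM bundle the verify step reads.
install_root_in_trust() {
    cat "$WORK/root.pem" > "$WORK/tomcat-trust.pem"
}

# Step 2: CSR generated on the server, FQDNs (never IPs) in the CN and SAN.
make_csr() {
    openssl req -new -config "$WORK/lab.cnf" -reqexts v3_req -newkey rsa:2048 -nodes \
        -subj "/O=abc.net/CN=cucm1.abc.net" \
        -keyout "$WORK/tomcat.key" -out "$WORK/tomcat.csr" 2>/dev/null
}

# Step 3: the CA signs the CSR. The SAN is re-stated from the config because
# "openssl x509 -req" does not copy CSR extensions on older releases.
sign_csr() {
    openssl x509 -req -in "$WORK/tomcat.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 365 -extfile "$WORK/lab.cnf" -extensions v3_leaf \
        -out "$WORK/tomcat.pem" 2>/dev/null
}

# Steps 4 and 5 (upload, restart) have no offline equivalent; what follows is the
# check a Jabber client makes afterwards: chain to a trusted root, name matches.
# Returns 0 when HOST ($1) is covered by the cert and the chain ends in TRUST_FILE ($2).
client_trusts() {
    openssl verify -CAfile "$2" -verify_hostname "$1" "$WORK/tomcat.pem" >/dev/null 2>&1
}

# Same check with nothing in the trust store: the "accept this certificate?"
# prompt from the original question is this failure surfaced to the user.
client_without_root() {
    openssl verify -no-CAfile -no-CApath "$WORK/tomcat.pem" >/dev/null 2>&1
}

# Number of DNS names in the issued cert (three for the SAN list above).
san_count() {
    openssl x509 -in "$WORK/tomcat.pem" -noout -text | grep -o 'DNS:[a-z0-9.-]*' | wc -l | tr -d ' '
}

make_root_ca
install_root_in_trust
make_csr
sign_csr
echo "SAN entries in signed cert: $(san_count)"
client_trusts imp1.abc.net "$WORK/tomcat-trust.pem" && echo "imp1.abc.net: chain OK via tomcat-trust"
client_without_root || echo "no root in trust store: verify fails, client would prompt"
```

A name that is not in the SAN list (say cuc1.abc.net) fails the hostname check even though the chain is fine, which is why Unity Connection needs its own signed cert or its own SAN entry.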

Jason Aarons
Level 6
Level 6

Public CAs everywhere, unless you plan to put your private CA root/intermediate on everyone's iPhone, Android, etc. Impossible to do.

Follow the guides...

Gordon Ross
Level 9
Level 9

For Jabber, you need to get the following certificates signed by your CA:

 - CallManager
 - Tomcat
 - XMPP
 - VCS

As Jason says, using a commercial CA is easier as you avoid the hassle of having to install your CA certificate on all devices.

GTG

William Bell
VIP Alumni
VIP Alumni

Haitham,

There are a couple of different design scenarios that may adjust the following recommendations, ever so slightly. So, keep that in mind.

I definitely recommend not using self-signed certificates if you want to minimize impact to the user. For UC services on your corporate network, I recommend using an Enterprise CA (i.e. internally provisioned CA). For UC services on your external network/perimeter/DMZ, I recommend using a Public CA.

UC services on your internal network include:

  • VCS-C / Expressway-C
  • CUCM
  • CUCM IM&P
  • Unity Connection

UC servers on your external/perimeter network (or Edge)

  • VCS-E / Expressway-E

The Edge comes into play if you are implementing the Mobile and Remote Access (MRA) functionality under the Collaboration Edge architecture. Technically, you don't need a Public CA to sign the VCS-E/Expressway-E certificate for MRA but it is considered best practice if you plan on using the same appliance for XMPP federation or B2B video at some point. 

 

Jabber clients outside of your organization (teleworkers, etc.) that are leveraging MRA must trust the certificate on the VCS-E/Expressway-E only.

Jabber clients on your Enterprise network (including VPN) must trust the certificates on the CUCM, IM&P, Unity Connection.

The VCS-C/Expressway-C must trust the VCS-E/Expressway-E, CUCM, IM&P, and Unity Connection. 

The VCS-E/Expressway-E must trust the VCS-C/Expressway-C (plus any external XMPP federation peers or video call processing agents, but that is independent of Jabber)

 

By "trust" I mean that the client has the appropriate certificates in their trust store. Further, the client must trust all CUCM cluster nodes used for UDS and TFTP services, all Unity Connection nodes, and all IM&P nodes. That could be a lot of certs. So, the easiest method is to leverage a CA to sign certs. 

You DO NOT need to use a public CA for UC application nodes on your enterprise network. You can most certainly deploy (or use) an internal/enterprise CA. That is my typical approach. I have done it both ways but 90% of my deployments have used an enterprise (internal) CA for the UC app nodes on the enterprise network.

 

You do need to make sure that the entire certificate chain for the root CA and any intermediary CAs is installed in your client trust store.

For J4W (Jabber for Windows) you can use group policies. For OSX you can add to the key chain. For mobile appliances, you can use a mobile device manager. Mileage varies depending on what you have in your environment. Yes, it is an additional moving part but it isn't that difficult if you break it into its smaller parts.

If you decide to use a public CA for the certs on your enterprise UC app servers then you MUST follow certain guidelines:

1. All references to the "servers" need to be FQDNs (e.g. System > Server in UCM). Public CAs won't sign CSRs with IP addresses as the subject or SAN.

2. You must use a valid FQDN (somewhere during Q3CY2014 I read an article where Digicert is going to reject CSRs where the FQDN of the subject or SAN is invalid. For example "mycompany.priv" or "internalADEnviron.local" is invalid)

 

HTH.

 

-Bill (@ucguerrilla)

http://ucguerrilla.com
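A pre-flight check for the two public-CA guidelines in Bill's post (no IP addresses in the subject or SAN; no internal-only domain suffixes such as .priv or .local). This is an added example, not part of his post: it is plain POSIX shell, the .priv and .local suffixes come from the post, and the other entries in INTERNAL_SUFFIXES are this example's own assumption. Running the names you intend to put in a CSR through it catches the rejection before the CA does.

```shell
#!/bin/sh
# Added example, not part of Bill's post: apply his two public-CA rules to the
# names about to go into a CSR's subject or SAN. The .priv and .local suffixes
# come from the post; the rest of INTERNAL_SUFFIXES is this example's assumption.
INTERNAL_SUFFIXES="priv local lan internal localhost corp home"

# Returns 0 if NAME is something a public CA would accept, 1 otherwise
# (reason on stderr).
public_ca_name_ok() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # Rule 1: no IP addresses. Anything made only of digits and dots is an IPv4 literal.
    case "$name" in
        *[!0-9.]*) ;;
        *) echo "REJECT $name: IP address literal, not an FQDN" >&2; return 1 ;;
    esac
    # Rule 1, second part: a bare host name is not an FQDN (System > Server entries
    # must be fully qualified). IPv6 literals have no dots and land here too.
    case "$name" in
        *.*) ;;
        *) echo "REJECT $name: not fully qualified" >&2; return 1 ;;
    esac
    # Rule 2: the last label must be a public suffix, not an AD-style internal one.
    tld=${name##*.}
    for s in $INTERNAL_SUFFIXES; do
        if [ "$tld" = "$s" ]; then
            echo "REJECT $name: .$tld is not a public suffix" >&2
            return 1
        fi
    done
    return 0
}

# Runs the check over every name destined for one SAN certificate and prints
# how many were rejected (0 means the CSR is safe to submit).
check_san_list() {
    bad=0
    for n in "$@"; do
        public_ca_name_ok "$n" || bad=$((bad + 1))
    done
    echo "$bad"
}

# Constructed names: one SAN cert for the CUCM and IM&P nodes plus two mistakes.
rejected=$(check_san_list cucm1.abc.net cucm2.abc.net imp1.abc.net 10.1.1.5 imp1.mycompany.priv)
echo "names rejected: $rejected"
```

The check is deliberately conservative: it does not prove a CA will accept a name, only that it will not be refused for the two reasons the post names.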
