CUCM 10.0.1.10000-24: issue with secure Jabber and Expressway

raziel78kain
Level 2

Hello,

We have a UC infrastructure with a CUCM 10.0.1.10000-24, a CUP 10.0.1.10000-26, and an Expressway-C/E X8.1.1.

Furthermore, we have configured several Jabber phones (for Windows, Android, and iPhone).

Let's consider Jabber for Windows, now.

The Jabber phones work correctly with non-secure profiles, both in LAN and by Expressway.

But when we use secure profiles, the Jabber phones only work in LAN, while by Expressway we get an error that, in English, should be the following (as seen by the connection status tool of Jabber for Windows):

"Connection error. Verify that the server information on the Services tab of the Options window and phone are correct. Contact your system administrator for assistance."

What's wrong?

Thanks in advance for your help.

Best regards.


Nirmal Issac
Level 1

Could you confirm whether the name of the Security Profile is added in the Subject Alternate Name field in the certificate of the VCS server?

The information can be found on page 18 of the document below.

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Mobile-Remote-Access-via-VCS-Deployment-Guide-X8-1-1.pdf

Hello,

It's a bug:

https://tools.cisco.com/bugsearch/bug/CSCun30200

I've temporarily solved it with the workaround indicated in the link above.

Regards.

-- deleted --

Hello,

I have the same issues as yours, with secure profiles on Jabber clients. To make it worse, while the Jabber client is connecting to phone services, the Cisco CallManager service on the primary CUCM is restarted. We have a UC infrastructure with CUCMs (10.5.2.10000-5), CUCM IM&P (10.5.2.10000-9) and Expressway-C/E (X8.5).

All servers use FQDNs instead of IP addresses, certificates (tomcat, Call Manager, XMPP) are issued by internal CAs, etc. The security profile on the particular telephone has a name, which we used when making the certificate request on Expressway, as Nirmal suggested.

Please, could you send your workaround, because this bug is not yet publicly available.

Regards,

Zlatko

FYI, the bug with ID CSCun30200 is about the following:

OpenSSL does not support 2 self-signed certificates with the same Common Name and, unfortunately, this is the CM's default configuration.

...

It is not possible to configure a UCM for MRA when the UCM uses self signed certs for both the tomcat and CallManager certificates.

Either TLS verify or secure SIP will fail depending upon the order in which the certificates are added. If the tomcat.pem certificate is first in the trusted CA file then TLS verify will work and SIPS will not.

Unfortunately, Cisco doesn't recognize it as a bug, and it seems that no improvement has been made so far.

My workaround is to have the CUCM's tomcat cert signed by a CA, and keep the CallManager cert self-signed.

Or, you may have all of the CUCM's certs signed by a CA. That way the Expressway-C is not required to verify two CUCM certs with the same CN.

On the other hand, I didn't have the problem of "CallManager service restarted" during my lab setup before I found my workaround.

-E
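
The collision described in the reply above can be checked for before a trusted CA file is loaded. The following is an added example, not code from the thread or from Cisco: it lists the positions in a PEM bundle of self-signed certificates that share a subject name but carry different keys. It uses only the Python standard library, treats "same Common Name" as an identical full subject name (an assumption), and the host name, CA name and unsigned sample certificates are constructed stand-ins.

```python
import base64
import re

def _tlv(buf, pos):
    """Read the DER TLV starting at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_fields(der):
    """Return raw DER (issuer, subject, public key info) of one certificate."""
    _, pos, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(der, pos)         # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:                      # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4], fields[5]   # serial and sigAlg come first

def ambiguous_self_signed(pem_bundle):
    """Groups of bundle positions: self-signed, same subject, different keys."""
    groups = {}
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_bundle, re.S)
    for index, b64 in enumerate(blocks):
        issuer, subject, key = cert_fields(base64.b64decode(b64))
        if issuer == subject:                # self-signed
            groups.setdefault(subject, {}).setdefault(key, index)
    return [sorted(g.values()) for g in groups.values() if len(g) > 1]

def _der(tag, body):
    """Short-form DER TLV, enough for the small constructed samples below."""
    return bytes([tag, len(body)]) + body

def sample_cert(subject_cn, key, issuer_cn=None):
    """Constructed, unsigned stand-in with X.509 field order (not a real cert)."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn))))
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + name(issuer_cn or subject_cn)
               + _der(0x30, b"") + name(subject_cn) + _der(0x30, key))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Constructed bundles: the default layout, then the workaround from the thread.
HOST = b"cucm1.example.test"                 # hypothetical host name
DEFAULT = sample_cert(HOST, b"tomcat-key") + sample_cert(HOST, b"callmanager-key")
WORKAROUND = sample_cert(HOST, b"tomcat-key", b"Example Internal CA") + sample_cert(HOST, b"callmanager-key")
```

`ambiguous_self_signed(DEFAULT)` reports positions 0 and 1 as a colliding pair, while the `WORKAROUND` bundle, with tomcat CA-signed and CallManager self-signed, reports nothing.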
