CUCM 10.0.1.10000-24: issue with secure Jabber and Expressway
We have a UC infrastructure with a CUCM 10.0.1.10000-24, a CUP 10.0.1.10000-26, and an Expressway-C/E X8.1.1.
Furthermore, we have configured several Jabber phones (for Windows, Android, and iPhone).
Let's consider Jabber for Windows, now.
The Jabber phones work correctly with non-secure profiles, both in LAN and by Expressway.
But, when we use secure profiles, the Jabber phones only work in LAN, while by Expressway we get an error that, in English, should be the following (as seen by the connection status tool of Jabber for Windows):
"Connection error. Verify that the server information on the Services tab of the Options window and phone are correct. Contact your system administrator for assistance."
I have the same issue as yours, with secure profiles on Jabber clients. To make it worse, while the Jabber client is connecting to phone services, the Cisco CallManager service on the primary CUCM is restarted. We have a UC infrastructure with CUCMs (10.5.2.10000-5), CUCM IM&P (10.5.2.10000-9) and Expressway-C/E (X8.5).
All servers use FQDNs instead of IP addresses, certificates (tomcat, Call Manager, XMPP) are issued by internal CAs, etc. The security profile on the particular telephone has a name, which we used when making the certificate request on Expressway, as Nirmal suggested.
Please, could you send your workaround, because this bug is not yet publicly available.
FYI, the bug with ID CSCun30200 is about the following:
OpenSSL does not support 2 self-signed certificates with the same Common Name and, unfortunately, this is the CM's default configuration.
It is not possible to configure a UCM for MRA when the UCM uses self-signed certs for both the tomcat and CallManager certificates.
Either TLS verify or secure SIP will fail depending upon the order in which the certificates are added. If the tomcat.pem certificate is first in the trusted CA file then TLS verify will work and SIPS will not.
Unfortunately, Cisco doesn't recognize it as a bug, and it seems that no improvement has been made so far.
My workaround is to have the CUCM's tomcat cert signed by a CA, and keep the CallManager cert self-signed.
Or, you may have all of the CUCM's certs signed by a CA. That way, the Expressway-C is not required to verify two CUCM certs with the same CN.
On the other hand, I didn't have the "CallManager service restarted" problem during my lab setup before I found my workaround.
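
A check for the condition described for CSCun30200 above, as an added example that is not part of the original thread and not Cisco tooling: it lists the self-signed certificates in a PEM trust bundle in file order and reports any subject carried by more than one of them. The hostname `cucm-pub.example.test`, the file names and the function names are assumptions, and the sample certificates are generated locally for illustration.

```shell
#!/usr/bin/env bash
# Added example. Hostname, file names and function names are assumptions.

# Build a constructed trust bundle: two self-signed certs with the same CN,
# standing in for a CUCM's default tomcat and CallManager certificates.
make_sample_bundle() {
  local dir=$1 name
  for name in tomcat CallManager; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=cucm-pub.example.test" \
      -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null || return 1
  done
  cat "$dir/tomcat.pem" "$dir/CallManager.pem" > "$dir/trusted-ca.pem"
}

# Print "<position in file><TAB><subject>" for every certificate in the
# bundle whose subject equals its issuer (treated here as self-signed).
selfsigned_by_subject() {
  local bundle=$1 dir f subj iss pos=0
  dir=$(mktemp -d) || return 1
  # Split into one file per certificate so file order is preserved.
  awk -v d="$dir" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/%04d.pem", d, ++n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
  for f in "$dir"/*.pem; do
    [ -e "$f" ] || continue
    pos=$((pos + 1))
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then printf '%d\t%s\n' "$pos" "$subj"; fi
  done
  rm -rf "$dir"
}

# Print each subject carried by more than one self-signed certificate.
duplicate_selfsigned() {
  selfsigned_by_subject "$1" | cut -f2- | sort | uniq -d
}

work=$(mktemp -d)
make_sample_bundle "$work" || { echo "openssl req failed" >&2; exit 1; }
echo "Self-signed certificates, in file order:"
selfsigned_by_subject "$work/trusted-ca.pem"
echo "Subjects shared by more than one self-signed certificate:"
duplicate_selfsigned "$work/trusted-ca.pem"
rm -rf "$work"
```

Any subject printed by `duplicate_selfsigned` marks a pair of certificates that the workaround in the thread would separate by having at least one of them signed by a CA.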