Cisco Support Community

New Member

Jabber 9.6 give cert warnings, 9.2 did not

We are in the pilot phase of a UC and Jabber for Everyone deployment. We purchased SSL certificates for CUCM, CUC, and CIMP, including 2 certs for XMPP on the CIMP servers with subject alternate names, to get rid of SSL certificate warnings.

We've started testing with the Jabber 9.6 client on Windows, and of course on iOS devices that is all that is available now. Under 9.6 we are seeing warnings for the certificates intermittently:

1. On first login we get certificate warnings, sometimes for a single cert, sometimes for all of them, sometimes just a couple. In each case viewing the details lists the name of the server as it is listed as the subject in the certificate, and it shows it as being a Comodo certificate.

2. Some users (including myself) have seen the warning pop up randomly during the day while the client is up and running. This is very rare, but I've seen it twice on my own test machines.

3. iOS devices on first launch give the certificate error, but rather than showing the DNS name of the server, it shows the IP address for our CUCM server.

All our certificates are purchased via Comodo, and their root and intermediate are in the Windows Trust store in the appropriate places. We use Comodo for all our services, and we never have this issue with our websites, Exchange server, etc, etc.

Has anyone else seen this behavior?

9 REPLIES
VIP Super Bronze

Jabber 9.6 give cert warnings, 9.2 did not

I suggest reading through this document and verifying that every step has been completed exactly.

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html

For example, the fact that your servers are configured to address by IPv4 instead of DNS is called out as a problem in the Prevent Identity Mismatch section.

Please remember to rate helpful responses and identify helpful or correct answers.
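The identity mismatch described in the reply above, as an added example that is not part of the original thread or of the linked Cisco document: a client compares the address it was told to dial with the names in the server certificate, so an IP address or a bare hostname fails against a certificate that lists only FQDNs. The host names, the address and the function names are constructed placeholders; the SAN tuples use the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress

# Constructed SAN lists (placeholders, not values from the thread), in the
# shape getpeercert() returns under "subjectAltName".
CUCM_CERT_SANS = (("DNS", "cucm-pub.example.com"), ("DNS", "cucm-sub.example.com"))
IMP_CERT_SANS = (("DNS", "imp1.example.com"), ("DNS", "example.com"))


def dns_match(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_identity(reference, sans):
    """Return (ok, reason) for the address a client was configured to dial."""
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP reference identity only matches "IP Address" SANs, never DNS ones.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "matched IP Address SAN"
        return False, f"client dialed IP {reference}; no matching IP Address SAN"
    for kind, value in sans:
        if kind == "DNS" and dns_match(value, reference):
            return True, f"matched DNS SAN {value}"
    return False, f"{reference} is not among the certificate's DNS SANs"


def audit(configured_addresses, sans):
    """Map each address handed to clients to its verification result."""
    return {addr: check_identity(addr, sans) for addr in configured_addresses}


if __name__ == "__main__":
    addresses = ["cucm-pub.example.com", "cucm-pub", "192.0.2.10"]
    for addr, (ok, why) in audit(addresses, CUCM_CERT_SANS).items():
        print(f"{'OK  ' if ok else 'WARN'} {addr}: {why}")
```

Feeding `audit` every server address that the service configuration hands to clients shows which entries would trigger a warning before any client is deployed.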

New Member

Re: Jabber 9.6 give cert warnings, 9.2 did not

Thanks for your help Jonathan. I followed that document and the only things set up to use just the hostname rather than the FQDN were the CUCM publisher and CUCM subscriber nodes. I updated those, but the iOS issue hasn't resolved yet.

From what I can see all the servers are set to use FQDN, none are set to use only their IP address. But the iOS devices show the IP address in the certificate dialog.

My gut reaction is that it has to do with the TFTP service. In the document you linked to it mentions: TFTP Servers (Application > Cisco Jabber > Settings), however on our CIMP servers (ver 9.1.1.30000-3) that option isn't there. I dug through all the other options in the Application menu and the only ones with TFTP server settings are the Legacy client options and they are already set to use FQDN.

I'm still testing to be sure on the desktop clients, but I think that changing the CUCM servers to FQDN from hostname only fixed that.

I lied. On a fresh install the PC client is still giving those errors also. It is also hitting at the IP addresses. The IP addresses specified are the CUCM servers so I guess it could be for CUCM in general, CTI control, or TFTP.

VIP Super Bronze

Jabber 9.6 give cert warnings, 9.2 did not

Most of that stuff got moved into CUCM with v9. Look for UC Service and Service Profiles under the Users > Settings menu of /ccmadmin.

Please remember to rate helpful responses and identify helpful or correct answers.

New Member

Re: Jabber 9.6 give cert warnings, 9.2 did not

Turns out it is a bug: https://tools.cisco.com/bugsearch/bug/CSCul15900/?reffering_site=dumpcr

NOTE: CCO account required for that link.

Installed the referenced COP file and it seems to have resolved the issue. The COP file is for Collaboration Edge, but we are not using Collaboration Edge at this point and it fixed it for us.

New Member

Re: Jabber 9.6 give cert warnings, 9.2 did not

Hi Shawn,

I am running into this issue as well. When doing a fresh install of Jabber, the certificate that is presented is the IP address of my CUCM instead of FQDN. All my settings are FQDN for all my servers.

When you installed the COP file, did you have to reboot the server?

And can anyone answer if this COP file resolves just this issue or other issues as well? I can not seem to find the documentation regarding this file.

Thanks,

Anthony

New Member

Re: Jabber 9.6 give cert warnings, 9.2 did not

Yes Anthony,

When I installed the COP file I had to reboot my cluster. Just the CUCM nodes, not CUC or CIMP. In our case we have a publisher and a subscriber so I had to reboot both. If you have more than one subscriber you will need to reboot them all.

The file and readme is available here: 

http://software.cisco.com/download/release.html?mdfid=284510097&flowid=45900&softwareid=282204704&release=LCU&relind=AVAILABLE&rellifecycle=&reltype=latest

You may have to click the link on the left for COP files.

Here is an attempt at a direct link to that readme: 

http://www.cisco.com/web/software/282204704/18582/cmterm-cucm-uds-912.pdf

There are five items listed as either enhancements or improvements.

New Member

Re: Jabber 9.6 give cert warnings, 9.2 did not

Thank you very much for the prompt response, Shawn!

Glad to know I wasn't the only person to encounter this issue and that there's a fix!

Thanks,

Anthony

New Member


I installed the COP file on my Publisher and both subscribers last week and rebooted all nodes. I am now seeing the same certificate errors w/ IPs of the subscribers.

 

All servers are set as FQDN on CUCM and under User Settings > UC Service, they are also FQDN.

New Member


As a followup soon after I installed the COP file the issue returned. We also had some issues around jabber for everyone and ended up upgrading our cluster to version 10 and Jabber client to 9.7.

We've been testing some more and I've had a couple of people report that on first launch they get a certificate warning for our XMPP connection. On our IM & Presence servers we installed certificates that had both the FQDN and just the domain itself as a subject alternate name. This is what is giving the error. If the user clicks either the accept or deny button then they log in and work as normal. Often they don't see the certificate warning again.
