Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Jabber Security Alert

Hi All,


We are in the process of rolling out Jabber (Version 11.8.1 / Build 50250) with CUCM (10.5.2.10000-5) but have come across a certificate security prompt when logging in that we are unable to remove / resolve (see screenshot below).


Once the prompt below is accepted the user logs in via SSO without issue and all services within Jabber are working as expected.

*See message reply below for additional environment information and partial Jabber.Log 

Thanks!

Everyone's tags (1)
6 REPLIES
Community Member

Additional Information:

Additional Information:

  • SSO is provided by AD FS 2.0 SAML
  • All hostnames are entered in as FQDN within CUCM, Jabber-Config.xml, AD FS 
  • Certificates were signed by an internal CA.
  • Group policy is setup with Internet Options for trusted sites and settings

This is the error (I believe) shown in the Appdata Jabber.log file:

Date: Thu, 19 Jan 2017 23:59:02 GMT

2017-01-20 10:29:02,202 DEBUG [0x000025f8] [etutils\src\http\CurlHttpUtils.cpp(1699)] [csf.httpclient] [csf::http::CurlHttpUtils::logOperationTiming] - Request #11 network IO timestamps: [name lookup = 0 ; connect = 0.015 ; ssl connect = 0.078 ; pre-transfer = 0.078 ; start-transfer = 0.156 ; total = 0.156 ; redirect = 0]
2017-01-20 10:29:02,202 INFO [0x000025f8] [ls\src\http\CurlAnswerEvaluator.cpp(115)] [csf.httpclient] [csf::http::CurlAnswerEvaluator::curlCodeToResult] - Request #11 got curlCode=[0] curl error message=[] HttpClientResult=[SUCCESS] fips enabled=[false]
2017-01-20 10:29:02,202 INFO [0x000025f8] [ls\src\http\BasicHttpClientImpl.cpp(452)] [csf.httpclient] [csf::http::executeImpl] - *-----* HTTP response code 200 for request #11 to https://cucm.mydomain.com:8443/[...]
2017-01-20 10:29:02,202 DEBUG [0x000025f8] [ls\src\http\BasicHttpClientImpl.cpp(474)] [csf.httpclient] [csf::http::executeImpl] - Request #11 -> local IP address: 10.0.0.55, destination IP address: 172.16.0.10
2017-01-20 10:29:02,202 DEBUG [0x000025f8] [etutils\src\http\HttpRequestData.cpp(88)] [csf.httpclient] [csf::http::HttpRequestData::returnEasyCURLConnection] - Request #11 returning borrowed EasyCURLConnection
2017-01-20 10:29:02,202 INFO [0x000025f8] [ls\src\edge\GlobalEdgeStateImpl.cpp(605)] [csf.edge] [csf::edge::GlobalEdgeStateImpl::isInternalConnectivityAvailable] - Internal Visibility: 1
2017-01-20 10:29:02,202 INFO [0x000025f8] [ls\src\edge\GlobalEdgeStateImpl.cpp(605)] [csf.edge] [csf::edge::GlobalEdgeStateImpl::isInternalConnectivityAvailable] - Internal Visibility: 1
2017-01-20 10:29:02,202 DEBUG [0x000025f8] [ls\src\http\BasicHttpClientImpl.cpp(495)] [csf.httpclient] [csf::http::executeImpl] - For request #11 the total size of the data received is: 889, the size of the response body is: 889
2017-01-20 10:29:02,202 DEBUG [0x00001c2c] [etutils\NetworkEventReporterImpl.cpp(57)] [csf.netutils] [csf::netutils::NetworkEventTask::execute] - Executing a NetworkEventTask for label: csfnetutils.http.clientRequestSuccessful
2017-01-20 10:29:02,202 INFO [0x00001c2c] [tutils\NetworkEventReporterImpl.cpp(182)] [csf.netutils] [csf::netutils::NetworkEventReporterImpl::hintNetworkIsInUseImpl] - Event Label:csfnetutils.http.clientRequestSuccessful
2017-01-20 10:29:02,202 INFO [0x00000bf4] [ansitionDetectionControllerImpl.cpp(252)] [csf.edge] [csf::edge::EdgeTransitionDetectionControllerImpl::processEvent] - EdgeTransitionDetectionController processing Event NetworkActivity with DDCAFsm in state Idle and DDCUFsm in state Monitoring
2017-01-20 10:29:02,202 DEBUG [0x00000bf4] [DetectDirectConnectAvailableFsm.cpp(273)] [csf.edge] [csf::edge::DetectDirectConnectAvailableFsm::State::logIgnoringEvent] - DetectDirectConnectAvailable.Idle: Ignoring event NetworkAccessOpportunity
2017-01-20 10:29:02,202 INFO [0x00000bf4] [csf-netutils\src\common\Reactor.cpp(180)] [csf.edge] [csf::common::Reactor::runEventLoop] - Reactor event loop entering wait()
2017-01-20 10:29:02,203 INFO [0x000025f8] [control\CallControlManagerImpl.cpp(1923)] [csf.ecc.evt] [csf::ecc::CallControlManagerImpl::notifyConnectionInfoChange] - CONNECTION_INFO_CHANGE: size(8):
type=eUDS, isRelevant=true, server=cucm.mydomain.com:8443, connectionState=eConnected, isEncrypted=true
type=eUDS, isRelevant=true, server=172.16.0.10:8443, connectionState=eNotApplicable, isEncrypted=false
type=eCCMCIP, isRelevant=true, server=cucm.mydomain.com:8443, connectionState=eNotApplicable, isEncrypted=false
type=eCCMCIP, isRelevant=true, server=172.16.0.10:8443, connectionState=eNotApplicable, isEncrypted=false
type=eEMAPI, isRelevant=true, server=cucm.mydomain.com:8443, connectionState=eNotApplicable, isEncrypted=false
type=eEMAPI, isRelevant=true, server=172.16.0.10:8443, connectionState=eNotApplicable, isEncrypted=false
type=eConfigFile, isRelevant=true, server=cucm.mydomain.com:6970, connectionState=eNotApplicable, isEncrypted=false
type=eConfigFile, isRelevant=true, server=cucm.mydomain.com:69, connectionState=eNotApplicable, isEncrypted=false

2017-01-20 10:29:02,203 DEBUG [0x000025f8] [fig\AbstractDeviceListRetriever.cpp(285)] [csf.ecc] [csf::ecc::AbstractDeviceListRetriever::getXmlDoc] - XML: "<?xml version="1.0" encoding="UTF-8" standalone="yes"?><devices uri="https://cucm.mydomain.com:8443/cucm-uds/user/bhawkins/devices" version="10.5.2"><device uri="https://cucm.mydomain.com:8443/cucm-uds/user/bhawkins/device/156f8c7d-8722-2b61-3751-9bf40e2aff49"><id>156f8c7d-8722-2b61-3751-9bf40e2aff49</id><name>csfbhawkins</name><type>Phone</type><model>Cisco Unified Client Services Framework</model><description editable="true" source="admin">Ben Hawkins Jabber</description><protocol>SIP</protocol></device><device uri="https://cucm.mydomain.com:8443/cucm-uds/user/bhawkins/device/1e2101d1-708b-0d57-364e-77e287aa0b5e"><id>1e2101d1-708b-0d57-364e-77e287aa0b5e</id><name>SEPB4A4E3D76077</name><type>Phone</type><model>Cisco 7945</model><description editable="true" source="admin">Ben Hawkins - 8024</description><protocol>SCCP</protocol></device></devices>"
2017-01-20 10:29:02,203 INFO [0x000025f8] [c\src\callcontrol\Authenticator.cpp(428)] [csf.ecc] [csf::ecc::Authenticator::doUdsLogin] - Successfully authenticated the user with UDS
2017-01-20 10:29:02,203 INFO [0x000025f8] [ponents\ecc\src\config\UDSClient.cpp(92)] [csf.ecc] [csf::ecc::UDSClient::getEmLoggedInDevices] - getEmLoggedInDevices
2017-01-20 10:29:02,203 INFO [0x000025f8] [onents\ecc\src\config\UDSClient.cpp(101)] [csf.ecc] [csf::ecc::UDSClient::doUdsQuery] - doUdsQuery(): eEmLoginDevices
2017-01-20 10:29:02,203 INFO [0x000025f8] [onents\ecc\src\config\UDSClient.cpp(147)] [csf.ecc] [csf::ecc::UDSClient::doUdsQuery] - doUdsQuery(url)
2017-01-20 10:29:02,203 DEBUG [0x000025f8] [s\telephonyservice\ECCHttpHelper.cpp(57)] [jcf.tel.ecc.http] [CSFUnified::ECCHttpHelper::doGet] - doGet() for SSO request [ https://cucm.mydomain.com:8443/cucm-uds/user/[username_not_logged]/emLoggedInDevices]
2017-01-20 10:29:02,203 DEBUG [0x000025f8] [src\framework\ServicesDispatcher.cpp(39)] [services-dispatcher] [CSFUnified::ServicesDispatcher::enqueue] - ServicesDispatcher.enqueue: BT-Calling OAuthTokenRetriever::GetAuthorisationTokens from ECCHttpHelper
2017-01-20 10:29:02,203 DEBUG [0x00003a50] [rc\framework\ServicesDispatcher.cpp(208)] [services-dispatcher] [CSFUnified::ServicesDispatcher::executeTask] - executing (BT-Calling OAuthTokenRetriever::GetAuthorisationTokens from ECCHttpHelper)
2017-01-20 10:29:02,203 DEBUG [0x00003a50] [phonyservice\OAuthTokenRetriever.cpp(41)] [jcf.tel.oauth] [CSFUnified::OAuthTokenRetriever::getAuthorisationTokens] - Getting CUCM Authorisation token...
2017-01-20 10:29:02,203 INFO [0x00003a50] [\impl\system\UserProfileManager.cpp(127)] [UserProfileManager] [CSFUnified::UserProfileManager::Impl::getCredentialsForAuthenticator] - for authenticator: 2100
2017-01-20 10:29:02,203 DEBUG [0x00003a50] [phonyservice\OAuthTokenRetriever.cpp(46)] [jcf.tel.oauth] [CSFUnified::OAuthTokenRetriever::getAuthorisationTokens] - CUCMAuthenticator credentials verified value = 1
2017-01-20 10:29:02,203 DEBUG [0x00003a50] [rc\framework\ServicesDispatcher.cpp(221)] [services-dispatcher] [CSFUnified::ServicesDispatcher::executeTask] - executed (BT-Calling OAuthTokenRetriever::GetAuthorisationTokens from ECCHttpHelper) in [0] milliseconds. Waiting time was [0] milliseconds
2017-01-20 10:29:02,203 DEBUG [0x000025f8] [\telephonyservice\ECCHttpHelper.cpp(296)] [jcf.tel.ecc.http] [CSFUnified::ECCHttpHelper::getOAuthToken] - tokenIsValid [1] for SSOTokenType [OAuth]
2017-01-20 10:29:02,203 DEBUG [0x000025f8] [s\telephonyservice\ECCHttpHelper.cpp(92)] [jcf.tel.ecc.http] [CSFUnified::ECCHttpHelper::getRequest] - getRequest(), create HttpRequest
2017-01-20 10:29:02,203 DEBUG [0x000025f8] [\telephonyservice\ECCHttpHelper.cpp(108)] [jcf.tel.ecc.http] [CSFUnified::ECCHttpHelper::getRequest] - Setting credentials using oAuthToken
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [pters\config\ConfigStoreManager.cpp(165)] [ConfigService-ConfigStoreManager] [CSFUnified::ConfigStoreManager::getValue] - key : [CucmHttpTransferTimeout] skipLocal : [0] value: [] success: [false] configStoreName: []
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [s\telephonyservice\ConfigHelper.cpp(337)] [jcf.tel.config] [CSFUnified::ConfigHelper::getHttpTransferTimeout] - Did not find CucmHttpTransferTimeout key. Defaulting to [20000]
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [pters\config\ConfigStoreManager.cpp(165)] [ConfigService-ConfigStoreManager] [CSFUnified::ConfigStoreManager::getValue] - key : [CucmHttpConnectionTimeout] skipLocal : [0] value: [] success: [false] configStoreName: []
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [s\telephonyservice\ConfigHelper.cpp(321)] [jcf.tel.config] [CSFUnified::ConfigHelper::getHttpConnectionTimeout] - Did not find CucmHttpConnectionTimeout key. Defaulting to [10000]
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [netutils\src\common\PolicyDriven.cpp(20)] [csf.common.PolicyDriven] [csf::common::PolicyDriven::PolicyDriven] - PolicySet : EDGE_USAGE[USE_IF_REQUIRED], FAILURE_MANAGEMENT[IGNORE_SOFT_FAILURE], INVALID_CERT_MANAGEMENT[PROMPT_USER], IGNORE_INVALID_CERT_CONDITION[IGNORE_REVOCATION_INFO_UNAVAILABLE_ERRORS], EDGE_CAPABILITY[EDGE_ENABLED], PERSIST_INVALID_CERT_DECISION[PERSIST_DECISION], IP_FAMILY_PREFERENCE[DUAL_STACK], SYSTEM_PROXY_USAGE[USE_SYSTEM_PROXY_WHEN_REQUESTED]
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [netutils\src\common\PolicyDriven.cpp(20)] [csf.common.PolicyDriven] [csf::common::PolicyDriven::PolicyDriven] - PolicySet : EDGE_USAGE[USE_IF_REQUIRED], FAILURE_MANAGEMENT[IGNORE_SOFT_FAILURE], INVALID_CERT_MANAGEMENT[PROMPT_USER], IGNORE_INVALID_CERT_CONDITION[IGNORE_REVOCATION_INFO_UNAVAILABLE_ERRORS], EDGE_CAPABILITY[EDGE_ENABLED], PERSIST_INVALID_CERT_DECISION[PERSIST_DECISION], IP_FAMILY_PREFERENCE[DUAL_STACK], SYSTEM_PROXY_USAGE[USE_SYSTEM_PROXY_WHEN_REQUESTED]
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [netutils\src\common\PolicyDriven.cpp(20)] [csf.common.PolicyDriven] [csf::common::PolicyDriven::PolicyDriven] - PolicySet : EDGE_USAGE[USE_IF_REQUIRED], FAILURE_MANAGEMENT[IGNORE_SOFT_FAILURE], INVALID_CERT_MANAGEMENT[PROMPT_USER], IGNORE_INVALID_CERT_CONDITION[IGNORE_REVOCATION_INFO_UNAVAILABLE_ERRORS], EDGE_CAPABILITY[EDGE_ENABLED], PERSIST_INVALID_CERT_DECISION[PERSIST_DECISION], IP_FAMILY_PREFERENCE[DUAL_STACK], SYSTEM_PROXY_USAGE[USE_SYSTEM_PROXY_WHEN_REQUESTED]
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [netutils\src\common\PolicyDriven.cpp(28)] [csf.common.PolicyDriven] [csf::common::PolicyDriven::PolicyDriven] - PolicySet : EDGE_USAGE[USE_IF_REQUIRED], FAILURE_MANAGEMENT[IGNORE_SOFT_FAILURE], INVALID_CERT_MANAGEMENT[PROMPT_USER], IGNORE_INVALID_CERT_CONDITION[IGNORE_REVOCATION_INFO_UNAVAILABLE_ERRORS], EDGE_CAPABILITY[EDGE_ENABLED], PERSIST_INVALID_CERT_DECISION[PERSIST_DECISION], IP_FAMILY_PREFERENCE[DUAL_STACK], SYSTEM_PROXY_USAGE[USE_SYSTEM_PROXY_WHEN_REQUESTED]
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [sf-netutils\src\common\PolicySet.cpp(84)] [csf.common.PolicySet] [csf::common::PolicySet::getPolicy] - Successfully found Policy with nature EDGE_USAGE [USE_IF_REQUIRED]
2017-01-20 10:29:02,204 INFO [0x000025f8] [ls\src\edge\GlobalEdgeStateImpl.cpp(605)] [csf.edge] [csf::edge::GlobalEdgeStateImpl::isInternalConnectivityAvailable] - Internal Visibility: 1
2017-01-20 10:29:02,204 INFO [0x000025f8] [ls\src\edge\GlobalEdgeStateImpl.cpp(605)] [csf.edge] [csf::edge::GlobalEdgeStateImpl::isInternalConnectivityAvailable] - Internal Visibility: 1
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [ls\src\http\BasicHttpClientImpl.cpp(265)] [csf.httpclient] [csf::http::BasicHttpClientImpl::execute] - Edge policy enforced successfully with transformed Url: https://cucm.mydomain.com:8443/[...] for request #12
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [sf-netutils\src\common\PolicySet.cpp(84)] [csf.common.PolicySet] [csf::common::PolicySet::getPolicy] - Successfully found Policy with nature IP_FAMILY_PREFERENCE [DUAL_STACK]
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [netutils\src\common\PolicyDriven.cpp(59)] [csf.common.PolicyDriven] [csf::common::PolicyDriven::policyFailureCanBeIgnored] - Checking if the failure of a policy can be ignored by this object
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [sf-netutils\src\common\PolicySet.cpp(84)] [csf.common.PolicySet] [csf::common::PolicySet::getPolicy] - Successfully found Policy with nature FAILURE_MANAGEMENT [IGNORE_SOFT_FAILURE]
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [netutils\src\common\PolicyDriven.cpp(69)] [csf.common.PolicyDriven] [csf::common::PolicyDriven::policyFailureCanBeIgnored] - The policy failure can be ignored
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [etutils\src\http\HttpRequestData.cpp(73)] [csf.httpclient] [csf::http::HttpRequestData::consumeEasyCURLConnection] - Request #12 acquiring EasyCURLConnection
2017-01-20 10:29:02,204 INFO [0x000025f8] [etutils\src\http\CurlHttpUtils.cpp(1106)] [csf.httpclient] [csf::http::CurlHttpUtils::configureEasyRequest] - *-----* Configuring request #12 GET https://cucm.mydomain.com:8443/[...]
2017-01-20 10:29:02,204 INFO [0x000025f8] [etutils\src\http\CurlHttpUtils.cpp(1760)] [csf.httpclient] [csf::http::CurlHeaders::CurlHeaders] - Number of Request Headers : 1
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [etutils\src\http\CurlHttpUtils.cpp(1497)] [csf.httpclient] [csf::http::CurlHttpUtils::configureEasyRequest] - Request #12 configured with: connection timeout 10000 msec, transfer timeout 20000 msec
2017-01-20 10:29:02,204 DEBUG [0x000025f8] [ls\src\http\BasicHttpClientImpl.cpp(523)] [csf.httpclient] [csf::http::performCurlRequest] - About to perform curl connection request #12
2017-01-20 10:29:02,209 DEBUG [0x000025f8] [netutils\src\http\CurlHttpUtils.cpp(188)] [csf.httpclient] [csf::http::CurlHttpUtils::curlTraceCallback] - Request #12 pre connect phase: ' Trying 172.16.0.10...'
2017-01-20 10:29:02,209 DEBUG [0x000025f8] [netutils\src\http\CurlHttpUtils.cpp(192)] [csf.httpclient] [csf::http::CurlHttpUtils::curlTraceCallback] - Request #12 post connect phase: 'Connected to cucm.mydomain.com (172.16.0.10) port 8443 (#0)'
2017-01-20 10:29:02,210 DEBUG [0x000025f8] [netutils\src\http\CurlHttpUtils.cpp(513)] [csf.httpclient] [csf::http::CurlHttpUtils::curlSSLCallback] - fqdn : cucm.mydomain.com
2017-01-20 10:29:02,210 DEBUG [0x000025f8] [netutils\src\http\CurlHttpUtils.cpp(196)] [csf.httpclient] [csf::http::CurlHttpUtils::curlTraceCallback] - Request #12 SSL handshake phase: 'TLSv1.2 (OUT), TLS handshake, Client hello (1):'
2017-01-20 10:29:02,211 DEBUG [0x000025f8] [rc\cert\common\BaseCertVerifier.cpp(104)] [csf.cert.] [csf::cert::BaseCertVerifier::verifyCertificate] - verifyCertificate using ctx. Identity: Reference identifiers: ['cucm.mydomain.com']; Identifier to display: 'cucm.mydomain.com'
2017-01-20 10:29:02,211 DEBUG [0x000025f8] [rc\cert\utils\AltNameParserImpl.cpp(214)] [csf.cert.utils] [csf::cert::AltNameParserImpl::parse] - parsing a leaf cert
2017-01-20 10:29:02,211 DEBUG [0x000025f8] [rc\cert\utils\AltNameParserImpl.cpp(162)] [csf.cert.utils] [csf::cert::parseSubjectCNField] - Subject CN field: 'cucm.mydomain.com'
2017-01-20 10:29:02,211 INFO [0x000025f8] [rc\cert\utils\AltNameParserImpl.cpp(255)] [csf.cert.utils] [csf::cert::AltNameParserImpl::parse] - number of Subject Alt Name fields : 1
2017-01-20 10:29:02,211 DEBUG [0x000025f8] [rc\cert\utils\AltNameParserImpl.cpp(102)] [csf.cert.utils] [csf::cert::parseDNSField] - parsed dnsName : mydomain.com
2017-01-20 10:29:02,211 DEBUG [0x000025f8] [rc\cert\utils\KeyUsageParserImpl.cpp(62)] [csf.cert.utils] [csf::cert::KeyUsageParserImpl::parse] - Basic Key Usage in cert: [DIGITAL_SIGNATURE, KEY_ENCIPHERMENT], Extended Key Usage in cert: [SERVER_AUTH]
2017-01-20 10:29:02,211 DEBUG [0x000025f8] [cert\utils\KeyStrengthParserImpl.cpp(31)] [csf.cert.utils] [csf::cert::KeyStrengthParserImpl::parse] - Cert Public Key type is 'rsaEncryption'
2017-01-20 10:29:02,211 DEBUG [0x000025f8] [cert\utils\KeyStrengthParserImpl.cpp(39)] [csf.cert.utils] [csf::cert::KeyStrengthParserImpl::parse] - Cert KeyStrength parsed: 2048
2017-01-20 10:29:02,211 DEBUG [0x000025f8] [rc\cert\common\BaseCertVerifier.cpp(161)] [csf.cert.] [csf::cert::BaseCertVerifier::doVerifyCertificate] - About to verify the certificate.
2017-01-20 10:29:02,212 INFO [0x000025f8] [rc\cert\win32\Win32CertVerifier.cpp(262)] [csf.cert.win32] [csf::cert::Win32CertVerifier::loadCertificateChain] - Certificate Chain status 0x0
2017-01-20 10:29:02,212 INFO [0x000025f8] [rc\cert\win32\Win32CertVerifier.cpp(327)] [csf.cert.win32] [csf::cert::Win32CertVerifier::verifySslPolicy] - Ignoring errors due to Invalid CN
2017-01-20 10:29:02,212 INFO [0x000025f8] [rc\cert\win32\Win32CertVerifier.cpp(300)] [csf.cert.win32] [csf::cert::Win32CertVerifier::verifyPolicies] - SSL Policy status 0x0
2017-01-20 10:29:02,212 INFO [0x000025f8] [rc\cert\win32\Win32CertVerifier.cpp(311)] [csf.cert.win32] [csf::cert::Win32CertVerifier::verifyPolicies] - Basic Constraints Policy status 0x0
2017-01-20 10:29:02,212 DEBUG [0x000025f8] [rc\cert\win32\Win32CertVerifier.cpp(146)] [csf.cert.win32] [csf::cert::Win32CertVerifier::verifyCertificate] - Certificate validation response is 'valid'
2017-01-20 10:29:02,212 DEBUG [0x000025f8] [rc\cert\common\BaseCertVerifier.cpp(171)] [csf.cert.] [csf::cert::BaseCertVerifier::doVerifyCertificate] - Result of platform cert verification: []
2017-01-20 10:29:02,212 DEBUG [0x000025f8] [rc\cert\common\BaseCertVerifier.cpp(271)] [csf.cert.] [csf::cert::BaseCertVerifier::checkIdentity] - About to check for an Identity Match.
2017-01-20 10:29:02,212 DEBUG [0x000025f8] [ls\src\cert\common\CertVerifier.cpp(154)] [csf.cert] [csf::cert::CertVerifier::checkIdentifier] - Verifying identity 'cucm.mydomain.com'
2017-01-20 10:29:02,212 DEBUG [0x000025f8] [rc\cert\utils\AltNameParserImpl.cpp(364)] [csf.cert.utils] [csf::cert::AltNameParserImpl::verify] - Match for 'cucm.mydomain.com' found in _commonName
2017-01-20 10:29:02,212 DEBUG [0x000025f8] [rc\cert\common\BaseCertVerifier.cpp(329)] [csf.cert.] [csf::cert::BaseCertVerifier::checkIdentifiers] - Verification of identity succeeded. Matched identifier : 'cucm.mydomain.com'
2017-01-20 10:29:02,212 INFO [0x000025f8] [-diagnostics\src\DiagnosticsImpl.cpp(50)] [csf.diagnostics] [CSFDiagnostics::DiagnosticsImpl::AddRecord] - Add record task enqueued: cucm.mydomain.com
2017-01-20 10:29:02,212 DEBUG [0x000025f8] [rc\cert\common\BaseCertVerifier.cpp(466)] [csf.cert.] [csf::cert::BaseCertVerifier::applyIgnoreInvalidCertConditionPolicy] - Certificate verification was successful, not applying policy.
2017-01-20 10:29:02,212 DEBUG [0x000025f8] [cert\common\CertificateDataImpl.cpp(192)] [csf.cert] [csf::cert::CertificateDataImpl::parseSubjectCNField] - size of Subject CN field : 27
2017-01-20 10:29:02,212 DEBUG [0x000025f8] [cert\common\CertificateDataImpl.cpp(206)] [csf.cert] [csf::cert::CertificateDataImpl::parseSubjectCNField] - Subject CN field : cucm.mydomain.com
2017-01-20 10:29:02,212 INFO [0x000025f8] [mmon\PlatformVerificationHandler.cpp(42)] [csf.cert] [csf::cert::PlatformVerificationHandler::handlePlatformVerificationResultSynchronously] - Verification result : SUCCESS reason : [VALID]
2017-01-20 10:29:02,212 DEBUG [0x000025f8] [sf-netutils\src\common\PolicySet.cpp(84)] [csf.common.PolicySet] [csf::common::PolicySet::getPolicy] - Successfully found Policy with nature INVALID_CERT_MANAGEMENT [PROMPT_USER]
2017-01-20 10:29:02,212 DEBUG [0x000025f8] [mon\PlatformVerificationHandler.cpp(188)] [csf.cert] [csf::cert::PlatformVerificationHandler::guaranteeResultConsistency] - Verification successful, forcing identifier verification status to SUCCESS
2017-01-20 10:29:02,212 DEBUG [0x000025f8] [mmon\PlatformVerificationHandler.cpp(62)] [csf.cert] [csf::cert::PlatformVerificationHandler::handlePlatformVerificationResultSynchronously] - finalResult: SUCCESS
2017-01-20 10:29:02,212 INFO [0x000025f8] [etutils\adapters\HttpCertAdapter.cpp(93)] [csf.httpclient] [csf::netutils::adapters::HttpCertAdapter::verifyCertificate] - *-----* Certificate Verification Result: SUCCESS
2017-01-20 10:29:02,212 INFO [0x000025f8] [s\csf-netutils\src\http\SslUtils.cpp(52)] [csf.SslUtils] [csf::http::SslUtils::verifyCb] - Certificate Verified by application using SOFT_MATCH identity matching model.
2017-01-20 10:29:02,263 DEBUG [0x000025f8] [netutils\src\http\CurlHttpUtils.cpp(204)] [csf.httpclient] [csf::http::CurlHttpUtils::curlTraceCallback] - Request #12 post SSL handshake phase: 'SSL connection using TLSv1.2 / AES256-SHA'
2017-01-20 10:29:02,343 DEBUG [0x000025f8] [netutils\src\http\CurlHttpUtils.cpp(733)] [csf.httpclient] [csf::http::CurlHttpUtils::curlHeaderCallback] - Request #12 got status line: HTTP/1.1 200 OK
2017-01-20 10:29:02,343 DEBUG [0x000025f8] [netutils\src\http\CurlHttpUtils.cpp(713)] [csf.httpclient] [csf::http::CurlHttpUtils::curlHeaderCallback] - Request #12 got CR-LF pair. Accumulated headers:

Cisco Employee

If those are the CUCM/IM&P

If those are the CUCM/IM&P/CUC certificates, and those have not been deployed to the user's computers, that is expected to happen. The Jabber documentation has a whole chapter dedicated to certificates that covers this.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
Community Member

Hi Jamie,

Hi Jamie,

Thanks for the reply.

All the certificates for Jabber have been signed by our internal CA so any machine within our domain should trust it.

This particular prompt i believe is being caused by our CUCM not trusting our root CA.

I have followed this step by step guide and updated the Tomcat-Trust and Tomcat certificates with signed / root CA certs but i still receive the certificate errors as shown in my attached pictures.

https://supportforums.cisco.com/document/30501/cucm-uploading-ccmadmin-web-gui-certificates#Verify_Hostname_and_Settings

I'm going to try again tonight but any thoughts on why this may be happening would be appreciated.

Cheers,Ben

Cisco Employee

OK, those are two complete

OK, those are two complete different things you're talking about here, and they're NOT related to each other.

A) To get rid of the errors when using a browser to CUCMadmin, you need to have the root certificate who signed the Tomcat cert installed in the Trusted Root repository in your machine, and to browse to the server using the CN or a SAN from the certificate you uploaded to CUCM.

B) To get rid of the certificate errors in Jabber, it doesn't matter if you have the root cert, you need the ACTUAL SERVER CERTIFICATE to be installed on the machine/device/phone BEFORE you login, OR to accept the certificate so it's stored in your device, and you won't get the prompt again. As I previously mentioned, the Jabber documentation has two chapters (on two different docs) that cover everything you need to know about Jabber and certificates. If you have not reviewed them, that should be your first step.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
Community Member

No worries that's clear. I'll

No worries that's clear. I'll have a read over the Cisco documentation on certificates again and will try again tonight.

Out of interest can you tell me what services would be affected if i was to restart the Tomcat service during business hours? 

Cisco Employee

All the webpages, directories

All the webpages, directories and EM, as they all depend on the web server.

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
318
Views
5
Helpful
6
Replies
CreatePlease to create content