New Member

jabber windows 9.2.6 certificates (sub cluster)

Hi,

We have a 2 node implementation of CIMP 9.1.1 and are attempting to upgrade our jabber for windows client to 9.2.6.

Being aware of the cert requirements needed for 9.2.5 onwards we have had the tomcat and cup-xmpp certs signed by our internal CA.

When you https to both the cimp servers they are both OK and the certs and the path look good with no errors.

When you load the jabber client you get different results depending on which member of the subcluster your account is associated with (they are a HA pair).

Having cleared the locally accepted certs from Windows first, if I make my account be on the cimp_subscriber I log in (default server using SRV records) and everything is straight in and fine, no problems.

If however I move my accounts to the cimp_publisher I get a verify certificate warning, which when I accept works fine. If I look at the certificate it only has itself in the certification path, not the root CAs etc.

Looking on OS admin and the certificate manager the cup-xmpp cert is signed by the cup-xmpp-trust cert so I'm a bit stuck!

Any ideas gratefully received!

Thanks

Jon

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Super Bronze

jabber windows 9.2.6 certificates (sub cluster)

Is the cup-xmpp certificate on cimp_publisher what you expect it to be if you look at it under Certificate Management? You should be able to see the signing CA information and all in it.

If yes, restart XCP Router and give it another try. The -trust store is mostly irrelevant here. The cup-xmpp-trust store is only used during inter-cluster peering and domain federation because it's what the server will accept from the other party in the TLS handshake. The cup-xmpp is the certificate the server presents to Jabber as the server.

The SRV record isn't checked against the CN of the certificate.

Please remember to rate helpful responses and identify helpful or correct answers.
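
To confirm which certificate each node actually presents on the XMPP listener, the chain listing printed by `openssl s_client` can be compared per node. This is an added example, not part of the original thread; the sample output, hostnames and CA name are constructed placeholders, and port 5222 with `-starttls xmpp` is an assumption about how the capture would be taken.

```python
import re

# Constructed samples (placeholder hostnames and CA name) in the layout of the
# chain listing from: openssl s_client -connect HOST:5222 -starttls xmpp
PUBLISHER_SAMPLE = """\
Certificate chain
 0 s:CN = cimp-pub.example.com
   i:CN = cimp-pub.example.com
---
"""
SUBSCRIBER_SAMPLE = """\
Certificate chain
 0 s:CN = cimp-sub.example.com
   i:DC = com, DC = example, CN = Example Internal CA
 1 s:DC = com, DC = example, CN = Example Internal CA
   i:DC = com, DC = example, CN = Example Internal CA
---
"""
_SUBJECT = re.compile(r"^\s*(\d+) s:(.+)$")
_ISSUER = re.compile(r"^\s+i:(.+)$")

def presented_chain(text):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' block."""
    chain, pending, in_block = [], None, False
    for line in text.splitlines():
        if line.startswith("Certificate chain"):
            in_block = True
        elif in_block and line.strip() == "---":
            break  # end of the chain listing
        elif in_block:
            subj, iss = _SUBJECT.match(line), _ISSUER.match(line)
            if subj:
                pending = (int(subj.group(1)), subj.group(2).strip())
            elif iss and pending:
                chain.append((pending[0], pending[1], iss.group(1).strip()))
                pending = None
    return chain

def diagnose(chain):
    """Classify the leaf (depth 0) certificate the server sent."""
    if not chain:
        return "no certificate presented"
    _, subject, issuer = chain[0]
    if subject == issuer:
        return "self-signed leaf"
    return "CA-signed leaf, %d cert(s) sent" % len(chain)

if __name__ == "__main__":
    for name, sample in (("publisher", PUBLISHER_SAMPLE), ("subscriber", SUBSCRIBER_SAMPLE)):
        print(name, "->", diagnose(presented_chain(sample)))
```

A self-signed leaf from one node while the other sends a CA-signed leaf matches the per-node difference described in the question.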

5 REPLIES

Re: jabber windows 9.2.6 certificates (sub cluster)

My first thought would be, the host name you are issuing, using SRV records, is not the same as the hostname in the cert signed by your CA, hence you get the self-signed cert pop-up instead.

Check your SRV:

nslookup

> set type=srv

> _sip._tcp.presence.minksolutions.com.au  <--whatever domain name you have


=============================
Please remember to rate useful posts, by clicking on the stars below. 

=============================


New Member

jabber windows 9.2.6 certificates (sub cluster)

Hi, I've checked DNS; the SRV records match the correct FQDNs for both cimp servers.

New Member

jabber windows 9.2.6 certificates (sub cluster)

Hi Jonathan,

I've checked the cup-xmpp certs on both servers and they seem OK, they are both signed by the root CA.

Both have alternate names of:

Their own FQDN

an A-record (for clients who cannot use SRV)

the domain name the CUCM/CIMP servers all sit in (which is the same domain for XMPP server-server alternate name)

I've restarted the whole appliance (both of them) to make sure everything was fresh after the certs were uploaded.

Any other ideas? Seems very strange as there are the same number and type of certs on both servers.

Thanks for your assistance

New Member

jabber windows 9.2.6 certificates (sub cluster)

Anyone got any ideas on this? I'm pretty sure the certs are correctly signed on both servers, it just seems like the publisher server is presenting its own self-signed cert to the client rather than the CA-signed cert, even though the CA-signed cert is the only cup-xmpp cert on the system.
