New Member

IM&P 11.5 bosh certificate

We have upgraded our cluster to 11.5 and have discovered some issues with the BOSH certificate in different browsers. If I browse to the :7335/httpbinding URL in Chrome, it attempts to utilize the cup-xmpp-ECDSA certificate, which is self-signed. If I go to the same URL within IE, it uses the original CA-signed certificate. The reason I have started looking into this is that we have a user who is attempting to utilize an Embrava light for Jabber on a Mac but is having issues. This was never utilized until after the upgrade to 11.5, so I don't know if it would have worked prior. Would a CA-signed certificate to replace cup-xmpp-ECDSA resolve the issue? Has anyone else experienced similar issues?

Thanks,

Joe

4 REPLIES

Hi Joe,

Did you sign the "normal" CA cup-xmpp certificate?

Signing the cup-xmpp-ECDSA will definitely solve your problem, but we should ask ourselves why your application is using the EC certificate instead of the CA.

Since version 11 Cisco started supporting Elliptic Curve Cryptography.

Hope you can solve your issue.

Some good reads about this:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200930-CUCM-11-Next-Generation-Encryption-Ell.pdf

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/configAdminGuide/11_5_1/CUP0_BK_CE08159C_00_config-admin-guide-imp-1151/CUP0_BK_CE08159C_00_config-admin-guide-imp-1151_chapter_01000.pdf

New Member

Actually I am not completely sure that the application is using the EC certificate, but I have verified that Chrome will utilize that by browsing the BOSH URL; IE will utilize the "normal" certificate. Maybe I am assuming too much with the browser results, but it seems to correlate to the issue, that the OS/application doesn't trust the self-signed certificate.

I am going to generate a CSR for the EC certificate and have it signed with our CA and see if the results are different. Thanks for the information, I will update the thread with the results...

Thanks,

Joe
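Added example, not part of the original thread and not Cisco code: a TLS server that holds both an RSA and an ECDSA certificate picks one according to what the client offers, so one way to see which certificate each kind of client gets on the BOSH port is to probe it twice, once offering only RSA-authenticated cipher suites and once only ECDSA ones. The host argument is a placeholder for your IM&P node, the function names are made up for this sketch, and the key-type check is a byte-search heuristic rather than a full certificate parser.

```python
import hashlib, socket, ssl, sys

# DER-encoded OIDs found in a certificate's SubjectPublicKeyInfo.
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")       # 1.2.840.10045.2.1
OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

def key_type(der):
    """Classify a DER certificate by its public-key OID (heuristic byte search)."""
    if OID_EC_PUBLIC_KEY in der:
        return "ECDSA"
    if OID_RSA_ENCRYPTION in der:
        return "RSA"
    return "unknown"

def probe(host, port, auth):
    """Offer only suites with the given authentication ('aRSA' or 'aECDSA');
    return (key type, SHA-256 fingerprint) of the certificate the server presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # inspection only: a self-signed or
    ctx.verify_mode = ssl.CERT_NONE  # untrusted certificate must still be readable
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # cipher strings do not constrain TLS 1.3
    ctx.set_ciphers(auth)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return key_type(der), hashlib.sha256(der).hexdigest()

def compare(results):
    """results maps 'aRSA'/'aECDSA' to (type, fingerprint), or None if the probe failed."""
    rsa, ec = results.get("aRSA"), results.get("aECDSA")
    if rsa and ec and rsa[1] != ec[1]:
        return "dual: server presents a different certificate per client cipher offer"
    if rsa or ec:
        return "single: only %s is served" % (rsa or ec)[0]
    return "none: no handshake succeeded"

if __name__ == "__main__":
    # Usage: python probe.py <IM&P address> [port]   (7335 is the port from the thread)
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 7335
    results = {}
    for auth in ("aRSA", "aECDSA"):
        try:
            results[auth] = probe(host, port, auth)
        except OSError:              # covers ssl.SSLError and connection failures
            results[auth] = None
        print(auth, results[auth])
    print(compare(results))
```

Comparing the printed fingerprints with the certificates listed in the server's certificate management page shows which one a given client family is being handed.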

New Member

Re: Hi Joe,

I am having the same issue where I receive a BOSH URL error:

BOSH URL has different protocol than webserver: https: != http:

Navigating to the BOSH URL at https://<IM&P Address>:7335/httpbinding uses the EC certificate in our UC environment.

I am trying to understand if uploading a root CA signed cert to the presence server will help to resolve this issue.

Thanks.

New Member

Re: Hi Joe,

I know this is a little old, but we just updated our IMPS to 11.5 and have a few Macs with Embrava. What we ended up doing was trusting the EC cert after creating a CNAME in our DNS with the <imserver>-ec.<domain> to our IMPS server.

You may not need the CNAME and just need to trust the cert, but we did the CNAME first.

Hope this helps.

Phil
