IM&P 11.5 bosh certificate

joeharb
Level 5

We have upgraded our cluster to 11.5 and have discovered some issues with the BOSH certificate with different browsers. If I browse to the :7335/httpbinding URL in Chrome, it attempts to utilize the cup-xmpp-ECDSA certificate, which is self-signed. If I go to the same URL in IE, it uses the original CA-signed certificate. The reason I have started looking into this is that we have a user who is attempting to utilize an Embrava light for Jabber on a Mac but is having issues. This was never utilized until after the upgrade to 11.5, so I don't know if it would have worked prior. Would a CA-signed certificate to replace cup-xmpp-ECDSA resolve the issue? Has anyone else experienced similar issues?

Thanks,

Joe

4 Replies

Hi Joe,

Did you sign the "normal" CA cup-xmpp certificate?

Signing the cup-xmpp-ECDSA will definitely solve your problem but we should ask ourselves why your application is using the EC certificate instead of the CA.

Since version 11, Cisco started supporting Elliptic Curve Cryptography.

Hope you can solve your issue

Some good reads about this:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200930-CUCM-11-Next-Generation-Encryption-Ell.pdf

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/configAdminGuide/11_5_1/CUP0_BK_CE08159C_00_config-admin-guide-imp-1151/CUP0_BK_CE08159C_00_config-admin-guide-imp-1151_chapter_01000.pdf

Actually, I am not completely sure that the application is using the EC certificate, but I have verified that Chrome will utilize it when browsing the BOSH URL; IE will utilize the "normal" certificate. Maybe I am assuming too much from the browser results, but it seems to correlate with the issue: that the OS/application doesn't trust the self-signed certificate.

I am going to generate a CSR for the EC certificate and have it signed by our CA and see if the results are different. Thanks for the information, I will update the thread with the results...

Thanks,

Joe

I am having the same issue where I receive BOSH URL error:

BOSH URL has different protocol than webserver: https: != http:

Navigating to BOSH URL by https://<IM&P Address>:7335/httpbinding uses EC Certificate in our UC environment.

I am trying to understand if uploading a root CA signed cert to the presence server will help to resolve this issue.

Thanks.

I know this is a little old, but we just updated our IMPS to 11.5 and have a few Macs with Embrava. What we ended up doing was trusting the EC cert after creating a CNAME in our DNS with the <imserver>-ec.<domain> to our IMPS server.

You may not need the CNAME and just need to trust the cert, but we did the CNAME first.

Hope this helps. 

Phil
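
Added example, not part of any post in this thread and not Cisco code: a Python check that handshakes with the BOSH port twice, once offering only ECDSA-authenticated suites and once only RSA-authenticated ones, and reports whether each certificate validates against the local trust store. It assumes the server chooses its certificate from the cipher suites the client offers, which would explain the Chrome/IE difference; the function names and verdict strings are made up for this example.

```python
import socket
import ssl
import sys

def make_context(auth, cafile=None):
    """Verifying client context that offers only suites authenticated by `auth`."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Cap at TLS 1.2 so the suite list below decides which key type the server must use.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("a" + auth)          # OpenSSL selectors: aECDSA or aRSA
    return ctx

def offered_suites(ctx):
    """Suite names up to TLS 1.2 that the context offers (TLS 1.3 names start with TLS_)."""
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]

def probe(host, port, auth, cafile=None, timeout=5):
    """Return (status, detail) for one handshake restricted to `auth` suites."""
    ctx = make_context(auth, cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("trusted", tls.cipher()[0])
    except ssl.SSLCertVerificationError as exc:
        # Typical causes: self-signed certificate, or a name not listed in the certificate.
        return ("untrusted", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("no-handshake", str(exc))

def verdict(results):
    """Compare the two probes; `results` maps "ECDSA"/"RSA" to probe() output."""
    ec, rsa = results["ECDSA"][0], results["RSA"][0]
    if ec == "untrusted" and rsa == "trusted":
        return "ecdsa-cert-untrusted"
    if ec == "trusted" and rsa == "untrusted":
        return "rsa-cert-untrusted"
    if ec == rsa == "trusted":
        return "both-trusted"
    if ec == rsa == "untrusted":
        return "both-untrusted"
    return "inconclusive"

if __name__ == "__main__":
    host = sys.argv[1]                   # IM&P node FQDN, supplied by the operator
    # 7335 is the BOSH port named in the thread.
    results = {a: probe(host, 7335, a) for a in ("ECDSA", "RSA")}
    for auth, outcome in results.items():
        print(auth, *outcome)
    print(verdict(results))
```

Pass the enterprise CA bundle as `cafile` to test against the same trust anchors the affected clients use; a result of `ecdsa-cert-untrusted` matches the situation described in the first post.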
