Jabber guest with CUCM, Expressway-C and -E setup: certificates from cert-authority mandatory?
Hello support community,
I will have to install a small jabber guest deployment soon (approx 5 - 10 jabber guest clients used for video only, no IM/Presence). The setup will be the following: CUCM 10.5, Expressway-C and Expressway-E. The jabber guest clients will be used on both intranet and internet side.
As this is a very small deployment I would like to avoid the additional efforts to be done and dependencies with certificates from a certificate authority.
(I heard this used to be possible at least with jabber 9.x, but this might have changed with jabber 10.x)
Does anybody know if this will work with such "selfsigned cert" setup? And if it basically would work, it this would bring along any disadvantages in user experience, such as jabber client displaying any error messages?
I beleive that there is a requirement to do A CA certificate (not use the temporary one) However, this guide will show you how to use OpenSSL to create a self signed CA. Then you can upload these self signed CAs to upload to the expressway C & E and then use these to generate a CSR to re-run against openSSL. openSSL is installed by default on MACs ( I believe) and it is freeware. You can also get it here
In this guide the order that you want to do things is
Page 19 Configure OpenSSL to act as A CA
Page 21 Creating a Signed certificate using openSSL (Generate a certificate signing request on both the core and edge boxes, and then dowload them and run them through openssl.
IF you follow the instructions carefully, then it will work fine for you. If you change any of your file names, make sure you update the switches on the command line to reflect those changes.
Thank you very much for your very helpful answer, much appreciated. Likely I will go with implementing this self signed CA solution.
Going through the guide you sent me the link for and through other documents (mobile and remote access via cisco expressway deployment guide x8.1.1 page 25 - 26), I understand that easiest will be to have a SIP TCP SIP trunk (non secure) between cucm and expressway-c and that this should work fine together with Jabber. In case I would need to use a TLS SIP trunk, I understand that I could install the self signed ca certificate (from Expressway-C) to cucm and this should work. Do you also think so?
Yes I think that would work fine. I did notice that you mentioned the 8.1.1 giude for Mobile Remote access set up, I would recommend that you use the 8.2 guide as there were some significant changes in how traversal zones are setup between Expressway C & E.
Are you getting this error “Installer User Interface Mode Not Supported. The installer cannot run in this UI mode. To specify the interface mode, use the -i command-line option, followed by the UI mode identifier. The value UI mode identifiers...
The below trick might come handy when you have to add a new node to a cluster but you don't have or is unsure of the security password for the publisher. This procedure has been around for ages.
1) Login into the CLI of the Publisher.