[cisco-voip] how to make ExtensionMobility use HTTPS

Joe Martini joemar2 at cisco.com
Wed Jan 19 08:02:50 EST 2011


Since you're on CUCM 8.x, the phone only needs an ITL (Initial Trust List) file, which contains a certificate for the Trust Verification Service (TVS). When the phone is presented the HTTPS certificate, the phone doesn't have to locally store all the certificates it has to trust, but instead will query TVS to see if the phone trusts the certificate or not. All the certificates reside on the CUCM server and not the phone.

One thing to check: if you manually download your phone's configuration file, there is a TVS section that will have either a hostname or IP address, depending on what is defined under System > Server. If it's a hostname, many hardphones (not sure about IPC) will display "host not found" when trying to connect to TVS if DNS is not configured. Phones have to be on 9.0.2 to use TVS and HTTPS too: http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/firmware/9_0_2/english/release/notes/7900_902SR1.html#wp192055. I'd have to check on CIPC.

Joe

On Jan 19, 2011, at 3:40 AM, cips wrote:

I already figured this out, using HTTPS or port 8443 gives me the XML output of the service so this part seems to work.
But I still have to “accept” the certificate warning.
I expect the phones need some kind of certificate to support this? Am I correct?
 
Any thoughts?
 
From: Jason Burns [mailto:burns.jason at gmail.com] 
Sent: Tuesday 18 January 2011 22:14
To: Ryan Ratliff
Cc: cips; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] how to make ExtensionMobility use HTTPS
 
One small but crucial piece is the port. https defaults to tcp port 443.

CUCM Secure Services listen on 8443

https://<serverIP>:8443/<whatever your EM URL is>

Can you give that a try and see if it makes a difference?

-Jason

On Tue, Jan 18, 2011 at 12:32 PM, Ryan Ratliff <rratliff at cisco.com> wrote:
You shouldn't have to add a second service.  The phone service should have two URLs you can provide, one for secure, one for non-secure. 
 
For testing purposes point a web browser to the https URL and see if it gives you some xml text as a result.  Your browser may complain about the formatting but you can view the source to see what comes back.
 
-Ryan
 
On Jan 18, 2011, at 10:37 AM, cips wrote:
 
Hi All,
 
Running CM 8, trying to figure out how I can allow my users to log on via ExtensionMobility using HTTPS instead of HTTP.
Now the service is working pointing to http://172.21.1.181:8080/emapp/EMAppServlet?device=#DEVICENAME# but it is not secure, using HTTP.
 
If I add another phone service pointing to https://172.21.1.181/emapp/EMAppServlet?device=#DEVICENAME# this does not work. I can see the service in the menu of my IP com (testing phone) but when I hit the button nothing happens.
 
I assume I’ve missed something. I guess I need to install certificates and the phones must be equipped with these certificates to get this to work? Right?
 
Any thoughts or comments are welcome.
 
Regards.
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
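
The check described in the top reply (whether the TVS section of a downloaded phone configuration file holds a hostname or an IP address), as an added example that is not part of the original thread. The XML layout of the `<TVS>` section, the sample hostname and the port value are assumptions made for illustration; compare them with a configuration file downloaded from your own cluster.

```python
import ipaddress
import socket
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed phone configuration file. The <TVS> layout
# (members/member/address/port) is an assumption for illustration.
SAMPLE_CONFIG = """<device>
  <TVS>
    <members>
      <member priority="0"><port>2445</port><address>cucm-pub.example.invalid</address></member>
      <member priority="1"><port>2445</port><address>172.21.1.181</address></member>
    </members>
  </TVS>
</device>"""


def is_ip(value):
    """True when value parses as an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def tvs_entries(config_xml):
    """Return (address, port, kind) for every TVS member in the config."""
    root = ET.fromstring(config_xml)
    entries = []
    for member in root.iterfind(".//TVS//member"):
        address = (member.findtext("address") or "").strip()
        port = int((member.findtext("port") or "0").strip())
        entries.append((address, port, "ip" if is_ip(address) else "hostname"))
    return entries


def audit(config_xml, resolver=socket.gethostbyname):
    """List TVS hostnames that the given resolver cannot resolve."""
    problems = []
    for address, port, kind in tvs_entries(config_xml):
        if kind != "hostname":
            continue  # IP literals need no DNS on the phone
        try:
            resolver(address)
        except OSError:  # socket.gaierror is a subclass of OSError
            problems.append(f"{address}:{port} does not resolve; phones without DNS cannot reach TVS")
    return problems


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["all TVS entries are IPs or resolvable"]:
        print(line)
```

The default resolver uses the DNS settings of the machine running the script, so run it from the voice VLAN or pass a resolver that reflects what the phones are actually given.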
 
