[cisco-voip] Call Manager, Jabber, and Certificates

Rob Dawson rdawson at force3.com
Fri Mar 20 11:07:22 EDT 2015


Fair enough, those certs are generated/managed via CUCM though. The section he quoted below is specifically in relation to Tomcat/XMPP certs.

Same conclusion though, make sure either the cert itself, or the CA root chain is trusted by the client computer.

Joe, have a look at this - http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html

Rob


From: Ryan Ratliff (rratliff) [mailto:rratliff at cisco.com]
Sent: Friday, March 20, 2015 9:48 AM
To: Joe Loiacono
Cc: Rob Dawson; cisco-voip voyp list
Subject: Re: [cisco-voip] Call Manager, Jabber, and Certificates

There is the LSC and CTL files that do get transmitted from UCM to the Jabber client.
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/10_5/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber_chapter_0110.html#JABW_RF_U3F30C79_00

The original sentence reads like a dumbed-down description of how trust chains work with any cert that UCM presents to Jabber during the establishing of a TLS session.

If you aren’t doing encryption then just make sure the trust store on whatever platform Jabber is running on (Windows, Mac, etc) can validate the cert that UCM, IMP, etc will be presenting to it.

-Ryan

On Mar 20, 2015, at 8:39 AM, Joe Loiacono <jloiacon at csc.com<mailto:jloiacon at csc.com>> wrote:

Rob Dawson <rdawson at force3.com<mailto:rdawson at force3.com>> wrote on 03/19/2015 10:50:55 AM:

> What document are you looking at?

Cisco Jabber for Windows 9.7 Installation and Configuration Guide

> As far as I know the only certificate “push” would be done via GPO
> or some similar mechanism. During the SSL handshake the server
> certificate is sent to the client and the client will attempt to
> validate either the cert itself, or the signing authority, against
> its trust list. If the certificate is not in the trust list then the
> client will be offered the opportunity to trust/add it to its store,
> but this is the server cert, not the root cert. If however the CA
> root cert (public or private) OR the privately signed cert is
> already in the trust list then it should work with no further
> intervention or prompting. Once the client trusts the certificate
> then the key exchange happens.
> I can’t really think of anytime that it would a solid decision,
> security wise, to allow a piece of software to install a trusted
> root certificate.


I'm thinking the action that we take on CUCM, which we refer to as 'pushing a cert to the Jabber client' is the following:

--------

Import Root Certificates on Client Computers

Every server certificate should have an associated root certificate present in the trust store on client computers. Cisco Jabber validates the certificates that servers present against the root certificates in the trust store. If you get server certificates signed by a public CA, the public CA should already have a root certificate present in the trust store on the client computer. In this case, you do not need to import root certificates on the client computers.

You should import root certificates into the Microsoft Windows certificate store if:

• The certificates are signed by a CA that does not already exist in the trust store, such as a private CA.

Import the private CA certificate to the Trusted Root Certification Authorities store.

• The certificates are self-signed.

Import self-signed certificates to the Enterprise Trust store.

--------


This is driving us nuts, so I'm wondering if we have self-signed server certs or we're using our own private CA, etc. I'm inquiring within, of course, just was curious what others had done here.

Many thanks,

Joe _______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150320/d87d6987/attachment.html>


More information about the cisco-voip mailing list