<html><head><base href="x-msg://54/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Since you're on CUCM 8.x, the phone only needs an ITL (Initial Trust List) file which contains a certificate for the Trust Verification Service (TVS). When the phone is presented the HTTPS certificate the phone doesn't have to locally store all the certificates it has to trust, but instead will query TVS to see if the phone trusts the certificate or not. All the certificates reside on the CUCM server and not the phone. One thing to check, would be if you manually download your phone's configuration file there is a TVS section that will have either a hostname or IP address depending on what is defined under System > Server. If it's a hostname many hardphones (not sure about IPC) will display host not found when trying to connect to TVS if DNS is not configured. Phones have to be on 9.0.2 to use TVS too and HTTPS: <a href="http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/firmware/9_0_2/english/release/notes/7900_902SR1.html#wp192055">http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/firmware/9_0_2/english/release/notes/7900_902SR1.html#wp192055</a>. I'd have to check on CIPC.<div><br></div><div>Joe<br><div><br><div><div>On Jan 19, 2011, at 3:40 AM, cips wrote:</div><br class="Apple-interchange-newline"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div lang="NL" link="blue" vlink="purple"><div class="WordSection1" style="page: WordSection1; "><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">I already figured this out, using HTTPS or port 8443 gives me the XML output of the service so this part seems to work.<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">But I still have to “accept” the certificate warning.<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">I expect the phones need some kind of certificate to support this? I’m I correct?<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Any thoughts?<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><a name="_MailEndCompose"><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></a></div><div style="border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; border-top-style: solid; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding-top: 3pt; padding-right: 0cm; padding-bottom: 0cm; padding-left: 0cm; "><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span lang="EN-US" style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span lang="EN-US" style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span>Jason Burns [mailto:burns.jason@gmail.com]<span class="Apple-converted-space"> </span><br><b>Sent:</b><span class="Apple-converted-space"> </span>dinsdag 18 januari 2011 22:14<br><b>To:</b><span class="Apple-converted-space"> </span>Ryan Ratliff<br><b>Cc:</b><span class="Apple-converted-space"> </span>cips;<span class="Apple-converted-space"> </span><a href="mailto:cisco-voip@puck.nether.net" style="color: blue; text-decoration: underline; ">cisco-voip@puck.nether.net</a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [cisco-voip] how to make ExtensionMobility use HTTPS<o:p></o:p></span></div></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><p class="MsoNormal" style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 12pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; ">One small but crucial piece is the port. https defaults to tcp port 443.<br><br>CUCM Secure Services listen on 8443<br><br>https://<serverIP>:8443/<whatever your EM URL is><br><br>Can you give that a try and see if it makes a difference?<br><br>-Jason<o:p></o:p></p><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Tue, Jan 18, 2011 at 12:32 PM, Ryan Ratliff <<a href="mailto:rratliff@cisco.com" style="color: blue; text-decoration: underline; ">rratliff@cisco.com</a>> wrote:<o:p></o:p></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; ">You shouldn't have to add a second service. The phone service should have two URLs you can provide, one for secure, one for non-secure. <o:p></o:p></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; ">For testing purposes point a web browser to the https URL and see if it gives you some xml text as a result. Your browser may complain about the formatting but you can view the source to see what comes back.<o:p></o:p></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 13.5pt; font-family: Helvetica, sans-serif; color: black; ">-Ryan<o:p></o:p></span></div></div></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div><div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Jan 18, 2011, at 10:37 AM, cips wrote:<o:p></o:p></div></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div><div><div><div><div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Hi All,<o:p></o:p></span></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; "> <o:p></o:p></span></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; ">Running CM 8, trying to figure out how I can allow my users to logon via ExtensionMobility using <b>HTTPS</b> instead of <b>HTTP.</b></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><o:p></o:p></span></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; ">Now the service is working pointing to <a href="http://172.21.1.181:8080/emapp/EMAppServlet?device=#DEVICENAME%23" target="_blank" style="color: blue; text-decoration: underline; ">http://172.21.1.181:8080/emapp/EMAppServlet?device=#DEVICENAME#</a> but it is not secure, using HTTP.</span><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><o:p></o:p></span></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; "> </span><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><o:p></o:p></span></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; ">If I add another phone service pointing to <a href="https://172.21.1.181/emapp/EMAppServlet?device=#DEVICENAME%23" target="_blank" style="color: blue; text-decoration: underline; ">https://172.21.1.181/emapp/EMAppServlet?device=#DEVICENAME#</a> this does not work. I can see the service in the menu of my IP com (testing phone) but when I hit the button nothing happens.</span><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><o:p></o:p></span></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; "> </span><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><o:p></o:p></span></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; ">I assume I’ve missed something. I guess I need to install certificates and the phones must be equipped with these certificates to get this to work? Right?</span><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><o:p></o:p></span></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; "> </span><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><o:p></o:p></span></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; ">Any thoughts or comments are welcome.</span><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><o:p></o:p></span></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; "> </span><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><o:p></o:p></span></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span lang="EN-US" style="font-size: 11pt; font-family: Calibri, sans-serif; ">Regards.</span><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><o:p></o:p></span></div></div></div></div></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 13.5pt; font-family: 'Lucida Grande', serif; ">_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank" style="color: blue; text-decoration: underline; ">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank" style="color: blue; text-decoration: underline; ">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></span></div></div></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div><p class="MsoNormal" style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 12pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" style="color: blue; text-decoration: underline; ">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank" style="color: blue; text-decoration: underline; ">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" style="color: blue; text-decoration: underline; ">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" style="color: blue; text-decoration: underline; ">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br></div></span></div><br></div></div></body></html>