<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Fair enough, those certs are generated/managed via CUCM though. The section he quoted below is specifically in relation to Tomcat/XMPP certs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Same conclusion though, make sure either the cert itself, or the CA root chain is trusted by the client computer.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Joe, have a look at this -
<a href="http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html">
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Rob<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Ryan Ratliff (rratliff) [mailto:rratliff@cisco.com]
<br>
<b>Sent:</b> Friday, March 20, 2015 9:48 AM<br>
<b>To:</b> Joe Loiacono<br>
<b>Cc:</b> Rob Dawson; cisco-voip voyp list<br>
<b>Subject:</b> Re: [cisco-voip] Call Manager, Jabber, and Certificates<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There are the LSC and CTL files that do get transmitted from UCM to the Jabber client.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><a href="http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/10_5/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber_chapter_0110.html#JABW_RF_U3F30C79_00">http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/10_5/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber_chapter_0110.html#JABW_RF_U3F30C79_00</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The original sentence reads like a dumbed-down description of how trust chains work with any cert that UCM presents to Jabber during the establishing of a TLS session.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If you aren’t doing encryption then just make sure the trust store on whatever platform Jabber is running on (Windows, Mac, etc.) can validate the cert that UCM, IMP, etc. will be presenting to it. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">-Ryan <o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Mar 20, 2015, at 8:39 AM, Joe Loiacono <<a href="mailto:jloiacon@csc.com">jloiacon@csc.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><tt><span style="font-size:10.0pt">Rob Dawson <<a href="mailto:rdawson@force3.com">rdawson@force3.com</a>> wrote on 03/19/2015 10:50:55 AM:</span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<br>
<tt>> What document are you looking at?</tt></span> <br>
<br>
<tt><span style="font-size:10.0pt">Cisco Jabber for Windows 9.7 Installation and Configuration Guide</span></tt>
<br>
<br>
<tt><span style="font-size:10.0pt">> As far as I know the only certificate “push” would be done via GPO
</span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<tt>> or some similar mechanism. During the SSL handshake the server </tt><br>
<tt>> certificate is sent to the client and the client will attempt to </tt><br>
<tt>> validate either the cert itself, or the signing authority, against </tt><br>
<tt>> its trust list. If the certificate is not in the trust list then the</tt><br>
<tt>> client will be offered the opportunity to trust/add it to its store,</tt><br>
<tt>> but this is the server cert, not the root cert. If however the CA </tt><br>
<tt>> root cert (public or private) OR the privately signed cert is </tt><br>
<tt>> already in the trust list then it should work with no further </tt><br>
<tt>> intervention or prompting. Once the client trusts the certificate </tt><br>
<tt>> then the key exchange happens.</tt></span> <br>
<tt><span style="font-size:10.0pt">> I can’t really think of any time that it would be a solid decision,
</span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<tt>> security wise, to allow a piece of software to install a trusted </tt><br>
<tt>> root certificate.</tt></span> <br>
<br>
<br>
<tt><span style="font-size:10.0pt">I'm thinking the action that we take on CUCM, which we refer to as 'pushing a cert to the Jabber client' is the following:</span></tt>
<br>
<br>
<tt><span style="font-size:10.0pt">--------</span></tt> <br>
<br>
<tt><span style="font-size:10.0pt">Import Root Certificates on Client Computers</span></tt>
<br>
<br>
<tt><span style="font-size:10.0pt">Every server certificate should have an associated root certificate present in the trust store on client computers. Cisco Jabber validates the certificates that servers present against the root certificates in the trust store.
If you get server certificates signed by a public CA, the public CA should already have a root certificate present in the trust store on the client computer. In this case, you do not need to import root certificates on the client computers.</span></tt>
<br>
<br>
<tt><span style="font-size:10.0pt">You should import root certificates into the Microsoft Windows certificate store if:</span></tt>
<br>
<br>
<tt><span style="font-size:10.0pt">• The certificates are signed by a CA that does not already exist in the trust store, such as a private CA.</span></tt>
<br>
<br>
<tt><span style="font-size:10.0pt">Import the private CA certificate to the Trusted Root Certification Authorities store.</span></tt>
<br>
<br>
<tt><span style="font-size:10.0pt">• The certificates are self-signed.</span></tt>
<br>
<br>
<tt><span style="font-size:10.0pt">Import self-signed certificates to the Enterprise Trust store.</span></tt>
<br>
<br>
<tt><span style="font-size:10.0pt">--------</span></tt> <br>
<br>
<br>
<tt><span style="font-size:10.0pt">This is driving us nuts, so I'm wondering if we have self-signed server certs or we're using our own private CA, etc. I'm inquiring within, of course, just was curious what others had done here.</span></tt>
<br>
<br>
<tt><span style="font-size:10.0pt">Many thanks,</span></tt> <br>
<br>
<tt><span style="font-size:10.0pt">Joe </span></tt><br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
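<p class="MsoNormal">An added example, not from any of the posters or from Cisco: a read-only PowerShell check that fetches the certificate a CUCM/IMP node presents on its Tomcat port, validates it against the local Windows trust store the way the handshake Rob describes does, and, if it fails, names the store the quoted Cisco guide says the missing cert belongs in. The hostname is a placeholder and 8443 is assumed to be the Tomcat port; nothing is imported.</p>

```powershell
# Added example, not from the thread. Checks whether the TLS certificate a
# CUCM/IMP node presents validates against this machine's Windows trust
# store, then names the store the quoted Cisco guide would have you import
# into: Trusted Root (Cert:\LocalMachine\Root) for a private CA's root cert,
# Enterprise Trust (Cert:\LocalMachine\Trust) for a self-signed server cert.
# $Server is a placeholder; 8443 is assumed to be the Tomcat port.
param(
    [string]$Server = "cucm.example.invalid",   # placeholder, replace
    [int]$Port = 8443
)

# Fetch the certificate the server presents. The callback accepts anything
# so the handshake completes; trust is decided by our own chain build below.
$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($Server)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# Build the chain as a client on this machine would: against the local trust
# store only. Revocation is left out because the question here is trust.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($leaf)

"Subject : $($leaf.Subject)"
"Issuer  : $($leaf.Issuer)"
"Expires : $($leaf.NotAfter)"
"Trusted : $trusted"
foreach ($st in $chain.ChainStatus) {
    "  {0}: {1}" -f $st.Status, "$($st.StatusInformation)".Trim()
}

if (-not $trusted) {
    # Subject equal to issuer is the usual sign of a self-signed server cert.
    if ($leaf.Subject -eq $leaf.Issuer) {
        "Self-signed server cert: export it and import into Enterprise Trust, e.g."
        "  Import-Certificate -FilePath .\tomcat.cer -CertStoreLocation Cert:\LocalMachine\Trust"
    } else {
        "Issuer not in the trust store: import the CA's ROOT cert (not this server cert), e.g."
        "  Import-Certificate -FilePath .\private-ca-root.cer -CertStoreLocation Cert:\LocalMachine\Root"
    }
}
```

Run it on a Jabber workstation rather than on the server, since it is that workstation's trust store that decides whether the user gets prompted.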
</body>
</html>