Solved: Re: JTAPI add certificate chain to the store

RITT · ‎01-17-2024

Hello,

I have a CTI appllication that works fine. Tried to secure the CTI connection following this very good guide.

https://community.cisco.com/t5/collaboration-knowledge-base/configuring-and-troubleshooting-secure-jtapi-cti/ta-p/3125041

I have a client and server certificate store (as shown in the guide) but I see verification errors in the security logs when attempting a TLS connection to CTI. My client certificate is signed by an offline certificate authority. When I look in the client keystore I only see one certificate.

My question is, to achieve a secure connection should I import the certificate signing chain into the client keystore?

Many thanks

RITT · ‎01-22-2024

I'm going to answer my own question after trying this out in a lab. Many thanks to @Gunnar Reiser for their post which really helped.
If your CUCM certificates are signed by a CA you need to do one of the following.

1.Provide a means for the Java application to verify the CA certificates, seems to be OCSP for Java applications
2.Include the CA signing certificate in the CTL file
3.Manually import the CA certificates into the server keystore

To achieve solution 2 (shamelessly stolen from @Gunnar Reiser post)

1. Download the Root CA and any intermediary CA files (in pem format) and then re-upload it as "Phone-CTL-trust" file (in the example below there is only a Root CA)
2. Then update the CTL file with the CLI command "utils ctl update CTLFile".
3. At a minimum, you will need to restart the "Cisco TFTP service" so TFTP can serve out the new CTL file.
4. After the update, it will add the Root CA into the CTL as function of GENERIC APPLICATION. Now when TSP downloads the CTL file it will also pull down the root CA files and fully trust the CallManager certificate.

To achieve solution 3

1. On the pc hosting your Java CTI application download the Root CA signing certificate.
2. Use the "keytool" Java command line application to import the Root CA certificate (from step 1 above) into your server keystore.
> keytool -import -trustcacerts -alias rootCA -file ca_root.cer -keystore JtapiServerKeyStore

Hope this helps.

View solution in original post

RITT · ‎01-22-2024

I'm going to answer my own question after trying this out in a lab. Many thanks to @Gunnar Reiser for their post which really helped.
If your CUCM certificates are signed by a CA you need to do one of the following.

1.Provide a means for the Java application to verify the CA certificates, seems to be OCSP for Java applications
2.Include the CA signing certificate in the CTL file
3.Manually import the CA certificates into the server keystore

To achieve solution 2 (shamelessly stolen from @Gunnar Reiser post)

1. Download the Root CA and any intermediary CA files (in pem format) and then re-upload it as "Phone-CTL-trust" file (in the example below there is only a Root CA)
2. Then update the CTL file with the CLI command "utils ctl update CTLFile".
3. At a minimum, you will need to restart the "Cisco TFTP service" so TFTP can serve out the new CTL file.
4. After the update, it will add the Root CA into the CTL as function of GENERIC APPLICATION. Now when TSP downloads the CTL file it will also pull down the root CA files and fully trust the CallManager certificate.

To achieve solution 3

1. On the pc hosting your Java CTI application download the Root CA signing certificate.
2. Use the "keytool" Java command line application to import the Root CA certificate (from step 1 above) into your server keystore.
> keytool -import -trustcacerts -alias rootCA -file ca_root.cer -keystore JtapiServerKeyStore

Hope this helps.