Hello, I've been trying to take advantage of the new Multiserver Certificate feature available in 10.5.
I appreciate anyone who can recall a recent deployment if they can share what certs they purchased for Jabber connect without issuing a certificate warning.
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/10_5_1/CUCM_BK_CE15D2A0_00_cucm-release-notes-1051/CUCM_BK_CE15D2A0_00_cucm-release-notes-1051_chapter_01.html#CUCM_RF_SEC52373_00
My goal is to purchase the least amount of SSL certificates from a public CA (for CUCM, IMP, Unity Connection, Expressway-C & E, WebEx Meeting Server) while still ensuring any Jabber client in the environment does NOT ever prompt for a security warning, across any platform (iOS, Android, Windows, Mac). We intend to deploy MRA and employ vpn-less Jabber.
It's hard to explain clearly since I have multiple questions all related. I have a few concerns based on the documentation that Cisco has supplied regarding the Jabber certificate verification process and what is required -
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html
and
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/10_5/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber/CJAB_BK_D6497E98_00_deployment-installation-guide-ciscojabber_chapter_01100.html
Both documents state I'll need an xmpp certificate in addition to the standard tomcat. I'm not fully convinced, do I actually need an xmpp cert, I don't recall ever needing it before in similar deployments, but I just can't say for sure. I thought I would only need xmpp for secure federation deployments?
1. Do I need an xmpp cert or would the tomcat certs be enough for Jabber to be happy?
2. If I do need it, what xmpp cert would it be, there are two options the cup-xmpp or the cup-xmpp-s2s? Documentation just says XMPP.
3. For the tomcat certificate for cucm and imp, does the multiserver cluster feature on cucm also include and cover the tomcat certs for the imp servers, since now they are considered more like subscribers in the cucm cluster, or do I need separate tomcat certs for imp servers as well with the feature allowing the imp nodes to share as well as the cucm nodes to share?
Basically I have it narrowed down to the following anticipating the certs I'll need, but I don't want to waste budget for certs I don't need. Based on the concerns and information above, would you say is this accurate?
Using the multiserver certificate feature -
A single tomcat cert for all CUCM & IMP
A single xmpp cert for all IMP
A single tomcat cert for all CUCXN
A single identity cert for VCS-E
A single identity cert for VCS-C
A single tomcat cert for WebEx
I appreciate anyone who can recall a recent deployment if they can share what certs they purchased for Jabber.
