Cisco Expressway Maintenance Manual
Also, when generating tomcat certificate signing requests for any products within the Cisco Collaboration Systems
Release 10.5.2, you need to be aware of
. You need to work around this issue to ensure that the
FQDNs of the nodes are in the certificates as Subject Alternative Names. The Expressway X8.5.2 Release Notes have
the details of the workarounds.
Expressway Certificates
The Expressway certificate signing request (CSR) tool prompts for and incorporates the relevant subject alternate
name (SAN) entries as appropriate for the Unified Communications features that are supported on that Expressway.
The following table shows which CSR alternative name elements apply to which Unified Communications features:
Subject Alternative Names to add (rows), when generating a CSR for these purposes (columns):

| Add these items as Subject Alternative Names | Mobile and Remote Access | Jabber Guest | XMPP Federation | Business to Business Calls |
|---|---|---|---|---|
| Unified CM registrations domains | Required on Expressway-E only | — | — | — |
| XMPP federation domains | — | — | Required on Expressway-E only | — |
| IM and Presence chat node aliases (federated group chat) | — | — | Required | — |
| Unified CM phone security profile names | Required on Expressway-C only | — | — | — |

Note:
■ You may need to produce a new server certificate for the Expressway-C if chat node aliases are added or renamed, when IM and Presence nodes are added or renamed, or when new TLS phone security profiles are added.
■ You must produce a new Expressway-E certificate if new chat node aliases are added to the system, or if the Unified CM or XMPP federation domains are modified.
■ You must restart the Expressway for any new uploaded server certificate to take effect.
More details about the individual feature requirements per Expressway-C / Expressway-E are described below.
Expressway-C server certificate requirements
The Expressway-C server certificate needs to include the following elements in its list of subject alternate names:
■ Unified CM phone security profile names: the names of the Phone Security Profiles in Unified CM that are configured for encrypted TLS and are used for devices requiring remote access. Use the FQDN format and separate multiple entries with commas.
  Having the secure phone profiles as alternative names means that Unified CM can communicate via TLS with the Expressway-C when it is forwarding messages from devices that use those profiles.
■ IM and Presence chat node aliases (federated group chat): the Chat Node Aliases (e.g. chatroom1.example.com) that are configured on the IM and Presence servers. These are required only for Unified Communications XMPP federation deployments that intend to support group chat over TLS with federated contacts.
  The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
  We recommend that you use DNS format for the chat node aliases when generating the CSR. You must include the same chat node aliases in the Expressway-E server certificate's alternative names.
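
The following is an added example, not part of the Cisco guide or any Cisco tool: a Python check that reads the text output of `openssl req -noout -text` (or `openssl x509 -noout -text`) and reports which SANs required by the table and notes above are missing for a given node. The rule keys, feature labels, inventory names and sample text are assumptions constructed for illustration.

```python
import re

# Assumed encoding of the table above: SAN element -> (feature, nodes needing it).
# "C" is Expressway-C, "E" is Expressway-E; all key names are illustrative.
RULES = {
    "ucm_registration_domains": ("mra", {"E"}),
    "xmpp_federation_domains": ("xmpp_federation", {"E"}),
    "chat_node_aliases": ("xmpp_federation", {"C", "E"}),
    "phone_security_profiles": ("mra", {"C"}),
}

def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().lower().rstrip(".")

def parse_dns_sans(openssl_text):
    """DNS SANs from `openssl req -noout -text` or `openssl x509 -noout -text`."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n([^\n]+)", openssl_text)
    if not m:
        return set()
    entries = (e.strip() for e in m.group(1).split(","))
    return {_norm(e[4:]) for e in entries if e.startswith("DNS:")}

def missing_sans(node, features, inventory, openssl_text):
    """Map each required-but-absent SAN to the table row that requires it."""
    present = parse_dns_sans(openssl_text)
    missing = {}
    for element, (feature, nodes) in RULES.items():
        if feature in features and node in nodes:
            for name in inventory.get(element, []):
                if _norm(name) not in present:
                    missing[_norm(name)] = element
    return missing

# Constructed sample data, not from a real deployment.
INVENTORY = {
    "ucm_registration_domains": ["example.com"],
    "xmpp_federation_domains": ["fed.example.com"],
    "chat_node_aliases": ["chatroom1.example.com", "chatroom2.example.com"],
    "phone_security_profiles": ["secure-profile.example.com"],
}
EXPC_CSR_TEXT = ("X509v3 Subject Alternative Name:\n    DNS:expc.example.com, "
                 "DNS:secure-profile.example.com, DNS:chatroom1.example.com\n")
EXPE_CERT_TEXT = ("X509v3 Subject Alternative Name:\n    DNS:expe.example.com, DNS:example.com, "
                  "DNS:fed.example.com, DNS:chatroom1.example.com, DNS:ChatRoom2.example.com\n")

if __name__ == "__main__":
    for node, text in (("C", EXPC_CSR_TEXT), ("E", EXPE_CERT_TEXT)):
        print(node, missing_sans(node, {"mra", "xmpp_federation"}, INVENTORY, text))
```

A non-empty result for a node corresponds to the cases in the note above where a new server certificate has to be produced, for example after a chat node alias is added.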
Cisco Expressway Administrator Guide