Alright. I can hear you yelling at the screen right now. @Warcop is back again trying to get me to run a dot zero release. Yes. Here I am and I come with reasons and cookies.

Let’s bust a couple of myths.
Myth #1: Dot zero releases are evil and should be sent back to the hell that they came from.
I at least have a couple of readers who feel that way. I know you and here’s the response. The call manager development team is not evil and they’re not out to get you. The code base that is call manager is very mature and portions of the call control code hasn’t changed in years. The team that works on dot zero releases is probably the same team that works on all the other releases. So I ask you a question in return. Why do you trust the person coding service updates more than the person coding the dot zero?

Myth #2: Call Manager dot zero releases should be considered a beta.
This myth is in an echo chamber outside of Cisco and within Cisco. Call manager releases come on schedule and if you notice there’s a predictable cadence. A dot zero release is what I consider a fork of an existing .5 release. If you browse the bug tool (yes I do this for fun) for any release you’ll likely notice fixes are published for a .5 and .0 release. So both release trains are getting the same bug fixes where applicable. So why do you trust 11.5SU5 more than 12.0SU1.

So if they contain some of the same bug fixes does that mean the code is the same? Don’t leave now! I have proof! The recent work on the Apple Push Notification service has required some fixes to the call manager service. So it’s no surprise that the APNS COP file to patch call manager applies to BOTH 11.5.1(SU3) and 12.0(1). The file that’s in this patch is the call manager binary and if it applies to both versions.. ZING! If you’ve applied CSCvf57440 to 11.5(su5) you’re running the same call manager binary as 12.0(1). Saying that a dot zero release is a beta is not accurate. A dot zero release is not described as beta software on the website or release notes.

There’s a wealth of reasons why you should be moving to version 12. I’m liking the security updates the most since that is top of mind with nearly everyone. Instead of listing all the features here the datasheet link is: https://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-communications-manager-callmanager/datasheet-c78-739475.html

The CCIE Collaboration lab is also being upgraded to Communications Manger version 12. If it’s good enough for the lab it should be good enough for you!

There are production clusters in the world running version 12 and they’re humming right along. Let’s face the reality that software updates are being released faster than most of us can absorb. So why not change the echo chamber to “Why would you not run the latest code?”

Here’s a quote I remember and reference often: “Updates are evil. Updates are only OK when I don’t read the release notes and click install.” — @swiftonsecurity

Bring the feedback @Warcop on Twitter

With the release of Communications Manager 11.5SU3 there is a change in licensing specific to encryption. The reason for this change is the need to meet certain export and regulatory requirements. Since the license file will be issued from Cisco directly to a user/customer they’ll have better control and visibility who is enabling mixed mode. I think the visibility part will be important for Cisco to understand how few customers are running mixed mode. Maybe that will encourage them to make some needed changes?

So what happens when you upgrade to 11.5SU3 and you have mixed mode enabled? You’ll get a warning that’ll you need to add an encryption license to Prime License Manger. Mixed mode will not be disabled on your cluster by installing this patch.

How do you get the license? Over at the product upgrade tool at the Cisco site you can use your contract or Spark calling subscription to obtain the $0 license CUCM-PLM-ENC-K9=. Install the issued license on Prime License Manager and synchronize with Communications Manager.

I encourage you to comment on this post as other technical details are discovered. It’s still unknown if there is a time limit on running mixed mode without this installed license file. Thanks!

Reference:
Cisco UCM Release Notes
CUCM Readme

There’s multiple reasons you might want to export the certificate from Cisco Expressway. Maybe you need to replace the server, move a certificate from one cluster node to another cluster node, back up the keys, or simply use it somewhere else.

Recently I was setting up a cluster and forgot to generate the key and CSR locally. Using OpenSSL locally the first time is the best way I’ve found to move, secure, and backup keys without needing an export. However, I forgot and generated the CSR on the Expressway node. I received the signed certificate from the CA and landed in this predicament. Expressway doesn’t have an export button so you have to go digging. Grab the shovel.

Fortunately you have root access to Cisco Expressway. (If we were only so lucky with Communications Manager.)

I’m not suggesting that any modifications be done with this method. Even though a quick poking around ssl.conf proves it’s not as complex as you’d think. We’re just looking at files.

SSH as root and you’ll find the certs in this directory.

cd /tandberg/persistent/certs

The two files server.pem and privkey.pem are the files you’re looking for. However, for sanity purposes I’ll show you how to verify this is the key you’re looking for. The public key modulus and the private key modulus should match.

If you want to verify the modulus block as part of the cert text then do this:

openssl x509 -in server.pem -text -noout

openssl rsa -in privkey.pem -text -noout

If you want to check it without the cert text:

openssl x509 -in server.pem -modulus -noout

openssl rsa -in privkey.pem -modulus -noout

And the real shortcut is using an md5 to match:

openssl x509 -in server.pem -modulus -noout | openssl md5

openssl rsa -in privkey.pem -modulus -noout | openssl md5

So now you’ve done the comparison, it matches and you want to grab the private key:

cat privkey.pem

Copy pasta the text block and save using your favorite editor. Now you have the files you need to upload to the other nodes using the GUI. Yes, there are ways to automate/move things around underneath without Expressway losing it’s mind, but this method is simple enough for everyone.

Introduced in UCM version 11 is the ability to synchronize groups from Active Directory. The primary driver is to have Active Directory groups available in the Cisco Jabber contact list.

One problem this brings up is that if you’re synchronizing from the base DN you’ll import all security groups. So you’ll need an effective filter to only get the groups you want. Generally speaking distribution groups are an ideal target for what you want represented in UCM and Jabber. The more granular you get will require more administration in Active Directory.

I’ll first outline the LDAP filters that will look for security groups and filter different types of groups. These are the bit values for each group and you’ll end up using the bitwise value.

All Security Groups with a type of Global
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))

All Security Groups with a type of Domain Local
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483652))

All Security Groups with a type of Universal
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656))

Values for the different group types:
Global = 2
Domain Local = 4
Universal = 8
Security Group = 2147483648
Distribution Group = no value

Using the above information we can then build LDAP filters to only import distribution groups. Since a distribution group doesn’t have a value you have to add the NOT operator to the query.

All Global Distribution Groups
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

All Domain Local Distribution Groups
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=4)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

All Universal Distribution Groups
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

Now what if you want distribution groups and security groups and want to select certain groups? Depending on how much additional administration you want in Active Directory you can pick a custom attribute. At this point all you have to do is look for the custom attribute not in use and populate it. Exchange 2010 SP2 and higher introduces 5 new multivalued attributes, but in this example we’re still using a custom attribute.

I recommend running some queries to determine if you have any custom attributes currently in use and then picking the next available value. You can use whatever value you would like just as long as it’s descriptive enough why it’s being used. In the examples below I’ve used “CiscoUCM” as a value to indicate the system thats using it in a query.

All Groups with Custom Attribute 1 – (Note the LDAP property is named extensionAttribute1)
(&(objectCategory=group)(extensionAttribute1=CiscoUCM))

Only Universal Distribution Groups with Custom Attribute 1
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8)(extensionAttribute1=CiscoUCM)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

I personally prefer the highest granular approach based on universal distribution groups and a custom attribute. This way the control is based on the source information and synchronized Cisco UCM/IMP information is kept to a minimum.

Happy filtering!

Cisco Jabber version 11 is significant in many ways and it’s difficult to outline all of the details in a single post. First and foremost Cisco is continuing to show that cross-platform feature parity, mobile first, and secure first is a leading part of the strategy.

Enterprise groups, persistent chat, and WebEx CMR escalation are three things significant enough to mention. There are some future integrations that will be better shown than blogging about.

There is a lot of work happening back at Cisco and I’m sure the Jabber team backlog is growing. In the meantime I highly recommend taking a look at the videos below to become a little more familiar with Cisco Jabber 11.

Check out these new Jabber 11 Videos

• Cisco Jabber for Android 11: Overview
• Cisco Jabber for Android 11: In call Features
• Cisco Jabber for iPhone and iPad 11: Overview
• Cisco Jabber for iPhone and iPad 11: In call Features
• Cisco Jabber for Mac 11: Introduction
• Cisco Jabber for Mac 11: Contacts
• Cisco Jabber for Windows 11: Introduction
• Cisco Jabber for Windows 11: Personalize Your Jabber

The release notes detailing the new features:

• Cisco Jabber for Windows 11.0 Release Notes
• Cisco Jabber for Mac 11.0 Release Notes
• Cisco Jabber for iPhone and iPad 11.0 Release Notes
• Cisco Jabber for Android 11.0 Release Notes
• Cisco Virtualization Experience Media Engine for Windows 11.0 Release Notes
• Cisco Virtualization Experience Media Engine for SUSE Linux 11.0 Release Notes

With VMware 5.5 showing up everywhere including Cisco collaboration specific hosts I found it was time to look into the use of latency sensitivity. Please don’t run off and turn this on without a proper understanding of what you’re changing on your UC cluster especially if you’re not follow co-residency guidelines. (That was a disclaimer and why wouldn’t you follow co-res guidelines anyway?)

When scoping or designing a UC cluster that involves Unity Connection there was always an extra core reservation for the VMware scheduler. With VMware 5.5 and the ability to specify latency sensitivity we don’t need to have one core sitting idle.

The reason this is important was due to core oversubscription and the co-residency guidelines published by Cisco. For example; if your host has 12 cores you can now safely lay out the VM reservations across all 12 cores and not 11 cores. This only applies if you have an active Unity Connection VM on the host machine. All other VMs on the host must have the latency sensitivity set to “normal”. Only the Unity Connection VMs will be set to “high”.

So now you’re wondering how do I cut it on? First it has to be modified while the machine is powered off, and if you have vSphere Web Client it is simple as “VM Options | Advanced settings | Edit | Latency Sensitivity = High”.

OK – I see this yellow exlaimation point and what is about to happen? The warning is to let you know this should be performed on a VM that has CPU reservation. If you used the OVA to deploy Unity Connection and have not changed vCPU amounts or reservations you’re in the clear to proceed.

Since most UC clusters and ESXi hosts specific for collaboration are not joined to vSphere you need a way to turn on latency sensitivity without vSphere Web.

• Using the vSphere client edit the settings of the Unity Connection VM.
• Click Options | Advanced-General | Configuration
• First scan to see if “sched.cpu.latencySensitivity” is in the configuration parameters.
• If the setting does not exist click “Add Row”
  • Name = sched.cpu.latencySensitivity
  • Value = high
• Click OK | OK

Don’t forget to power it back on. 🙂

There has been a flurry of activity lately when it comes to Jabber and certificate warnings. Jabber adoption is growing and being exposed to a lot of different installations of Communications Manager and IM & Presence.

Not only do we have the adoption rate skyrocketing but we’re also seeing the development cycle becoming extremely fast. In the last 2 months I believe I’ve counted 4 minor releases to just 1 train of Jabber. This is presenting several challenges between the development and the deployment of Cisco Jabber. The technical information, deployment recommendations, and caveats are not being consumed fast enough in the field to understand the nuances of getting it to work. All of this is a great effort by Cisco but I do believe there could be a better way getting technical notes out to the field.

Certificate warnings are something that just isn’t acceptable. If your workaround is telling someone to ‘Click Accept’ then you’re not doing something right. We’re dealing with a client application and parts of the CUCM system that in the past have rarely needed to be touched. If communications manager and presence were installed for telephony only there are many things lacking to get these certificate warnings to go away.

Here is the latest information straight from Cisco regarding the certificates you need to adjust depending on the products you have deployed.

Required Certificates for On-Premises Servers On-premises servers present the following certificates to establish a secure connection with Cisco Jabber:

So let’s break this table down into something a little more understandable. On Communications Manager this involves uploaded valid CA certificates to callmanager-trust and tomcat-trust. Once those are uploaded you need to generate a CSR for callmanager.pem and tomcat.pem. Even though you can sign all your CUCM nodes with one SAN certificate there are several caveats with this and my personal recommendation is to continue signing each CUCM node with its own certificate.

On IM & Presence you need to upload valid CA certificates to cup-trust, cup-xmpp-trust, and tomcat trust. Once that is complete you need to generate the CSR and sign cup, cup-xmpp, cup-xmpp-s2s, and tomcat.

On Unity Connection you’ll only need to upload and sign the tomcat certificate.

One Expressway-CORE you’ll need to upload the valid CA certificate and generate a server certificate. On Expressway-EDGE you’ll 100% need a public signed CA certificate for the server certificate. If you’re not going to use Expressway for B2B communications and every device using Jabber MRA has managed certificates you MIGHT get away with a private CA signed certificate, but I still wouldn’t recommend it.

These certificates need to be x509v3 compliant for server authentication, client authentication, and ipsec. If you’re looking for the exact settings needed I have the certificate template EKUs below. All of the certificates can all be signed by a Microsoft CA with an x509v3 compliant template.

Version: V3
SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)

Extension: ExtKeyUsageSyntax (OID.2.5.29.37)
Critical: false
Usage oids: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.5, 1.3.6.1.5.5.7.3.2,

Extension: KeyUsage (OID.2.5.29.15)
Critical: false
Usages: digitalSignature, nonRepudiation,keyEncipherment,dataEncipherment

The callmanager certificate also has keyAgreement usage but this is mutually exclusive of keyEncipherment per RFC 3280. The keyCertSign is also not needed as an EKU because this isn’t a self-signed certificate. Your callmanger certificate is perfectly valid without these two EKUs. My x509v3 template typically includes nonRepudiation to allow the certificate template to be used for VMware servers.

A final reminder is if you truly want to support all client types without doing managed PKI go ahead and save yourself a lot of headache and get public CA signed certificates for all of this.

So you’ve done all of that and you still get a certificate warning?

There is a good possibility you have certificates correct but you’re still getting these prompts. Let’s understand this issue a little deeper before I get to the long term fix. SSL certificate validation is based on the client and server agreeing to the subject name or SAN name. For example, if you have a valid and trusted certificate on a web server and you browse to https://10.1.1.0 you’re going to get a certificate warning from your browser. This is because you told the browser you wanted a secure connection to 10.1.1.0 but the server sends back a certificate the the name webserver.domain.com. The same thing is happening underneath Jabber between CUCM, CUPS and Expressway. When Jabber connects to CUCM via UDS or CTI the server may be responding with an IP address even though you’ve requested the FQDN. SO WAIT – isn’t that a reverse of what you just said? Absolutely it is but the same principle applies. The CUCM and CUPS “System > Server” setting is giving you this problem. So while Jabber tries to connect to CUCM via cucm-node1.domain.com the UDS/CTI is responding with https://10.1.1.20 which will be the IP address of the node.

So now what – I can’t just go and change that “System > Server” value without breaking the whole cluster! This is where some additional pain points may come into play. The “System > Server” value controls quite a few communications between cluster nodes and endpoints. This value is essentially put into the phone configuration files that are downloaded. Over the years Cisco SRND and guides have flip flopped with the recommendation here. There have also been several bugs along the way using hostname or FQDN. Now we’re to a point where FQDN is the standard and any bugs will need to be fixed to support FQDN. My first recommendation is make sure you’re on the latest versions of CUCM and CUPS and this is super important if you’re serious about the Jabber deployment.

Some have opted to put the hostname or IP address of the “System > Server” values into the SAN certificate fields that are uploaded to the servers. While this sounds like an OK workaround that particular SSL certficate it still invalid per the CA/Browser forum. It may “work” but at this point in time it is more of a hack. You can read the full details of this CA/Browser change at https://www.digicert.com/internal-names.htm

I know this post got a little long but it’s really important stuff to get your deployment up to the new standards, using valid certificates, and keeping certificate warning prompts away from your users.

Thanks and feel free to comment or reach me on Twitter!