Decrypt HTTPS traffic from UC Servers using wireshark

During login, the Jabber client communicates with several UC servers such as CUPS, CUCM and Unity Connection for authentication, config file download and registration. Most of this traffic is carried over HTTPS/XML. Therefore, in order to take a deep dive into the Jabber client login sequence and see exactly what happens during Jabber login, the HTTPS traffic between the Jabber client and the UC servers has to be decrypted. Two steps are needed: download the private key from the UC server, then load the private key into Wireshark for decryption.

  1. Download private key from UC Server
    Firstly, download the Red Hat Enterprise Linux 5 (32-bit) image and use it to gain root access to your Linux-based UC server. Here is the step-by-step guide for your reference: Modify License MAC of Linux-based appliance on VM.
    After gaining root access to your UC server through the CLI, navigate to /usr/local/platform/.security/tomcat/keys/ and locate tomcat_priv.pem. Then use SFTP, FTP or TFTP to download tomcat_priv.pem to your local PC.

    Last login: Sat Apr 12 13:28:15 2014
    [root@CUCM912 ~]# cd /usr/local/platform/.security/tomcat/keys/
    [root@CUCM912 keys]# dir
    tomcat.passphrase  tomcat_priv.der  tomcat_priv.pem  tomcat-trust.passphrase

    [root@CUCM912 keys]# tftp 192.168.10.254
    tftp> put /tomcat_priv.pem


  2. Input Server Private Key Into Wireshark
    Open the Wireshark packet capture file (*.pcap), go to Edit > Preferences > Protocols > SSL, and click New to add the private key file (*.pem). Associate it with the UC server IP address, the port (8443 or 443, depending on which port the HTTPS traffic uses) and the protocol (HTTP), and leave the password blank. Then click Apply and OK; the decrypted HTTPS traffic is shown instantly.
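As an added example that is not part of the original post: before loading the key, it is worth confirming that the captured session actually negotiated an RSA key-exchange cipher suite, because Wireshark can only derive the session keys from the server's private key for those suites, not for (EC)DHE suites or TLS 1.3. The script below parses a TLS ServerHello record and reports whether the key-based approach can work; the two sample records are constructed here, not taken from a real capture.

```python
"""Check whether a captured TLS ServerHello negotiated a cipher suite that
Wireshark can decrypt using only the server's RSA private key (tomcat_priv.pem)."""
import struct

# Cipher suites whose key exchange is plain RSA: the client encrypts the
# pre-master secret to the server's public key, so the private key recovers it.
# Subset of the IANA TLS Cipher Suite registry values.
RSA_KX_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}

def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello; return version and cipher suite."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a Handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:]                          # skip handshake type + 3-byte length
    version = struct.unpack("!H", body[:2])[0]
    sid_len = body[34]                     # after 2-byte version + 32-byte random
    off = 35 + sid_len
    suite = struct.unpack("!H", body[off:off + 2])[0]
    return {"version": version, "cipher_suite": suite}

def decryptable_with_server_key(record):
    """Return (True, suite name) if the server key alone can decrypt the session."""
    suite = parse_server_hello(record)["cipher_suite"]
    if suite >> 8 == 0x13:                 # 0x13xx are TLS 1.3 suites, always (EC)DHE
        return False, "TLS 1.3 session: needs a key log file, not the server key"
    name = RSA_KX_SUITES.get(suite)
    if name:
        return True, name
    return False, "cipher suite 0x%04X uses (EC)DHE key exchange" % suite

def _server_hello(suite):
    """Build a minimal constructed TLS 1.2 ServerHello record (no extensions)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

SAMPLE_RSA = _server_hello(0x002F)    # constructed: TLS_RSA_WITH_AES_128_CBC_SHA
SAMPLE_ECDHE = _server_hello(0xC02F)  # constructed: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```

If the check reports an (EC)DHE suite, the tomcat private key will not decrypt that session in Wireshark no matter how it is configured.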