Certificate validation problem with CUCM SDB

tferitferi — Fri, 01 Mar 2019 10:49:57 GMT

Hi,

I’d like to configure a secure phone XML service in CUCM. I want to add a phone button service but using HTTPS protocol.

CUCM: not in mixed mode
Service certificate has been imported into CUCM as tomcat-trust
I have a service implemented as a Tomcat servlet and service has been bound into a phone service with these URLs:
- Service URL: http://192.168.5.36:8080/app/callback?page=missed&dev=#DEVICENAME#
- Secure-Service URL: https://192.168.5.36:8443/app /callback?page=missed&dev=#DEVICENAME#

When I push phone button and call the service I’ve get ‘Host not found’ message on phone device.

When a phone initializes a HTTPS connection to a server it validates server certificate from remote trust store (provided by CUCM). This is a SBD (Security by Default) Cisco feature.

In my environment phone is not able to validate server certificate because phone is not able to connect to remote trust store (CUCM).

It tries to access CUCM by DNS name, but it’s not supported (see in log above).

Is there any configuration issue in our environment?

Log about CUCM SBD certificate validation downloaded from phone:

2867: NOT 16:25:59.512685 SECD: srvr_cert_vfy: Server Certificate Validation needs to be done

2868: NOT 16:25:59.514375 SECD: findByIssuerAndSerialAndRoleInTL: Searching TL from CTL file

2869: NOT 16:25:59.515189 SECD: findByIssuerAndSerialAndRoleInTL: Searching TL from ITL file

2870: WRN 16:25:59.515895 SECD: WARN:getSubjectCTLentry: default lookup failed, try lookup using DN

2871: NOT 16:25:59.516565 SECD: findByCertAndRoleInTL: Searching TL from CTL file

2872: NOT 16:25:59.517240 SECD: findByCertAndRoleInTL: Searching TL from ITL file

2873: ERR 16:25:59.517933 SECD: EROR:https_cert_vfy: HTTPS cert not in CTL, <192.168.5.36>

2874: NOT 16:25:59.522492 SECD: setupSocketToTvsProxy: TVS client sock fd 10 bound to </tmp/secClntTvs_119_6359>

2875: NOT 16:25:59.523701 SECD: setupSocketToTvsProxy: Connected to TVS proxy server

2876: NOT 16:25:59.524990 SECD: clpTvsInit: Client message received on TVS proxy socket

2877: NOT 16:25:59.526147 SECD: processTvsClntReq: Success reading the client TVS request, len : 3708

2878: NOT 16:25:59.526950 SECD: processTvsClntReq: TVS Certificate Authentication request

2879: NOT 16:25:59.527660 SECD: lookupAuthCertTvsCacheEntry: No matching entry found at cache

2880: NOT 16:25:59.528372 SECD: processTvsClntReq: No server sock exists, must be created

2881: NOT 16:25:59.532634 SECD: getTvsServerInfo: Phone in IPv4 only mode

2882: NOT 16:25:59.533333 SECD: getTvsServerInfo: Retreiving IPv4 address

2883: NOT 16:25:59.533994 SECD: getTvsServerInfo: TVS retry count 0

2884: NOT 16:25:59.534727 SECD: getTvsSrvrSock: TVS server info: IP : BAL-CUCM-01, tvsPort : 2445, ipMode : 0, timeout : 10, dscpValue : 96, srvrRetries : 0

2885: NOT 16:25:59.535611 SECD: secSock_send_clnt_reqs: trying conn to <BAL-CUCM-01:2445>

2886: NOT 16:25:59.537932 SECD: secSock_send_clnt_reqs: SSL/TLS waiting, <BAL-CUCM-01:2445>, fd 13

2887: NOT 16:25:59.538709 SECD: connectToTvsServer: Send buffer size on TVS server socket set to <4096>

2888: NOT 16:25:59.539443 SECD: connectToTvsServer: Successfully started a TLS connection establishment to the TVS server: IP:BAL-CUCM-01, port:2445(default); Waiting for it to get connected.

2889: NOT 16:25:59.541687 SECD: tvsReqAuthenticateCertificate: Sent Request to TVS proxy, len: 3708

2890: NOT 16:25:59.542430 SECD: tvsReqAuthenticateCertificate: Waiting for response from TVS Proxy

2891: NOT 16:25:59.543341 SECD: clpGetConnParams: IP Mode is 0, addr : BAL-CUCM-01

2892: ERR 16:25:59.544082 SECD: EROR:clpGetConnParams: Server address passed in as DNS name.Not supported in SECD

2893: ERR 16:25:59.544787 SECD: EROR:clpSetupSsl: conn req has bad target addr <BAL-CUCM-01> c:14

2894: ERR 16:25:59.545503 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, <> c:14 s:-1

2895: ERR 16:25:59.546222 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr<>

2896: ERR 16:25:59.546899 SECD: EROR:secErr_errStr: *** bad err table ***

2897: ERR 16:25:59.547587 SECD: EROR:secErr_errStr: ** SEC-ERR: code:1(N/A) subcode:10(BAD_ADDR)

2898: ERR 16:25:59.548244 SECD: EROR:clpSndStatus: ** SEC-ERR: desc <bad target addr>

2899: NOT 16:25:59.549137 SECD: clpTvsInit: select returned the TVS proxy server socket, fd : 13

2900: ERR 16:25:59.549899 SECD: EROR:secSock_isConnected: ** failed to connect to target

2901: ERR 16:25:59.550698 SECD: EROR:secErr_errStr: *** bad err table ***

2902: ERR 16:25:59.551398 SECD: EROR:secErr_errStr: ** SEC-ERR: code:1(N/A) subcode:10(BAD_ADDR)

2903: ERR 16:25:59.552068 SECD: EROR:secSock_isConnected: ** SEC-ERR: desc <bad target addr>

2904: ERR 16:25:59.552742 SECD: EROR:checkTvsSrvrConn: Failed to get TVS TLS session connected - setup failed

2905: NOT 16:25:59.553430 SECD: cleanupTvsSrvrSock: Clearing TVS proxy server socket, fd : 13

Re: Certificate validation problem with CUCM SDB

Geevarghese Cheria — Fri, 01 Apr 2016 08:38:11 GMT

Hi Ferenc,

Apologies for the delay in responding to you, I would request you to find this url - SSL Problem from CUCM for related information. And also post if there is any questions related to the topic under AXL community.

Thanks and Regards,

Geevarghese

topic Re: Certificate validation problem with CUCM SDB in DevNet General Discussions

Certificate validation problem with CUCM SDB

Re: Certificate validation problem with CUCM SDB