Can you run Finesse without certificates?

rowdygardner
Level 1

UCCX 10.6

We are getting a lot of Certificate errors when connecting to Finesse using Internet explorer 11. We have been working with Cisco TAC for a fix for over a week and we still cannot get it operational.

The way certificates work is confusing and as multiple parties need to be involved to get it working, it's taking a lot longer than expected to resolve this issue. This is preventing agents from being able to login to Finesse and answer phone calls. They now have to go back and use CAD, which has always worked without any issues.

To me there is no need to use certificates with Finesse, as the computers need to be on our private network to be able to access the UCCX server and everyone needs an AD login and be setup in UCCX as an agent to access it. So why is a Certificate required?

Is it possible to run Finesse without Certificates?

Accepted Solution

Slavik Bialik
Level 7

It is possible to run UCCX without certificates; it'll use its own self-signed certificate. The problem with using a self-signed certificate is that the computers don't trust it, and every time an agent tries to log in it'll prompt him with an annoying message that he needs to accept the certificate, one by one. If he does this 'pain-in-the-ass' process of accepting the certificate it should log in fine. You can also install the self-signed certificate on the local PC so the PC will trust it later.

That's why it is recommended to sign the certificate in your organization's Root CA, where all the PCs reside, so they'll trust each other.

By the way, can you check the hashing algorithm of your self-signed certificate (or the signed one, if you already signed it)? Is there a chance it uses SHA-1? If so, that is probably your problem, as Microsoft already deprecated the use of certificates using SHA-1, and services still signed with this hashing algorithm won't work anymore after Microsoft updates.

If it uses SHA-1, you'll have to re-produce a self-signed SHA-256 certificate, or make a CSR to sign it in your Root CA. BUT, make sure your Root CA is also signing with SHA-256 (or SHA-2); if not, your system team will somehow have to change the Root CA so that it will be able to do that (not an easy process if using Windows Server 2012 and above).

4 Replies

You started off by saying that you can run Finesse without certs, but then said it will use self-signed certs. So, technically that's still using certs. If someone was wondering if you could use Finesse without TLS, then the answer is no. I think in UCCE you can use Finesse without TLS on HTTP port 8082. However, UCCX cannot do this. So, certs are required.

Another thing people miss with certs, is that the server FQDN now needs to be in the SAN, and not just the CN.

And last but not least, depending on your version of UCCX, you might have to disable the Tomcat ECDSA cert with the COP file, unless you're prepared for it; and if you're already having cert issues, it's likely ECDSA is not helping you.
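
The two certificate checks raised in this thread (a SHA-1 signature, and the server FQDN present only in the CN rather than the SAN) can be verified on a certificate before it is uploaded to the server. The Go example below is added here and is not from this thread or from Cisco; the hostname is a constructed placeholder, and SelfSigned only builds a test certificate so the checks can be run offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// CertIssues lists the two problems discussed in the thread: a SHA-1 (or
// weaker) signature, and the server FQDN appearing only in the CN, not in the SAN.
func CertIssues(cert *x509.Certificate, fqdn string) []string {
	var issues []string
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		issues = append(issues, "signed with "+cert.SignatureAlgorithm.String()+"; reissue with SHA-256")
	}
	inSAN := false
	for _, name := range cert.DNSNames {
		inSAN = inSAN || strings.EqualFold(name, fqdn)
	}
	if !inSAN {
		issues = append(issues, "FQDN "+fqdn+" is not in the SAN (CN alone is not enough)")
	}
	return issues
}

// SelfSigned builds a constructed self-signed test certificate (ECDSA P-256,
// SHA-256) with the given CN and SAN list, standing in for the server's own cert.
// To check a real one, pass its DER bytes to x509.ParseCertificate and then to CertIssues.
func SelfSigned(cn string, sans []string) (*x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```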

Another thing people miss with certs, is that the server FQDN now needs to be in the SAN, and not just the CN.

Chrome needs that but I don't think IE does. Also, be aware of this SAN issue.

SAN Issue with Third Party Signed Certs

Regards,

Geoff

We have regenerated certificates as SHA256, had them CA Signed and uploaded back to UCCX.

Finesse now works in Internet Explorer without any Certificate errors or warnings.

The end users now love Finesse.