Cisco Unified CM Authentication Failed because of SSLException.

Ibrahim Jamil
Level 6

Hi Friends

I'm getting the below errors while integrating CCX 12.5.1 with UCM 12.5.1. Kindly advise.

Cisco Unified CM Authentication Failed because of SSLException. Ensure that the Tomcat self-signed certificates from all AXL providers are uploaded to the Tomcat trust through Cisco OS Administrator

1 Accepted Solution

Chris Deren
Hall of Fame

Did you see this in the CCX install guide:

  • If the Cisco Unified Communications Manager (CUCM) cluster is using the self-signed certificate, then upload Tomcat certificates from all the nodes of CUCM cluster into the Unified CCX Tomcat trust store. To upload certificates, use the Cisco Unified OS Administration interface (for example, https://<uccx-hostname>/cmplatform) or the set cert import trust tomcat CLI.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_12_5/install/guide/uccx_b_125install-and-upgrade-guide/uccx_b_125install-and-upgrade-guide_chapter_010.html

Hello Chris

Why does this come with CCX 12.5 :(

CCX 11.6 was straight :)

Bro Chris, any YouTube video for such matter to follow?

Thanks

I did not know that either, found it in the guide when researching your post :)  Cisco must have decided in their wisdom that trusted AXL connection is a must :)

Thanks Chris, really appreciate it. I'm going to mark it as the accepted solution to let other guys know the resolution for such an issue.

Thanks

That's also in the upgrade section for anyone upgrading to 12.5, and it's also in the Release Notes, for anyone planning an install or upgrade. Once again, proving that although documentation can be wrong at times, it's absolutely critical to read it.

Indeed, always review at minimum Upgrade Guide, Release Guide and ReadMe (if one is available) before planning any upgrade. The simplest things can make your upgrade a disaster. 

For my site, we use a CA-Signed Multi-SAN tomcat certificate that covers all 5 nodes of our CUCM.  We had to do this so our IdP would set up SAML-SSO.  There are no self-signed CA-Certs.

Running 12.5 CUCM and just rebuilt our 11.5 CCX into 12.5ES01.  Getting this error when I try to set up the CCX_axl, would I do the same process even though there is just one Cert for all 5 UCM nodes?

If your CCX Tomcat cert is signed by the same CA then you should not need to do that.  If they are signed by a different CA or CCX does not have the "common" Root cert installed then just upload the Tomcat cert from CUCM onto CCX per the instructions.

Excellent, so I am a touch ahead of myself then.  Currently the CCX is self signed with Tomcat, but will be signed by the same intermediary and root once I get off my backside and submit the CSR.

Have you added the root and, if applicable, intermediate CA certificates to the tomcat trust store in CCX to see if that sorts this out? If that does not do it you would likely need to upload the CM MSAN certificate into the tomcat trust store in CCX and also the CA certificate(s) likely.

For either of these you’d need to restart tomcat on both the CCX nodes for it to recognise the new certificates.




Yeah, I loaded up the root and sub certs that are in the chain of the CA signed Certs.  TAC came in and put in the MSAN from the UCM Pub, and the self signed EC tomcat certs from the other nodes. This left me at a loss for the process, and didn't fix what I was seeing heh.

I was looking through the documentation and ran the show cert own tomcat on all nodes and as predicted, they all came back with the same key, so I don't even know if running set cert import trust tomcat 5 times with the same key would get me anywhere.
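
Added example (not part of the thread and not Cisco code): the thread distinguishes self-signed Tomcat certificates, one per CUCM node, from a single CA-signed Multi-SAN certificate shared by every node. This Python code groups nodes by the SHA-256 fingerprint of the certificate they present and flags certificates whose issuer equals their subject, so identical certificates are counted once. The hostnames and the unsigned certificate skeletons are constructed sample data, and "self_signed" here means issuer equals subject without checking the signature.

```python
import hashlib

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    pos = _tlv(der, _tlv(der, 0)[1])[1]  # enter Certificate, then tbsCertificate
    if der[pos] == 0xA0:                 # optional [0] version field
        pos = _tlv(der, pos)[2]
    fields = []
    for _ in range(5):                   # serial, sigAlg, issuer, validity, subject
        end = _tlv(der, pos)[2]
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def trust_plan(node_certs):
    """Group {host: DER cert} by SHA-256 fingerprint; flag issuer == subject certs."""
    plan = {}
    for host, der in sorted(node_certs.items()):
        fp = hashlib.sha256(der).hexdigest()
        issuer, subject = issuer_and_subject(der)  # equal Names: self-issued
        plan.setdefault(fp, {"nodes": [], "self_signed": issuer == subject})["nodes"].append(host)
    return plan

def _enc(tag, body=b""):  # minimal DER encoder, short lengths only
    return bytes([tag, len(body)]) + body

def sample_cert(subject_cn, issuer_cn):  # constructed, unsigned skeleton (sample data)
    def name(cn):  # Name with a single commonName (OID 2.5.4.3) attribute
        return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30)
           + name(issuer_cn) + _enc(0x30) + name(subject_cn))
    return _enc(0x30, _enc(0x30, tbs))

def sample_cluster():  # constructed: two self-signed nodes, two sharing one CA-signed cert
    shared = sample_cert("cucm.example.test", "Example Issuing CA")
    certs = {h: sample_cert(h, h) for h in ("cucm-a.example.test", "cucm-b.example.test")}
    return {**certs, "cucm-c.example.test": shared, "cucm-d.example.test": shared}

if __name__ == "__main__":
    for fp, e in trust_plan(sample_cluster()).items():
        print(fp[:16], "self-signed" if e["self_signed"] else "CA-signed", e["nodes"])
```

For live nodes, ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))) from the Python standard library returns the DER bytes trust_plan expects; that fetch performs no validation, so use it for inspection only.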