02-09-2020 11:54 AM
Hi Friends
I'm getting the below errors while integrating CCX 12.5.1 with UCM 12.5.1. Kindly advise.
Cisco Unified CM Authentication Failed because of SSLException. Ensure that the Tomcat self-signed certificates from
all AXL providers are uploaded to the Tomcat trust through Cisco OS Administrator
02-12-2020 07:37 AM
Did you see this in the CCX install guide:
If the Cisco Unified Communications Manager (CUCM) cluster is using the self-signed certificate, then upload Tomcat certificates from all the nodes of CUCM cluster into the Unified CCX Tomcat trust store. To upload certificates, use the Cisco Unified OS Administration interface (for example, https://<uccx-hostname>/cmplatform) or the set cert import trust tomcat CLI.
02-12-2020 09:25 AM
Hello Chris
Why does this come with CCX 12.5 :(
CCX 11.6 was straight :)
Bro Chris, is there any YouTube video on this matter to follow?
Thanks
02-12-2020 10:26 AM
I did not know that either, found it in the guide when researching your post :) Cisco must have decided in their wisdom that a trusted AXL connection is a must :)
02-13-2020 02:25 AM
Thanks Chris, really appreciate it. I'm going to mark it as the accepted solution to let other guys know the resolution for such an issue.
Thanks
02-13-2020 09:23 AM
02-14-2020 06:13 AM
Indeed, always review at minimum Upgrade Guide, Release Guide and ReadMe (if one is available) before planning any upgrade. The simplest things can make your upgrade a disaster.
09-14-2021 07:46 AM
For my site, we use a CA-Signed Multi-SAN tomcat certificate that covers all 5 nodes of our CUCM. We had to do this so our IdP would set up SAML-SSO. There are no self-signed CA-Certs.
Running 12.5 CUCM and just rebuilt our 11.5 CCX into 12.5ES01. Getting this error when I try to set up the CCX_axl. Would I do the same process even though there is just one Cert for all 5 UCM nodes?
09-14-2021 08:10 AM
If your CCX Tomcat cert is signed by the same CA then you should not need to do that. If they are signed by a different CA or CCX does not have the "common" Root cert installed then just upload the Tomcat cert from CUCM onto CCX per the instructions.
09-14-2021 09:19 AM
Excellent, so I am a touch ahead of myself then. Currently the CCX is self signed with Tomcat, but will be signed by the same intermediary and root once I get off my backside and submit the CSR.
09-14-2021 08:46 AM - edited 09-14-2021 10:03 AM
Have you added the root and, if applicable, intermediate CA certificates to the tomcat trust store in CCX to see if that sorts this out? If that does not do it, you would likely need to upload the CM MSAN certificate into the tomcat trust store in CCX and also the CA certificate(s) likely.
For either of these you’d need to restart tomcat on both the CCX nodes for it to recognise the new certificates.
09-14-2021 09:33 AM
Yeah, I loaded up the root and sub certs that are in the chain of the CA signed Certs. TAC came in and put in the MSAN from the UCM Pub, and the self signed EC tomcat certs from the other nodes. This left me at a loss for the process, and didn't fix what I was seeing heh.
I was looking through the documentation and ran the show cert own tomcat on all nodes and as predicted, they all came back with the same key, so I don't even know if running set cert import trust tomcat 5 times with the same key would get me anywhere.
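An added example, not part of the original thread and not Cisco tooling: given the PEM text saved from show cert own tomcat on each CUCM node, it groups nodes by the SHA-256 fingerprint of the decoded certificate, so line wrapping or CRLF differences do not hide that several nodes present the same multi-SAN certificate and only one trust import is needed for them. The node names and certificate bytes are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import re
import textwrap
from collections import defaultdict

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(cli_output):
    """SHA-256 over the DER bytes of each PEM block found in the text."""
    result = []
    for body in PEM_RE.findall(cli_output):
        # Drop all whitespace so wrapping width and CRLF do not matter.
        der = base64.b64decode("".join(body.split()))
        result.append(hashlib.sha256(der).hexdigest())
    return result

def group_nodes_by_cert(outputs):
    """Map fingerprint -> nodes presenting it (one trust import per key)."""
    groups = defaultdict(list)
    for node, text in outputs.items():
        for fp in fingerprints(text):
            groups[fp].append(node)
    return dict(groups)

def make_pem(der, width=64, eol="\n"):
    """Build a PEM block from bytes; used only for the constructed sample."""
    b64 = base64.b64encode(der).decode()
    lines = ["-----BEGIN CERTIFICATE-----",
             *textwrap.wrap(b64, width),
             "-----END CERTIFICATE-----"]
    return eol.join(lines) + eol

# Constructed sample: placeholder bytes, hypothetical node names.
MSAN = b"constructed multi-SAN tomcat cert " * 8
OTHER = b"constructed self-signed tomcat cert " * 8
SAMPLE = {
    "cucm-pub": make_pem(MSAN),
    "cucm-sub1": make_pem(MSAN, width=76),            # different wrapping
    "cucm-sub2": "saved output\r\n" + make_pem(MSAN, eol="\r\n"),
    "cucm-sub3": make_pem(MSAN),
    "cucm-sub4": make_pem(OTHER),                     # a node with its own cert
}

if __name__ == "__main__":
    for fp, nodes in group_nodes_by_cert(SAMPLE).items():
        print(fp[:16], "->", ", ".join(nodes))
```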