Solved: Cisco Unified CM Authentication Failed because of SSLException.

Ibrahim Jamil · ‎02-09-2020

Hi Freinds

I m getting the below errors while integrating CCX 12 5 1 With UCM 12.5.1 , Kindly Advise

Cisco Unified CM Authentication Failed because of SSLException. Ensure that the Tomcat self-signed certificates from

all AXL providers are uploaded to the Tomcat trust through Cisco OS Administrator

Chris Deren · ‎02-12-2020

Did you see this in the CCX install guide:

If the Cisco Unified Communications Manager (CUCM) cluster is using the self-signed certificate, then upload Tomcat certificates from all the nodes of CUCM cluster into the Unified CCX Tomcat trust store. To upload certificates, use the Cisco Unified OS Administration interface (for example, https://<uccx-hostname>/cmplatform) or the set cert import trust tomcat CLI.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_12_5/install/guide/uccx_b_125install-and-upgrade-guide/uccx_b_125install-and-upgrade-guide_chapter_010.html

View solution in original post

Chris Deren · ‎02-12-2020

Did you see this in the CCX install guide:

If the Cisco Unified Communications Manager (CUCM) cluster is using the self-signed certificate, then upload Tomcat certificates from all the nodes of CUCM cluster into the Unified CCX Tomcat trust store. To upload certificates, use the Cisco Unified OS Administration interface (for example, https://<uccx-hostname>/cmplatform) or the set cert import trust tomcat CLI.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_12_5/install/guide/uccx_b_125install-and-upgrade-guide/uccx_b_125install-and-upgrade-guide_chapter_010.html

Ibrahim Jamil · ‎02-12-2020

Hello chris

why this comes with CCX 12.5 :(

CCX 11.6 was straight :)

bro chris , any youtube video for such matter to follow

thanks

Chris Deren · ‎02-12-2020

I did not know that either, found it in the guide when researching your post :) Cisco must have decided in their wisdom that trusted AXL connection is a must :)

Ibrahim Jamil · ‎02-13-2020

Thanks Chris , realy Appreciate , i m going to mark it as Accepted solution to let other guys know the resolution for such issue

thanks

Anthony Holloway · ‎02-13-2020

That's also in the upgrade section for anyone upgrading to 12.5, and it's also in the Release Notes, for anyone planning an install or upgrade. Once again, proving that although documentation can be wrong at times, it's absolutely critical to read it.

Chris Deren · ‎02-14-2020

Indeed, always review at minimum Upgrade Guide, Release Guide and ReadMe (if one is available) before planning any upgrade. The simplest things can make your upgrade a disaster.

RAustin70 · ‎09-14-2021

For my site, we use a CA-Signed Multi-SAN tomcat certificate that covers all 5 nodes of our CUCM. We had to do this so our IdP would set up SAML-SSO. There are no self-signed CA-Certs

Running 12.5 CUCM and just rebuilt our 11.5 CCX into 12.5ES01. Getting this error when I try to set up the CCX_axl, would I do the same process even though there is just one Cert for all 5 UCM nodes?

Chris Deren · ‎09-14-2021

If your CCX Tomcat cert is signed by the same CA then you should not need to do that. If they are signed by different CA or CCX does not have the the "common" Root cert installed then just upload the Tomcat cert from CUCM onto CCX per the instructions.

RAustin70 · ‎09-14-2021

Excellent, so I am a touch ahead of myself then. Currently the CCX is self signed with Tomcat, but will be signed by the same intermediary and root once I get off my backside and submit the CSR.

Roger Kallberg · ‎09-14-2021

Have you added the root and if applicable intermediate CA certificates to the tomcat trust store in CCX to see if that sorts this out? If that does not do it you would likely be needed to upload the CM MSAN certificate into the tomcat trust store in CCX and also the CA certificate(s) likely.

For either of these you’d need to restart tomcat on both the CCX nodes for it to recognise the new certificates.

RAustin70 · ‎09-14-2021

Yeah I loaded up the root and sub certs that are in the chain of the CA signed Certs. TAC came in and put in the MSAN from the UCM Pub, and the self signed EC tomcat certs from the other nodes, This left me at a loss for the process, and didn't fix what I was seeing heh.

I was looking through the documentation and ran the show cert own tomcat on all nodes and as predicted, they all came back with the same key, so I don't even know if running set cert import trust tomcat 5 times with the same key would get me anywhere.