cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
30819
Views
106
Helpful
22
Replies

Finesse has Problems with Certificate on Port 7443

nico13192
Level 1
Level 1

Hi Guys,

 

I want to configure Cisco Finesse, which runs on my UCCX 10.5.1.

It works fine, I can open it per Explorer/Firefox/Chrome and I get the request for the login credentials.

After that, I get the message, that I have to install two certificates: For Port 8445 & Port 7443.

I downloaded the cerficates (tomcat & ipsec) from the UCCX certificate management and installed it on the client, but i still get

the message, that the certificate for 7443 is still missing?

Has somebody an idea, how I can solve this problem?

 

Kind Regards,

 

Nico Seinsche

 

22 Replies 22

nanosynth
Level 1
Level 1

None of this applies in my case. None of it. I have just one UCCX 10.6. I have a REAL CA cert. Finesse works perfect on my Win 7 PC using Firefox AND Chrome. The problem is with IE 11 on the same machine. Just like the person said, I get the "SSL Certs Not Accepted" for the 2 ports and when I click on "OK" to "Accept" the certs, it brings me to another just opened page in IE and says "

You must accept or install the appropriate certificate for this domain. If you have questions, contact your administrator for instructions." but there is NO place to actually "Accept" the certs. None of the "basic" problems are here, like not using FQDN or self-signed, no, everything is REAL. Nothing needs ''restarting' either, it gets shutdown and started all the time, its in a lab. Sure, I can use Firefox and Chrome, but Id really like to know why IE, on this machine wont even let me 'Accept" the certs. 
 

Never mind your ranking here of 'rising star'...you are a shooting star! Very nice! I looked at that compatibility guide and took my UCCX out of being flagged for Internet Explorer 'compatability' mode. Problem solved! Thank you kindly.

Glad to hear that it resolved the issue, and thank you for reporting that was the fix to everyone reading here.

Please mark that post as helpful if you don't mind so that people may find it easier in the future if they have the same problem.

I am going to add one 'quirk' here, just so anyone who has the same trouble can 'try'. The initial reason I had my UCCX marked as needing Internet Explorer 'compatibility' mode is because without compatibility mode, I wasn't getting any drop down menu choices when logged into UCCX on the admin page, you know, top left drop down menus. IE compatibility mode fixes this, at least in my UCCX 10.6. So when I wanted to use the Finesse, having forgotten that I applied compatibility mode, the Finesse was jammed up just like I wrote in here. So after taking bill.king1's advise, I wound up 'undoing' compatibility mode in IE and then I was able to get past the 2 ports certificate problems, but then I couldn't use the drop down menu choices in UCCX, and thats when I remembered why I had compatibility mode on in the first place. Then having Finesse all fixed I re-applied compatibility mode for the UCCX menu drop downs to work and what do you know, Finesse stayed working. What a lot of frustration.

nanosynth
Level 1
Level 1

If someone knows, would you kindly tell me exactly what certificates from the UCCX that you are accepting when you get presented with -->    uccx.realdomain.com:8445 and uccx.realdomain.com:7443 I have Finesse working over a regular internet connection, no VPN, back to my UCCX in my lab. The entire CUCM/UCCX..etc system has real certs from a real CA and the UCCX is reached by Oracle DNS resolving the uccx.realdomain.com to a static IP in my lab which is then port forwarded by a Palo Alto firewall to the UCCX on an internal private IP subnet. I have all the necessary Finesse ports open. The Finesse screen comes up in the browser and I log in, then it wants to present me with those two 7443 and 8445 certs and it wont do anything after I click to accept. No where can I find exactly what two certs those really are. I have already made successful Finesse connections from this same PC to the UCCX using the real uccx.mydomain.com hostname in the lab, and over a Palo Alto Global Protect tunnel, so I know I am not missing any certs in this same PC. This is all an experiment anyway, for me to use Finesse over a NON VPN internet connection.

There's only the one cert: Tomcat.  If you are having a mixed experience based on the port you're connecting to, I can think of two reasons:

  1. You have not restarted all of the necessary services, there's like 6 of them.  I would recommend rebooting the whole server.
  2. You are using a version of UCCX where they toyed with using the EC certs, and therefore you'd need to install the COP file which suppresses it

Now, I didn't quite understand what you were doing in full, but it seems like you might be accessing uccx.realdomain.com in your browser, but the actual name of the server is uccx.mydomain.com.  Unless you have uccx.realdomain.com in the SAN, that will not work.  Is this what you're doing?  Does the name exist in the SAN?

Hey Anthony. Sorry about the domain name thing, all my UC servers in my lab and both my Expressway boxes have real Comodo certs with the same main name, 'realdomain.com', so every UC box has the format like uccx.realdomain.com. Its a lab, so I start and stop the servers every day, so all those services have naturally been fresh on each days start up of the lab. Very interesting thing you bring up about ECDSA, because when I was debugging in the Chrome browser, under security, it said something about ECDSA, but, I have UCCX 10.6, but I did apply the SU3ES03 to it, but I don't know if that has anything to do with the ECDSA thing, I dont think so. I did add Socialminer 10.6 about 3 months ago, but in having read what you gave me and linking to the UCCX Solution Certificate Management Guide, I see I just stepped into a can of worms regarding certs interactions between UCCX and Socialminer, that I never knew about. In my UCCX, Im not sure if this is a problem, but when I generated the CSR and got it signed by the real CA, they automatically put a www.uccx.realdomain.com in the SAN space along with the uccx.realdomain.com in the same SAN area. Of course the CN of that signed cert is uccx.realdomain.com like it should be. I have had this cert in the UCCX for a year now and no problems. I need to ask them how to not put the www thing in there. In the Socialminer I have, I do have a real multi SAN cert in there but the CN is my realdomain.com and in the SAN box is socialminer.realdomain.com and cucm.realdomain.com and unity.realdomain.com and it has been working fine. All my e-mail and chat and the gadgets I built, and everything, and I mean everything has been working fine, in the lab. Now in the lab I have a hosts file entrys mappings for the real UC servernames to their respective lab internal IP addresses, so when I fire up Finesse in the lab, I would *THINK* it would be the same thing as if I fired up Finesse on another PC in the lab that didnt have a hosts file that made the Finesse go out over the internet to 8.8.8.8 and resolve uccx.mydomain.com:8445 to my real static public IP that comes back into the lab in the PALO port forwarded to the uccx private IP. This works, like I said. The Finesse screen comes up, it asks for user/passwr/extension, I enter it and the browser takes a real long time to finally come back with that 'accept the certificate' business for the 2 ports, and whats odd and is exactly what is in the article you give after I click accept, about the next message being something like "

https://uccx.realdomain.com:7443/security?&protcol=https&host=uccx.realdomain.com&port=8445", and it stops there, dead end.

. Mind you, on this same PC I have 100% already successfully used Finesse and Socialminer and every other thing by using the real domain names being resolved by the internal hosts file, of which I remove when doing real internet tests with the Finesse. So I would *think* that this PC, having already been working with Finesse, wouldnt need to have to accept any certs when I test over the interet to the same UCCX.  I can see in the wire sharks on both the PALO and the PC on the internet, I can see the back and forth conversations using the 7443 and 8445 ports, so I know my channels are open and working. The short of it all now is to follow the cert procedure I just discovered, thanks to you, and do my UCCX and Socialminer certs correctly. This all started out as "well, let me see if I can do this Finesse over the internet without VPN'" while I have the Jabber up on the same PC connected to Expressway and Presence over the same internet path and it kinda snowballed into this, but it *almost* works now..I know no one in their right mind would ever expose the UCCX like this, but I can't stop till success.