10-20-2017 06:11 AM - edited 03-14-2019 05:39 PM
Please any thoughts on replacing UCCX certificates with minimal disruption to agents/clients using Cisco Finesse?
*********Reason for this query *******
UCCX version: 10.6.1.11002-15
To solve a reported issue last week, Cisco Tomcat service on both our servers was restarted.
This caused client certificate issues apparent on Monday morning, with many users trying to log onto Cisco Finesse experiencing browser certificate issues (in all browsers/versions).
To try to resolve we restarted the following services:
Cisco Tomcat
Cisco Finesse Tomcat
CUIC Reporting Service
CUIC Serviceability Service
When this didn’t resolve the issue, the decision was taken to shut down the entire cluster and bring up the primary only to see if this resolved it, and this appeared to resolve most user issues.
However, due to some users still experiencing issues, an attempt was made to generate a CSR, generate a ‘tomcat’ certificate and upload these early on Tuesday morning (OOH).
These appeared to upload, and the following services were restarted via CLI on both servers:
Cisco Tomcat
Cisco Finesse Tomcat
CUIC Reporting Service
CUIC Serviceability Service
But, this again caused many users to experience certificate issues when trying to log onto Cisco Finesse.
From looking at the certificates on the system, it appeared that the new certificate uploaded had been overwritten again by the old certificate.
Users are now all logged onto Cisco Finesse, after again having to go through accepting certificates in browsers and all has currently settled down.
But this was quite a long-winded and painful process, involving a lot of people trying to get users at the stage where they could log onto Cisco Finesse as agents.
The following web page does detail the potential process:
There is talk of generating a 3rd party certificate for UCCX and people have found other guides online which could be confusing the issues.
Any views and recommendations on the way forward for replacing the UCCX certificates with minimal disruption to agents/clients using Cisco Finesse will be very much appreciated.
Many thanks in advance.
10-20-2017 06:47 AM
You can't do it with minimal disruption. As you can see, you must restart a few services, which will affect your agents and make them disconnect from Finesse. I would advise you to do it after working hours, it won't disrupt anything. Of course, after you do it, verify that an agent PC can sign in to Finesse without having security alerts about the new certificates.
Also, make sure that:
10-20-2017 09:27 AM
Another thing to consider, I believe that this action will invalidate your license and you'll need Cisco to issue you a new one.
10-20-2017 02:57 PM
@david.macias Neither Tomcat nor any other certs affect licensing.
10-21-2017 03:19 AM
Have you tried it before? Per this link https://communities.cisco.com/docs/DOC-76009 updates to the certificate information will invalidate your license, but it doesn't say that replacing the actual certificate will do so. So that would be my mistake.
david
10-21-2017 04:11 AM
Right, only if you change the cert info on the CCX server, i.e. organization, unit, location, state, country, which I did not see changing in the original post. This is the info that would get populated in the CSR, but it does not need to be changed for a new cert unless the CA needs it to be different.
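One way to run the check suggested in the first reply, and to catch the old certificate reappearing as the original post describes, before agents log in. This is an added example, not part of the thread or of Cisco's tooling: it compares the certificate each listener actually serves on each node against the fingerprints of that node's new and old certificates. The port numbers, node names and the per-node fingerprint map are assumptions; the sample bytes are constructed stand-ins for real DER certificates.

```python
import hashlib
import socket
import ssl

# Assumptions (not from the thread): listener port per service; confirm for your release.
PORTS = {"Cisco Tomcat": 8443, "Cisco Finesse Tomcat": 8445}

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding of a certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def fetch_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the listener serves. Validation is off on
    purpose: the goal is to identify the certificate, not to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def audit(expected, ports=PORTS, fetch=fetch_der):
    """expected maps host -> (new_fp, old_fp); each node has its own pair.
    Returns {(host, service): 'new' | 'old' | 'unknown' | 'unreachable'}."""
    results = {}
    for host, (new_fp, old_fp) in expected.items():
        for service, port in ports.items():
            try:
                fp = fingerprint(fetch(host, port))
            except OSError:  # refused, timed out, or TLS handshake failure
                results[(host, service)] = "unreachable"
                continue
            results[(host, service)] = {new_fp: "new", old_fp: "old"}.get(fp, "unknown")
    return results

def ready_for_agents(results) -> bool:
    """True only when every listener on every node serves the new certificate."""
    return bool(results) and all(state == "new" for state in results.values())

if __name__ == "__main__":
    # Constructed stand-ins for DER bytes; node2's Finesse listener still serves the old one.
    new, old = b"constructed-new-der", b"constructed-old-der"
    expected = {n: (fingerprint(new), fingerprint(old)) for n in ("node1", "node2")}
    stale = lambda host, port: old if (host, port) == ("node2", 8445) else new
    report = audit(expected, fetch=stale)
    for key, state in sorted(report.items()):
        print(key, state)
    print("ready:", ready_for_agents(report))
```

For a real run, build `expected` from the certificate files uploaded to each node and call `audit(expected)` after the service restarts; an "old" result on any listener means the replacement did not take on that node.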