
Recommendations on replacing UCCX certificates with minimal disruption to Finesse users

azeez.raheem1
Level 1

Please any thoughts on replacing UCCX certificates with minimal disruption to agents/clients using Cisco Finesse?

 

 

*********Reason for this query *******

UCCX version: 10.6.1.11002-15

  

To solve a reported issue last week, the Cisco Tomcat service on both our servers was restarted.

 

This caused client certificate issues apparent on Monday morning, with many users trying to log onto Cisco Finesse experiencing browser certificate issues (in all browsers/versions).

To try to resolve we restarted the following services:

Cisco Tomcat

Cisco Finesse Tomcat

CUIC Reporting Service

CUIC Serviceability Service

 

When this didn’t resolve it, the decision was taken to shut down the entire cluster and bring up the primary only to see if this resolved it, and this appeared to resolve most user issues.

 

However, due to some users still experiencing issues, an attempt was made to generate a CSR, generate a ‘tomcat’ certificate and upload these early on Tuesday morning (OOH).

These appeared to upload, and the following services were restarted via CLI on both servers:

Cisco Tomcat

Cisco Finesse Tomcat

CUIC Reporting Service

CUIC Serviceability Service

 

But, this again caused many users to experience certificate issues when trying to log onto Cisco Finesse.

From looking at the Certificates on the system, it appeared that the new certificate uploaded had been over-written again by the old certificate.

 

Users are now all logged onto Cisco Finesse, after again having to go through accepting certificates in browsers and all has currently settled down.

 

But this was quite a long-winded and painful process, involving a lot of people trying to get users at the stage where they could log onto Cisco Finesse as agents.

 

The following web page does detail the potential process:

https://www.cisco.com/c/en/us/support/docs/customer-collaboration/unified-contact-center-express/118855-configure-uccx-00.html

 

There is talk of generating a 3rd party certificate for UCCX and people have found other guides online which could be confusing the issues.

 

Any views and recommendations on the way forward for replacing the UCCX certificates with minimal disruption to agents/clients using Cisco Finesse will be very much appreciated.

  

Many thanks in advance.

5 Replies

Slavik Bialik
Level 7

You can't do it with minimal disruption. As you can see, you must restart a few services, which will affect your agents and make them disconnect from Finesse. I would advise you to do it after working hours; it won't disrupt anything. Of course, after you do it, verify that an agent PC can sign in to Finesse without having security alerts about the new certificates.
Also, make sure that:

  1. You're signing the certificate with your organization's root CA that is in the domain that all users are in.
  2. You're signing the certificate with SHA256 and not SHA1, as Microsoft already deprecated SHA1 and it'll lead to security alerts on agents' PCs.

Another thing to consider, I believe that this action will invalidate your license and you'll need Cisco to issue you a new one.

@david.macias Neither Tomcat nor any other certs affect licensing.

Have you tried it before? Per this link https://communities.cisco.com/docs/DOC-76009 updates to the certificate information will invalidate your license, but it doesn't say that replacing the actual certificate will do so. So that would be my mistake.

 

david

Right, only if you change the cert info on the CCX server, i.e. organization, unit, location, state, country, which I did not see changing in the original post. This is the info that would get populated in the CSR, but it does not need to be changed for the new cert unless the CA needs it to be different.
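
As an added example (not part of any reply in this thread): a small shell check for the two points in the reply above about the signing CA and SHA256 versus SHA1, run on the new certificate before it is uploaded. It reads the text dump printed by `openssl x509 -noout -text`; the function name is hypothetical, and the sample dumps, host names and CA name are constructed.

```shell
#!/bin/sh
# Pre-upload check of a CA-signed certificate, fed with the text dump of the cert.
# Flags SHA1/MD5 signatures and self-signed certs; prints the issuer for review.
check_cert_text() {
    awk '
        # The first "Signature Algorithm:" line is the one inside the signed body.
        /Signature Algorithm:/ && alg == "" { alg = $NF }
        /^ *Issuer:/  { sub(/^ *Issuer: */, "");  issuer = $0 }
        /^ *Subject:/ { sub(/^ *Subject: */, ""); subject = $0 }
        END {
            bad = 0; a = tolower(alg)
            if (alg == "") { print "FAIL: no signature algorithm found"; bad = 1 }
            else if (a ~ /sha1|md5/) { print "FAIL: weak signature hash: " alg; bad = 1 }
            else if (a !~ /sha(256|384|512)/) { print "FAIL: unrecognised signature hash: " alg; bad = 1 }
            if (issuer == "" || subject == "") { print "FAIL: issuer or subject missing"; bad = 1 }
            else if (issuer == subject) { print "FAIL: self-signed (issuer equals subject)"; bad = 1 }
            if (!bad) print "OK: " alg ", issued by " issuer
            exit bad
        }'
}

# Constructed sample dumps, trimmed to the fields the check reads.
sample_good() {
cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = local, DC = example, CN = Example Issuing CA
        Subject: C = GB, O = Example, CN = uccx1.example.local
EOF
}
sample_bad() {
cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = GB, O = Example, CN = uccx1.example.local
        Subject: C = GB, O = Example, CN = uccx1.example.local
EOF
}

# Demo on the constructed samples.
sample_good | check_cert_text
sample_bad | check_cert_text || true
# Real use: openssl x509 -noout -text -in <cert.pem> | check_cert_text
```

The check does not validate the chain; compare the printed issuer with the CA that agent PCs in the domain already trust.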