Secure Finesse XMPP port for the Cisco PCCE 12.5 and UCCE 12.5

vbashin
Level 1

There were some security-related changes in the Finesse HTTP configuration, starting with version 12.5.

That’s what the Cisco documents say:

Security Enhancements

In Cisco Finesse the following security changes are implemented:
• By default, Cisco Finesse Notification Service unsecure XMPP port 5222 and BOSH/WebSocket (HTTP) port 7071 are disabled. Use the CLI command utils finesse set_property webservices enableInsecureOpenfirePort true to enable these ports.
• Validation of the X.509 certificate is enforced. It is mandatory to have the following valid non-expired X.509 CA or self-signed certificates, which must be imported into the Cisco Finesse trust store.
• Cisco Finesse node certificates are available by default. The administrator must verify the validity of the certificates, as non-expired certificates are invalid.
• Valid non-expired Cisco Finesse primary certificate must be present on the secondary Cisco Finesse.
• Valid non-expired Cisco Finesse secondary certificate must be present on the primary Cisco Finesse.
• Import the CUCM certificate to both the primary and secondary Finesse nodes.
• Import the IdS certificate to both the primary and secondary Finesse nodes.
• Import the Customer Collaboration Platform server certificates to both the primary and secondary Finesse nodes in the Unified CCE.
• Import the LiveData server certificates to both the primary and secondary Finesse nodes in the Unified CCE.
• Import the Cloud Connect server certificates to both the primary and secondary Finesse nodes in the Unified CCE.

Here are the questions:

  1. What port shall we use for the XMPP notifications instead of the previously exposed port 5222?
  2. Is using the highlighted CLI command the only workaround to get access to this port?

3 Replies

There's a Cisco defect that references port 5223 and 5222 in 12.5 and enabling access, but unfortunately it looks like it is only visible to Cisco right now. Based on the description though, it might contain what you're looking for, so maybe ask Cisco if they can give you more information?
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv16362

Description
Symptom: CLI command to enable port 5223 on UCCX doesn't work on 12.5. utils finesse set_property webservices enableExternalNotificationPortAccess true
utils network connectivity 5223 command gives: connect to the port (tcp) failed: Connection refused Service not accessible
Conditions: Customer requires port 5223 to get info. from third party gadgets/wallboard. Port 5223...More
Details: 12.5(1), Release Pending, Cisco Finesse
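Added example for this thread, not code from the thread or from Cisco: a small Python probe that checks, from a client or wallboard host, which Finesse notification ports answer, flags the insecure ports (5222, 7071) if they are reachable, and completes a certificate-verified TLS handshake on 5223 so you can confirm the Finesse certificate chains to the CA in your trust store. It assumes that 5223 is the TLS XMPP port and 7443 the HTTPS BOSH/WebSocket port (the usual Finesse assignments; the page names 5223 only through the defect above and does not mention 7443), and the host name in the usage stub is hypothetical.

```python
"""Probe Cisco Finesse notification-service ports from a client host.

Added example; not Cisco code. Assumes the usual Finesse port layout:
5222 plain XMPP, 5223 XMPP over TLS, 7071 plain BOSH/WebSocket,
7443 BOSH/WebSocket over HTTPS (7443 is an assumption, not on the page).
"""
import socket
import ssl

# port -> (label, insecure). Finesse 12.5 disables the insecure pair by default.
FINESSE_PORTS = {
    5222: ("XMPP (plain)", True),
    5223: ("XMPP over TLS", False),
    7071: ("BOSH/WebSocket (HTTP)", True),
    7443: ("BOSH/WebSocket (HTTPS)", False),  # assumed secure counterpart of 7071
}


def probe(host, port, timeout=3.0):
    """TCP connect to host:port and classify the outcome (same information as
    `utils network connectivity <port>`, but run from the client side)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def scan(host, ports=FINESSE_PORTS, timeout=3.0):
    """Probe every known notification port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def assess(results, ports=FINESSE_PORTS):
    """Turn probe results into findings: a reachable insecure port means
    enableInsecureOpenfirePort was turned on; an unreachable secure port is the
    symptom the defect above describes. Unknown ports are ignored."""
    findings = []
    for port, state in results.items():
        if port not in ports:
            continue
        label, insecure = ports[port]
        if insecure and state == "open":
            findings.append(
                f"WARN {port} {label} reachable: insecure port enabled "
                "(enableInsecureOpenfirePort); disable unless a legacy client needs it"
            )
        elif not insecure and state != "open":
            findings.append(
                f"FAIL {port} {label} not reachable ({state}): "
                "secure notification port closed or blocked"
            )
    return findings


def tls_cert_check(host, port=5223, cafile=None, timeout=5.0):
    """Complete a verified TLS handshake on the secure port and return the
    negotiated protocol plus subject and expiry of the certificate presented.
    Verification uses the system trust store, or `cafile` for the CA that
    signed the Finesse certificate; a self-signed or expired cert raises
    ssl.SSLCertVerificationError, which is exactly what a 12.5 peer enforces."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": cert.get("subject"),
                "notAfter": cert.get("notAfter"),
            }


if __name__ == "__main__":
    import sys

    # hypothetical host name; pass the real Finesse FQDN as the first argument
    target = sys.argv[1] if len(sys.argv) > 1 else "finesse1.example.internal"
    results = scan(target)
    for port, state in sorted(results.items()):
        print(f"{port:5d} {FINESSE_PORTS[port][0]:24s} {state}")
    for line in assess(results):
        print(line)
    if results.get(5223) == "open":
        try:
            print(tls_cert_check(target, 5223))
        except ssl.SSLError as exc:
            print(f"5223 TLS verification failed: {exc}")
```

Run it against the Finesse FQDN (not an IP address, because `server_hostname` must match the certificate's subject or SAN). A "refused" on 5223 together with "open" on 5222 is the state the defect describes, and it should be fixed by getting the secure port opened rather than by re-enabling 5222 with enableInsecureOpenfirePort.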

vbashin
Level 1

Thanks.

Sorry, but I'm not allowed to access that https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv16362 link.

If possible, could you please copy its content to this conversation thread?

All that Cisco shows is above, the rest is Cisco internal use only so you'd have to open a ticket and have them tell you what else it says.
