01-31-2018 04:18 AM - edited 03-14-2019 05:55 PM
Dears,
As per the "Understand ECDSA certificates in an UCCX Solution" guide, tomcat ECDSA should be signed with an external CA by EC (best practice) or signed by RSA (in this case the email-chat gadget won't load and the SocialMiner webpage does not load, otherwise a COP file, which I cannot reach by the way). I want to know the steps for signing the tomcat ECDSA by CE or RSA via a Windows Server 2008 R2 CA.
Thanks in advance
Omar
01-31-2018 08:58 AM
Did you review this doc:
here is another write up with MSFT CA signing steps:
02-05-2018 01:55 AM
Yes, I already checked the document and the other link. In our case there is no chance to change the CA template to CE or the key length of RSA, so we had to check the second option, which is the COP file to disable offering tomcat-ECDSA. If you have the COP file link, please provide it to me.
Thanks in Advance
03-29-2019 02:05 PM
The document link provided on ECDSA certs is good, but the links to the cop file to disable it are broken. They link to a blank page.
04-01-2019 12:47 PM - edited 04-01-2019 12:57 PM
Yeah, I have this EXACT same issue. I did the process and 11.6(1) - old COP for disable of ECDSA doesn't apply to 11.6(1), did this whole walkthrough and installed the cert - takes the cert - can't get the COP to disable SocialMiner (we don't use it anyways) and Live Data doesn't work still. The COP file they reference only disables 11.5(1) from using ECDSA.
These documents are highly lacking in steps, clarity and detail. The original Cisco document, where it is someone cutting and pasting a Cisco-internal flowchart, is a poor way to create documentation. This needs to be fleshed out a bit more as I am seeing this thread come up a bunch of times in here.
Even my server admin commented on how vague it was and how a 3rd party Cisco-related site is the one giving the meat and potato steps. Haha!
04-01-2019 01:56 PM
This is what TAC said about the issue:
The ECDSA cert caused issues for Live Data in 11.5(1) and the COP file was more of a stop-gap measure to get its use turned off quickly and easily. This fix was included in 11.5(1)SU1, at which point the separate COP file for that purpose was no longer needed and removed from cisco.com. 11.6(2) also is not affected, so you should be fine.
04-01-2019 02:32 PM
Sounds like I need to go to 11.6(2) from 11.6(1) rather than spend more time on this cert. Haha
05-22-2019 10:34 PM
Did you get a resolution? I was about to purchase another set of certs but I have a TAC engineer saying that Tomcat-ECDSA is not supported in 11.6. We're on 11.6(1).
05-23-2019 04:45 AM
The issue was resolved by neglecting the Tomcat-ECDSA certificate entirely and signing only the normal tomcat certificate.
05-23-2019 03:10 PM
Thanks for confirming. I will just let the ECDSA certificate expire then.