UCCX 10.5 SSLHandshakeException authenticating with Azure using ADAL

Lucas
Level 1

Folks,

I'm trying to call an Azure web service that returns data back to UCCX.  The custom Java code that I use works in Eclipse, is based on this, and works as expected.  I've uploaded my custom JAR file and dependencies and restarted the server.  I've modified my AEF script to call my method in my custom method and that also works.  There are no validation issues with the script / custom Java library.

Looking at the MIVR and the 'stderr.log' I see the following:

java.lang.RuntimeException: java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find certificate chain
at com.center.test.client.WebServiceClient.getAccessTokenFromClientCredentials(WebServiceClient.java:166)

The capture has the list of my certificates that are installed.  As far as I can tell, they are correct.

The error happens when it tries to get the token.

I can't think of anything else except to now 'Disable Certificate Validation' but it's not what I want to do.

What am I missing?

4 Replies

Anthony Holloway
Cisco Employee

According to this article, having your certificates in the Tomcat Trust is exactly correct.

"Traditionally, the UCCX engine accessed the Engine keystore. This was always accessible from the root only. The keystore which was accessible by the user was the platform Tomcat keystore. This was however not used by the UCCX Engine. So if you are using a step like getUrlDocument and trying to establish a secure connection to the server, you had to upload the certificate and the certificate chain to the UCCX engine keystore. This was possible only via the root. This was a little inconvenient and was tracked under the defect: CSCue13884"

Source: https://supportforums.cisco.com/blog/12049551/community-tech-talk-cisco-unified-contact-center-express-uccx-version-100-upgrade

Outside of a defect in UCCX, I can't think of what it could be.  Are you able to reboot UCCX since the upload of the new certs?

If you look at that defect listed above, the error is the same as yours.  You could always open a TAC case to have them check it out.
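
An added example, not part of the thread and not Cisco's code: a small Java diagnostic that lists the trust anchors the running JVM actually uses, which is the engine-keystore versus Tomcat-keystore question raised above. The class name `TrustAnchorCheck` and the search text are hypothetical, and it assumes the custom code relies on the JVM's default trust manager rather than its own `SSLContext`.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (hypothetical class). Run it inside the same JVM that throws
// the SSLHandshakeException so it reports the anchors that process really sees.
public class TrustAnchorCheck {
    // Trust anchors of the JVM's default trust manager.
    static List<X509Certificate> defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the JVM's default trust store
        List<X509Certificate> anchors = new ArrayList<X509Certificate>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                anchors.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
            }
        }
        return anchors;
    }

    // Anchors whose subject DN contains the given text (case-insensitive).
    static List<X509Certificate> findAnchors(List<X509Certificate> anchors, String text) {
        List<X509Certificate> hits = new ArrayList<X509Certificate>();
        String needle = text.toLowerCase();
        for (X509Certificate c : anchors) {
            if (c.getSubjectX500Principal().getName().toLowerCase().contains(needle)) {
                hits.add(c);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // If this property is unset, the JVM falls back to jssecacerts/cacerts under java.home.
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        System.out.println("java.home = " + System.getProperty("java.home"));
        List<X509Certificate> anchors = defaultAnchors();
        System.out.println("trust anchors loaded: " + anchors.size());
        // Placeholder search text (assumption): pass part of the expected root CA name.
        String wanted = args.length > 0 ? args[0] : "ROOT-CA-NAME-PLACEHOLDER";
        List<X509Certificate> hits = findAnchors(anchors, wanted);
        System.out.println("anchors matching '" + wanted + "': " + hits.size());
        for (X509Certificate c : hits) {
            System.out.println("  " + c.getSubjectX500Principal().getName() + " (expires " + c.getNotAfter() + ")");
        }
    }
}
```

If the uploaded root does not appear in this list, the process is reading a different keystore from the one the certificates were uploaded to.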

Hi Lucas,

Did you find a solution to your problem? I have the exact same issue trying to do a JSON POST call to azurewebsites.net on our customer's 10.6 deployment.

The response I get is

"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find certificate chain"
"Client response status: 412"

I have added the Azure root/subordinates certificates to the tomcat-trust and restarted the Cisco Tomcat service, just like you did in your screenshot.

I've tested the same script in my 11.5 lab environment, where it works fine even without adding the extra tomcat trust certificates. It's hard to find any additional info about this, but it seems something was improved in UCCX 11.5 regarding this issue.

Would be great to hear from you if you solved the problem or if I need to raise a TAC case for this maybe.

Hi Jorie,

I've abandoned it because of the errors and decided to host the web service on-premise.  It doesn't seem like it's a problem in version 11 and I don't have the authority to update from 10.5 to the latest version.  But once I put my web service and hosted it locally the problem went away.

The solution would probably be to update to version 11 if you want to use Azure, or take what you want to do in Azure and do it on-premise if an upgrade is not possible.

Hi Lucas,

Thanks for your feedback, I will discuss these solutions with the customer. I will probably just make a TAC case to investigate what is really going on here. I will post it here if anything comes out.