05-19-2009 07:27 AM - edited 03-15-2019 06:04 PM
We have CUCM 6.13.1000-16.
We are having a problem using SSL during LDAP directory and end user authentication.
Does SSL also require a certificate on the client (CUCM server) side to work? If yes, where can I find more information on the requirements?
Or are there any issues accessing Active Directory (Win2003) LDAP over SSL with CUCM 6.13 platform?
Thanks for the info.
05-19-2009 08:11 AM
You need to install the CA cert on CUCM as directory-trust cert. (go to CUCM OS Admin > Security > Certificate Management)
Thanks!
Michael
05-19-2009 08:14 AM
Thank you!! Got it.
I was also reviewing the OS Admin guide. I came across the same info. However, I wasn't sure about the directory-trust part.
Thanks again for the quick response.
Fureya
08-18-2009 05:02 AM
I hope it's not too late to revisit this issue.
I just uploaded our root cert as a directory-trust and then checked the Use SSL box on the LDAP server configuration. I keep getting a connection error when I submit it. I wanted to ask you what port you used for the connection? I used the default 389 and also 636.
Your assistance is greatly appreciated.
08-18-2009 07:28 AM
A common mistake is to use IP address in the CUCM LDAP configuration while the LDAP certificate has the FQDN as CN (Common Name).
Due to the security design of SSL, the requested URL has to match the certificate CN.
Go to CUCM > System > LDAP to see if you're using IP address or FQDN.
Michael
08-18-2009 07:56 AM
I was indeed using an IP address. I have changed to the FQDN, but still get the same error.
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
I get this error on both callmanager v7 and Unity Connection v7.
I read another post that stated the Tomcat service needs to be restarted before it will work. I will be trying this tonight.
NOTE: I am using TCP 636 for the SSL connection.
Thanks,
Mark
08-18-2009 11:26 AM
That is correct, you need to restart Tomcat.
Also, make sure you upload the CA cert as "Directory-Trust" (you don't need to upload the LDAP cert). For example, the CA cert was "ca.verisign.com", the LDAP cert is "ldap.mycompany.local". You should upload the Verisign one instead of the LDAP one.
Michael
08-18-2009 08:02 PM
htluo,
Thanks for your help. Changing the IP to the FQDN and restarting the Cisco Tomcat service allowed me to configure SSL for the LDAP integration.
Configuration steps:
1. Exported the enterprise CA root certificate and then converted it to a PEM file using the OpenSSL program.
2. Uploaded the enterprise CA root certificate to callmanager as a directory-trust certificate.
3. Restarted the Cisco Tomcat service.
4. Changed the LDAP server reference from IP address to FQDN.
5. Changed the TCP port from 389 to 636.
6. Submitted.
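As an added example (not from the thread, Cisco, or Microsoft): a POSIX shell script that builds a constructed root CA and LDAP server certificate offline and then reproduces the three points worked out above with the openssl CLI: the DER-to-PEM conversion from step 1, the failure when no trust anchor is loaded (the trustAnchors error), and the CN mismatch when the server is referenced by IP instead of FQDN. The FQDN ldap.mycompany.local is taken from Michael's example; the IP 192.0.2.10 and the CA name are constructed, and the openssl binary is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a constructed enterprise root CA and an
# LDAP server certificate whose CN is ldap.mycompany.local (the FQDN used in the thread)
# so everything runs offline, then repeats the two checks an LDAPS client performs.
set -e
WORK="${WORK:-$(mktemp -d)}"
FQDN="ldap.mycompany.local"   # name carried in the cert; configure this, not the IP
LDAP_IP="192.0.2.10"          # constructed address; it appears nowhere in the cert

# Step 1 of the post: convert the DER root cert a Windows CA exports into PEM for the
# Directory-Trust upload (CUCM OS Admin > Security > Certificate Management).
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# Constructed PKI: the CA stands in for the Windows 2003 enterprise root CA and is
# written in DER so der_to_pem has something realistic to convert.
build_constructed_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.der" -outform DER 2>/dev/null
  der_to_pem "$WORK/ca.der" "$WORK/ca.pem"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/ldap.pem" 2>/dev/null
}

# Trust check: does the LDAP server cert chain to a CA the client trusts?
# $1 = CA PEM to trust, or empty to trust nothing for this CA. The empty case is the
# condition behind the "trustAnchors parameter must be non-empty" error quoted above.
chain_ok() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$WORK/ldap.pem" >/dev/null 2>&1
  else
    openssl verify "$WORK/ldap.pem" >/dev/null 2>&1
  fi
}

# Name check: the value entered under System > LDAP must match the certificate.
# $1 = hostname|ip, $2 = the configured value. A bare CN matches only a hostname.
name_ok() {
  openssl verify -CAfile "$WORK/ca.pem" \
    "-verify_$1" "$2" "$WORK/ldap.pem" >/dev/null 2>&1
}

build_constructed_pki
chain_ok ""              && echo "no trust anchor: accepted (bug)" || echo "no trust anchor: rejected"
chain_ok "$WORK/ca.pem"  && echo "CA in Directory-Trust: chain OK" || echo "CA in Directory-Trust: FAILED"
name_ok hostname "$FQDN" && echo "connect by FQDN: name matches CN" || echo "connect by FQDN: FAILED"
name_ok ip "$LDAP_IP"    && echo "connect by IP: matches (unexpected)" || echo "connect by IP: name mismatch"
```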