cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
320
Views
15
Helpful
4
Replies
Highlighted
Beginner

Have to get educated on SAML SSO Cluster Wide on CUCM 11.5.1

I'm running 11.5.1 Call Manager system with ~1500 users and we are running LDAP Sync on the UCM and Unity.  Bossman recently decreed we are going to change things up and go with LDAP Authentication / Single Sign On so now I am scrambling to get educated quick on SAML SSO.  Our AD is not run by us so I am coordinating with another engineer to get the IdP and CoT set up.  The AD Team set a requirement to go cluster wide instead of per node, so I had to get a Multi Server SAN Tomcat Cert.  I found and followed - https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118731-configure-san-00.html

All goes well until step 5 " Once you obtain the certificate, you must upload the CA certificate as tomcat-trust and then upload the CA-signed certificate as tomcat."  I submit the received certificate from our CA at tomcat-trust and that goes fine.  Then I try to submit it again as just Tomcat, I cannot modify the description, and I get the error "CSR SAN and Certificate SAN does not match"  I feel like I am missing something.

I can't move forward until I get this ironed out.  Are there any other guides available for Cluster Wide Certs, SAML SSO cluster wide in 11.5.1, or people who have lived through this with stories to tell?

Rob.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

The CSR has a SAN of your Parent Domain "joe.blow.com" but this was removed from the issued certificate. The order doesn't matter.

View solution in original post

4 REPLIES 4
Highlighted

The Common Name and Subject Alternate Name attributes in the CSR must exactly match the certificate issued by your CA. Decode both using OpenSSL and compare the before and after values; if they don’t match you must work with the CA Atl get them to exactly match; CUCM won’t accept the certificate if they don’t.
Highlighted

Thank you for your input!  I finally got a chance to decode the CSR and CER today, this is what came out (FQDN changed to protect the innocent)

 

CSR Information:
Common Name: ULDF-VLSC-UCMP1V.joe.blow.com
Subject Alternative Names: ULDF-AS-TFTP2V.joe.blow.com, uldf-as-imp2v.joe.blow.com, ULDF-VLSC-UCMS1V.joe.blow.com, joe.blow.com, ULDF-VLSC-UCMP1V.joe.blow.com, ULDF-AS-TFTP1V.joe.blow.com, ULDF-VLSC-UCMS2V.joe.blow.com, uldf-as-imp1v.joe.blow.com
Organization: U.S. Government
Organization Unit: AFRL
Locality: Rome
State: NY
Country: US

 

Certificate Information:
Common Name: ULDF-VLSC-UCMP1V.joe.blow.com
Subject Alternative Names: ULDF-VLSC-UCMP1V.joe.blow.com, ULDF-AS-TFTP1V.joe.blow.com, ULDF-AS-TFTP2V.joe.blow.com, ULDF-VLSC-UCMS1V.joe.blow.com, ULDF-VLSC-UCMS2V.joe.blow.com, uldf-as-imp1v.joe.blow.com, uldf-as-imp2v.joe.blow.com
Organization: U.S. Government
Organization Unit: DoD
Country: US
Valid From: March 26, 2018
Valid To: March 26, 2021
Issuer: CA-38, Uncle Sam
Serial Number: 217116 (0x3501c)

 

could it be that they are not in the same order?!?

Rob

Highlighted

The CSR has a SAN of your Parent Domain "joe.blow.com" but this was removed from the issued certificate. The order doesn't matter.

View solution in original post