Is DNS required for LDAP over SSL ?

Pankaj Misra
Level 1

Hi All,

We are looking to integrate our CUCM cluster with MS AD using LDAP over SSL for sync and authentication. Currently the integration is insecure and working fine.

For SSL, I understand that I need to import the DCs/GC certificate via the Cisco Unified OS Administration on the CUCM nodes. I have the certificates, which have CN=FQDN of the DC.

I would like to confirm whether we require DNS IP and domain name configuration on the CUCM nodes as a prerequisite. The reason for asking is, we don't have DNS and a domain name configured on any CUCM node, and if I try to configure it I get a warning saying... 'This operation will regenerate all the CUCM certificates including third party certificates'. I have a secure cluster, so I don't want to mess it up by regenerating all the certs.

Can you confirm whether I can set up LDAP over SSL without DNS, or whether DNS is a must?

Regards,

Pankaj Misra

2 Accepted Solutions

I didn't try it, but at a concept level, yes, you need it. This is similar to integrating Expressway with CUCM.

Certificates use the domain name in the CN field, hence you need to have a DNS server and use domain names to avoid certificate errors, which will break the connection between CUCM and LDAP over SSL.

I agree with Mohammed here: yes, you must enable DNS and define a domain on the OS level of each node in the cluster. This is required because you must enter a DNS FQDN value that matches the CN of the certificate presented by the LDAP server to CUCM. The TLS handshake will fail if these do not match.

Since you lack access to the hosts file you cannot create a static DNS resolution inside the VM; you have to turn on DNS.

The warning is correct that certificates will regenerate. Be sure you plan this out, have read the security guide, and fully understand how the ITL/CTL process works. Here's a good article that doesn't show up on normal CCO product pages:

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html

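To make the point in both accepted answers concrete, here is an added example (not code from the thread or from Cisco) that performs the same identity check a TLS client does when CUCM opens the LDAPS connection: the name you configure as the LDAP server must match a DNS identity in the server certificate (subjectAltName first, CN as fallback), and a bare IP address never matches a certificate whose only identity is CN=FQDN. The certificate dictionaries below are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns; the hostnames, `ldaps_client_context` and `connect_ldaps` are hypothetical helpers written for this illustration.

```python
import ipaddress
import socket
import ssl

LDAPS_PORT = 636

# Constructed sample: a DC certificate with CN = FQDN and a SAN list (not a real DC).
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc1.corp.example.com"),),),
    "subjectAltName": (("DNS", "dc1.corp.example.com"), ("DNS", "*.corp.example.com")),
}

# Constructed sample: an older-style certificate with only CN, no SAN extension.
SAMPLE_CN_ONLY_CERT = {
    "subject": ((("commonName", "dc2.corp.example.com"),),),
}


def _dns_name_match(pattern, hostname):
    """Match one certificate DNS pattern against a hostname (case-insensitive).

    A '*' is honoured only as the entire left-most label, so '*.corp.example.com'
    covers 'gc.corp.example.com' but not 'corp.example.com' or 'a.b.corp.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def cert_identities(cert):
    """Return (dns_names, ip_addresses) the certificate asserts.

    subjectAltName entries take precedence; the subject CN is consulted only when
    the certificate carries no SAN identities at all, which is how modern TLS
    clients behave.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    if not dns_names and not ip_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return dns_names, ip_names


def hostname_matches(cert, target):
    """True if `target` (a hostname or IP literal) is an identity the cert asserts."""
    dns_names, ip_names = cert_identities(cert)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an explicit IP SAN, never a DNS name or CN.
        return any(ipaddress.ip_address(n) == ip for n in ip_names)
    return any(_dns_name_match(p, target) for p in dns_names)


def ldaps_client_context(ca_file=None):
    """Client context with the checks CUCM's LDAPS client must also perform:
    chain validation against the imported DC/GC CA and hostname verification."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connect_ldaps(fqdn, ca_file, timeout=5.0):
    """Open a verified LDAPS connection to `fqdn` (hypothetical helper; needs DNS to
    resolve `fqdn`). Raises ssl.SSLCertVerificationError on a CN/SAN mismatch."""
    ctx = ldaps_client_context(ca_file)
    raw = socket.create_connection((fqdn, LDAPS_PORT), timeout=timeout)
    # server_hostname is what gets compared against the certificate identities.
    return ctx.wrap_socket(raw, server_hostname=fqdn)


if __name__ == "__main__":
    for target in ("dc1.corp.example.com", "gc.corp.example.com", "10.10.10.5"):
        print(target, "->", "match" if hostname_matches(SAMPLE_DC_CERT, target) else "MISMATCH")
```

Running the module prints a match for the two FQDNs and a mismatch for the IP literal, which is exactly why the LDAP server entry on CUCM has to be the FQDN and the node needs a resolver to turn it into an address.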

3 Replies

Hi Mohammed and Jonathan,

Thanks and appreciate your quick response :)

I will go through the CUCM security guide and this awesome link you provided to plan it carefully.