08-14-2023 05:08 AM
Before updating the certificate:
After updating:
I think the update affected the LDAP server sync. I came across a document that mentioned the need to restart the system certificates after updating them. I'm seeking advice on how to proceed with this, as well as guidance on the process of restarting them.
Thanks and Regards
Geeth.
08-14-2023 06:05 AM - edited 08-14-2023 06:07 AM
IMHO: You shouldn't make such changes if you don't even know how to restart services in CUCM ... or you should think about that before you make such changes.
Edit:
How to restart the Tomcat service: via CLI, which you found out in the other post you asked, but you obviously didn't read it carefully. If you had, you would see that you wrote the command wrong.
08-14-2023 06:12 AM
This is a confusing post. You chose to put it on the contact center board despite it being a CUCM question (I moved it for you). You also chose a Buying Decision label, which doesn't seem applicable. The subject and body don't even match; the former references a Phone Service TLS failure after renewing the self-signed Tomcat cert, while the latter mentions a DirSync failure with the LDAP server. Those two issues are unrelated.
You also didn’t mention the product version you’re running. The answer to the first scenario varies depending on version, so please clarify that. And if you haven’t already, restart Cisco Tomcat from the CLI as the documentation instructs.
08-15-2023 02:02 AM
Dear Jonathan,
I am new here; sorry for any inconvenience. Not being able to take a backup is the reason for regenerating the certificates (Tomcat, IPsec). Please find the image I pasted below.
After regenerating the certificates, phones show the "Host not found" error in the phone directory. That means the LDAP server is not syncing with CUCM correctly. I want to know why regenerating the certs affected this, and what I can do to resolve the issue.
Also, please find the CUCM details.
Thanks and regards
Geeth
08-16-2023 02:54 PM
Ouch. 10.5 is long past end of life and has known vulnerabilities. Start working with your Cisco Partner on an upgrade project or migration to Webex Calling.
Anyway, in that version the Tomcat.pem certificate is not involved in the ITL (further reading on that topic: Understand CUCM Security By Default and ITL Operation and Troubleshooting). Be far more careful if you need to regenerate the CallManager.pem or ITLRecovery.pem certificates at some point though! The "Host Not Found" is shown because the Trust Verification Service (TVS) on CUCM doesn't know about the new Tomcat certificate until you restart - which three people have now recommended trying. Pressing the Directories button causes the phone to open an HTTPS connection to CUCM. CUCM sends the Tomcat.pem certificate in the TLS Server Hello packet but the phone doesn't know how to validate it as authentic/trusted - so it asks TVS instead.
DRS isn't working because the IPsec cert needs to be uploaded to the IPSec-trust store of the other servers and the DRS services restarted.
Neither of those certificates impact LDAP sync or authentication.
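A small check to go with the advice above, added here as an example and not part of anyone's post: after restarting Cisco Tomcat on each node, confirm that the Tomcat port is actually presenting the regenerated certificate by comparing the SHA-256 fingerprint shown in OS Administration with what the server sends in its TLS handshake. The hostnames, the fingerprint placeholder and port 8443 are assumptions; the test values below are constructed.

```python
import hashlib
import socket
import ssl

# Port on which CUCM's Tomcat serves web and phone directory traffic (assumed here).
TOMCAT_PORT = 8443


def sha256_fingerprint(der_bytes: bytes) -> str:
    """Return the colon-separated, upper-case SHA-256 fingerprint of a DER certificate,
    the form in which CUCM OS Administration displays it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_equal(a: str, b: str) -> bool:
    """Compare two fingerprints ignoring colons, spaces and letter case."""
    norm = lambda s: s.replace(":", "").replace(" ", "").lower()
    return norm(a) == norm(b)


def fetch_tomcat_cert(host: str, port: int = TOMCAT_PORT, timeout: float = 5.0) -> bytes:
    """Open a TLS connection to the Tomcat port and return the DER server certificate.
    Verification is disabled deliberately: a freshly regenerated self-signed Tomcat
    certificate is not in any trust store yet, and we only want to see what is served."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def served_cert_matches(host: str, expected_fingerprint: str) -> bool:
    """True when the certificate Tomcat currently presents matches the expected one.
    Before the Tomcat restart this stays False; after the restart it becomes True."""
    served = sha256_fingerprint(fetch_tomcat_cert(host))
    return fingerprints_equal(served, expected_fingerprint)


if __name__ == "__main__":
    # Placeholders: substitute each node's hostname and the fingerprint from
    # OS Administration > Security > Certificate Management > tomcat.
    for node in ["cucm-pub.example.local", "cucm-sub1.example.local"]:
        ok = served_cert_matches(node, "<SHA-256 fingerprint of the new tomcat.pem>")
        state = "new certificate served" if ok else "old certificate still served, restart Cisco Tomcat"
        print(f"{node}: {state}")
```

Run it against every node on which the certificate was regenerated; a node still reporting the old certificate has not had its Tomcat service restarted.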
08-14-2023 11:15 AM - edited 08-14-2023 11:16 AM
For renewing any certificate in CUCM, the system will directly prompt a notification listing the services that need to be restarted and how to restart them.
To restart the Tomcat service in Cisco CUCM, you can follow these steps:
utils service restart Cisco Tomcat
Note: you need to restart the Tomcat service on all servers where you renewed the certificate.