01-15-2021 08:40 AM
Hi,
In a hosted environment with multiple siloed UC 12 deployments - all using customers' own DNS. We have a CSSM enterprise deployed with all the customers' Smart Accounts on it.
We have TCP 443 open from all CUCM nodes to the CSSM, but when we put in the URL below with an IP address, it fails as below:
https://X.X.X.X:443/Transportgateway/services/DeviceRequestHandler
Cannot send out SL Message.hostname in certificate didn't match: <X.X.X.X> != <csm.uc.hosted>
So it seems that the URL needs to be an FQDN, but this means we'll have to go to every single customer and add a "uc.hosted" subdomain to their DNS to resolve this, which we really don't want to have to do.
Is there any way to disable TLS verification on Cisco UC, or has anyone got this working with IP rather than FQDN?
Thanks
01-15-2021 09:26 AM
Have you tried with HTTP instead of HTTPS with the IP address?
01-15-2021 09:56 AM
Don't have HTTP open on firewall to test and don't think it will be allowed as IP Sec has a TLS only policy. Will CSM support HTTP?
Was hoping there was some sort of TLS Verify disable option or similar. I've even gone down the route of seeing if static DNS Host records are possible in CUCM 112, but sadly this still doesn't seem to be possible.
01-15-2021 10:42 AM
Yes on-prem SSM supports HTTP.
01-15-2021 10:03 AM
As per the guide, it's using IP.
Navigate to CUCM admin page > System > Licensing > License Management > View/Edit the Licensing Smart Call Home settings and then set the SSM satellite URL to ‘https://10.106.81.131:443/Transportgateway/services/DeviceRequestHandler’ (10.106.81.131 is the IP address of the satellite configured) and save, as shown in the image.
SL Message.hostname in certificate didn't match: <X.X.X.X> != <csm.uc.hosted>
Looks like something is wrong with the certificate which you are using. Can you add the IP to the certificate SAN field?
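The mismatch discussed in this thread, as an added example that is not part of any original post: a small Python check showing why an IP literal in the URL fails against a certificate that only names `csm.uc.hosted`, and passes once the IP is present as a SAN entry. The certificate dicts are constructed samples in the layout of Python's `ssl.SSLSocket.getpeercert()`; the matching rules are an assumption about standard TLS clients, not CUCM's own code.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: cert dicts use the layout of Python's
# ssl.SSLSocket.getpeercert(); names and addresses are taken from the thread.
CERT_AS_INSTALLED = {"subjectAltName": (("DNS", "csm.uc.hosted"),)}
CERT_WITH_IP_SAN = {"subjectAltName": (("DNS", "csm.uc.hosted"),
                                       ("IP Address", "10.106.81.131"))}
PATH = ":443/Transportgateway/services/DeviceRequestHandler"
URL_IP = "https://10.106.81.131" + PATH
URL_FQDN = "https://csm.uc.hosted" + PATH


def _dns_match(host, pattern):
    """Exact match, or a wildcard covering exactly one left-most label."""
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern


def host_matches_cert(url, cert):
    """Return (ok, reason) for the URL host against the cert's SAN entries."""
    host = urlsplit(url).hostname
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress SAN entries,
        # never with dNSName entries.
        ip_sans = [ipaddress.ip_address(v) for k, v in sans if k == "IP Address"]
        if ip in ip_sans:
            return True, f"{host} matches an IP SAN"
        return False, f"{host} not in IP SANs {[str(i) for i in ip_sans]}"
    dns_sans = [v.lower() for k, v in sans if k == "DNS"]
    if any(_dns_match(host, name) for name in dns_sans):
        return True, f"{host} matches a DNS SAN"
    return False, f"{host} not in DNS SANs {dns_sans}"


if __name__ == "__main__":
    for cert in (CERT_AS_INSTALLED, CERT_WITH_IP_SAN):
        for url in (URL_IP, URL_FQDN):
            print(host_matches_cert(url, cert))
```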
01-15-2021 11:33 AM
Interesting. The certificate is the same self-signed one it generated at install. We don't have a CA to sign this.
Might try changing the CSSM host name to the IP and try to regenerate the cert....
If that doesn't work, might have to sweeten up Info Sec.
01-16-2021 09:33 AM
Hi ..
Yes, we did, and we are using HTTP instead of HTTPS.