05-02-2016 12:10 AM - edited 03-13-2019 09:27 PM
Hi
I've got a warning that the self-generated certificates (tomcat.der, ipsec-trust etc.) are about to expire.
I don't see in the admin guide what the consequences will be when I do this.
This is Unity Connection 9.1.2
Anyone know?
/Tony
05-02-2016 02:07 AM
The IPSec certificate is important for the Disaster Recovery Framework (DRF) to work properly. With these certificates expired, you might not be able to click on any option inside the DRF page, such as History, taking a manual backup etc. Even the scheduled backups can fail due to this.
The Tomcat certificate is responsible for anything related to HTTPS communication, such as opening the CUC Administration page, navigating to another server from the Cisco Unified Serviceability page etc. In a nutshell, both of these certificates are most important for any UC application to work properly, hence you should regenerate them. Simply regenerate the Tomcat and IPSec certificates on the required servers within the CUC cluster and that will automatically regenerate the associated Tomcat-Trust and IPSec-Trust certificates.
Regards
Deepak
05-02-2016 02:14 AM
Hi Deepak
I was reading http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/9x/security/guide/9xcucsecx/9xcucsec065.html and couldn't see that this would have much end-user impact. Is that correct?
Fixing the backup, if it fails, should be easy. And Tomcat only has admin impact (admin pages).
/Tony
05-02-2016 02:22 AM
From an end-user perspective, it will only have an impact where they use some service running out of CUC that uses an HTTP/HTTPS URL; one that I can think of right now is Visual VoiceMail. In CM, there is a huge impact, since a lot of end users are using Extension Mobility and other phone-based services running on HTTP/HTTPS. Even from an admin-impact perspective, I do not see why someone should have to face an exception every time they open the web page, and you also cannot forget that end users within CUC often need to open their own user pages within CUC as well.
"Fixing the backup, if it fails should be easy."
Not very easy if it fails due to the IPSec certificate error.
Regards
Deepak
05-02-2016 02:32 AM
Hi Deepak
Then I should be OK to regenerate the Tomcat certificate.
Why would it be hard to stop the scheduled backups and set up a new one? Shouldn't that use the new IPSec certificate?
/Tony
05-02-2016 02:47 AM
You will not even be able to set up a new backup location or a new scheduled backup task if the IPSec certificates are expired.
"Shouldn't that use the new ipsec certificate?"
And when will that happen? Only once the certificates are regenerated again. Hence, go ahead and regenerate the certificates, followed by a restart of Cisco Tomcat and Cisco DRF Master & Local.
Regards
Deepak
05-02-2016 03:02 AM
Hi
Sorry for not making it clear: I thought it was obvious that the services needed to be restarted.
BTW: everything works and the new updated certificates work.
/Tony
05-02-2016 03:05 AM
Ah no issues Tony :) Glad that it worked fine for you and the certs had been regenerated successfully.
Regards
Deepak
05-02-2016 12:08 PM
Hi Deepak
One last question:
I have three tomcat-trust certificates, one of which is expired. How do I know if it's in use somewhere?
Or can I just delete it?
Prime Collaboration is complaining about that one.
/Tony
05-02-2016 09:41 PM
Certificates are not used on a per-user/instance basis. Simply go ahead and delete it, as they do not have a direct dependency on anything to function properly.
Regards
Deepak