Re: Expressway X14.2.2 CUCM neighbor zones

shleets · ‎01-18-2023

Hello - with the changes to Expressway X14.2 you now are required to have the ECDSA certificates signed. We ran into this because we upgraded from x14.0.7 to X14.2.2 and the neighbor zones would not come up because of self signed certificates. The TAC documents says we will need to get our TOMCAT and Callmanger ECDSA certificates signed by our internal CA which is trusted by Expressway. With that said we will be generating these as MULTI SAN so they cover all the CUCM and IMP nodes. If its just these 2 certificates for the CUCM and IMP nodes will this cause any issues with Unity connection, CER, or UCCX or do certificates need to be signed for those applications as well? The TAC article only references CUCM and the Expressway C.

This is the TAC article:

https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/218018-troubleshoot-expressway-traffic-server-c.html

b.winter · ‎01-18-2023

In your link you already would see that you need the certs for CUCM / IMP / Unity. The answers to your questions would be in there.

CER and UCCX have no connection with Expressway. Especially, when you only use MRA.
And no, there is no need to use ECDSA certs. You can also use classical RSA certs.

Roger Kallberg · ‎01-19-2023

From a specific version of Expressway you do need to have both the ECDSA and RSA signed certificates or the certificate(s) of the CA that signed these in the trust store on the Expressway. At least if you’re following best practices and don’t want to go down the path of the workaround as outlined in the document.

John Dow · ‎11-06-2024

Change expressway Ciphers in Security to EECDH:EDH:HIGH:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL:!aDH

This solves the problem with IM&P servers when Expressway suddenly begins not to recognize them as its sister servers.