Issue Expressway with Smart licensing (SSM-On Prem)

Registration between SSM On-Prem and Expressway failed with reason:

Failure reason: SSL: no alternative certificate subject name matches target host name 'CCSSMS.bfegy.com'

I have assigned a cert for SSM and uploaded it to EXP's trust CA.

But it shows that the certificate is "Not a CA" as below; I don't know if it is a problem or not.

[Image: exp-111.png]

I have opened the firewall ports HTTPS 443 between both.

The Expressway configuration for smart licensing is as below:

[Image: exp-smart-errot.png]


b.winter
VIP

As the error message already declares:

You should only upload the CA certificate that signed the cert of the SSM, and not the cert of the server itself.

Have you tried with the IP address?

Sign the SSM certificate with a CA and upload the CA root to the Expressway C.



I have already uploaded the root CA that signed the SSM cert to the Expressway trust store.

I have tried with:

https://<<fqdn>>/Transportgateway/services/DeviceRequestHandler

https://<<fqdn>>/SmartTransport

https://<<IP add>>Transportgateway/services/DeviceRequestHandler

https://<<IP add>>/SmartTransport

But the only one that works is https://<<fqdn>>/SmartTransport, and the others give an invalid URL as below:

[Image: eorr.png]

It should be the following format: https://<<fqdn>>/SmartTransport. So it should be fine.

The IP address wouldn't work, since it normally isn't in the cert and therefore would give a cert error.

Have you deleted the CSSM cert from the trust store?

Have you tried a reboot?

Yes, I have done that: deleted the cert of SSM from the Expressway trust store and left only the ROOT.

Restart and try, reboot and try... and no hope.

It still detects the error as below:

Smart Licensing is ENABLED

Registration:
Status: REGISTERING - REGISTRATION IN PROGRESS
Export-Controlled Functionality: NOT ALLOWED
Initial Registration: FAILED on Jan 24 2022 13:54:05 EET
Failure reason: SSL: no alternative certificate subject name matches target host name 'CCSSMS.bfegy.com'
Next Registration Attempt: Jan 24 2022 14:13:28 EET

Although I have double-checked the cert and alternative certificate subject name:

[Image: cert.png]

https://<<fqdn>>/SmartTransport is the correct URL. Just to check the behavior of Expressway, I requested to try with the IP.

What version of Expressway and SSM do you use? Looks like you might need TAC support.




eliegerges
Level 1

Hello Abdelrahman,

How was this issue resolved? I am having the same behavior.

Thank you

If you are using https://fqdn then make sure your certificate has the FQDN. If not, try with https://IPaddress.

Also make sure you have the ports opened:

Register product instances to the SSM On-Prem. See Registering Product Instances to the On-Prem in the Cisco SSM On-Prem User Guide and the documentation for your product.
• Cisco Products use the following API endpoints:
  o HTTPS (443): tools.cisco.com (Registration/Authorization)
  o HTTP (80): www.cisco.com
• Smart Software Manager On-Prem uses the following API endpoints:
  o User Interface: HTTPS (8443) Only
  o Products: HTTP (80)/HTTPS (443)
  o CSSM: HTTPS (443)
    ▪ Syncs:
      api.cisco.com (6.2 and prior)
      swapi.cisco.com (6.3 and later)
    ▪ Account Registration: cloudsso.cisco.com
  o cloudsso.cisco.com
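
The name check behind the "no alternative certificate subject name matches target host name" error, as an added example that is not part of any post in this thread and is not Expressway or SSM code: a simplified model of how a TLS client compares the host in the registration URL with the certificate's subjectAltName entries. The function names and SAN lists are constructed for illustration; Common Name fallback and partial-label wildcards are left out.

```python
import ipaddress

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_match(pattern, host):
    # Case-insensitive, label-by-label comparison; "*" is accepted only as the
    # entire leftmost label and stands for exactly one label.
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_target(target, sans):
    """sans: list of (kind, value) pairs, kind is "DNS" or "IP". Returns (ok, reason)."""
    if is_ip(target):
        # An IP literal in the URL is compared with iPAddress SANs only,
        # never with dNSName entries.
        want = ipaddress.ip_address(target)
        for kind, value in sans:
            if kind == "IP" and ipaddress.ip_address(value) == want:
                return True, "iPAddress SAN %s matches" % value
        return False, "target is an IP literal and no iPAddress SAN equals %s" % target
    for kind, value in sans:
        if kind == "DNS" and dns_match(value, target):
            return True, "dNSName SAN %s matches" % value
    return False, "no dNSName SAN matches %s" % target

# Constructed SAN lists (not taken from the certificate shown in the thread).
CERT_SHORT_NAME = [("DNS", "ssm"), ("DNS", "ssm.lab.example.test")]
CERT_WITH_IP = [("DNS", "ssm.example.test"), ("IP", "192.0.2.10")]
CERT_WILDCARD = [("DNS", "*.example.test")]

if __name__ == "__main__":
    for target, sans in [
        ("SSM.example.test", CERT_SHORT_NAME),   # short name and other domain only
        ("SSM.example.test", CERT_WITH_IP),      # case differs, still matches
        ("192.0.2.10", CERT_SHORT_NAME),         # IP URL, cert has DNS names only
        ("192.0.2.10", CERT_WITH_IP),
        ("ssm.lab.example.test", CERT_WILDCARD), # wildcard covers one label only
    ]:
        print(target, check_target(target, sans))
```

To apply it to a real server, list the certificate's SAN entries first (for example with `openssl x509 -noout -text`) and pass them in as `(kind, value)` pairs.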




Marc Brauner
Level 1

You should open port 443 and 80 in your firewall

It does not use port 80. We’re using SL on our Expressways and do not have port 80 open in the firewall for the E to communicate with the on-prem SSM.




Port 80 needs to be open in version 14.0.6 of EXP (I have not tested with other versions). It doesn't make sense, I know, but I have debugged the error for a week and after we open port 80, it starts to work.

We use a newer version than that and we do not have port 80 open from the E’s to the on-prem SSM.


