02-03-2014 08:09 AM - last edited on 03-25-2019 09:11 PM by ciscomoderator
Hi Community!
I tried to enable Mobile and Remote Access, but I'm having a issue with adding the IM&P Servers. If I want to discover the IM&P servers, the VCS fails when reading some internal root certificates.
That's the AXL Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.cisco.com/AXL/API/8.0"> <soapenv:Header/> <soapenv:Body> <ns:getCertificates sequence="?"> <userid>admin</userid> <component>SERVICE_ESP</component> </ns:getCertificates> </soapenv:Body> </soapenv:Envelope>
That's the response:
management UTCTime="2014-02-03 15:54:18,53" Module="network.axl" Level="DEBUG" Action="Received" URL="https://cupsserver.internal:8443/axl/" Function="getCertificates" Status="500" Content=" <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><soapenv:Fault><faultcode>soapenv:Server</faultcode><faultstring>/usr/local/sip/.security/cert_cache/SERVICE_ESP/RootCA.pem (No such file or directory)</faultstring><detail><axlError><axlcode>-1</axlcode><axlmessage>/usr/local/sip/.security/cert_cache/SERVICE_ESP/RootCA.pem (No such file or directory)</axlmessage><request>getCertificates</request></axlError></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope> "
The certificate file is our internal root CA. The internal certificates on VCS-C, CUCM and CUPS are issued from this CA. The ca certificate is added to all *-trust stores on the CUP and CUCM.
Any ideas, why this certificate can't be loaded from the IM&P server?
Regards,
Paul
02-03-2014 09:57 AM
Did not look that much into it in general, but sounds to me that the rootca does not exist on the server which you connect to.
sure that all is generated and uploaded fine?
Please remember to rate helpful responses and identify helpful or correct answers.
Please remember to rate helpful responses and identify
02-04-2014 12:04 AM
The root certificate is there, why else should it try to be loaded?
The file name is not rootca.pem, but the real file name of our root ca. So it is not just some file which includes some cas, but exactly the file for our root ca.
Regards,
Paul
03-05-2014 11:59 AM
Hi Paul, I have a TAC case open on this. Did you ever come up with a solution for this?
10-10-2014 02:18 AM
Hi,
has this ever been solved? I've the same issue with VCS-C X8.2.2 and IM&P 10.5.1
Thanks
Oliver
10-10-2014 02:27 AM
Hi Oliver,
this was an issue with IM&P 9. Did you upgrade to IMP&P 10.5 ?
If so, you can try to recreate your certificates.
10-10-2014 02:35 AM
Hi Paul,
yes IM&P was upgraded to 10.5.1. VCS-C was freshly installed after IM&P upgrade. In IM&P node I see the following exeption when AXL request is generated from VCS:
java.io.FileNotFoundException: /usr/local/sip/.security/cert_cache/SERVICE_ESP/jns_Root_Certificate_Authority.pem (No such file or directory)
I already re-uploaded root cert, but the error stays
10-10-2014 02:41 AM
Hi Oliver,
the issue is on the IM&P side. If you recreate the IM&P certificates, this might fix your issue.
Alternatively you can open a TAC case. The TAC engineer can get root access to you IM&P and fix that issue. There is also a bug for that, but I do not have the ID.
10-10-2014 03:10 AM
ok, I already tried to re-upload all trust-certs in IM&P which didn't change the behavior. Know I deleted those root certs and uploaded again.....and voila: works now.
Thank you very much, this did the trick!
07-03-2015 09:14 AM
Hello eveybody,
I had same issue with IM&P ver 10.5.1.10000-9, I apply certificates from Microsoft CA Server and then when I wanted to add IM&P to Expressway-C 8.2.1 I received the same error.
I only update the IM&P software to 10.5.1.13900-2 then I could add CUP to Expressway-C.
Regards.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide