I tried to enable Mobile and Remote Access, but I'm having a issue with adding the IM&P Servers. If I want to discover the IM&P servers, the VCS fails when reading some internal root certificates.
That's the AXL Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.cisco.com/AXL/API/8.0"> <soapenv:Header/> <soapenv:Body> <ns:getCertificates sequence="?"> <userid>admin</userid> <component>SERVICE_ESP</component> </ns:getCertificates> </soapenv:Body> </soapenv:Envelope>
That's the response:
management UTCTime="2014-02-03 15:54:18,53" Module="network.axl" Level="DEBUG" Action="Received" URL="https://cupsserver.internal:8443/axl/" Function="getCertificates" Status="500" Content=" <?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><soapenv:Fault><faultcode>soapenv:Server</faultcode><faultstring>/usr/local/sip/.security/cert_cache/SERVICE_ESP/RootCA.pem (No such file or directory)</faultstring><detail><axlError><axlcode>-1</axlcode><axlmessage>/usr/local/sip/.security/cert_cache/SERVICE_ESP/RootCA.pem (No such file or directory)</axlmessage><request>getCertificates</request></axlError></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope> "
The certificate file is our internal root CA. The internal certificates on VCS-C, CUCM and CUPS are issued from this CA. The ca certificate is added to all *-trust stores on the CUP and CUCM.
Any ideas, why this certificate can't be loaded from the IM&P server?
Did not look that much into it in general, but sounds to me that the rootca does not exist on the server which you connect to.
sure that all is generated and uploaded fine?
Please remember to rate helpful responses and identify
The root certificate is there, why else should it try to be loaded?
The file name is not rootca.pem, but the real file name of our root ca. So it is not just some file which includes some cas, but exactly the file for our root ca.
this was an issue with IM&P 9. Did you upgrade to IMP&P 10.5 ?
If so, you can try to recreate your certificates.
yes IM&P was upgraded to 10.5.1. VCS-C was freshly installed after IM&P upgrade. In IM&P node I see the following exeption when AXL request is generated from VCS:
java.io.FileNotFoundException: /usr/local/sip/.security/cert_cache/SERVICE_ESP/jns_Root_Certificate_Authority.pem (No such file or directory)
I already re-uploaded root cert, but the error stays
the issue is on the IM&P side. If you recreate the IM&P certificates, this might fix your issue.
Alternatively you can open a TAC case. The TAC engineer can get root access to you IM&P and fix that issue. There is also a bug for that, but I do not have the ID.
ok, I already tried to re-upload all trust-certs in IM&P which didn't change the behavior. Know I deleted those root certs and uploaded again.....and voila: works now.
Thank you very much, this did the trick!
I had same issue with IM&P ver 10.5.1.10000-9, I apply certificates from Microsoft CA Server and then when I wanted to add IM&P to Expressway-C 8.2.1 I received the same error.
I only update the IM&P software to 10.5.1.13900-2 then I could add CUP to Expressway-C.