
CUPS 6.0.3 Calendar Integration

maloyal
Level 1

We have just upgraded CCM to 6.1.2.1000-13 and CUPS to 6.0.3.1000-12.

Previously, we had CUPS 6.0.2 and our OWA uses FBA so we had no Calendar integration in Unified Personal communicator. I understood this to be resolved in the latest version, so we upgraded.

We still have no Calendar integration with the Unified client and going thru the System Troubleshooter, it says our Presence Gateway is unreachable. I desperately need help configuring this...I think this comes down to certificates.

Our OWA certificate is issued by 3rd party, root CA is Equifax. I have downloaded the root CA from Equifax at http://www.geotrust.com/resources/root_certificates/index.asp and uploaded it to the Certs in CUPS OS Admin as .cer and .pem and it never shows up in the Certs list (which I've attached)

The initial install, we did upload our OWA cert as .pem and it appeared to take. On the initial CUPS 6.0.2 install, we briefly changed OWA to Windows Authentication and Calendaring worked. But we changed it back to FBA because we weren't ready to make that change.

The CN in the Cert is exactly the FQDN of our OWA so I'm really lost here. The deployment guide talks about using IIS to issue a cert request...I shouldn't need to do all that...especially since there is no IIS in CUPS.

thanks

Accepted Solutions

i'm able to install your equifax root ca certificate but it also does not appear in the certificate list of our CUPS!

we are using thawte root ca which worked fine this way. maybe CUPS has some problem processing different root CA certificate details? e.g. thawte has no CRL entry. i'm afraid you have to open a TAC case...

have you rebooted the CUPS server and tried again?

in the release notes of CUPS 6.03 i've found the following:

"If the certificate has no Subject CN, upload the certificate on the Presence Gateway Configuration page of the Cisco Unified Presence Administration GUI. Select Cisco Unified Presence > Presence Engine > Presence Gateways. You can upload any number of root CA certificates but you must upload five certificates at a time. Following a L2 upgrade, the Exchange certificates must be uploaded again on this page."

i don't believe that this also applies to root ca certificates, but maybe you can try this method too.


32 Replies

okuehn
Level 1

Hi,

we have faced the same problem with FBA. however, with 6.0.3 the calendar integration actually works fine!

you have to upload both, the root CA and your exchange OWA certificate as PresenceEngine-Trust.

when uploading the root use base64 encoded certificate rootca.cer and enter "." in the field root certificate!

you do not have to worry about the documentation regarding IIS certificate request...

hope this helps!

I uploaded the root ca as base64, named rootca.cer and "." in the field (with quotes) and still I get presence gateway unreachable via the Troubleshooter.

My OWA cert was uploaded as PEM...do I need to delete that and reload as cer?

And my certs page still does not list the rootca for the 3rd party...argh!

Thanks

sorry, put only a . in the field rootca name

Nope...a period in the Root certificate name field does not work. My troubleshooting status still show Presence gateway unreachable.

If I go to help doc on Cert page, I get: "If you are uploading an application certificate that was issued by a third party CA, enter the name of the CA root certificate in the Root Certificate text box. If you are uploading a CA root certificate, leave this text box empty."

Did that and still same result.

Do I need to just delete my .pem OWA cert and re-upload it?

Sorry to be a pain!

Well...on the presence gateway settings, I changed the Presence Gateway from my FQDN to the internal IP of my Exchange server...and now all troubleshooting steps pass except for MOC (not using) and MeetingPlace server (don't have.)

But my status in UPC still shows available even though I have an all day appt for being out of office.

ok, i think your initial problem is not related to certificate issues. the troubleshooter would have shown everything fine although you are not able to access calendar.

maybe you can check the following things:

- dns related problems on your CUPS. are you using DNS doctoring on PIX/ASA to resolve internal DMZ IP address of OWA?

- can you see any errors (Cisco UP Presence Engine) in application syslog using RealTimeMonitoringTool?

When I changed to the internal IP of my Exchange server, I thought maybe of DNS, but it should be pointing to my local internal DNS server which can resolve the FQDN of my OWA url.

I restarted the PE:

: 81: Jul 08 14:07:38.324 UTC : %CCM_SERVICEMANAGER-GENERIC-6-ServiceStarted: Service started. Service Name:Cisco UP Presence Engine Process ID:3469 Cluster ID: Node ID:pres1

Then this error:

: UNKNOWN PARAMETER ERROR 2

then:

: 0: Jul 08 14:10:49.152 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-3-PEExchangeConnectionLoss: Indicates that PE cannot connect to the Exchange Server. UNKNOWN_PARAMNAME:PEAlarmMessage:TLS error - check certificate; Server certificate verification failed: certificate issued for a different hostname, issuer is not Cluster ID:StandAloneCluster Node ID:pres1

Then:

: 1: Jul 08 14:14:03.115 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-2-PESipSgHostUnavailable: PE could not reach server group. Server group host that could not be contacted.:server group host=pres1 Cluster ID:StandAloneCluster Node ID:pres1

Restart the SIP Proxy and get:

: 2: Jul 08 14:14:29.146 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-2-PESipSgHostUnavailableClear: PE service can now connect the outbound proxy server group Server group host that can now contacted.:server group host=pres1 Cluster ID:StandAloneCluster Node ID:pres1

in the error logs you can see that you have to use the fqdn name of your OWA server. because only this fqdn name matches the certificate CN

"...certificate issued for a different hostname, issuer is not Cluster ID:StandAloneCluster Node ID:pres1"

can you confirm the dns resolve on your CUPS server?

I changed my presence gateway back to my FQDN and get:

: 2: Jul 08 15:04:54.87 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-3-PEExchangeConnectionLoss: Indicates that PE cannot connect to the Exchange Server. UNKNOWN_PARAMNAME:PEAlarmMessage:TLS error - check certificate; Server certificate verification failed: issuer is not trusted Cluster ID:StandAloneCluster Node ID:pres1

The DNS server is correct. Can I do a NSlookup from the command prompt on Pres?

you can do a nslookup using the following command on CLI:

utils network host webmail.ndv.net

did the host lookup and it correctly resolved my FQDN of my Webmail.

i think the troubleshooter message is wrong and CUPS can resolve your internal IP. the error message "TLS error - check certificate; Server certificate verification failed: issuer is not trusted " indicates that CUPS cannot verify your OWA certificate because it does not have the equifax root CA installed.

can you confirm that your equifax root CA certificate is listed in your CUPS certificate list as PresenceEngine-trust?

I keep reloading the dang rootca.cer with just a period (.) in the field root certificate and I've done it blank and still it doesn't show up in my cert list.

See attached

please, can you send me your root CA certificate?
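
The two TLS alarms quoted in this thread ("certificate issued for a different hostname" and "issuer is not trusted") can be reproduced and told apart offline with `openssl verify`. This is an added example, not part of the original posts and not Cisco tooling; the CA, the server certificate, and the names `owa.example.test` and `10.0.0.5` are constructed placeholders, and it assumes OpenSSL 1.1.0 or later on an admin workstation.

```shell
#!/bin/sh
# Added example. Everything here is constructed: the CA, the server cert,
# and the placeholder names owa.example.test / 10.0.0.5.
WORK=$(mktemp -d)

make_certs() {
  # Stand-in for the third-party root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null || return 1
  # Stand-in for the OWA certificate: CN is the server's FQDN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=owa.example.test" \
    -keyout "$WORK/owa.key" -out "$WORK/owa.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/owa.csr" -days 2 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/owa.pem" 2>/dev/null
}

# check <root-ca.pem or ""> <name the client connects to>
# Prints: trusted | hostname-mismatch | issuer-not-trusted | other
check() {
  if [ -n "$1" ]; then trust="-CAfile $1"; else trust="-no-CAfile"; fi
  # $trust is intentionally unquoted so it splits into option + argument
  if out=$(openssl verify -no-CApath $trust -verify_hostname "$2" \
             "$WORK/owa.pem" 2>&1); then
    echo trusted
  else
    case "$out" in
      *[Hh]ostname\ mismatch*)        echo hostname-mismatch ;;
      *"unable to get local issuer"*) echo issuer-not-trusted ;;
      *)                              echo other ;;
    esac
  fi
}

make_certs || { echo "openssl failed" >&2; exit 1; }
echo "FQDN, root in trust store: $(check "$WORK/ca.pem" owa.example.test)"
echo "IP,   root in trust store: $(check "$WORK/ca.pem" 10.0.0.5)"
echo "FQDN, root missing:        $(check "" owa.example.test)"
```

The three cases correspond to the thread: gateway set to the FQDN with the root present, gateway set to the server's IP, and gateway set to the FQDN while the root is absent from the trust list.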