09-16-2022 06:52 AM
Hello to all,
as of Expressway 14.2 (and 14.0.9) Cisco changed the behaviour of Expressway TLS verification, so it is now on by default.
CSCwc69661 : Bug Search Tool (cisco.com)
Troubleshoot Expressway Traffic Server Certificate Verification for MRA Services Introduced by CSCwc69661 - Cisco
It is stated that with the workaround "xConfiguration EdgeConfigServer VerifyOriginServer: Off" it should still work even if there is no valid CA or CUCM certificate on Expressway.
With this, we have two problems:
1. Our setup is that CUCM is not using DNS or a domain name and has only self-signed certificates. That has worked OK for years with our Expressway E/C pair for MRA. Now, with the update to 14.2, even if we implement the mentioned workaround, IP phones cannot register. Jabber clients can, and they work OK. I've opened a TAC case for this, as per the documentation with the workaround everything should work like in version 14.0.8, but it does not. Still no solution from TAC.
2. With "xConfiguration EdgeConfigServer VerifyOriginServer: On" I tried in a LAB environment to convert our CUCM system to using DNS and a domain so we can use the TLS check. After configuring it, CUCM restarted and regenerated the self-signed certificates, and now they contain the FQDN of CUCM. I've imported those certificates into the Expressway-C CA trust store and reconfigured Expressway-C to use the FQDN for CUCM instead of IP addresses. In the status everything looks OK; Expressway is connected to CUCM. When trying to connect with Jabber, in the Expressway logs I see that the GET requests for /cucm-uds/clusterUser, /cucm-uds/servers and /cucm-uds/version contain the FQDN of CUCM, and that looks OK. However, for /cucm-uds/user there are still IP addresses instead of the FQDN. Because of that, TLS verification fails, as the IP address of CUCM is not contained in the self-signed CUCM certificate, so Jabber cannot register.
I'm not finding the reason why the GET request for user (http://ip_of_cucm:firstname.lastname@example.org) is using the IP address instead of the FQDN.
I'm trying to find a solution for 1. or 2., as for now it looks like we cannot upgrade Expressway-C to a version higher than 14.0.8.
09-16-2022 07:19 AM - edited 09-16-2022 09:49 AM
Have you refreshed, or possibly even removed and then re-added, the CM and IMP systems on your C after you made the change to have it use names? Also, can you please share a screenshot of your CM System > Server page? These need to be in FQDN.
For your first question, the long-term solution is to use FQDNs for the names on all nodes and to get CA-signed certificates. This can very well be an internal CA; many companies do use that for any internal-facing certificates. For MRA the only certificate that is recommended to be signed by a public CA is the one on the E, as that is used by clients when they are outside of your corporate network premises.
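The failure described in the original post (Expressway-C trusts the regenerated CUCM certificate, yet verification fails as soon as a request targets the node by IP address) comes down to two separate checks every TLS client performs once origin-server verification is on: the presented certificate must chain to the trust store, and the name the client connected with (FQDN or IP literal) must appear in the certificate's Subject Alternative Names. The following Go program reproduces both checks offline with a self-generated certificate. It is an added example, not code from Cisco or from the thread; the node name cucm-pub.example.internal and the address 10.10.20.30 are assumed lab values, and the certificate is built locally rather than exported from a CUCM node.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeSelfSigned builds a self-signed server certificate the way a CUCM node
// does after regeneration: CN = node name, plus whatever SAN entries are given.
// (Constructed for this example; a real CUCM cert also carries other extensions.)
func makeSelfSigned(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own trust anchor
		DNSNames:              dnsNames,
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyOrigin performs the two checks a verifying client applies to the
// origin server: chain to a trusted root, then match the connected-to name
// (an IP literal is matched against IP SANs, a host name against DNS SANs).
func verifyOrigin(cert *x509.Certificate, trusted *x509.CertPool, target string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     trusted,
		DNSName:   target,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	fqdn := "cucm-pub.example.internal" // assumed lab node name
	ip := net.ParseIP("10.10.20.30")    // assumed lab node address

	// Certificate as regenerated once CUCM has a domain: FQDN SAN only.
	fqdnOnly, err := makeSelfSigned(fqdn, []string{fqdn}, nil)
	if err != nil {
		panic(err)
	}
	trust := x509.NewCertPool()
	trust.AddCert(fqdnOnly) // equivalent of importing it into the Expressway-C CA trust store

	fmt.Println("trusted, by FQDN :", verifyOrigin(fqdnOnly, trust, fqdn))
	fmt.Println("trusted, by IP   :", verifyOrigin(fqdnOnly, trust, ip.String()))
	fmt.Println("untrusted, by FQDN:", verifyOrigin(fqdnOnly, x509.NewCertPool(), fqdn))

	// Same cert with the address also listed as an IP SAN: IP-based requests now pass.
	withIP, err := makeSelfSigned(fqdn, []string{fqdn}, []net.IP{ip})
	if err != nil {
		panic(err)
	}
	trust2 := x509.NewCertPool()
	trust2.AddCert(withIP)
	fmt.Println("IP SAN, by IP    :", verifyOrigin(withIP, trust2, ip.String()))
}
```

The second and third lines of output are the two distinct failures the post conflates: an untrusted issuer (nothing in the trust store, the pre-14.2 situation) versus a trusted certificate that simply does not name the address being used (the /cucm-uds/user request by IP). Only the first is addressed by importing certificates; the second needs every name the client will use to be present in the SAN, which is why the reply above recommends FQDNs everywhere.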
09-16-2022 09:53 AM
OK, for #2 I missed changing the IP address to the FQDN on CM System > Servers. Thanks to both of you for pointing to it!
However, we would prefer to make this work with the #1 scenario. The thing is that our production CUCM cluster is a complex multi-country and multi-company solution, so putting DNS and a domain on CUCM is not so easy to do without risk of failures on all the other systems that we have. It is a 24/7 system with contact centers, so every change that is applied globally is a big risk and causes some downtime. As per the documentation, turning off "xConfiguration EdgeConfigServer VerifyOriginServer" should do the job, but there are obviously some problems with IP phones while Jabber works OK.