cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1255
Views
5
Helpful
3
Replies

Unity Connection 10 with Exchange 2013 Single Inbox SSL certificates

woutereelen
Beginner
Beginner

Hi,

If you enable the unified messaging service on Unity Connection you have the option to validate the SSL certificates. For some reason it's not working. I really don't have solid expertise in Exchange or with server certificates, so I'm reaching out for some help. Environment: Exchange 2013 64-bit on Windows server 2008 R2 64-bit. 

To me it's not clear what is going wrong, if it's exchange or unity connection that throws the error. I find the Cisco documentation not clear on this subject. It doesn't state what specific certificates need to be uploaded on CUC, so I took the root certificate and the server certificate. I uploaded both to 'tomcat-trust' and 'connection-trust' as descibed in the docs. In Wireshark traces I can see an encrypted handshake and no errors.

I followed all steps in this document:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/9x/unified_messaging/guide/9xcucumgx/9xcucumg020.html#wp1348034

If I don't validate the certificates the integration is working perfectly. When I enable the option to validate the certificates and I test with a UM account the error I receive is:
Diagnostic=[Peer certificate cannot be authenticated with given CA certificates -- SSL certificate problem: unable to get local issuer certificate] Verb=[POST] url=[https://WIN-HQU5PTR49V3.demo.be/EWS/Exchange.ASMX] request=[<?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"> <soap:Header> <t:RequestServerVersion Version="Exchange2007_SP1"/> <t:ExchangeImpersonation> <t:ConnectingSID> <t:PrimarySmtpAddress>weelen@demo.be</t:PrimarySmtpAddress> </t:ConnectingSID> </t:ExchangeImpersonation> </soap:Header> <soap:Body> <GetFolder xmlns="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"> <FolderShape> <t:BaseShape>Default</t:BaseShape> </FolderShape> <FolderIds> <t:DistinguishedFolderId Id="deleteditems"> <t:Mailbox> <t:EmailAddress>weelen@demo.be</t:EmailAddress> </t:Mailbox> </t:DistinguishedFolderId> </FolderIds> </GetFolder> </soap:Body> </soap:Envelope> ] response=[] 

As this is a lab environment I don't have signed certificates, so I converted them with openssl (.der to .pem). In the troubleshooting guide they provide the workarround by not enabling this certificates validation. Is it even supposed to work like this?

I tried to change some settings from what I found in several other posts on this forum, but the problem remains. 

Is there another way to test this? 

What traces can be looked at on CUC to see what's going wrong with the certificates?

Thanks for any useful information.

KR,
Wouter

1 Accepted Solution

Accepted Solutions

David Hailey
Advisor
Advisor

If you are using a self-signed certificate in your lab, a self-signed certificate cannot be validated.  You would need to disable this option in your configuration.

D. Hailey

View solution in original post

3 Replies 3

David Hailey
Advisor
Advisor

If you are using a self-signed certificate in your lab, a self-signed certificate cannot be validated.  You would need to disable this option in your configuration.

D. Hailey

Hi D. Hailey,

Thanks for the answer. I guess I must have been too tired that night to read complete documentation (or just too lazy). The documentation is indeed clear on this:

"Self-signed certificates cannot be validated. If you selected HTTPS from the Web-Based Protocol list, and if you are using self-signed certificates, do not check the Validate Certificates for Exchange Servers check box. If you do check the check box, Connection will not be able to access Exchange"

Now that's an easy 5 points (for the effort on answering n00b questions).

But why not changing the parameter to "Validate public certificates for Exchange Servers" if that's the only way to go? Must just been me...

Thanks
Wouter

Well, I don't have much say in whether or not the parameter name itself should be changed.  I don't really see it as being an issue but that's my opinion.  In general, I don't typically use certificate validation but, like everything, I'm sure there are 2 sides to that story depending on who you talk to.

Hailey

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: