Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1669
Views
5
Helpful
3
Replies

Unity Connection 10 with Exchange 2013 Single Inbox SSL certificates

Go to solution
woutereelen
Level 1
Level 1

‎05-25-2014 01:34 PM - edited ‎03-19-2019 08:13 AM

Hi,

If you enable the unified messaging service on Unity Connection you have the option to validate the SSL certificates. For some reason it's not working. I really don't have solid expertise in Exchange or with server certificates, so I'm reaching out for some help. Environment: Exchange 2013 64-bit on Windows server 2008 R2 64-bit. 

To me it's not clear what is going wrong, if it's exchange or unity connection that throws the error. I find the Cisco documentation not clear on this subject. It doesn't state what specific certificates need to be uploaded on CUC, so I took the root certificate and the server certificate. I uploaded both to 'tomcat-trust' and 'connection-trust' as descibed in the docs. In Wireshark traces I can see an encrypted handshake and no errors.

I followed all steps in this document:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/9x/unified_messaging/guide/9xcucumgx/9xcucumg020.html#wp1348034

If I don't validate the certificates the integration is working perfectly. When I enable the option to validate the certificates and I test with a UM account the error I receive is:
Diagnostic=[Peer certificate cannot be authenticated with given CA certificates -- SSL certificate problem: unable to get local issuer certificate] Verb=[POST] url=[https://WIN-HQU5PTR49V3.demo.be/EWS/Exchange.ASMX] request=[<?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"> <soap:Header> <t:RequestServerVersion Version="Exchange2007_SP1"/> <t:ExchangeImpersonation> <t:ConnectingSID> <t:PrimarySmtpAddress>weelen@demo.be</t:PrimarySmtpAddress> </t:ConnectingSID> </t:ExchangeImpersonation> </soap:Header> <soap:Body> <GetFolder xmlns="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"> <FolderShape> <t:BaseShape>Default</t:BaseShape> </FolderShape> <FolderIds> <t:DistinguishedFolderId Id="deleteditems"> <t:Mailbox> <t:EmailAddress>weelen@demo.be</t:EmailAddress> </t:Mailbox> </t:DistinguishedFolderId> </FolderIds> </GetFolder> </soap:Body> </soap:Envelope> ] response=[] 

As this is a lab environment I don't have signed certificates, so I converted them with openssl (.der to .pem). In the troubleshooting guide they provide the workarround by not enabling this certificates validation. Is it even supposed to work like this?

I tried to change some settings from what I found in several other posts on this forum, but the problem remains. 

Is there another way to test this? 

What traces can be looked at on CUC to see what's going wrong with the certificates?

Thanks for any useful information.

KR,
Wouter

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
David Hailey
VIP Alumni
VIP Alumni

‎05-27-2014 08:30 AM

If you are using a self-signed certificate in your lab, a self-signed certificate cannot be validated.  You would need to disable this option in your configuration.

D. Hailey

View solution in original post

0 Helpful
3 Replies 3

Go to solution
David Hailey
VIP Alumni
VIP Alumni

‎05-27-2014 08:30 AM

If you are using a self-signed certificate in your lab, a self-signed certificate cannot be validated.  You would need to disable this option in your configuration.

D. Hailey

0 Helpful

Go to solution
woutereelen
Level 1
Level 1
In response to David Hailey

‎05-27-2014 10:06 AM

Hi D. Hailey,

Thanks for the answer. I guess I must have been too tired that night to read complete documentation (or just too lazy). The documentation is indeed clear on this:

"Self-signed certificates cannot be validated. If you selected HTTPS from the Web-Based Protocol list, and if you are using self-signed certificates, do not check the Validate Certificates for Exchange Servers check box. If you do check the check box, Connection will not be able to access Exchange"

Now that's an easy 5 points (for the effort on answering n00b questions).

But why not changing the parameter to "Validate public certificates for Exchange Servers" if that's the only way to go? Must just been me...

Thanks
Wouter

0 Helpful

Go to solution
David Hailey
VIP Alumni
VIP Alumni
In response to woutereelen

‎05-27-2014 10:42 AM

Well, I don't have much say in whether or not the parameter name itself should be changed.  I don't really see it as being an issue but that's my opinion.  In general, I don't typically use certificate validation but, like everything, I'm sure there are 2 sides to that story depending on who you talk to.

Hailey

0 Helpful
Customers Also Viewed These Support Documents