[cisco-voip] 10.5.1 UCCX Certificate for Finesse

Jose Colon II jcolon424 at gmail.com
Fri Feb 6 13:00:30 EST 2015


Anthony thank you a ton for that. I will give this a try and see how far I
get. I have a window of opportunity to do this tomorrow and we have a TAC
case open trying to figure it out as well. I really appreciate your time in
building this out and giving me an option.

KUDOS!!!

Jose

On Fri, Feb 6, 2015 at 11:54 AM, Anthony Holloway <
avholloway+cisco-voip at gmail.com> wrote:

> Jose,
>
> I just lab'd this up, with an internal CA (Win2k8R2) and here are my cliff
> notes.
>
> *most of the settings in this process can be left as default, or don't
> really matter, so long as you have a convention and it's used throughout.
>
> Validate your UCCX DNS settings with show network eth0 detail.  It should
> have a fully functioning DNS setup with A record and PTR record.  A CNAME
> record is optional but nice if you want something like ccx.company.local
> instead of abc123ccx123.company.local (or other extreme hostname ugliness).
>
> Validate your Web Security settings with show web-security.  Set your SAN
> to the CNAME from the above paragraph like this:
>
> set web-security <ouname> <oname> <city> <state> <country>
> ccx.company.local
>
> This will regen the tomcat cert automatically, but as long as you don't
> restart Tomcat nor the server, no client will be served this cert.
> Optionally, if you want to see the cert on the client right now, just to
> see it, then restart Cisco Tomcat and/or Cisco Finesse Tomcat, then restart
> your browser to connect to the server again, and inspect the cert.
> Otherwise, leave it be for now, and let's move on.
>
> I won't go through the details of enabling the MS AD Root CA role, but it's
> pretty self explanatory (i.e., Next, Next, Next, Next, etc.).  It might
> even already be turned on in your environment.  It will be required to
> proceed, so make sure it's done.  Just be sure to adjust your group policy
> to allow auto enrollment of certs, otherwise, your Issuer cert will not be
> on the desktop PCs and the chain of trust will not exist.  FireFox ignores
> this anyway, so you'll need to address FF + Trusted Root CA, which can
> be imported manually
> <http://www.cyberciti.biz/faq/firefox-adding-trusted-ca/> into FF or
> automated
> <http://stackoverflow.com/questions/1435000/programmatically-install-certificate-into-mozilla>
> .
>
> Alternatively, you could use some other server to sign your certs, and the
> only real difference I can think of is that you'd lack the auto enroll
> feature on the domain PCs, in which case you can simply right click the
> cert and import it into your trusted root CA.  I'm sure there's even a way
> to push that out via GPO.
>
> Now log into UCCX OS Admin and generate a new CSR for tomcat.  Download
> that CSR and then point your browser to your AD CA like this:
>
> http://ad-ca.company.local/certsrv
>
> Go through the process of requesting a new cert with advanced settings
> from an existing file.  You'll know you're at the right place if all it's
> asking you for is the contents of the CSR file.  You'll need to copy/paste
> the contents into the browser window, select Web Server as the template,
> and then generate the cert.  You will need to download the cer in order to
> upload it to UCCX, and then you'll need the Chain cert to import in to FF
> as well as upload to UCCX.
>
> You should now have three files: a CSR (no longer needed), a new Cert
> (need to import to UCCX still), and a Chain cert (need to import into UCCX
> and FF).
>
> Let's move on to uploading the chain and cert in UCCX, which is done in OS
> Admin.  Upload the chain one first, then upload the tomcat one second.  You
> will now need to restart Cisco Tomcat and Cisco Finesse Tomcat in order for
> them to start dishing out the new cert.  You can do this from the CLI with
> utils service restart Cisco Tomcat and utils service restart Cisco Finesse
> Tomcat.
>
> As long as you've auto enrolled your PCs in domain certs and/or imported
> the chain into FF, you should not see a warning any longer.  If you did
> set up auto enroll, but the PC hasn't picked up the cert it needs yet, you
> can run gpupdate /force to make it happen without a logoff.
>
> Recall that you can now use:
>
> https://ccx.company.local/appadmin AND
> https://ccx.company.local:8445/desktop
>
> That's a high level overview of using an internal CA to sign Tomcat and
> Finesse Tomcat.  I hope it was helpful.
>
> On Thu Feb 05 2015 at 12:17:54 PM Jose Colon II <jcolon424 at gmail.com>
> wrote:
>
>> Thanks Brian. How would I go about issuing an internal CA that does not
>> require the Finesse user to accept multiple certificates. My users are not
>> that tech savvy and there are over 300 of them that will need to come in
>> Monday morning.
>>
>> On Thu, Feb 5, 2015 at 11:38 AM, Kevin Przybylowski <
>> kevinp at advancedtsg.com> wrote:
>>
>>> Another nice CSR decoder:
>>> https://www.networking4all.com/en/support/tools/csr+check/
>>>
>>>
>>> -----Original Message-----
>>> From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf
>>> Of Jason Aarons (AM)
>>> Sent: Thursday, February 5, 2015 12:08 PM
>>> To: Gary Parker; jcolon424 at gmail.com
>>> Cc: Cisco VOIP
>>> Subject: Re: [cisco-voip] 10.5.1 UCCX Certificate for Finesse
>>>
>>> I've run into this before: TX vs Texas
>>>
>>> Use this to view your CSR and then fix via the set web-security commands
>>> etc
>>>
>>> http://certlogik.com/decoder/
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf
>>> Of Gary Parker
>>> Sent: Thursday, February 5, 2015 11:55 AM
>>> To: jcolon424 at gmail.com
>>> Cc: Cisco VOIP
>>> Subject: Re: [cisco-voip] 10.5.1 UCCX Certificate for Finesse
>>>
>>>
>>> > On 5 Feb 2015, at 16:37, Jose Colon II <jcolon424 at gmail.com> wrote:
>>> >
>>> > I am trying to generate a certificate request from the 10.5.1 UCCX box and
>>> the cert it generates is not working with Verisign. It tells me "The State
>>> Name in the CSR cannot be abbreviated"
>>> >
>>> > Anyone have any suggestions?
>>>
>>> Hi Jose, have a look at your CSR using:
>>>
>>> openssl req -text -noout -verify -in CSR.csr
>>>
>>> where CSR.csr is your csr file.
>>>
>>> Mine, for example, reads:
>>>
>>>         Subject: C=GB, ST=Leicestershire, L=Loughborough, O=Loughborough University, OU=ITS, CN=tainter.lboro.ac.uk/serialNumber=xxxxxxxxxxxxxxxxxxxxxxxxx
>>>
>>> On the “Subject:” line, is the entry for ST= an abbreviated version of
>>> your State name? If so I’d imagine you’ll have to log in on the command line
>>> of the server and use “set web-security” to change the State to a proper
>>> value.
>>>
>>> If I had ST=Leics it would also likely fail.
>>>
>>> Be aware that this *may* make you have to relicense the server (I’m not
>>> sure if changing state is enough to trigger this).
>>>
>>>
>>> ---
>>> /-Gary Parker----------------------------------f--\
>>> |     Unified Communications Service Manager      |
>>> n       Loughborough University IT Services       |
>>> |     Tel: +441509635635  Mob: +447989172258      o
>>> |     http://delphium.lboro.ac.uk/pubkey.txt      |
>>> \r----------------------------------------------d-/
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>
>>
>
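The thread's fix for the Verisign rejection is to decode the CSR with `openssl req -text -noout -verify` and eyeball the ST= entry. The script below is an added example, not code from the thread, from Cisco or from any of the posters: it parses the `Subject:` line of that openssl output and flags the two things a public CA checks that UCCX will happily get wrong (an abbreviated State, a non-ISO country code), and optionally confirms the CN matches the name users will actually browse to (the CNAME Anthony recommends). The openssl output it parses is a constructed sample, modelled on the subject Gary posted, not a real request.

```python
"""Pre-submission lint for a CSR subject.

Added example, not from the thread or from Cisco. Parses the 'Subject:'
line printed by `openssl req -text -noout -verify -in CSR.csr` and flags
the problem discussed above (ST=TX where a public CA wants ST=Texas) so
the CSR is corrected with `set web-security` before it is submitted.
"""
import re
from typing import Optional

# Constructed sample: the relevant lines of `openssl req -text` for a
# well-formed subject (modelled on the one posted in the thread).
SAMPLE_OK = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=Leicestershire, L=Loughborough, O=Loughborough University, OU=ITS, CN=tainter.lboro.ac.uk/serialNumber=xxxxxxxxxxxxxxxxxxxxxxxxx
"""

# Constructed sample: the kind of subject Verisign rejected (State abbreviated).
SAMPLE_ABBREV = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=TX, L=Austin, O=Example Corp, OU=Contact Center, CN=ccx.company.local
"""

# Split the subject into RDNs on ", " or "/" only where an "attr=" follows,
# so values that themselves contain commas or slashes survive intact.
_RDN_SEP = re.compile(r",\s*(?=[A-Za-z]+=)|/(?=[A-Za-z]+=)")


def parse_subject(req_text: str) -> dict:
    """Return the Subject RDNs of decoded `openssl req -text` output as an
    attribute -> value dict (insertion order preserved)."""
    m = re.search(r"^\s*Subject:\s*(.+)$", req_text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Subject:' line in the decoded CSR text")
    rdns = {}
    for part in _RDN_SEP.split(m.group(1)):
        attr, _, value = part.partition("=")
        rdns[attr.strip()] = value.strip()
    return rdns


def lint_subject(rdns: dict, expected_cn: Optional[str] = None) -> list:
    """Return a list of human-readable problems; an empty list means the
    subject is ready for a public CA. expected_cn is the hostname users
    will browse to (the CNAME in the thread), if you want it checked."""
    problems = []

    st = rdns.get("ST", "")
    if not st:
        problems.append("ST (State/Province) is missing")
    elif len(st) <= 3 and st.isupper():
        # Public CAs reject postal abbreviations; they want the full name.
        problems.append(f"ST={st!r} looks abbreviated; use the full state name")

    c = rdns.get("C", "")
    if not (len(c) == 2 and c.isalpha() and c.isupper()):
        # The country, by contrast, must be the two-letter ISO 3166 code.
        problems.append(f"C={c!r} must be a two-letter ISO country code")

    cn = rdns.get("CN", "")
    if not cn:
        problems.append("CN is missing")
    elif expected_cn and cn.lower() != expected_cn.lower():
        problems.append(f"CN={cn!r} does not match the name users will browse to ({expected_cn!r})")

    return problems


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_OK), ("abbreviated", SAMPLE_ABBREV)):
        found = lint_subject(parse_subject(text))
        print(f"{label}: {found or 'no problems'}")
```

In practice you would pipe the real decoder output in (`openssl req -text -noout -verify -in CSR.csr | python3 csr_lint.py`) instead of using the embedded samples; the parser only needs the `Subject:` line, so the rest of the openssl output is ignored.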