[cisco-voip] 10.5.1 UCCX Certificate for Finesse

Anthony Holloway avholloway+cisco-voip at gmail.com
Fri Feb 6 12:54:54 EST 2015


Jose,

I just lab'd this up, with an internal CA (Win28kR2) and here are my cliff
notes.

*most of the settings in this process can be left as default, or don't
really matter, so long as you have a convention and it's used throughout.

Validate your UCCX DNS settings with show network eth0 detail.  It should
have a fully functioning DNS setup with A record and PTR record.  A CNAME
record is optional but nice if you want something like ccx.company.local
instead of abc123ccx123.company.local (or other extreme hostname ugliness).

Validate your Web Security settings with show web-security.  Set your SAN
to the CNAME from the above paragraph like this:

set web-security <ouname> <oname> <city> <state> <country> ccx.company.local

This will regen the tomcat cert automatically, but as long as you don't
restart Tomcat nor the server, no client will be served this cert.
Optionally, if you want to see the cert on the client right now, just to
see it, then restart Cisco Tomcat and/or Cisco Finesse Tomcat, then restart
your browser to connect to the server again, and inspect the cert.
Otherwise, leave it be for now, and let's move on.

I won't go through the details of enabling the MS AD Root CA role, but it's
pretty self-explanatory (i.e., Next, Next, Next, Next, etc.).  It might
even already be turned on in your environment.  It will be required to
proceed, so make sure it's done.  Just be sure to adjust your group policy
to allow auto enrollment of certs, otherwise, your Issuer cert will not be
on the desktop PCs and the chain of trust will not exist.  Firefox ignores
this anyway, so you'll need to address FF + Trusted Root CA, which can
be imported manually <http://www.cyberciti.biz/faq/firefox-adding-trusted-ca/>
into FF or automated
<http://stackoverflow.com/questions/1435000/programmatically-install-certificate-into-mozilla>.

Alternatively, you could use some other server to sign your certs, and the
only real difference I can think of is that you'd lack the auto enroll
feature on the domain PCs, in which case you can simply right click the
cert and import it into your trusted root CA.  I'm sure there's even a way
to push that out via GPO.

Now log into UCCX OS Admin and generate a new CSR for tomcat.  Download
that CSR and then point your browser to your AD CA like this:

http://ad-ca.company.local/certsrv

Go through the process of requesting a new cert with advanced settings from
an existing file.  You'll know you're at the right place if all it's asking
you for is the contents of the CSR file.  You'll need to copy/paste the
contents into the browser window, select Web Server as the template, and
then generate the cert.  You will need to download the .cer in order to
upload it to UCCX, and then you'll need the Chain cert to import into FF
as well as upload to UCCX.

You should now have three files: a CSR (no longer needed), a new Cert (need
to import to UCCX still), and a Chain cert (need to import into UCCX and
FF).

Let's move on to uploading the chain and cert in UCCX, which is done in OS
Admin.  Upload the chain one first, then upload the tomcat one second.  You
will now need to restart Cisco Tomcat and Cisco Finesse Tomcat in order for
them to start dishing out the new cert.  You can do this from the CLI with
utils service restart Cisco Tomcat and utils service restart Cisco Finesse
Tomcat.

As long as you've auto enrolled your PCs in domain certs and/or imported
the chain into FF, you should not see a warning any longer.  If you did
set up auto enroll, but the PC hasn't picked up the cert it needs yet, you
can run gpupdate /force to make it happen without a logoff.

Recall that you can now use:

https://ccx.company.local/appadmin AND https://ccx.company.local:8445/desktop

That's a high level overview of using an internal CA to sign Tomcat and
Finesse Tomcat.  I hope it was helpful.

On Thu Feb 05 2015 at 12:17:54 PM Jose Colon II <jcolon424 at gmail.com> wrote:

> Thanks Brian, how would I go about issuing an internal CA that does not
> require the Finesse user to accept multiple certificates? My users are not
> that tech savvy and there are over 300 of them that will need to come
> Monday morning.
>
> On Thu, Feb 5, 2015 at 11:38 AM, Kevin Przybylowski <
> kevinp at advancedtsg.com> wrote:
>
>> Another nice CSR decoder:
>> https://www.networking4all.com/en/support/tools/csr+check/
>>
>>
>> -----Original Message-----
>> From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf
>> Of Jason Aarons (AM)
>> Sent: Thursday, February 5, 2015 12:08 PM
>> To: Gary Parker; jcolon424 at gmail.com
>> Cc: Cisco VOIP
>> Subject: Re: [cisco-voip] 10.5.1 UCCX Certificate for Finesse
>>
>> I've run into this before: TX vs Texas
>>
>> Use this to view your CSR and then fix via the set web-security commands
>> etc
>>
>> http://certlogik.com/decoder/
>>
>>
>>
>>
>> -----Original Message-----
>> From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf
>> Of Gary Parker
>> Sent: Thursday, February 5, 2015 11:55 AM
>> To: jcolon424 at gmail.com
>> Cc: Cisco VOIP
>> Subject: Re: [cisco-voip] 10.5.1 UCCX Certificate for Finesse
>>
>>
>> > On 5 Feb 2015, at 16:37, Jose Colon II <jcolon424 at gmail.com> wrote:
>> >
>> > I am trying to generate a certificate request from a 10.5.1 UCCX box and
>> the cert it generates is not working with VeriSign. It tells me "The State
>> Name in the CSR cannot be abbreviated"
>> >
>> > Anyone have any suggestions?
>>
>> Hi Jose, have a look at your CSR using:
>>
>> openssl req -text -noout -verify -in CSR.csr
>>
>> where CSR.csr is your csr file.
>>
>> Mine, for example, reads:
>>
>>         Subject: C=GB, ST=Leicestershire, L=Loughborough, O=Loughborough
>> University, OU=ITS, CN=
>> tainter.lboro.ac.uk/serialNumber=xxxxxxxxxxxxxxxxxxxxxxxxx
>>
>> On the “Subject:” line is the entry for ST= an abbreviated version of
>> your State name? If so I’d imagine you’ll have to login on the command line
>> for the server and use “set web-security” to change the State to a proper
>> value.
>>
>> If I had ST=Leics it would also likely fail.
>>
>> Be aware that this *may* make you have to relicense the server (I’m not
>> sure if changing state is enough to trigger this).
>>
>>
>> ---
>> /-Gary Parker-------------------------------------\
>> |     Unified Communications Service Manager      |
>> |       Loughborough University IT Services       |
>> |     Tel: +441509635635  Mob: +447989172258      |
>> |     http://delphium.lboro.ac.uk/pubkey.txt      |
>> \-------------------------------------------------/
>>
>>
>>
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>