[cisco-voip] UCCX 11.5 Upgrade Disaster

nimloth at nimloth.pl
Thu Nov 17 15:41:12 EST 2016


Hi Abhiram,

 

Many thanks for the pics – quite useful.

 

If the tomcat cert is signed using an Internal CA with RSA and the same Internal CA doesn't support ECDSA, what are the possibilities (use an external CA for ECDSA signing)?

Where can we find the COP to disable ECDSA? Are there any risks in doing it? Is there a rollback when ECDSA is offered by the Internal CA?

 

Many thanks,

Lukasz

 

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Abhiram Kramadhati (akramadh)
Sent: Thursday, November 17, 2016 7:00 PM
To: Clifford McGlamry <cmcglamry at forsythe.com>; Anthony Holloway <avholloway+cisco-voip at gmail.com>; Heim, Dennis <Dennis.Heim at wwt.com>
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] UCCX 11.5 Upgrade Disaster

 

Hi all, 

 

This is from a document I created internally for the teams. Hope it clarifies a few of the questions below, but feel free to let me know if there are any other questions about the certificate:



 

Customers moving from a self-signed environment to 11.0:



 

Customers moving from a CA signed environment to 11.5:

 



 

This is not to be treated as a Cisco document, but more for purposes of sharing information only. Thanks. 

 

Regards,

Abhiram Kramadhati

Technical Solutions Manager, CCBU

CCIE Collaboration # 40065

 

From: cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of Clifford McGlamry <cmcglamry at forsythe.com>
Date: Thursday, 17 November 2016 at 11:17 PM
To: Anthony Holloway <avholloway+cisco-voip at gmail.com>, "Heim, Dennis" <Dennis.Heim at wwt.com>
Cc: "cisco-voip at puck.nether.net" <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] UCCX 11.5 Upgrade Disaster

 

Actually, there is a patch available from TAC which removes the requirement. For some reason, they say it cannot be used on a fresh install. Bug ID is CSCvb46250.

 




Cliff McGlamry, CCIE Collaboration #24757

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Anthony Holloway
Sent: Wednesday, November 16, 2016 2:43 PM
To: Heim, Dennis
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] UCCX 11.5 Upgrade Disaster

 

According to the quote I replied with: "This is required for the Live Data functionality", it would seem so.

 

Also, this forum post says the same.

 

https://supportforums.cisco.com/discussion/13141166/uccx-115-do-you-need-both-tomcat-and-tomcat-ecdsa-certificates

 

Though I have not played with 11.5 just yet.

 

On Tue, Nov 15, 2016 at 7:06 PM, Heim, Dennis <Dennis.Heim at wwt.com> wrote:

Is tomcat-ECDSA required in order to use signed certificates on the live data?

 

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Anthony Holloway
Sent: Tuesday, November 15, 2016 4:44 PM
To: Randall (Randy) Raitz <randy.raitz at readytalk.com>
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] UCCX 11.5 Upgrade Disaster

 

It was version 11.5 which brought Tomcat to ECDSA certs and is causing those new challenges, so you wouldn't have seen the same issues as Greg.

 

"Note: When you use UCCX 11.5 and later, there is a new certificate for tomcat-ECDSA. When you use CA signed certificates, ensure that the CSR is downloaded for this certificate as shown previously and the application certificate for tomcat-ECDSA is uploaded into the tomcat-ECDSA as explained in the previous procedure. This is required for the Live Data functionality which uses Socket IO from UCCX 11.5"

 

Source: http://www.cisco.com/c/en/us/support/docs/customer-collaboration/unified-contact-center-express/118855-configure-uccx-00.html

 

 

 

On Tue, Nov 15, 2016 at 1:05 PM, Randall (Randy) Raitz <randy.raitz at readytalk.com> wrote:

We didn’t have those failures, though we took call manager, IM&P, and unity connection to 11.5 and UCCX to 11.0.1 several weeks ago. I believe at the time, there was not a compatible version of UCCX to go to 11.5 with, but the 11.0.1.10000-75 was listed as a supported matrix.

 

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ayoub,Gregory
Sent: Monday, November 14, 2016 12:53 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] UCCX 11.5 Upgrade Disaster

 

We recently attempted to upgrade UCCX 10.5 --> 11.5. The deployment was HA, and we didn’t see much risk. The upgrade went fairly smoothly, and we hit a Finesse bug which required the ECDSA COP file. While minor, it’s still not mentioned in the release notes.

 

The real shocker was 4 hours later when the system stopped accepting calls and just handed out fast busys. Failing over to the secondary would fix the issue for a few minutes, but then fast busy.

 

Our entire contact center, which is HA, was entirely down. Primary down, Secondary Down, and TAC was unable to resolve after hours and hours. It was a total unmitigated Cisco disaster.

 

Rolling back fixed the problem. And then rolling forward again to 11.5 the system worked great again – but only for 4 hours. Then endless fast busys. We rolled back and are on 10.5 working fine. But we are at a loss what could be causing this problem. Cisco TAC is in the same boat.

 

If I had to guess, that seems like more of a licensing failure, because TAC even tried replacing our license. Anyone have a similar experience?

 

Thanks Greg.

 

 

 

 

 
