[cisco-voip] UCCX 11.5 Upgrade Disaster

Abhiram Kramadhati (akramadh) akramadh at cisco.com
Fri Nov 18 01:08:44 EST 2016


Hi Lukaz,

You can use any CA as long as they can sign it and provide the full certificate chain, which you will upload. Also, the COP and the rollback COP are available with TAC. You can open a case to get access to the same.

Regards,
Abhiram Kramadhati
Technical Solutions Manager, CCBU
CCIE Collaboration # 40065


From: <nimloth at nimloth.pl>
Date: Friday, 18 November 2016 at 2:11 AM
To: "'Abhiram Kramadhati (akramadh)'" <akramadh at cisco.com>
Cc: <cisco-voip at puck.nether.net>
Subject: RE: [cisco-voip] UCCX 11.5 Upgrade Disaster

Hi Abhiram,

Many thanks for pics – quite useful.

If the tomcat cert is signed using an internal CA with RSA, and the same internal CA doesn't support ECDSA, what are the possibilities (use an external CA for ECDSA signing)?
Where can we find the COP to disable ECDSA? Are there any risks in doing it? Is there a rollback for when ECDSA is offered by the internal CA?

Many thanks,
Lukasz

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Abhiram Kramadhati (akramadh)
Sent: Thursday, November 17, 2016 7:00 PM
To: Clifford McGlamry <cmcglamry at forsythe.com>; Anthony Holloway <avholloway+cisco-voip at gmail.com>; Heim, Dennis <Dennis.Heim at wwt.com>
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] UCCX 11.5 Upgrade Disaster

Hi all,

This is from a document I created internally for the teams. Hope it clarifies a few of the questions below, but feel free to let me know if there are any other questions about the certificate:

Customers moving from a self-signed environment to 11.0:
[reen Shot 2016-10-06 at 11.23.41 AM.png]

Customers moving from a CA signed environment to 11.5:

[reen Shot 2016-10-06 at 11.22.41 AM.png]

This is not to be treated as a Cisco document, but more for purposes of sharing information only. Thanks.

Regards,
Abhiram Kramadhati
Technical Solutions Manager, CCBU
CCIE Collaboration # 40065

From: cisco-voip <cisco-voip-bounces at puck.nether.net> on behalf of Clifford McGlamry <cmcglamry at forsythe.com>
Date: Thursday, 17 November 2016 at 11:17 PM
To: Anthony Holloway <avholloway+cisco-voip at gmail.com>, "Heim, Dennis" <Dennis.Heim at wwt.com>
Cc: "cisco-voip at puck.nether.net" <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] UCCX 11.5 Upgrade Disaster

Actually, there is a patch available from TAC which removes the requirement.  For some reason, they say it cannot be used on a fresh install.  Bug ID is CSCvb46250

Cliff McGlamry, CCIE Collaboration #24757
Master Consultant
(678) 934-0348   direct
(404) 969-9806   mobile
(678) 934-0448   fax
cmcglamry at forsythe.com



Forsythe Technology, Inc.
400 Interstate North Parkway
Suite 860
Atlanta, GA 30339
http://www.forsythe.com












From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Anthony Holloway
Sent: Wednesday, November 16, 2016 2:43 PM
To: Heim, Dennis
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] UCCX 11.5 Upgrade Disaster

According to the quote I replied with: "This is required for the Live Data functionality", it would seem so.

Also, this forum post says the same.

https://supportforums.cisco.com/discussion/13141166/uccx-115-do-you-need-both-tomcat-and-tomcat-ecdsa-certificates

Though I have not played with 11.5 just yet.

On Tue, Nov 15, 2016 at 7:06 PM, Heim, Dennis <Dennis.Heim at wwt.com> wrote:
Is tomcat-ECDSA required in order to use signed certificates on the live data?

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Anthony Holloway
Sent: Tuesday, November 15, 2016 4:44 PM
To: Randall (Randy) Raitz <randy.raitz at readytalk.com>
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] UCCX 11.5 Upgrade Disaster

It was version 11.5 which brought Tomcat to ECDSA certs and is causing those new challenges, so you wouldn't have seen the same issues as Greg.

"Note: When you use UCCX 11.5 and later, there is a new certificate for tomcat-ECDSA. When you use CA signed certificates, ensure that the CSR is downloaded for this certificate as shown previously and the application certificate for tomcat-ECDSA is uploaded into the tomcat-ECDSA as explained in the previous procedure. This is required for the Live Data functionality which uses Socket IO from UCCX 11.5"

Source: http://www.cisco.com/c/en/us/support/docs/customer-collaboration/unified-contact-center-express/118855-configure-uccx-00.html



On Tue, Nov 15, 2016 at 1:05 PM, Randall (Randy) Raitz <randy.raitz at readytalk.com> wrote:
We didn’t have those failures, though we took call manager, IM&P, and unity connection to 11.5 and UCCX to 11.0.1 several weeks ago. I believe at the time, there was not a compatible version of UCCX to go to 11.5 with, but the 11.0.1.10000-75 was listed as a supported matrix.

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ayoub,Gregory
Sent: Monday, November 14, 2016 12:53 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] UCCX 11.5 Upgrade Disaster

We recently attempted to upgrade UCCX 10.5 --> 11.5. The deployment was HA, and we didn’t see much risk. The upgrade went fairly smoothly, and we hit a Finesse bug which required the ECDSA COP file. While minor, it’s still not mentioned in the release notes.

The real shocker was 4 hours later when the system stopped accepting calls and just handed out fast busys.  Failing over to the secondary would fix the issue for a few minutes, but then fast busy.

Our entire contact center, which is HA, was entirely down.  Primary down, Secondary Down, and TAC was unable to resolve after hours and hours.  It was a total unmitigated Cisco disaster.

Rolling back fixed the problem.  And then rolling forward again to 11.5 the system worked great again – but only for 4 hours.  Then endless fast busys.  We rolled back and are on 10.5 working fine.  But we are at a loss what could be causing this problem.  Cisco TAC is in the same boat.

If I had to guess, that seems like more of a licensing failure, because TAC even tried replacing our license.   Anyone have a similar experience?

Thanks Greg.





