Re: [cisco-voip] CA Certs applied to CUCM & IMP

2018-03-12 Thread Nick via cisco-voip
Thanks guys, that's sorted me out now, ran that command and I could see
that the certificate could not be verified so I uploaded the root certs
again directly to the IMP tomcat-trust and all is good now. They were
previously uploaded via the CUCM.


On 9 March 2018 at 01:10, Daniel wrote:

> That works great!
>
> So Nick, run the command 'file tail activelog tomcat/logs/cupadmin/log4j
> recent' and then visit the Cluster Topology page.
>
> On 9/3/18 11:40 am, Anthony Holloway wrote:
>
> Actually, just put "recent" at the end of your tail command.
>
> On Mar 8, 2018 4:35 PM, "Daniel" wrote:
>
>> You will get a good understanding of what's happening by running the
>> command 'file list activelog tomcat/logs/cupadmin/log4j date detail' and
>> then 'file tail activelog tomcat/logs/cupadmin/log4j/cupadminX.log'
>> where cupadminX.log is the latest file from the first output. Then
>> visiting the page where you see Unknown and you should see some certificate
>> related errors.
>>
>> On 9/3/18 9:25 am, Nick via cisco-voip wrote:
>>
>> Hi Anthony, forgot to mention it yes, cup-xmpp was also added at the same
>> time.
>>
>> On 8 March 2018 at 18:48, Anthony Holloway wrote:
>>
>>> You didn't mention it, so maybe you forgot to also do the IM&P cup-xmpp
>>> cert in addition to Tomcat?
>>>
>>> On Thu, Mar 8, 2018 at 12:17 PM Nick via cisco-voip <
>>> cisco-voip@puck.nether.net> wrote:
>>>
>>>> Just completed a new build of CUCM and IM&P to 11.5.1 SU4, I then
>>>> generated Multi SAN Tomcat certs and applied these to the servers which are
>>>> working fine when I browse to any of the nodes.
>>>>
>>>> Since applying the certs the nodes under the DefaultSubCluster on
>>>> the presence Topology page are showing with red crosses and the services
>>>> for each node are showing as Unknown.
>>>>
>>>> The Presence Redundancy group in CUCM is showing as both nodes in
>>>> normal state and IM&P is working correctly.
>>>>
>>>> The system troubleshooter is reporting
>>>>
>>>> Could not determine the status of the Cisco IM and Presence Data
>>>> monitor Service on the following nodes and XCP Troubleshooter shows
>>>>
>>>> The Cisco XCP Connection Manager and Cisco XCP Authentication Service
>>>> is currently down but both of the services are started up.
>>>>
>>>> All is working as expected so is cosmetic but needs resolving.
>>>>
>>>> Anyone had similar issues after applying CA signed certs?
>>>>
>>>> Regards
>>>>
>>>> Nick
>>>> ___
>>>> cisco-voip mailing list
>>>> cisco-voip@puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-voip



Re: [cisco-voip] CA Certs applied to CUCM & IMP

2018-03-08 Thread Daniel via cisco-voip
That works great!

So Nick, run the command 'file tail activelog tomcat/logs/cupadmin/log4j
recent' and then visit the Cluster Topology page.


On 9/3/18 11:40 am, Anthony Holloway wrote:
> Actually, just put "recent" at the end of your tail command. 
>
> On Mar 8, 2018 4:35 PM, "Daniel" wrote:
>
> You will get a good understanding of what's happening by running
> the command 'file list activelog tomcat/logs/cupadmin/log4j date
> detail' and then 'file tail activelog
> tomcat/logs/cupadmin/log4j/cupadminX.log' where
> cupadminX.log is the latest file from the first output. Then
> visiting the page where you see Unknown and you should see some
> certificate related errors.
>
>
> On 9/3/18 9:25 am, Nick via cisco-voip wrote:
>> Hi Anthony, forgot to mention it yes, cup-xmpp was also added at
>> the same time.
>>
>> On 8 March 2018 at 18:48, Anthony Holloway wrote:
>>
>> You didn't mention it, so maybe you forgot to also do the
>> IM&P cup-xmpp cert in addition to Tomcat?
>>
>> On Thu, Mar 8, 2018 at 12:17 PM Nick via cisco-voip wrote:
>>
>> Just completed a new build of CUCM and IM&P to 11.5.1
>> SU4, I then generated Multi SAN Tomcat certs and applied
>> these to the servers which are working fine when I browse
>> to any of the nodes.
>>
>> Since applying the certs the nodes under the
>> DefaultSubCluster on the presence Topology page are
>> showing with red crosses and the services for each node
>> are showing as Unknown.
>>
>> The Presence Redundancy group in CUCM is showing as both
>> nodes in normal state and IM&P is working correctly.
>>
>> The system troubleshooter is reporting 
>>
>> Could not determine the status of the Cisco IM and
>> Presence Data monitor Service on the following nodes and
>> XCP Troubleshooter shows
>>
>> The Cisco XCP Connection Manager and Cisco XCP
>> Authentication Service is currently down but both of the
>> services are started up.
>>
>> All is working as expected so is cosmetic but needs
>> resolving.
>>
>> Anyone had similar issues after applying CA signed certs?
>>
>> Regards
>>
>> Nick 


Re: [cisco-voip] CA Certs applied to CUCM & IMP

2018-03-08 Thread Anthony Holloway
Actually, just put "recent" at the end of your tail command.

On Mar 8, 2018 4:35 PM, "Daniel" wrote:

> You will get a good understanding of what's happening by running the
> command 'file list activelog tomcat/logs/cupadmin/log4j date detail' and
> then 'file tail activelog tomcat/logs/cupadmin/log4j/cupadminX.log'
> where cupadminX.log is the latest file from the first output. Then
> visiting the page where you see Unknown and you should see some certificate
> related errors.
>
> On 9/3/18 9:25 am, Nick via cisco-voip wrote:
>
> Hi Anthony, forgot to mention it yes, cup-xmpp was also added at the same
> time.
>
> On 8 March 2018 at 18:48, Anthony Holloway wrote:
>
>> You didn't mention it, so maybe you forgot to also do the IM&P cup-xmpp
>> cert in addition to Tomcat?
>>
>> On Thu, Mar 8, 2018 at 12:17 PM Nick via cisco-voip <
>> cisco-voip@puck.nether.net> wrote:
>>
>>> Just completed a new build of CUCM and IM&P to 11.5.1 SU4, I then
>>> generated Multi SAN Tomcat certs and applied these to the servers which are
>>> working fine when I browse to any of the nodes.
>>>
>>> Since applying the certs the nodes under the DefaultSubCluster on
>>> the presence Topology page are showing with red crosses and the services
>>> for each node are showing as Unknown.
>>>
>>> The Presence Redundancy group in CUCM is showing as both nodes in normal
>>> state and IM&P is working correctly.
>>>
>>> The system troubleshooter is reporting
>>>
>>> Could not determine the status of the Cisco IM and Presence Data monitor
>>> Service on the following nodes and XCP Troubleshooter shows
>>>
>>> The Cisco XCP Connection Manager and Cisco XCP Authentication Service is
>>> currently down but both of the services are started up.
>>>
>>> All is working as expected so is cosmetic but needs resolving.
>>>
>>> Anyone had similar issues after applying CA signed certs?
>>>
>>> Regards
>>>
>>> Nick


Re: [cisco-voip] CA Certs applied to CUCM & IMP

2018-03-08 Thread Daniel via cisco-voip
You will get a good understanding of what's happening by running the
command 'file list activelog tomcat/logs/cupadmin/log4j date detail' and
then 'file tail activelog tomcat/logs/cupadmin/log4j/cupadminX.log'
where cupadminX.log is the latest file from the first output. Then
visiting the page where you see Unknown and you should see some
certificate related errors.


On 9/3/18 9:25 am, Nick via cisco-voip wrote:
> Hi Anthony, forgot to mention it yes, cup-xmpp was also added at the
> same time.
>
> On 8 March 2018 at 18:48, Anthony Holloway wrote:
>
> You didn't mention it, so maybe you forgot to also do the IM&P
> cup-xmpp cert in addition to Tomcat?
>
> On Thu, Mar 8, 2018 at 12:17 PM Nick via cisco-voip
> <cisco-voip@puck.nether.net> wrote:
>
> Just completed a new build of CUCM and IM&P to 11.5.1 SU4, I
> then generated Multi SAN Tomcat certs and applied these to the
> servers which are working fine when I browse to any of the nodes.
>
> Since applying the certs the nodes under the
> DefaultSubCluster on the presence Topology page are showing
> with red crosses and the services for each node are showing as
> Unknown.
>
> The Presence Redundancy group in CUCM is showing as both nodes
> in normal state and IM&P is working correctly.
>
> The system troubleshooter is reporting 
>
> Could not determine the status of the Cisco IM and Presence
> Data monitor Service on the following nodes and XCP
> Troubleshooter shows
>
> The Cisco XCP Connection Manager and Cisco XCP Authentication
> Service is currently down but both of the services are started up.
>
> All is working as expected so is cosmetic but needs resolving.
>
> Anyone had similar issues after applying CA signed certs?
>
> Regards
>
> Nick 


Re: [cisco-voip] CA Certs applied to CUCM & IMP

2018-03-08 Thread Nick via cisco-voip
Hi Anthony, forgot to mention it yes, cup-xmpp was also added at the same
time.

On 8 March 2018 at 18:48, Anthony Holloway wrote:

> You didn't mention it, so maybe you forgot to also do the IM&P cup-xmpp
> cert in addition to Tomcat?
>
> On Thu, Mar 8, 2018 at 12:17 PM Nick via cisco-voip <
> cisco-voip@puck.nether.net> wrote:
>
>> Just completed a new build of CUCM and IM&P to 11.5.1 SU4, I then
>> generated Multi SAN Tomcat certs and applied these to the servers which are
>> working fine when I browse to any of the nodes.
>>
>> Since applying the certs the nodes under the DefaultSubCluster on the
>> presence Topology page are showing with red crosses and the services for
>> each node are showing as Unknown.
>>
>> The Presence Redundancy group in CUCM is showing as both nodes in normal
>> state and IM&P is working correctly.
>>
>> The system troubleshooter is reporting
>>
>> Could not determine the status of the Cisco IM and Presence Data monitor
>> Service on the following nodes and XCP Troubleshooter shows
>>
>> The Cisco XCP Connection Manager and Cisco XCP Authentication Service is
>> currently down but both of the services are started up.
>>
>> All is working as expected so is cosmetic but needs resolving.
>>
>> Anyone had similar issues after applying CA signed certs?
>>
>> Regards
>>
>> Nick


Re: [cisco-voip] CA Certs applied to CUCM & IMP

2018-03-08 Thread Anthony Holloway
You didn't mention it, so maybe you forgot to also do the IM&P cup-xmpp
cert in addition to Tomcat?

On Thu, Mar 8, 2018 at 12:17 PM Nick via cisco-voip <
cisco-voip@puck.nether.net> wrote:

> Just completed a new build of CUCM and IM&P to 11.5.1 SU4, I then
> generated Multi SAN Tomcat certs and applied these to the servers which are
> working fine when I browse to any of the nodes.
>
> Since applying the certs the nodes under the DefaultSubCluster on the
> presence Topology page are showing with red crosses and the services for
> each node are showing as Unknown.
>
> The Presence Redundancy group in CUCM is showing as both nodes in normal
> state and IM&P is working correctly.
>
> The system troubleshooter is reporting
>
> Could not determine the status of the Cisco IM and Presence Data monitor
> Service on the following nodes and XCP Troubleshooter shows
>
> The Cisco XCP Connection Manager and Cisco XCP Authentication Service is
> currently down but both of the services are started up.
>
> All is working as expected so is cosmetic but needs resolving.
>
> Anyone had similar issues after applying CA signed certs?
>
> Regards
>
> Nick


Re: [cisco-voip] CA Certs applied to CUCM & IMP

2018-03-08 Thread Daniel Clark
Hey Nick,

Check the root CA cert in your trust store.  Is it signed with MD5withRSA?  The 
Java system built into CUCM dropped support for this cert signing algorithm 
after CUCM 11.0.  We had the same issue and it was a hard stop because it broke 
AXL integration with UCCX while upgrading 11.0 to 11.6.

I believe CACert did resign their root with SHA256, but for some reason, they 
aren’t pushing it out for all certs.  There’s a FAQ on their website here:  
http://wiki.cacert.org/FAQ/Class3Resign

-Daniel


From: Nick via cisco-voip
Sent: Thursday, March 8, 2018 1:17 PM
To: cisco-voip@puck.nether.net
Subject: [cisco-voip] CA Certs applied to CUCM & IMP

Just completed a new build of CUCM and IM&P to 11.5.1 SU4, I then generated 
Multi SAN Tomcat certs and applied these to the servers which are working fine 
when I browse to any of the nodes.

Since applying the certs the nodes under the DefaultSubCluster on the
presence Topology page are showing with red crosses and the services for each 
node are showing as Unknown.

The Presence Redundancy group in CUCM is showing as both nodes in normal state 
and IM&P is working correctly.

The system troubleshooter is reporting 

Could not determine the status of the Cisco IM and Presence Data monitor 
Service on the following nodes and XCP Troubleshooter shows

The Cisco XCP Connection Manager and Cisco XCP Authentication Service is 
currently down but both of the services are started up.

All is working as expected so is cosmetic but needs resolving.

Anyone had similar issues after applying CA signed certs?

Regards

Nick 
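
Added example, not part of the original thread: one way to answer Daniel Clark's question offline, by reading the signature algorithm of each certificate in a PEM bundle exported from a trust store and flagging MD5withRSA. The two sample entries are constructed certificate-shaped DER skeletons, not real certificates, and all function names are hypothetical.

```python
import base64
import re

# PKCS #1 signature-algorithm OIDs; only MD5withRSA is flagged, per the post above.
SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
FLAGGED = {"md5WithRSAEncryption"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, off):  # -> (tag, content_start, content_end) of the DER element at off
    tag, length, start = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, start, start + length

def decode_oid(body):  # DER OID content bytes -> dotted notation
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):  # name (or raw OID) of the outer signatureAlgorithm
    _, seq_start, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, seq_start)    # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_ALGS.get(oid, oid)

def audit_bundle(pem_text):  # -> [(index, algorithm, flagged)] per certificate
    algs = [signature_algorithm(base64.b64decode(m.group(1)))
            for m in PEM_RE.finditer(pem_text)]
    return [(i, a, a in FLAGGED) for i, a in enumerate(algs)]

def _sample(oid_hex):  # constructed certificate-shaped skeleton, not a real certificate
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    der = tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

SAMPLE_BUNDLE = _sample("2a864886f70d010104") + _sample("2a864886f70d01010b")
```

Passing the text of an exported root or intermediate bundle to `audit_bundle` returns one tuple per certificate; an algorithm the table does not know comes back as its dotted OID.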
