Troubleshoot the Cisco Unity Connection Certificate Error in a High-Availability Environment

Document ID: 111795

Updated: Feb 22, 2010

Introduction

This document describes how to troubleshoot the Cisco Unity Connection Subscriber Certificate error in a high-availability environment.

Prerequisites

Requirements

You must perform the cluster configuration after you install the Publisher server.

Components Used

The information in this document is based on Cisco Unity Connection 7.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Problem

After Cisco Unity Connection is converted to a Publisher/Subscriber cluster for high availability, users receive this certificate error when they connect to the Subscriber:

[Figure: unity-certificate-error-01.gif]

Solution

When a Cisco Unity Connection cluster is configured, the Disaster Recovery System uses SSL-based communication between the Master Agent and the Local Agent to authenticate and encrypt data between the Publisher and Subscriber servers. To resolve the issue, export the current certificate and the private key from the Publisher, and then import them into the Subscriber.

Perform these steps in order to resolve the issue:

  1. Download the Certificate from the Publisher.

  2. Upload the Server Certificate to the Subscriber.

  3. Regenerate a Certificate on the Subscriber.

  4. Restart the Cisco Unity Connection IMAP Server Service.

  5. Restart the Tomcat Service.

  6. Perform a cluster-wide reboot.

Note: The detailed steps to perform these tasks are provided in the remainder of this document.

Download the Certificate from the Publisher

Perform these steps in order to download a Certificate Signing Request from the Publisher:

  1. From the Cisco Unity Connection server acting as the Publisher, log in to Cisco Unified Operating System Administration.

  2. In the Security menu, click Certificate Management.

  3. If you click Find to display a list of the certificates currently installed on the server, you will see an existing, automatically generated, self-signed certificate for Tomcat.

  4. In the File Download dialog box, click Save.

  5. Save the file tomcat.csr to a location on the server.

Upload the Server Certificate to the Subscriber

Perform these steps in order to upload the certificate to the subscriber:

  1. From the Cisco Unity Connection server acting as the Subscriber, log in to Cisco Unified Operating System Administration.

  2. In the Security menu, click Certificate Management.

  3. From the Certificate List page, click Upload Certificate.

  4. Click Browse, and browse to the location of the server certificate.

  5. Click the name of the file.

  6. Click Open.

  7. From the Upload Certificate page, click Upload File.

  8. When the Status area reports that the upload succeeded, click Close.

Regenerate a Certificate on the Subscriber

Perform these steps in order to regenerate a certificate:

  1. From the Cisco Unity Connection server acting as the Subscriber, log in to Cisco Unified Operating System Administration.

  2. From the Cisco Unified OS Administration webpage, select Security > Certificate Management. The Certificate List page appears.

  3. Click Generate New. The Generate Certificate dialog box opens.

  4. From the Certificate Name list, select tomcat. (This self-signed root certificate is generated during installation for the HTTPS server.)

  5. Click Generate New.

Restart the Cisco Unity Connection IMAP Server Service

Perform these steps in order to restart the Connection IMAP Server service:

  1. Log in to Cisco Unity Connection Serviceability.

  2. From the Tools menu, click Service Management.

  3. In the Optional Services section, for the Connection IMAP Server service, click Stop.

  4. When the Status area displays a message that the Connection IMAP Server service was successfully stopped, click Start for the service.

Restart the Tomcat Service

This service cannot be restarted from Cisco Unified Serviceability. Perform these steps in order to accomplish the task:

  1. Log in to the Connection server using an SSH application.

  2. Issue this CLI command to restart the Tomcat service:

    utils service restart Cisco Tomcat
    

Also, perform a cluster-wide reboot of all the Cisco Unity Connection servers.

Generate a 2048-bit Certificate

Problem

When the user tries to generate a 2048-bit Certificate Signing Request (CSR) in Cisco Unity Connection, the CSR that Cisco Unity Connection generates is only 1024 bytes.

Solution

Only Cisco Unity Connection 8.x supports 2048-bit certificates. As a result, the solution is to either use a Certificate Authority that accepts the 1024 length or upgrade to Cisco Unity Connection 8.x.

This is documented in Bug ID CSCso62711 (registered customers only).
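To confirm which key size a saved request actually carries before it goes to a Certificate Authority, the following added example (not Cisco's code) reads the RSA modulus length straight out of a PEM-encoded PKCS#10 CSR using only the Python standard library. It assumes the saved tomcat.csr is a PEM PKCS#10 request with an RSA key; the names `read_tlv`, `csr_rsa_bits`, `der` and `constructed_csr` are hypothetical, and the sample request is constructed for the demonstration (dummy modulus and signature, not a valid request).

```python
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, DER-encoded

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        count = first & 0x7F
        return tag, pos + count, pos + count + int.from_bytes(buf[pos:pos + count], "big")
    return tag, pos, pos + first

def csr_rsa_bits(pem):
    """Return the RSA modulus size in bits of a PEM PKCS#10 request."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate request found")
    buf = base64.b64decode(m.group(1))
    _, pos, _ = read_tlv(buf, 0)        # CertificationRequest
    _, pos, _ = read_tlv(buf, pos)      # CertificationRequestInfo
    _, _, pos = read_tlv(buf, pos)      # skip version
    _, _, pos = read_tlv(buf, pos)      # skip subject
    _, pos, _ = read_tlv(buf, pos)      # SubjectPublicKeyInfo
    _, alg, pos = read_tlv(buf, pos)    # AlgorithmIdentifier
    if not buf.startswith(RSA_OID, alg):
        raise ValueError("public key is not RSA")
    _, pos, _ = read_tlv(buf, pos)      # BIT STRING holding RSAPublicKey
    _, pos, _ = read_tlv(buf, pos + 1)  # +1 skips the unused-bits octet
    _, start, end = read_tlv(buf, pos)  # modulus INTEGER
    return int.from_bytes(buf[start:end], "big").bit_length()

def der(tag, body):  # DER TLV encoder, used only to build the constructed sample
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_csr(bits, key_oid=RSA_OID):
    """Constructed sample: CSR-shaped DER, dummy modulus and signature."""
    n = der(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    key = der(0x30, n + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, key_oid + b"\x05\x00") + der(0x03, b"\x00" + key))
    info = der(0x30, der(0x02, b"\x00") + der(0x30, b"") + spki + der(0xA0, b""))
    alg = der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")
    req = der(0x30, info + alg + der(0x03, bytes(1 + bits // 8)))
    b64 = base64.encodebytes(req).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{b64}-----END CERTIFICATE REQUEST-----\n"
```

For a request saved from the server, pass the file's text to `csr_rsa_bits` and compare the result with the key length the Certificate Authority requires.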
