Configuration and Maintenance Guide for MeetingPlace 7.1
Troubleshooting SSL for the Application Server

Troubleshooting the Cisco Unified MeetingPlace Application Server

Table Of Contents

Troubleshooting the Cisco Unified MeetingPlace Application Server

Failover Replication Fails After Adding New Node 1

How to Solve Problems with the Application Server SSL

Cannot Load Certificate

Cannot Enable SSL

SSL Stops Working

No SSL Connection

Certificate or Private Key is in the Wrong Format

Error Messages for Application Server SSL

Additional References for Troubleshooting SSL for the Application Server

Cisco Unified MeetingPlace Time Zone, Daylight Savings, and Clock Errors

Performing a Login Audit on the Application Server


Troubleshooting the Cisco Unified MeetingPlace Application Server


Release 7.1
Revised: April 3, 2011 8:31 pm


Failover Replication Fails After Adding New Node 1

Problem   As part of the failover configuration between two Application Servers, you switched on replication with synchronization by running the mp_replication switchON command with the sync option. The replication failed.

Possible Cause    A table is locked by processes on an active server. Both servers must be in standby mode before you attempt to synchronize them.

Solution   Put both Application Servers in standby mode, then run mp_replication switchON with sync again.

How to Solve Problems with the Application Server SSL


Cannot Load Certificate

Problem   After attempting to load the certificate, you see the following error message on the Display Certificate page: Unparseable certificate extensions: 2 [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false Unparseable AuthorityInfoAccess extension due to java.io.IOException: invalid URI name:file:// \\SAMPLE.string.com\CertEnroll\SAMPLE.string.com

Possible Cause    java.net.URL cannot parse UNC paths: "file://\\host\share" is not a valid URI, because RFC 2396 does not allow the backslash character.

Solution   Have the CA sign (reissue) the certificate without the AuthorityInfoAccess URL that contains the UNC path.

Cannot Enable SSL

Problem   You cannot enable SSL.

Possible Cause    While generating CSRs, you clicked Generate CSR more than once. Each click generates a new private key, so the key on the system no longer matches the certificate that was issued for the CSR you downloaded after the first click.

Solution   Obtain and upload a new certificate. This time, make sure that you click Generate CSR only once.

Possible Cause    An extra blank line was accidentally included in the certificate file. To verify, use the Linux cat command to view the certificate file before uploading it, or view your local copy of the certificate file. (The uploaded certificate on the Application Server is stored in a binary format, which cannot be viewed with cat.)

In the following sample output, notice the blank line that immediately precedes the "-----END CERTIFICATE-----" line.

[root@meeting certs]# cat webapp.cert.pem 
-----BEGIN CERTIFICATE-----
MIIDUzCCArygAwIBAgIDBXgLMA0GCSqGSIb3DQEBBAUAMFoxCzAJBgNVBAYTAlVTMRwwGgYDVQQK
...
hXEdFMDnNHyFa/Y8Rk//WNWGVEb57n2E/AdmIVZ3PYyxjpqDhxmhmQCo8I1rVhYzeJWXEudvUcnb

-----END CERTIFICATE-----
[root@meeting certs]#

Solution   Use any Linux editor, such as the vim command, to delete the extra line. Then use the Enable SSL Page to upload the corrected certificate.

Possible Cause    The modulus and public exponent in the certificate do not match those of the private key on the system. These values must be the same in both files; with a mismatched pair the system cannot communicate using SSL.

Solution   Obtain and upload a new certificate.
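A pre-upload check for the causes listed in this section (a blank line inside the block, extraneous text around it, a private key that no longer matches the certificate), together with the expired or not-yet-valid case and the UNC-path case described elsewhere on this page, as an added example that is not part of the MeetingPlace product or its documentation. It assumes only a POSIX shell, awk and the openssl command; the script and check names are mine, the file names are illustrative, and the not-yet-valid check relies on GNU date -d.

```shell
#!/bin/sh
# check_ssl.sh KEY.pem CERT.pem [KEY_PASSPHRASE]
# Added example, not part of MeetingPlace: checks local copies of a private
# key and certificate for the problems described on this page before they
# are uploaded on the Enable SSL Page. Needs only a POSIX shell, awk, openssl.

# pem_is_clean FILE TYPE
# FILE must hold exactly one PEM block whose BEGIN line contains TYPE
# ("CERTIFICATE" or "PRIVATE KEY"), with no text before BEGIN, no text
# after END, and no blank line inside the block.
pem_is_clean() {
    awk -v kind="$2" '
        /^-----BEGIN / { if (begun || index($0, kind) == 0) bad = 1; begun = 1; next }
        /^-----END /   { if (!begun || ended) bad = 1; ended = 1; next }
        !begun || ended { bad = 1; next }     # text before BEGIN or after END
        /^[ \t\r]*$/    { bad = 1 }           # blank line inside the block
        END { exit (bad || !begun || !ended) ? 1 : 0 }
    ' "$1"
}

# key_matches_cert KEY CERT [PASSPHRASE]
# Compares the RSA modulus of the private key with that of the certificate;
# they differ after a second click on Generate CSR or after a reinstall.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" -passin "pass:${3-}" 2>/dev/null </dev/null) || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# cert_is_current CERT
# Fails when the certificate has expired or is not yet valid on this host's
# clock, the two cases the Enable SSL Page rejects.
cert_is_current() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1 || return 1
    start=$(openssl x509 -noout -startdate -in "$1" 2>/dev/null | sed 's/^notBefore=//')
    # GNU date is assumed here; where -d is unsupported the start check is skipped
    start_epoch=$(date -d "$start" +%s 2>/dev/null) || return 0
    [ "$start_epoch" -le "$(date +%s)" ]
}

# aia_is_clean CERT
# Fails when the AuthorityInfoAccess extension carries a file:// URI (the
# UNC-path case under "Cannot Load Certificate").
aia_is_clean() {
    ! openssl x509 -noout -text -in "$1" 2>/dev/null | grep -qi 'file://'
}

# check_ssl_material KEY CERT [PASSPHRASE]
# Runs every check, prints one PASS/FAIL line each, non-zero if any failed.
check_ssl_material() {
    rc=0
    run_check() {   # run_check DESCRIPTION COMMAND ARGS...
        desc=$1; shift
        if "$@"; then echo "PASS: $desc"; else echo "FAIL: $desc"; rc=1; fi
    }
    run_check "certificate file is one clean PEM block"   pem_is_clean "$2" CERTIFICATE
    run_check "private key file is one clean PEM block"   pem_is_clean "$1" "PRIVATE KEY"
    run_check "private key matches certificate"           key_matches_cert "$1" "$2" "${3-}"
    run_check "certificate is valid on this host's clock" cert_is_current "$2"
    run_check "no file:// URI in AuthorityInfoAccess"     aia_is_clean "$2"
    return $rc
}

# Usage: sh check_ssl.sh webapp.key.pem webapp.cert.pem [passphrase]
if [ $# -ge 2 ]; then
    check_ssl_material "$1" "$2" "${3-}"
fi
```

Run it on your local copies before you use the Enable SSL Page. The modulus comparison is RSA-specific, which matches the RSA PRIVATE KEY blocks this page shows; a key in another algorithm is reported as a mismatch.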

SSL Stops Working

Problem   SSL stops working.

Possible Cause    You accidentally clicked Generate CSR, which created a new private key that no longer matches the previously uploaded certificate.

Solution   If you backed up the SSL configuration, restore it. See "Restoring the SSL Configuration" in the Configuring SSL for the Cisco Unified MeetingPlace Application Server module. If you did not back up the SSL configuration, then obtain and upload a new certificate.

Possible Cause    You performed a fresh installation of the Cisco Unified MeetingPlace application. The installation process deletes any private key files and public certificates on the system.

Solution   If you backed up the SSL configuration, restore it. See "Restoring the SSL Configuration" If you did not back up the SSL configuration, then obtain and upload a new certificate.

Possible Cause    The Application Server hostname was changed. The CSR and resulting certificate use the Application Server hostname that you entered for Ethernet Port 1 (device eth0) during the operating system installation.

Solution   Obtain and upload a new certificate.

No SSL Connection

Problem   SSL connection cannot be established between Cisco Unified MeetingPlace and Microsoft Outlook, and an exception such as the following appears in the logs:

java.lang.SecurityException: Unsupported keysize or algorithm parameters

Possible Cause    The certificate contains a key longer than 1024 bits. The policy files shipped with the Java Runtime Environment (JRE) by default limit cryptographic strength to the algorithms and key lengths that are allowed for import into all countries, and the longer key exceeds that limit.

Solution   If your country does not place restrictions on the import of cryptography, then you can download the unlimited strength policy files:

1. Go to http://java.sun.com/javase/downloads/index.jsp.

2. Download the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6."

3. Follow the instructions in the README.txt file in the downloaded package. The JRE installation used by Cisco Unified MeetingPlace is in /opt/cisco/meetingplace/jre/.

Certificate or Private Key is in the Wrong Format

Problem   The certificate or private key is in the wrong format.


Note The Application Server supports only the following formats:


Private keys: PKCS #1, PKCS #8 (PEM or DER encoding), Java keystore

Certificates: X.509 (PEM or DER encoding), Java keystore

Solution   Use the openssl command in the Application Server CLI to convert the file to a supported format. In the following example, an unsupported PKCS12 file is converted to a PEM-formatted file. The -nodes option writes the private key unencrypted, so keep the output file readable only by your own account and delete it after the key has been uploaded:

[mpxadmin@application-server ~]$ openssl pkcs12 -in old-file.pfx -out new-file.pem -nodes

If the file contained both the certificate and the private key, then the converted file will contain both a PRIVATE KEY block and a CERTIFICATE block. Use a text editor to separate these into two files before uploading them to the Application Server and enabling SSL, following these requirements:

Each file must contain only one block.

Include the BEGIN and END lines of each block, for example:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Do not include any text, including spaces or blank lines, before the BEGIN line and after the END line. A trailing line break after the END line is okay. Some files contain extraneous data before the BEGIN line and after the END line. Remove such data before uploading the file and enabling SSL on the Application Server.
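The conversion and split described above as one script, added here as an example; it is not part of MeetingPlace or its documentation. It assumes a POSIX shell, awk and openssl; the output file names webapp.key.pem and webapp.cert.pem are illustrative, and the PKCS #12 password is passed as an argument rather than typed at the prompt.

```shell
#!/bin/sh
# split_pkcs12.sh BUNDLE.pfx OUTDIR [PASSWORD]
# Added example, not MeetingPlace code: turns a PKCS #12 bundle into the two
# single-block PEM files the Enable SSL Page expects. Needs openssl and awk.

# nth_block TYPE N FILE
# Prints the N-th PEM block whose BEGIN line contains TYPE, including its
# BEGIN and END lines and nothing else (no "Bag Attributes", no blank lines).
nth_block() {
    awk -v kind="$1" -v want="$2" '
        /^-----BEGIN / && index($0, kind) { seen++; if (seen == want) inblock = 1 }
        inblock { print }
        /^-----END / && inblock { inblock = 0 }
    ' "$3"
}

# split_pkcs12 BUNDLE OUTDIR [PASSWORD]
# Writes OUTDIR/webapp.key.pem and OUTDIR/webapp.cert.pem. The body is a
# subshell so the restrictive umask does not leak into the calling shell.
split_pkcs12() (
    bundle=$1; outdir=$2; pass=${3-}
    umask 077                      # -nodes writes the private key unencrypted
    mkdir -p "$outdir" || exit 1
    tmp=$outdir/bundle.pem
    openssl pkcs12 -in "$bundle" -out "$tmp" -nodes -passin "pass:$pass" \
        >/dev/null 2>&1 || { echo "could not read $bundle (wrong password?)" >&2; exit 1; }

    # The key: exactly one block, with the surrounding text dropped.
    nth_block "PRIVATE KEY" 1 "$tmp" > "$outdir/webapp.key.pem"
    key_mod=$(openssl rsa -noout -modulus -in "$outdir/webapp.key.pem" 2>/dev/null) \
        || { echo "no usable private key in $bundle" >&2; exit 1; }

    # The certificate: a bundle exported with its chain holds several
    # CERTIFICATE blocks and the server certificate is not necessarily the
    # first, so pick the one whose modulus matches the key.
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$tmp")
    i=1; found=0
    while [ "$i" -le "$n" ]; do
        nth_block CERTIFICATE "$i" "$tmp" > "$outdir/candidate.pem"
        if [ "$(openssl x509 -noout -modulus -in "$outdir/candidate.pem" 2>/dev/null)" = "$key_mod" ]; then
            mv "$outdir/candidate.pem" "$outdir/webapp.cert.pem"; found=1; break
        fi
        i=$((i + 1))
    done
    rm -f "$tmp" "$outdir/candidate.pem"
    [ "$found" -eq 1 ] || { echo "no certificate in $bundle matches the key" >&2; exit 1; }
    echo "wrote $outdir/webapp.key.pem and $outdir/webapp.cert.pem"
)

# Usage: sh split_pkcs12.sh old-file.pfx ./ssl 'bundle-password'
if [ $# -ge 2 ]; then
    split_pkcs12 "$1" "$2" "${3-}"
fi
```

Both output files satisfy the one-block rule above. Because the key is written unencrypted, the script runs under umask 077 so the files are readable by their owner only; remove them once the upload on the Enable SSL Page has succeeded.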

Error Messages for Application Server SSL

This topic lists error messages that may appear in the Administration Center.

Error Message    Unparseable certificate extensions: 2 [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false Unparseable AuthorityInfoAccess extension due to java.io.IOException: invalid URI name:file:// \\SAMPLE.string.com\CertEnroll\SAMPLE.string.com

Explanation    java.net.URL cannot parse UNC paths: "file://\\host\share" is not a valid URI, because RFC 2396 does not allow the backslash character.

Recommended Action    Sign the certificate without the URL that includes the UNC path.

Error Message    The uploaded certificate does not match any private key on disk. SSL cannot be enabled.

Recommended Action    Make sure that you are uploading the correct certificate. If necessary, obtain a new certificate, private key, and password.

Error Message    A certificate was not found in the uploaded file.

Explanation    There was an error parsing the certificate.

Recommended Action    Make sure that you are uploading the correct file, and see Certificate or Private Key is in the Wrong Format. If necessary, obtain a new certificate.

Error Message    Unable to recover the private key. Is the password correct?

Recommended Action    Make sure that you enter the correct password. If the password is correct, then the key file may be corrupted or in an unsupported format; see Certificate or Private Key is in the Wrong Format. If necessary, obtain a new certificate, private key, and password.

Error Message    Unable to locate a private key on disk. SSL cannot be enabled. You may need to generate a new CSR and obtain a new certificate.

Recommended Action    Generate a CSR and obtain a new certificate. If you created your own certificate, private key, and password, then make sure that you enter all three items at the same time on the Enable SSL Page.

Error Message    The certificate you are trying to upload expired on <expiration-time>. The system time is now <system-time>. Cannot enable SSL.

Recommended Action    Check that the system time is correct. If necessary, obtain a new certificate.

Error Message    The certificate you are trying to upload is not yet valid. It will be valid from <valid-start-time>. The system time is now <system-time>.

Recommended Action    Check that the system time is correct, or wait until the certificate becomes valid.

Error Message    A CSR already exists. Generating a new CSR will make any certificate you have obtained for the existing CSR unusable. Please make sure you want to do this.

Recommended Action    You may ignore this message if you are replacing the certificate, private key, and password, or if you did not obtain a certificate for the previously generated CSR. Otherwise, click Cancel and do not generate a new CSR.

Error Message    Failed to generate CSR. Please try again.

Explanation    If root.out contains an exception with one of the following messages, you entered invalid characters on the Generate Certificate Signing Request (CSR) Page:

Improperly specified input name

Directory string too small

Incorrect AVA format

Recommended Action    Avoid special characters in the CSR fields, and see the "Field Reference: Generate Certificate Signing Requests (CSRs) Page".

Error Message    Could not parse SSL certificate for Administration Center.

Explanation    The certificate file in the backup archive may be corrupt.

Recommended Action    Make sure that you specify the correct file.

Error Message    This is not a valid SSL configuration archive.

Explanation    You uploaded a backup archive, but it could not be read because it was corrupt or did not contain the expected files.

Recommended Action    Make sure that you specify the correct file.

Error Message    Unable to create backup archive.

Recommended Action    Manually back up the SSL configuration by saving the following files:

/usr/local/enrollment/certs/keystore

The keystore file contains the certificate and private key.

/usr/local/enrollment/<hostname>_req.csr

This is the certificate signing request (CSR).

/usr/local/enrollment/webCsr.xml

The webCsr.xml file contains the keystore password.

To restore SSL from a manual backup:

1. Manually copy the backed up files to the original directories.

2. Go to the Enable SSL Page, which should indicate that the system found a valid certificate.

3. Click OK to the prompt that asks if you want to reuse the system-found certificate to enable SSL.

If the system does not find the valid certificate, then do the following:

1. Go to the Enable SSL Page.

2. Upload the keystore file as both the Certificate file and the Private key file.

3. Enter the Password from the webCsr.xml file.

The password is the value between the <Password></Password> tags in this element path: EnrollmentClient/Certificates/Keystore/MapStore/Password


Note There are multiple sets of <Password></Password> tags in the XML file. Make sure you get the password from the specified element path.


Related Topics

How to Solve Problems with the Application Server SSL

Configuring SSL for the Cisco Unified MeetingPlace Application Server module

Additional References for Troubleshooting SSL for the Application Server

Topic: Configuring SSL
Documentation: Configuring SSL for the Cisco Unified MeetingPlace Application Server module

Topic: Examining the keystore using the keytool utility
Documentation: http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html


Cisco Unified MeetingPlace Time Zone, Daylight Savings, and Clock Errors

For countries where Daylight Savings Time (DST) is used, you should apply the following procedure right after the clocks are adjusted one hour forward or backward on the Cisco Unified MeetingPlace server:

Procedure


Step 1 Sign in to the Cisco Unified Media Server Administration page.

Step 2 Take each Audio Blade offline.

Step 3 Put each Audio Blade online.

The process of taking the Audio Blade offline and then putting it back online automatically adjusts the Audio Blade clock to match the one hour shift. If you do not perform this procedure, the log information will be wrong.


Performing a Login Audit on the Application Server

You can use accounting logs to monitor the logins, connect time, and commands of users on the Application Server. The psacct package provides these functions through four commands: ac, lastcomm, accton, and sa. ac summarizes connect time from the login records in /var/log/wtmp; accton turns kernel process accounting on and off; lastcomm and sa report on the process accounting file that accton enables.

Follow these steps to enable a login audit on the Application Server:

Procedure


Step 1 Go to the operating system login page.

Step 2 Log in as the user called root.

Step 3 Enter the password associated with this username.

The system displays the operating system desktop.

Step 4 Choose Application > System Tools > Terminal.

The system displays the command line.

Step 5 Enter the following commands as root:

To do the following
Enter this

To enable the psacct utility at boot
chkconfig psacct on

To start the psacct utility now (the script runs accton to turn on process accounting)
/etc/init.d/psacct start

To display connect-time statistics for users
ac

To display the commands previously executed by a user
lastcomm <user_id>

To show previous logins (last is not part of psacct; it reads /var/log/wtmp)
last -a

For more information about a command
man <command_name>
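A small audit report over the psacct output described above, added as an example that is not part of the MeetingPlace documentation. enable_accounting repeats the two commands from the table; the report functions read lastcomm output on standard input and are shown here on constructed sample lines, so the column handling (the flags column is blank for most records) can be checked without a live server. The watch list of commands is my choice.

```shell
#!/bin/sh
# Added example, not MeetingPlace code: enable process accounting as in the
# table above and summarize lastcomm output. The sample lines are constructed.

# Run once as root (from the table above).
enable_accounting() {
    chkconfig psacct on && /etc/init.d/psacct start
}

# Constructed lastcomm-style records: command, flags, user, tty, CPU time, date.
SAMPLE_LASTCOMM='ls                     mpxadmin pts/0      0.00 secs Mon Apr  4 10:15
vim               S    root     pts/1      0.02 secs Mon Apr  4 10:16
useradd           S    root     pts/1      0.01 secs Mon Apr  4 10:17
cat                    mpxadmin pts/0      0.00 secs Mon Apr  4 10:18
openssl                mpxadmin pts/0      0.05 secs Mon Apr  4 10:19'

# commands_by_user < lastcomm-output
# Counts commands per user. The flags column is empty for most records, so
# fields are counted from the right, where the layout is fixed:
#   ... user tty CPU secs Dow Mon DD HH:MM   -> user is $(NF-7), tty $(NF-6).
commands_by_user() {
    awk '{ n[$(NF-7)]++ } END { for (u in n) print u, n[u] }' | sort
}

# flag_privileged [WATCHLIST] < lastcomm-output
# Prints "user command date" for commands on the watch list (default: account
# and privilege changes), the records worth reading first in a login audit.
flag_privileged() {
    awk -v list="${1:-useradd usermod userdel passwd visudo su sudo chkconfig}" '
        BEGIN { n = split(list, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        ($1 in watch) { print $(NF-7), $1, $(NF-3), $(NF-2), $(NF-1), $NF }
    '
}

# On a live Application Server, as root:   lastcomm | flag_privileged
# On the constructed sample:
#   printf '%s\n' "$SAMPLE_LASTCOMM" | commands_by_user
#   printf '%s\n' "$SAMPLE_LASTCOMM" | flag_privileged
```

Pair the command report with last -a for the login side: lastcomm shows what was run, last shows who was logged in at the time, and a privileged command with no matching login record is the kind of discrepancy an audit should surface.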