CUPS 6.0.3 Calendar Integration

Answered Question
Jul 7th, 2008

We have just upgraded CCM to 6.1.2.1000-13 and CUPS to 6.0.3.1000-12.


Previously, we had CUPS 6.0.2 and our OWA uses FBA so we had no Calendar integration in Unified Personal communicator. I understood this to be resolved in the latest version, so we upgraded.


We still have no Calendar integration with the Unified client and going thru the System Troubleshooter, it says our Presence Gateway is unreachable. I desperately need help configuring this...I think this comes down to certificates.


Our OWA certificate is issued by 3rd party, root CA is Equifax. I have downloaded the root CA from Equifax at http://www.geotrust.com/resources/root_certificates/index.asp and uploaded it to the Certs in CUPS OS Admin as .cer and .pem and it never shows up in the Certs list (which I've attached)


The initial install, we did upload our OWA cert as .pem and it appeared to take. On the initial CUPS 6.0.2 install, we briefly changed OWA to Windows Authentication and Calendaring worked. But we changed it back to FBA because we weren't ready to make that change.


The CN in the Cert is exactly the FQDN of our OWA so I'm really lost here. The deployment guide talks about using IIS to issue a cert request...I shouldn't need to do all that...especially since there is no IIS in CUPS.


thanks



okuehn Mon, 07/07/2008 - 10:42

Hi,


we have faced the same problem with FBA. however, with 6.0.3 the calendar integration actually works fine!

you have to upload both, the root CA and your exchange OWA certificate as PresenceEngine-Trust.

when uploading the root use base64 encoded certificate rootca.cer and enter "." in the field root certificate!


you do not have to worry about the documentation regarding IIS certificate request...


hope this helps!

maloyal Mon, 07/07/2008 - 11:13

I uploaded the root ca as base64, named rootca.cer and "." in the field (with quotes) and still I get presence gateway unreachable via the Troubleshooter.


My OWA cert was uploaded as PEM...do I need to delete that and reload as cer?


And my certs page still does not list the rootca for the 3rd party...argh!


Thanks

okuehn Mon, 07/07/2008 - 11:25

sorry, put only a . in the field rootca name

maloyal Mon, 07/07/2008 - 11:55

Nope...a period in the Root certificate name field does not work. My troubleshooting status still shows Presence gateway unreachable.


If I go to the help doc on the Cert page, I get: "If you are uploading an application certificate that was issued by a third party CA, enter the name of the CA root certificate in the Root Certificate text box. If you are uploading a CA root certificate, leave this text box empty."


Did that and still same result.


Do I need to just delete my .pem OWA cert and re-upload it?


Sorry to be a pain!

maloyal Mon, 07/07/2008 - 14:00

Well...on the presence gateway settings, I changed the Presence Gateway from my FQDN to the internal IP of my Exchange server...and now all troubleshooting steps pass except for MOC (not using) and MeetingPlace server (don't have.)


But my status in UPC still shows available even though I have an all day appt for being out of office.

okuehn Mon, 07/07/2008 - 21:40

ok, i think your initial problem is not related to certificate issues. the troubleshooter would have shown everything fine although you are not able to access calendar.


maybe you can check the following things:

- dns related problems on your CUPS. are you using DNS doctoring on PIX/ASA to resolve internal DMZ IP address of OWA?


- can you see any errors (Cisco UP Presence Engine) in application syslog using RealTimeMonitoringTool?



maloyal Tue, 07/08/2008 - 06:24

When I changed to the internal IP of my Exchange server, I thought maybe of DNS, but it should be pointing to my local internal DNS server which can resolve the FQDN of my OWA url.


I restarted the PE:

: 81: Jul 08 14:07:38.324 UTC : %CCM_SERVICEMANAGER-GENERIC-6-ServiceStarted: Service started. Service Name:Cisco UP Presence Engine Process ID:3469 Cluster ID: Node ID:pres1


Then this error:

: UNKNOWN PARAMETER ERROR 2


then:

: 0: Jul 08 14:10:49.152 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-3-PEExchangeConnectionLoss: Indicates that PE cannot connect to the Exchange Server. UNKNOWN_PARAMNAME:PEAlarmMessage:TLS error - check certificate; Server certificate verification failed: certificate issued for a different hostname, issuer is not Cluster ID:StandAloneCluster Node ID:pres1


Then:

: 1: Jul 08 14:14:03.115 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-2-PESipSgHostUnavailable: PE could not reach server group. Server group host that could not be contacted.:server group host=pres1 Cluster ID:StandAloneCluster Node ID:pres1


Restart the SIP Proxy and get:

: 2: Jul 08 14:14:29.146 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-2-PESipSgHostUnavailableClear: PE service can now connect the outbound proxy server group Server group host that can now contacted.:server group host=pres1 Cluster ID:StandAloneCluster Node ID:pres1


okuehn Tue, 07/08/2008 - 06:43

in the error logs you can see that you have to use the fqdn name of your OWA server. because only this fqdn name matches the certificate CN


"...certificate issued for a different hostname, issuer is not Cluster ID:StandAloneCluster Node ID:pres1"


can you confirm the dns resolve on your CUPS server?

maloyal Tue, 07/08/2008 - 07:30

I changed my presence gateway back to my FQDN and get:

: 2: Jul 08 15:04:54.87 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-3-PEExchangeConnectionLoss: Indicates that PE cannot connect to the Exchange Server. UNKNOWN_PARAMNAME:PEAlarmMessage:TLS error - check certificate; Server certificate verification failed: issuer is not trusted Cluster ID:StandAloneCluster Node ID:pres1


The DNS server is correct. Can I do a NSlookup from the command prompt on Pres?

okuehn Wed, 07/09/2008 - 23:11

you can do a nslookup using the following command on CLI:


utils network host webmail.ndv.net

maloyal Sat, 07/12/2008 - 18:44

did the host lookup and it correctly resolved my FQDN of my Webmail.

okuehn Thu, 07/10/2008 - 21:57

i think the troubleshooter message is wrong and CUPS can resolve your internal IP. the error message "TLS error - check certificate; Server certificate verification failed: issuer is not trusted" indicates that CUPS cannot verify your OWA certificate because it does not have the equifax root CA installed.

can you confirm that your equifax root CA certificate is listed in your CUPS certificate list as PresenceEngine-trust?
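
The two TLS failures discussed in the replies above (a hostname mismatch when the gateway is set to an IP address, an untrusted issuer when the root CA is missing) can be told apart mechanically from the Presence Engine alarms. The following is an added example, not part of any post in this thread and not Cisco code: it parses alarm lines copied from the posts above and labels each verification failure. The finding codes and advice strings are hypothetical names, and treating the truncated "issuer is not" in the first alarm as "issuer is not trusted" is an assumption.

```python
import re

# Alarm lines copied from the posts in this thread (application syslog via RTMT).
SAMPLE_LOG = """\
: 0: Jul 08 14:10:49.152 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-3-PEExchangeConnectionLoss: Indicates that PE cannot connect to the Exchange Server. UNKNOWN_PARAMNAME:PEAlarmMessage:TLS error - check certificate; Server certificate verification failed: certificate issued for a different hostname, issuer is not Cluster ID:StandAloneCluster Node ID:pres1
: 1: Jul 08 14:14:03.115 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-2-PESipSgHostUnavailable: PE could not reach server group. Server group host that could not be contacted.:server group host=pres1 Cluster ID:StandAloneCluster Node ID:pres1
: 2: Jul 08 15:04:54.87 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-3-PEExchangeConnectionLoss: Indicates that PE cannot connect to the Exchange Server. UNKNOWN_PARAMNAME:PEAlarmMessage:TLS error - check certificate; Server certificate verification failed: issuer is not trusted Cluster ID:StandAloneCluster Node ID:pres1
"""

# ": <seq>: <timestamp> UTC : %<FACILITY>-<SUBFACILITY>-<severity>-<AlarmName>: <body>"
ALARM_RE = re.compile(
    r"^: \d+: (?P<ts>\w{3} \d{2} [\d:.]+) UTC : "
    r"%(?P<facility>[A-Z_]+)-(?P<sub>[A-Z]+)-(?P<sev>\d)-(?P<name>\w+): (?P<body>.*)$"
)
# The verification reasons sit between this prefix and the trailing "Cluster ID:".
REASON_RE = re.compile(r"Server certificate verification failed: (.*?)\s*Cluster ID:")

# Substring -> hypothetical finding code. "issuer is not" (without "trusted")
# is matched on purpose: the first alarm is truncated in the log as posted.
REASONS = [
    ("different hostname", "HOSTNAME_MISMATCH"),
    ("issuer is not", "ISSUER_UNTRUSTED"),
]
# Advice text paraphrases the replies in this thread.
ADVICE = {
    "HOSTNAME_MISMATCH": "set the Presence Gateway to the FQDN that matches the certificate CN",
    "ISSUER_UNTRUSTED": "the root CA that issued the OWA certificate is not trusted by the Presence Engine",
}

def classify(log_text):
    """Return (timestamp, alarm name, [finding codes]) for each TLS verification failure."""
    findings = []
    for line in log_text.splitlines():
        alarm = ALARM_RE.match(line.strip())
        if not alarm:
            continue
        reason = REASON_RE.search(alarm["body"])
        if not reason:
            continue  # alarm is not a certificate verification failure
        codes = [code for needle, code in REASONS if needle in reason.group(1)]
        findings.append((alarm["ts"], alarm["name"], codes))
    return findings

if __name__ == "__main__":
    for ts, name, codes in classify(SAMPLE_LOG):
        print(ts, name)
        for code in codes:
            print("   ", code, "-", ADVICE[code])
```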

maloyal Fri, 07/11/2008 - 11:02

I keep reloading the dang rootca.cer with just a period (.) in the field root certificate and I've done it blank and still it doesn't show up in my cert list.


See attached




okuehn Sat, 07/12/2008 - 02:12

please, can you send me your root CA certificate?

maloyal Sun, 07/13/2008 - 19:36

Here are some logs from me uploading/reloading my root ca with different names, as well as my OWA cert.


Whenever I load my root ca, no matter what name I give it, it NEVER shows up in the cert list.



Correct Answer
okuehn Mon, 07/14/2008 - 01:14

i'm able to install your equifax root ca certificate but it does also not appear in the certificate list of our CUPS!


we are using thawte root ca which worked fine this way. maybe CUPS has some problem processing different root CA certificate details? e.g. thawte has no CRL entry. i'm afraid you have to open a TAC case...


have you rebooted the CUPS server and tried again?


in the release notes of CUPS 6.03 i've found the following:


"If the certificate has no Subject CN, upload the certificate on the Presence Gateway Configuration page of the Cisco Unified Presence Administration GUI. Select Cisco Unified Presence > Presence Engine > Presence Gateways. You can upload any number of root CA certificates but you must upload five certificates at a time. Following a L2 upgrade, the Exchange certificates must be uploaded again on this page."


i don't believe that this also applies to root ca certificates, but maybe you can try this method too.





maloyal Mon, 07/14/2008 - 05:17

Could I see a pic of your Cert list to see how your Root CA shows up?


There was also something in the docs about having spaces in the cert filename.


FYI...tried mine both ways.


What is weird is my OWA cert would only show up in the list when I used the CN name as the filename...periods and everything. It wouldn't show up if I used underscores or spaces.

okuehn Mon, 07/14/2008 - 06:07

i have successfully installed two root CA certificates (Thawte and Startcom). however, i did not name the root ca cer files specifically.


please try whether you are able to install a thawte certificate?



okuehn Mon, 07/14/2008 - 07:03

ok, then it seems that we have actually a bug with cups and root ca certificate details!


can you open a TAC case with these two examples of Equifax and Thawte?

maloyal Mon, 07/14/2008 - 07:19

I think I got it!!!



When I view my OWA cert in Firefox and look at the "Issue by" there is no CN.


"If the certificate has no Subject CN, upload the certificate on the Presence Gateway Configuration page of the Cisco Unified Presence Administration GUI."


I thought this was talking just about my OWA cert. But I went ahead and tried uploading my equifax.cer and it said not valid PEM file. I changed the file extension and uploaded it.


Restarted my PE and SIP, but the Cert still does NOT show up in the Cert list.


However I started my UC client and there was my status! I deleted my all day appt and I went to available. I created an all day Busy meeting, and my status changed.


There are no further Cert errors in RTMT either.


I think this is fixed. Thanks for all your help, it is TRULY appreciated!

okuehn Mon, 07/14/2008 - 07:34

glad it works now for you!

maloyal Thu, 07/24/2008 - 06:40

From this url: http://www.geotrust.com/resources/root_certificates/index.asp


I used Root 1 and uploaded it thru the Presence Gateway config page.


I have since had to open a ticket with TAC. This cert is not displayed in OS administration, but is located in the folder: /usr/local/thirdparty/


We have since deleted my OWA certificate since only the Root CA was needed.


My troubleshooter is still saying Presence Gateway unreachable, however Presence info works.


The RTMT will consistently register periodic errors about timeouts to the Exchange server, but it will register another event saying connection re-established with no elapsed time.


Weird

Hi,


Thanks for the reply. My problems seem to be the complete opposite. I'm not getting errors about the Presence Gateway in the Troubleshooter, however, since I removed my OWA cert I am picking up errors about my Exchange cert in the troubleshooter.


My Presence info doesn't work at all. I'm also waiting to open a case with TAC, been working at this for almost two weeks.



maloyal Thu, 07/24/2008 - 07:06

What's your version of CUPS?


Are you using Forms Based Authentication for OWA?


Finally, who issued your OWA cert?



rsantry Mon, 08/11/2008 - 08:37

I am getting similar issues, here is what I get in the RTMT log. I have uploaded a certificate, and the root for our certificate, and still have issues.


8/11/2008 11:33:22.715 EPE|system.pe.pa.owa.backend 404906 ERROR ExchangeSession: 0xffffffff90b0bfe8 ssl problem(s): CERTIFICATE_AUTHORITY_SIGNATURE_NOT_TRUSTED - rejected


08/11/2008 11:33:22.715 EPE|system.pe.pa.owa.backend 404906 ERROR Exchange Server Transaction Failed: SUBSCRIBE sip:[email protected]@owa.sentinel.com:443 1 TLS error - check certificate; Server certificate verification failed: issuer is not trusted - rejected





Here are the certs, what can I be doing wrong?



maloyal Mon, 08/11/2008 - 08:55

Under Cert Mgmt in OS Administration...is your Root & OWA certs listed?


I am still working with TAC on my issue. We completely deleted my OWA cert and verified we only needed the Root uploaded thru the Presence Gateway config page. The cert is only visible from the command line.


My new issue is now that I have connectivity, my PE server regularly registers timeouts to Exchange and reconnections after anywhere from a couple seconds to several mins. Happens at all times, but especially overnight when there is no load.


I have uploaded some updated code from TAC with a longer timeout period but little change.

okuehn Mon, 08/11/2008 - 22:15

Hi Ryan,


as Allen mentioned, please check whether your rootca certificate shows up in your CUPS OS administration.

i think you are not hitting Allen's issue because your root ca has actually an issuer subject CN (CN = GTE CyberTrust Global Root).

otherwise you have to upload your root ca on presence gateway configuration page.


so, please confirm: when uploading the root certificate, use base64 encoded certificate rootca.cer and enter "." in the field root certificate! afterwards confirm your root certificate shows up in cert management.


Allen, i'm facing the same timeout issues several times a day. if you get a resolution from TAC, please get back to me ;)

maloyal Tue, 09/23/2008 - 09:14

Still working with TAC on my Exchange Timeout issue.


They have advised me to wait till CUPS 7.02 which has a different presence engine.
