Cisco Support Community

Tomcat Certificate Expired with Error: Connection to the Server cannot be established

 

 

Introduction

 

This document describes the Cisco Unified Communications Manager (CUCM) certificate-related error message "Connection to the Server cannot be established (Unable to access Remote Node)", which is thrown on the Serviceability page when the remote node's Tomcat certificate has expired, and provides the necessary steps to troubleshoot it.

 

Problem Description

 

The CUCM Subscriber's service activation page cannot be accessed from the Serviceability page, and the following error appears on the Publisher:

"Connection to the Server cannot be established (Unable to access Remote Node)".

 

Solution

 

Possible scenarios in which "Connection to the Server cannot be established (Unable to access Remote Node)" is thrown when you try to access the Serviceability page of a remote server from another server:

 

1. Tomcat certificate on the remote server has expired

 

Cisco uses this self-signed (own) certificate in Cisco Unified Communications Manager servers:

 

HTTPS certificate (tomcat_cert)—This self-signed root certificate is generated during the Cisco Unified Communications Manager installation for the HTTPS server.

 

You must delete and regenerate the certificate in Cisco Unified Communications Manager if you encounter this error in the Cisco Unified Communications Manager server:

 

Log in to Cisco Unified Communications Operating System Administration.

Choose Cisco Unified OS Administration from the Navigation drop-down menu on the right-hand side of the Administration page, and click Go.


 

1.1 Regenerate the tomcat certificates on the affected Subscribers

 

First delete the certificate, and then regenerate it.

 

1.1(a) Delete a Certificate

In order to delete a trusted certificate, complete these steps:

Note: If you delete a certificate, it can affect your system operations.

  1. Choose Security > Certificate Management > Delete/Regenerate Cert.

 


 

2. Check the Delete Trust Cert check box, and click Next.

 

The Display Certificates or Trust Units For Delete/Regenerate window appears.

 


 

3. Check the check box for the existing certificate type that you want to delete, and click Next.

 

The Delete Certificates or Trust Store window appears.

 

4. Check the Existing Certificate Name check box for the certificate that you want to delete, and click Delete.

 

 

1.1(b) Regenerate a Certificate

In order to regenerate a certificate, complete these steps:

  1. Choose Security > Certificate Management > Delete/Regenerate Cert.

    The Select Certificates or Trust Store for Deletion window appears.

  2. Check the Regenerate Self-Signed Cert check box, and click Next.

  3. Check the appropriate Existing Certificates Types check box for the certificate that you want to regenerate, and click Next.

  4. Check the appropriate Existing Certificate check box, and click Regenerate.

 

 

1.2 Restart the Cisco Tomcat service on the affected Subscribers

 

CLI: utils service restart Cisco Tomcat

 

 

Note: When the Subscriber and the Publisher are in different time zones after a fresh install, the administrator has to regenerate the Tomcat certificates on the Subscriber side.

 

Refer to Bug ID CSCth44399 for more information.

 

Workaround mentioned in the bug:
1. If using a CA-signed certificate, get the Tomcat CSR re-signed by the CA, upload it again, and restart the Cisco Tomcat service (utils service restart Cisco Tomcat).

2. If the affected server uses a self-signed certificate, regenerate the Tomcat certificate (set cert regen tomcat) and then restart the Cisco Tomcat service (utils service restart Cisco Tomcat).

 

 

2. Check Database replication status

 

3. /etc/host of the server from which you are trying to access the remote server is missing

 

4. User doesn't have the required groups (Super CCM User)

 

5. Verify that the application user and end user do not have the same name.

 

6. Network connectivity issue to the remote server.

 

 

 

Log Collection:

Collect the "Cisco CCMServices Web Service" Logs when this error is reported

First, set the "Cisco CCMServices Web Service" logs to detailed.

 
  • Go to Cisco Unified Serviceability page
  • Choose Configuration from the Trace menu.
  • Select the Publisher server
  • Service Group: System Services
  • Service: Cisco CCMServices Web Service
  • Set the Debug Trace Level as: Debug
 
 
Then use RTMT to Collect those logs


From the ccmservice logs on the Publisher:

2011-05-05 02:09:04,515 DEBUG [http-8443-7] function.FunServiceActivation - product type with service name*** for CommonCisco AXL Web ServiceDatabase and Admin Services
--snip--

2011-05-05 02:09:04,528 DEBUG [http-8443-7] function.FunServiceActivation - product type with service name*** for CallManagerCisco TAPS ServiceDatabase and Admin Services
2011-05-05 02:09:04,528 DEBUG [http-8443-7] function.FunServiceActivation - service list for common ---23
2011-05-05 02:09:04,530 DEBUG [http-8443-7] function.FunServiceActivation - Created SSLContext
2011-05-05 02:09:04,530 DEBUG [http-8443-7] function.FunServiceActivation - Created SSLContext
2011-05-05 02:09:04,531 DEBUG [http-8443-7] function.FunServiceActivation - Getting socketfactory

2011-05-05 02:09:04,552 ERROR [http-8443-7] function.FunServiceActivation - Exception1 in CreatingTrustManager and setting as DefaultSocketFactory
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Server Certificate not available in Keystore for Authentication
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
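
To pick this failure out of a larger ccmservice trace, the following added example (not part of the original document and not Cisco code) groups each log line with the exception lines that follow it and reports ERROR records whose exception chain contains javax.net.ssl.SSLHandshakeException. The function names are hypothetical, and the sample input is copied from the excerpt above.

```python
import re

# Header of a ccmservice trace line as it appears in the excerpt above.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) +"
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+) - (?P<msg>.*)$")
# One link of a Java exception chain: "fully.qualified.SomeException: rest".
EXC = re.compile(r"^(?P<cls>(?:[\w$]+\.)+[\w$]*(?:Exception|Error)): (?P<rest>.*)$")

# Sample input: lines copied from the Publisher log excerpt on this page.
SAMPLE = """\
2011-05-05 02:09:04,531 DEBUG [http-8443-7] function.FunServiceActivation - Getting socketfactory

2011-05-05 02:09:04,552 ERROR [http-8443-7] function.FunServiceActivation - Exception1 in CreatingTrustManager and setting as DefaultSocketFactory
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Server Certificate not available in Keystore for Authentication
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
"""

def parse_records(text):
    """Group each header line with the exception/stack lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "extra": []})
        elif line.strip() and records:
            records[-1]["extra"].append(line.strip())
    return records

def split_chain(line):
    """Split 'a.AException: b.BException: detail' into (class names, detail)."""
    chain, rest = [], line
    while (m := EXC.match(rest)):
        chain.append(m["cls"])
        rest = m["rest"]
    return chain, rest

def find_tls_failures(text):
    """Return ERROR records whose exception chain includes an SSL handshake failure."""
    hits = []
    for rec in parse_records(text):
        if rec["level"] != "ERROR":
            continue
        for extra in rec["extra"]:
            chain, detail = split_chain(extra)
            if "javax.net.ssl.SSLHandshakeException" in chain:
                cert = any(c.startswith("java.security.cert.") for c in chain)
                hits.append({"ts": rec["ts"], "logger": rec["logger"],
                             "chain": chain, "detail": detail, "cert_related": cert})
                break
    return hits
```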
 

 


Version history: Revision 2 of 2
Last update: 08-29-2017 12:06 PM
 