New Member

CVP v9.0 doesn't run secure CallServer and VXMLServer

Hi,

I'm working on securing a CVP 9.0 in a comprehensive deployment with SIP.

Although it should be possible to use https for all VXML communication (IVR subsystem on port 8443 & vxml server on port 7443), I noticed that these ports were not in use on my newly installed CVP.

I finally found that there are 2 install scripts (install_vxml_cert.bat and install_cs_cert.bat) that should set up both Tomcat instances with secure connectors. Only, these scripts are interrupted on a piece of Java with a NoClassDefFound error.

I added the piece marked in red on the following line to fix the issue:

"%JAVA%" -cp "%CVP_HOME%/lib/ccbu-common.jar";"%CVP_HOME%/lib/log4j.jar";"%CVP_HOME%/lib/*" com.cisco.ccbu.infra.security.CCBUSecurityInstall -cstomcatxml

Ran both install scripts again, restarted CallServer and VXMLServer ... et voilà!

My CVP is capable of serving VXML over HTTPS now!

What is my question then?

Well, I can't seem to make the vxml gateway communicate with the IVR subsystem over https (port 8443).

I found some info on parameters in bootstrap.tcl (cvpserverport and cvpserverssl) to enable secure communication.

But that didn't work for me. It turns out in a SIP scenario the bootstrap.tcl extracts the info from a SIP header (App-Info) and ignores the parameters.

App-Info should look like this for a secure communication:

<CallServer IP>:<http port>:<https port>

E.g.: 192.168.1.99:8000:8443

Looking at my situation with Wireshark, I only see 192.168.1.99:8000 in the App-Info header.

So finally the question:

How can I make the CVP SIP Subsystem send the secure communication port in that custom sip header?

I couldn't find any setting in OpsConsole that refers to that part.

Any ideas and suggestions are welcome.

Regards,

Koen

3 REPLIES
Cisco Employee

Hello Koen,

I again suspect something on the HTTP SSL Connector.

Can you check the XML file located at C:\Cisco\CVP\CallServer\Tomcat\conf\server.xml, or can you share that file here?

Regards,

Senthil

Cisco Employee

Hello Koen,

This could also help you. These snippets are from the CVP Config/Administration Guide.

HTTPS support for unified CVP

Unified CVP can be configured to use HTTPS on the VXML Server and on the IVR leg of the Call Server. Only signed server certificates can be applied to the IOS gateway; self-signed certificates are not accepted. Unified CVP generates self-signed certificates for Tomcat applications, which must be signed by a Certificate Authority prior to use. Tomcat VXML Server users and Call Server users must follow these steps to have the certificate signed

Regards,

Senthil

New Member

Hi Senthil,

Your suspicion was right: it had to do with the SSL connector (or something that is set by the install_xxxxx_cert.bat).
I have 4 CVPs in my environment. I fixed the first one to use SSL by changing the connector definition manually.

But for some reason the SIP subsystem didn't see that (or was missing something) to advertise this to the gateway.

I now ran the install scripts again on that first CVP as well, and yes, it works!

My certificates haven't been signed yet, so to make this work I had to add them to the gateway as trustpoints. That works for now. I will have them signed soon, and will update the config accordingly.

Thanks for your help.

Regards,

Koen
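
As an added example (not part of the thread and not Cisco tooling), the check below cross-references the two things discussed above: the TLS connector in the Call Server's Tomcat server.xml and the App-Info value seen in the SIP capture. The sample server.xml and INVITE text are constructed, and the function names and the optional angle brackets around the header value are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real CVP install or capture).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8000" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true"/>
</Service></Server>"""
INVITE_PLAIN = "INVITE sip:9999@192.168.1.50 SIP/2.0\r\nApp-Info: <192.168.1.99:8000>\r\n\r\n"
INVITE_TLS = "INVITE sip:9999@192.168.1.50 SIP/2.0\r\nApp-Info: <192.168.1.99:8000:8443>\r\n\r\n"


def tls_connector_ports(server_xml):
    """Ports of Tomcat <Connector> elements that have SSLEnabled="true"."""
    root = ET.fromstring(server_xml)
    return {
        int(c.get("port"))
        for c in root.iter("Connector")
        if c.get("SSLEnabled", "").lower() == "true" and c.get("port")
    }


def parse_app_info(sip_message):
    """Return (host, http_port, https_port or None); None if no App-Info header."""
    m = re.search(r"^App-Info:\s*<?([^<>\s]+)>?\s*$", sip_message, re.I | re.M)
    if not m:
        return None
    parts = m.group(1).split(":")  # assumes an IPv4 address or hostname
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("unexpected App-Info value: " + m.group(1))
    https_port = int(parts[2]) if len(parts) == 3 else None
    return parts[0], int(parts[1]), https_port


def diagnose(server_xml, sip_message):
    """Compare what the header advertises with what Tomcat is configured to serve."""
    info = parse_app_info(sip_message)
    tls_ports = tls_connector_ports(server_xml)
    if info is None:
        return "no App-Info header"
    if info[2] is None:
        return "https port not advertised" + (
            " although a TLS connector exists" if tls_ports else "")
    if info[2] not in tls_ports:
        return "advertised https port has no TLS connector"
    return "ok"
```

The "https port not advertised although a TLS connector exists" result corresponds to the state described in the last post, where the connector had been edited by hand but the gateway still received only the HTTP port.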
