
VerifyServerCertificate reverts automatically to "On" on SX20 TC7.3.3

Hello Guys,

We have an SX20 that we are trying to register to CUCM through Expressway. Jabber works correctly over MRA and we also already successfully registered an SX10 through MRA.

We are struggling to register the SX20 through Expressway. We have the Exp-E certificate containing the host A, the _collab-edge SRV and the XMPP domain.

The problem here is that we have an option on System Configuration > Network Services > HTTPS > VerifyServerCertificate that we put to "Off" and we Save. We see that this option was applied through the "application.log" file.

However, after one minute or two, this option auto-reverts to "On"!

We don't know why it reverts to "On". Has anybody run into the same behaviour? We are running TC7.3.3.


Paulo Souza
VIP Alumni

Hi,

This is the expected behavior when registering the device via MRA. Cisco has forced the public part of the MRA topology to always use TLS with certificate verification. That is applied to SIP, XMPP and HTTPS connections from an external device towards Exp-E and between Exp-C and Exp-E.

A client registering through MRA will be provisioned through HTTPS (using TCP port 8443) and it will download all its configuration from the Exp-E. That configuration will tell which parameters the client must use in order to register via MRA, which includes the "VerifyServerCertificate". And those parameters will be applied by the device itself automatically. The VerifyServerCertificate parameter will force SX20 to always verify that the HTTPS server's certificate is signed by a trusted Certificate Authority (CA). This security feature is mandatory for MRA and thus can't be changed.

Therefore, if you are having issues registering your SX20 through MRA, the first thing to check is: Does your Exp-E have a certificate signed by a public CA? This is highly recommended for MRA deployments. However, if your Exp-E does not have a public valid certificate, you can still have it working by uploading to the SX20 the certificate of the CA that signed Exp-E's certificate, so that SX20 will trust the certificate presented by Exp-E. Nevertheless, I strongly suggest you have a public valid certificate.

I hope that helps you.

Cheers,

Paulo Souza

Remember to rate useful answers and mark your question as "answered" if applicable
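
The check described in the answer above, as an added example that is not part of the original thread: it tests whether a server certificate chains to the CA certificate you would upload to the endpoint and whether it is valid for a given name. The host names, file names and the private CA are constructed for the demo, and `cert_trusted` and `make_lab` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example. Every certificate and name here is constructed for the demo.

# cert_trusted CA_PEM LEAF_PEM NAME
# Exit 0 only if LEAF chains to CA and is valid for NAME, which is what a
# client with certificate verification switched on requires of the server.
cert_trusted() {
  local out
  out=$(openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>&1) || return 1
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# make_lab DIR
# Build a constructed private CA and a server certificate signed by it whose
# SAN lists a host name and a service domain (stand-ins for the Exp-E names).
make_lab() {
  local d="$1"
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
    '[dn]' '[v3]' 'basicConstraints=critical,CA:TRUE' >"$d/ca.cnf"
  printf 'subjectAltName=DNS:expe.example.com,DNS:example.com\n' >"$d/san.ext"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Lab CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=expe.example.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -set_serial 1001 -days 2 -extfile "$d/san.ext" \
    -out "$d/leaf.pem" 2>/dev/null
}

# Demo: the leaf is accepted for names in its SAN, rejected for any other.
lab=$(mktemp -d) && make_lab "$lab"
for name in expe.example.com example.com other.example.net; do
  if cert_trusted "$lab/ca.pem" "$lab/leaf.pem" "$name"; then
    echo "$name: trusted"
  else
    echo "$name: rejected"
  fi
done
```

On a real deployment, replace the constructed files with the CA certificate uploaded to the SX20 and the certificate Exp-E presents on TCP port 8443, and run the check once for each name the certificate is expected to cover.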

Thanks Paulo!

Yes, this is exactly what I see for the VerifyServerCertificate parameter.

When I set it to "Off" it does apply, but as soon as the SX20 retries to register after X seconds, the parameter immediately reverts to "On" as you said.

5 stars.

You are welcome!

Paulo Souza