Cisco Support Community

New Member

CUPS 6.0.3 Calendar Integration

We have just upgraded CCM to 6.1.2.1000-13 and CUPS to 6.0.3.1000-12.

Previously, we had CUPS 6.0.2 and our OWA uses FBA so we had no Calendar integration in Unified Personal communicator. I understood this to be resolved in the latest version, so we upgraded.

We still have no Calendar integration with the Unified client and going thru the System Troubleshooter, it says our Presence Gateway is unreachable. I desperately need help configuring this...I think this comes down to certificates.

Our OWA certificate is issued by 3rd party, root CA is Equifax. I have downloaded the root CA from Equifax at http://www.geotrust.com/resources/root_certificates/index.asp and uploaded it to the Certs in CUPS OS Admin as .cer and .pem and it never shows up in the Certs list (which I've attached)

The initial install, we did upload our OWA cert as .pem and it appeared to take. On the initial CUPS 6.0.2 install, we briefly changed OWA to Windows Authentication and Calendaring worked. But we changed it back to FBA because we weren't ready to make that change.

The CN in the Cert is exactly the FQDN of our OWA so I'm really lost here. The deployment guide talks about using IIS to issue a cert request...I shouldn't need to do all that...especially since there is no IIS in CUPS.

thanks

32 REPLIES
Bronze

Re: CUPS 6.0.3 Calendar Integration

Hi,

we have faced the same problem with FBA. however, with 6.0.3 the calendar integration actually works fine!

you have to upload both, the root CA and your exchange OWA certificate as PresenceEngine-Trust.

when uploading the root use base64 encoded certificate rootca.cer and enter "." in the field root certificate!

you do not have to worry about the documentation regarding IIS certificate request...

hope this helps!

New Member

Re: CUPS 6.0.3 Calendar Integration

I uploaded the root ca as base64, named rootca.cer and "." in the field (with quotes) and still I get presence gateway unreachable via the Troubleshooter.

My OWA cert was uploaded as PEM...do I need to delete that and reload as cer?

And my certs page still does not list the rootca for the 3rd party...argh!

Thanks

Bronze

Re: CUPS 6.0.3 Calendar Integration

sorry, put only a . in the field rootca name

New Member

Re: CUPS 6.0.3 Calendar Integration

Nope...a period in the Root certificate name field does not work. My troubleshooting status still shows Presence gateway unreachable.

If I go to help doc on Cert page, I get: "If you are uploading an application certificate that was issued by a third party CA, enter the name of the CA root certificate in the Root Certificate text box. If you are uploading a CA root certificate, leave this text box empty."

Did that and still same result.

Do I need to just delete my .pem OWA cert and re-upload it?

Sorry to be a pain!

New Member

Re: CUPS 6.0.3 Calendar Integration

Well...on the presence gateway settings, I changed the Presence Gateway from my FQDN to the internal IP of my Exchange server...and now all troubleshooting steps pass except for MOC (not using) and MeetingPlace server (don't have.)

But my status in UPC still shows available even though I have an all day appt for being out of office.

Bronze

Re: CUPS 6.0.3 Calendar Integration

ok, i think your initial problem is not related to certificate issues. the troubleshooter would have shown everything fine although you are not able to access calendar.

maybe you can check the following things:

- dns related problems on your CUPS. are you using DNS doctoring on PIX/ASA to resolve internal DMZ IP address of OWA?

- can you see any errors (Cisco UP Presence Engine) in application syslog using RealTimeMonitoringTool?

New Member

Re: CUPS 6.0.3 Calendar Integration

When I changed to the internal IP of my Exchange server, I thought maybe of DNS, but it should be pointing to my local internal DNS server which can resolve the FQDN of my OWA url.

I restarted the PE:

: 81: Jul 08 14:07:38.324 UTC : %CCM_SERVICEMANAGER-GENERIC-6-ServiceStarted: Service started. Service Name:Cisco UP Presence Engine Process ID:3469 Cluster ID: Node ID:pres1

Then this error:

: UNKNOWN PARAMETER ERROR 2

then:

: 0: Jul 08 14:10:49.152 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-3-PEExchangeConnectionLoss: Indicates that PE cannot connect to the Exchange Server. UNKNOWN_PARAMNAME:PEAlarmMessage:TLS error - check certificate; Server certificate verification failed: certificate issued for a different hostname, issuer is not Cluster ID:StandAloneCluster Node ID:pres1

Then:

: 1: Jul 08 14:14:03.115 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-2-PESipSgHostUnavailable: PE could not reach server group. Server group host that could not be contacted.:server group host=pres1 Cluster ID:StandAloneCluster Node ID:pres1

Restart the SIP Proxy and get:

: 2: Jul 08 14:14:29.146 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-2-PESipSgHostUnavailableClear: PE service can now connect the outbound proxy server group Server group host that can now contacted.:server group host=pres1 Cluster ID:StandAloneCluster Node ID:pres1

Bronze

Re: CUPS 6.0.3 Calendar Integration

in the error logs you can see that you have to use the fqdn name of your OWA server. because only this fqdn name matches the certificate CN

"...certificate issued for a different hostname, issuer is not Cluster ID:StandAloneCluster Node ID:pres1"

can you confirm the dns resolve on your CUPS server?

New Member

Re: CUPS 6.0.3 Calendar Integration

I changed my presence gateway back to my FQDN and get:

: 2: Jul 08 15:04:54.87 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-3-PEExchangeConnectionLoss: Indicates that PE cannot connect to the Exchange Server. UNKNOWN_PARAMNAME:PEAlarmMessage:TLS error - check certificate; Server certificate verification failed: issuer is not trusted Cluster ID:StandAloneCluster Node ID:pres1

The DNS server is correct. Can I do a NSlookup from the command prompt on Pres?

Bronze

Re: CUPS 6.0.3 Calendar Integration

you can do a nslookup using the following command on CLI:

utils network host webmail.ndv.net

New Member

Re: CUPS 6.0.3 Calendar Integration

did the host lookup and it correctly resolved my FQDN of my Webmail.

Bronze

Re: CUPS 6.0.3 Calendar Integration

i think the troubleshooter message is wrong and CUPS can resolve your internal IP. the error message "TLS error - check certificate; Server certificate verification failed: issuer is not trusted " indicates that CUPS cannot verify your OWA certificate because it has not the equifax root CA installed.

can you confirm that your equifax root CA certificate is listed in your CUPS certificate list as PresenceEngine-trust?
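Added example, not part of any post in this thread: a Python triage of Presence Engine alarm lines like the ones quoted above, separating the two TLS verification failures the replies discuss (hostname mismatch and untrusted issuer). The sample lines are constructed from the alarm format shown in the thread with a placeholder node name (`node1`); the cause labels and function names are this example's own.

```python
import re

# Constructed sample lines in the RTMT alarm format quoted in the thread;
# "node1" is a placeholder node name.
SAMPLE_LOG = """\
: 0: Jul 08 14:10:49.152 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-3-PEExchangeConnectionLoss: Indicates that PE cannot connect to the Exchange Server. UNKNOWN_PARAMNAME:PEAlarmMessage:TLS error - check certificate; Server certificate verification failed: certificate issued for a different hostname, issuer is not Cluster ID:StandAloneCluster Node ID:node1
: 1: Jul 08 14:14:03.115 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-2-PESipSgHostUnavailable: PE could not reach server group. Server group host that could not be contacted.:server group host=node1 Cluster ID:StandAloneCluster Node ID:node1
: 2: Jul 08 15:04:54.87 UTC : %CUP_PRESENCE-CISCOUPSPRESENCEENGINE-3-PEExchangeConnectionLoss: Indicates that PE cannot connect to the Exchange Server. UNKNOWN_PARAMNAME:PEAlarmMessage:TLS error - check certificate; Server certificate verification failed: issuer is not trusted Cluster ID:StandAloneCluster Node ID:node1
"""

ALARM = re.compile(r"(?P<ts>\w{3} \d{2} [\d:.]+) UTC : %[A-Z_]+-[A-Z]+-(?P<sev>\d)-(?P<name>\w+):")
REASONS = re.compile(r"Server certificate verification failed: (?P<reasons>.*?)\s+Cluster ID:")

# (reason prefix, label, check the thread's replies point to). Prefix matching
# is deliberate: the first alarm in the thread is cut off at "issuer is not".
CHECKS = (
    ("certificate issued for a different hostname", "hostname_mismatch",
     "Presence Gateway must be the FQDN that matches the certificate CN"),
    ("issuer is not", "untrusted_issuer",
     "root CA of the OWA certificate must be trusted by the Presence Engine"),
)

def classify(reason):
    """Map one verification-failure reason to a (label, check) pair."""
    for prefix, label, check in CHECKS:
        if reason.startswith(prefix):
            return label, check
    return "unclassified", "read the full alarm text"

def triage(log):
    """Return one finding per alarm that carries a certificate verification failure."""
    findings = []
    for line in log.splitlines():
        head, body = ALARM.search(line), REASONS.search(line)
        if not (head and body):
            continue  # e.g. PESipSgHostUnavailable: no TLS reason to classify
        reasons = [r.strip() for r in body["reasons"].split(",")]
        findings.append({
            "time": head["ts"],
            "alarm": head["name"],
            "severity": int(head["sev"]),
            "causes": [classify(r)[0] for r in reasons],
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["alarm"], f["causes"])
```

An alarm that lists both causes means fixing the gateway name alone will not clear it; the issuer still has to be trusted.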

New Member

Re: CUPS 6.0.3 Calendar Integration

I keep reloading the dang rootca.cer with just a period (.) in the field root certificate and I've done it blank and still it doesn't show up in my cert list.

See attached

Bronze

Re: CUPS 6.0.3 Calendar Integration

please, can you send me your root CA certificate?

New Member

Re: CUPS 6.0.3 Calendar Integration

Sent via email...thank you!

New Member

Re: CUPS 6.0.3 Calendar Integration

Here are some logs from me uploading/reloading my root ca with different names, as well as my OWA cert.

Whenever I load my root ca, no matter what name I give it, it NEVER shows up in the cert list.

Bronze

Re: CUPS 6.0.3 Calendar Integration

i'm able to install your equifax root ca certificate but it does also not appear in the certificate list of our CUPS!

we are using thawte root ca which worked fine this way. maybe CUPS has some problem processing different root CA certificate details? e.g. thawte has no CRL entry. i'm afraid you have to open a TAC case...

have you rebooted the CUPS server and tried again?

in the release notes of CUPS 6.03 i've found the following:

"If the certificate has no Subject CN, upload the certificate on the Presence Gateway Configuration page of the Cisco Unified Presence Administration GUI. Select Cisco Unified Presence > Presence Engine > Presence Gateways. You can upload any number of root CA certificates but you must upload five certificates at a time. Following a L2 upgrade, the Exchange certificates must be uploaded again on this page."

i don't believe that this also applies to root ca certificates, but maybe you can try this method too.

New Member

Re: CUPS 6.0.3 Calendar Integration

Could I see a pic of your Cert list to see how your Root CA shows up?

There was also something in the docs about having spaces in the cert filename.

FYI...tried mine both ways.

What is weird is my OWA cert would only show up in the list when I used the CN name as the filename...periods and everything. It wouldn't show up if I used underscores or spaces.

Bronze

Re: CUPS 6.0.3 Calendar Integration

i have successfully installed two root CA certificates (Thawte and Startcom). however, i did not name the root ca cer files specific.

please try whether you are able to install a thawte certificate?

New Member

Re: CUPS 6.0.3 Calendar Integration

yep...able to install it.

Bronze

Re: CUPS 6.0.3 Calendar Integration

ok, then it seems that we have actually a bug with cups and root ca certificate details!

can you open a TAC case with these two examples of Equifax and Thawte?

New Member

Re: CUPS 6.0.3 Calendar Integration

I think I got it!!!

When I view my OWA cert in Firefox and look at the "Issue by" there is no CN.

"If the certificate has no Subject CN, upload the certificate on the Presence Gateway Configuration page of the Cisco Unified Presence Administration GUI."

I thought this was talking just about my OWA cert. But I went ahead and tried uploading my equifax.cer and it said not valid PEM file. I changed the file extension and uploaded it.

Restarted my PE and SIP, but the Cert still does NOT show up in the Cert list.

However I started my UC client and there was my status! I deleted my all day appt and I went to available. I created an all day Busy meeting, and my status changed.

There are no further Cert errors in RTMT either.

I think this is fixed. Thanks for all your help, it is TRULY appreciated!

Bronze

Re: CUPS 6.0.3 Calendar Integration

glad it works now for you!

New Member

Re: CUPS 6.0.3 Calendar Integration

Hi,

Could you perhaps tell me which cert you used as your root certificate from Equifax. I'm having the exact same problem. I'm not getting any errors in the Troubleshooter, but I have a feeling that there might be a problem with my cert.

New Member

Re: CUPS 6.0.3 Calendar Integration

From this url: http://www.geotrust.com/resources/root_certificates/index.asp

I used Root 1 and uploaded it thru the Presence Gateway config page.

I have since had to open a ticket with TAC. This cert is not displayed in OS administration, but is located in the folder: /usr/local/thirdparty/

We have since deleted my OWA certificate since only the Root CA was needed.

My troubleshooter is still saying Presence Gateway unreachable, however Presence info works.

The RTMT will consistently register period errors about timeouts to the Exchange server, but it will register another event saying connection re-established with no elapsed time.

Weird

New Member

Re: CUPS 6.0.3 Calendar Integration

Hi,

Thanks for the reply. My problems seem to be the complete opposite. I'm not getting errors about the Presence Gateway in the Troubleshooter, however, since I removed my OWA cert I am picking up errors about my Exchange cert in the troubleshooter.

My Presence info doesn't work at all. I'm also waiting to open a case with TAC, been working at this for almost two weeks.

New Member

Re: CUPS 6.0.3 Calendar Integration

What's your version of CUPS?

Are you using Forms Based Authentication for OWA?

Finally, who issued your OWA cert?

New Member

Re: CUPS 6.0.3 Calendar Integration

I'm using CUPS 6.0.4.1000-3.

I'm not using Forms Based Authentication for OWA.

The cert was issued by VeriSign.

New Member

Re: CUPS 6.0.3 Calendar Integration

I am getting similar issues, here is what I get in the RTMT log. I have uploaded a certificate, and the root for our certificate, and still have issues.

8/11/2008 11:33:22.715 EPE|system.pe.pa.owa.backend 404906 ERROR ExchangeSession: 0xffffffff90b0bfe8 ssl problem(s): CERTIFICATE_AUTHORITY_SIGNATURE_NOT_TRUSTED - rejected

|<:STANDALONECLUSTER><:DGCUP1><:ERROR><:0800>

08/11/2008 11:33:22.715 EPE|system.pe.pa.owa.backend 404906 ERROR Exchange Server Transaction Failed: SUBSCRIBE sip:etruesda@sentinel.com@owa.sentinel.com:443 1 TLS error - check certificate; Server certificate verification failed: issuer is not trusted - rejected

|<:STANDALONECLUSTER><:DGCUP1><:ERROR><:0800>

Here are the certs, what can I be doing wrong?
