Cisco Unified MeetingPlace, Release 7.0 -- How to Solve Problems with the Application Server SSL
Main page: Cisco Unified MeetingPlace, Release 7.0
Up one level: Troubleshooting
Cannot Load Certificate
Problem: After attempting to load the certificate, you see the following error message on the Display Certificate page: Unparseable certificate extensions: 2 : ObjectId: 18.104.22.168.22.214.171.124.1 Criticality=false Unparseable AuthorityInfoAccess extension due to java.io.IOException: invalid URI name:file:// \\SAMPLE.string.com\CertEnroll\SAMPLE.string.com
Possible Cause: Java.net.URL does not handle UNC paths well, "file://\\" is not a valid URI due to the inclusion of '\\' characters as defined by RFC 2396.
Solution: Sign the certificate without the URL that includes the UNC path.
Cannot Enable SSL
Problem: You cannot enable SSL.
Possible Cause: While generating CSRs, you clicked "Generate CSR" more than once. This causes the system to create a second private key that does not work with the certificate for the CSR that was created and downloaded the first time you clicked Generate CSR.
Solution: Obtain and upload a new certificate. This time, make sure that you click Generate CSR only once.
Possible Cause: An extra line was accidentally included at the end of the certificate. To verify, use the Linux cat command to either view the certificate file before uploading it, or view your local copy of the certificate file. The uploaded certificate on the Application Server is stored in a binary format, which cannot be viewed via the Linux cat command.
In the following sample output, notice the blank line that immediately precedes the "-----END CERTIFICATE-----" line.
[root@meeting certs]# cat webapp.cert.pem
Solution: Use any Linux editor, such as the vim command, to delete the extra line. Then use the Enable SSL Page to upload the corrected certificate.
Possible Cause: Upon inspection, the modulus and exponent fields do not match between the public certificate file and private key file. If these common portions do not match, the system cannot communicate using SSL.
Solution: Obtain and upload a new certificate.
SSL Stops Working
Problem: SSL stops working.
Possible Cause: You accidentally clicked Generate CSR, which created a new private key that no longer matches the previously uploaded certificate.
Solution: If you backed up the SSL configuration, restore it. See Restoring the SSL Configuration. If you did not back up the SSL configuration, then obtain and upload a new certificate.
Possible Cause: You performed a fresh installation of the Cisco Unified MeetingPlace application. The installation process deletes any private key files and public certificates on the system.
Solution: If you backed up the SSL configuration, restore it. See Restoring the SSL Configuration. If you did not back up the SSL configuration, obtain and upload a new certificate.
Possible Cause: The Application Server hostname was changed. The CSR and resulting certificate use the Application Server hostname that you entered for Ethernet Port 1 (device eth0) during the operating system installation.
Solution: Obtain and upload a new certificate.
No SSL Connection
Problem: SSL connection cannot be established between Cisco Unified MeetingPlace and Microsoft Outlook, and an exception such as the following appears in the logs:
java.lang.Securityeption: Unsupported keysize or algorithm parameters
Possible Cause: The problem occurs when the certificate contains a key longer than 1024 bits. The cryptography strength limitations placed by the default policy files included with Java Runtime Environment (JRE) give the highest strength cryptography algorithms and key lengths which are allowed for import to all countries.
Solution: If your country does not place restrictions on the import of cryptography, then you can download the unlimited strength policy files:
- Go to http://java.sun.com/javase/downloads/index.jsp.
- Download the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6."
- Follow the instructions in the README.txt file in the downloaded package.
- The JRE installation used by Cisco Unified MeetingPlace is in /opt/cisco/meetingplace/jre/.
Certificate or Private Key is in the Wrong Format
Problem: The certificate or private key is in the wrong format.
NOTE: The Application Server supports only the following formats:
- Private keys: PKCS #1, PKCS #8 (PEM or DER encoding), Java keystore
- Certificates: X.509 (PEM or DER encoding), Java keystore
Solution: Use the openssl command in the Application Server CLI to convert the file to a supported format. In the following example, an unsupported PKCS12 file is converted to a supported PEM-formatted file:
[mpxadmin@application-server ~]$ openssl pkcs12 -in old-file.pfx -out new-file.pem -nodes
If the file contained both the certificate and the private key, then the converted file will contain both a PRIVATE KEY block and a CERTIFICATE block. Use a text editor to separate these into two files before uploading them to the Application Server and enabling SSL, following these requirements:
- Each file must contain only one block.
- Include the BEGIN and END lines of each block, for example:
-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
- Do not include any text, including spaces or blank lines, before the BEGIN line and after the END line. A trailing line break after the END line is okay. Some files contain extraneous data before the BEGIN line and after the END line. Remove such data before uploading the file and enabling SSL on the Application Server.