Knowlege base

Configure Cisco ECC Curri to use HTTPS

Article ID: 512
Last updated: 19 Feb, 2018
Applies from Application Suite 2017.6.1

Applies to:

Imagicle Application Suite, rel. Summer 2017 or newer

Description: 

This article details how to configure CuCM and IAS to use HTTPS for ECC-Curri.
Curri can be used with several IAS applications: StoneLock, Speedy Lookup and/or SmartNumbers, Call Recording announcement.

How-to:

Requirements

On CuCM, the DNS must be correctly configured to resolve IAS server(s) FQDN.

When the IAS server is joined to a domain, the Active Directory will try to register the IAS computer name in the company DNS. Hence, every server should be able to resolve the IAS server name. If this is not the case, you must add a static entry in the company DNS to let the CUCM reach the IAS server using its name (fqdn).

1. Configure the External Call Control Profile for HTTPS

In the Primary Web Service field of the ECC profile, enter the IAS web service URL, e.g. https://ias.mydomain.com:443/fw/ecc.ashx.

Notes:

a. https://ias.mydomain.com:443/fw/ecc.ashx
In the address remember to specify the port :443. The port number must be explicity written even if implied by the https protocol.

b. https://ias.mydomain.com:443/fw/ecc.ashx
In the address you must use the netbios computer name (ias.mydomain.com), not the IP address.
It must be the same name specified in the Common Name of the SSL certificate (CN value)
 

2. Adjust the Certificate on the IAS server

The Common Name (CN) field of the certificate used by IIS must contain the machine Fully Qualified Domain Name used in the External Call Control profile URL.

To ensure this, different steps has to be followed depending on whether the customer has a certificate issued by a trusted Certificate Authority (CA), trusted by the Domain Controller, or wants to use a self-signed certificate.

The procedure is detailed in How to install and use a certificate on Imagicle Application Suite server to use HTTPS protocol

3. Import certificate(s) into CUCM

In order to let CUCM trust the HTTPS connection, the certificate configured on IAS web server must be imported into all CUCM nodes.

Note: for HA installations, you must repeat the following procedure for each IAS cluster node.

a. Export the Certificate used by Application Suite web server

In "Server Certificates" section of "Internet Information Services (IIS) Manager", double click on the certificate used by the binding on port 443 (see previous paragraph). Click on "Details" tab and then click on "Copy to File.." button.

The Certificate Export Wizard will start, click Next. Choose "No, do not export private key".

Choose to export certificate in "DER encoded binary X.509 (CER)" format.

Then complete the wizard, it will save a .cer file.

b. Load certificate(s) to CUCM

The certificates must be loaded on all CUCM nodes. Since CUCM 8.5, they're expected to be automatically replicated among cluster nodes.

Login into "Cisco Unified OS Administration", and go to "Security", "Certificate Management".

Then click on "Upload Certificate/Certificate chain"

In the upload form, choose "CallManager-trust" as Certificate purpose, then select the .cer file and upload it.

Go to "Certificate Management" of each CUCM node to check that certificate has been properly replicated.

Troubleshooting: check certificates trust chain 

In order to let CUCM trust the HTTPS connection established with IAS web server, CUCM must also know all the certificates in IAS certificate's certification path.

In "Server Certificates" section of "Internet Information Services (IIS) Manager", double click on the certificate used by the binding on port 443.
Click on "Certification Path" tab: CUCM must be able to verify every certificate displayed in this panel. So, in CUCM, go to "Certificate Management" and check that appropriate entries exist with "CallManager-trust" as Certificate purpose.
If not, select the missing certificate in the "Certification path" panel, export and upload it to CUCM as explained in step 3b.

Article ID: 512
Last updated: 19 Feb, 2018
Revision: 25
Views: 449
Print Export to PDF Subscribe Share
This article was:  
Prev   Next
Un-associate Jabber devices from CURRI using stonelock while...     Configure Cisco XML Service in HTTPS