Sync agent failed to start after uploading Tomcat certificate signed by RSASSA-PSS

My customer provided me with signed certificates for the CSRs I had generated on the CUCM and IMP.

After uploading them, the IMP sync agent suddenly stopped working. Both CUCM and IMP had accepted the certificates, and there were no error messages.

The Sync Agent logs were throwing "Bad certificate" errors, but they were not informative. The customer had many unused certificates, so neither I nor Cisco TAC was able to pinpoint the certificate that caused the sync agent to stop.

2022-11-09 15:19:34,280 INFO [AXL Runner for parent thread ID:1 (main)] axl.AXLClientLogger - Cookie header : ; ;
2022-11-09 15:19:34,280 INFO [AXL Runner for parent thread ID:1 (main)] axl.AXLClientLogger - Establishing a TLS connection
2022-11-09 15:19:34,280 INFO [AXL Runner for parent thread ID:1 (main)] axl.AXLClientLogger - Successfully established TLS Connection : sun.net.www.protocol.https.DelegateHttpsURLConnection:https://172.18.40.15:8443/axl/
2022-11-09 15:19:34,321 ERROR [AXL Runner for parent thread ID:1 (main)] ssl.SSLNullSession - getPeerCertificates - SSLPeerUnverifiedException: No peer certificate
2022-11-09 15:19:34,321 ERROR [AXL Runner for parent thread ID:1 (main)] axl.AXLClientLogger - IMPHostNameChecker::hostnameMatches() Not using certificates for peers : No peer certificate
2022-11-09 15:19:34,321 INFO [AXL Runner for parent thread ID:1 (main)] axl.AXLClientLogger - IMPHostNameChecker::verify() Host name mismatched :
2022-11-09 15:19:34,321 ERROR [AXL Runner for parent thread ID:1 (main)] axl.AXLClientLogger - IMPHostNameChecker::IMPHostNameChecker() : hostname verify error
2022-11-09 15:19:34,362 ERROR [AXL Runner for parent thread ID:1 (main)] axl.AXLClientLogger - sendSOAPRequest() :: Received SOAPException.
com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(HttpSOAPConnection.java:149)
at com.cisco.cup.axlclient.AXLClientBase.sendSOAPRequest(AXLClientBase.java:419)
at com.cisco.cup.axl.AxlClient$AxlRunner.run(AxlClient.java:666)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.post(HttpSOAPConnection.java:282)
at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(HttpSOAPConnection.java:145)
… 3 more
Caused by: javax.net.ssl.SSLHandshakeException: Bad server certificate: rsassaPss Signature not available

Finally, after hours of troubleshooting, we found the root cause of the issue: the algorithm used to sign the certificate.

I had uploaded the certificates to the UC servers assuming they were signed with the SHA256RSA algorithm, but they were not. So always verify your certificates before uploading them: the Signature Algorithm field of the certificate reads sha256WithRSAEncryption in the good case and RSASSA-PSS (rsassaPss, the name the sync agent log complains about) in the case that broke the sync agent.

The sync agent came up after my customer provided me with a certificate signed with the SHA256RSA algorithm.

Changes were made on the CA server so that it signs with sha256RSA instead of RSASSA-PSS (an existing certificate cannot be converted; it has to be reissued). My customer used the link below.

https://www.derekseaman.com/2021/03/disabling-the-rsassa-pss-algorithm-on-your-microsoft-ca.html
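As an added example (written for this post, not code from the original post, from Cisco, or from the linked article), here is the check I would now run on every certificate before uploading it: a small standard-library Python script that reads the signatureAlgorithm straight out of the certificate's DER, names it, and also confirms that the inner tbsCertificate.signature field agrees with the outer one as RFC 5280 requires. The sample certificates it builds are constructed skeletons for the demo (real outer layout, stub name, validity and key fields, dummy signature bytes), and the set of algorithms it treats as acceptable for upload is an assumption based on the outcome of this post, not a Cisco-published list. On a real box the equivalent one-liner is openssl x509 -in cert.pem -noout -text piped into grep for "Signature Algorithm", which prints rsassaPss for the certificate that broke the sync agent and sha256WithRSAEncryption for the reissued one.

```python
"""Read the signature algorithm of an X.509 certificate (DER or PEM) with only the Python standard
library.  Added illustration for this post, not Cisco tooling.  The outer signatureAlgorithm is
what the sync agent's Java TLS stack rejected ("rsassaPss Signature not available")."""
import base64
import re

SIG_OIDS = {"1.2.840.113549.1.1.10": "rsassaPss",           # signature-algorithm OIDs
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
# ASSUMPTION: the algorithm this post shows working; not a Cisco-published list.
ACCEPTABLE = {"sha256WithRSAEncryption"}

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]: (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(contents):                   # split a constructed element into (tag, contents) pairs
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = _tlv(contents, pos)
        out.append((tag, val))
    return out

def _oid(contents):                        # OID contents -> dotted form; byte 0 packs two arcs
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _alg_id(contents):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }.
    Returns (algorithm name, hash named inside RSASSA-PSS-params or None)."""
    kids = _children(contents)
    dotted = _oid(kids[0][1])
    name, pss_hash = SIG_OIDS.get(dotted, dotted), None
    if name == "rsassaPss":
        pss_hash = "sha1"                  # RFC 4055 default when [0] hashAlgorithm is absent
        for tag, val in (_children(kids[1][1]) if len(kids) > 1 else []):
            if tag == 0xA0:                # [0] hashAlgorithm AlgorithmIdentifier
                hoid = _oid(_children(_children(val)[0][1])[0][1])
                pss_hash = HASH_OIDS.get(hoid, hoid)
    return name, pss_hash

def to_der(cert):                          # accept DER bytes or PEM (str or bytes)
    cert = cert.encode() if isinstance(cert, str) else cert
    if b"-----BEGIN" in cert:
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    return cert

def signature_algorithm(cert):
    """Outer signatureAlgorithm, inner tbsCertificate.signature, and whether they agree
    (RFC 5280 requires it)."""
    _, body, _ = _tlv(to_der(cert), 0)                 # Certificate ::= SEQUENCE
    (_, tbs), (_, sig_alg), _ = _children(body)        # tbsCertificate, signatureAlgorithm, signatureValue
    outer, pss_hash = _alg_id(sig_alg)
    tbs_kids = _children(tbs)
    first = 1 if tbs_kids[0][0] == 0xA0 else 0         # skip [0] EXPLICIT version when present
    inner, _ = _alg_id(tbs_kids[first + 1][1])         # serialNumber comes first, then signature
    return {"outer": outer, "pss_hash": pss_hash, "inner": inner, "consistent": outer == inner}

def acceptable_for_upload(cert):           # True only for a consistent, ACCEPTABLE signature
    info = signature_algorithm(cert)
    return info["consistent"] and info["outer"] in ACCEPTABLE

# --- constructed sample certificates for the demo: real outer layout, stub inner fields ---
OID_BYTES = {                              # DER contents of the three OIDs the demo needs
    "rsassaPss": b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0a",
    "sha256WithRSAEncryption": b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b",
    "sha256": b"\x60\x86\x48\x01\x65\x03\x04\x02\x01",
}

def _der(tag, contents):                   # samples stay under 256 bytes: one length byte suffices
    n = len(contents)
    return bytes([tag, n] if n < 0x80 else [tag, 0x81, n]) + contents

def pss_params(hash_name="sha256"):        # RSASSA-PSS-params with only [0] hashAlgorithm set
    return _der(0x30, _der(0xA0, _der(0x30, _der(0x06, OID_BYTES[hash_name]))))

def fake_cert(sig_name, params=b""):
    """Skeleton Certificate: v3, serial 1, empty issuer/validity/subject/SPKI, dummy signature."""
    alg_id = _der(0x30, _der(0x06, OID_BYTES[sig_name]) + params)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg_id + _der(0x30, b"") * 4)
    return _der(0x30, tbs + alg_id + _der(0x03, b"\x00" + b"\xab" * 32))

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

if __name__ == "__main__":
    for label, cert in (("PSS-signed", fake_cert("rsassaPss", pss_params())),
                        ("sha256RSA", to_pem(fake_cert("sha256WithRSAEncryption", b"\x05\x00")))):
        print(label, signature_algorithm(cert), "upload ok:", acceptable_for_upload(cert))
```

Two things worth noticing when you run it against a real certificate: the subjectPublicKeyInfo of a PSS-signed certificate still says rsaEncryption, so looking at the key type tells you nothing, and the hash is buried inside the RSASSA-PSS-params rather than in the algorithm name, which is why "RSA, SHA-256" can be true of both the certificate that worked and the one that did not.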
