
Uploading Third-Party Gadget Certificate to Finesse (UCCX)

Question asked by kpickard@upstreamworks.com on Jun 26, 2014
Latest reply on Jun 26, 2014 by dlender

Hello. We serve our Finesse gadgets off of a Windows IIS box. We generate self-signed certificates for these boxes to load into Finesse (via Cisco Unified OS Administration/Security/Certificate Management). As per the docs we select tomcat-trust as the Certificate Name. With the UCCE version of Finesse this works fine and the certificate uploads fine and https works perfectly. When we try to do this with the UCCX version of Finesse the upload fails with the following message.

 

The requested command [sudo /usr/local/platform/bin/CertMgmt.py decode op:import type:trust-certs unit:tomcat-trust src-cert:%2Fusr%2Flocal%2Fplatform%2Fupload%2Fcerts%2FUWF.UPSTREAMWORKS.root.pem cert-dir:%2Fusr%2Flocal%2Fplatform%2F.security%2Ftomcat%2Ftrust-certs key-dir:%2Fusr%2Flocal%2Fplatform%2F.security%2Ftomcat%2Fkeys rootCA-cert:Dummy+Root+cert trust-dir:%2Fusr%2Flocal%2Fplatform%2F.security%2Ftomcat%2Ftrust-certs logfile:%2Fvar%2Flog%2Factive%2Fplatform%2Flog%2Fcert-mgmt.log resultfile:%2Fvar%2Flog%2Factive%2Fplatform%2Flog%2Fcertde-info.xml description:Signed+Certificate] could not be executed.

 

There are a few interesting things in all this.

 

1. The logfile: parameter shown in the error message does not match the log filenames seen via the CLI. The error message shows .../cert-mgmt.log but looking via the CLI we see a log file of the form certm.log and others of the form certMgmtnnnnn.log (e.g. certMgmt00040.log).

 

2. We know the command is executing because the resultfile: certde-info.xml is being updated (timestamp changes). The following is what is written to this file.

 

<?xml version="1.0" encoding="UTF-8"?>

<CertMgr>

<result>error</result>

<description>The file /usr/local/platform/.security/tomcat/trust-certs/_.UPSTREAMWORKS.com.pem is not found.</description>

</CertMgr>

 

3. Looking at the certMgmt00040.log file we see the following Java exception. You can see it processing the command correctly and reading all the certificate information correctly. It looks like it uploads all properly and then when it tries to verify the CN it suddenly thinks the uploaded cert file is a directory instead of a file! I have removed IPs and hostnames :-) .

 

2014-06-26 09:19:59,538 INFO [main] - log4j configuration successful.

2014-06-26 09:19:59,653 INFO [main] - IN -- CertMgr.java - mainInternal(args) -

2014-06-26 09:19:59,654 INFO [main] - decode

2014-06-26 09:19:59,655 INFO [main] - op:import

2014-06-26 09:19:59,655 INFO [main] - type:trust-certs

2014-06-26 09:19:59,655 INFO [main] - unit:tomcat-trust

2014-06-26 09:19:59,655 INFO [main] - src-cert:%2Fusr%2Flocal%2Fplatform%2Fupload%2Fcerts%2FUWF.UPSTREAMWORKS.root.pem

2014-06-26 09:19:59,655 INFO [main] - cert-dir:%2Fusr%2Flocal%2Fplatform%2F.security%2Ftomcat%2Ftrust-certs

2014-06-26 09:19:59,655 INFO [main] - key-dir:%2Fusr%2Flocal%2Fplatform%2F.security%2Ftomcat%2Fkeys

2014-06-26 09:19:59,655 INFO [main] - rootCA-cert:Dummy+Root+cert

2014-06-26 09:19:59,655 INFO [main] - trust-dir:%2Fusr%2Flocal%2Fplatform%2F.security%2Ftomcat%2Ftrust-certs

2014-06-26 09:19:59,655 INFO [main] - logfile:%2Fvar%2Flog%2Factive%2Fplatform%2Flog%2Fcert-mgmt.log

2014-06-26 09:19:59,658 INFO [main] - resultfile:%2Fvar%2Flog%2Factive%2Fplatform%2Flog%2Fcertde-info.xml

2014-06-26 09:19:59,658 INFO [main] - description:Signed+Certificate

2014-06-26 09:19:59,687 INFO [main] - Parsed information

2014-06-26 09:19:59,687 INFO [main] - OrgName: Upstream Works Software Ltd.

2014-06-26 09:19:59,687 INFO [main] - OrgUnit: 8000 Jane Street, Tower A, Suite 401

2014-06-26 09:19:59,687 INFO [main] - Location: Vaughan

2014-06-26 09:19:59,687 INFO [main] - Country: CA

2014-06-26 09:19:59,687 INFO [main] - State: ON

2014-06-26 09:19:59,687 INFO [main] - Hostname: <removed>

2014-06-26 09:19:59,687 INFO [main] - AlternateHostname: null

2014-06-26 09:19:59,687 INFO [main] - Domain Name: ps.upstreamworks.com

2014-06-26 09:19:59,687 INFO [main] - IPAddress: <removed>

2014-06-26 09:19:59,688 INFO [main] - In parseXML()

2014-06-26 09:19:59,688 INFO [main] - CN: <removed>.ps.upstreamworks.com

2014-06-26 09:19:59,689 INFO [main] - Temp before mod is

2014-06-26 09:19:59,689 INFO [main] - Temp afer mod is 8000 Jane Street

2014-06-26 09:19:59,689 INFO [main] - Temp in else is 8000 Jane Street

2014-06-26 09:19:59,689 INFO [main] - Temp before mod is

2014-06-26 09:19:59,689 INFO [main] - Temp afer mod is Tower A

2014-06-26 09:19:59,689 INFO [main] - Temp in else is Tower A

2014-06-26 09:19:59,689 INFO [main] - Temp before mod is

2014-06-26 09:19:59,689 INFO [main] - Temp afer mod is Suite 401

2014-06-26 09:19:59,689 INFO [main] - Temp in else is Suite 401

2014-06-26 09:19:59,690 INFO [main] - Temp before mod is

2014-06-26 09:19:59,690 INFO [main] - Temp afer mod is 8000 Jane Street

2014-06-26 09:19:59,690 INFO [main] - Temp in else is 8000 Jane Street

2014-06-26 09:19:59,690 INFO [main] - Temp before mod is

2014-06-26 09:19:59,690 INFO [main] - Temp afer mod is Tower A

2014-06-26 09:19:59,690 INFO [main] - Temp in else is Tower A

2014-06-26 09:19:59,690 INFO [main] - Temp before mod is

2014-06-26 09:19:59,690 INFO [main] - Temp afer mod is Suite 401

2014-06-26 09:19:59,690 INFO [main] - Temp in else is Suite 401

2014-06-26 09:19:59,690 INFO [main] - OuFields are 8000 Jane Street

2014-06-26 09:19:59,690 DEBUG [main] - Field after encoding: 8000 Jane Street

2014-06-26 09:19:59,690 INFO [main] - OuFields are Tower A

2014-06-26 09:19:59,690 DEBUG [main] - Field after encoding: Tower A

2014-06-26 09:19:59,690 INFO [main] - OuFields are Suite 401

2014-06-26 09:19:59,691 DEBUG [main] - Field after encoding: Suite 401

2014-06-26 09:19:59,691 DEBUG [main] - Field after encoding: Upstream Works Software Ltd.

2014-06-26 09:19:59,691 DEBUG [main] - Field after encoding: Vaughan

2014-06-26 09:19:59,691 DEBUG [main] - Field after encoding: ON

2014-06-26 09:19:59,691 DEBUG [main] - Field after encoding: CA

2014-06-26 09:19:59,694 INFO [main] - OU field is :8000 Jane Street

2014-06-26 09:19:59,694 INFO [main] - OU field is :Tower A

2014-06-26 09:19:59,694 INFO [main] - OU field is :Suite 401

2014-06-26 09:19:59,694 INFO [main] - SubjectDN :: CN=<removed>.ps.upstreamworks.com,OU=8000 Jane Street,OU=Tower A,OU=Suite 401,O=Upstream Works Software Ltd.,L=Vaughan,ST=ON,C=CA

2014-06-26 09:19:59,694 INFO [main] - IN -- CertMgr.java - getCertMgrObj(unit) - tomcat-trust

2014-06-26 09:19:59,705 INFO [main] - OUT -- CertMgr.java - getCertMgrObj - com.cisco.cpi.certMgmt.manager.TomcatCertMgr@1a52fdf

2014-06-26 09:19:59,705 INFO [main] - Dummy loadProperties

2014-06-26 09:19:59,705 INFO [main] - IN -- CertMgr.java - doOp(info) -

2014-06-26 09:19:59,705 INFO [main] - IN -- DefaultCertMgr.java - importCert(info) -

decode:     true

op:         import

unit:       tomcat-trust

keystoreUnit:tomcat-trust

logFile:    /var/log/active/platform/log/cert-mgmt.log

resultFile: /var/log/active/platform/log/certde-info.xml

keyDir:     /usr/local/platform/.security/tomcat/keys

certDir:    /usr/local/platform/.security/tomcat/trust-certs

srcCert:    /usr/local/platform/upload/certs/UWF.UPSTREAMWORKS.root.pem

type:       trust-certs

rootCACert: Dummy Root cert

trustDir:   /usr/local/platform/.security/tomcat/trust-certs

DNAME:      CN=<removed>.ps.upstreamworks.com,OU=8000 Jane Street,OU=Tower A,OU=Suite 401,O=Upstream Works Software Ltd.,L=Vaughan,ST=ON,C=CA

description:Signed Certificate

isDBInsert:true

 

2014-06-26 09:19:59,705 INFO [main] - IN -- DefaultCertMgr.java - loadInputCert(info) -

2014-06-26 09:20:00,206 DEBUG [main] - Loading RSA providers explicitly...

2014-06-26 09:20:02,062 DEBUG [main] - RSA providers are loaded explicitly...

2014-06-26 09:20:02,062 DEBUG [main] - New security.provider.1=JsafeJCE

2014-06-26 09:20:02,062 DEBUG [main] - New security.provider.2=RsaJsse

2014-06-26 09:20:02,062 DEBUG [main] - New security.provider.3=BC

2014-06-26 09:20:02,062 DEBUG [main] - New security.provider.4=SUN

2014-06-26 09:20:02,062 DEBUG [main] - New security.provider.5=SunRsaSign

2014-06-26 09:20:02,062 DEBUG [main] - New security.provider.6=SunJSSE

2014-06-26 09:20:02,062 DEBUG [main] - New security.provider.7=SunJCE

2014-06-26 09:20:02,062 DEBUG [main] - New security.provider.8=SunJGSS

2014-06-26 09:20:02,062 DEBUG [main] - New security.provider.9=SunSASL

2014-06-26 09:20:02,062 DEBUG [main] - New security.provider.10=XMLDSig

2014-06-26 09:20:02,062 DEBUG [main] - New security.provider.11=SunPCSC

2014-06-26 09:20:02,062 INFO [main] - IN -- RSACryptoEngine.java - loadCertificates(..) -

2014-06-26 09:20:02,062 INFO [main] - IN -- RSACryptoEngine.java - loadCertificate(..) -

2014-06-26 09:20:02,417 INFO [main] - OUT -- RSACryptoEngine.java - loadCertificate -

2014-06-26 09:20:02,417 INFO [main] - OUT -- RSACryptoEngine.java - loadCertificates -

2014-06-26 09:20:02,417 INFO [main] - OUT -- DefaultCertMgr.java - loadInputCert - Successfully loaded input cert

2014-06-26 09:20:02,417 DEBUG [main] - Checking validity of cert

2014-06-26 09:20:02,418 INFO [main] - Verifying certificate CN=*.UPSTREAMWORKS.com,O=UPSTREAMWORKS.com

2014-06-26 09:20:02,418 INFO [main] - IN -- CertUtil.java - parseCNfromDN(DN, sSearchStr) -

2014-06-26 09:20:02,418 DEBUG [main] - parseCNfromDN( certSubjDN: 'CN=*.UPSTREAMWORKS.com,O=UPSTREAMWORKS.com')

2014-06-26 09:20:02,418 DEBUG [main] - Truncating CN '*.UPSTREAMWORKS.com,O=UPSTREAMWORKS.com' -> '*.UPSTREAMWORKS.com'

2014-06-26 09:20:02,418 INFO [main] - OUT -- CertUtil.java - parseCNfromDN -

2014-06-26 09:20:02,418 DEBUG [main] - Parsed CN '*.UPSTREAMWORKS.com' from DN 'CN=*.UPSTREAMWORKS.com,O=UPSTREAMWORKS.com'

2014-06-26 09:20:02,419 INFO [main] - trying to load cert from trust store ::/usr/local/platform/.security/tomcat/trust-certs/_.UPSTREAMWORKS.com.pem

2014-06-26 09:20:02,419 INFO [main] - certificate exists in the trust store, checking for subjectCN

2014-06-26 09:20:02,419 ERROR [main] - /usr/local/platform/.security/tomcat/trust-certs/_.UPSTREAMWORKS.com.pem (Is a directory)

java.io.FileNotFoundException: /usr/local/platform/.security/tomcat/trust-certs/_.UPSTREAMWORKS.com.pem (Is a directory)

        at java.io.FileInputStream.open(Native Method)

        at java.io.FileInputStream.<init>(FileInputStream.java:120)

        at com.cisco.cpi.certMgmt.manager.DefaultCertMgr.loadCertFromFile(DefaultCertMgr.java:2250)

        at com.cisco.cpi.certMgmt.manager.DefaultCertMgr.getCertsToImport(DefaultCertMgr.java:2395)

        at com.cisco.cpi.certMgmt.manager.DefaultCertMgr.importTrustCerts(DefaultCertMgr.java:426)

        at com.cisco.cpi.certMgmt.manager.DefaultCertMgr.importCert(DefaultCertMgr.java:322)

        at com.cisco.cpi.certMgmt.CertMgr.doOp(CertMgr.java:225)

        at com.cisco.cpi.certMgmt.CertMgr.mainInternal(CertMgr.java:192)

        at com.cisco.cpi.certMgmt.CertMgr.main(CertMgr.java:206)

2014-06-26 09:20:02,421 ERROR [main] - The file /usr/local/platform/.security/tomcat/trust-certs/_.UPSTREAMWORKS.com.pem is not found.

com.cisco.cpi.certMgmt.CertMgrException: The file /usr/local/platform/.security/tomcat/trust-certs/_.UPSTREAMWORKS.com.pem is not found.

        at com.cisco.cpi.certMgmt.manager.DefaultCertMgr.loadCertFromFile(DefaultCertMgr.java:2254)

        at com.cisco.cpi.certMgmt.manager.DefaultCertMgr.getCertsToImport(DefaultCertMgr.java:2395)

        at com.cisco.cpi.certMgmt.manager.DefaultCertMgr.importTrustCerts(DefaultCertMgr.java:426)

        at com.cisco.cpi.certMgmt.manager.DefaultCertMgr.importCert(DefaultCertMgr.java:322)

        at com.cisco.cpi.certMgmt.CertMgr.doOp(CertMgr.java:225)

        at com.cisco.cpi.certMgmt.CertMgr.mainInternal(CertMgr.java:192)

        at com.cisco.cpi.certMgmt.CertMgr.main(CertMgr.java:206)

2014-06-26 09:20:02,421 INFO [main] - IN -- CertMgr.java - logResult(result, desc, resultFile) -

2014-06-26 09:20:02,421 INFO [main] - CertMgmt Operation Result : The file /usr/local/platform/.security/tomcat/trust-certs/_.UPSTREAMWORKS.com.pem is not found.

2014-06-26 09:20:02,422 INFO [main] - OUT -- CertMgr.java - logResult -

2014-06-26 09:20:02,422 INFO [main] - OUT -- CertMgr.java - doOp -

2014-06-26 09:20:02,422 INFO [main] - OUT -- CertMgr.java - mainIntenal -
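
A triage sketch for the log above, added here as an example and not part of the original post or of any Cisco tooling: it URL-decodes the echoed arguments, extracts the certificate subject and the trust-store path the import tried to open, and flags the three things the post observes. The function name `triage`, the regexes and the finding strings are assumptions; the sample lines are copied from the post's excerpt.

```python
import posixpath
import re
from urllib.parse import unquote_plus

# Constructed sample: a few lines copied from the log excerpt in the post above.
SAMPLE_LOG = """\
2014-06-26 09:19:59,655 INFO [main] - src-cert:%2Fusr%2Flocal%2Fplatform%2Fupload%2Fcerts%2FUWF.UPSTREAMWORKS.root.pem
2014-06-26 09:19:59,655 INFO [main] - rootCA-cert:Dummy+Root+cert
2014-06-26 09:20:02,418 INFO [main] - Verifying certificate CN=*.UPSTREAMWORKS.com,O=UPSTREAMWORKS.com
2014-06-26 09:20:02,419 INFO [main] - trying to load cert from trust store ::/usr/local/platform/.security/tomcat/trust-certs/_.UPSTREAMWORKS.com.pem
2014-06-26 09:20:02,419 ERROR [main] - /usr/local/platform/.security/tomcat/trust-certs/_.UPSTREAMWORKS.com.pem (Is a directory)
java.io.FileNotFoundException: /usr/local/platform/.security/tomcat/trust-certs/_.UPSTREAMWORKS.com.pem (Is a directory)
        at java.io.FileInputStream.open(Native Method)
2014-06-26 09:20:02,421 ERROR [main] - The file /usr/local/platform/.security/tomcat/trust-certs/_.UPSTREAMWORKS.com.pem is not found.
"""

ENTRY = re.compile(r"^\S+ \S+ (INFO|DEBUG|ERROR) \[\w+\] - (.*)$")
ARG = re.compile(r"^([\w-]+):(\S+)$")          # echoed key:value argument, URL-encoded
SUBJECT = re.compile(r"^Verifying certificate (.+)$")
STORE = re.compile(r"trust store ::(\S+)$")


def triage(log_text):
    """Summarise one import attempt: decoded arguments, subject, store path, errors."""
    args, errors, findings = {}, [], []
    subject = store_path = None
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue                           # stack-trace frames and blank lines
        level, msg = entry.groups()
        if level == "ERROR":
            errors.append(msg)
        elif m := ARG.match(msg):
            args[m.group(1)] = unquote_plus(m.group(2))
        elif m := SUBJECT.match(msg):
            subject = m.group(1)
        elif m := STORE.search(msg):
            store_path = m.group(1)
    cn = re.search(r"CN=([^,]+)", subject or "")
    if cn and cn.group(1).startswith("*"):
        findings.append("subject CN is a wildcard: " + cn.group(1))
    src_name = posixpath.basename(args.get("src-cert", ""))
    if store_path and posixpath.basename(store_path) != src_name:
        findings.append("trust-store file name differs from uploaded file name")
    if any("(Is a directory)" in e for e in errors):
        findings.append("store path exists as a directory; 'not found' hides this")
    return {"args": args, "subject": subject, "store_path": store_path,
            "errors": errors, "findings": findings}
```

Calling `triage()` on the full text of a certMgmtnnnnn.log file returns the same dictionary; the `findings` list is the part to read first.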
