Certificates are a part of every UC install these days, even more so now with the introduction of Finesse and third-party gadgets. I recently had to install a certificate for the Calabrio AQM Server. Rather than have you dig through their guides, I’ve listed the commands you’ll need below. Have fun.
1. Create the certificate signing request.
"C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe" -keystore "C:\Program Files\Common Files\QM\config\.keystore" -storepass C@labr1o -certreq -alias jetty -file jetty.csr -ext san=dns:tg2aqm10.topgun2.uplinx
2. Install the CA Root or Chain Certificates.
"C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe" -keystore "C:\Program Files\Common Files\QM\config\.keystore" -storepass C@labr1o -importcert -trustcacerts -alias TG2PDC -file root-cer.cer
3. Install the signed certificate for the AQM Server.
"C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe" -keystore "C:\Program Files\Common Files\QM\config\.keystore" -storepass C@labr1o -importcert -alias jetty -file jetty.cer
UPDATE: To increase or specify the length of the key, use the attribute -keysize when generating a CSR.
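After step 3, the jetty entry should hold the CA-signed chain rather than the original self-signed certificate. The PowerShell check below is an added example, not part of the original post or the vendor's documentation; it reuses the paths, alias and host name from the commands above and assumes English keytool output labels.

```powershell
# Added example: verify the 'jetty' keystore entry after steps 1-3.
# Paths, alias and SAN host name are the ones used in the commands above.
$keytool  = 'C:\Program Files\Cisco\WFO_QM\Java\bin\keytool.exe'
$keystore = 'C:\Program Files\Common Files\QM\config\.keystore'
$alias    = 'jetty'
$san      = 'tg2aqm10.topgun2.uplinx'

# Prompt for the keystore password instead of keeping it in the script or history.
$secure = Read-Host -Prompt 'Keystore password' -AsSecureString
$pass   = [System.Net.NetworkCredential]::new('', $secure).Password

# keytool -list -v prints entry type, chain length, Owner/Issuer and extensions.
$lines = & $keytool -list -v -keystore $keystore -storepass $pass -alias $alias |
         ForEach-Object { "$_".Trim() }
if ($LASTEXITCODE -ne 0) { throw "keytool failed:`n$($lines -join "`n")" }

# Assumption: English output labels (keytool text is localized by the JRE).
function Get-Field([string]$label) {
    $hit = $lines | Where-Object { $_ -like "${label}:*" } | Select-Object -First 1
    if ($hit) { $hit.Substring($label.Length + 1).Trim() }
}

$entryType = Get-Field 'Entry type'
$chainLen  = [int](Get-Field 'Certificate chain length')
$owner     = Get-Field 'Owner'    # first match is Certificate[1], the server cert
$issuer    = Get-Field 'Issuer'
$hasSan    = [bool]($lines | Where-Object { $_ -eq "DNSName: $san" })

$checks = [ordered]@{
    'Entry is a private key entry'        = ($entryType -eq 'PrivateKeyEntry')
    'Chain includes the CA (length > 1)'  = ($chainLen -gt 1)
    'Leaf is CA-signed (Owner != Issuer)' = ($owner -and $owner -ne $issuer)
    "SAN contains $san"                   = $hasSan
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($checks.Values -contains $false) { exit 1 }
```

A chain length of 1 with Owner equal to Issuer means the signed reply from step 3 was not imported into the jetty alias and the server is still presenting its self-signed certificate.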
Working with spaces in usernames can be challenging. CUCM 10.5 supports spaces within usernames and, to go a little further, CUCM also supports the following characters in usernames: =, +, , #, ;, \, , “”. Cisco Jabber also supported the use of spaces in the username; however, the space must be removed when entering the CSF/BOT/TAB/TCT device name.
Contact Centre, on the other hand, does not support spaces; Cisco have an open Bug ID for this at the time of writing. This makes it a little hard when the UC system is heavily dependent on the integration with LDAP. Organisations will not simply change their username format for a single application (the phone system).
A workaround is to create local user accounts in CUCM and remove the blank space from the usernames. All other user parameters should reflect the comparable user account. Then allow this local user to control the device used with UCCX. This does create a little more overhead for the UC Administrator and some confusion for the UCCX Agent, who has to remember to log into Finesse with no space in their username and also has to remember a dedicated password for this login.
Error received when running the PostInstall.exe wizard.
Check to see if MS IIS is installed on the same server. If IIS is installed, it will also be listening on TCP port 443, which conflicts with the Jetty service for QM.
We need to change IIS to listen on a different port for HTTPS connections. IIS allows you to change the port binding for HTTP; however, IIS will only allow the HTTPS port binding to be changed once you have installed an SSL certificate.
The easiest way is to sign a certificate using an internal CA; if you don’t have one, you’ll need to purchase a certificate. Run the certificate request wizard on the IIS Server. Once you have completed the certificate signing with the CA and installed the DER file back into IIS, navigate back to the binding section and create a new binding for HTTPS, select the certificate you just installed and change the port to something other than 443.
Restart IIS, then restart the Monitoring and Recording Jetty Service. All should be good now.
Go back and complete the PostInstall.exe wizard.