Field Notice: FN - 72120 - CUCM, SME, and IM&P: QuoVadis Root CA 2 Decommission Might Affect Incoming Calls to Cisco Jabber/WebEx (Android and iOS) - Workaround Provided
Available Languages
Notice
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
2.0 |
24-Feb-22 |
Updated the Problem Description, Background, Problem Symptom, and Workaround/Solution Sections |
1.0 |
29-Oct-21 |
Initial Release |
Products Affected
| Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
|---|---|---|---|---|
NON-IOS |
Unified Communications Manager / Cisco Unity Connection Updates |
UCM |
11.5(1), 11.5(1)SU1, 11.5(1)SU10, 11.5(1)SU2, 11.5(1)SU3, 11.5(1)SU3a, 11.5(1)SU3b, 11.5(1)SU4, 11.5(1)SU5, 11.5(1)SU6, 11.5(1)SU7, 11.5(1)SU8, 11.5(1)SU9, 11.5(2), 12.0(1), 12.0(2), 12.5(1) |
|
NON-IOS |
Unified Communications Manager Updates |
UCM |
12.0(1)SU1, 12.0(1)SU2, 12.0(1)SU3, 12.0(1)SU4, 12.0(1)SU5, 12.5(1), 12.5(1)SU1, 12.5(1)SU2, 12.5(1)SU3, 12.5(1)SU4, 12.5(1)SU5, 14(1) Beta |
|
NON-IOS |
Unified Communications Manager Updates |
14 |
14, 14SU1 |
|
NON-IOS |
Unified Presence Server (CUP) Updates |
11.5(1) |
11.5(1), 11.5(1)SU1, 11.5(1)SU10, 11.5(1)SU2, 11.5(1)SU3, 11.5(1)SU3a, 11.5(1)SU4, 11.5(1)SU5, 11.5(1)SU5a, 11.5(1)SU6, 11.5(1)SU7, 11.5(1)SU8, 11.5(1)SU9 |
|
NON-IOS |
Unified Presence Server (CUP) Updates |
12.5(1) |
12.5(1), 12.5(1)SU1, 12.5(1)SU2, 12.5(1)SU3, 12.5(1)SU4, 12.5(1)SU5 |
Includes Cisco Unified Communications IM & Presence Release 12.0 |
NON-IOS |
Unified Presence Server (CUP) Updates |
14 |
14, 14SU1 |
Defect Information
| Defect ID | Headline |
|---|---|
| CSCwa88279 | Incoming Calls to Cisco Jabber and WebEx (Android and iOS) Will Fail while in background mode |
Problem Description
For affected versions of Cisco Unified Communications Manager (CUCM), Cisco Session Management Edition (SME), and Cisco Unified Communications Manager IM & Presence (IM&P), some Secure Sockets Layer (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before March 31, 2021 cannot be renewed from this CA. Once those certificates expire on devices or are removed from the Cisco cloud servers, functions such as Push Notification will fail to establish secure connections to Cisco and might not operate properly.
Background
The QuoVadis Root CA 2 Public Key Infrastructure (PKI) used by CUCM, SME, and IM&P software to issue SSL certificates is subject to an industry-wide issue that affects revocation abilities. Due to this issue, no new QuoVadis Root CA 2 certificates will be issued or renewed by Cisco after March 31, 2021. This affects certificate renewals on devices, Cisco cloud servers, and third-party services.
Certificates issued before the QuoVadis Root CA 2 was decommissioned will continue to be valid. However, the certificates on the Cisco cloud server have been updated to IdenTrust. This might cause functions such as Push Notification to fail to establish secure connections to Cisco cloud servers.
This table shows a summary of the QuoVadis Root CA 2 certificate change dates for affected Cisco services.
| Cisco Cloud Server | QuoVadis Certificate Expiration Date | Affected Services |
|---|---|---|
| tools.cisco.com | November 7, 2021 |
Tomcat |
Problem Symptom
Expiration of the QuoVadis Root CA 2 certificates affects Push Notifications with the associated symptoms.
- For CUCM, SME, and IM&P versions 14, 12.5 (SU5 and earlier), or 11.5 (SU10 and earlier) and have Cisco Jabber (Android or Apple iOS) or WebEx (Android or Apple iOS); customers will not receive incoming calls or message notifications once the client moves to background mode due to unsuccessful Push Notifications.
- For CUCM, SME, and IM&P versions 14, 12.5 (SU5 and earlier), or 11.5 (SU10 and earlier); customers will not be able to enable the Push Notification service and will receive this error message:
"Push Notification/Activation Code Onboarding Settings cannot be configured as a valid certificate is not present in trust store. Either upload the certificates manually or check the check box to have Cisco manage the Cisco Cloud Service CA Certificates. For HTTPS proxy make sure the valid certificates are present for tomcat and tomcat trust store."
Workaround/Solution
Cisco has migrated from the QuoVadis Root CA 2 to the IdenTrust Commercial Root CA 1 for SSL certificates. Cisco recommends to add the new IdenTrust Commercial Root CA 1 certificate to CUCM, SME, or IM&P.
Manual Certificate Update
- Copy and paste this IdenTrust Commercial Root CA 1 Certificate into a text file on your computer. Do not include
“-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----“.-----BEGIN CERTIFICATE----- MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT 3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU +ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1 bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB /zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH 6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93 nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3 +wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG 4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A 7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H -----END CERTIFICATE-----
- Update the certificate based on the product version information in this table.
Push Notification Cloud Onboarding Status CUCM, SME, or IM&P Release Certificate Managed By * Recommended Action Must Be Performed Prior to November 7, 2021 Customers who have already onboarded Push Notifications via the cloud. Release 14, 12.5 (SU5 and earlier), 11.5 (SU10 and earlier)
Cisco Note: Service restarts must be performed in the exact order as specified.
The IdenTrust certificate will be automatically copied to the tomcat-trust store.
Verify the IdenTrust certificate is available in the CUCM tomcat- trust. Choose Cisco Unified OS Administration > Security > Certificate Management and search for tomcat-trust certificates:
1. On CUCM, restart tomcat on the Publisher node.
2. On CUCM, restart "Cisco Push Notification Service" on all nodes that have the service activated.
3. On IM&P, restart “Cisco XCP Router” service on all the nodes.
4. On IM&P, restart “Cisco XCP Config Manager” service on all the nodes.
Customer Note: Service restarts must be performed in the exact order as specified.
1. Manually upload the IdenTrust Commercial Root CA 1 certificate to the tomcat-trust store.
2. On CUCM, restart tomcat on the Publisher node.
3. On CUCM, restart "Cisco Push Notification Service" on all nodes that have the service activated.
4. On IM&P, restart “Cisco XCP Router” service on all the nodes.
5. On IM&P, restart “Cisco XCP Config Manager” service on all the nodes.
Customers who perform Push Notification onboarding via the cloud for the first time. Release 14,12.5 (SU5 and earlier), 11.5 (SU10 and earlier) Cisco
Manually upload the IdenTrust Commercial Root CA 1 certificate to the tomcat-trust store.
Follow the standard procedure found in the Push Notification Deployment Guide.
Customer
Customers who perform Push Notification onboarding via the cloud for the first time. Release 14 SU1 Cisco Follow the standard procedure found in the Push Notification Deployment Guide.
Customer * In order to verify whether you have opted for Cisco to manage the certificate or for the customer to manage the certificate, log in to Cisco Unified CM Administration UI > Advanced Features > Cisco Cloud Onboarding. In the Cluster Cloud Onboarding Settings section, check the I want Cisco to manage the Cisco Cloud Service CA certifications required for this trust check box.
Note: Multiple CUCM and IM&P services must be restarted for the changes to take effect. It is recommended to perform this during a maintenance window as a restart of these services will impact call services.
For more information on Push Notification Cloud Onboarding, see the Push Notification Deployment Guide.
For the steps to upload a new certificate, see Upload Certificate.
Note: Existing certificates issued from the HydrantID SSL ICA G3 do not need replacement. They are normal certificates issued from the current SSL certificate service and can be used until expiration.
Additional Information
After the certificate is updated, it is recommended to ensure the IdenTrust certificates are reflected properly in the tomcat-trust store.
For More Information
Cisco has created a web page to provide customers and partners with additional information on this issue. Consult the QuoVadis Root CA 2 Decommission page for a full list of products affected, associated Field Notices, and frequently asked questions.
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)
This Document Applies to These Products
- Unified Communications Manager IM and Presence Service Version 11.5
- Unified Communications Manager IM and Presence Service Version 12.5
- Unified Communications Manager IM and Presence Service Version 14
- Unified Communications Manager Session Management Edition
- Unified Communications Manager Version 11.5
- Unified Communications Manager Version 12.5
- Unified Communications Manager Version 14
Unleash the Power of TAC's Virtual Assistance