
UCCE 12.5(2) Tomcat Upgrade Stopped users login to cceadmin Page

Miguel-V
Level 1

This is happening in our Lab environment, need to fix it so people can reskill and avoid it in Prod. 

After deploying UCCE 12.5(2) on new Windows Server 2016 VMs, a security scan found Apache Tomcat Version 9.0.62 to be vulnerable and suggested upgrading it to the latest version available, 9.0.81.

I found the ucce_b_125_security_guide pdf stating that, starting with version 12.5(1), Java and/or Tomcat can be individually upgraded following the steps described in the guide and using the utility UpgradeTomcatTool (Tomcat's case) https://software.cisco.com/download/home/284360381/type/284416107/release/12.5(1

After performing the upgrade, users can't log into the cceadmin url https://server_hds/cceadmin

They get an "Invalid username and/or Password" message. We tested the user's password through PowerShell and it's correct.

The debug tools for the browsers we've tried show:

Name: https://server_hds/cceadmin/css/logon.css?bust=20240501114604
Protocol: HTTP/2
Method: GET
Result: 200
Content type: text/css
Received: 6.63 KB
Time: 3.96 ms
Initiator: parsedElement (https://server_hds/cceadmin/j_security_check:40)

After that, there's the error message about "Invalid username and/or Password".

Catalina + logs attached.

Any suggestions as to where to look for the issue?

 

 

5 Replies

Hi, two questions: the link for the software you provided is for 12.5.1, not 12.5.2, are you sure you used the right one?
Also, have you seen this troubleshooting guide from the Cisco site? Different symptom than what you described, but thought the couple of steps they mentioned might still be of interest to you.
https://www.cisco.com/c/en/us/support/docs/contact-center/unified-contact-center-enterprise/216490-troublshoot-ucce-tomcat-upgrade-failure.html

Hello.

Thank you for replying.

About your 1st question, yes, we are using the right versions for the upgrade tool to match the running 12.5.2 version on the servers.

I wanted to share this also: yesterday, while troubleshooting, one of the people actually logged in to the cceadmin page, after several attempts and getting these messages: "The requested resource [/cceadmin/j_security_check] is not available. Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists."

Interestingly enough, this person is not in the Cisco_ICM OU and has more permissions and rights than the users affected. After seeing that, and finding out there are a couple of similar scenarios where updating to versions later than 9.0.81 resolved this issue, we plan on updating to a later Tomcat version. Good thing this is lab.

I will post our results.

Reading through the guide, I see a link to 

Again, thank you for taking the time to reply.

Thanks for posting your experience and please let us know how it goes to help out the next person in the scenario.

Miguel-V
Level 1

Upgraded to Tomcat 9.0.88 last night. Users can now log in to the cceadmin page and work, do their re-skilling.
Downside: the people who were able to log in yesterday can't log in anymore after the upgrade. They get the same "username or password invalid" message. We tested moving one user (AD admin user) to the Cisco_ICM OU where the application users are, to check if it had anything to do with the DN search scope, but no success. Found this link about enabling logging (authentication) to try to make sense of why the change: https://community.cisco.com/t5/collaboration-knowledge-base/webview-tracing-and-logs/ta-p/3124028. Will post an update. Thank you.

Last update... After upgrading to Tomcat 9.0.88, supervisors can log in to the cceadmin page, meaning they can do their work. They log in using their CN (Common Name); for example: JDoe. Now, System Administrators who could not log in can now, using their UPN; for example: jsmith@domain.com. We worked with Cisco debugging with log files. No RCA found, just changed the login format for the system administrators. Our authentication sources worked correctly all throughout the process.

Thank you.