CUCM – Secure LDAP

Cisco Unified Communications Manager – Secure LDAP

Expanding a little bit on our previous post CUCM LDAP Active Directory Integration-Sync and considering Microsoft advisory ADV190023 which makes Secure LDAP (LDAPS) mandatory, we will discuss the additional steps to configure Secure LDAP over port 636.

Upload the Active Directory (AD) certificate.

If you do not have the certificate, you can either obtain it form the AD server directly or using open-ssl with the command openssl s_client -showcerts -connect <host>:636.
Once the certificate is ready, go to Cisco Unified OS Administration > Security > Certificate Management and click on Upload Certificate.

Select tomcast-trust and the correct certificate and click Upload.

Once the upload is completed, from the CLI restart the Tomcat service with the command utils service restart Cisco Tomcat.

Configure/Update LDAP Authentication and LDAP Directory to use SSL.

Update the Host Name for Sever (the name MUST match the CN field of the certificate).
Set the LDAP Port to 636.
Check the Use TLS box.
Same steps for LDAP Directory if it is being used.

NOTE: If there will be more than one LDAP server configured the certificate will have to be discovered and noted for all of them.

You may also like...

2 Responses

  1. Richard K says:

    Are we able to issue our own SSL Certificates, like using OpenSSL, for Cisco Collab products?
    We’re using them of course for CUCM, because they allow wildcard certs, but for UCCX and Finesse? As well as Cisco CER?
    Could I generate my certificates in our OpenSSL server, like we do for many other devices (non-cisco, etc)…

  2. Jay says:

    I already have a tomcat trust by the very nature of having a CUCM and active Directory relationship. Do i need to upload another server certificate specifically for the LDAPS up grade?

Leave a Reply

Your email address will not be published. Required fields are marked *