I don't remember if CM requires the engine to restart or not. I don't think it did, but it's been a while since I've had to do this process.
Did you load new certs into CM (server certs)? If not, that might be the next step, in case the TLS is being rejected by the Session Managers. (You can find out if the Session Managers are rejecting the certs by SSHing into the Session Manager, and using the traceSM tool. When you start a trace, there will be a "TLS Handshaking" option, and it should say if things are being rejected on its side or not.)
Loading the new certs -- do a Certificate Signing Request in CM, take that CSR file and go into System Manager to have it "sign" the cert. View this video for some step-by-step on how to do that part:
https://youtu.be/PweEPzNTkvE?t=218 (end at 6:45 -- the rest is SBC specific). From there, you take the signed certificate, and load it into CM as a server certificate. (BTW -- when you do this step, if you have TLS going on with any other devices, they may start to fail if you don't have the System Manager Root CA loaded into them)
Good luck! Certs and Security are a real pain, esp. if you aren't already an expert on them.
Little plug -- I am putting on a Webinar on Certs and Security in a few weeks. I'll be covering why some of this stuff works the way it does.
https://www.iaug.org/learn/event-description?CalendarEventKey=c7654338-b7d5-459a-8bb8-e85ddac5d4e6&Home=%2flearn%2flivewebinars
------------------------------
Nick Kwiatkowski
Director of Design and Engineering
Michigan State University
------------------------------
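The trust relationship described in this reply, as an added example that is not part of the original message: a server certificate is accepted only by a peer that has the signing root loaded as trusted. The `openssl` CLI stands in here for the CSR step in CM and the signing step in System Manager, and every file name and CN is a constructed lab value.

```shell
#!/usr/bin/env bash
# Added example. openssl stands in for the CSR step in CM and the signing step
# in System Manager; all names and files here are constructed lab values.
WORK=$(mktemp -d)

# Create a throwaway self-signed root CA (2048-bit RSA, SHA-256).
make_root() {   # $1 = file prefix, $2 = CN
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 30 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Generate a key and CSR for the server, then have the given root sign it.
issue_server_cert() {   # $1 = root prefix, $2 = server prefix, $3 = CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -sha256 -days 30 -set_serial 1 \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.pem" 2>/dev/null
}

# What a TLS peer does with its trust store: accept the presented certificate
# only if it chains to a root the peer has loaded.
chain_check() {   # $1 = trusted root PEM, $2 = server cert PEM
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

make_root new-root "Constructed new root CA"
make_root old-root "Constructed old root CA"
issue_server_cert new-root cm "cm.example.test"

echo "peer with new root loaded: $(chain_check "$WORK/new-root.pem" "$WORK/cm.pem")"
echo "peer with only old root:   $(chain_check "$WORK/old-root.pem" "$WORK/cm.pem")"
```

The second result is the failure mode the reply warns about: a device still holding only the old root rejects a certificate signed by the new one.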
Original Message:
Sent: 02-06-2020 08:20 AM
From: Todd Stone
Subject: CM Cert Issue
I have the root CA installed on CM now in the trusted certs in all repositories. Will I need to run the initTM -f again to get the signal groups back in service? I really appreciate your help bud.
Thank you,
------------------------------
Todd Stone
Telecommunications Administrator
St Johns County Schools
Original Message:
Sent: 02-06-2020 07:50 AM
From: Nick Kwiatkowski
Subject: CM Cert Issue
Did you import the new "root" certificate from SMGR into CM? You can grab the root, or CA cert from SMGR's "Public Web" area within the Security Authority section. Take the "PEM" file, and upload it as a trusted cert in CM, and make sure it's trusted by all modules.
You will want to make sure you install that root cert in ALL devices before you start deploying the new CA. That is how devices know to trust SMGR, and all the devices that it generates a cert for.
------------------------------
Nick Kwiatkowski
Director of Design and Engineering
Michigan State University
Original Message:
Sent: 02-06-2020 07:39 AM
From: Todd Stone
Subject: CM Cert Issue
Good Morning,
I need help in configuring a certificate for CM. I just deployed SM and ASM 8 and ran the initTM -f to pull the new CA from ASM which is showing to be 2048 key and SHA2. However, once I did this my SIP TLS signal group between CM and SM is down.
I know it has to be a cert issue but I have no idea how to resolve it. I am hoping there is someone on here that is an expert when it comes to this stuff. I have never dealt with certificates.
Thank you so much
------------------------------
Todd Stone
Telecommunications Administrator
St Johns County Schools
------------------------------