TLS Handshake Failure on the VCS Web Interface

Available Languages

Download Options

  • PDF     (275.0 KB)
    View with Adobe Reader on a variety of devices
Updated:August 9, 2013
Document ID:116416

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

The Cisco Video Communication Server (VCS) uses client certificates for the authentication and authorization process. This feature is extremely useful for some environments, because it allows an added layer of security and can be used for single sign on purposes. However, if incorrectly configured, it can lock administrators out of the VCS web interface.

The steps in this document are used to disable Client certificate-based security on the Cisco VCS.

Problem

If Client certificate-based security is enabled on a VCS, and is incorrectly configured, users might not be able to access the VCS web interface. Attempts to access the web interface are met with a Transport Layer Security (TLS) handshake failure.

This is the configuration change that triggers the issue:

Solution

Complete these steps in order to disable Client certificate-based security and return the system to a state where administrators are able to access the web interface of the VCS:

  1. Connect to the VCS as root via Secure Shell (SSH).
  2. Enter this command as root in order to hard-code Apache to never use Client certificate-based security:
    echo "SSLVerifyClient none" > /tandberg/persistent/etc/opt/apache2/ssl.d/removecba.conf

    Note: After this command is entered, the VCS cannot be reconfigured for Client certificate-based security until the removecba.conf file is deleted and the VCS is restarted.

  3. You must restart the VCS in order for this configuration change to take effect. When you are ready to restart the VCS, enter these commands:
    tshell
    xcommand restart

    Note: This restarts the VCS and drops all calls/registrations.

  4. Once the VCS reloads, Client certificate-based security is disabled. However, it is not disabled in a desirable way. Log in to the VCS with a read-write admin account. Navigate to System > System page on the VCS.



    On the system administration page of the VCS, ensure that Client certificate-based security is set to "Not required":



    Once this change is made, save the changes.
  5. Once complete, enter this command as root in SSH in order to reset Apache back to normal:
    rm /tandberg/persistent/etc/opt/apache2/ssl.d/removecba.conf

    Warning: If you skip this step, you can never re-enable Client certificate-based security.

  6. Restart the VCS one more time in order to verify that the procedure worked. Now that you have web access, you can restart the VCS from the web interface under Maintenance > Restart.

Congratulations! Your VCS now runs with Client cerificate-based security disabled.

Revision History

Revision Publish Date Comments
1.0
09-Aug-2013
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Vernon Depee
    Cisco TAC Engineer.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products