Cisco Cisco Expressway Release Notes
Open and Resolved Issues
Unified Communications Cisco Expressway Series Software Release Notes (X8.5.3)
Page 9 of 23
Changed functionality
n
When changing an administrator account password, the logged in administrator is now required to authorize
the change by entering their own password.
the change by entering their own password.
n
The IP and Ethernet configuration pages have a new menu location. Previously these were
System
> IP
and
System > Ethernet
. These pages are now
System > Network interfaces > IP
and
System
> Network interfaces > Ethernet
.
n
The Expressway-C now defaults to SHA-256 for signing SSO requests it gives to clients, and you can
change it to use SHA-1 if required. In version X8.5, when the SSO feature was previewed, the
Expressway-C defaulted to SHA-1 and there was no way to select a different algorithm.
change it to use SHA-1 if required. In version X8.5, when the SSO feature was previewed, the
Expressway-C defaulted to SHA-1 and there was no way to select a different algorithm.
Note: If you were using the SSO feature with X8.5, this change may cause it to stop working after upgrade
to X8.5.1. You have two options to resolve this: leave the new default on the Expressway-C, and you may
need to reconfigure the IdP to expect requests to be signed with SHA-256 (recommended for better
security); the other option is to revert the Expressway-C's signing algorithm to SHA-1 for your IdP (go to
to X8.5.1. You have two options to resolve this: leave the new default on the Expressway-C, and you may
need to reconfigure the IdP to expect requests to be signed with SHA-256 (recommended for better
security); the other option is to revert the Expressway-C's signing algorithm to SHA-1 for your IdP (go to
Configuration > Unified Communications > Identity Providers (IdP)
, locate your IdP row, then in
Actions
column click Configure Digest).
Open and Resolved Issues
Follow the links below to read the most recent information about the open and resolved issues in this release.
You need to refresh your browser after you log in to the Cisco Bug Search Tool.
You need to refresh your browser after you log in to the Cisco Bug Search Tool.
n
n
n
n
n
Notable open issues
The following issues are of particular concern for existing deployments at the time of this release.
- CUCM 10.5.2 CN not duplicated into SAN for CSR
A behavior change in Unified Communications CSR 10.5.2 (Cisco Collaboration System Release) causes
its tomcat certificates to fail validation on the Expressway. The impact on Expressway is that version 10.5.2
Unified Communications servers cannot successfully be discovered by Expressway-C when TLS verify
mode is enabled. CSR 10.5.1 and earlier do not appear to be affected by this issue.
its tomcat certificates to fail validation on the Expressway. The impact on Expressway is that version 10.5.2
Unified Communications servers cannot successfully be discovered by Expressway-C when TLS verify
mode is enabled. CSR 10.5.1 and earlier do not appear to be affected by this issue.
The following workarounds are available. Choose the one most suitable for your deployment:
n
On Expressway, disable TLS verify mode when discovering Unified Communications nodes
If you prefer not to disable TLS verify mode, you need to regenerate the tomcat certificate(s) for the nodes
which fail validation. You could use the following approaches, referring to the Unified Communications
security documentation for details:
If you prefer not to disable TLS verify mode, you need to regenerate the tomcat certificate(s) for the nodes
which fail validation. You could use the following approaches, referring to the Unified Communications
security documentation for details:
n
Use “Multi-server(SAN)” Distribution when generating Tomcat certificates on the Unified CM, IM &
Presence Service or Unity Connection cluster.
This will ensure the certificate presented by these servers to Expressway-C has a valid format, with the
fully qualified domain name (FQDN) of each server in that cluster listed as a Subject Alternative Name.
Presence Service or Unity Connection cluster.
This will ensure the certificate presented by these servers to Expressway-C has a valid format, with the
fully qualified domain name (FQDN) of each server in that cluster listed as a Subject Alternative Name.