Signing CUCM certificates

When a CUCM certificate is signed by a Microsoft CA, the issued certificate does not automatically carry all of the extensions present in the CUCM self-signed certificate. The CA applies the key usage and application policies defined in the certificate template rather than the ones requested in the CSR, and the stock Web Server template only carries Server Authentication, so a template has to be built for the purpose.

Create the template as a duplicate of Web Server. Under Application Policies add Client Authentication and IP security end system (in addition to Server Authentication), and under Key Usage make sure that Digital Signature, Allow key exchange only with key encryption and Allow encryption of user data are all selected.

Issue the certificate using the newly defined template.
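The issued certificate is worth checking before it is uploaded to CUCM. The following is an added example and not part of the original page: it builds a throwaway self-signed certificate with the same extension set the template is meant to produce, a second one without those extensions, and a check function that confirms the three EKUs and three key-usage bits are all present. Run check_cucm_exts against the PEM file the Microsoft CA actually issued. The host name cucm-pub.example.com, the temporary paths and the self-signing are stand-ins for the real CSR/CA flow; ipsecEndSystem is OpenSSL's name for the IP security end system EKU.

```shell
#!/bin/sh
# Added example, not from the original page: produce two throwaway
# self-signed certificates, one carrying the extension set the template
# above is meant to produce and one without it, and check that the
# required EKUs and key-usage bits are really present. Run
# check_cucm_exts against the certificate the Microsoft CA actually
# issued before uploading it to CUCM. Host name, paths and the
# self-signing are constructed stand-ins for the real CA flow.
set -eu

WORK=$(mktemp -d)
GOOD_CERT="$WORK/good.pem"
BAD_CERT="$WORK/bad.pem"

# OpenSSL spelling of the template settings: Server/Client Authentication
# and IP security end system as EKUs; Digital Signature, key encipherment
# ("allow key exchange only with key encryption") and data encipherment
# ("allow encryption of user data") as key usage.
cat > "$WORK/cucm.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, ipsecEndSystem
subjectAltName = DNS:cucm-pub.example.com
EOF

# Throwaway key and CSR standing in for the one generated on CUCM.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
  -out "$WORK/req.pem" -subj "/CN=cucm-pub.example.com" 2>/dev/null

# good.pem: signed with the template's extensions.
openssl x509 -req -in "$WORK/req.pem" -signkey "$WORK/key.pem" -days 1 \
  -extfile "$WORK/cucm.ext" -out "$GOOD_CERT" 2>/dev/null
# bad.pem: what a CA that ignores the requested extensions hands back.
openssl x509 -req -in "$WORK/req.pem" -signkey "$WORK/key.pem" -days 1 \
  -out "$BAD_CERT" 2>/dev/null

# Return 0 only if every required EKU and key-usage bit is present in
# the PEM certificate given as $1; each missing item goes to stderr.
check_cucm_exts() {
  text=$(openssl x509 -in "$1" -noout -text)
  rc=0
  for want in \
      "TLS Web Server Authentication" \
      "TLS Web Client Authentication" \
      "IPSec End System" \
      "Digital Signature" \
      "Key Encipherment" \
      "Data Encipherment"
  do
    if ! printf '%s\n' "$text" | grep -q "$want"; then
      echo "$1: missing $want" >&2
      rc=1
    fi
  done
  return $rc
}

check_cucm_exts "$GOOD_CERT" && echo "$GOOD_CERT: all required extensions present"
check_cucm_exts "$BAD_CERT" || echo "$BAD_CERT: rejected, as expected"
```

The check greps the human-readable `openssl x509 -text` output, so it works with whatever PEM the CA web enrollment page or certsrv hands back; if the certificate comes back as DER, add `-inform DER` to the x509 call.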

Failed Presence/IM&P upgrade

Attempted a CUP/IM&P upgrade from 8.6(4) to 10.5(2)a but ended up with a failed refresh upgrade (RU) and the system booting back to 8.6.

Investigating install.log shows the following:

03/24/2015 02:13:32 IPM|Internal Error, File:ipm.c:2011, Function: ipmReadNormalizedInputLine(), "/usr/local/cm/script/cm-dbl-install RU PostInstall 10.5.2.20000-1 8.6.4.10000-28 /usr/local/cm/ /common/component/database /common/log/install/capture.txt " failed (1)|<LVL::Critical>
03/23/2015 18:13:34 InstallWizard|Platform Install: view|<LVL::Info>
03/24/2015 02:13:34 IPM| end-of-session "Installing database component": 4387.198 secs.|<LVL::Info>
03/24/2015 02:13:34 IPM|Close progress meter "Component Install"|<LVL::Info>
03/24/2015 02:13:34 component_install|Writing database into /common/log/install/component_failed.xml file.|<LVL::Info>
03/24/2015 02:13:34 component_install|/common/log/install/component_failed.xml created : 0|<LVL::Info>
...
03/24/2015 02:13:34 component_install|File:/opt/cisco/install/bin/component_install:807, Function: exec_progmeter(), /opt/cisco/install/bin/progmeter failed (1)|<LVL::Error>
03/24/2015 02:13:34 appmanager.sh|Internal Error, File:/usr/local/bin/base_scripts/appmanager.sh:273, Function: refresh_upgrade(), failed to refresh_upgrade infrastructure_post components|<LVL::Critical>
03/24/2015 02:13:34 post_install|File:/opt/cisco/install/bin/post_install:961, Function: install_applications(), /usr/local/bin/base_scripts/appmanager.sh -refresh-upgrade failed (1)|<LVL::Error>
03/24/2015 02:13:34 post_install|Exiting with result 1|<LVL::Info>
...
03/24/2015 02:13:38 post_install|_set_upgrade_status_attribute: status set to upgrade.stage.error|<LVL::Debug>
03/24/2015 02:13:38 post_install|File:/opt/cisco/install/bin/post_install:624, Function: handle_refresh_upgrade_failure(), Refresh upgrade failed. Trying to reboot to currently active version.|<LVL::Error>

Investigating syslog/messages on the INACTIVE partition (the one holding the failed 10.5(2)a install) after the RU failure shows multiple avc denials, similar to the following examples:

Mar 23 18:12:01 HOSTNAME kern 6 kernel:SELinux:  Context admin_u:object_r:cli_tmp_t:s0 is not valid (left unmapped).
Mar 23 18:12:01 HOSTNAME kern 5 kernel:type=1400 audit(1427159521.658:796866): avc:  denied  { getattr } for  pid=1842 comm="installdb" path="/common/log/install/downloaded_versions" dev=sda6 ino=1769674 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:12:03 HOSTNAME kern 5 kernel:type=1400 audit(1427159523.390:796867): avc:  denied  { setattr } for  pid=2085 comm="chown" name="drfuser" dev=sda1 ino=612031 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Mar 23 18:13:16 HOSTNAME kern 5 kernel:type=1400 audit(1427159596.820:796876): avc:  denied  { ioctl } for  pid=6070 comm="sftp_connect.sh" path="/home/sftpuser/sftp_connect.sh" dev=sda1 ino=612018 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.576:796877): avc:  denied  { remove_name } for  pid=1842 comm="installdb" name="sqlhosts_9BoX7x" dev=sda1 ino=612082 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.576:796878): avc:  denied  { unlink } for  pid=1842 comm="installdb" name="sqlhosts_9BoX7x" dev=sda1 ino=612082 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.841:796879): avc:  denied  { getattr } for  pid=6158 comm="cupl2_new.py" path="/common/component/database/cupl2.export" dev=sda6 ino=1000180 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.851:796880): avc:  denied  { getattr } for  pid=6158 comm="cupl2_new.py" path="/common/component/database/cupl2.export/dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.036:796881): avc:  denied  { read } for  pid=6310 comm="installdb" name="dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.036:796882): avc:  denied  { open } for  pid=6310 comm="installdb" name="dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.246:796883): avc:  denied  { write } for  pid=6333 comm="rm" name="cupl2.export" dev=sda6 ino=1000180 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Mar 23 18:13:32 HOSTNAME kern 5 kernel:type=1400 audit(1427159612.023:796889): avc:  denied  { read } for  pid=6563 comm="cp" name="id_dsa.pub" dev=sda1 ino=612062 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Mar 23 18:13:32 HOSTNAME kern 5 kernel:type=1400 audit(1427159612.023:796890): avc:  denied  { open } for  pid=6563 comm="cp" name="id_dsa.pub" dev=sda1 ino=612062 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Mar 23 18:13:32 HOSTNAME kern 5 kernel:type=1400 audit(1427159612.023:796891): avc:  denied  { write } for  pid=6563 comm="cp" name="id_dsa.pub" dev=sda1 ino=612071 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Mar 23 18:13:34 HOSTNAME kern 5 kernel:type=1400 audit(1427159614.949:796893): avc:  denied  { create } for  pid=8184 comm="sed" name="sedYOAA0s" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:34 HOSTNAME kern 5 kernel:type=1400 audit(1427159614.949:796894): avc:  denied  { write } for  pid=8184 comm="sed" name="sedYOAA0s" dev=sda6 ino=1769710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:34 HOSTNAME kern 5 kernel:type=1400 audit(1427159614.950:796895): avc:  denied  { rename } for  pid=8184 comm="sed" name="sedYOAA0s" dev=sda6 ino=1769710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

Workaround:
This does not seem to be documented, but with a bad feeling from the avc denials, applying the workaround from similar bugs CSCul25056 and CSCue18397 did the trick: boot from a Linux disc and modify grub.conf to include enforcing=0.
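Before reaching for a workaround it helps to see the shape of the denials. The following is an added example, not from the original page: two shell functions that read a syslog/messages file and summarise the AVC records by source type, target type, object class and permission, and list the objects the running policy could not label at all. The sample they run over is constructed from a subset of the lines quoted above plus the non-denial "Context ... is not valid" line.

```shell
#!/bin/sh
# Added example, not from the original page: triage the AVC denials from
# the inactive partition's messages file before reaching for a workaround.
# summarize_avc groups denials by source type, target type, object class
# and permission; unlabeled_paths lists the objects the running policy
# could not label at all. Both read syslog text on stdin.
set -eu

# Constructed sample: a subset of the denial lines quoted above, plus the
# "Context ... is not valid" line, which is not a denial and must be skipped.
SAMPLE=$(cat <<'EOF'
Mar 23 18:12:01 HOSTNAME kern 6 kernel:SELinux:  Context admin_u:object_r:cli_tmp_t:s0 is not valid (left unmapped).
Mar 23 18:12:01 HOSTNAME kern 5 kernel:type=1400 audit(1427159521.658:796866): avc:  denied  { getattr } for  pid=1842 comm="installdb" path="/common/log/install/downloaded_versions" dev=sda6 ino=1769674 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:12:03 HOSTNAME kern 5 kernel:type=1400 audit(1427159523.390:796867): avc:  denied  { setattr } for  pid=2085 comm="chown" name="drfuser" dev=sda1 ino=612031 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.841:796879): avc:  denied  { getattr } for  pid=6158 comm="cupl2_new.py" path="/common/component/database/cupl2.export" dev=sda6 ino=1000180 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.851:796880): avc:  denied  { getattr } for  pid=6158 comm="cupl2_new.py" path="/common/component/database/cupl2.export/dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.036:796881): avc:  denied  { read } for  pid=6310 comm="installdb" name="dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.036:796882): avc:  denied  { open } for  pid=6310 comm="installdb" name="dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:32 HOSTNAME kern 5 kernel:type=1400 audit(1427159612.023:796889): avc:  denied  { read } for  pid=6563 comm="cp" name="id_dsa.pub" dev=sda1 ino=612062 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
EOF
)

# Number of AVC denial records in the input (0 when there are none).
count_denials() {
  grep -c 'avc: *denied' || true
}

# One line per (source type, target type, class, permission), most
# frequent first. The type is the third field of an SELinux context.
summarize_avc() {
  awk '
    /avc: +denied/ {
      perm = $0
      sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
        else if ($i ~ /^tclass=/) c = substr($i, 8)
      }
      n[s " -> " t " " c " " perm]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Objects the running policy sees as unlabeled_t, i.e. files whose on-disk
# label it does not recognise. Uses path= when logged, else the bare name=.
unlabeled_paths() {
  grep 'avc: *denied' | grep 'tcontext=[^ ]*:unlabeled_t:' |
    sed -nE 's/.* (path|name)="([^"]*)".*/\2/p' | sort -u
}

echo "denials: $(printf '%s\n' "$SAMPLE" | count_denials)"
printf '%s\n' "$SAMPLE" | summarize_avc
echo "unlabeled objects:"
printf '%s\n' "$SAMPLE" | unlabeled_paths
```

On this sample every denial comes from the same source domain (initrc_t) and the targets are either unlabeled_t or home-directory types, which is the pattern to look for before deciding between a relabel and a policy change. Note that enforcing=0 on the kernel command line puts SELinux into permissive mode for that boot: the same denials are still logged, they just no longer block the installer, so the entry should be removed once the upgrade has completed.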