Cisco Bug: CSCvv61028 - APNS Access token retrieval fails due to SELinux denials for port 3129

Last Modified

Oct 09, 2020

Products (2)

  • Cisco Unified Communications Manager IM & Presence Service
  • Cisco Unified Communications Manager IM and Presence Service Version 11.5

Known Affected Releases

11.5(1)

Description (partial)

Symptom:
Alerts are generated in the XCP Config Manager logs when SELinux is in enforcing mode.

Conditions:
XCP Config Manager is unable to retrieve the APNS access token under the following conditions:
- APNS configured with the non-default proxy port 3129
- SELinux set to enforcing mode

The XCP Config Manager service logs show an error like:

2019-09-03 16:06:23,278 DEBUG [Timer-5] xmlframework.XCPConfigMgr - FetchAndStoreAccessToken: Calling createAccessToken() with granttype:refresh_token, refreshToken:ZjU1M2U3ZjctNGFjZi00YmNjLWFhYWEtMWUwNDBhYWRlNDg3ZDRlYmVmODEtYTdj_PF84_10f5b6e1-9cc3-45f6-99cb-47a4242f89dc, accessTokenURL: https://idbroker.webex.com/idb/oauth2/v1/access_token, httpProxyAddress: http://uaproxy.wien.gv.at:3129 proxyUsername:null
2019-09-03 16:06:23,279 ERROR [Timer-5] utilities.CloudOnboarding - Connection timeout Exception:
java.net.ConnectException: Permission denied (connect failed)

Port 3129 is already assigned to the SELinux type netport_port_t by default, so when the proxy uses 3129 the connection from the XCP Config Manager domain is denied; the alert is generated and the exception above appears in the XCP Config Manager logs.

[root@imp-css-48 ~]# semanage port -l | grep 3129
netport_port_t tcp 3129
netport_port_t udp 3129

SELinux denials collected for this issue:

#============= cupd_t ==============
allow cupd_t netport_port_t:tcp_socket name_connect;

#============= system_cronjob_t ==============
allow system_cronjob_t unconfined_t:file open;
[root@ucaeimptn02 vos]#
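The following Python script is an added triage helper, not part of the Cisco bug page and not a Cisco tool. It reproduces the two checks a defender would do by hand on this bug: look up which SELinux port type the configured proxy port carries in `semanage port -l` output, then cross-reference that type against the collected denials (the `#===== domain =====` / `allow ...;` lines are audit2allow's rule format) to see which confined domain is being refused `name_connect` on it. The port listing and the denial rules embedded below are constructed samples that mirror the bug's output; the proxy host `proxy.example` used for the non-failing case, the extra ports in the listing, and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `semanage port -l` output (real column layout: type,
# protocol, comma-separated ports or ranges). The 3129 entries mirror the bug.
SEMANAGE_PORT_LISTING = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
netport_port_t                 tcp      3129, 4008, 4010
netport_port_t                 udp      3129, 4008, 4010
squid_port_t                   tcp      3128, 3401, 4827
squid_port_t                   udp      3401, 4827
unreserved_port_t              tcp      1024-32767, 61001-65535
"""

# Constructed sample in audit2allow's rule format, matching the denials in the bug.
AUDIT2ALLOW_OUTPUT = """\
#============= cupd_t ==============
allow cupd_t netport_port_t:tcp_socket name_connect;

#============= system_cronjob_t ==============
allow system_cronjob_t unconfined_t:file open;
"""


def parse_port_listing(text):
    """Map (proto, port) -> SELinux port type from `semanage port -l` output.

    Explicit single-port entries are recorded after ranges, so a specific
    label such as netport_port_t wins over a broad range like unreserved_port_t.
    """
    mapping = {}
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s+(tcp|udp|sctp)\s+(.+)$", line.strip())
        if m:
            entries.append(m.groups())
    # Ranges first, single ports second (more specific label applied last).
    for ptype, proto, ports in entries:
        for item in ports.split(","):
            item = item.strip()
            if "-" in item:
                lo, hi = (int(x) for x in item.split("-"))
                for p in range(lo, hi + 1):
                    mapping[(proto, p)] = ptype
    for ptype, proto, ports in entries:
        for item in ports.split(","):
            item = item.strip()
            if item.isdigit():
                mapping[(proto, int(item))] = ptype
    return mapping


def parse_denials(text):
    """Extract (source_domain, target_type, class, permission) from allow rules."""
    rule = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\w+);$")
    return [m.groups() for line in text.splitlines()
            if (m := rule.match(line.strip()))]


def proxy_port(proxy_url):
    """Port the proxy listens on; default 80/443 if the URL omits it."""
    parts = urlsplit(proxy_url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def triage(proxy_url, listing, denials, proto="tcp"):
    """Report the SELinux label of the proxy port and any domain denied
    name_connect to that label. An empty denied_domains list means the
    collected denials do not explain a failure to reach this proxy port."""
    port = proxy_port(proxy_url)
    ptype = parse_port_listing(listing).get((proto, port))
    blocked = {src for src, tgt, cls, perm in parse_denials(denials)
               if tgt == ptype and cls == f"{proto}_socket" and perm == "name_connect"}
    return {"port": port, "port_type": ptype, "denied_domains": sorted(blocked)}


if __name__ == "__main__":
    # Proxy address taken from the log line in the bug report.
    print(triage("http://uaproxy.wien.gv.at:3129", SEMANAGE_PORT_LISTING, AUDIT2ALLOW_OUTPUT))
    # Assumed alternate proxy on squid's default port for comparison.
    print(triage("http://proxy.example:3128", SEMANAGE_PORT_LISTING, AUDIT2ALLOW_OUTPUT))
```

On a live system the same functions can be fed the real text of `semanage port -l` and of `audit2allow -i <audit log file>`; a non-empty `denied_domains` for the port in `httpProxyAddress` is the signature described in this bug, and a port whose label is not the one the denial names points at a different cause.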