[cisco-voip] CTL/Security Token question

Jason Burns burns.jason at gmail.com
Mon Apr 4 19:23:29 EDT 2011


It's important to note that the CTL file has a fixed max size. It must
contain a trust list of all nodes in the cluster, all token certificates,
the CAPF certificate, and certificates for all TFTP servers.

If the CAPF certificate is signed by a Certificate Authority (instead of the
default self-signed) this must also be included in the CAPF file.

Under normal circumstances this is never a problem for customers.

If you have a mega cluster with CA signed CAPF certificates, and 4 TFTP
servers though - just keep in mind that you reach a point of diminishing
returns when adding more tokens. Keep enough so that you will NEVER lose
one, but at some point you just can't add any more.

http://www.cisco.com/en/US/partner/docs/voice_ip_comm/cucm/security/8_5_1/secugd/secuauth.html#wpmkr1169210

This isn't a case of 2 being good... and then 100 being better. You can (but are
unlikely to) hit a point where you can have too many. Just wanted to throw
that into the conversation.

-Jason Burns

On Mon, Apr 4, 2011 at 2:33 PM, Bernhard Albler
<bernhard.albler at gmail.com> wrote:

> > Not as far as I know. We have been doing this for customers where there
> > is a development/test and a production environment. Keeps complexity
> > down. We just use the same tokens, generally buying a total of 4 for
> > max redundancy (paranoia) and putting all of them on both CTLs.
> what I meant: there is no impact on the tokens. As others have said: it
> works just fine with multiple clusters. We just generally use at least
> 4 tokens if we use the tokens for multiple clusters so we have
> multiple access paths to the CTL. If you lose one token (or the
> password) you can still change the CTL.
>
> regards
> bernhard
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>