[cisco-voip] Issues with certificate security following upgrade to 8.6

Ryan Ratliff rratliff at cisco.com
Tue Aug 23 17:04:53 EDT 2011


Not having a TVS server won't be a problem moving from 7.x to 8.x since the SBD feature isn't present in 7.x.  In bridge mode you get no services so the phones won't ever get an ITL or config file with a TVS server populated.

Since we're on the topic of SBD and Jason didn't do it himself he wrote a great document on SBD operation and troubleshooting that everyone running or supporting CUCM 8.x should read. 
https://supportforums.cisco.com/docs/DOC-17679

-Ryan

On Aug 23, 2011, at 4:13 PM, Carter, Bill wrote:

Jason,
Thanks for helping us out here. I have about 5 UCM 7.X to 8.X upgrades scheduled. These all involve moving from Physical to Virtual servers. What process should be followed to prevent these ITL/TVS problems?
 
In all cases we are doing a bridge upgrade. The problem I see is that we get the physical servers up to 8.0X, but because they are in bridge mode the phones cannot contact a TVS server until we restore to a Virtual UCM 8.0X server. Then we run the upgrade to 8.5.
 
 
-Bill Carter
 
From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Jason Burns
Sent: Saturday, August 20, 2011 7:42 AM
To: Nathan Reeves
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Issues with certificate security following upgrade to 8.6
 
Nathan, when you updated the servers to use dns, does that mean you added a domain name? Also, are you still on 8.0?

If so, then that regenerated all of your certificates, including the itl file and tvs certs. With the previously mentioned defect that would explain the problem I think.

https://supportforums.cisco.com/docs/DOC-17679#Changing_Host_Names_or_Domain_Names

Also, there is no way to do an upgrade to 8.6 without booting into 8.6. The install will ignore your pleas to do otherwise. This is pretty well documented in the upgrade pages after you install the special cop file(that new cop file allows the 8.6 advisory text to be displayed before upgrade), and in the 8.6 release notes. We need to boot into the new environment to run the binaries built for that environment because of the rhel upgrade.

First compare the certs in the itl using show itl, to the certs in OS admin cert administration.

Then compare the md5 of your itl in tftp to the md5 in the phone.

Compare the md5 of the itl with the md5 on the phone.

On Aug 17, 2011 10:49 AM, "Nathan Reeves" <nathan.a.reeves at gmail.com> wrote:
> Upgraded our cluster from 8.0.3 to 8.6.1 last weekend. Upgrade
> completed successfully (took a while but given it was a major jump I
> expected that). Everything appeared to be working fine but come
> Monday I started getting calls from users who couldn't use the
> corporate directory on their phones. When they attempted to access
> it, a 'host not found' error occurred. Ended up tracing this back to
> the phones being unable to access https based links due to a tvs /
> certain issue.
> 
> At this point, the manual deletion of the phones security tlv file
> fixes the issue. I think i've got about 100 phones affected, so the
> process isn't too bad to get done, just going to be time consuming.
> 
> What I want to try and work out is what I've done wrong in the upgrade
> process which has caused this issue. Basic overview of the steps
> taken is as follows:
> - upgraded pub to 8.6.1. Booted back into 8.0.3 following upgrade.
> - upgraded sub to 8.6.1. For some reason, even though I marked not
> to boot to the upgraded partition, it booted into 8.6.1.
> - booted pub into 8.6.1.
> - waited for phones to settle down. Eg from switchback to sub and
> firmware upgrades etc.
> - updated servers to use dns (previously dns was not set).
> - checked that db replication was successful (saw some issues which a
> reboot and updating reverse dns entries appeared to fix.)
> - 48 hours later installed new tomcat certs which had been signed by
> our windows domain CA.
> 
> In troubleshooting the cert issue on the phones, I can see it heads to
> the tvs to do a cert verify when it tries to access ssl links and
> secured tftp. On the phones I can see it send a request to the tvs
> and it lists a certificate serial which I'm assuming it is trying to
> verify. The request then fails and the phone fails to load the
> cnf.XML etc. If I check the two servers, both have a certificate
> which matches the serial listed on the phone when it is requesting the
> tvs to check the cert.
> 
> I saw the previus issue with 8.5.1 and the tftp tlv file failing to be
> written but it's a different issue to that. In looking at the tvs
> logs, I do see a file failed to be written but with an error -2. The
> file was ctlfile.tlv.
> 
> Have I caused this issue with the update of the dns settings on the
> servers and a possible regeneration of the certifates at this point.
> Was there a process I should have followed.
> 
> I'm considering contacting tac in the morning to see if theres
> anything obvious I've done wrong and if there's a way to resolve the
> issue without touching phones manually, but if it's obvious to someone
> here what I've screwed up it would be great to hear it.
> 
> Thanks
> 
> Nathan
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20110823/dc2354d9/attachment.html>


More information about the cisco-voip mailing list