[cisco-voip] CM 8 ITL and TFTP problems

Justin Steinberg jsteinberg at gmail.com
Sat Jan 8 15:41:33 EST 2011


Thanks. I was using a finicky KVM which had added a lot of
characters to the OU.  I thought I had deleted them all, but
unbeknownst to me there were still many characters to the left of what
was visible on the screen during the OS install.

After using set web-security I regenerated the certs for call manager,
tvs, tomcat, and capf from OS admin.

While we are on the subject of TVS, do you know how I would go about
combining multiple CM8+ clusters into one cluster from a TVS
perspective?  In the past, once I was ready to flick the switch it was
as simple as updating dhcp option 150 values for new cluster and
resetting phones.  Now, with TVS the phones won't trust the new
cluster's ITL file. How would I handle this? Would I need to upload
the new cluster's ITL certs to the old cluster and reset the phones so
the old cluster sends the phones the new cluster's ITL file before I
point the phones at the new TFTP? Would I need to upload other
certs?  I don't see a TFTP cert in the osadmin cert page.  I would
think I would need to upload this cert as well.

Thanks,

Justin

On Thursday, January 6, 2011, Jason Burns <burns.jason at gmail.com> wrote:
> Justin,
>
> I worked with your TAC engineer on this service request and just wanted to bring this conversation back full circle.
>
> I took a closer look at this problem and noticed the Certificate being used for TVS:
>
> "show itl" from the SSH Admin CLI of the CUCM Server
>
> was invalid. The OU was longer than 64 characters.
>
> I've filed this defect:
>
> CSCtl45017    CUCM should validate length of X.500 O, OU, Locale, and State strings
>
> to address the problem.
>
> You correct the issue by running "set web-security" again, specifying shorter values in the fields.
>
> So just a heads up to anyone on the list, if you enter too many characters in your certificate (>64 for the O, or OU.... >128 for Locality and State) you may experience odd behavior with TVS and other security operations. This should be corrected moving forward (the command will disallow entry of extra characters past the X.500 specification).
>
> -Jason
>
>
> On Tue, Dec 14, 2010 at 4:12 AM, Ahmed Elnagar <ahmed_elnagar at rayacorp.com> wrote:
>
> What CUCM version exactly are you facing the below problem with?
>  Best Regards,
> Ahmed Elnagar | CCIE#24697 Voice
> From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Justin Steinberg
> Sent: Tuesday, December 14, 2010 2:13 AM
> To: Jason Burns
> Cc: cisco voip
> Subject: Re: [cisco-voip] CM 8 ITL and TFTP problems
>  What firmware are your phones running ? I have a TAC case open on this.  It is definitely a problem with the Trust Verification Services (TVS) and Initial Trust List (ITL) setup.
>  A new out of the box phone connects to CM TFTP, downloads the proper firmware (CM 8.0.3a and 7945 SCCP 9.0.3).  Then the phone registers.   Immediately after that, the phone updates the ITL file.  Then the phone begins to reject the configuration file (phone doesn't get proper time zone among other things).  The ringlist.xml.sgn, background images, corporate directory (https i guess), personal directory (https?) also don't work.
>  TAC has tried a few things but still having the problem and we will look into it more tomorrow.
> I did upload 8.5.2sr1 firmware to CM TFTP including term45.defaults.  I then factory reset a 7945 phone having the ITL problem with firmware 9.0.3 and when the phone resets and applies 8.5.2sr1 everything works fine.
>  Documentation on exactly how ITL works and what it is verifying is not good.   In my case, the phone is definitely getting an ITL file, but for whatever reason the subsequent files it receives from the same CM server are being rejected by the ITL verification.
>  This is a new install of 8.0.3a precutover.  This makes me nervous about any existing deployments upgrading to a CM8 version with ITL - especially since I don't really understand the ITL process and can't find much doc on it.  Having to manually go around and delete ITL files off of phones would be a pain.  I'm not sure if that will be required in my case, but I'll update the list as I learn more.
>   On Sun, Dec 12, 2010 at 9:34 PM, Jason Burns <burns.jason at gmail.com> wrote:
> Justin, Option 150 is usually an array of IPv4 addresses. This is how I have it setup with my CUCM 8 cluster and my phones are downloading their configuration files successfully. Your config as you've described it should be fine.
>  I'd be curious to see if the phone is downloading the config file and then rejecting it, or if the phone isn't able to contact the TFTP server.
>  One great way to check is to go to the webserver on the IP Phone (if it's in a state where the web server is active) and download the console log files.
>  The phone is going to try downloading the config file, and then compare the signature in the file with the ITL file contents. Post back the contents of the console logs, or le
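As an added example, not code from CUCM or from anyone in this thread: a small Python audit that applies the X.520 upper bounds Jason cites (64 characters for O and OU, 128 for Locality and State; these are the `ub-*` values in RFC 5280 Appendix A) to a subject DN given in the string form that `show itl` or `openssl x509 -subject` prints. It also surfaces non-printable and edge-whitespace characters of the kind Justin's KVM pushed into the OU without showing them on screen, which is what a defender would want to check before a certificate is regenerated. The attribute table, function names and sample DNs are assumptions for the example; CUCM itself exposes no such API.

```python
"""Audit an X.509 subject DN for X.520 upper-bound violations and hidden characters.

Added example for this thread; it is not CUCM code and does not touch
`set web-security` or `show itl`.  Give it the subject as printed by
`show itl` or `openssl x509 -subject` (RFC 4514 string form) and it reports
attribute values longer than the upper bounds RFC 5280 Appendix A inherits
from X.520, plus any non-printable or edge-whitespace characters a console
may have inserted without displaying them.  Field table and samples are assumed.
"""
from __future__ import annotations

# Upper bounds from RFC 5280 Appendix A: (limit in characters, ASN.1 name).
X520_UPPER_BOUNDS: dict[str, tuple[int, str]] = {
    "CN": (64, "ub-common-name"),
    "O": (64, "ub-organization-name"),
    "OU": (64, "ub-organizational-unit-name"),
    "L": (128, "ub-locality-name"),
    "ST": (128, "ub-state-name"),
    "C": (2, "ub-country-name-alpha-length"),
    "SERIALNUMBER": (64, "ub-serial-number"),
    "EMAILADDRESS": (255, "ub-emailaddress-length"),
}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN string into (TYPE, value) pairs.

    Backslash escapes ("\\,", "\\+", "\\=", "\\\\") are honoured so a comma
    inside an organisation name does not start a new RDN; "+"-joined
    multi-valued RDNs are flattened into separate pairs.  Values are kept
    verbatim (no stripping) so hidden edge characters remain detectable.
    """
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: take literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch in ",+":                        # unescaped RDN / AVA separator
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for part in parts:
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN (no '='): {part!r}")
        typ, val = part.split("=", 1)
        pairs.append((typ.strip().upper(), val))
    return pairs


def find_hidden_chars(value: str) -> list[tuple[int, str]]:
    """Return (index, repr) for characters a screen may not show: any
    non-printable character, and whitespace runs at either end of the value."""
    lead = len(value) - len(value.lstrip())
    trail = len(value) - len(value.rstrip())
    hits: list[tuple[int, str]] = []
    for i, c in enumerate(value):
        at_edge = i < lead or i >= len(value) - trail
        if not c.isprintable() or (at_edge and c.isspace()):
            hits.append((i, repr(c)))
    return hits


def audit_dn(dn: str) -> list[str]:
    """Human-readable findings for one DN; an empty list means nothing to flag."""
    findings: list[str] = []
    for typ, val in parse_dn(dn):
        bound = X520_UPPER_BOUNDS.get(typ)
        if bound and len(val) > bound[0]:
            findings.append(f"{typ}: {len(val)} chars exceeds {bound[0]} ({bound[1]})")
        hidden = find_hidden_chars(val)
        if hidden:
            shown = ", ".join(f"{i}:{r}" for i, r in hidden)
            findings.append(f"{typ}: hidden characters at {shown}")
    return findings


# Constructed samples (not from the thread): the first pads the OU to 70
# characters, the second hides a trailing tab in the OU that a console
# would render as blank space, the third is clean.
SAMPLE_LONG_OU = (
    "C=US,ST=Ohio,L=Columbus,O=Example\\, Inc.,OU="
    + "Unified Communications" + "x" * 48
    + ",CN=cucm-pub.example.com"
)
SAMPLE_HIDDEN_TAB = "C=US,ST=Ohio,L=Columbus,O=Example\\, Inc.,OU=Voice\t,CN=cucm-pub.example.com"
SAMPLE_CLEAN = "C=US,ST=Ohio,L=Columbus,O=Example\\, Inc.,OU=Voice,CN=cucm-pub.example.com"

if __name__ == "__main__":
    for name, dn in [("long OU", SAMPLE_LONG_OU),
                     ("hidden tab", SAMPLE_HIDDEN_TAB),
                     ("clean", SAMPLE_CLEAN)]:
        print(f"{name}: {audit_dn(dn) or ['ok']}")
```

Values are checked in decoded characters rather than bytes, which matches how the X.520 bounds are stated; the parser deliberately does not strip values, because a stripped value would hide exactly the trailing junk this thread is about.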