[cisco-voip] Couple misc. CTL/certificate questions...

Matthew Loraditch MLoraditch at heliontechnologies.com
Wed Jun 20 15:28:41 EDT 2012


All of the phonebook, directory, EM services, etc. can now use HTTPS, so if you enable the rollback parameter you can’t do that, but non-SSL versions of all of the services still exist and work.


Matthew G. Loraditch – CCNP-Voice, CCNA, CCDA

1965 Greenspring Drive
Timonium, MD 21093

voice. 410.252.8830
fax.  410.252.9284

Twitter<http://twitter.com/heliontech>  |  Facebook<http://www.facebook.com/#!/pages/Helion/252157915296>  | Website<http://www.heliontechnologies.com/>  |  Email Support<mailto:support at heliontechnologies.com?subject=Technical%20Support%20Request>


From: Lelio Fulgenzi [mailto:lelio at uoguelph.ca]
Sent: Wednesday, June 20, 2012 1:06 PM
To: Matthew Loraditch
Cc: Cisco VOIP; Jason Burns
Subject: Re: [cisco-voip] Couple misc. CTL/certificate questions...

Are these HTTPS services on the phone's internal web server or HTTPS services somewhere else that you use the phone's web browser to access?

If the latter, are we seeing more CCM services/apps (like CCMUser) that the phones access pushing towards HTTPS?

---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cooking with unix is easy. You just sed it and forget it.
                              - LFJ (with apologies to Mr. Popeil)

________________________________
From: "Matthew Loraditch" <MLoraditch at heliontechnologies.com<mailto:MLoraditch at heliontechnologies.com>>
To: "Lelio Fulgenzi" <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>>, "Jason Burns" <burns.jason at gmail.com<mailto:burns.jason at gmail.com>>
Cc: "Cisco VOIP" <cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>>
Sent: Wednesday, June 20, 2012 1:03:37 PM
Subject: RE: [cisco-voip] Couple misc. CTL/certificate questions...


You can set the cluster to pre-8.x mode and this will turn off all of the security by default features for the phones. You will not be able to use https phone services, etc, but you also won’t have to worry about anything except your certs on ccmadmin access. It’s a judgement call really as to whether to do it or not.




From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Lelio Fulgenzi
Sent: Wednesday, June 20, 2012 12:58 PM
To: Jason Burns
Cc: Cisco VOIP
Subject: Re: [cisco-voip] Couple misc. CTL/certificate questions...

This whole security thing gives me the willies. ;)

Is it possible to upgrade to 8.x/9.x and turn security off? Any reason to turn it on? Just seems like yet another thing to worry about.

Good god, can you imagine DST time changes and certificates expiring at the same time?

---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cooking with unix is easy. You just sed it and forget it.
                              - LFJ (with apologies to Mr. Popeil)
________________________________
From: "Jason Burns" <burns.jason at gmail.com<mailto:burns.jason at gmail.com>>
To: "Ed Leatherman" <ealeatherman at gmail.com<mailto:ealeatherman at gmail.com>>
Cc: "Cisco VOIP" <cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>>
Sent: Wednesday, June 20, 2012 12:18:43 PM
Subject: Re: [cisco-voip] Couple misc. CTL/certificate questions...

Ed,

Good catch on the CAPF certs on every node. You're right that they just get ignored on the subscriber nodes. I'm not sure myself what function they serve as the only useful CAPF cert is the one from the publisher.

Since you're on 7.X and you're about to enable security but this isn't a new install, I would definitely recommend taking a look at all of your certificate expiration dates. They're typically 5 years from creation for the self-signed certificates (install date). Personally, I would regenerate:

CAPF.pem - Publisher
CallManager.pem - All Nodes

before I enabled security with the CTL client and USB tokens. This means you'd have 5 years before ever having to worry about running the CTL client again for certificate expiration. You may have to run it again if you changed other things that regenerated certs (host name change), and it's easy to run again, but why worry about it. You'll also have 5 years before CAPF expires, which gives you a guaranteed 5 year lifetime before worrying about any LSCs signed by this CAPF (since the LSC is what gets pushed to the phones and they're signed by CAPF).

Now is also a good time to point the cluster to an SMTP email server, as well as populate an email address in the Certificate Monitor fields in OS Administration. This will notify someone before that 5 year timer pops.

Once you've regenerated CAPF and CallManager certificates you'll want to restart CAPF on the pub and CCM on all nodes. If you can't restart CCM for operational reasons then I'd skip the CallManager.pem regen step but still perform the CAPF regen step. We want to make sure we don't have to mess with any CAPF or LSC regeneration for another 5 years.

Enable security and push LSCs to the phones.

In 4 years and some months you'll get an email telling you the CAPF cert is about to expire. You also know that all of your LSCs are about to expire. You can take proactive action to generate a new CAPF cert, run CTL client, reset phones, and use BAT to push new LSCs to phones.


If this is 8.X you can still regenerate the CAPF.pem, but don't touch the CallManager.pem unless you have to.

-Jason
On Wed, Jun 20, 2012 at 9:12 AM, Ed Leatherman <ealeatherman at gmail.com<mailto:ealeatherman at gmail.com>> wrote:
I'm getting ready to install security tokens soon on CM 7.1, and noticed a few things while I was pulling my plan together. I was hoping someone might know the answer(s).

- While looking around at the existing certs on my cluster (non-secure mode right now) I noticed a CAPF.pem on every node, with different serial numbers and CNs. I thought this should only exist on the publisher? Does it just ignore the certs on the other nodes when I put the cluster in mixed mode?

- Also while poking around - once again, non-secure mode - I noticed all the CallManager.pem files have varying expiration dates on them (seems to coincide with when I refreshed hardware). Some of them expire as early as 2014. Would it be a good idea to refresh the certs now so that they have later expiration dates, before I start pushing CTL files out to phones? If I do this, do I need to restart the CM service?

Thanks!


--
Ed Leatherman

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip

