[cisco-voip] cnf.xml.sgn for non-secure cluster?

Jason Aarons (AM) jason.aarons at dimensiondata.com
Mon May 21 16:40:59 EDT 2012


There is the Pre-8.0 Rollback Service Parameter that disables ITL, but you need it set before phones see the upgraded CallManager. So for any upgrade you need to shut down phones first, I suspect.

From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ed Leatherman
Sent: Monday, May 21, 2012 4:35 PM
To: Ovidiu Popa
Cc: cisco-voip
Subject: Re: [cisco-voip] cnf.xml.sgn for non-secure cluster?



Per my understanding, being on CUCM 8+ implies security-by-default is in use and your phone is going to get an ITL file and thus request signed config files:

https://supportforums.cisco.com/docs/DOC-17679

Security By Default provides these three functions for supported IP Phones:

 1.  Default authentication of TFTP downloaded files (configuration, locale, ringlist, etc) using a signing key.
 2.  Optional encryption of TFTP configuration files using a signing key.
 3.  Certificate verification for phone initiated HTTPS connections using a remote certificate trust store on Communications Manager (Trust Verification Service).

On Mon, May 21, 2012 at 4:28 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
My understanding is that ITL is required for several reasons:
- used to store the trusted certificates required for the TLS session to the TVS web service (not related to cluster mixed mode as https web services can be activated even if the cluster is unsecure)
- used to validate file signatures (only if the cluster is in mixed mode)

If this is correct I think it is normal that I have an ITL file, but my question still stands: how come the phone requests a signed file if the cluster is not secure?

Thanks,
Ovidiu




On 21/May/12 8:03 PM, Ed Leatherman wrote:
Hello,

My understanding is that the phone requests a CTL or ITL file when it boots. If it ever actually gets a CTL or ITL file, from that point on it will always request a signed configuration file, unless the CTL or ITL files are manually deleted from the phone. If I'm incorrect hopefully someone will chime in :)

Ed
On Mon, May 21, 2012 at 1:12 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
Hello everyone

Anyone know how a phone detects if it needs to download a signed or unsigned configuration file?

I have a few phones that keep requesting signed file even though the cluster is not in mixed mode and I cannot identify why they behave this way. Does the ITL file contain information about the cluster security mode?

The phone logs say that the TFTP server is secure and keep trying for the cnf.xml.sgn files. Where does it get this information?

Thanks for any input.

Regards.
Ovidiu

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip



--
Ed Leatherman




--
Ed Leatherman
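The thread turns on which configuration file the phone asks the TFTP server for: SEP<MAC>.cnf.xml.sgn once it holds an ITL/CTL, or plain SEP<MAC>.cnf.xml otherwise. A quick way to see the server side of that, when troubleshooting a phone that "keeps trying for the cnf.xml.sgn files", is to request both variants for the device name yourself and note which ones the TFTP service actually serves. The script below is an added example written for this page, not code from the list or from Cisco. It assumes the SEP<MAC>.cnf.xml / .cnf.xml.sgn naming convention, and it embeds a toy in-process TFTP server holding constructed files (not real CUCM output) so it runs offline; against a real cluster you would point tftp_get at the CUCM TFTP address and the phone's actual device name.

```python
import socket
import struct
import threading

# Constructed sample inventory standing in for a CUCM TFTP server: one phone has
# both a signed and an unsigned config published, the other only the unsigned one.
# Contents are placeholders, not real CUCM files.
SAMPLE_FILES = {
    "SEP001122334455.cnf.xml.sgn": b"<signed-config-placeholder/>",
    "SEP001122334455.cnf.xml": b"<device><devicePool/></device>",
    "SEP00AABBCCDDEE.cnf.xml": b"<device><devicePool/></device>",
}

RRQ, DATA, ACK, ERROR = 1, 3, 4, 5  # TFTP opcodes (RFC 1350)


def serve_once(sock, files, count):
    """Toy TFTP server: answers `count` read requests for files < 512 bytes, then stops."""
    for _ in range(count):
        pkt, peer = sock.recvfrom(1024)
        if struct.unpack("!H", pkt[:2])[0] != RRQ:
            continue
        name = pkt[2:].split(b"\x00")[0].decode()
        if name in files:
            sock.sendto(struct.pack("!HH", DATA, 1) + files[name], peer)
            sock.recvfrom(1024)  # absorb the client's ACK for block 1
        else:
            sock.sendto(struct.pack("!HH", ERROR, 1) + b"File not found\x00", peer)


def tftp_get(server, name, timeout=2.0):
    """Read `name` from a TFTP server (octet mode).

    Returns the file bytes, or None if the server answers with a TFTP ERROR
    (e.g. file not found). Handles multi-block transfers; ACKs go to whatever
    address the DATA came from, because real servers reply from a fresh port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(struct.pack("!H", RRQ) + name.encode() + b"\x00octet\x00", server)
        data, expected = b"", 1
        while True:
            pkt, peer = s.recvfrom(4 + 512)
            op, arg = struct.unpack("!HH", pkt[:4])
            if op == ERROR:
                return None
            if op != DATA or arg != expected:
                raise RuntimeError(f"unexpected TFTP packet op={op} arg={arg}")
            data += pkt[4:]
            s.sendto(struct.pack("!HH", ACK, arg), peer)
            if len(pkt) - 4 < 512:  # short block terminates the transfer
                return data
            expected += 1
    finally:
        s.close()


def config_availability(server, device_name):
    """Report which config variants the TFTP server publishes for one phone."""
    return {
        "signed": tftp_get(server, f"{device_name}.cnf.xml.sgn") is not None,
        "unsigned": tftp_get(server, f"{device_name}.cnf.xml") is not None,
    }


def demo(files=SAMPLE_FILES):
    """Run the toy server on loopback and probe both constructed device names."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    server = sock.getsockname()
    t = threading.Thread(target=serve_once, args=(sock, files, 4), daemon=True)
    t.start()
    results = {
        dev: config_availability(server, dev)
        for dev in ("SEP001122334455", "SEP00AABBCCDDEE")
    }
    t.join(5)
    sock.close()
    return results


if __name__ == "__main__":
    for dev, avail in demo().items():
        print(dev, avail)
```

If a phone with an ITL keeps asking for the .sgn variant and the server reports "signed": False for its device name, the mismatch is on the server side (the signed file is not being generated or served); if the signed file is there, the phone's behaviour matches what Ed describes above and the question becomes whether the ITL on the phone should be cleared.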

