[cisco-voip] cnf.xml.sgn for non-secure cluster?

Ovidiu Popa ovi.popa at gmail.com
Mon May 21 17:53:03 EDT 2012


It appears that I was focused in the wrong direction. The problem is not 
the fact that the phones request a signed configuration file; it's the 
fact that the TFTP answers with "File not found".

The test cluster is based on a restore from a production backup and the 
same phone works correctly with the production cluster.
If I try to generate the signed configuration file nothing seems to work 
(restarted tftp, deleted itl, rebooted the phone several times, deleted 
phone security and network settings, apply config button)...  If I try 
to modify and save the configuration the operation is rejected with the 
following message "Update failed. Could not insert new row - duplicate 
value in a UNIQUE INDEX column (Unique Index:x_device_name)".

This is weird since I'm not trying to add a new phone, I'm only 
modifying the existing phone.



On 21/May/12 10:40 PM, Jason Aarons (AM) wrote:
>
> There is the Pre-8.0 Rollback Service Parameter that disables ITL but 
> you need it set before phones see the upgraded CallManager. So any 
> upgrade you need to shutdown phones first I suspect.
>
> *From:*cisco-voip-bounces at puck.nether.net 
> [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf Of *Ed Leatherman
> *Sent:* Monday, May 21, 2012 4:35 PM
> *To:* Ovidiu Popa
> *Cc:* cisco-voip
> *Subject:* Re: [cisco-voip] cnf.xml.sgn for non-secure cluster?
>
>
>
> Per my understanding, being on CUCM 8+ implies security-by-default is 
> in use and your phone is going to get an ITL file and thus request 
> signed config files:
>
> https://supportforums.cisco.com/docs/DOC-17679
>
> Security By Default provides these three functions for supported IP 
> Phones:
>
>  1. Default authentication of TFTP downloaded files (configuration,
>     locale, ringlist, etc) using a signing key.
>  2. Optional encryption of TFTP configuration files using a signing key.
>  3. Certificate verification for phone initiated HTTPS connections
>     using a remote certificate trust store on Communications Manager
>     (Trust Verification Service).
>
> On Mon, May 21, 2012 at 4:28 PM, Ovidiu Popa <ovi.popa at gmail.com 
> <mailto:ovi.popa at gmail.com>> wrote:
>
> My understanding is that ITL is required for several reasons:
> - used to store the trusted certificates required for the TLS session 
> to the TVS web service (not related to cluster mixed mode as https web 
> services can be activated even if the cluster is unsecure)
> - used to validate file signatures (only if the cluster is in mixed mode)
>
> If this is correct I think it is normal that I have an ITL file but my 
> question still stands: how come the phone requests a signed file if 
> the cluster is not secure?
>
> Thanks,
> Ovidiu
>
>
>
>
>
> On 21/May/12 8:03 PM, Ed Leatherman wrote:
>
> Hello,
>
> My understanding is that the phone requests a CTL or ITL file when it 
> boots. If it ever actually gets a CTL or ITL file, from that point on 
> it will always request a signed configuration file, unless the CTL or 
> ITL files are manually deleted from the phone. If I'm incorrect 
> hopefully someone will chime in :)
>
> Ed
>
> On Mon, May 21, 2012 at 1:12 PM, Ovidiu Popa <ovi.popa at gmail.com 
> <mailto:ovi.popa at gmail.com>> wrote:
>
> Hello everyone
>
> Anyone know how a phone detects if it needs to download a signed or 
> unsigned configuration file?
>
> I have a few phones that keep requesting signed file even though the 
> cluster is not in mixed mode and I cannot identify why they behave 
> this way. Does the ITL file contain information about the cluster 
> security mode?
>
> The phone logs say that the TFTP server is secure and keep trying for 
> the cnf.xml.sgn files. Where does it get this information?
>
> Thanks for any input.
>
> Regards.
>
> Ovidiu
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net <mailto:cisco-voip at puck.nether.net>
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
>
> -- 
> Ed Leatherman
>
>
>

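A small diagnostic for the "File not found" symptom described above: it asks the TFTP server for the same files the phone would, in the order the thread describes (ITL first, then the signed .cnf.xml.sgn config, then the unsigned .cnf.xml), and classifies each reply. This is an added example, not code from the list or from Cisco; the SEP<MAC> / ITLSEP<MAC>.tlv file naming is assumed, and the transfer is plain RFC 1350 TFTP over the Python standard library.

```python
import socket
import struct

# TFTP opcodes (RFC 1350) and the "File not found" error code.
TFTP_RRQ, TFTP_DATA, TFTP_ERROR = 1, 3, 5
TFTP_ERR_NOT_FOUND = 1


def phone_file_names(mac: str) -> list:
    """Files a phone with this MAC asks for, in the order the thread describes.
    Assumption: Cisco's usual SEP<MAC> naming for per-phone files."""
    mac = mac.replace(":", "").replace("-", "").upper()
    return [f"ITLSEP{mac}.tlv", f"SEP{mac}.cnf.xml.sgn", f"SEP{mac}.cnf.xml"]


def build_rrq(filename: str) -> bytes:
    """Read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", TFTP_RRQ) + filename.encode() + b"\0" + b"octet\0"


def parse_reply(pkt: bytes) -> str:
    """Classify the server's first reply to a read request."""
    if len(pkt) < 4:
        return "malformed"
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode == TFTP_DATA:
        return "served"
    if opcode == TFTP_ERROR:
        code = struct.unpack("!H", pkt[2:4])[0]
        return "not-found" if code == TFTP_ERR_NOT_FOUND else "error"
    return "unexpected"


def probe(server: str, mac: str, timeout: float = 2.0) -> dict:
    """Request each file from the TFTP server and record how it answers."""
    results = {}
    for name in phone_file_names(mac):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_rrq(name), (server, 69))
            try:
                pkt, peer = s.recvfrom(516)
                results[name] = parse_reply(pkt)
                if results[name] == "served":
                    # We only wanted to know the file exists; abort the transfer.
                    s.sendto(struct.pack("!HH", TFTP_ERROR, 0) + b"probe done\0", peer)
            except socket.timeout:
                results[name] = "timeout"
    return results


if __name__ == "__main__":
    import sys  # usage: probe.py <tftp-server> <phone-mac>
    print(probe(sys.argv[1], sys.argv[2]))
```

A "not-found" on the .sgn entry with "served" on the plain .cnf.xml points at the TFTP side (signed file never generated) rather than at the phone's ITL state.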