[cisco-voip] cnf.xml.sgn for non-secure cluster?
Ovidiu Popa
ovi.popa at gmail.com
Mon May 21 17:53:03 EDT 2012
It appears that I was focused in the wrong direction. The problem is not
the fact that the phones request a signed configuration file; it's the
fact that the TFTP answers with "File not found".
The test cluster is based on a restore from a production backup and the
same phone works correctly with the production cluster.
If I try to generate the signed configuration file nothing seems to work
(restarted tftp, deleted itl, rebooted the phone several times, deleted
phone security and network settings, apply config button)... If I try
to modify and save the configuration the operation is rejected with the
following message " Update failed. Could not insert new row - duplicate
value in a UNIQUE INDEX column (Unique Index:x_device_name)".
This is weird since I'm not trying to add a new phone, I'm only
modifying the existing phone.
On 21/May/12 10:40 PM, Jason Aarons (AM) wrote:
>
> There is the Pre-8.0 Rollback Service Parameter that disables ITL but
> you need it set before phones see the upgraded CallManager. So for any
> upgrade you need to shut down phones first, I suspect.
>
> *From:* cisco-voip-bounces at puck.nether.net
> [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf Of* Ed Leatherman
> *Sent:* Monday, May 21, 2012 4:35 PM
> *To:* Ovidiu Popa
> *Cc:* cisco-voip
> *Subject:* Re: [cisco-voip] cnf.xml.sgn for non-secure cluster?
>
> Per my understanding, being on CUCM 8+ implies security-by-default is
> in use and your phone is going to get an ITL file and thus request
> signed config files:
>
> https://supportforums.cisco.com/docs/DOC-17679
>
> Security By Default provides these three functions for supported IP
> Phones:
>
> 1. Default authentication of TFTP downloaded files (configuration,
> locale, ringlist, etc) using a signing key.
> 2. Optional encryption of TFTP configuration files using a signing key.
> 3. Certificate verification for phone initiated HTTPS connections
> using a remote certificate trust store on Communications Manager
> (Trust Verification Service).
>
> On Mon, May 21, 2012 at 4:28 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
>
> My understanding is that ITL is required for several reasons:
> - used to store the trusted certificates required for the TLS session
> to the TVS web service (not related to cluster mixed mode as https web
> services can be activated even if the cluster is unsecure)
> - used to validate file signatures (only if the cluster is in mixed mode)
>
> If this is correct I think it is normal that I have an ITL file but my
> question still stands: how come the phone requests a signed file if
> the cluster is not secure?
>
> Thanks,
> Ovidiu
>
> On 21/May/12 8:03 PM, Ed Leatherman wrote:
>
> Hello,
>
> My understanding is that the phone requests a CTL or ITL file when it
> boots. If it ever actually gets a CTL or ITL file, from that point on
> it will always request a signed configuration file, unless the CTL or
> ITL files are manually deleted from the phone. If I'm incorrect
> hopefully someone will chime in :)
>
> Ed
>
> On Mon, May 21, 2012 at 1:12 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
>
> Hello everyone
>
> Anyone know how a phone detects if it needs to download a signed or
> unsigned configuration file?
>
> I have a few phones that keep requesting signed file even though the
> cluster is not in mixed mode and I cannot identify why they behave
> this way. Does the ITL file contain information about the cluster
> security mode?
>
> The phone logs say that the TFTP server is secure and keep trying for
> the cnf.xml.sgn files. Where does it get this information?
>
> Thanks for any input.
>
> Regards.
>
> Ovidiu
>
>
> --
> Ed Leatherman
>