[cisco-voip] cnf.xml.sgn for non-secure cluster?
Ryan Ratliff
rratliff at cisco.com
Mon May 21 21:43:38 EDT 2012
For starters, Ed's original response is correct. If a phone has an ITL or CTL it will always request a signed config file.
To your issue: first of all, can you even do a manual TFTP download of the phone's config file? Unless there are some serious cert issues and TFTP just isn't able to sign a config file, the file not being present is unlikely to be a security issue.
Is the TFTP server the publisher or a sub? If it's a sub, then what does your database replication look like? TFTP can only build config files for phones it knows about via the local database. If you can't save a device from CCMAdmin, then you've got some database issues that could be impacting TFTP as well.
-Ryan
On May 21, 2012, at 5:53 PM, Ovidiu Popa wrote:
It appears that I was focused in the wrong direction. The problem is not the fact that the phones request a signed configuration file; it's the fact that the TFTP answers with "File not found".
The test cluster is based on a restore from a production backup, and the same phone works correctly with the production cluster.
If I try to generate the signed configuration file nothing seems to work (restarted TFTP, deleted ITL, rebooted the phone several times, deleted phone security and network settings, Apply Config button)... If I try to modify and save the configuration, the operation is rejected with the following message: "Update failed. Could not insert new row - duplicate value in a UNIQUE INDEX column (Unique Index: x_device_name)".
This is weird since I'm not trying to add a new phone, I'm only modifying the existing phone.
On 21/May/12 10:40 PM, Jason Aarons (AM) wrote:
>
> There is the Pre-8.0 Rollback Service Parameter that disables ITL, but you need it set before phones see the upgraded CallManager. So for any upgrade you need to shut down phones first, I suspect.
>
> From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ed Leatherman
> Sent: Monday, May 21, 2012 4:35 PM
> To: Ovidiu Popa
> Cc: cisco-voip
> Subject: Re: [cisco-voip] cnf.xml.sgn for non-secure cluster?
>
> Per my understanding, being on CUCM 8+ implies security-by-default is in use and your phone is going to get an ITL file and thus request signed config files:
>
> https://supportforums.cisco.com/docs/DOC-17679
> Security By Default provides these three functions for supported IP Phones:
>
> - Default authentication of TFTP downloaded files (configuration, locale, ringlist, etc.) using a signing key.
> - Optional encryption of TFTP configuration files using a signing key.
> - Certificate verification for phone-initiated HTTPS connections using a remote certificate trust store on Communications Manager (Trust Verification Service).
>
> On Mon, May 21, 2012 at 4:28 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
> My understanding is that ITL is required for several reasons:
> - used to store the trusted certificates required for the TLS session to the TVS web service (not related to cluster mixed mode, as HTTPS web services can be activated even if the cluster is unsecure)
> - used to validate file signatures (only if the cluster is in mixed mode)
>
> If this is correct I think it is normal that I have an ITL file, but my question still stands: how come the phone requests a signed file if the cluster is not secure?
>
> Thanks,
> Ovidiu
>
> On 21/May/12 8:03 PM, Ed Leatherman wrote:
> Hello,
>
> My understanding is that the phone requests a CTL or ITL file when it boots. If it ever actually gets a CTL or ITL file, from that point on it will always request a signed configuration file, unless the CTL or ITL files are manually deleted from the phone. If I'm incorrect hopefully someone will chime in :)
>
> Ed
>
> On Mon, May 21, 2012 at 1:12 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
> Hello everyone
>
> Anyone know how a phone detects if it needs to download a signed or unsigned configuration file?
>
> I have a few phones that keep requesting a signed file even though the cluster is not in mixed mode, and I cannot identify why they behave this way. Does the ITL file contain information about the cluster security mode?
>
> The phone logs say that the TFTP server is secure and keep trying for the cnf.xml.sgn files. Where does it get this information?
>
> Thanks for any input.
>
> Regards.
> Ovidiu
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
> --
> Ed Leatherman
>
> --
> Ed Leatherman
>
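Ryan's first check (can you manually TFTP-download the phone's config file?) scripted as an added example for this thread. This is not code from any poster and not Cisco tooling. It assumes the CUCM TFTP service listens on UDP/69, that the config names follow the SEP<MAC>.cnf.xml / SEP<MAC>.cnf.xml.sgn convention discussed above, and that the trust lists are served under the standard names CTLFile.tlv and ITLFile.tlv (those two names are not quoted in the thread). The "File not found" Ovidiu sees is TFTP error code 1 (RFC 1350), which the probe distinguishes from a timeout or any other error; the interpretation step maps the four probe results onto the cases Ryan lists (signed file present, only unsigned present, nothing known about the device).

```python
"""Manual TFTP probe for a CUCM phone's config and trust-list files.

Added diagnostic for this thread, not Cisco code and not from any poster.
Assumed: CUCM TFTP on UDP/69, SEP<MAC>.cnf.xml[.sgn] config names, and the
standard trust-list names CTLFile.tlv / ITLFile.tlv.
"""
import socket
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5   # RFC 1350 opcodes
TFTP_ERRORS = {0: "Not defined", 1: "File not found", 2: "Access violation",
               3: "Disk full", 4: "Illegal TFTP operation", 5: "Unknown transfer ID",
               6: "File already exists", 7: "No such user"}
TRUST_LIST_FILES = ["CTLFile.tlv", "ITLFile.tlv"]   # assumed standard CUCM names


def phone_file_names(mac):
    """Signed and unsigned config names for a phone MAC (any separator, any case)."""
    mac = mac.replace(":", "").replace("-", "").replace(".", "").upper()
    if len(mac) != 12 or any(c not in "0123456789ABCDEF" for c in mac):
        raise ValueError("MAC must be 12 hex digits: %r" % mac)
    base = "SEP%s.cnf.xml" % mac
    return [base + ".sgn", base]


def build_rrq(filename, mode="octet"):
    """Encode a TFTP read request: opcode 1, filename, NUL, mode, NUL."""
    return (struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def parse_response(packet):
    """Classify the first server reply as ('data', ...), ('error', ...) or ('other', ...)."""
    if len(packet) < 4:
        raise ValueError("short TFTP packet")
    opcode, field = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:
        return "data", {"block": field, "payload": packet[4:]}
    if opcode == OP_ERROR:
        message = packet[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return "error", {"code": field, "name": TFTP_ERRORS.get(field, "Unknown"),
                         "message": message}
    return "other", {"opcode": opcode}


def probe(server, filename, timeout=3.0):
    """Send one RRQ and report 'present', 'missing' (error code 1), 'error' or 'timeout'.

    Only the first packet is inspected; on DATA the transfer is aborted with an
    ERROR packet so the file is never fully downloaded.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_rrq(filename), (server, 69))
        try:
            packet, peer = sock.recvfrom(65535)
        except socket.timeout:
            return "timeout"
        kind, detail = parse_response(packet)
        if kind == "data":
            sock.sendto(struct.pack("!HH", OP_ERROR, 0) + b"probe only\0", peer)
            return "present"
        if kind == "error" and detail["code"] == 1:
            return "missing"
        return "error"


def interpret(results):
    """Map {filename: status} onto the cases discussed in the thread."""
    cfg = {n: s for n, s in results.items() if ".cnf.xml" in n}
    signed = [s for n, s in cfg.items() if n.endswith(".sgn")]
    unsigned = [s for n, s in cfg.items() if not n.endswith(".sgn")]
    trust_served = any(results.get(t) == "present" for t in TRUST_LIST_FILES)
    if "present" in signed:
        return "signed config is served; look at the phone side (stale ITL/CTL?)"
    if "present" in unsigned:
        return "TFTP built the config but could not sign it; check certificates"
    if signed + unsigned and all(s == "missing" for s in signed + unsigned):
        hint = "TFTP does not know this device; check local database/replication"
        if trust_served:
            hint += " (trust lists are served, so phones will keep asking for .sgn)"
        return hint
    return "inconclusive: " + ", ".join("%s=%s" % kv for kv in sorted(results.items()))


def diagnose(server, mac):
    """Probe config and trust-list files for one phone and interpret the outcome."""
    names = phone_file_names(mac) + TRUST_LIST_FILES
    results = {name: probe(server, name) for name in names}
    return results, interpret(results)


if __name__ == "__main__":
    import sys   # usage: python probe.py <tftp-server> <phone-mac>
    res, verdict = diagnose(sys.argv[1], sys.argv[2])
    for name, status in res.items():
        print("%-32s %s" % (name, status))
    print(verdict)
```

Run it against the test cluster's TFTP server with the MAC of one affected phone; a "missing" for both cnf.xml names alongside "present" for ITLFile.tlv is the combination Ryan's reply points to (TFTP hands out a trust list, so the phone keeps asking for .sgn, but has no record of the device to build a file from). Probing the publisher and the subscriber separately shows whether the gap is replication-specific.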