[cisco-voip] cnf.xml.sgn for non-secure cluster?

Ovidiu Popa ovi.popa at gmail.com
Tue May 22 13:31:10 EDT 2012


Hello Ryan

Thanks for the information. Here are my replies, and sorry for the delay:
- customer not available for manual TFTP download test; will update ASAP
- dedicated tftp
- replication status is at 2. I do, however, see a high number of replicates
that are queued in the replication queue. I also saw that the publisher has
lost synchronization with the NTP server. Could this cause the issue?
- I tried to do the modification directly on the TFTP server so it knew
about the device

Ovidiu


On Tue, May 22, 2012 at 3:43 AM, Ryan Ratliff <rratliff at cisco.com> wrote:

> For starters, Ed's original response is correct. If a phone has an ITL or
> CTL it will always request a signed config file.
>
> To your issue: first of all, can you even do a manual TFTP download of the
> phone's config file? Unless there are some serious cert issues and TFTP just
> isn't able to sign a config file, the file not being present is
> unlikely to be a security issue.
> Is the TFTP server the publisher or a sub? If it's a sub, then what does your
> database replication look like? TFTP can only build config files for
> phones it knows about via the local database. If you can't save a device
> from CCMAdmin then you've got some database issues that could be impacting
> TFTP as well.
>
>  -Ryan
>
> On May 21, 2012, at 5:53 PM, Ovidiu Popa wrote:
>
> It appears that I was focused in the wrong direction. The problem is not
> the fact that the phones request a signed configuration file; it's the fact
> that the TFTP answers with "File not found".
>
> The test cluster is based on a restore from a production backup and the
> same phone works correctly with the production cluster.
> If I try to generate the signed configuration file nothing seems to work
> (restarted TFTP, deleted ITL, rebooted the phone several times, deleted
> phone security and network settings, Apply Config button)... If I try to
> modify and save the configuration the operation is rejected with the
> following message: "Update failed. Could not insert new row - duplicate
> value in a UNIQUE INDEX column (Unique Index:x_device_name)".
>
> This is weird since I'm not trying to add a new phone; I'm only modifying
> the existing phone.
>
>
>
> On 21/May/12 10:40 PM, Jason Aarons (AM) wrote:
>
> There is the Pre-8.0 Rollback Service Parameter that disables ITL but you
> need it set before phones see the upgraded CallManager. So for any upgrade you
> need to shut down phones first, I suspect.
>
>
> From: cisco-voip-bounces at puck.nether.net
> [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ed Leatherman
> Sent: Monday, May 21, 2012 4:35 PM
> To: Ovidiu Popa
> Cc: cisco-voip
> Subject: Re: [cisco-voip] cnf.xml.sgn for non-secure cluster?
>
> Per my understanding, being on CUCM 8+ implies security-by-default is in
> use and your phone is going to get an ITL file and thus request signed
> config files:
>
> https://supportforums.cisco.com/docs/DOC-17679
>
> Security By Default provides these three functions for supported IP Phones:
>
>    1. Default authentication of TFTP downloaded files (configuration,
>    locale, ringlist, etc) using a signing key.
>    2. Optional encryption of TFTP configuration files using a signing
>    key.
>    3. Certificate verification for phone initiated HTTPS connections
>    using a remote certificate trust store on Communications Manager (Trust
>    Verification Service).
>
> On Mon, May 21, 2012 at 4:28 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
>
> My understanding is that ITL is required for several reasons:
> - used to store the trusted certificates required for the TLS session to
> the TVS web service (not related to cluster mixed mode, as HTTPS web
> services can be activated even if the cluster is unsecure)
> - used to validate file signatures (only if the cluster is in mixed mode)
>
> If this is correct I think it is normal that I have an ITL file, but my
> question still stands: how come the phone requests a signed file if the
> cluster is not secure?
>
> Thanks,
> Ovidiu
>
> On 21/May/12 8:03 PM, Ed Leatherman wrote:
>
> Hello,
>
> My understanding is that the phone requests a CTL or ITL file when it
> boots. If it ever actually gets a CTL or ITL file, from that point on it
> will always request a signed configuration file, unless the CTL or ITL
> files are manually deleted from the phone. If I'm incorrect hopefully
> someone will chime in :)
>
> Ed
>
> On Mon, May 21, 2012 at 1:12 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
>
> Hello everyone,
>
>
> Anyone know how a phone detects if it needs to download a signed or
> unsigned configuration file?
>
> I have a few phones that keep requesting a signed file even though the
> cluster is not in mixed mode and I cannot identify why they behave this
> way. Does the ITL file contain information about the cluster security mode?
>
> The phone logs say that the TFTP server is secure and that it keeps trying
> for the cnf.xml.sgn files. Where does it get this information?
>
> Thanks for any input.
>
> Regards,
>
> Ovidiu
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
> --
> Ed Leatherman
>
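As an added example (not code from this thread, from Cisco, or from any CUCM tool): the manual TFTP download test Ryan asks for, written as a minimal RFC 1350 read client in Python and paired with a constructed stand-in TFTP responder so it runs offline. It requests the SEP<MAC>.cnf.xml.sgn name that a phone holding an ITL or CTL asks for, then the unsigned name for comparison, and reports whether each is served or answered with TFTP error 1 ("File not found"), which is what a device the TFTP server does not know about looks like. The MAC addresses, file contents and signature header are constructed placeholders; against a real CUCM node you would point tftp_get at the server's UDP port 69 (a standard tftp client does the same job).

```python
import socket
import struct
import threading

# TFTP opcodes and the one error code this check cares about (RFC 1350).
RRQ, DATA, ACK, ERROR = 1, 3, 4, 5
ERR_FILE_NOT_FOUND = 1
BLOCK_SIZE = 512

# Constructed sample content for the stand-in server: one device the server
# "knows about" (both the signed and the unsigned config names exist).
# The signature header is a placeholder, not the real Cisco .sgn format.
SAMPLE_XML = b"<device><devicePool>Default</devicePool></device>"
SAMPLE_FILES = {
    "SEP001122334455.cnf.xml": SAMPLE_XML,
    "SEP001122334455.cnf.xml.sgn": b"[constructed-signature-header]" + SAMPLE_XML * 20,
}


def build_rrq(filename, mode="octet"):
    """Encode a TFTP read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def tftp_get(host, port, filename, timeout=2.0):
    """Fetch one file over TFTP. Returns ("ok", bytes) or ("error", code, message)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    received = bytearray()
    expected_block = 1
    try:
        sock.sendto(build_rrq(filename), (host, port))
        while True:
            pkt, peer = sock.recvfrom(4 + BLOCK_SIZE)
            opcode, field = struct.unpack("!HH", pkt[:4])
            if opcode == ERROR:
                return ("error", field, pkt[4:].rstrip(b"\0").decode(errors="replace"))
            if opcode == DATA and field == expected_block:
                received += pkt[4:]
                # The ACK goes to the port the DATA came from (the server's transfer ID).
                sock.sendto(struct.pack("!HH", ACK, field), peer)
                expected_block += 1
                if len(pkt) - 4 < BLOCK_SIZE:  # a short block terminates the transfer
                    return ("ok", bytes(received))
    finally:
        sock.close()


def check_phone_config(host, port, mac):
    """Manual download test for one phone: a phone holding an ITL/CTL asks for
    the .sgn name, so try that first, then the unsigned name for comparison."""
    results = {}
    for name in ("SEP%s.cnf.xml.sgn" % mac, "SEP%s.cnf.xml" % mac):
        results[name] = tftp_get(host, port, name)
    return results


def serve_one_request(sock, files):
    """Stand-in server (constructed): answer a single RRQ with DATA blocks or ERROR 1."""
    pkt, peer = sock.recvfrom(1024)
    if struct.unpack("!H", pkt[:2])[0] != RRQ:
        return
    name = pkt[2:].split(b"\0")[0].decode(errors="replace")
    data = files.get(name)
    if data is None:
        sock.sendto(struct.pack("!HH", ERROR, ERR_FILE_NOT_FOUND) + b"File not found\0", peer)
        return
    block, offset = 1, 0
    while True:
        chunk = data[offset:offset + BLOCK_SIZE]
        sock.sendto(struct.pack("!HH", DATA, block) + chunk, peer)
        sock.recvfrom(1024)  # wait for the client's ACK (no retransmit logic here)
        block, offset = block + 1, offset + BLOCK_SIZE
        if len(chunk) < BLOCK_SIZE:
            return


def start_stand_in_server(files):
    """Run the stand-in server on 127.0.0.1; returns (port, stop_function)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.2)
    running = [True]

    def loop():
        while running[0]:
            try:
                serve_one_request(sock, files)
            except socket.timeout:
                continue
        sock.close()

    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()[1], lambda: running.__setitem__(0, False)


if __name__ == "__main__":
    port, stop = start_stand_in_server(SAMPLE_FILES)
    for mac in ("001122334455", "00AABBCCDDEE"):  # known device, then unknown device
        for name, result in check_phone_config("127.0.0.1", port, mac).items():
            print(name, "->", "%d bytes" % len(result[1]) if result[0] == "ok" else result)
    stop()
```

The point of running both names is the distinction Ryan draws: a phone with an ITL will only ever ask for the .sgn, so a "File not found" on that name alone could be a signing problem, but "File not found" on both names means the TFTP server has no record of the device at all, which points at the local database (replication, or the failed save in CCMAdmin) rather than at security.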