[cisco-voip] cnf.xml.sgn for non-secure cluster?

Ovidiu Popa ovi.popa at gmail.com
Tue May 22 14:10:39 EDT 2012


Does utils dbreplication runtimestate on the Publisher count?
I have 2 screenshots from yesterday with the result (replication = 2
and replication queue growing from 592 in the first screenshot to 720 in
the second screenshot)

On Tue, May 22, 2012 at 8:06 PM, Ryan Ratliff <rratliff at cisco.com> wrote:

> Unfortunately CCMAdmin still reads from the publisher's database so I
> wouldn't count that as a reliable indicator of subscriber db state.
>
> When you get access I'd run a 'utils dbreplication status' on the pub to
> have it check the tables.
>
>  -Ryan
>
> On May 22, 2012, at 1:31 PM, Ovidiu Popa wrote:
>
> Hello Ryan
>
> Thanks for the information. Here are my replies, and sorry for the delay:
> - customer not available for manual tftp download test. Will update asap
> - dedicated tftp
> - replication status is at 2. I do however see a high number of replicates
> that are queued in the replication queue. I also saw that the publisher has
> lost synchronization with the NTP server. Could this cause the issue?
> - I tried to do the modification directly on the TFTP server so it knew
> about the device
>
> Ovidiu
>
>
> On Tue, May 22, 2012 at 3:43 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
>
>> For starters Ed's original response is correct.  If a phone has an ITL or
>> CTL it will always request a signed config file.
>>
>> To your issue, first of all, can you even do a manual TFTP download of the
>> phone's config file?  Unless there's some serious cert issues and TFTP just
>> isn't able to sign a config file then the file not being present is
>> unlikely to be a security issue.
>> Is the TFTP server the publisher or a sub?  If it's a sub then what's
>> your database replication look like?  TFTP can only build config files for
>> phones it knows about via the local database.  If you can't save a device
>> from CCMAdmin then you've got some database issues that could be impacting
>> TFTP as well.
>>
>>  -Ryan
>>
>> On May 21, 2012, at 5:53 PM, Ovidiu Popa wrote:
>>
>> It appears that I was focused in the wrong direction. The problem is not
>> the fact that the phones request a signed configuration file; it's the fact
>> that the TFTP answers with "File not found".
>>
>> The test cluster is based on a restore from a production backup and the
>> same phone works correctly with the production cluster.
>> If I try to generate the signed configuration file nothing seems to work
>> (restarted tftp, deleted itl, rebooted the phone several times, deleted
>> phone security and network settings, apply config button)...  If I try to
>> modify and save the configuration the operation is rejected with the
>> following message " Update failed. Could not insert new row - duplicate
>> value in a UNIQUE INDEX column (Unique Index:x_device_name)".
>>
>> This is weird since I'm not trying to add a new phone, I'm only modifying
>> the existing phone.
>>
>>
>>
>> On 21/May/12 10:40 PM, Jason Aarons (AM) wrote:
>>
>> There is the Pre-8.0 Rollback Service Parameter that disables ITL but you
>> need it set before phones see the upgraded CallManager. So any upgrade you
>> need to shut down phones first I suspect.
>>
>> From: cisco-voip-bounces at puck.nether.net
>> [mailto:cisco-voip-bounces at puck.nether.net]
>> On Behalf Of Ed Leatherman
>> Sent: Monday, May 21, 2012 4:35 PM
>> To: Ovidiu Popa
>> Cc: cisco-voip
>> Subject: Re: [cisco-voip] cnf.xml.sgn for non-secure cluster?
>>
>> Per my understanding, being on CUCM 8+ implies security-by-default is in
>> use and your phone is going to get an ITL file and thus request signed
>> config files:
>>
>> https://supportforums.cisco.com/docs/DOC-17679
>>
>> Security By Default provides these three functions for supported IP
>> Phones:
>>
>>    1. Default authentication of TFTP downloaded files (configuration,
>>    locale, ringlist, etc) using a signing key.
>>    2. Optional encryption of TFTP configuration files using a signing
>>    key.
>>    3. Certificate verification for phone initiated HTTPS connections
>>    using a remote certificate trust store on Communications Manager (Trust
>>    Verification Service).
>>
>> On Mon, May 21, 2012 at 4:28 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
>>
>> My understanding is that ITL is required for several reasons:
>> - used to store the trusted certificates required for the TLS session to
>> the TVS web service (not related to cluster mixed mode as https web
>> services can be activated even if the cluster is unsecure)
>> - used to validate file signatures (only if the cluster is in mixed mode)
>>
>> If this is correct I think it is normal that I have an ITL file, but my
>> question still stands: how come the phone requests a signed file if the
>> cluster is not secure?
>>
>> Thanks,
>> Ovidiu
>>
>> On 21/May/12 8:03 PM, Ed Leatherman wrote:
>>
>> Hello,
>>
>> My understanding is that the phone requests a CTL or ITL file when it
>> boots. If it ever actually gets a CTL or ITL file, from that point on it
>> will always request a signed configuration file, unless the CTL or ITL
>> files are manually deleted from the phone. If I'm incorrect hopefully
>> someone will chime in :)
>>
>> Ed
>>
>> On Mon, May 21, 2012 at 1:12 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
>>
>> Hello everyone
>>
>> Anyone know how a phone detects if it needs to download a signed or
>> unsigned configuration file?
>>
>> I have a few phones that keep requesting a signed file even though the
>> cluster is not in mixed mode and I cannot identify why they behave this
>> way. Does the ITL file contain information about the cluster security mode?
>>
>> The phone logs say that the TFTP server is secure and it keeps trying for
>> the cnf.xml.sgn files. Where does it get this information?
>>
>> Thanks for any input.
>>
>> Regards.
>>
>> Ovidiu
>>
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>> --
>> Ed Leatherman
>>
>>
>
>
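Ryan's first suggested check is a manual TFTP download of the phone's configuration file. The following is an added example, not code from this thread or from Cisco: it performs that probe in Python, requesting both SEP<MAC>.cnf.xml.sgn and SEP<MAC>.cnf.xml over TFTP (RFC 1350, octet mode) and reporting whether each request comes back as data or as a TFTP ERROR packet (error code 1, "File not found", the reply Ovidiu saw). The MAC address, the file contents and the in-process TinyTftpServer are constructed stand-ins so that the example runs offline; against a real cluster you would point tftp_get at the cluster's TFTP server address on UDP port 69.

```python
"""Manual TFTP probe for a phone's config files (added example, not from the thread).
It performs the check Ryan suggests: request SEP<MAC>.cnf.xml.sgn and SEP<MAC>.cnf.xml
and report DATA versus ERROR replies. A tiny in-process server with a constructed
file set stands in for the CUCM TFTP service so the example runs offline."""
import socket
import struct
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512  # RFC 1350 default; a block shorter than this ends the transfer


class TinyTftpServer:
    """Read-only demo server. It answers from its listening socket rather than a
    fresh TID port as real servers do, which RFC 1350 clients still accept."""

    def __init__(self, files):
        self.files = files  # filename -> bytes (constructed inventory)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                pkt, peer = self.sock.recvfrom(1024)
            except socket.timeout:
                continue
            if len(pkt) < 2 or struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
                continue
            name = pkt[2:].split(b"\0", 1)[0].decode("ascii", "replace")
            data = self.files.get(name)
            if data is None:  # error code 1 is the "File not found" seen in the thread
                self.sock.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0", peer)
                continue
            # Blocks are numbered from 1; len+1 as the range end yields the final short
            # (possibly empty) block even when the file fills whole blocks exactly.
            for block, offset in enumerate(range(0, len(data) + 1, BLOCK_SIZE), start=1):
                self.sock.sendto(struct.pack("!HH", OP_DATA, block)
                                 + data[offset:offset + BLOCK_SIZE], peer)
                try:
                    ack, _ = self.sock.recvfrom(1024)
                except socket.timeout:
                    break
                if ack[:4] != struct.pack("!HH", OP_ACK, block):
                    break


def tftp_get(host, port, filename, timeout=2.0):
    """Fetch one file by RRQ; returns (bytes, None) or (None, reason) on failure."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        rrq = struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\0octet\0"
        sock.sendto(rrq, (host, port))
        received, expected = bytearray(), 1
        while True:
            pkt, peer = sock.recvfrom(4 + BLOCK_SIZE)
            opcode, arg = struct.unpack("!HH", pkt[:4])
            if opcode == OP_ERROR:
                msg = pkt[4:].split(b"\0", 1)[0].decode("ascii", "replace")
                return None, f"error {arg}: {msg}"
            if opcode != OP_DATA or arg != expected:
                continue  # ignore stray or duplicate blocks
            received += pkt[4:]
            sock.sendto(struct.pack("!HH", OP_ACK, arg), peer)  # ACK to the sender's TID
            if len(pkt) - 4 < BLOCK_SIZE:
                return bytes(received), None
            expected += 1
    except socket.timeout:
        return None, "timeout (no TFTP reply)"
    finally:
        sock.close()


def probe_phone_config(host, port, mac):
    """Request both config file names a phone with this MAC might ask for."""
    device = f"SEP{mac.upper()}"
    results = {}
    for name in (f"{device}.cnf.xml.sgn", f"{device}.cnf.xml"):
        data, reason = tftp_get(host, port, name)
        results[name] = ("ok", len(data)) if reason is None else ("fail", reason)
    return results


def demo():
    """Probe a constructed server that holds only the signed file for one phone."""
    signed = b"<device>" + b"x" * 1500 + b"</device>"  # constructed, 1517 bytes
    server = TinyTftpServer({"SEP001122334455.cnf.xml.sgn": signed})
    try:
        return probe_phone_config("127.0.0.1", server.port, "001122334455")
    finally:
        server.stop()
```

demo() returns ("ok", 1517) for the signed name and ("fail", "error 1: File not found") for the unsigned one, which is the pattern a phone with an ITL sees on a healthy cluster. The case from the thread is the reverse: a "File not found" for the .sgn name tells you the TFTP service has no config to serve for that device name, which points at the database side (device not known locally, replication state) rather than at the signing itself.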

