[cisco-voip] cnf.xml.sgn for non-secure cluster?

Wes Sisk wsisk at cisco.com
Tue May 22 14:26:11 EDT 2012


Russ wrote a great doc on this:

https://supportforums.cisco.com/docs/DOC-13672

Replication state 2 only means the agents are communicating.  It does not mean the table contents are in sync.

Regards,
Wes

On May 22, 2012, at 2:10 PM, Ovidiu Popa wrote:

Does utils dbreplication runtimestate on the Publisher count?
I have 2 screenshots from yesterday with the result (replication = 2 and replication queue growing from 592 in the first screenshot to 720 in the second screenshot).

On Tue, May 22, 2012 at 8:06 PM, Ryan Ratliff <rratliff at cisco.com> wrote:
Unfortunately CCMAdmin still reads from the publisher's database so I wouldn't count that as a reliable indicator of subscriber db state.

When you get access I'd run a 'utils dbreplication status' on the pub to have it check the tables.  

-Ryan

On May 22, 2012, at 1:31 PM, Ovidiu Popa wrote:

Hello Ryan

Thanks for the information. Here are my replies, and sorry for the delay:
- customer not available for manual tftp download test. Will update asap
- dedicated tftp
- replication status is at 2. I do however see a high number of replicates that are queued in the replication queue. I also saw that the publisher has lost synchronization with the NTP server. Could this cause the issue?
- I tried to do the modification directly on the TFTP server so it knew about the device

Ovidiu


On Tue, May 22, 2012 at 3:43 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
For starters Ed's original response is correct.  If a phone has an ITL or CTL it will always request a signed config file.  

To your issue, first of all, can you even do a manual TFTP download of the phone's config file?  Unless there are some serious cert issues and TFTP just isn't able to sign a config file, then the file not being present is unlikely to be a security issue.
Is the TFTP server the publisher or a sub?  If it's a sub then what's your database replication look like?  TFTP can only build config files for phones it knows about via the local database.  If you can't save a device from CCMAdmin then you've got some database issues that could be impacting TFTP as well.

-Ryan

On May 21, 2012, at 5:53 PM, Ovidiu Popa wrote:

It appears that I was focused in the wrong direction. The problem is not the fact that the phones request a signed configuration file; it's the fact that the TFTP answers with "File not found".

The test cluster is based on a restore from a production backup and the same phone works correctly with the production cluster.
If I try to generate the signed configuration file nothing seems to work (restarted tftp, deleted itl, rebooted the phone several times, deleted phone security and network settings, apply config button)...  If I try to modify and save the configuration the operation is rejected with the following message: "Update failed. Could not insert new row - duplicate value in a UNIQUE INDEX column (Unique Index:x_device_name)".

This is weird since I'm not trying to add a new phone, I'm only modifying the existing phone.



On 21/May/12 10:40 PM, Jason Aarons (AM) wrote:
> 
> There is the Pre-8.0 Rollback Service Parameter that disables ITL but you need it set before phones see the upgraded CallManager. So for any upgrade you need to shut down phones first, I suspect.
>
> From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ed Leatherman
> Sent: Monday, May 21, 2012 4:35 PM
> To: Ovidiu Popa
> Cc: cisco-voip
> Subject: Re: [cisco-voip] cnf.xml.sgn for non-secure cluster?
>
> Per my understanding, being on CUCM 8+ implies security-by-default is in use and your phone is going to get an ITL file and thus request signed config files:
>
> https://supportforums.cisco.com/docs/DOC-17679
> 
> Security By Default provides these three functions for supported IP Phones:
> 
> Default authentication of TFTP downloaded files (configuration, locale, ringlist, etc.) using a signing key.
> Optional encryption of TFTP configuration files using a signing key.
> Certificate verification for phone initiated HTTPS connections using a remote certificate trust store on Communications Manager (Trust Verification Service).
>
> On Mon, May 21, 2012 at 4:28 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
> 
> My understanding is that ITL is required for several reasons:
> - used to store the trusted certificates required for the TLS session to the TVS web service (not related to cluster mixed mode as https web services can be activated even if the cluster is unsecure)
> - used to validate file signatures (only if the cluster is in mixed mode)
> 
> If this is correct I think it is normal that I have an ITL file, but my question still stands: how come the phone requests a signed file if the cluster is not secure?
> 
> Thanks,
> Ovidiu
>
> On 21/May/12 8:03 PM, Ed Leatherman wrote:
> 
> Hello,
>
> My understanding is that the phone requests a CTL or ITL file when it boots. If it ever actually gets a CTL or ITL file, from that point on it will always request a signed configuration file, unless the CTL or ITL files are manually deleted from the phone. If I'm incorrect hopefully someone will chime in :)
>
> Ed
> 
> On Mon, May 21, 2012 at 1:12 PM, Ovidiu Popa <ovi.popa at gmail.com> wrote:
> 
> Hello everyone,
>
> Anyone know how a phone detects if it needs to download a signed or unsigned configuration file?
>
> I have a few phones that keep requesting a signed file even though the cluster is not in mixed mode and I cannot identify why they behave this way. Does the ITL file contain information about the cluster security mode?
>
> The phone logs say that the TFTP server is secure and keep trying for the cnf.xml.sgn files. Where does it get this information?
>
> Thanks for any input.
>
> Regards.
> 
> Ovidiu
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
> -- 
> Ed Leatherman
>
