[cisco-voip] Changing CUCM Servers to use IP instead of DNS
Ryan Ratliff (rratliff)
rratliff at cisco.com
Thu Jul 25 16:19:46 EDT 2013
Excellent recommendations. Starting with the next few phone releases we'll also be getting CTL/ITL information displayed in the phone's web page and even sent back to CUCM where it can be parsed out of the syslog.
-Ryan
On Jul 25, 2013, at 4:16 PM, Stephen Welsh <stephen.welsh at unifiedfx.com> wrote:
Sorry Ryan,
I was getting confused. In the past I've seen issues with mismatched certificate subject names when changing the hostname, and I was under the impression this would apply when changing to an IP address. So it's a hostname change that would cause an issue, but as you state, if the change is only in the process node table, that does not map out to the certificate.
As you say, the ITL file is regenerated (I always get nervous when that happens ;), but as long as the certs don't change and the ITL file currently on the phone has valid cert entries, then the new ITL file will be installed.
However, I do recommend for anyone performing CUCM Changes/Upgrades to do the following to ensure if any phones do get an ITL Issue they can be resolved remotely:
* Enable Settings Menu Access (This is the default, but sometimes public phones are set to Restricted/Disabled)
* Enable the phone web server (i.e. in Enterprise Phone Configuration)
* Change the Secure Authentication URL to non-secure i.e. http://[IPAddress]:8080/ccmcip/authenticate.jsp
Thanks
Stephen
On 25 Jul 2013, at 19:27, Ryan Ratliff (rratliff) <rratliff at cisco.com> wrote:
CUCM 9.1(1a), default System->Server value from fresh install. This is from the OS Admin Certificate Management display of the CallManager.pem.
Version: V3
Serial Number: 99480614108321596406940253707831773761
SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Issuer Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US
Validity From: Thu Apr 25 14:28:18 EDT 2013
To: Tue Apr 24 14:28:17 EDT 2018
Subject Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US
Here's the "show itl" output.
admin:show itl
The checksum value of the ITL file:
a1fe51f30c31ed586dc839e9b51d1046(MD5)
cb3637f73ae2d0ccf1e9b11d9b4b2a6302428e18(SHA1)
Length of ITL file: 4243
The ITL File was last modified on Thu Apr 25 14:53:47 EDT 2013
After changing System->Server to IP address.
Version: V3
Serial Number: 99480614108321596406940253707831773761
SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Issuer Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US
Validity From: Thu Apr 25 14:28:18 EDT 2013
To: Tue Apr 24 14:28:17 EDT 2018
Subject Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US
And the "show itl".
admin:show itl
The checksum value of the ITL file:
00b6ca74a635657cd533080d8f970315(MD5)
8f9573112f81c8a37661f03e639379f1dba2874e(SHA1)
Length of ITL file: 4243
The ITL File was last modified on Thu Jul 25 14:20:05 EDT 2013
So in part you are correct, the ITL will be regenerated. We do this way too frequently (even changing a CM group regenerates ITLs) but the ITL itself isn't as important as the cert used to sign the ITL. That doesn't change just by changing the value in the processnode table.
-Ryan
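A check that reproduces the comparison Ryan walks through above, as an added Python example that is not part of the thread: it parses the two CallManager.pem displays and the two "show itl" outputs quoted in his message and reports whether the ITL was regenerated while the certificate that signs it stayed the same. The certificate and ITL text is copied from the message; the parsing functions and verdict strings are my own.

```python
import re

# Certificate display and "show itl" output as quoted in the message (before/after the change).
CERT_BEFORE = """Version: V3
Serial Number: 99480614108321596406940253707831773761
SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Issuer Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US
Subject Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US"""
CERT_AFTER = CERT_BEFORE  # identical in the thread: the cert was not regenerated
ITL_BEFORE = """The checksum value of the ITL file:
a1fe51f30c31ed586dc839e9b51d1046(MD5)
cb3637f73ae2d0ccf1e9b11d9b4b2a6302428e18(SHA1)
Length of ITL file: 4243
The ITL File was last modified on Thu Apr 25 14:53:47 EDT 2013"""
ITL_AFTER = """The checksum value of the ITL file:
00b6ca74a635657cd533080d8f970315(MD5)
8f9573112f81c8a37661f03e639379f1dba2874e(SHA1)
Length of ITL file: 4243
The ITL File was last modified on Thu Jul 25 14:20:05 EDT 2013"""

def parse_cert(text):
    """Pull the fields that identify the signing cert out of the OS Admin display."""
    fields = {}
    for key in ("Serial Number", "Subject Name", "Issuer Name"):
        m = re.search(rf"^{key}:\s*(.+)$", text, re.M)
        fields[key] = m.group(1).strip() if m else None
    return fields

def parse_itl(text):
    """Extract the checksums and length from 'show itl' output."""
    md5 = re.search(r"^([0-9a-f]{32})\(MD5\)", text, re.M)
    sha1 = re.search(r"^([0-9a-f]{40})\(SHA1\)", text, re.M)
    length = re.search(r"Length of ITL file:\s*(\d+)", text)
    return {"md5": md5.group(1) if md5 else None,
            "sha1": sha1.group(1) if sha1 else None,
            "length": int(length.group(1)) if length else None}

def assess_change(cert_before, cert_after, itl_before, itl_after):
    """Distinguish a harmless ITL regeneration from a signer change phones may reject."""
    cb, ca = parse_cert(cert_before), parse_cert(cert_after)
    ib, ia = parse_itl(itl_before), parse_itl(itl_after)
    signer_changed = cb != ca
    itl_changed = ib["sha1"] != ia["sha1"]
    if signer_changed:
        verdict = "signing cert changed: phones holding the old ITL may reject the new one"
    elif itl_changed:
        verdict = "ITL regenerated but signer unchanged: phones should accept it"
    else:
        verdict = "no change"
    return {"signer_changed": signer_changed, "itl_changed": itl_changed, "verdict": verdict}
```

Run the same comparison against the pre-change and post-change captures of any node before rolling the change out to phones.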
On Jul 25, 2013, at 12:41 PM, Stephen Welsh <stephen.welsh at unifiedfx.com> wrote:
Hi Ryan,
I have to disagree. Changing from Hostname <-> IP Address will mean the subject name of the certificates (Callmanager.pem & TVS.pem) on the relevant nodes will change, so those certificates will be regenerated.
As long as you follow this document you should be okay:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/install/8_6_1/ipchange/ipchg861.html
However, we do typically find during a change like this a small percentage of devices don't update their ITL Files correctly, so you may end up with 1-2% of endpoints with problems and not know it...
UnifiedFX (http://www.unifiedfx.com) just announced a brand new version of PhoneView (Version 3.5) that allows you to detect, report and fix any ITL issues. We just published this video showing the new features, very relevant to Eric's project, or anyone upgrading/changing CUCM for that matter:
http://www.youtube.com/watch?v=-2FH-_rzdnE
Thanks
Stephen Welsh
On 25 Jul 2013, at 16:47, "Ryan Ratliff (rratliff)" <rratliff at cisco.com> wrote:
It won't impact ITLs since they are based on the actual server info, nothing in the database.
The biggest issue with doing this comes when changing the IP address of a server. If the value in System->Server doesn't match or cannot resolve to the IP of the server, then the database won't start, and all kinds of bad things happen.
-Ryan
On Jul 25, 2013, at 10:32 AM, Eric Pedersen <PedersenE at bennettjones.com> wrote:
I'm considering changing the CUCM Servers to be configured as IP addresses instead of host names to remove the dependency of phones on DNS. Is this a safe thing to do? I couldn't find much information about this on the Cisco site. I'm particularly concerned about ITL issues after the change.
Thanks,
Eric
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip