[cisco-voip] Changing CUCM Servers to use IP instead of DNS
Eric Pedersen
PedersenE at bennettjones.com
Fri Jul 26 10:01:37 EDT 2013
Thank you for testing this out Ryan! If I understand SBD correctly, phones only lose the ITL trust if the CM cert and TVS cert change and from your test changing from hostname to IP doesn't regenerate the CM cert.
Do you think we will need to reboot the cluster after each Server change or can wait until they are all changed since the IP addresses aren't actually changing?
From: Ryan Ratliff (rratliff) [mailto:rratliff at cisco.com]
Sent: 25 July 2013 12:27 PM
To: Stephen Welsh
Cc: Eric Pedersen; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Changing CUCM Servers to use IP instead of DNS
Importance: High
CUCM 9.1(1a), default System->Server value from fresh install. This is from the OS Admin Certificate Management display of the CallManager.pem.
Version: V3
Serial Number: 99480614108321596406940253707831773761
SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Issuer Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US
Validity From: Thu Apr 25 14:28:18 EDT 2013
To: Tue Apr 24 14:28:17 EDT 2018
Subject Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US
Here's the "show itl' output.
admin:show itl
The checksum value of the ITL file:
a1fe51f30c31ed586dc839e9b51d1046(MD5)
cb3637f73ae2d0ccf1e9b11d9b4b2a6302428e18(SHA1)
Length of ITL file: 4243
The ITL File was last modified on Thu Apr 25 14:53:47 EDT 2013
After changing System->Server to IP address.
[
Version: V3
Serial Number: 99480614108321596406940253707831773761
SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Issuer Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US
Validity From: Thu Apr 25 14:28:18 EDT 2013
To: Tue Apr 24 14:28:17 EDT 2018
Subject Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US
And the "show itl".
admin:show itl
The checksum value of the ITL file:
00b6ca74a635657cd533080d8f970315(MD5)
8f9573112f81c8a37661f03e639379f1dba2874e(SHA1)
Length of ITL file: 4243
The ITL File was last modified on Thu Jul 25 14:20:05 EDT 2013
So in part you are correct, the ITL will be regenerated. We do this way too frequently (even changing a CM group regenerates ITLs) but the ITL itself isn't as important as the cert used to sign the ITL. That doesn't change just by changing the value in the processnode table.
-Ryan
On Jul 25, 2013, at 12:41 PM, Stephen Welsh <stephen.welsh at unifiedfx.com<mailto:stephen.welsh at unifiedfx.com>> wrote:
Hi Ryan,
I have to disagree, changing from Hostname <-> IP Address will mean the subject name of the certificates (Callmanager.Pem & TVS.Pem) on the relevant nodes will change, so those certificates will be regenerated.
As long as you follow this document you should be okay:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/install/8_6_1/ipchange/ipchg861.html
However, we do typically find during a change like this a small percentage of devices don't update their ITL Files correctly, so you may end up with 1-2% of endpoints with problems and not know it...
UnifiedFX (http://www.unifiedfx.com<http://www.unifiedfx.com/>) just announces a brand new version of PhoneView (Version 3.5) that allows you to detect, report and fix any ITL Issues, we just published this video showing the new features, very relevant to Eric's project, or anyone upgrading/changing CUCM for that matter:
http://www.youtube.com/watch?v=-2FH-_rzdnE
Thanks
Stephen Welsh
On 25 Jul 2013, at 16:47, "Ryan Ratliff (rratliff)" <rratliff at cisco.com<mailto:rratliff at cisco.com>>
wrote:
It won't impact ITLs since they are based on the actual server info, nothing in the database.
The biggest issue with doing this comes when changing the IP address of a server. if the value in System->Server doesn't match or cannot resolve to the IP of the server then the database won't start, and all kinds of bad things happen.
-Ryan
On Jul 25, 2013, at 10:32 AM, Eric Pedersen <PedersenE at bennettjones.com<mailto:PedersenE at bennettjones.com>> wrote:
I'm considering changing the CUCM Servers to be configured as IP addresses instead of host names to remove the dependency of phones on DNS. Is this a safe thing to do? I couldn't find much information about this on the Cisco site. I'm particularly concerned about ITL issues after change.
Thanks,
Eric
The contents of this message may contain confidential and/or privileged
subject matter. If this message has been received in error, please contact
the sender and delete all copies. Like other forms of communication,
e-mail communications may be vulnerable to interception by unauthorized
parties. If you do not wish us to communicate with you by e-mail, please
notify us at your earliest convenience. In the absence of such
notification, your consent is assumed. Should you choose to allow us to
communicate by e-mail, we will not take any additional security measures
(such as encryption) unless specifically requested.
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
The contents of this message may contain confidential and/or privileged
subject matter. If this message has been received in error, please contact
the sender and delete all copies. Like other forms of communication,
e-mail communications may be vulnerable to interception by unauthorized
parties. If you do not wish us to communicate with you by e-mail, please
notify us at your earliest convenience. In the absence of such
notification, your consent is assumed. Should you choose to allow us to
communicate by e-mail, we will not take any additional security measures
(such as encryption) unless specifically requested.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20130726/5f0d6ded/attachment.html>
More information about the cisco-voip
mailing list