[cisco-voip] Changing CUCM Servers to use IP instead of DNS

Ryan Ratliff (rratliff) rratliff at cisco.com
Mon Jul 29 09:52:10 EDT 2013


8.6 and later will automatically reset the phones on cert changes.

-Ryan

On Jul 27, 2013, at 12:28 PM, Eric Pedersen <PedersenE at bennettjones.com<mailto:PedersenE at bennettjones.com>>
 wrote:

I think when a new Callmanager or TVS cert is generated, CM automatically resets all the phones so they pick it up. We had a corrupted TVS cert once and that's what happened when we regenerated it.

From: Tim Smith [mailto:tim at timhughsmith.com<http://timhughsmith.com>]
Sent: 27 July 2013 2:47 AM
To: 'Ryan Ratliff (rratliff)'; Eric Pedersen
Cc: cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Subject: RE: [cisco-voip] Changing CUCM Servers to use IP instead of DNS

Just in regard to the phones picking up their new ITL.
I’m pretty sure I saw them restart after ITL is regenerated. Did not tell them to reset, just added a new server.

Cheers,

Tim.

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ryan Ratliff (rratliff)
Sent: Saturday, 27 July 2013 12:43 AM
To: Eric Pedersen
Cc: cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] Changing CUCM Servers to use IP instead of DNS
Importance: High

You don't need to reboot any servers when making this change.  The phones will pick up the change at their next reset or apply config.

Your assumption on trust is correct.  Remember that the TVS cert the phone cares about is the one from the first CM in it's CM group (the server it registers with).  The CM cert is from the TFTP server.

If you want to test your TVS just change a phone's TFTP server to from a primary to a backup.  You'll see the TFTP role in the trust list change and the phone has to use TVS to validate the new ITL.

-Ryan

On Jul 26, 2013, at 10:01 AM, Eric Pedersen <PedersenE at bennettjones.com<mailto:PedersenE at bennettjones.com>>
 wrote:

Thank you for testing this out Ryan!  If I understand SBD correctly, phones only lose the ITL trust if the CM cert and TVS cert change and from your test changing from hostname to IP doesn't regenerate the CM cert.

Do you think we will need to reboot the cluster after each Server change or can wait until they are all changed since the IP addresses aren't actually changing?

From: Ryan Ratliff (rratliff) [mailto:rratliff at cisco.com<http://cisco.com/>]
Sent: 25 July 2013 12:27 PM
To: Stephen Welsh
Cc: Eric Pedersen; cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] Changing CUCM Servers to use IP instead of DNS
Importance: High

CUCM 9.1(1a), default System->Server value from fresh install.  This is from the OS Admin Certificate Management display of the CallManager.pem.
 Version: V3
  Serial Number: 99480614108321596406940253707831773761
  SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
  Issuer Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US
  Validity From: Thu Apr 25 14:28:18 EDT 2013
           To:   Tue Apr 24 14:28:17 EDT 2018
  Subject Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US

Here's the "show itl' output.
admin:show itl
The checksum value of the ITL file:
a1fe51f30c31ed586dc839e9b51d1046(MD5)
cb3637f73ae2d0ccf1e9b11d9b4b2a6302428e18(SHA1)


Length of ITL file: 4243
The ITL File was last modified on Thu Apr 25 14:53:47 EDT 2013


After changing System->Server to IP address.
[
  Version: V3
  Serial Number: 99480614108321596406940253707831773761
  SignatureAlgorithm: SHA1withRSA (1.2.840.113549.1.1.5)
  Issuer Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US
  Validity From: Thu Apr 25 14:28:18 EDT 2013
           To:   Tue Apr 24 14:28:17 EDT 2018
  Subject Name: L=NC, ST=RTP, CN=ucm9a-new, OU=TAC, O=Cisco, C=US

And the "show itl".
admin:show itl
The checksum value of the ITL file:
00b6ca74a635657cd533080d8f970315(MD5)
8f9573112f81c8a37661f03e639379f1dba2874e(SHA1)


Length of ITL file: 4243
The ITL File was last modified on Thu Jul 25 14:20:05 EDT 2013

So in part you are correct, the ITL will be regenerated.  We do this way too frequently (even changing a CM group regenerates ITLs) but the ITL itself isn't as important as the cert used to sign the ITL.  That doesn't change just by changing the value in the processnode table.

-Ryan

On Jul 25, 2013, at 12:41 PM, Stephen Welsh <stephen.welsh at unifiedfx.com<mailto:stephen.welsh at unifiedfx.com>> wrote:

Hi Ryan,

I have to disagree, changing from Hostname <-> IP Address will mean the subject name of the certificates (Callmanager.Pem & TVS.Pem) on the relevant nodes will change, so those certificates will be regenerated.

As long as you follow this document you should be okay:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/install/8_6_1/ipchange/ipchg861.html

However, we do typically find during a change like this a small percentage of devices don't update their ITL Files correctly, so you may end up with 1-2% of endpoints with problems and not know it...

UnifiedFX (http://www.unifiedfx.com<http://www.unifiedfx.com/>) just announces a brand new version of PhoneView (Version 3.5) that allows you to detect, report and fix any ITL Issues, we just published this video showing the new features, very relevant to Eric's project, or anyone upgrading/changing CUCM for that matter:

http://www.youtube.com/watch?v=-2FH-_rzdnE

Thanks

Stephen Welsh

On 25 Jul 2013, at 16:47, "Ryan Ratliff (rratliff)" <rratliff at cisco.com<mailto:rratliff at cisco.com>>
 wrote:


It won't impact ITLs since they are based on the actual server info, nothing in the database.

The biggest issue with doing this comes when changing the IP address of a server.  if the value in System->Server doesn't match or cannot resolve to the IP of the server then the database won't start, and all kinds of bad things happen.

-Ryan

On Jul 25, 2013, at 10:32 AM, Eric Pedersen <PedersenE at bennettjones.com<mailto:PedersenE at bennettjones.com>> wrote:

I'm considering changing the CUCM Servers to be configured as IP addresses instead of host names to remove the dependency of phones on DNS.  Is this a safe thing to do? I couldn't find much information about this on the Cisco site.  I'm particularly concerned about ITL issues after change.

Thanks,
Eric


The contents of this message may contain confidential and/or privileged

subject matter. If this message has been received in error, please contact

the sender and delete all copies. Like other forms of communication,

e-mail communications may be vulnerable to interception by unauthorized

parties. If you do not wish us to communicate with you by e-mail, please

notify us at your earliest convenience. In the absence of such

notification, your consent is assumed. Should you choose to allow us to

communicate by e-mail, we will not take any additional security measures

(such as encryption) unless specifically requested.



_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip


_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip



The contents of this message may contain confidential and/or privileged

subject matter. If this message has been received in error, please contact

the sender and delete all copies. Like other forms of communication,

e-mail communications may be vulnerable to interception by unauthorized

parties. If you do not wish us to communicate with you by e-mail, please

notify us at your earliest convenience. In the absence of such

notification, your consent is assumed. Should you choose to allow us to

communicate by e-mail, we will not take any additional security measures

(such as encryption) unless specifically requested.






The contents of this message may contain confidential and/or privileged
subject matter. If this message has been received in error, please contact
the sender and delete all copies. Like other forms of communication,
e-mail communications may be vulnerable to interception by unauthorized
parties. If you do not wish us to communicate with you by e-mail, please
notify us at your earliest convenience. In the absence of such
notification, your consent is assumed. Should you choose to allow us to
communicate by e-mail, we will not take any additional security measures
(such as encryption) unless specifically requested.




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20130729/d2068606/attachment.html>


More information about the cisco-voip mailing list