[cisco-voip] question about those funky USB token keys

Stephen Welsh stephen.welsh at unifiedfx.com
Sat May 18 14:22:34 EDT 2013


Good point Eric,

It's for the point you made that I recommend reading Akhil's book (http://www.amazon.com/dp/1587142953) before doing any work with CTL Files.

In fact, everyone running (or upgrading to) UCM 8.0 or above should read his book, as IPT Security is no longer an add-on/option because of Security by Default. It's very important to have a good understanding of how Cisco's internal implementation of PKI works, especially when working with multiple clusters, as you pointed out.

UnifiedFX are starting the beta of the next version of PhoneView (Version 3.1) that has some great new and unique features, including a very relevant endpoint security feature. If anyone is interested in testing out the new version, email beta at unifiedfx.com

Also,
The book has some good reviews (some almost as long as the book ;) I also wrote a review if anyone wants a quick summary:

http://www.amazon.com/review/R30F5QJYK17QZU/ref=cm_cr_pr_perm?ie=UTF8&ASIN=1587142953&linkCode=&nodeID=&tag=

Thanks

Stephen Welsh
CTO
http://www.unifiedfx.com

On 18 May 2013, at 17:59, Eric Pedersen <PedersenE at bennettjones.com> wrote:

If you want to be able to move phones between the clusters without erasing the CTL, you need to put all the keys on both clusters. Otherwise when the phone moves to the other cluster it will get a new CTL file signed by an unknown certificate and reject it.  I made that mistake before I understood what was going on...

________________________________
From: cisco-voip [cisco-voip-bounces at puck.nether.net] on behalf of Erich Novak [Erich.Novak at nts.eu]
Sent: Friday, May 17, 2013 12:20 PM
To: Lelio Fulgenzi
Cc: VoIP List Cisco
Subject: Re: [cisco-voip] question about those funky USB token keys

You could use all keys on both clusters... Or any combination of at least 2 on each cluster - there is nothing happening on the tokens.

Brgds
Erich
On 17.05.2013 at 20:09, "Lelio Fulgenzi" <lelio at uoguelph.ca> wrote:


So I need to buy some of those USB token keys for security. We have two clusters, a test cluster and a production cluster. I'd like to buy two for the test cluster and three for the production cluster to be sure.

From what I understand, the product is: KEY-CCM-ADMIN-K9= and there's no "pairing" of the keys by any means from the factory, so I can just order as many as I need, so I'm thinking, just order 5.

Question though, can I use the same key to store the certs from different clusters?

Lelio


---
Lelio Fulgenzi, B.A.
Senior Analyst, Data Centre and Communications Facilities
Computing and Communications Services (CCS)
University of Guelph

519‐824‐4120 Ext 56354
lelio at uoguelph.ca
www.uoguelph.ca/ccs
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
