[cisco-voip] tokenless CTL client - how to move devices between mixed mode clusters?

Brian Meade bmeade90 at vt.edu
Wed Aug 12 22:45:06 EDT 2015


Ryan, would you need to add the other cluster in the TFTP server list?  I
know I usually had to do this with the actual CTL client but not sure how
this would work in tokenless unless there's a CLI command for it.

On Wed, Aug 12, 2015 at 10:03 PM, Ryan Ratliff (rratliff) <
rratliff at cisco.com> wrote:

> The tokenless CTL is signed by the CallManager.pem on the publisher.
> Upload that cert as a phone-trust cert and TVS on that cluster will be able
> to authenticate files signed by that cert.
>
> CTL Record #:1
>           ----
> BYTEPOS TAG LENGTH VALUE
> ------- --- ------ -----
> 1 RECORDLENGTH 2 1701
> 2 DNSNAME 20 videolab-ucm11a-pub
> 3 SUBJECTNAME 70 CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
> 4 FUNCTION 2 System Administrator Security Token
> 5 ISSUERNAME 70 CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
> 6 SERIALNUMBER 16 52:0B:74:69:CF:4F:5A:CD:5B:48:6F:EE:99:9E:E0:B8
> 7 PUBLICKEY 270
> 8 SIGNATURE 256
> 9 CERTIFICATE 961 76 5D 15 01 0E 41 0D 16 BE EA 8A 98 29 33 EE 27 B6 3E D3 01 (SHA1 Hash HEX)
> 10 IPADDRESS 4
> This etoken was used to sign the CTL file.
>
>
> admin:show cert own CallManager/CallManager.pem
> [
>   Version: V3
>   Serial Number: 520B7469CF4F5ACD5B486FEE999EE0B8
>
>  -
> Ryan
>
> On Aug 12, 2015, at 9:06 PM, Dave Goodwin <Dave.Goodwin at december.net>
> wrote:
>
> For anyone who has an environment with multiple mixed mode clusters (CTL
> file is present), do you know of a way to move devices from one cluster to
> another?
>
> Using the eToken SAST (physical USB devices), it seems you can do this by
> using the same signing token to sign the CTL file on each cluster. With the
> new tokenless CTL client, it seems each cluster's publisher private key is
> used to sign that cluster's CTL file - so it seems the old way will not
> work.
>
> I realize it can be done by deleting the CTL file on the phone (or factory
> reset) if you're standing in front of it, and I also realize there are
> commercial software tools that can perform feats like this (like UnifiedFX
> and other competitive offerings). I am looking for a way to do this without
> either of those methods.
>
> -Dave
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
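Ryan's point above is that the signer record in the CTL (FUNCTION "System Administrator Security Token") carries the serial of the publisher's CallManager.pem, so that is the cert to upload as phone-trust on the other cluster. The script below is an added example, not code from the thread or from Cisco: it parses the `show ctl` record and the `show cert own CallManager/CallManager.pem` output quoted above, normalises the two serial formats (colon-separated vs. contiguous hex) and reports whether the CTL was signed by that cert. It also copes with a listing that has several records and more than one SAST entry, which the single-record excerpt in the thread does not show. The "other cluster" certificate serial is constructed for the mismatch case; everything else is taken from the posted output.

```python
from __future__ import annotations

import re

# Added example, not from the thread. Checks that the CTL's signer (SAST) record has
# the same serial number as the CallManager.pem shown by "show cert own", so you know
# which cert to upload as phone-trust on the cluster the phones are moving to.

SAST_FUNCTION = "System Administrator Security Token"

# "BYTEPOS TAG LENGTH VALUE" rows: position, upper-case tag, length, optional value.
_FIELD_RE = re.compile(r"^\s*\d+\s+([A-Z]+)\s+\d+\s*(.*?)\s*$")
_SERIAL_RE = re.compile(r"Serial Number:\s*([0-9A-Fa-f:]+)")

# Sample input 1: the CTL record exactly as posted in the thread (quote marks removed).
CTL_LISTING = """\
CTL Record #:1
          ----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1701
2 DNSNAME 20 videolab-ucm11a-pub
3 SUBJECTNAME 70 CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 70 CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
6 SERIALNUMBER 16 52:0B:74:69:CF:4F:5A:CD:5B:48:6F:EE:99:9E:E0:B8
7 PUBLICKEY 270
8 SIGNATURE 256
9 CERTIFICATE 961 76 5D 15 01 0E 41 0D 16 BE EA 8A 98 29 33 EE 27 B6 3E D3 01 (SHA1 Hash HEX)
10 IPADDRESS 4
This etoken was used to sign the CTL file.
"""

# Sample input 2: the start of the cert dump as posted (the thread truncates it there).
PUB_CERT = """\
[
  Version: V3
  Serial Number: 520B7469CF4F5ACD5B486FEE999EE0B8
"""

# Sample input 3: constructed, not from the thread. Stands in for the CallManager.pem
# of a different cluster, whose key did not sign this CTL.
OTHER_CERT = """\
[
  Version: V3
  Serial Number: 0B3C1D2E4F5A6B7C8D9E0F1A2B3C4D5E
"""


def normalize_serial(serial: str) -> str:
    """Drop separators and leading zeros so '52:0B:..' and '520B..' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", serial).upper().lstrip("0") or "0"


def parse_ctl_records(listing: str) -> list[dict[str, str]]:
    """Split 'show ctl' output into records, each a TAG -> VALUE mapping."""
    records = []
    for chunk in re.split(r"^CTL Record #:\s*\d+", listing, flags=re.MULTILINE)[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = _FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        records.append(fields)
    return records


def subject_cn(subject: str) -> str:
    """Pull CN out of the semicolon-separated subject string CUCM prints."""
    for part in subject.split(";"):
        key, _, value = part.partition("=")
        if key.strip() == "CN":
            return value.strip()
    return ""


def sha1_fingerprint(record: dict[str, str]) -> str:
    """Hex SHA-1 of the signer cert as listed in the CERTIFICATE row."""
    hex_part = record.get("CERTIFICATE", "").split("(")[0]
    return "".join(re.findall(r"\b[0-9A-Fa-f]{2}\b", hex_part)).upper()


def parse_cert_serial(cert_dump: str) -> str:
    """Serial from 'show cert own' output, normalised for comparison."""
    m = _SERIAL_RE.search(cert_dump)
    if not m:
        raise ValueError("no 'Serial Number:' line in certificate output")
    return normalize_serial(m.group(1))


def ctl_signed_by(listing: str, cert_dump: str) -> tuple[bool, list[str]]:
    """Was this CTL signed by the given certificate?

    Returns (match, signer_cns): match is True when some SAST record's serial equals
    the cert's serial; signer_cns lists the CN of every SAST record, so on a mismatch
    you can see which publisher (or eToken) actually signed the file.
    """
    cert_serial = parse_cert_serial(cert_dump)
    signers = [r for r in parse_ctl_records(listing) if r.get("FUNCTION") == SAST_FUNCTION]
    if not signers:
        raise ValueError("no System Administrator Security Token record in CTL")
    match = any(normalize_serial(r.get("SERIALNUMBER", "")) == cert_serial for r in signers)
    return match, [subject_cn(r.get("SUBJECTNAME", "")) for r in signers]


if __name__ == "__main__":
    for label, cert in (("publisher CallManager.pem", PUB_CERT), ("other cluster's cert", OTHER_CERT)):
        ok, cns = ctl_signed_by(CTL_LISTING, cert)
        verdict = "signed by this cert" if ok else "NOT the signer"
        print(f"{label}: {verdict}; SAST CN(s): {cns}")
```

Run it against the real `show ctl` and `show cert own` output of the source cluster before touching the target: a True result names the cert whose phone-trust upload on the target cluster lets its TVS authenticate files signed by the source publisher, and a False result with a foreign CN means the CTL on the phones was signed by something else (another publisher or an eToken) and that is the cert you need instead.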