[cisco-voip] tokenless CTL client - how to move devices between mixed mode clusters?

Dave Goodwin dave.goodwin at december.net
Wed Aug 12 23:23:07 EDT 2015 

Ryan, let me lay out an example to make sure I understand. Please note that
I haven't found anywhere that this has been well-explained, so I am laying
out the following logic flow as a guess. Hopefully it's at least close;
please set me straight. Say we have an old cluster and a new cluster, and
that I want to move phones registered to the old cluster to instead
register to the new cluster. Are you saying:


   1. Download the CallManager.pem from new cluster pub and upload that
   cert as phone-trust to the old cluster. This will enable the old cluster
   TVS to have TVS-aware phones trust the new cluster.
   2. When the phone is told (say, via change in DHCP option 150 value) to
   register to the new cluster, it will fail to authenticate the new cluster's
   CTL file due to a different file signer.
   3. So, the phone will then connect with its already-trusted TVS server
   in the old cluster. At this point, since the new cluster pub cert was added
   as phone-trust in the old cluster, TVS will instruct the phone to trust the
   cert.
   4. Then, based on TVS's go-ahead, the phone will now load and install
   the new cluster CTL file.
   5. At this stage, the phone will trust only the entries in the new
   cluster CTL file - and also any certs that the new cluster's TVS can trust.


Also, it seems like this procedure would also work with the token-based CTL
client, as long as TVS is present and all the moving endpoints support TVS.

-Dave

On Wed, Aug 12, 2015 at 10:45 PM, Brian Meade <bmeade90 at vt.edu> wrote:

> Ryan, would you need to add the other cluster in the TFTP server list?  I
> know I usually had to do this with the actual CTL client but not sure how
> this would work in tokenless unless there's a CLI command for it.
>
> On Wed, Aug 12, 2015 at 10:03 PM, Ryan Ratliff (rratliff) <
> rratliff at cisco.com> wrote:
>
>> The tokenless CTL is signed by the CallManager.pem on the publisher.
>> Upload that cert as a phone-trust cert and TVS on that cluster will be able
>> to authenticate files signed by that cert.
>>
>> CTL Record #:1
>>           ----
>> BYTEPOS TAG LENGTH VALUE
>> ------- --- ------ -----
>> 1 RECORDLENGTH 2 1701
>> 2 DNSNAME 20 videolab-ucm11a-pub
>> 3 SUBJECTNAME 70
>> CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
>> 4 FUNCTION 2 System Administrator Security Token
>> 5 ISSUERNAME 70
>> CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
>> 6 SERIALNUMBER 16 52:0B:74:69:CF:4F:5A:CD:5B:48:6F:EE:99:9E:E0:B8
>> 7 PUBLICKEY 270
>> 8 SIGNATURE 256
>> 9 CERTIFICATE 961 76 5D 15 01 0E 41 0D 16 BE EA 8A 98 29 33 EE 27 B6 3E
>> D3 01 (SHA1 Hash HEX)
>> 10 IPADDRESS 4
>> This etoken was used to sign the CTL file.
>>
>>
>> admin:show cert own CallManager/CallManager.pem
>> [
>>   Version: V3
>>   Serial Number: 520B7469CF4F5ACD5B486FEE999EE0B8
>>>>
>>
>>  -
>> Ryan
>>
>> On Aug 12, 2015, at 9:06 PM, Dave Goodwin <Dave.Goodwin at december.net>
>> wrote:
>>
>> For anyone who has an environment with multiple mixed mode clusters (CTL
>> file is present), do you know of a way to move devices from one cluster to
>> another?
>>
>> Using the eToken SAST (physical USB devices), it seems you can do this by
>> using the same signing token to sign the CTL file on each cluster. With the
>> new tokenless CTL client, it seems each cluster's publisher private key is
>> used to sign that cluster's CTL file - so it seems the old way will not
>> work.
>>
>> I realize it can be done by deleting the CTL file on the phone (or
>> factory reset) if you're standing in front of it, and I also realize there
>> are commercial software tools that can perform feats like this (like
>> UnifiedFX and other competitive offerings). I am looking for a way to do
>> this without either of those methods.
>>
>> -Dave
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150812/ae5a27be/attachment.html>

More information about the cisco-voip mailing list