[cisco-voip] tokenless CTL client - how to move devices between mixed mode clusters?

Ryan Ratliff (rratliff) rratliff at cisco.com
Thu Aug 13 09:27:45 EDT 2015


Only the 7940s and 7960s these days validate the TFTP server in the CTL (maybe TX endpoints too).

-Ryan

On Aug 12, 2015, at 10:45 PM, Brian Meade <bmeade90 at vt.edu> wrote:

Ryan, would you need to add the other cluster in the TFTP server list? I know I usually had to do this with the actual CTL client, but I'm not sure how this would work in tokenless unless there's a CLI command for it.

On Wed, Aug 12, 2015 at 10:03 PM, Ryan Ratliff (rratliff) <rratliff at cisco.com> wrote:
The tokenless CTL is signed by the CallManager.pem on the publisher.  Upload that cert as a phone-trust cert and TVS on that cluster will be able to authenticate files signed by that cert.

CTL Record #:1
          ----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1701
2 DNSNAME 20 videolab-ucm11a-pub
3 SUBJECTNAME 70 CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 70 CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
6 SERIALNUMBER 16 52:0B:74:69:CF:4F:5A:CD:5B:48:6F:EE:99:9E:E0:B8
7 PUBLICKEY 270
8 SIGNATURE 256
9 CERTIFICATE 961 76 5D 15 01 0E 41 0D 16 BE EA 8A 98 29 33 EE 27 B6 3E D3 01 (SHA1 Hash HEX)
10 IPADDRESS 4
This etoken was used to sign the CTL file.


admin:show cert own CallManager/CallManager.pem
[
  Version: V3
  Serial Number: 520B7469CF4F5ACD5B486FEE999EE0B8
…


-Ryan

On Aug 12, 2015, at 9:06 PM, Dave Goodwin <Dave.Goodwin at december.net> wrote:

For anyone who has an environment with multiple mixed mode clusters (CTL file is present), do you know of a way to move devices from one cluster to another?

Using the eToken SAST (physical USB devices), it seems you can do this by using the same signing token to sign the CTL file on each cluster. With the new tokenless CTL client, it seems each cluster's publisher private key is used to sign that cluster's CTL file - so it seems the old way will not work.

I realize it can be done by deleting the CTL file on the phone (or factory reset) if you're standing in front of it, and I also realize there are commercial software tools that can perform feats like this (like UnifiedFX and other competitive offerings). I am looking for a way to do this without either of those methods.

-Dave
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


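The two dumps Ryan pasted make the point by eye: the SERIALNUMBER of the CTL record marked "used to sign the CTL file" is the serial of the publisher's CallManager.pem, written with colons. The script below is an added example, not code from the thread or from Cisco; it parses text in the shape of those two dumps (the "CTL Record #" block and the first lines of `show cert own CallManager/CallManager.pem`, whose exact layout on other releases is an assumption) and checks that the signing record's serial matches the certificate's serial, normalizing the colon-separated and contiguous hex forms. The sample inputs are constructed from the values in the thread.

```python
"""Check which certificate signed a tokenless CTL file.

Added example, not from the original thread. Parses a CTL record dump and
the header of `show cert own CallManager/CallManager.pem`, then checks that
the record marked as the CTL signer carries the same serial number as the
publisher's CallManager.pem. The output layout assumed here matches what
was pasted in the thread; other releases may differ (assumption).
"""
import re

# Constructed sample: one CTL record, as pasted in the thread.
CTL_DUMP = """\
CTL Record #:1
          ----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1701
2 DNSNAME 20 videolab-ucm11a-pub
3 SUBJECTNAME 70 CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 70 CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
6 SERIALNUMBER 16 52:0B:74:69:CF:4F:5A:CD:5B:48:6F:EE:99:9E:E0:B8
7 PUBLICKEY 270
8 SIGNATURE 256
9 CERTIFICATE 961 76 5D 15 01 0E 41 0D 16 BE EA 8A 98 29 33 EE 27 B6 3E D3 01 (SHA1 Hash HEX)
10 IPADDRESS 4
This etoken was used to sign the CTL file.
"""

# Constructed sample: first lines of `show cert own CallManager/CallManager.pem`.
CERT_DUMP = """\
[
  Version: V3
  Serial Number: 520B7469CF4F5ACD5B486FEE999EE0B8
"""

# "<bytepos> <TAG> <length> <value...>" rows of the record table.
TAG_RE = re.compile(r"^\s*\d+\s+([A-Z]+)\s+\d+\s*(.*)$")


def parse_ctl_records(text):
    """Split a CTL dump into records (dicts keyed by TAG name).

    The record followed by the 'used to sign the CTL file' sentence is
    flagged with signer=True, which is how the dump marks the signer.
    """
    records = []
    current = None
    for line in text.splitlines():
        if line.startswith("CTL Record #"):
            current = {"signer": False}
            records.append(current)
            continue
        if current is None:
            continue
        if "used to sign the CTL file" in line:
            current["signer"] = True
            continue
        m = TAG_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    return records


def normalize_serial(serial):
    """Uppercase hex with separators and leading zeros removed, so that
    '52:0B:...' (CTL dump) and '520B...' (show cert) compare equal."""
    return re.sub(r"[^0-9A-F]", "", serial.upper()).lstrip("0")


def cert_serial(text):
    """Serial number from a `show cert own` header, normalized."""
    m = re.search(r"Serial Number:\s*([0-9A-Fa-f:]+)", text)
    if not m:
        raise ValueError("no 'Serial Number' line in certificate dump")
    return normalize_serial(m.group(1))


def ctl_signer(records):
    """The single record that signed the CTL; anything else is an error."""
    signers = [r for r in records if r["signer"]]
    if len(signers) != 1:
        raise ValueError("expected one signing record, found %d" % len(signers))
    return signers[0]


def ctl_signed_by(ctl_text, cert_text):
    """True if the CTL's signing record has the same serial as the cert."""
    signer = ctl_signer(parse_ctl_records(ctl_text))
    return normalize_serial(signer["SERIALNUMBER"]) == cert_serial(cert_text)


if __name__ == "__main__":
    rec = ctl_signer(parse_ctl_records(CTL_DUMP))
    print("signer:", rec["DNSNAME"], "/", rec["FUNCTION"])
    print("signed by this CallManager.pem:", ctl_signed_by(CTL_DUMP, CERT_DUMP))
```

Run it against the CTL dump from the target cluster and the CallManager.pem header from the cluster whose phones you want to move; a match confirms which certificate has to be present as a phone-trust cert on the receiving side, a mismatch (for example after the publisher's CallManager certificate was regenerated) tells you the CTL was signed by a different key than the one you are about to upload.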


