<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
It appears that I was focused in the wrong direction. The problem is
not the fact that the phones request a signed configuration file;
it's the fact that the TFTP server answers with "File not found". <br>
<br>
The test cluster is based on a restore from a production backup, and
the same phone works correctly with the production cluster.<br>
If I try to generate the signed configuration file, nothing seems to
work (restarted TFTP, deleted ITL, rebooted the phone several times,
deleted phone security and network settings, Apply Config
button)... If I try to modify and save the configuration, the
operation is rejected with the following message: "Update failed.
Could not insert new row - duplicate value in a UNIQUE INDEX column
(Unique Index:x_device_name)". <br>
<br>
This is weird, since I'm not trying to add a new phone; I'm only
modifying the existing phone.<br>
<br>
<br>
<br>
On 21/May/12 10:40 PM, Jason Aarons (AM) wrote:
<blockquote
cite="mid:4E38DB0A1959B04C8C83EDCF069B53ED0D16E4F549@USISPCLEXDB01.na.didata.local"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">There
is the Pre-8.0 Rollback Service Parameter that disables ITL,
but you need it set before phones see the upgraded
CallManager. So for any upgrade you need to shut down phones
first, I suspect.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a class="moz-txt-link-abbreviated" href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a>
[<a class="moz-txt-link-freetext" href="mailto:cisco-voip-bounces@puck.nether.net">mailto:cisco-voip-bounces@puck.nether.net</a>] <b>On
Behalf Of </b>Ed Leatherman<br>
<b>Sent:</b> Monday, May 21, 2012 4:35 PM<br>
<b>To:</b> Ovidiu Popa<br>
<b>Cc:</b> cisco-voip<br>
<b>Subject:</b> Re: [cisco-voip] cnf.xml.sgn for
non-secure cluster?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><br>
<br>
Per my understanding, being on CUCM 8+ implies
security-by-default is in use and your phone is going to get
an ITL file and thus request signed config files:<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><a moz-do-not-send="true"
href="https://supportforums.cisco.com/docs/DOC-17679">https://supportforums.cisco.com/docs/DOC-17679</a><o:p></o:p></p>
<div>
<p>Security By Default provides these three functions for
supported IP Phones:<o:p></o:p></p>
<ol start="1" type="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo1">Default authentication of TFTP downloaded
files (configuration, locale, ringlist, etc) using a
signing key. <o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo1">Optional encryption of TFTP configuration
files using a signing key. <o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo1">Certificate verification for phone
initiated HTTPS connections using a remote certificate
trust store on Communications Manager (Trust
Verification Service).<o:p></o:p></li>
</ol>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On Mon, May 21, 2012 at 4:28 PM,
Ovidiu Popa <<a moz-do-not-send="true"
href="mailto:ovi.popa@gmail.com" target="_blank">ovi.popa@gmail.com</a>>
wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal">My understanding is that ITL is
required for several reasons:<br>
- used to store the trusted certificates required for
the TLS session to the TVS web service (not related to
cluster mixed mode, as HTTPS web services can be
activated even if the cluster is not secure)<br>
- used to validate file signatures (only if the
cluster is in mixed mode)<br>
<br>
If this is correct, I think it is normal that I have an
ITL file, but my question still stands: how come the
phone requests a signed file if the cluster is not
secure?<br>
<br>
Thanks,<br>
Ovidiu<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<br>
On 21/May/12 8:03 PM, Ed Leatherman wrote: <o:p></o:p></p>
<p class="MsoNormal">Hello, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">My understanding is that the
phone requests a CTL or ITL file when it boots.
If it ever actually gets a CTL or ITL file, from
that point on it will always request a signed
configuration file, unless the CTL or ITL files
are manually deleted from the phone. If I'm
incorrect, hopefully someone will chime in :)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Ed<o:p></o:p></p>
<div>
<p class="MsoNormal">On Mon, May 21, 2012 at
1:12 PM, Ovidiu Popa <<a
moz-do-not-send="true"
href="mailto:ovi.popa@gmail.com"
target="_blank">ovi.popa@gmail.com</a>>
wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal">Hello everyone <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Does anyone know how a phone
detects whether it needs to download a signed or an
unsigned configuration file? <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I have a few phones that
keep requesting a signed file even though the
cluster is not in mixed mode, and I cannot
identify why they behave this way. Does the
ITL file contain information about the
cluster security mode? <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The phone logs say that
the TFTP server is secure, and the phone keeps trying
for the cnf.xml.sgn files. Where does it get
this information?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks for any input.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Regards.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="color:#888888">Ovidiu<o:p></o:p></span></p>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a moz-do-not-send="true"
href="mailto:cisco-voip@puck.nether.net"
target="_blank">cisco-voip@puck.nether.net</a><br>
<a moz-do-not-send="true"
href="https://puck.nether.net/mailman/listinfo/cisco-voip"
target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">--
<br>
Ed Leatherman<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">-- <br>
Ed Leatherman<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
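<p>The exchange the thread describes, as an added example that is not part of the original messages and not Cisco code: a phone that holds a CTL/ITL asks TFTP for the signed <code>SEP&lt;MAC&gt;.cnf.xml.sgn</code> file, and a server that never generated that file answers with TFTP error 1, "File not found" (RFC 1350). The MAC address, the in-memory file table and the config payload are constructed for the demonstration; the script does not read an ITL or verify a signature, since neither format is described on this page.</p>

```python
# Added example, not from the mailing-list thread or any Cisco code.
# Minimal RFC 1350 TFTP read request / reply, built in memory (no sockets,
# no real CUCM or phone), to show what the phone asks for with and without
# a trust list and what the "File not found" answer looks like on the wire.
import struct

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5
ERR_FILE_NOT_FOUND = 1


def phone_config_filename(mac: str, has_trust_list: bool) -> str:
    """Name of the config file a Cisco IP phone requests from TFTP.

    Phones ask for SEP<MAC>.cnf.xml; once they hold a CTL or ITL they
    ask for the signed variant with the .sgn suffix instead.
    """
    mac = mac.replace(":", "").replace("-", "").upper()
    if len(mac) != 12 or any(c not in "0123456789ABCDEF" for c in mac):
        raise ValueError("MAC address must be 12 hex digits")
    name = f"SEP{mac}.cnf.xml"
    return name + ".sgn" if has_trust_list else name


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """TFTP read request: opcode 1, filename, NUL, mode, NUL."""
    return (struct.pack("!H", OP_RRQ)
            + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_rrq(pkt: bytes) -> tuple:
    """Return (filename, mode) from an RRQ packet, rejecting other opcodes."""
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode != OP_RRQ:
        raise ValueError(f"expected RRQ (1), got opcode {opcode}")
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty tail after the last NUL
        raise ValueError("malformed RRQ")
    return fields[0].decode("ascii"), fields[1].decode("ascii")


def tftp_serve(request: bytes, files: dict) -> bytes:
    """Answer one RRQ from an in-memory file table the way a TFTP server would."""
    filename, _mode = parse_rrq(request)
    data = files.get(filename)
    if data is None:
        # Opcode 5, error code 1, message, NUL: the answer the poster saw.
        return struct.pack("!HH", OP_ERROR, ERR_FILE_NOT_FOUND) + b"File not found\x00"
    # Opcode 3, block 1, first (up to) 512 bytes of the file.
    return struct.pack("!HH", OP_DATA, 1) + data[:512]


def parse_reply(pkt: bytes) -> dict:
    """Decode a DATA or ERROR reply into a dict."""
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode == OP_ERROR:
        (code,) = struct.unpack("!H", pkt[2:4])
        return {"op": "ERROR", "code": code,
                "message": pkt[4:].split(b"\x00", 1)[0].decode("ascii")}
    if opcode == OP_DATA:
        (block,) = struct.unpack("!H", pkt[2:4])
        return {"op": "DATA", "block": block, "data": pkt[4:]}
    raise ValueError(f"unexpected opcode {opcode}")


def simulate_boot(mac: str, has_trust_list: bool, files: dict) -> dict:
    """One phone boot: pick the filename, send the RRQ, decode the reply."""
    filename = phone_config_filename(mac, has_trust_list)
    reply = parse_reply(tftp_serve(build_rrq(filename), files))
    reply["requested"] = filename
    return reply


# Constructed TFTP directory for the test cluster in the thread: the unsigned
# file exists, the signed one was never generated.
TEST_MAC = "00:1A:2B:3C:4D:5E"  # made-up MAC address
TEST_CLUSTER_FILES = {
    "SEP001A2B3C4D5E.cnf.xml": b"<device><!-- constructed config --></device>",
}

if __name__ == "__main__":
    for has_itl in (False, True):
        r = simulate_boot(TEST_MAC, has_itl, TEST_CLUSTER_FILES)
        print(f"ITL present={has_itl}: requested {r['requested']} -> {r['op']}",
              r.get("message", ""))
```

<p>Running it shows the two boots side by side: without a trust list the phone asks for the plain file and gets block 1 of it; with a trust list it asks for the .sgn file and gets error 1, which is the symptom in the thread and says nothing about whether the phone's trust list itself is valid.</p>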
<br>
</body>
</html>