<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    It appears that I was focused in the wrong direction. The problem is
    not the fact that the phones request a signed configuration file;
    it's the fact that the TFTP answers with "File not found". <br>
    <br>
    The test cluster is based on a restore from a production backup and
    the same phone works correctly with the production cluster.<br>
    If I try to generate the signed configuration file nothing seems to
    work (restarted tftp, deleted itl, rebooted the phone several times,
    deleted phone security and network settings, apply config
    button)...  If I try to modify and save the configuration the
    operation is rejected with the following message " Update failed.
    Could not insert new row - duplicate value in a UNIQUE INDEX column
    (Unique Index:x_device_name)". <br>
    <br>
    This is weird since I'm not trying to add a new phone, I'm only
    modifying the existing phone.<br>
    <br>
    <br>
    <br>
    On 21/May/12 10:40 PM, Jason Aarons (AM) wrote:
    <blockquote
cite="mid:4E38DB0A1959B04C8C83EDCF069B53ED0D16E4F549@USISPCLEXDB01.na.didata.local"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">There
            is the Pre-8.0 Rollback Service Parameter that disables ITL
            but you need it set before phones see the upgraded
            CallManager. So any upgrade you need to shut down phones
            first I suspect.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">
                <a class="moz-txt-link-abbreviated" href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a>
                [<a class="moz-txt-link-freetext" href="mailto:cisco-voip-bounces@puck.nether.net">mailto:cisco-voip-bounces@puck.nether.net</a>] <b>On
                  Behalf Of </b>Ed Leatherman<br>
                <b>Sent:</b> Monday, May 21, 2012 4:35 PM<br>
                <b>To:</b> Ovidiu Popa<br>
                <b>Cc:</b> cisco-voip<br>
                <b>Subject:</b> Re: [cisco-voip] cnf.xml.sgn for
                non-secure cluster?<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><br>
          <br>
          Per my understanding, being on CUCM 8+ implies
          security-by-default is in use and your phone is going to get
          an ITL file and thus request signed config files:<o:p></o:p></p>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><a moz-do-not-send="true"
              href="https://supportforums.cisco.com/docs/DOC-17679">https://supportforums.cisco.com/docs/DOC-17679</a><o:p></o:p></p>
          <div>
            <p>Security By Default provides these three functions for
              supported IP Phones:<o:p></o:p></p>
            <ol start="1" type="1">
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
                level1 lfo1">Default authentication of TFTP downloaded
                files (configuration, locale, ringlist, etc) using a
                signing key. <o:p></o:p></li>
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
                level1 lfo1">Optional encryption of TFTP configuration
                files using a signing key. <o:p></o:p></li>
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
                level1 lfo1">Certificate verification for phone
                initiated HTTPS connections using a remote certificate
                trust store on Communications Manager (Trust
                Verification Service).<o:p></o:p></li>
            </ol>
            <div>
              <p class="MsoNormal"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal">On Mon, May 21, 2012 at 4:28 PM,
                Ovidiu Popa &lt;<a moz-do-not-send="true"
                  href="mailto:ovi.popa@gmail.com" target="_blank">ovi.popa@gmail.com</a>&gt;
                wrote:<o:p></o:p></p>
              <div>
                <p class="MsoNormal">My understanding is that ITL is
                  required for several reasons:<br>
                  - used to store the trusted certificates required for
                  the TLS session to the TVS web service (not related to
                  cluster mixed mode as https web services can be
                  activated even if the cluster is unsecure)<br>
                  - used to validate file signatures (only if the
                  cluster is in mixed mode)<br>
                  <br>
                  If this is correct I think it is normal that I have an
                  ITL file but my question still stands: how come the
                  phone requests a signed file if the cluster is not
                  secure?<br>
                  <br>
                  Thanks,<br>
                  Ovidiu<o:p></o:p></p>
                <div>
                  <div>
                    <p class="MsoNormal"><br>
                      <br>
                      <br>
                      <br>
                      On 21/May/12 8:03 PM, Ed Leatherman wrote: <o:p></o:p></p>
                    <p class="MsoNormal">Hello, <o:p></o:p></p>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal">My understanding is that the
                        phone requests a CTL or ITL file when it boots.
                        If it ever actually gets a CTL or ITL file, from
                        that point on it will always request a signed
                        configuration file, unless the CTL or ITL files
                        are manually deleted from the phone. If I'm
                        incorrect hopefully someone will chime in :)<o:p></o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <div>
                      <p class="MsoNormal" style="margin-bottom:12.0pt">Ed<o:p></o:p></p>
                      <div>
                        <p class="MsoNormal">On Mon, May 21, 2012 at
                          1:12 PM, Ovidiu Popa &lt;<a
                            moz-do-not-send="true"
                            href="mailto:ovi.popa@gmail.com"
                            target="_blank">ovi.popa@gmail.com</a>&gt;
                          wrote:<o:p></o:p></p>
                        <div>
                          <p class="MsoNormal">Hello everyone <o:p></o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal"><o:p> </o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal">Anyone know how a phone
                            detects if it needs to download a signed or
                            unsigned configuration file? <o:p></o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal"><o:p> </o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal">I have a few phones that
                            keep requesting a signed file even though the
                            cluster is not in mixed mode and I cannot
                            identify why they behave this way. Does the
                            ITL file contain information about the
                            cluster security mode? <o:p></o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal"><o:p> </o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal">The phone logs say that
                            the TFTP server is secure and keep trying
                            for the cnf.xml.sgn files. Where does it get
                            this information?<o:p></o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal"><o:p> </o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal">Thanks for any input.<o:p></o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal"><o:p> </o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal">Regards.<o:p></o:p></p>
                        </div>
                        <div>
                          <p class="MsoNormal"><span
                              style="color:#888888">Ovidiu<o:p></o:p></span></p>
                        </div>
                        <p class="MsoNormal"
                          style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
                          cisco-voip mailing list<br>
                          <a moz-do-not-send="true"
                            href="mailto:cisco-voip@puck.nether.net"
                            target="_blank">cisco-voip@puck.nether.net</a><br>
                          <a moz-do-not-send="true"
                            href="https://puck.nether.net/mailman/listinfo/cisco-voip"
                            target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p>
                      </div>
                      <p class="MsoNormal"><br>
                        <br clear="all">
                        <o:p></o:p></p>
                      <div>
                        <p class="MsoNormal"><o:p> </o:p></p>
                      </div>
                      <p class="MsoNormal" style="margin-bottom:12.0pt">--
                        <br>
                        Ed Leatherman<o:p></o:p></p>
                    </div>
                    <p class="MsoNormal"><o:p> </o:p></p>
                  </div>
                </div>
              </div>
            </div>
            <p class="MsoNormal"><br>
              <br clear="all">
              <o:p></o:p></p>
            <div>
              <p class="MsoNormal"><o:p> </o:p></p>
            </div>
            <p class="MsoNormal" style="margin-bottom:12.0pt">-- <br>
              Ed Leatherman<o:p></o:p></p>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
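    Added example, not part of the original thread or any poster's code: a small TFTP read-request probe (RFC 1350) that shows whether a server answers "File not found" for the signed configuration file, the unsigned one, or both. The SEP-plus-MAC device name, the placeholder MAC and the function names are assumptions made for illustration.<br>

```python
import socket
import struct
import sys

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5   # TFTP opcodes (RFC 1350)
ERR_FILE_NOT_FOUND = 1                # TFTP error code 1

# Constructed sample replies (not captured from a real cluster).
SAMPLE_NOT_FOUND = struct.pack("!HH", OP_ERROR, ERR_FILE_NOT_FOUND) + b"File not found\0"
SAMPLE_DATA = struct.pack("!HH", OP_DATA, 1) + b"payload"

def build_rrq(filename, mode="octet"):
    """Read request: opcode 1, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"

def parse_reply(packet):
    """Classify the first reply to an RRQ."""
    if len(packet[:4]) != 4:
        raise ValueError("truncated TFTP packet")
    opcode, value = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:
        return ("data", value)                       # value is the block number
    if opcode == OP_ERROR:
        text = packet[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return ("error", value, text)                # value is the error code
    return ("other", opcode)

def probe(server, filename, timeout=3.0):
    """Send one RRQ to UDP/69 and parse the first reply; the transfer is not continued."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_rrq(filename), (server, 69))
        try:
            packet, _ = sock.recvfrom(2048)
        except socket.timeout:
            return ("timeout",)
    return parse_reply(packet)

def diagnose(signed, unsigned):
    """Turn the two probe results into a one-line finding."""
    missing = lambda r: r[0] == "error" and r[1] == ERR_FILE_NOT_FOUND
    if signed[0] == "data":
        return "signed file is served"
    if missing(signed) and unsigned[0] == "data":
        return "only the unsigned file is served"
    if missing(signed) and missing(unsigned):
        return "neither file exists on this TFTP server"
    return "inconclusive"

if __name__ == "__main__":
    server, device = sys.argv[1], sys.argv[2]   # e.g. TFTP address and SEP001122334455 (placeholder)
    results = [probe(server, device + ext) for ext in (".cnf.xml.sgn", ".cnf.xml")]
    print(results, diagnose(*results))
```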
  </body>
</html>