Just by way of a follow-up from my work today.<div><br></div><div>- The troubleshooting section of Jason's CTL doc was very handy to follow through and verify operations when I finished all my tasks.</div><div><br></div>
<div>- Regenerating certs went off without a problem</div><div><br></div><div>- The login for CTL Client is the application administrator login, not the platform administrator as I had expected, thought that was a little odd.</div>
<div><br></div><div>- The CTL client refused to recognize my security tokens as valid when run on my crappy windows XP laptop - said they were not from Cisco CA. I even downloaded the newer CTL Client from <a href="http://cisco.com">cisco.com</a>, thinking it was just a newer security token manufacturer (since there is a bug about that). I've used the same tokens to sign my CTL on cm 8 test cluster without issues.</div>
<div><br></div><div>- Ended up installing CTL on my windows 7 desktop and running in compatibility mode. Everything worked fine, and it accepted all my tokens.</div><div><br></div><div>- The serial numbers printed on the tokens/packaging do not match the serial number listed in the CTL. The SN in CTL is in the format SAST-ADNXXXXXX, which matches up with what Jason's CTL document is showing. The serial numbers printed on my tokens/packaging all look like FTXXXXXXX, like a router serial number or something.</div>
<div><br></div><div>- Before restarting all phones/CM services, I reloaded TFTP and then reset my desk phone and a couple other phones in interesting locations on campus (ie behind asa's etc), and used that to verify correct CTL was downloaded etc. Yes i'm a little paranoid, but I figured this way if I had an issue I could run the CTL client again and switch back to non-secure mode before any other phones started requesting signed configs.</div>
<div><br></div><div>- It was not sufficient to just restart the CM service to get phones to request a CTL file, I had to actually reset them. CM service needed to be restarted anyway so no harm done. I was just hoping for the former just to minimize how many devices I had re-registering this morning, oh well learned something :)</div>
<div><br></div><div><br></div><div><br><div class="gmail_quote">On Wed, Jun 20, 2012 at 1:37 PM, Ed Leatherman <span dir="ltr"><<a href="mailto:ealeatherman@gmail.com" target="_blank">ealeatherman@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Jason,<div><br></div><div>Thanks for the reply! That was exactly what I was looking/hoping for. I will just regenerate the certs and reset CCM prior to setting up security to get the certs refreshed, and then again after I'm done to push the changes out.</div>
<div><br></div><div>Ed</div><div><br></div><div><div><div class="h5"><br><div class="gmail_quote">On Wed, Jun 20, 2012 at 12:18 PM, Jason Burns <span dir="ltr"><<a href="mailto:burns.jason@gmail.com" target="_blank">burns.jason@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ed,<br><br>Good catch on the CAPF certs on every node. You're right that they just get ignored on the subscriber nodes. I'm not sure myself what function they serve as the only useful CAPF cert is the one from the publisher.<br>
<br>Since you're on 7.X and you're about to enable security but this isn't a new install, I would definitely recommend taking a look at all of your certificate expiration dates. They're typically 5 years from creation for the self signed certificates (install date). Personally, I would regenerate:<br>
<br>CAPF.pem - Publisher<br>CallManager.pem - All Nodes <br><br>before I enabled security with the CTL client and USB tokens. This means you'd have 5 years before ever having to worry about running the CTL client again for certificate expiration. You may have to run it again if you changed other things that regenerated certs (host name change), and it's easy to run again, but why worry about it. You'll also have 5 years before CAPF expires, which gives you a guaranteed 5 year life time before worrying about any LSCs signed by this CAPF (since the LSC is what gets pushed to the phones and they're signed by CAPF).<br>
<br>Now is also a good time to point the cluster to an SMTP email server, as well as populate an email address in the Certificate Monitor fields in OS Administration. This will notify someone before that 5 year timer pops.<br>
<br>Once you've regenerated CAPF and CallManager certificates you'll want to restart CAPF on the pub and CCM on all nodes. If you can't restart CCM for operational reasons then I'd skip the CallManager.pem regen step but still perform the CAPF regen step. We want to make sure we don't have to mess with any CAPF or LSC regeneration for another 5 years.<br>
<br>Enable security and push LSCs to the phones.<br><br>In 4 years and some months you'll get an email telling you the CAPF cert is about to expire. You also know that all of your LSCs are about to expire. You can take proactive action to generate a new CAPF cert, run CTL client, reset phones, and use BAT to push new LSCs to phones.<br>
<br><br>If this is 8.X you can still regenerate the CAPF.pem, but don't touch the CallManager.pem unless you have to.<br><br>-Jason<br><br><div class="gmail_quote"><div><div>On Wed, Jun 20, 2012 at 9:12 AM, Ed Leatherman <span dir="ltr"><<a href="mailto:ealeatherman@gmail.com" target="_blank">ealeatherman@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>I'm getting ready to install security tokens soon on CM 7.1, and noticed a few things while I was pulling my plan together. I was hoping someone might know the answer(s)<div>
<br></div><div>- While looking around at the existing certs on my cluster (non-secure mode right now) I noticed a CAPF.pem on every node, with a different serial numbers and CNs. I thought this should only exist on the publisher? Does it just ignore the certs on the other nodes when i put the cluster in mixed mode?</div>
<div><br></div><div>- Also while poking around - once again, non-secure mode - I noticed all the CallManager.pem files have varying expiration dates on them (seems to coincide with when I refreshed hardware). Some of them expire as early as 2014.. would it be a good idea to refresh the certs now so that they have later expiration dates, before I start pushing CTL files out to phones? If I do this, do I need to restart the CM service?</div>
<div><br></div><div>Thanks !</div><span><font color="#888888"><div><br><div><div><div><br></div>-- <br>Ed Leatherman<br><br>
</div></div></div>
</font></span><br></div></div>_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br></blockquote></div><br>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br>Ed Leatherman<br><br>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Ed Leatherman<br><br>
</div>