<div dir="ltr">From the servers on both clusters and the console logs from one of the phones.</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Aug 11, 2014 at 4:47 PM, Heim, Dennis <span dir="ltr"><<a href="mailto:Dennis.Heim@wwt.com" target="_blank">Dennis.Heim@wwt.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">This is a lab environment, so sharing is not a problem. Are the TVS traces you want frm the servers or the phones?<u></u><u></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:black">Dennis Heim | Collaboration Solutions Architect</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:black">World Wide Technology, Inc. | <a href="tel:%2B1%20314-212-1814" value="+13142121814" target="_blank">+1 314-212-1814</a><u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><a href="https://twitter.com/CollabSensei" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";text-decoration:none"><img border="0" width="124" height="25" src="cid:image001.png@01CFB583.EFD17AA0" alt="twitter"></span></a><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><a><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d;text-decoration:none"><img border="0" width="95" height="28" src="cid:image002.png@01CFB583.EFD17AA0" alt="chat"></span></a><a href="tel:+13142121814" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d;text-decoration:none"><img border="0" width="95" height="28" src="cid:image003.png@01CFB583.EFD17AA0" alt="Phone"></span></a><a><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d;text-decoration:none"><img border="0" width="95" height="28" src="cid:image004.png@01CFB583.EFD17AA0" alt="video"></span></a><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
</div><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <a href="mailto:bmeade90@gmail.com" target="_blank">bmeade90@gmail.com</a> [mailto:<a href="mailto:bmeade90@gmail.com" target="_blank">bmeade90@gmail.com</a>] <b>On Behalf Of </b>Brian Meade<br>
<b>Sent:</b> Monday, August 11, 2014 4:45 PM</span></p><div><div class="h5"><br><b>To:</b> Heim, Dennis<br><b>Cc:</b> Ryan Ratliff (rratliff); cisco-voip voyp list<br><b>Subject:</b> Re: [cisco-voip] TVS & Signed Certificates<u></u><u></u></div>
</div><p></p><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">Did you upload the CA root certificate as a CallManager-trust on all nodes? Do you mind sharing your TVS traces from your testing?<u></u><u></u></p>
</div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p><div><p class="MsoNormal">On Mon, Aug 11, 2014 at 4:34 PM, Heim, Dennis <<a href="mailto:Dennis.Heim@wwt.com" target="_blank">Dennis.Heim@wwt.com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">It looks like from my testing that the only way is to use the bulk certificate tool as Ryan mentioned. I installed signed certificates for TVS and Callmanager, and was unable to move a phone between both clusters.</span><u></u><u></u></p>
<div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:black">Dennis Heim | Collaboration Solutions Architect</span></b><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:black">World Wide Technology, Inc. | <a href="tel:%2B1%20314-212-1814" target="_blank">+1 314-212-1814</a></span><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none"><a href="https://twitter.com/CollabSensei" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";text-decoration:none"><img border="0" width="124" height="25" src="cid:image001.png@01CFB583.EFD17AA0" alt="twitter"></span></a><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><img border="0" width="95" height="28" src="cid:image002.png@01CFB583.EFD17AA0" alt="chat"></span><a href="tel:+13142121814" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d;text-decoration:none"><img border="0" width="95" height="28" src="cid:image003.png@01CFB583.EFD17AA0" alt="Phone"></span></a><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><img border="0" width="95" height="28" src="cid:image004.png@01CFB583.EFD17AA0" alt="video"></span><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
</div><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <a href="mailto:bmeade90@gmail.com" target="_blank">bmeade90@gmail.com</a> [mailto:<a href="mailto:bmeade90@gmail.com" target="_blank">bmeade90@gmail.com</a>] <b>On Behalf Of </b>Brian Meade<br>
<b>Sent:</b> Monday, August 11, 2014 3:15 PM<br><b>To:</b> Heim, Dennis<br><b>Cc:</b> Ryan Ratliff (rratliff); cisco-voip voyp list</span><u></u><u></u></p><div><div><p class="MsoNormal"><br><b>Subject:</b> Re: [cisco-voip] TVS & Signed Certificates<u></u><u></u></p>
</div></div><div><div><p class="MsoNormal"> <u></u><u></u></p><div><p class="MsoNormal">The important part is having the root CA uploaded as a CallManager-trust on all nodes on both clusters and having the CallManager.pem certificates CA-signed.<u></u><u></u></p>
</div><div><p class="MsoNormal" style="margin-bottom:12.0pt"> <u></u><u></u></p><div><p class="MsoNormal">On Mon, Aug 11, 2014 at 3:07 PM, Heim, Dennis <<a href="mailto:Dennis.Heim@wwt.com" target="_blank">Dennis.Heim@wwt.com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"><div><div><p class="MsoNormal"><span style="color:#1f497d">Ryan:</span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="color:#1f497d">I installed enterprise signed certificates (TVS) on both clusters. However, the usual issue between moving phones between clusters is still there. Apparently that idea does not work.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="color:#1f497d"> </span><u></u><u></u></p><div><div><p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:10.0pt;color:black">Dennis Heim | Collaboration Solutions Architect</span></b><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;color:black">World Wide Technology, Inc. | <a href="tel:%2B1%20314-212-1814" target="_blank">+1 314-212-1814</a></span><u></u><u></u></p></div>
<p class="MsoNormal" style="text-autospace:none"><a href="https://twitter.com/CollabSensei" target="_blank"><span style="text-decoration:none"><img border="0" width="124" height="25" src="cid:image001.png@01CFB583.EFD17AA0" alt="twitter"></span></a><u></u><u></u></p>
<div><p class="MsoNormal" style="text-autospace:none"><span style="color:#1f497d"><img border="0" width="95" height="28" src="cid:image002.png@01CFB583.EFD17AA0" alt="chat"></span><a href="tel:+13142121814" target="_blank"><span style="color:#1f497d;text-decoration:none"><img border="0" width="95" height="28" src="cid:image003.png@01CFB583.EFD17AA0" alt="Phone"></span></a><span style="color:#1f497d"><img border="0" width="95" height="28" src="cid:image004.png@01CFB583.EFD17AA0" alt="video"></span><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none"><span style="color:black"> </span><u></u><u></u></p></div></div><p class="MsoNormal"><span style="color:#1f497d"> </span><u></u><u></u></p><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Ryan Ratliff (rratliff) [mailto:<a href="mailto:rratliff@cisco.com" target="_blank">rratliff@cisco.com</a>] <br><b>Sent:</b> Monday, August 11, 2014 9:48 AM<br><b>To:</b> Heim, Dennis<br>
<b>Cc:</b> cisco-voip voyp list<br><b>Subject:</b> Re: [cisco-voip] TVS & Signed Certificates<u></u><u></u></p></div></div><div><div><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal">Yes, but not by nature of the TVS cert itself being CA-signed. Since the TVS cert will get into the ITL who signs it doesn't matter. <u></u><u></u></p>
<div><p class="MsoNormal">Why it may help is because TVS will authorize any cert in the local server's trust store. If the other certs (the ones the endpoint presents to TVS) are CA-signed and TVS has the root cert available then in theory any cert signed by that root cert will be authorized, regardless of whether the actual cert has been uploaded to UCM. <u></u><u></u></p>
<div><p class="MsoNormal">This of course is an educated guess, and I'd thoroughly test it in the lab first.<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p><div><p class="MsoNormal">-Ryan <u></u><u></u></p>
</div><p class="MsoNormal"> <u></u><u></u></p><div><div><p class="MsoNormal">On Aug 8, 2014, at 8:15 PM, Heim, Dennis <<a href="mailto:Dennis.Heim@wwt.com" target="_blank">Dennis.Heim@wwt.com</a>> wrote:<u></u><u></u></p>
</div><p class="MsoNormal"> <u></u><u></u></p><div><div><p class="MsoNormal">If you used signed certificates by your enterprise CA for TVS, would that allow TVS to validate across multiple clusters if both clusters TVS certificates were signed by the same CA?<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal">I am trying to determine if there would ever be an advantage to doing a non-self signed certificate on the TVS.<u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:10.0pt">Dennis Heim | Collaboration Solutions Architect</span></b><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt">World Wide Technology, Inc. | <a href="tel:%2B1%20314-212-1814" target="_blank">+1 314-212-1814</a></span><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none"><a href="https://twitter.com/CollabSensei" target="_blank"><span style="text-decoration:none"><image001.png></span></a><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none">
<image002.png><a href="tel:+13142121814" target="_blank"><span style="color:windowtext;text-decoration:none"><image003.png></span></a><image004.png><u></u><u></u></p><p class="MsoNormal" style="text-autospace:none">
<u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p></div><p class="MsoNormal">_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><u></u><u></u></p></div></div><p class="MsoNormal"> <u></u><u></u></p></div></div></div>
</div></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><u></u><u></u></p></blockquote></div><p class="MsoNormal"> <u></u><u></u></p></div></div>
</div></div></div></blockquote></div><p class="MsoNormal"><u></u> <u></u></p></div></div></div></div></div></blockquote></div><br></div>