<div dir="ltr">Ryan, <div><br></div><div>Could you elaborate a little on this change ? I did an upgrade on my lab system to 11.5(1)su3a and after the upgrade I see from the output of 'show itl' that the callmanager.pem is still the signer of the ITL file.</div><div><br></div><div>Would the ITLRecovery only be the signer of the ITL on a fresh install of 11.5(1)su3/3a ?</div><div><br></div><div>The release notes for su3 have a revision history update on October 23rd that says "Removed Enhanced CTL and ITL Trust information, which is not available with
this release." I'm not sure if that's related to your comment or if something has changed.</div><div><br></div><div>Justin</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 20, 2017 at 10:13 AM, Ryan Ratliff (rratliff) <span dir="ltr"><<a href="mailto:rratliff@cisco.com" target="_blank">rratliff@cisco.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
Additionally in 11.5SU3 and 12.0 we now sign the ITL and tokenless CTL files with the ITLRecovery certificate instead of CallManager.pem.
<div><a href="https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/11_5_1/SU3/cucm_b_release-notes-cucm-imp-1151su3/cucm_b_release-notes-cucm-imp-1151su3_chapter_00.html#reference_9C103B26C27EFA3008B593B943A6950C" target="_blank">https://www.cisco.com/c/en/us/<wbr>td/docs/voice_ip_comm/cucm/<wbr>rel_notes/11_5_1/SU3/cucm_b_<wbr>release-notes-cucm-imp-<wbr>1151su3/cucm_b_release-notes-<wbr>cucm-imp-1151su3_chapter_00.<wbr>html#reference_<wbr>9C103B26C27EFA3008B593B943A695<wbr>0C</a></div>
<div><br>
</div>
<div>This should greatly reduce the risk of inadvertent trust list issues caused by certificate operations. </div><span class="HOEnZb"><font color="#888888">
</font></span><div><span class="HOEnZb"><font color="#888888"><br>
<div>-Ryan </div></font></span><div><div class="h5">
<br>
<div>
<div>On Oct 19, 2017, at 3:08 PM, Brian Meade <<a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a>> wrote:</div>
<br class="m_-1789507279161489631Apple-interchange-newline">
<div>
<div dir="ltr">In 10.x, CTL/ITL are signed by the CallManager.pem if you do tokenless. There's a recovery key in the ITL so you can run "utils itl reset localkey" to resign the ITL with the recovery key to recover your cluster. But this doesn't help
you with devices that don't support SBD like Jabber.
<div><br>
</div>
<div>In 11.x, CTL/ITL are signed by the CallManager.pem if you do tokenless but there's also a recovery key for the CTL. You can run "utils ctl reset localkey" to resign the CTL with the recovery key to recover your cluster.</div>
<div><br>
</div>
<div>So I'd recommend in your case that you upgrade to 11.x first or use physical tokens.</div>
<div><br>
</div>
<div>The latest 11.5 SU requires you to order a free encryption license through PUT as well.</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Oct 17, 2017 at 2:01 PM, Ryan Huff <span dir="ltr">
<<a href="mailto:ryanhuff@outlook.com" target="_blank">ryanhuff@outlook.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto">Looking at enabling sRTP on a 10.x cluster (CUCM, EXPRESSWAY, CXN, UCCX). As I have been researching this topic; I’ve found the “riskiest” task to be enabling CTL / Mixed Mode in CUCM. Specifically, if you have devices that do not support
Security By Default.
<div><br>
</div>
<div>It’s my understanding that once the callmanager cert changes, any device that can’t negotiate with the TVS service to establish verification will not be able to download the new CTL, and therefore not be able to re-register to CUCM until their
CTL is removed.</div>
<div><br>
</div>
<div>The device/trunk security profile configurations seems straight forward as do the steps to take on CUBE and Expressway (regarding the trunk security).</div>
<div><br>
</div>
<div>I haven’t completed my research into the CXN/UCCX requirements for SRTP with CUCM.</div>
<div><br>
</div>
<div>Are their any other major/general pitfalls I should look out for? Anyone have any horror stories or lessons learned to share?</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Ryan</div>
</div>
<br>
______________________________<wbr>_________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank">https://puck.nether.net/mailma<wbr>n/listinfo/cisco-voip</a><br>
<br>
</blockquote>
</div>
<br>
</div>
______________________________<wbr>_________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/<wbr>mailman/listinfo/cisco-voip</a><br>
</div>
</div>
<br>
</div></div></div>
</div>
<br>______________________________<wbr>_________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank">https://puck.nether.net/<wbr>mailman/listinfo/cisco-voip</a><br>
<br></blockquote></div><br></div>