
Change domain name on CUCM 8.5.1

lorenz84gDD
Level 1

Hello All,

I'm planning to change the domain name of my CUCM cluster (2 nodes) ver. 8.5.1

I went through this guide:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/install/8_5_1/ipchange/ipchg851.html#wp57408

and it's clearly stated that:

If you change the IP address or the hostname of a server in a Cisco Unified Communications Manager release 8.0 or later cluster, the Initial Trust List (ITL) file and the certificates in the ITL are regenerated. The regenerated files do not match the files stored on the phones.

But I also noticed that in the ver. 8.6 guide it's quite different:

If you change the IP address, hostname, and domain name of a server in a Cisco Unified Communications Manager release 8.0 or later cluster, the Initial Trust List (ITL) file and the certificates in the ITL are regenerated. The regenerated files do not match the files stored on the phones.

Is it a mistake? Are ITL files regenerated with ver. 8.5.1?

Many thanks for your attention

Lorenz

-------
have a look at my blog lgrconsulting.com


Stephen Welsh
Level 4

Hi,

Yes, ITL Files contain the self-signed certificates of the relevant TFTP & TVS CUCM Nodes, so a trust relationship can be established by default (aka Security by Default).

Because these certificates are self-signed, if you change certain parameters (i.e. the domain name) of any CUCM nodes, the certificate is regenerated, and the ITL file on ALL phones needs to be updated with the new cert. So it's critical you follow the documented procedure carefully. If you end up with any phones with ITL files out of sync, then it can prevent firmware upgrades and/or the directory and services on the phone from working.

UnifiedFX (http://www.unifiedfx.com) and Akhil Behl (author of "Securing Cisco IP Telephony Networks") hosted a series of webinars recently that covers this topic in detail. I recommend you watch the following videos:

FREE Educational seminars on The Essentials of Endpoint Security & Compliance
• Session 1: The Impact of Security by Default (Recording: http://goo.gl/2yJaKm)
• Session 2: Understanding and Managing ITL & CTL Files (Recording: http://goo.gl/w05Dqh)
• Session 3: Leading Practices for Endpoint Security & Compliance (Recording: http://goo.gl/GuXy2P)

Of particular note is the Endpoint Report that can be used to check for ITL Issues before/after an upgrade as well as provide information that will prevent you from visiting every IP Phone to manually remove ITL Files.

Kind Regards.

Stephen Welsh

Ayodeji Okanlawon
VIP Alumni

Lorenz,

If I were you, I would stick with the first document that states that the ITL files will be regenerated, therefore invalidating the certificates on the phones.

The document below categorically states that changing the hostname or domain name will regenerate all certs on the phone:

https://supportforums.cisco.com/docs/DOC-17679

Changing Host Names or Domain Names

Changing the hostname or domain name of a CM server regenerates all certificates at once on that server. In the certificate regeneration section above we learned that regenerating both TVS.pem and CallManager.pem is a "bad thing".

Please rate all useful posts

"opportunity is a haughty goddess who wastes no time with those who are unprepared"
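Both replies above describe the same mechanism: the ITL carries the self-signed TFTP/TVS certificates, the phone only accepts a new ITL if it is signed by a certificate it already trusts, and regenerating CallManager.pem/TVS.pem after a hostname or domain change breaks that chain. The script below is an added illustration written for this thread; it is not Cisco code, not the real ITL format, and not from either poster. It models a node certificate as a subject plus a textbook RSA public key (small Mersenne primes, for illustration only), an ITL as a signed list of such certificates, and a phone that pins the signer of its last accepted ITL. The phone names, domains and key parameters are constructed.

```python
import hashlib
import json
from dataclasses import asdict, dataclass

# Constructed toy RSA parameters (Mersenne primes) so the script runs with the
# standard library only. Far too small for real use; they only make the
# "new key pair versus old trust anchor" effect visible.
OLD_PRIMES = (2**61 - 1, 2**89 - 1)
NEW_PRIMES = (2**107 - 1, 2**127 - 1)
E = 65537


@dataclass(frozen=True)
class Cert:
    """Self-signed node certificate as the phone sees it: subject + public key."""
    subject: str
    n: int
    e: int

    def fingerprint(self) -> str:
        return hashlib.sha1(f"{self.subject}|{self.n}|{self.e}".encode()).hexdigest()


def make_node_cert(hostname: str, domain: str, primes):
    """Regenerating a node cert yields a new subject AND a new key pair."""
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)
    return Cert(f"{hostname}.{domain}", n, E), (n, d)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(cert: Cert, data: bytes, sig: int) -> bool:
    return pow(sig, cert.e, cert.n) == _digest(data, cert.n)


def build_itl(tftp_cert: Cert, tftp_priv, tvs_cert: Cert) -> dict:
    """Toy ITL: the TFTP and TVS certs, signed by the TFTP node's CallManager key."""
    body = json.dumps(
        [{"role": "TFTP", **asdict(tftp_cert)}, {"role": "TVS", **asdict(tvs_cert)}],
        sort_keys=True,
    ).encode()
    return {"body": body, "signer": tftp_cert.fingerprint(), "sig": sign(tftp_priv, body)}


def itl_certs(itl: dict) -> dict:
    certs = [Cert(ent["subject"], ent["n"], ent["e"]) for ent in json.loads(itl["body"])]
    return {c.fingerprint(): c for c in certs}


class Phone:
    """Keeps the last accepted ITL; a new ITL must be signed by a cert already in it."""

    def __init__(self, name: str, first_itl: dict):
        self.name = name
        self.itl = first_itl                  # first ITL is trusted on first use
        self.trusted = itl_certs(first_itl)

    def accept_itl(self, new_itl: dict) -> bool:
        signer = self.trusted.get(new_itl["signer"])
        if signer is None or not verify(signer, new_itl["body"], new_itl["sig"]):
            return False                      # out of sync: the stale ITL stays
        self.itl, self.trusted = new_itl, itl_certs(new_itl)
        return True


def out_of_sync(phones, current_itl: dict):
    """Phones whose stored ITL was signed by a different cert than the cluster's current ITL."""
    return [p.name for p in phones if p.itl["signer"] != current_itl["signer"]]


def simulate_domain_change():
    # Cluster before the change: the publisher provides both TFTP and TVS.
    cm_old, cm_old_priv = make_node_cert("cucm-pub", "old.example", OLD_PRIMES)
    itl_old = build_itl(cm_old, cm_old_priv, cm_old)
    phones = [Phone("SEP-A", itl_old), Phone("SEP-B", itl_old)]

    # Domain change regenerates CallManager.pem / TVS.pem: new subject, new key.
    cm_new, cm_new_priv = make_node_cert("cucm-pub", "new.example", NEW_PRIMES)
    itl_new = build_itl(cm_new, cm_new_priv, cm_new)

    accepted = {p.name: p.accept_itl(itl_new) for p in phones}
    return accepted, out_of_sync(phones, itl_new)


if __name__ == "__main__":
    accepted, stale = simulate_domain_change()
    print("phones accepting the regenerated ITL:", accepted)
    print("phones out of sync with the cluster ITL:", stale)
```

An ITL re-signed with the unchanged key (for example after adding an entry) is accepted by the phone, which is why routine ITL updates are invisible; only the regenerated signer breaks the chain, and `out_of_sync` is the kind of before/after comparison an endpoint report performs so that stale phones are found without visiting each one.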