If you change the IP address or the hostname of a server in a Cisco Unified Communications Manager release 8.0 or later cluster, the Initial Trust List (ITL) file and the certificates in the ITL are regenerated. The regenerated files do not match the files stored on the phones.
But I also noticed that in the ver. 8.6 guide it's quite different:
If you change the IP address, hostname, and domain name of a server in a Cisco Unified Communications Manager release 8.0 or later cluster, the Initial Trust List (ITL) file and the certificates in the ITL are regenerated. The regenerated files do not match the files stored on the phones.
Is it a mistake? Are ITL files regenerated with ver. 8.5.1?
Yes, ITL Files contain the self-signed certificates of the relevant TFTP & TVS CUCM Nodes, so a trust relationship can be established by default (aka Security by Default).
Because these certificates are self-signed, if you change certain parameters (i.e. the domain name) of any CUCM nodes, the certificate is regenerated, and the ITL File on ALL phones needs to be updated with the new cert. So it's critical you follow the documented procedure carefully. If you end up with any phones with an out-of-sync ITL File, then it can prevent firmware upgrades and/or the directory and services on the phone from working.
UnifiedFX (http://www.unifiedfx.com) and Akhil Behl (author of "Securing Cisco IP Telephony Networks") recently hosted a series of webinars that cover this topic in detail. I recommend you watch the following videos:
FREE Educational seminars on The Essentials of Endpoint Security & Compliance
• Session 1: The Impact of Security by Default (Recording: http://goo.gl/2yJaKm)
• Session 2: Understanding and Managing ITL & CTL Files (Recording: http://goo.gl/w05Dqh)
Of particular note is the Endpoint Report that can be used to check for ITL Issues before/after an upgrade as well as provide information that will prevent you from visiting every IP Phone to manually remove ITL Files.