We are migrating one of our customers' CUCM from 8.6 to 10.5 using PCD. Since the customer wants to move this to a new UCS server and move to the DC, we have to change the hostname and IP address of the servers as well. We finished the migration over the weekend; since we did a network migration with PCD, I didn't do the last step of shutting down the current 8.6 PUB and SUB servers, so it did not pause for Bulk certificate changes. This coming weekend we are cutting them over to the new CUCM and I'm a little confused on the Bulk Certificate process. Here is what I'm planning to do; let me know if this is going to cause any issues.
1. Migrate the Bulk Certificate Process using this procedure, change the TFTP IP address on the DHCP, and reset the phones from the current CUCM, hoping they will register to the new CUCM. Is this the correct way to do it or am I missing something here? Please let me know.
For information on performing a CTL update, see the “Security basics” section in Cisco Unified Communications Manager Security Guide: http://www.cisco.com/en/US/products/sw/voicesw/ps556/prod_maintenance_guides_list.html
Bulk certificate management must be done manually on both source nodes and destination nodes. Both source nodes and destination nodes must be up and running at this point. Phones are registered with the source nodes.
Follow the steps in the sections below to manage certificates on destination and source nodes.
Step 1: On the Destination Cluster Publisher, navigate to Cisco Unified Operating System Administration and choose Security > Bulk Certificate Management.
Step 2: Define the Central SFTP server IP address, port, user, password, and directory.
Step 3: Use the Export button to export all TFTP certificates from the destination cluster to the central SFTP server.
Step 4: On the Source Cluster Publisher, navigate to Cisco Unified Operating System Administration. Select Security > Bulk Certificate Management.
Step 5: Define the Central SFTP server with same parameters used in Step 2.
Step 6: Click the Export button to export all TFTP certificates from source cluster to the central SFTP server.
Step 7: Click the Consolidate button to consolidate all the TFTP certificates on the central SFTP server. This step can be performed on either the source or destination cluster, using the Bulk Certificate Management interface.
Step 8: On the Source cluster, click the Bulk Certificate Import button to import the TFTP certificates from the central SFTP server.
Step 9: On the Destination cluster, click the Bulk Certificate Import button to import the TFTP certificates from the central SFTP server.
Use DHCP option 150, or some other method, to point the phones to the new destination cluster TFTP server. Upon reset or power cycle, the phones will download the new destination cluster ITL file and attempt to authenticate the new ITL file signature with the certificates in the existing ITL file. No certificate in the existing ITL file can be used to authenticate the signature, so the phone requests the signer's certificate from the old TVS server on the source cluster. The phone sends this request to the source cluster TVS service on TCP port 2445. The bulk certificate exchange in steps 1 through 9 provides the TVS service in the source cluster with the TFTP certificate on the destination cluster that signed the new ITL file. TVS returns the certificate to the phone, which allows the phone to authenticate the signature and replace the old ITL file with the newly downloaded ITL file. The phone can now download and authenticate the signed configuration files from the new destination cluster.
Thanks for your help.
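The trust decision described in the quoted procedure, as an added example that is not part of the original post or of Cisco's documentation. It is a simplified model of the phone's ITL check: the class names, function names and certificate labels are assumptions made for illustration, and no real signature verification is performed.

```python
from dataclasses import dataclass

TVS_PORT = 2445  # TCP port the phone uses to query TVS, per the procedure text

@dataclass(frozen=True)
class ItlFile:
    signer: str         # certificate that signed this ITL file
    trusted: frozenset  # certificates listed inside the ITL file

@dataclass
class TvsService:
    store: set              # certificates this cluster's TVS can return
    reachable: bool = True  # source nodes must stay up during the move

    def lookup(self, cert):
        if not self.reachable:
            raise ConnectionError(f"TVS unreachable on tcp/{TVS_PORT}")
        return cert if cert in self.store else None

def phone_accepts(current, new, source_tvs):
    """Return (accepted, reason) for a phone evaluating a newly downloaded ITL."""
    if new.signer in current.trusted:
        return True, "signer already in existing ITL"
    try:
        if source_tvs.lookup(new.signer) is not None:
            return True, "signer returned by source TVS"
    except ConnectionError as exc:
        return False, str(exc)
    return False, "signer unknown to existing ITL and to source TVS"

# Constructed sample data: the certificate names are placeholders.
OLD_ITL = ItlFile("old-tftp", frozenset({"old-tftp", "old-tvs"}))
NEW_ITL = ItlFile("new-tftp", frozenset({"new-tftp", "new-tvs"}))

def scenarios():
    before_bulk = TvsService({"old-tftp", "old-tvs"})
    after_bulk = TvsService({"old-tftp", "old-tvs", "new-tftp"})
    source_down = TvsService({"old-tftp", "old-tvs", "new-tftp"}, reachable=False)
    return {
        "import skipped": phone_accepts(OLD_ITL, NEW_ITL, before_bulk),
        "import done": phone_accepts(OLD_ITL, NEW_ITL, after_bulk),
        "source powered off": phone_accepts(OLD_ITL, NEW_ITL, source_down),
    }

if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:20} accepted={ok}  {reason}")
```

Only the "import done" case accepts the new ITL, which is why the import on the source cluster has to precede the DHCP option 150 change and why the source nodes have to stay reachable while phones are still being moved.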
Make sure to do the export from both clusters and then you only run the consolidate from one cluster. After that, you import to both clusters.
Thanks for your quick response. Just to clarify, I have to do this at the time of cutover, before I restart the phones to register to the new CUCM 10.x, correct?
Thanks for your help again.
Yea, you need to have this done before you change the TFTP cluster over to the new server or else the phones will just stay registered to the old cluster.
We still had issues. Old phone models had no problems, but with all other models we had some issues; we ended up changing the CM servers back to the old IP to fix the issue.
Thanks, you followed the procedure from the security guide and still had issues with ITL?
Did you have TAC troubleshoot on this?
Could you please specify the phone models you ran into issues with for authentication of the new cluster?
I am going to have new SIP phones on the 10.5 cluster and SCCP phones from old cluster.
Will perform bulk certificate anytime this weekend. Do let me know your experience.
We were able to successfully migrate phones (7911/41/61/42/62) from 8.0.3 to 10.5.2, with no issues.
We exported the bulk certs from both clusters, consolidated and then imported in 8.0 cluster.
Change DHCP option 150 and then reset all the phones.
When I pressed the Consolidation button in the old cluster, I got the error message "Sftp operation failure".
I have found that there was a bug with a similar issue: CSCua20054
Does somebody know what the root cause of this is? Thanks.
Not a lot of detail in the log about which files are being accessed. You may want to check your directory and file permissions so the SFTP user has Read/Write privileges.
The problem is that the security libraries in 8.x and 10.5.2+ are incompatible. This is why you cannot consolidate the certificates by using the older version. However, you can consolidate them through the new cluster but then you will not be able to import the BULK store back to the old version.
More details -> CSCuy43181
Thanks. The bug has the same date that I opened the case. Finally, I used the rollback pre-version 8 parameter and I had no problems migrating the phones from the CUCM 8 cluster to CUCM 10.5.
I will have to migrate the old cluster 8.6.2 to the new 11.5. So the old CUCM will need to be up after migration, then I will migrate to a different IP address in the new cluster.
My doubt is about the Bulk Certificate Management: in the migration task step via PCD, the process will stop for bulk certificate and consolidate inside of the old CUCM. After doing that, I would like to migrate the phones step by step to the new cluster, because there are a lot of sites in different time zones.
Will I need to maintain both servers up until I move all phones to the new cluster?
Is there another or different way to migrate the certificates to the new cluster?