Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

CUCM Cluster mode change from Mixed to Non secure

Hello everyone


We have a CUCM cluster 6.1.2 and we have lost the tokens we used to create CTL

The problem is that our certificates has expired and there is no way to renew them without the security tokens


Moreover, I have manually regenerated CallManager.pem certificate, and apparently it has resigned all configuration files (correct me if I am wrong) and now some of the phones do not accept these configuration files with this error:

877: xxx 17:30:28.895819 SECD: EROR:verifyFile: sgn verify file failed </usr/ram/SEPB4A4E329D635.cnf.xml>, errclass 8, errcode 19 (signer not in CTL)

and register on the subscriber (dont know why).


Some of the phones are not able to register (rejected) with Security Mode set to Non secure, and I need to configure them with LCS, but looks like if I hard reset the phone, the CTL file on the phone will change and it will not accept the configuration file

Is there any way to disable this functionality and change the cluster mode from mixed to non-secure or somehow "unsign" the configuration files so the phones could take it?


Thank you in advance

  • IP Telephony

Accepted Solutions

Correct but the phone will

Correct but the phone will reject the new CTL if it isn't signed by the same tokens.  That's the problem we have to avoid by deleting the existing CTL on each phone.


Hi,Given the situation you


Given the situation you have described I think the simplest thing you can do is delete all the CTL (and probably ITL) files on your phones. As you no longer have access to the security tokens you will ultimately need to remove the CTL files anyway.

I recommend you have a look at PhoneView from UnifiedFX:

Here is a short demo video on managing ITL Files, it's very similar to CTL files:


New Member

Thank you, stephenwelsh Can I

Thank you, stephenwelsh


Can I change the cluster mode from Mixed to Non secure if I have no tokens? Is it possible with this command

utils ctl set-cluster non-secure-mode

Will I have to delete the CTL file from the phones manually or they will receive a new CTL once I go non-secure (an empty CTL in this case)




The process for doing this is

The process for doing this is to delete the CTL file from EACH node in the cluster:

file delete tftp CTLFile.tlv

Then restart TFTP on all nodes.

You then want to set all phones to non-secure security profiles and delete all the encrypted security profiles.

You then can run this on the publisher to change the Cluster Security Mode:

run sql update processconfig set paramvalue='0' where paramname='ClusterSecurityMode'



Check that it took affect:

run sql select paramname,paramvalue from processconfig where paramname = 'ClusterSecurityMode'


You can also check under System->Enterprise Parameters


You then need to somehow delete the CTLs off of all the phones either manually or in bulk through some sort of tool like PhoneView.  The phones will try to request the CTL after this but it will have been deleted on each node.


This isn't the supported process for doing this though.  The supported process is to buy new tokens, delete the old CTL from each node, run the CTL client with the new tokens to put into mixed mode then run CTL client again with the new tokens to switch to non-secure.  My process should achieve the same result though.


That "utils ctl set-cluster non-secure-mode" command is for CUCM 10.x only.

New Member

Thank you for your reply I

Thank you for your reply


I have purchased the PhoneView application, but it does not detecting the phones, most probably because the URL Authentication is wrong on my CUCM, and if I change it, I will need to reset all the phones. I am afraid that after reset the phones will fail to register and moreover, some of the phones are now registered to the subscriber (since CTL file on the publisher is corrupted). They register on the subscriber but with a default configuration file (they do not download a real config file with all configuration) - not sure why they register there, the subscriber has the same CTL as a publisher


If I buy the tokens, and go with the second option, will I need to remove old CTL files from the phones? If I buy new tokens, delete old CTL files from cluster, renew the certificates and CTL and then leave the cluster in MIXED mode, will I have to manually renew CTL on the phones?


Either option will require

Either option will require deleting the old CTLs from the phones in some way.  This is why you're supposed to lock up the 2 tokens in separate locations in safes when you put a cluster in mixed-mode.

New Member

They were lost by our

They were lost by our previous IT people.. What I read on the internet is that the phone requests a CTL file when it boots up. I even saw it in the console logs of the phone - it boots up, requests a CTL, compares it to the one it has in its memory and then decides whether to update it or no

Correct but the phone will

Correct but the phone will reject the new CTL if it isn't signed by the same tokens.  That's the problem we have to avoid by deleting the existing CTL on each phone.

New Member

Thank you, Brian!

Thank you, Brian!

New Member

Dear Brian,Kind reminder

Dear Brian,

Kind reminder


Thank you

This widget could not be displayed.