Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How can I validate a security password on CUCM 8.6?

Hi all,

we need to check if the security password is documented correct for a CUCM 8.6 cluster.

Is there a way to validate a given security password like a CLI command "validate security password"?

The only way I know is setting up a system in the lab and check if I can restore a backup.

I know I can reset the security password, but that's something I want to avoid because it requires rebooting the servers.

Thank you in advance

Jörg

Everyone's tags (2)
13 REPLIES
Cisco Employee

How can I validate a security password on CUCM 8.6?

No, there's no way to validate the security pwd.

The only method to see if it's correct or not is what you mention, either do a restore or change it.

HTH

java

If this helps, please rate

www.cisco.com/go/pdihelpdesk

HTH

java

if this helps, please rate

www.cisco.com/go/pdi
New Member

Jamie,There is a way to

Jamie,

There is a way to validate the password, without changing the password.

I have just tested it. The trick is to reset the password with a new password which is based on a dictionary word!

Example: "cisco123"

 

If the Old password is entered correctly - you will get the following error when you attempt to change the password:

 

"BAD PASSWORD: It is based on a dictionary word"

 

If the old password is incorrect, you will a different error (as below) and hence you can validate if your security password is as you suspect or not!

"The old password did not match"

Gerry

 

 

New Member

I have confirmed that this

I have confirmed that this procedure works - I needed to verify a cluster security password for a client, and your method did work and I was able to verify the password without changing it.


Thank you for the suggestion!

 

Pete

New Member

I know its an old thread, but

I know its an old thread, but wanted to Thank you.  I am rolling out a new CUCM environment.  I was able to confirm my CUCM security passcode because I was able to add an IMP server.  But we're going to add a second CUC server later, so I wanted to confirm the CUC security code before starting to configure it.  I found this article, and it worked like a charm.

I tried to validate the

I tried to validate the security password on CUCM.

Used the command set password user security, entered the password which I have at the prompt.

Then it is asked me to enter the password, entered the previous password, it gave error as old and new password is same.

Again used the command set password user security and entered some other word as password, this time also it accepted the password and prompted me to enter new password.

Seems like, this way we can't validate the security password.

Cisco Employee

Again used the command set

Again used the command set password user security and entered some other word as password, this time also it accepted the password and prompted me to enter new password.

When it prompted to enter the new password, did you enter the new password or left the process at that time. I believe you did not because if you had then only system would have checked the password that you entered first time after issuing the set password user security command and should have issued something like below since you entered the wrong password intentionally

Continue (y/n)?y

Please wait...

The old password did not match.

Secondly, I do not understand why would someone play with it like this in a real environment unless they are facing one of the below issues:

1) If you are going to add the second server to the existing cluster. During this, system will check if the Security Password matches with the primary node or not. If not, then the DB replication will not come up at all

2) If the DRS backup was taken of a UCCX system or any other UC system for that matter, then while doing the restore system will ask you to enter the Security Password and if it does not match with the one that was there while the backup was taken then the restore will not go through.

BTW, there is a Password Guess utility available in the platform config file that can be accessed only by TAC using the root of your system if you really want to test your Security Password. However, I would definitely not take the risk of playing with Security Password in a production environment using CLI unless I am facing one of the above issues as mentioned above.

Regards

Deepak

Hi Deepak,

Hi Deepak,

Thanks for the response.

"If the DRS backup was taken of a UCCX system or any other UC system for that matter, then while doing the restore system will ask you to enter the Security Password and if it does not match with the one that was there while the backup was taken then the restore will not go through."

I have been provided with a password, but no one knows that is correct or not.

Incase if it is not correct, the cluster is running at risk as backup can't be restored in DR situation.so wanted to validate the password.

New Member

i have a cucm , unity and

i have a cucm , unity and presence , is it possible to try it on a presence subscriber node to avoid any effect on a production environment? do all nodes share the same security password?

Cisco Employee

Hi,

Hi,

It has to be done on all server otherwise they would stop replicating database. Also DRS has to run again aftre changing the security password through out the cluster.

JB

New Member

Every node in a cluster will

Every node in a cluster will use the same password, so you are able to test it from any server in that cluster.  But we need to define a cluster based on what you were asking.

Unity and CUCM are two completely separate entities.  Even though there is a high likelihood that whoever built your system used the same passwords, they didnt necessarily have to.  Then on to Presence, it depends on the version.  If its 9 and below, Presence was also its own separate cluster.  In version 10 and above, it is part of the CUCM cluster.

New Member

There is no official way of

There is no official way of validating this but I found an unofficial way which worked for me.

  • Try to change the password with command ‘set password user security’
  • It will prompt you to type existing password
  • Then it will prompt you to type new password

 

If you enter the existing and new password the same and if the existing password is correct, it will give you an error ‘please use a password different from the existing one

 

Press Ctr-C for a forceful log out. 

New Member

FYI, this is not valid. If

FYI, this is not valid.

 

If you use the command "set password user security" and you type in anything for the "old password" and you type the same thing in for "new password" it will say that "old and new password are the same" - therefore it's not checking it against the current security password.

The post that gorourke posted below however IS valid.

New Member

My results weren't quite as

My results weren't quite as advertised, so I thought I'd share.  Applies to CUCM 7.1.5.34063-1

This is what I found as the output when doing this trick, and guessing correctly the old password:

admin:set password user security
Please enter the old password: *********
Please enter the new password: ******** <--cisco123
Reenter new password to confirm: ******** <--cisco123
The Security password has now been reset <-- (well, not really, keep going)

WARNING:
Please make sure that the security password on the publisher is changed first.
The security password needs to be the same on all the cluster nodes,
or the publisher and subscriber(s) will not communicate.
After changing the security password on a cluster node, please restart that node.

Continue (y/n)?y

Please wait...


Executed command unsuccessfully
BAD PASSWORD: it is based on a dictionary word

This is what I saw when my password guess was wrong:

admin:set password user security
Please enter the old password: ***********
Please enter the new password: ********
Reenter new password to confirm: ********
The Security password has now been reset

WARNING:
Please make sure that the security password on the publisher is changed first.
The security password needs to be the same on all the cluster nodes,
or the publisher and subscriber(s) will not communicate.
After changing the security password on a cluster node, please restart that node.

Continue (y/n)?y

Please wait...


Executed command unsuccessfully
Password changed too soon

4253
Views
30
Helpful
13
Replies
CreatePlease to create content