SBD Issue and Cisco Hardware Keys

phil
Level 1

Hello,

We have call manager 8.0(2) and this uses SBD. I'm sorry if this sounds like a bit of a daft question but we have a number of clusters and we need to be able to move the phones from one to another without having to delete the ITL file most, if not all, the time. Rolling back to pre 8 CUCM is not an option nor is a centralised SFTP server. I've looked on the support forum here and there is an option to use the Cisco Hardware USB keys (KEY-CCM-ADMIN-K9) which apparently simplify the transfer of phones between clusters. This seems the way to go for us. We don't need encrypted calls or anything like that. All we need is the ability to move phones about in the simplest way. I understand that the keys always come in pairs when you purchase them. Can the keys be reused or are they linked to one particular cluster (i.e. if we have 9 clusters do we need 9 sets of keys)? From what I could find it seems you only need one pair of keys no matter how many clusters you have but I'm not too sure. Could anyone point me in the right direction with regards to how to use them for this, as info on them seems a little sketchy?

Thanks very much

Phil

Stephen Welsh
Level 4

Hi Phil,

The USB keys are really just Cisco Signed Certificates that can be used to sign/encrypt various elements of Phone communications. In your case you are using the keys in their most basic form to remove the need for ITL files on the phone associated with Security by Default (SBD). In that case you are signing the phone's config sent from the TFTP server using CTL files instead of the SBD self-generated ITL files.

This is a wise approach as there have been a number of issues with ITL files that have only been possible to resolve by deleting the ITL file from the phone, in some cases manually. So you don't need to enable encryption etc. if you just use them to sign the phone configuration, and as you can install the certificates across multiple clusters this will allow the CTL file to trust any cluster and simplify the movement of phones between clusters.

As far as the number of USB keys to buy/use, I believe technically you can share one pair of keys across multiple clusters, however if you need to update a cluster at some stage and require the certificates from the USB keys, keep in mind the logistics of moving the keys from one cluster to another. Also, if you do unfortunately lose both keys (this is the main reason you get two keys), which is quite possible if you are posting something that looks like a USB memory stick between offices, you may have to manually delete the CTL files from the phone before you can use replacement USB keys.

One key point I'd like to make, for any situation with SBD or USB Keys and implementing ITL/CTL files: if you ever find that you need to, or it would be best to, delete the ITL or CTL file from the phones, you do NOT have to physically go to every phone. There is a 3rd party product that provides complete endpoint management, allowing almost any operation remotely for 1000's of phones. This includes managing ITL and CTL files remotely; the product is called PhoneView and you can get it from Unified FX (http://www.unifiedfx.com)

I've embedded a video that shows how to manage ITL files remotely, the same principle applies to CTL files and any setting on the phone:

Thanks

Stephen

Hi Stephen,

Sorry about the late reply. Thanks very much for the info! We've downloaded a trial copy of PhoneView and we are looking at how it can help us. I think that the keys are the way to go personally, but if you have 8 clusters that you have configured with the keys and the CTL client, and you add another cluster, do you then have to update all the other ones to include the new cluster or am I missing something?

Thanks,

Phil

Hi Phil,

Note: The video I included is for PhoneView Version 2.1, it's not available for public download until 9th Feb.

Just to enable phones to register/move between clusters from a certificate point of view you only need to update the new cluster. However there will be other related tasks, i.e. if you have centralised TFTP you will need to update the central TFTP service with the new cluster etc.

If you think that the USB Key(s) has the root cert, and you are adding it to the new cluster, as the phones will only accept config files signed by that USB Key(s).

Thanks

Stephen

Hi Stephen,

Thanks very much for the email. The management here are going to get a pair of keys and we'll configure the call manager clusters we have.

I'll also look at downloading the newest version of PhoneView as and when it becomes available. If not for work then for my lab at home.

I'll mark the question as answered and if I come across any more issues regarding SBD then I'll open up another discussion.

Again many thanks,

Phil
