
New Member

Upgrade CUCM phone security issue

Hi,

I have a Call Manager 6.1 and I will upgrade it to 8.5.

The issue is that I have a CTL installed in my version 6 and secured IP phones, and I want to work with the same CTL in version 8 without upgrading it.
I don't want to have to go through each phone and upgrade the CTL.
Can I upgrade my CUCM to 8 without modifying the CTL, and what's the procedure?

Regards

7 REPLIES
VIP Super Bronze

Upgrade CUCM phone security issue

Can I upgrade my CUCM to 8 without modifying the CTL, and what's the procedure?

As long as you do not renew or regenerate any of the certificates included in the CTL (CUCM, TFTP, CAPF, etc) you can upgrade the cluster without rebuilding the CTL. Also, as long as a new version of the CTL is signed by at least one of the tokens that was included in the version already downloaded, the phone will automatically download a newer CTL version.

The CTL Client on your workstation would have to be upgraded the next time you need to modify the CTL though.

Lastly, be sure that you understand the new TVS and ITL mechanisms in CUCM 8.0+. Both of them interact with CTL if you have a mixed mode cluster.

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_6_1/secugd/secuview.html

Please remember to rate helpful responses and identify helpful or
New Member

Re: Upgrade CUCM phone security issue

Hi Jonathan,

When I upgrade the cluster and I take a phone directly from version 6 to my new version 8, it doesn't want to register and is rejected (security issue). When I remove the security profile from the phone, then the phone moved from version 6 to version 8 works.

The issue is that I have 4000 IP phones to move from version 6 to version 8 and need the security to be set.

Regards

VIP Super Bronze

Re: Upgrade CUCM phone security issue

Moving a phone from one cluster to another, as opposed to upgrading the same 6.x cluster to 8.0, is an entirely different matter.

If you are changing clusters and both are in mixed mode, then the new CTL must be signed by one of the tokens that was included in the 6.x CTL; otherwise, the phone will not accept the new CTL nor the ITL and, by extension, its TFTP config file.

Please remember to rate helpful responses and identify helpful or
New Member

Re: Upgrade CUCM phone security issue

Hi Jonathan,

In fact, I am moving from physical to virtual.

Please tell me what the procedure is to do the upgrade without the need to go through all the phones.

Should I sign the CTL before the DRS procedure in version 6, or after?

If I sign the CTL and upload it to the new CUCM 8, will all the phones automatically get the new CTL? Or is there a conflict between the old CTL and the new one?

If I have DNS in my version 6 installation, is there any security issue if I install version 8 without DNS?

Thank you for your help

VIP Super Bronze

Re: Upgrade CUCM phone security issue

If you're migrating to UCS, the way this should go is:

  • Upgrade the MCS servers to 8.0(2) or newer so that it supports UCS.
  • Install the exact same upgraded version on UCS.
  • Perform a DRS backup of the MCS cluster and restore it to the UCS install one node at a time.
  • Upgrade the UCS cluster to 8.6 or beyond (which MCS likely didn't support).

If you do a DRS backup and restore, the certificates and the CTL file should come forward with it. I'm confused why you're talking about building a new 8.x cluster and moving toward it.

If you're dead set on doing a new cluster, then you would want to reuse the same security tokens to sign your 8.x CTL file. Since those tokens are already trusted in the 6.x CTL, the phone will accept the new CTL.

Please remember to rate helpful responses and identify helpful or
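
The acceptance rule stated in the replies above (a phone takes a newer CTL only when it is signed by a token listed in the CTL it already holds, and regenerated certificates mean the CTL no longer matches the cluster) can be modelled as below. This is an added example, not part of the original posts and not Cisco code; the `Ctl` structure, the token serials and the certificate bytes are constructed assumptions for illustration.

```python
# Added example: a model of the CTL trust rule from the replies above.
# Token serials and certificate bytes are constructed sample data, not real CTL contents.
import hashlib
from dataclasses import dataclass

def fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 digest, used only to tell an unchanged cert from a regenerated one."""
    return hashlib.sha256(cert_bytes).hexdigest()

@dataclass
class Ctl:
    signer: str    # serial of the security token that signed this CTL
    tokens: set    # serials of every security token listed in the CTL
    certs: dict    # role (CUCM, TFTP, CAPF) -> certificate fingerprint

def roles_needing_rebuild(ctl: Ctl, cluster_certs: dict) -> list:
    """Roles whose live certificate no longer matches the CTL entry."""
    return sorted(r for r, fp in cluster_certs.items() if ctl.certs.get(r) != fp)

def phone_outcome(installed: Ctl, offered: Ctl) -> str:
    """Predict what a phone holding `installed` does when it is offered `offered`."""
    if offered == installed:
        return "unchanged"      # e.g. CTL carried forward by a DRS restore
    if offered.signer in installed.tokens:
        return "auto-update"    # signed by an already-trusted token
    return "rejected"           # phone refuses the new CTL

# Constructed 6.x state: two tokens, three certificate entries.
old_certs = {r: fingerprint(f"old-{r}".encode()) for r in ("CUCM", "TFTP", "CAPF")}
OLD_CTL = Ctl("TOKEN-A", {"TOKEN-A", "TOKEN-B"}, old_certs)

# Constructed new-cluster state: fresh install, so every certificate differs.
new_certs = {r: fingerprint(f"new-{r}".encode()) for r in old_certs}
RESTORED = Ctl("TOKEN-A", {"TOKEN-A", "TOKEN-B"}, dict(old_certs))
RESIGNED = Ctl("TOKEN-B", {"TOKEN-A", "TOKEN-B"}, new_certs)
FOREIGN = Ctl("TOKEN-X", {"TOKEN-X", "TOKEN-Y"}, new_certs)

if __name__ == "__main__":
    print("live certs vs old CTL:", roles_needing_rebuild(OLD_CTL, new_certs))
    for name, ctl in [("restored", RESTORED), ("re-signed", RESIGNED), ("foreign", FOREIGN)]:
        print(f"{name:10} -> {phone_outcome(OLD_CTL, ctl)}")
```

The "foreign" case corresponds to a freshly built cluster whose CTL was signed with tokens the phones have never seen, which is the situation where each phone would need to be touched.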
New Member

Re: Upgrade CUCM phone security issue

Hi Jonathan,

Yes, I am using DRS from my version 6 to my version 8.

If I understand well, I just have to sign my version 6 CTL with the version 8 Call Manager and the phones can register with version 8?

New Member

Upgrade CUCM phone security issue

Hi Jonathan,

Firstly, excellent post, thanks for sharing!

Quick questions regarding the upgrade and security.

We are migrating a cluster from a 7.1 MCS appliance to 8.6 on UCS.

The upgrade process we are using is as follows.

1. Upgrade existing 7.1.5 to 8.0.3 - Take DRS backup

2. Build 8.0.3 on new UCS using the DRS backup above

3. Upgrade this now to 8.6

Jonathan, you mention --> If you do a DRS backup and restore the certificates and the CTL file should come forward with it.

Is there any chance the CTL file won't come across to 8.0.3 / then 8.6 after the upgrade on UCS or any platform?

And if, for instance, the CTL file didn't come across with the upgrade, what is the process to rectify?

Would we reuse the same security tokens from 7.1.5 to sign a new 8.x CTL file on the 8.6 box?

Also, are there any gotchas we need to be aware of, i.e. dependencies that will affect the CTL, for example:

Changing hostname once we upgrade to 8.6 on UCS

Changing IP address once we upgrade to 8.6 on UCS

Changing DNS

MAC address changing

etc.

thank you kindly

Allan
