Cisco Support Community
New Member

CM 4 with Security (CTL list) migration

Hi Community, 

I'm preparing for the migration of 1000 IP Phones from a CM4 cluster to an existing CM 7 cluster.

The problem I'm facing is that security is enabled on the CM4 cluster (not on CM 7): all phones have a CTL file with the server addresses configured.

As a test, I tried to manually enter the TFTP server of the new cluster on a phone, but I could not save the change, as the IP address was not in the CTL list.

What would my options be here, considering the phones will switch from the old cluster to the new one after a DHCP option 150 update?

The tokens used originally are not available anymore, so I cannot make any change to the existing CTL file (my first guess was to add the new TFTP address).

Can security be disabled on all phones/the cluster without the token/CTL client?

 

Thanks

James

1 ACCEPTED SOLUTION
Cisco Employee

Hi James,

As per the security guide for CUCM 4.x:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/4_1_3/sec413/secutrbl.html#wp1029242

Delete the CTL file on the Cisco IP Phone if the following cases occur:

You lose all security tokens that signed the CTL file.

The security tokens that signed the CTL file appear compromised.

You move a phone out of a secure cluster; for example, to a storage area, to a nonsecure cluster, or to another secure cluster in a different domain.

You move a phone from an area with an unknown security policy to a secure cluster.

You change the alternate TFTP server address to a server that does not exist in the CTL file.

HTH

Manish

6 REPLIES
New Member

Thanks Manish, 

Really no other alternatives than manually deleting the CTL file on 1000 phones?

I know there is also (expensive?) software such as PhoneView that can help with doing this, but I have no budget for this.

What about bringing "new" tokens to re-sign all certificates, and eventually disable everything?

 

Thanks

James

Cisco Employee

Hi James,

I am not sure about any other options or the cost involved in using any third-party app. Let's see if someone else wants to provide input on this one.

Manish

There are 3rd-party tools to do this for 5.x and up; I have not seen one for 4.x.

Cisco Employee

Nope, you have no other option than deleting the CTL from every single phone. You can blame whoever misplaced the tokens, or whatever may have happened to them.

What about bringing "new" tokens to resign all certificates? and eventually disable everything. 
NO, because the phones already have a list of what to trust, signed by a token which you no longer have, and that is the only one they trust. If you do that, all you'll achieve is to bring down your entire infrastructure, as the phones will no longer even trust the TFTPs and CUCMs as they do now.

HTH

java

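To make the trust rule behind Manish's list from the security guide and Jaime's answer concrete, here is an added Go model of it. This is example code written for this page, not Cisco's CTL client or any phone firmware. It assumes Ed25519 keys in place of the X.509 certificates a real CTL carries, only two entry roles (SAST for a token, CCM+TFTP for a server), constructed addresses 10.1.1.10 for the CM 4 cluster and 10.2.2.10 for the CM 7 cluster, and a phone that accepts any CTL when it holds none but afterwards only one signed by a token already listed in its installed CTL. Entry, CTL, Phone, NewToken, SignCTL, InstallCTL, SetAltTFTP and DeleteCTL are names made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Entry is one record of a Certificate Trust List. A real CTL carries X.509
// certificates; a raw Ed25519 public key stands in for them here (assumption).
type Entry struct {
	Role string            `json:"role"` // "SAST" for a token, "CCM+TFTP" for a server
	Addr string            `json:"addr"` // server IP address, empty for a token
	Key  ed25519.PublicKey `json:"key"`  // token public key, nil for a server
}

// CTL is the entry list plus the signature of the token (SAST) that signed it.
type CTL struct {
	Entries []Entry
	Signer  ed25519.PublicKey
	Sig     []byte // Ed25519 signature over the JSON encoding of Entries
}

var ErrBadSignature = errors.New("CTL signature does not verify")
var ErrUntrustedSigner = errors.New("CTL signer is not a SAST entry of the installed CTL")
var ErrTFTPNotInCTL = errors.New("TFTP address is not in the installed CTL")

// NewToken stands in for a security token: its public half is listed in the CTL, its private half signs it.
func NewToken() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is broken
	}
	return pub, priv
}

// encode is the byte string the signature covers; Marshal cannot fail on strings and byte slices.
func encode(entries []Entry) []byte { b, _ := json.Marshal(entries); return b }

// SignCTL is the CTL client step: serialise the list and sign it with a token.
func SignCTL(entries []Entry, pub ed25519.PublicKey, priv ed25519.PrivateKey) CTL {
	return CTL{Entries: entries, Signer: pub, Sig: ed25519.Sign(priv, encode(entries))}
}

// has looks up an entry by role and, when given, address (servers) or key (tokens).
func (c *CTL) has(role, addr string, key ed25519.PublicKey) bool {
	for _, e := range c.Entries {
		if e.Role == role && (addr == "" || e.Addr == addr) && (key == nil || bytes.Equal(e.Key, key)) {
			return true
		}
	}
	return false
}

// Phone keeps at most one installed CTL, as a real IP phone does.
type Phone struct {
	ctl     *CTL
	altTFTP string
}

// InstallCTL is the phone's trust rule: the signature must verify, and once a CTL
// is installed a replacement must be signed by a token that CTL already lists. With
// no CTL installed the first CTL offered is taken on trust, hence "delete the CTL".
func (p *Phone) InstallCTL(c CTL) error {
	if len(c.Signer) != ed25519.PublicKeySize || !ed25519.Verify(c.Signer, encode(c.Entries), c.Sig) {
		return ErrBadSignature
	}
	if p.ctl != nil && !p.ctl.has("SAST", "", c.Signer) {
		return ErrUntrustedSigner
	}
	p.ctl = &c
	return nil
}

// SetAltTFTP reproduces the "could not save" the poster hit: with a CTL installed, only a listed TFTP address is accepted.
func (p *Phone) SetAltTFTP(addr string) error {
	if p.ctl != nil && !p.ctl.has("CCM+TFTP", addr, nil) {
		return ErrTFTPNotInCTL
	}
	p.altTFTP = addr
	return nil
}

// DeleteCTL is the manual per-phone step from the security guide.
func (p *Phone) DeleteCTL() { p.ctl = nil }

func main() {
	// Constructed addresses: 10.1.1.10 is the CM 4 cluster, 10.2.2.10 the CM 7 cluster.
	oldPub, oldPriv := NewToken()
	var phone Phone
	fmt.Println(phone.InstallCTL(SignCTL([]Entry{{Role: "SAST", Key: oldPub}, {Role: "CCM+TFTP", Addr: "10.1.1.10"}}, oldPub, oldPriv)))
	fmt.Println(phone.SetAltTFTP("10.2.2.10")) // rejected: address not in the CTL
	newPub, newPriv := NewToken()              // "new" tokens; the originals are lost
	newCTL := SignCTL([]Entry{{Role: "SAST", Key: newPub}, {Role: "CCM+TFTP", Addr: "10.2.2.10"}}, newPub, newPriv)
	fmt.Println(phone.InstallCTL(newCTL)) // rejected: signer is not in the installed CTL
	phone.DeleteCTL()
	fmt.Println(phone.InstallCTL(newCTL), phone.SetAltTFTP("10.2.2.10")) // both <nil> now
}
```

Running it walks through the three outcomes the thread describes: the alternate TFTP change is refused because the address is not in the CTL, a CTL signed by fresh tokens is refused because the phone trusts only the token it was originally signed with, and after DeleteCTL the phone takes the new cluster's CTL. The rollover that would have worked had the old tokens survived is a CTL signed by the old token that lists both the new SAST and the new server; once the phone holds that list, the new token can sign on its own.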
Cisco Employee

Thanks for confirming the same Jaime [+5].

Manish
