(1.) Has anyone actually tried the Backup/Restore XML method (under Windows 10) going between different firmware versions?

Unknown options in XML file are ignored. Missing option doesn't cause the configuration file will be rejected. Options are not renamed across firmware versions. Thus XML file created for version A can be used on version B.

(2.) What are the benefits of updating from firmware 1.4.1SR1 to 1.4.1SR5? Does Cisco have a bug/change list?

Read Release Notes of particular version.

Can the service provider passwords be edited into the lines, with a text editor,
<Password_1_ ua="na"/>
<Password_2_ ua="na"/>

Yes, of course. Generic syntax of XML language needs to be honored.

Hi RonZ,

Can you please help with these 3 questions,

(1.) Has anyone actually tried the Backup/Restore XML method (under Windows 10) going between different firmware versions? For example, can config.xml backup files created with "1.4.1SR1" firmware be restored to "1.4.1SR5" without any problem?

First some context since I found the ATA191 naming unclear at first, and I'm relying on the Moderator to correct any errors...

Cisco's ATA strategy seems to have two vectors: a domestic product for individuals and small & medium enterprises, and a corporate product for large organisations which need centralised administration (secure O/S and configuration updates from a server during business hours, unified numbering and functionality, etc.).

The SPA devices have reached end-of-life, and there are now two replacements, the ATA191-MPP for domestic and small-business use, and the ATA191 corporate version which ONLY works with Cisco's provisioning server. The ATA191-MPP "multiplatform" implementation is also, confusingly, sometimes known as the ATA191-3PW-K9; I think "K9" refers to US export laws concerning encryption.

All these flavours can be configured using an XML file, which specifies differences between the factory-default config for a given ATA and changes made by the sysadmin. The old GUI configuration model where saves & restores can be done with .cfg files is completely incompatible AFAIK (see below).

Except where exceptions are specifically noted, I think all Cisco's ATA products have compatible XML syntax which is defined in the appropriate Provisioning guide, so for example:
<DTMF_Relay_MIME_Type ua="na">application/dtmf-relay</DTMF_Relay_MIME_Type>
has the same effect on an SPA112, SPA122, ATA191-MPP, etc.

(2.) What are the benefits of updating from firmware 1.4.1SR1 to 1.4.1SR5? Does Cisco have a bug/change list? Otherwise it might not be worthwhile to update from 1.4.1SR1, since it seems to be working perfectly.

I'd strongly suggest upgrading the firmware to SR5 before doing anything else because that upgrades the embedded-Linux O/S and fixes many security and other bugs in the process; all configuration changes should be preserved because they're stored in a different area of memory.  But first dump the existing configuration in the .cfg format you're familiar with so you can recover from any disasters, then upgrade the O/S to SR5.

When that's done, I'd suggest dumping the existing config as an XML file. Just login as the SPA "admin" as usual and go to <ATA IP address>/admin/config.xml  This XML file can then be saved from the browser's File menu, and you can inspect the result at your leisure.

(3.) I have 2 config files that need to be flipped around and restored every few days. One config file has settings optimized for voice, the other is optimized for FAX. Can the service provider passwords be edited into the lines, with a text editor,
<Password_1_ ua="na"/>
<Password_2_ ua="na"/>
or will something more be needed after each restore?

It's better than that! The bulk of the configuration can be saved in one xml file, say "common.xml".  Then the differences only need to be configured in, say, "Voice.xml" and "FAX.xml".

Alternatively, why not use one FXS interface for FAX and the other for Voice, and configure both just once? You might have to use one service at a time, but you could also just have two numbers, one for each service, even with different providers.

Let's know how you go...

D30

And the short answer to your question:

1.) Has anyone actually tried the Backup/Restore XML method (under Windows 10) going between different firmware versions? For example, can config.xml backup files created with "1.4.1SR1" firmware be restored to "1.4.1SR5" without any problem?

is "yes" I've done exactly that, and I've also configured an ATA191-MPP with an XML configuration from my SPA112.  The only gotcha is that the XML file contains the MAC address and other details from the original device which need to be changed or deleted from the new XML file.

Kompare allows one to select the source (original) & destination (factory default) files and merge each difference into a new configuration file, as required.

D30

Can you please help me with a Restore from a config.xml file.
My SPA122 (firmware 1.4.1SR1) IP Address "192.168.0.113".
Windows 10 laptop already had the "curl" command available in PowerShell.
The config.xml file is in laptop folder c:\swsetup\spa122\ .

I believe this would be the Linux command to Restore.
curl -d @/<path>config.xml "http://192.168.0.113/admin/config.xml"

What is the equivalent using Windows PowerShell?
This did not work in PowerShell,
cd \swsetup\spa122
curl.exe -d config.xml "http://192.168.0.113/admin/config.xml"

I also would appreciate help editing passwords into the config.xml file.

Where do the Login passwords go?
Password for Username admin
Password for Username cisco

<Web_Login_Admin_Name>admin</Web_Login_Admin_Name>
<!-- <Web_Login_Admin_Password></Web_Login_Admin_Password> -->
<Web_Login_Guest_Name>cisco</Web_Login_Guest_Name>
<!-- <Web_Login_Guest_Password></Web_Login_Guest_Password> -->

Password for Line 1 (Localphone):
I assume this password belongs on the Password_1 line where na is.
Should the quotes remain?

<Display_Name_1_ ua="na">Localphone</Display_Name_1_>
<User_ID_1_ ua="na">1234567</User_ID_1_>
<Password_1_ ua="na"/>

Password for Line 2 (Callcentric):
I assume this password belongs on the Password_2 line where na is.

<Display_Name_2_ ua="na">Callcentric</Display_Name_2_>
<User_ID_2_ ua="na">1234567</User_ID_2_>
<Password_2_ ua="na"/>

Thanks for your help...

As mentioned already, generic XML syntax needs to be honored. <!-- ... --> are XML comments. They needs to be removed to make inner content effective. Thus line like

<!-- <Web_Login_Admin_Password></Web_Login_Admin_Password> -->

needs to be changed to

<Web_Login_Admin_Password>MyLoginPassword</Web_Login_Admin_Password>

The second case - <.... /> is XML construct for empty attribute (attribute with no value). Thus line like:

<Password_2_ ua="na"/>

needs to be changed to

<Password_2_ ua="na">MyLine2Password</Password_2_>

Can you please help me with a Restore from a config.xml file.
My SPA122 (firmware 1.4.1SR1) IP Address "192.168.0.113".
Windows 10 laptop already had the "curl" command available in PowerShell.
The config.xml file is in laptop folder c:\swsetup\spa122\ .

I believe this would be the Linux command to Restore.
curl -d @/<path>config.xml "http://192.168.0.113/admin/config.xml"

What is the equivalent using Windows PowerShell?

This did not work in PowerShell,
cd \swsetup\spa122
curl.exe -d config.xml "http://192.168.0.113/admin/config.xml"

The bad news is that I've always had to have a couple of goes before getting it right with the curl method, but it does work. Did PowerShell report a specific error? You'll need to make sure you have 'admin' access to the SPA122 before invoking curl, and you haven't specified whether the system running curl is connected to the main LAN or the local SPA122 LAN port. But assuming no firewall problems:

(a) Log into the ADMIN account using your browser then, before it times out, execute the CLI curl command:

curl -d @/<path>config.xml "http://<ATA>/admin/config.xml"
# curl will return:
<?xml version="1.0"?>
<cif-response>
<head><code>OK</code></head>
</cif-response>

The suntax specified on page‑36 of the Provisioning Guide which includes the ATA access credentials in the URL (&xuser=<username>&xpassword=<password>) doesn’t appear to work here because SPA devices don't support the xuser, xpassword syntax due to a bug;

see

Also refer to Provisioning Guide “Applying a Profile to the IP Telephony Device” page 36.

You then wait for several minutes until the SPA122 lights resume their normal pattern and test.

-------------------------------

I also would appreciate help editing passwords into the config.xml file.

Where do the Login passwords go?
Password for Username admin
Password for Username cisco

<Web_Login_Admin_Name>admin</Web_Login_Admin_Name>
<!-- <Web_Login_Admin_Password></Web_Login_Admin_Password> -->
<Web_Login_Guest_Name>cisco</Web_Login_Guest_Name>
<!-- <Web_Login_Guest_Password></Web_Login_Guest_Password> -->

Password for Line 1 (Localphone):

<Display_Name_1_ ua="na">Localphone</Display_Name_1_>
<User_ID_1_ ua="na">1234567</User_ID_1_>
<Password_1_ ua="na"/>

Password for Line 2 (Callcentric):

<Display_Name_2_ ua="na">Callcentric</Display_Name_2_>
<User_ID_2_ ua="na">1234567</User_ID_2_>
<Password_2_ ua="na"/>

That's right I think, and no quotes are required around the access strings, but editing passwords into the XML file might not be a good idea for security reasons. Interactive passwords are never included when a config is dumped in XML format, and they're not overwritten when loading a config file either AFAIK. Is it really necessary? In any case, there's nothing to prevent you from saving them later using the factory default of admin / admin.

I should be said there are much easier & more secure methods of initiating the download of an XML configuration file, too.

-------------------------------

Cheers, D30

Interactive passwords are never included when a config is dumped in XML format, and they're not overwritten when loading a config file either

Wrong. Passwords can be part of provisioning file. They are just not dumped out.

According security, I assume you are using HTTPS (and you use it properly, e.g. certificates are verified against proper root CA) thus no one can catch passwords on the wire. But as noted in this thread already (few years ago), SPAxxx devices are NOT designed to run in unfriendly environment.

---

@Dan Lukes wrote:

Interactive passwords are never included when a config is dumped in XML format, and they're not overwritten when loading a config file either

Wrong. Passwords can be part of provisioning file. They are just not dumped out.

---

I think that's a little out of context; my understanding is this:

1.   passwords are not included when an XML configuration is downloaded;

2.   current passwords are not overwritten when an XML config is uploaded if the relevant parameter is not explicitly specified (because that's usually bad practice);

3.   but if a password is explicitly specified in an XML config then it will be actioned as you say.

Yes, it's true, although I disagree with "it's bad practice" statement.

XML file contains the MAC address and other details from the original device which need to be changed or deleted from the new XML file.

Options like serial number, MAC address, firmware version, device type and so on are read-only. You can't (re)configure them. Not necessary to remove them.

Attempts to modify option you have no permission to modify, attempts to set unacceptable value for particular option, even attempts to configure option that doesn't exists at all are just ignored - like most of other faults related to the content of provisioning XML file.

Every device have embedded certificate issued by dedicated Cisco CA (one of, there are multiple CA used for the purpose). for example, embedded certificates for SPA1xx are issued by either

/C=US/ST=California/L=San Jose/O=Cisco Small Business/OU=Cisco Small Business Certificate Authority/CN=Cisco Small Business Client Root Authority 1/emailAddress=ciscosb-certadmin@cisco.com

or

/C=US/ST=California/L=San Jose/O=Cisco Small Business/OU=Cisco Small Business Certificate Authority/CN=Cisco Small Business Client Root Authority 2/emailAddress=ciscosb-certadmin@cisco.com

It depends on manufacturing date of SPA112. So of you wish to connect to SPA1xx securely, you need to verify its certificate by one of those root CA keys.

Embedded certificate itself is linked to the particular device by content of certificate subject, but exact format vary by issuing CA. Those two mentioned above for SPA1xx have CN looking like the following one:

SPA112, MAC: CCEF48AA000E, Serial: CBT15000000

so you can use device type and serial and/or MAC to verify particular device against your list of authorized devices. If you do it properly, no unauthorized device (even genuine SPA112 bought by a rogue user) can fetch valid passwords from your server.

David30 and Dan Lukes,

Thank you so very much for your tips and knowedge.

Success! I upgraded my SPA122 to 1.4.1 (SR5). Also have Backup/Restore working to Voice_config.xml and FAX_config.xml.

Much appreciated...

As SPA122 is claimed EoL, you may be interested to know the same will work with it's successor ATA191-MPP. The only difference is that the embedded client certificate are issued by /O=Cisco/CN=Cisco Manufacturing CA SHA2 (which is issued by /O=Cisco/CN=Cisco Root CA M2) and embedded certificate needs to be linked to device by either MAC taken from CN=ATA191-ATA81510321AD03 or by serial taken from serialNumber=PID:ATA191 SN:FCH212D31YW