
CUCM 10.5 migration with BCD Bulk Certificate question

balukr
Level 2

We are migrating one of our customers' CUCM from 8.6 to 10.5 using PCD. Since the customer wants to move this to a new UCS server and move it to the DC, we have to change the hostname and IP address of the servers as well. We finished the migration over the weekend; since we did a network migration with PCD, I didn't do the last step of shutting down the current 8.6 PUB and SUB servers, so it did not pause for Bulk certificate changes. This coming weekend we are cutting them over to the new CUCM, and I'm a little confused on the Bulk Certificate process. Here is what I'm planning to do; let me know if this is going to cause any issues.

1. Migrate the Bulk Certificate Process using this procedure, change the TFTP IP address on the DHCP, and reset the phones from the current CUCM, hoping they will register to the new CUCM. Is this the correct way to do it, or am I missing something here? Please let me know.

Bulk Certificate Management

For information on performing a CTL update, see the "Security basics" section in Cisco Unified Communications Manager Security Guide: http://www.cisco.com/en/US/products/sw/voicesw/ps556/prod_maintenance_guides_list.html

Bulk certificate management must be done manually on both source nodes and destination nodes. Both source nodes and destination nodes must be up and running at this point. Phones are registered with the source nodes.

Follow the steps in the sections below to manage certificates on destination and source nodes.

Procedure


    Step 1  On the Destination Cluster Publisher, navigate to Cisco Unified Operating System Administration and choose Security > Bulk Certificate Management.
    Step 2  Define the Central SFTP server IP address, port, user, password, and directory.
    Step 3  Use the Export button to export all TFTP certificates from the destination cluster to the central SFTP server.
    Step 4  On the Source Cluster Publisher, navigate to Cisco Unified Operating System Administration. Select Security > Bulk Certificate Management.
    Step 5  Define the Central SFTP server with the same parameters used in Step 2.
    Step 6  Click the Export button to export all TFTP certificates from the source cluster to the central SFTP server.
    Step 7  Click the Consolidate button to consolidate all the TFTP certificates on the central SFTP server. This step can be performed on either the source or destination cluster, using the Bulk Certificate Management interface.
    Step 8  On the Source cluster, click the Bulk Certificate Import button to import the TFTP certificates from the central SFTP server.
    Step 9  On the Destination cluster, click the Bulk Certificate Import button to import the TFTP certificates from the central SFTP server.
    Step 10  Use DHCP option 150, or some other method, to point the phones to the new destination cluster TFTP server. Upon reset or power cycle, the phones will download the new destination cluster ITL file and attempt to authenticate the new ITL file signature with the certificates in the existing ITL file. No certificate in the existing ITL file can be used to authenticate the signature, so the phone requests the signer's certificate from the old TVS server on the source cluster. The phone sends this request to the source cluster TVS service on TCP port 2445. The bulk certificate exchange in steps 1 through 9 provides the TVS service in the source cluster with the TFTP certificate on the destination cluster that signed the new ITL file. TVS returns the certificate to the phone, which allows the phone to authenticate the signature and replace the old ITL file with the newly downloaded ITL file. The phone can now download and authenticate the signed configuration files from the new destination cluster.


    Thanks for your help.
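The following is an added example, not part of the original post or of Cisco's documentation. It models the trust decision described in Step 10 with OpenSSL in place of the real ITL, CTL and TVS machinery: each cluster gets a self-signed "TFTP" certificate that signs its ITL, a phone holding the old cluster's ITL is handed the new cluster's ITL, and the only thing that lets it accept the new signature is the old cluster's TVS store having received the new cluster's certificate (the effect of Steps 1 through 9). Cluster names, file names and the `tvs-<cluster>` directory standing in for the TVS certificate store are assumptions of the simulation.

```shell
#!/bin/sh
# Added example (not from this thread or from Cisco): a miniature of the
# phone's ITL trust decision in Step 10, using OpenSSL signatures.
# Cluster names, file names and the "tvs-<cluster>" directory that stands
# in for the TVS certificate store are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cluster NAME: self-signed key pair standing in for the cluster's
# TFTP certificate, the one that signs its ITL file.
make_cluster() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/$1-tftp.key" -out "$WORK/$1-tftp.pem" \
    -subj "/CN=$1-tftp" >/dev/null 2>&1
}

# sign_itl NAME: the cluster publishes its ITL (here reduced to its own
# TFTP certificate) plus a signature made with its TFTP private key.
sign_itl() {
  cp "$WORK/$1-tftp.pem" "$WORK/$1.itl"
  openssl dgst -sha256 -sign "$WORK/$1-tftp.key" \
    -out "$WORK/$1.itl.sig" "$WORK/$1.itl"
}

# verify_with CERT FILE SIG: succeeds only if SIG over FILE verifies under
# the public key carried in CERT.
verify_with() {
  openssl x509 -in "$1" -pubkey -noout > "$WORK/pub.tmp"
  openssl dgst -sha256 -verify "$WORK/pub.tmp" -signature "$3" "$2" >/dev/null 2>&1
}

# bulk_cert_import SRC DST: Steps 1-9 in miniature. After export, consolidate
# and import, the SRC cluster's TVS can hand out DST's TFTP certificate.
bulk_cert_import() {
  mkdir -p "$WORK/tvs-$1"
  cp "$WORK/$2-tftp.pem" "$WORK/tvs-$1/"
}

# phone_boot OLD NEW: a phone still holding OLD's ITL is pointed at NEW by
# DHCP option 150 and downloads NEW's ITL. Returns 0 if it accepts and
# installs the new ITL, 1 if it must keep the old ITL and stay on OLD.
phone_boot() {
  old=$1; new=$2
  # (a) try the certificates already in the existing ITL
  if verify_with "$WORK/$old.itl" "$WORK/$new.itl" "$WORK/$new.itl.sig"; then
    cp "$WORK/$new.itl" "$WORK/phone.itl"; return 0
  fi
  # (b) otherwise ask OLD's TVS (TCP 2445 on a real cluster) for the signer's cert
  for c in "$WORK/tvs-$old"/*.pem; do
    [ -f "$c" ] || continue
    if verify_with "$c" "$WORK/$new.itl" "$WORK/$new.itl.sig"; then
      cp "$WORK/$new.itl" "$WORK/phone.itl"; return 0
    fi
  done
  return 1
}

# Walk-through: source cluster cucm86, destination cluster cucm105.
make_cluster cucm86; make_cluster cucm105
sign_itl cucm86; sign_itl cucm105
if phone_boot cucm86 cucm105; then echo "before bulk exchange: accepted (unexpected)"
else echo "before bulk exchange: new ITL rejected, phone stays on cucm86"; fi
bulk_cert_import cucm86 cucm105
if phone_boot cucm86 cucm105; then echo "after bulk exchange: new ITL accepted via TVS"
else echo "after bulk exchange: rejected (unexpected)"; fi
```

The first `phone_boot` call is the situation Brian Meade describes below: option 150 changed without the certificate exchange, so the phone cannot authenticate the new ITL and keeps the old one. Only after `bulk_cert_import` populates the old cluster's store does the second call succeed, which is why the export, consolidate and import steps have to be finished while the phones can still reach the old cluster's TVS.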

    18 Replies

    Brian Meade
    Level 7

    Make sure to do the export from both clusters and then you only run the consolidate from one cluster.  After that, you import to both clusters.

    Brian,

    Thanks for your quick response. Just to clarify, I have to do this at the time of cutover, before I restart the phones to register to the new CUCM 10.x, correct?

    Thanks for your help again.

    Yea, you need to have this done before you change the TFTP cluster over to the new server or else the phones will just stay registered to the old cluster.

    Thanks again for your quick response.

    Sami Ahmad
    Level 1

    Hi,

    Were you able to successfully complete certificate consolidation on both clusters?

    Did you run into any issues?

    Thanks,

    Sami

    We still had issues. Old phone models had no problems, but all other models had some issues; we ended up changing the CM servers back to the old IP to fix the issue.

    Thanks, you followed the procedure from security guide and still had issues with ITL?

    Did you have TAC troubleshoot on this?

    Could you please specify the phone models you ran into issues with when authenticating to the new cluster.

    I am going to have new SIP phones on the 10.5 cluster and SCCP phones from old cluster.

    Will perform bulk certificate anytime this weekend. Do let me know, your experience.


    Thanks

    Sami

    We were able to successfully migrate phones (7911/41/61/42/62) from 8.0.3 to 10.5.2, with no issues.

    We exported the bulk certs from both clusters, consolidated and then imported in 8.0 cluster.

    Changed DHCP option 150 and then reset all the phones.

    Thanks,
    Sami

    Hi Smiulla,

    When I press the Consolidate button in the old cluster I get the error message "Sftp operation failure".

    I have found that there was a bug with a similar issue: CSCua20054

    somebody know what it is the root cause for this? thanks.

    Regards,

    This may just be SFTP server issues.  What do the logs show on your SFTP server?

    Hi,
    I have tested with freeFTP (windows) and SSH-2.0-OpenSSH_6.7p1 Debian-5
    Attached the log file and sshd_config
    thanks a lot.
    Alberto

    It looks like the log file didn't attach.

    I uploaded it, but the file type was not allowed.

    now, I loaded into zip file.

    thanks.

    Not a lot of detail in the log about which files are being accessed.  You may want to check your directory and file permissions so the SFTP user has Read/Write privileges.
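An added check (not from this thread) that does what the last reply suggests: run it on the SFTP host, logged in as the account configured under Security > Bulk Certificate Management, against the directory given there. Export uploads one file per node into that directory, Consolidate reads them all back and writes the consolidated file into the same place, and Import reads it again, so the probe exercises create, read back, overwrite, list and delete as that user. The directory path and probe file name are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread): verifies that the current user can
# do everything CUCM's export/consolidate/import steps need in DIR.
# The probe file name is an assumption; nothing else is left behind.
check_sftp_dir() {
  dir=$1
  probe="$dir/.cucm-bulk-probe.$$"
  [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
  # create: Export uploads the per-node certificate files here
  echo probe > "$probe" 2>/dev/null || { echo "cannot create files in $dir"; return 1; }
  # read back: Consolidate reads every exported file
  [ "$(cat "$probe")" = probe ] || { echo "cannot read back from $dir"; rm -f "$probe"; return 1; }
  # overwrite: Consolidate writes its output into the same directory
  echo probe2 > "$probe" 2>/dev/null || { echo "cannot overwrite in $dir"; rm -f "$probe"; return 1; }
  # list: the SFTP client enumerates the directory before Consolidate/Import
  ls "$dir" >/dev/null 2>&1 || { echo "cannot list $dir"; rm -f "$probe"; return 1; }
  # delete: leave the directory as found
  rm -f "$probe" 2>/dev/null || { echo "cannot delete in $dir"; return 1; }
  echo "ok: $dir is readable and writable by $(id -un)"
  ls -ld "$dir"
}

# Usage: run as the CUCM SFTP account; the path is a placeholder.
check_sftp_dir /srv/sftp/cucm/certs
```

If the account is chrooted with OpenSSH's ChrootDirectory (as the attached sshd_config may be doing), remember that sshd requires the chroot root itself to be owned by root and not writable by group or others; the directory CUCM writes into therefore has to be a subdirectory below the chroot that is owned or writable by the SFTP user, which is a common reason for a bare "Sftp operation failure" with nothing useful in the CUCM-side log.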