Showing results for 
Search instead for 
Did you mean: 

CUCM 9.0 Token replacement

Dear all,

Any advice about token replacement on CUCM 9.0?

We need replace the token on new Virtual Server CUCM be after upgrade from

Thanks in Advance

Francisco Almeida


We already see this information on security guide:

For all CTL file updates, you must insert one security token that already exists in the CTL file into the USB port. The client validates the signature of the CTL file through this token. You cannot add new tokens until the Cisco CTL Client validates the signature. If you have two USB ports on the workstation or server, do not insert both security tokens at the same time. security guide cucm "

but our old both Token have been replaced by Cisco RMA.

Please advice.

Bets Regards

Francisco Almeida


Helpfull information - Cisco Unified CallManager Security Guide, Release 4.2(3)

Chapter – Troublshooting

Tip Perform the following procedure during a scheduled maintenance window because you must reboot all servers in the cluster for the changes to take effect.

If you lose the security tokens and you need to update the CTL file, perform the following procedure:


Step 1 On every Cisco Unified CallManager, Cisco TFTP, or alternate TFTP server, browse to directory where the file, CTLFile.tlv, exists.

The following location designates the default directory: C:\program files\cisco\tftppath. To identify where you stored the CTL file, locate the File Location service parameter for the TFTP service in the Service Parameters window of Cisco Unified CallManager Administration.

Step 2 Delete CTLFile.tlv.

Step 3 Repeat Step 1 and Step 2 for every Cisco Unified CallManager, Cisco TFTP, and alternate TFTP server.

Step 4 Obtain at least two new security tokens.

Step 5 By using the Cisco CTL client, create the CTL File, as described in "Installing the Cisco CTL Client" section and "Configuring the Cisco CTL Client" section.

Tip If the clusterwide security mode exists in mixed mode, the Cisco CTL client displays the message, "No CTL File exists on the server but the CallManager Cluster Security Mode is in Mixed Mode. For the system to function, you must create the CTL File and set CallManager Cluster to Mixed Mode. Click OK; then, choose Set CallManager Cluster to Mixed Mode and complete the CTL file configuration.

Step 6 After you create the CTL file on all the servers, delete the CTL file from the phone, as described in "Deleting the CTL File on the Cisco Unified IP Phone" section.

Step 7 Reboot all the servers in the cluster.


That's exactly the produce that needs to be followed (+5), when you lose all the tokens or replace them all meaning you are not going to use a token that was originally used to populate the CTL file.


Hi Joe,


Any waysugestion to easy delete CTLFile.tlv on about 500 phones (local and remote)?


Francisco Almeida


I personally think the easiest is to send an email out to all users with the process to delete it from the phone through the settings menu.  There are also 3rd party tools such as which can automate the button presses to all your phones so that you can remotely delete the CTL file.