08-26-2021 10:19 AM
RTMT for our CUCM cluster is sending alerts for ....
%UC_CERT-2-CertValidfor7days: %[Message=Certificate expiration Notification....
I've attached a list in case anyone needs to see (the names of the nodes have been changed).
CUCM version 11.0
cucm1 is pub in a cluster with 4 subs.
Cisco Unified CM Administration > System > Enterprise Parameters > Cluster Security Mode = 0
Cisco CTL Provider and Cisco Certificate Authority Proxy Function on the Publisher are currently active.
I have been looking online for information but then came across conflicting directions and need confirmation.
Am I missing anything or is anything out of order?
08-26-2021 04:26 PM
Generically, you need to review what services are configured or are running, and what certificates are going to expire.
If you're not in mixed mode or using a CTL you don't have to play with it.
The rollback parameter to me says your infrastructure is broken or the prior admin did not understand security by default, and wasn't sure what order to process certificates in.
I'm on mobile and can't review too closely, but no, those steps sound incorrect. There is no need to stop TFTP or delete the trust certificates in my experience. Grab the security guide for your version of the UCM and review its guidance. Perhaps you can then repair SBD and trust lists to improve cluster security.
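As an added example of the "review what certificates are going to expire" step above (my code, not from anyone in this thread or from Cisco): it pulls the certificate a node presents on its TLS web port, extracts notAfter with a minimal DER walk using only the Python standard library (so it runs from an admin jump host with nothing installed), and buckets each node against the 7-day threshold of the CertValidfor7days alert quoted in the original post. The port 8443 choice, the hostnames and the sample certificate are assumptions or constructed inline.

```python
# Added example: inventory the certificate a CUCM node presents over TLS and
# bucket it by days-to-expiry. Standard library only; assumptions are marked.
import socket
import ssl
from datetime import datetime, timedelta, timezone

ALERT_DAYS = 7  # threshold of the CertValidfor7days alert in the thread
# Constructed reference time for the offline sample (the thread's first post).
SAMPLE_NOW = datetime(2021, 8, 26, 10, 19, tzinfo=timezone.utc)


def fetch_cert_der(host, port=8443, timeout=5.0):
    """Return the DER certificate a node's TLS listener presents.
    Assumption: 8443 is the web admin port; other services use other ports.
    Verification is disabled on purpose: we inventory, we do not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _tlv(tag, body):
    """Encode one DER TLV (only used to build the offline sample)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes are the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, body):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) to UTC datetime."""
    s = body.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = f"{2000 + yy if yy < 50 else 1900 + yy}{s[2:]}"   # RFC 5280 pivot
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def not_after_from_der(der):
    """Walk Certificate > tbsCertificate > validity and return notAfter."""
    _, cert, _ = _read_tlv(der, 0)            # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)            # tbsCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)           # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)       # serialNumber
    _, _, pos = _read_tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)           # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)      # validity SEQUENCE
    _, _, after = _read_tlv(validity, 0)      # notBefore (skipped)
    tag, body, _ = _read_tlv(validity, after) # notAfter
    return _parse_time(tag, body)


def classify(not_after, now):
    """Bucket a certificate the way the RTMT alert in the thread does."""
    days = (not_after - now).total_seconds() / 86400
    if days < 0:
        return "expired"
    return "CertValidfor7days" if days <= ALERT_DAYS else "ok"


def sample_not_after(days):
    """Constructed expiry relative to SAMPLE_NOW, for offline runs."""
    return SAMPLE_NOW + timedelta(days=days)


def build_sample_cert(not_after):
    """Constructed, unsigned but structurally valid Certificate DER.
    Empty issuer/subject/SPKI are enough for the validity walk above."""
    def utc(dt):
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                       # v3
    serial = _tlv(0x02, b"\x01")
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _tlv(0x30, utc(not_after - timedelta(days=365)) + utc(not_after))
    empty = _tlv(0x30, b"")
    tbs = _tlv(0x30, version + serial + sig_alg + empty + validity + empty + empty)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))


def triage(node_certs, now):
    """node_certs: {node: der}. Returns {node: (notAfter ISO string, bucket)}."""
    out = {}
    for node, der in node_certs.items():
        na = not_after_from_der(der)
        out[node] = (na.isoformat(), classify(na, now))
    return out


if __name__ == "__main__":
    # Offline demo with a constructed node whose certificate expires in five days.
    for node, (exp, bucket) in triage({"cucm1-sample": build_sample_cert(sample_not_after(5))}, SAMPLE_NOW).items():
        print(f"{node}: notAfter={exp} -> {bucket}")
    # Live use (placeholder hostnames), from a host that can reach the cluster:
    # print(triage({h: fetch_cert_der(h) for h in ["cucm1", "cucm2"]}, datetime.now(timezone.utc)))
```

This only sees the certificate the TLS listener on that port presents (the web/Tomcat one), so treat it as a quick cross-check of the alerts, not the inventory: the per-node list that includes CallManager, CAPF, TVS and ipsec certificates is in Cisco Unified OS Administration > Security > Certificate Management, or `show cert list own` at the CLI, and nothing here tells you whether a CTL needs regenerating.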
08-27-2021 06:10 AM
Adam Pawlowski, if I could ask him why he set "Prepare Cluster for Rollback to pre 8.0 Feature" to True, I would. It was a surprise to me when I came across it. However, I won't be changing any of it until we upgrade and get back under support, just in case there was a real reason it was set this way.
08-27-2021 06:51 AM
When security by default became a thing, it introduced a trust requirement, that phones would have to pick up on new trust lists and be able to verify them with signatures they had, or the trust verification service (which itself must be in the trust list). It introduces the ability to cause trouble with the phones if too many things change at once, without the phones being reset to pick up on them. It also means that if a phone which has been off the system for long enough is connected, it may have to have the trust list erased.
This can manifest itself in a few ways, where a phone's directories stop updating, configuration changes don't apply, or the user may notice they can't select ringers or wallpapers. You could end up in a boat where you'd have to go to the devices and clear the trust list manually, which could be a real pain. UnifiedFX markets a tool that helps you back out of that problem should you find yourself in it. You can also cook up something yourself to do this with the embedded URIs on the phone's webserver to control it.
I can understand the apprehension of such a feature, and why someone may want to set it for fear of breaking things, or perhaps someone deemed a site visit to a phone for repair unacceptable.
Once you go through this process, hopefully you will find that it really isn't all that complicated, and the certificate guide will alert you to actions which may require a CTL to be regenerated, phones to be reset, etc. Largely for me the best thing I can think of is that after reading it, it made it clear that I'd want to do this over a period of time to account for devices which aren't connected presently, and reduce the duration of service disruptions while restarting services.
08-27-2021 08:19 AM - edited 08-27-2021 08:20 AM
@Adam Pawlowski wrote:...
I can understand the apprehension of such a feature, and why someone may want to set it for fear of breaking things, or perhaps someone deemed a site visit to a phone for repair unacceptable....
[lightbulb!] This makes sense! We have about 15 sites and the PC techs at the sites are uncomfortable with troubleshooting phones. If this was a problem in the past then the previous admin might have configured that setting to avoid having to travel out to 15 sites to fix phones.
08-26-2021 10:56 PM
As @Adam Pawlowski pointed out, if you don't use Mixed mode you can disregard the parts about CTL certificates. However these would still be generating alerts, so I recommend you renew them and remove the old ones, as if memory serves me they are not removed automatically.
For any other certificates please have a look at this document that I wrote awhile ago that covers certificate handling in Cisco UC systems. Cisco UC Certificates Renewal Guide
08-27-2021 06:05 AM
That's a better document than the Cisco webpage I found. Thank you.
08-27-2021 07:59 AM
You're very welcome. It's mostly based on generally available document sources, but also incorporates some hard-learned facts from real life experience. Glad you found it useful. :-)