CUCM Cluster mode change from Mixed to Non secure

fgasimzade
Level 4

Hello everyone

 

We have a CUCM cluster 6.1.2 and we have lost the tokens we used to create the CTL.

The problem is that our certificates have expired and there is no way to renew them without the security tokens.

 

Moreover, I have manually regenerated the CallManager.pem certificate, and apparently it has re-signed all configuration files (correct me if I am wrong), and now some of the phones do not accept these configuration files with this error:

877: xxx 17:30:28.895819 SECD: EROR:verifyFile: sgn verify file failed </usr/ram/SEPB4A4E329D635.cnf.xml>, errclass 8, errcode 19 (signer not in CTL)

and register on the subscriber (don't know why).

 

Some of the phones are not able to register (rejected) with Security Mode set to Non secure, and I need to configure them with an LSC, but it looks like if I hard reset the phone, the CTL file on the phone will change and it will not accept the configuration file.

Is there any way to disable this functionality and change the cluster mode from mixed to non-secure or somehow "unsign" the configuration files so the phones could take it?

 

Thank you in advance

1 Accepted Solution

Correct but the phone will reject the new CTL if it isn't signed by the same tokens. That's the problem we have to avoid by deleting the existing CTL on each phone.

18 Replies

Stephen Welsh
Level 4

Hi,

Given the situation you have described I think the simplest thing you can do is delete all the CTL (and probably ITL) files on your phones. As you no longer have access to the security tokens you will ultimately need to remove the CTL files anyway.

I recommend you have a look at PhoneView from UnifiedFX:

Here is a short demo video on managing ITL Files, it's very similar to CTL files:

https://www.youtube.com/watch?v=xSogoIQNYd8&list=PLxsqZcpVKWYNA5v8h9Ee_1D00X59WRaLY

 

Thank you, stephenwelsh

 

Can I change the cluster mode from Mixed to Non secure if I have no tokens? Is it possible with this command:

utils ctl set-cluster non-secure-mode

Will I have to delete the CTL file from the phones manually, or will they receive a new CTL once I go non-secure (an empty CTL in this case)?

The process for doing this is to delete the CTL file from EACH node in the cluster:

file delete tftp CTLFile.tlv

Then restart TFTP on all nodes.

You then want to set all phones to non-secure security profiles and delete all the encrypted security profiles.

You then can run this on the publisher to change the Cluster Security Mode:

run sql update processconfig set paramvalue='0' where paramname='ClusterSecurityMode'

 

 

Check that it took effect:

run sql select paramname,paramvalue from processconfig where paramname = 'ClusterSecurityMode'

 

You can also check under System->Enterprise Parameters

 

You then need to somehow delete the CTLs off of all the phones either manually or in bulk through some sort of tool like PhoneView.  The phones will try to request the CTL after this but it will have been deleted on each node.

 

This isn't the supported process for doing this though.  The supported process is to buy new tokens, delete the old CTL from each node, run the CTL client with the new tokens to put into mixed mode then run CTL client again with the new tokens to switch to non-secure.  My process should achieve the same result though.

 

That "utils ctl set-cluster non-secure-mode" command is for CUCM 10.x only.
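The last step of the procedure above (clearing the stale CTL from every phone) needs a list of which phones are still failing signature checks. The following is an added example, not code from the thread or from Cisco: a small Python parser for phone console log lines in the format quoted in the original post (SECD "sgn verify file failed ... (signer not in CTL)"). It pulls the device name (SEP + MAC) out of the config file path and reports which phones still hold a CTL that does not trust the current signer. The sample log is constructed for illustration; only the first line is the format shown in the thread, and the third line is a constructed unrelated entry to show that it is ignored.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of phone console log lines. Line 1 reproduces the format
# quoted in the original post; lines 2 and 3 are constructed for illustration.
SAMPLE_LOG = """\
877: xxx 17:30:28.895819 SECD: EROR:verifyFile: sgn verify file failed </usr/ram/SEPB4A4E329D635.cnf.xml>, errclass 8, errcode 19 (signer not in CTL)
912: xxx 17:31:02.118233 SECD: EROR:verifyFile: sgn verify file failed </usr/ram/SEP001122334455.cnf.xml>, errclass 8, errcode 19 (signer not in CTL)
913: xxx 17:31:02.120001 INFO: constructed unrelated log entry, should be ignored
"""

# Matches the SECD verifyFile failure line and captures the file path,
# error class/code and the parenthesised reason text.
SECD_FAIL = re.compile(
    r"SECD:\s*EROR:verifyFile:\s*sgn verify file failed\s*<(?P<path>[^>]+)>,\s*"
    r"errclass\s+(?P<errclass>\d+),\s*errcode\s+(?P<errcode>\d+)\s*\((?P<reason>[^)]*)\)"
)
# Phone config files are named SEP<MAC>.cnf.xml, so the MAC is in the path.
MAC_IN_PATH = re.compile(r"SEP(?P<mac>[0-9A-Fa-f]{12})")


@dataclass
class VerifyFailure:
    log_line: int          # 1-based line number within the parsed text
    path: str              # config file the phone refused
    mac: Optional[str]     # phone MAC parsed from the path, if present
    errclass: int
    errcode: int
    reason: str            # text inside the trailing parentheses

    @property
    def stale_ctl(self) -> bool:
        """True when the failure is the 'signer not in CTL' case from the thread."""
        return "not in CTL" in self.reason


def parse_secd_failures(text: str) -> List[VerifyFailure]:
    """Extract every SECD signature-verification failure from console log text."""
    failures = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = SECD_FAIL.search(line)
        if not m:
            continue  # not a SECD verifyFile failure
        mac_match = MAC_IN_PATH.search(m.group("path"))
        failures.append(VerifyFailure(
            log_line=n,
            path=m.group("path"),
            mac=mac_match.group("mac").upper() if mac_match else None,
            errclass=int(m.group("errclass")),
            errcode=int(m.group("errcode")),
            reason=m.group("reason").strip(),
        ))
    return failures


def phones_needing_ctl_reset(text: str) -> List[str]:
    """Device names (SEP+MAC) whose config was rejected because the signer
    is absent from the CTL the phone still holds, sorted and de-duplicated."""
    names = {f"SEP{f.mac}" for f in parse_secd_failures(text) if f.stale_ctl and f.mac}
    return sorted(names)


if __name__ == "__main__":
    for f in parse_secd_failures(SAMPLE_LOG):
        print(f"line {f.log_line}: SEP{f.mac} errcode={f.errcode} reason='{f.reason}'")
    print("phones still holding a stale CTL:", phones_needing_ctl_reset(SAMPLE_LOG))
```

Feed it the console log captured from each phone (or a concatenated export); any device it lists is one that will keep rejecting signed configuration files until its CTL is cleared, which is the case the accepted answer describes.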

Thank you for your reply

 

I have purchased the PhoneView application, but it is not detecting the phones, most probably because the URL Authentication is wrong on my CUCM, and if I change it, I will need to reset all the phones. I am afraid that after a reset the phones will fail to register, and moreover, some of the phones are now registered to the subscriber (since the CTL file on the publisher is corrupted). They register on the subscriber but with a default configuration file (they do not download a real config file with all the configuration) - not sure why they register there, the subscriber has the same CTL as the publisher.

 

If I buy the tokens, and go with the second option, will I need to remove old CTL files from the phones? If I buy new tokens, delete old CTL files from cluster, renew the certificates and CTL and then leave the cluster in MIXED mode, will I have to manually renew CTL on the phones?

 

Either option will require deleting the old CTLs from the phones in some way.  This is why you're supposed to lock up the 2 tokens in separate locations in safes when you put a cluster in mixed-mode.

They were lost by our previous IT people. What I read on the internet is that the phone requests a CTL file when it boots up. I even saw it in the console logs of the phone - it boots up, requests a CTL, compares it to the one it has in its memory and then decides whether to update it or not.

Correct but the phone will reject the new CTL if it isn't signed by the same tokens.  That's the problem we have to avoid by deleting the existing CTL on each phone.

Thank you, Brian!

Dear Brian,

Kind reminder

 

Thank you

Dear Brian,

Is there any way to download the CTL file from CUCM before I delete it?

 

file get tftp CTLFile.tlv

 

If you want to back them up, make sure to download them from each node.  You could also download via a TFTP client.

Thank you! But how can I upload it back if anything goes wrong? I could not find any file upload command

On the OS Admin web page, there's TFTP File Management.

Dear Brian,

 

One more question - when I delete the CTL and change the cluster mode to Non secure, what happens to all the configuration files, which are also signed, I believe?

 

Thank you
