
cucm migration to secure

jack samuel
Level 1

Dears,

I am moving from non-secure mode to secure mode and I need confirmation from you experts before I proceed:

  1. Just upgraded the server from 8.6 to 11.0.
  2. utils ctl set-cluster mixed-mode, applied on both pub and sub (does it restart the server (pub & sub)? Can I do it in office hours? If any one of the servers is rebooted, no issue for me, until and unless the services are up from the subscriber).
  3. Create a device security profile according to the phone model.
  4. In Enterprise Parameters, set "Prepare Cluster for Rollback to pre-8.0" to True. Please confirm this step is needed.
  5. Reset the phones, and the phones will come up with an empty ITL file.
  6. Create a CAPF profile for the phones through Bulk Administration and assign it to the phones.
  7. Assign a device security profile to the phones through Bulk Administration.

Please add if anything is missing.

thanks

8 Replies

Manish Gogna
Cisco Employee

Hi Jack,

All your questions are answered here, with a detailed procedure to convert from a non-secure to a mixed-mode cluster:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html#anc5

It does involve a restart of the TFTP and CallManager services on all nodes of the cluster.

Manish

Dear Manish,

Thanks for the link.

So here is how I will proceed:

utils ctl set-cluster mixed-mode

restart the Cisco Call Manager service and TFTP service from serviceability web page

Device security profile for each model, assigned to the phones through bulk, but I will not reset the phones.

How do I create a CAPF in bulk with an authentication string, and how can I assign these CAPF for 1000 phones? I want to use the authentication string method in CAPF, but things are not clear for me to implement.

thanks

Hi Jack,

A restart of the phones is needed after a restart of the TFTP and CCM services so that the phones can download the CTL file. We need to go by the documented method, otherwise it may create issues on the cluster.

Manish

Dear Manish,

I have restarted the services and reset all phones, and now all phones are with CTL as instructed in the document, but now I am facing the below issue updating all the phones.

When I go into Bulk Administration to update phones with the device security profile and CAPF, and I select those options and click Submit, there is no action on the web page. I tried with multiple browsers. When I remove the CAPF operation tick, the Submit button takes effect. Is there any other way to install CAPF and assign the device security profile for 1000 phones?

I want to know the CAPF certificate validity; how can I find it out?

Also, I have read from the CUCM security guide:

CAPF System Interactions and Requirements

  • All servers in the Cisco Unified Communications Manager cluster must use the same administrator username and password, so CAPF can authenticate to all servers in the cluster.

Which password is the above statement referring to?

Thanks

Dears,

Can anybody help me with the above query?

It seems to work in my lab. Can you share screenshots of which options you are checking on the BAT page, or maybe share a video of the same? The admin usernames and passwords are the ones with which you log in to the CUCM OS admin page.

Manish

Dear Manish,

Thanks for the reply.

Attached is a sample of the CAPF, not the actual one from production.

CUCM version 11.0, Bulk Administration Tool > Phones > Update Phones > Query. Tick only device security profile and Certificate Authority Proxy Function (CAPF) information.

There is one field in CAPF information, "Operation Completes By"; I am entering tomorrow's date for this field. Please correct me if I am wrong.

How can I know the validity of the LSC?

Dears,

Can anybody help me with the above query?

Thanks