How can I validate a security password on CUCM 8.6?

joergwesely
Level 1

Hi all,

We need to check if the security password is documented correctly for a CUCM 8.6 cluster.

Is there a way to validate a given security password, like a CLI command "validate security password"?

The only way I know is setting up a system in the lab and checking if I can restore a backup.

I know I can reset the security password, but that's something I want to avoid because it requires rebooting the servers.

Thank you in advance

Jörg

23 Replies

Jaime Valencia
Cisco Employee

No, there's no way to validate the security pwd.

The only method to see if it's correct or not is what you mention, either do a restore or change it.

HTH

java

If this helps, please rate

www.cisco.com/go/pdihelpdesk

Jaime,

There is a way to validate the password, without changing the password.

I have just tested it. The trick is to reset the password with a new password which is based on a dictionary word!

Example: "cisco123"

 

If the Old password is entered correctly - you will get the following error when you attempt to change the password:

 

"BAD PASSWORD: It is based on a dictionary word"

 

If the old password is incorrect, you will get a different error (as below), and hence you can validate whether your security password is as you suspect or not!

"The old password did not match"

Gerry

 

 

I have confirmed that this procedure works - I needed to verify a cluster security password for a client, and your method did work and I was able to verify the password without changing it.


Thank you for the suggestion!

 

Pete

I know it's an old thread, but I wanted to thank you. I am rolling out a new CUCM environment. I was able to confirm my CUCM security passcode because I was able to add an IMP server. But we're going to add a second CUC server later, so I wanted to confirm the CUC security code before starting to configure it. I found this article, and it worked like a charm.

I tried to validate the security password on CUCM.

I used the command "set password user security" and entered the password which I have at the prompt.

Then it asked me to enter the password; I entered the previous password, and it gave an error that the old and new passwords are the same.

Again used the command set password user security and entered some other word as password, this time also it accepted the password and prompted me to enter new password.

Seems like, this way we can't validate the security password.

"Again used the command set password user security and entered some other word as password, this time also it accepted the password and prompted me to enter new password."

When it prompted you to enter the new password, did you enter the new password or leave the process at that time? I believe you did not, because only if you had would the system have checked the password that you entered the first time after issuing the set password user security command, and it should have issued something like the below, since you entered the wrong password intentionally:

Continue (y/n)?y

Please wait...

The old password did not match.

Secondly, I do not understand why someone would play with it like this in a real environment unless they are facing one of the below issues:

1) If you are going to add the second server to the existing cluster. During this, the system will check if the Security Password matches with the primary node or not. If not, then the DB replication will not come up at all.

2) If the DRS backup was taken of a UCCX system or any other UC system for that matter, then while doing the restore system will ask you to enter the Security Password and if it does not match with the one that was there while the backup was taken then the restore will not go through.

BTW, there is a Password Guess utility available in the platform config file that can be accessed only by TAC using the root of your system if you really want to test your Security Password. However, I would definitely not take the risk of playing with Security Password in a production environment using CLI unless I am facing one of the above issues as mentioned above.

Regards

Deepak

Hi Deepak,

Thanks for the response.

"If the DRS backup was taken of a UCCX system or any other UC system for that matter, then while doing the restore system will ask you to enter the Security Password and if it does not match with the one that was there while the backup was taken then the restore will not go through."

I have been provided with a password, but no one knows whether it is correct or not.

In case it is not correct, the cluster is running at risk, as the backup can't be restored in a DR situation. So I wanted to validate the password.

I have a CUCM, Unity and Presence. Is it possible to try it on a Presence subscriber node to avoid any effect on a production environment? Do all nodes share the same security password?

Hi,

It has to be done on all servers, otherwise they would stop replicating the database. Also, DRS has to run again after changing the security password throughout the cluster.

JB

Every node in a cluster will use the same password, so you are able to test it from any server in that cluster. But we need to define a cluster based on what you were asking.

Unity and CUCM are two completely separate entities. Even though there is a high likelihood that whoever built your system used the same passwords, they didn't necessarily have to. Then on to Presence, it depends on the version. If it's 9 and below, Presence was also its own separate cluster. In version 10 and above, it is part of the CUCM cluster.

Man, your idea is out of this world. Awesome, thank you so much for this wonderful trick. Thanks again, gorourke.

I also just confirmed this works on CUCM 10.5.2:

  1. Log in as platform admin
  2. set password user security
  3. Enter <what you suspect is old password>
  4. Enter "cisco123" as new password
  5. Confirm "cisco123" is new password
  6. When prompted for DRS warning, hit "y"
  7. Wait...
  8. First time my old password was wrong and got "The old password did not match"
  9. Second time my old password was CORRECT and got "BAD PASSWORD: based on a dictionary word"

SUPER HELPFUL! Thanks so much gorourke!

This does work: first time wrong password, second time right password. I used cisco123 as the new password both times.

 

admin:set password user security
Please enter the old password: *************
   Please enter the new password: **
Control-C pressed

admin:set password user security
Please enter the old password: *************
   Please enter the new password: ********
Reenter new password to confirm: ********
WARNING:
The Disaster Recovery System is dependent on this security password you are attempting to change.
If you need to use any of the older backup archive to restore this system, you need to remember the
older security  password. To avoid this scenario, we recommend you to conduct a DRS Backup of your
system/cluster immediately after this password change.
Please make sure that the security password on the publisher is changed first.
The security password needs to be the same on all cluster nodes,
or the publisher and subscriber(s) will not communicate.
After changing the security password on a cluster node, please restart that node.

Continue (y/n)?y

Please wait...

The old password did not match.


###########################################################################
admin:set password user security
Please enter the old password: *****************
   Please enter the new password: ********
Reenter new password to confirm: ********
WARNING:
The Disaster Recovery System is dependent on this security password you are attempting to change.
If you need to use any of the older backup archive to restore this system, you need to remember the
older security password. To avoid this scenario, we recommend you to conduct a DRS Backup of your
system/cluster immediately after this password change.
Please make sure that the security password on the publisher is changed first.
The security password needs to be the same on all cluster nodes,
or the publisher and subscriber(s) will not communicate.
After changing the security password on a cluster node, please restart that node.

Continue (y/n)?y

Please wait...

BAD PASSWORD: it is based on a dictionary word
admin:

Works perfect.
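
For anyone who saves the terminal log while running this check on several nodes, here is an added example (not part of any post in this thread) that classifies each captured `set password user security` attempt by the result strings quoted above. The function names and outcome labels are assumptions made for illustration, and the sample log is constructed and abridged from the sessions posted in the thread.

```python
import re

# Result strings as quoted in this thread (wording varies slightly between posts).
MISMATCH = re.compile(r"old password did not match", re.I)
DICTIONARY = re.compile(r"BAD PASSWORD:.*dictionary word", re.I)
ABORTED = re.compile(r"Control-C pressed", re.I)
COMMAND = "set password user security"


def classify_attempt(text):
    """Map one captured attempt to an outcome label (labels are hypothetical)."""
    if ABORTED.search(text):
        return "aborted"  # session interrupted, nothing was tested
    if MISMATCH.search(text):
        return "old-password-wrong"
    if DICTIONARY.search(text):
        return "old-password-confirmed"  # change rejected, password unchanged
    # Assumption: with neither message present the change may have been
    # applied, so the node needs a manual check.
    return "unknown-review-manually"


def classify_log(log):
    """Split a saved terminal log into attempts and classify each one."""
    attempts = log.split("admin:" + COMMAND)[1:]
    return [classify_attempt(a) for a in attempts]


# Constructed sample log, abridged from the sessions posted above.
SAMPLE_LOG = """\
admin:set password user security
Please enter the old password: *************
   Please enter the new password: **
Control-C pressed

admin:set password user security
Please enter the old password: *************
Continue (y/n)?y
Please wait...
The old password did not match.

admin:set password user security Please enter the old password: ***** Continue (y/n)?y Please wait... BAD PASSWORD: it is based on a dictionary word admin:
"""

if __name__ == "__main__":
    for n, outcome in enumerate(classify_log(SAMPLE_LOG), 1):
        print(n, outcome)
```
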