03-04-2014 03:21 AM - edited 03-16-2019 10:00 PM
Hi,
The company has a Call Manager with 3 nodes on version 6.1.3:
- NODO1: 10.102.224.254
- NODO2: 10.102.224.253
- NODO3: 10.102.239.20
From the OS web interface it can be seen that some certs are going to expire. We have received a warning via e-mail, and on opening the certificates we have checked that the expiration date is near.
This is the security mode configuration:
Service parameters --> Publisher --> Call Manager-->Security Parameters
Cluster Security Mode: 1
CAPF Phone Port: 3804
CAPF Operation Expires in (days): 10
Enable caching: false
Certificates that are going to expire are the following:
CallManager_pem
CallManager_der
CAPF_pem
CAPF_der
CAPF-e09c40eb_pem
CAPF-e09c40eb_der
ipsec_cert_der
ipsec_cert_pem
NODO1_der
NODO1_pem
tomcat_cert_der
tomcat_cert_pem
At the publisher, no ITL file can be seen:
show itl
Executed command unsuccessfully
No valid command entered
There is only a CTL file, and it's the following:
show ctl //Note: in the following output, some digits of the "SIGNATURE" have been replaced with "*", and one name has been changed. Nothing else.
Length of CTL file: 5946
Parse CTL File
--------------
Version: 1.2
HeaderLength: 304 (BYTES)
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
3 SIGNERID 2 117
4 SIGNERNAME 56
5 SERIALNUMBER 10
6 CANAME 42
7 SIGNATUREINFO 2 15
8 DIGESTALGORTITHM 1
9 SIGNATUREALGOINFO 2 8
10 SIGNATUREALGORTITHM 1
11 SIGNATUREMODULUS 1
12 SIGNATURE 128
14 FILENAME 12
15 TIMESTAMP 4
CTL Record #:1
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1186
2 DNSNAME 1
3 SUBJECTNAME 56 cn="SAST-ADN597e8314 ";ou=IPCBU;o="Cisco Systems
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 42 cn=Cisco Manufacturing CA;o=Cisco Systems
6 ISSUERNAME 10
7 PUBLICKEY 140
9 CERTIFICATE 902
10 IPADDRESS 4
This etoken was not used to sign the CTL file.
CTL Record #:2
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1180
2 DNSNAME 1
3 SUBJECTNAME 56 cn="SAST-ADN592dfe14 ";ou=IPCBU;o="Cisco Systems
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 42 cn=Cisco Manufacturing CA;o=Cisco Systems
6 ISSUERNAME 10
7 PUBLICKEY 141
9 CERTIFICATE 895
10 IPADDRESS 4
This etoken was used to sign the CTL file.
CTL Record #:3
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 765
2 DNSNAME 15 10.102.224.253
3 SUBJECTNAME 13 cn=NODO2
4 FUNCTION 2 CCM+TFTP
5 ISSUERNAME 13 cn=NODO2
6 ISSUERNAME 8
7 PUBLICKEY 140
9 CERTIFICATE 541
10 IPADDRESS 4
CTL Record #:4
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 765
2 DNSNAME 15 10.102.224.254
3 SUBJECTNAME 13 cn=NODO1
4 FUNCTION 2 CCM+TFTP
5 ISSUERNAME 13 cn=NODO1
6 ISSUERNAME 8
7 PUBLICKEY 140
9 CERTIFICATE 541
10 IPADDRESS 4
CTL Record #:5
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 982
2 DNSNAME 15 10.102.224.254
3 SUBJECTNAME 43 cn=CAPF-e09c40eb;ou=AREA TIC;o=NOMBREX
4 FUNCTION 2 CAPF
5 ISSUERNAME 43 cn=CAPF-e09c40eb;ou=AREA TIC;o=NOMBREX
6 ISSUERNAME 8
7 PUBLICKEY 140
9 CERTIFICATE 698
10 IPADDRESS 4
CTL Record #:6
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 764
2 DNSNAME 14 10.102.239.20
3 SUBJECTNAME 13 cn=NODO3
4 FUNCTION 2 CCM+TFTP
5 ISSUERNAME 13 cn=NODO3
6 ISSUERNAME 8
7 PUBLICKEY 140
9 CERTIFICATE 541
10 IPADDRESS 4
The CTL file was verified successfully.
*******************
Certificates at publisher are the following:
admin:show cert list own
tomcat
ipsec
CallManager
CAPF
admin:show cert list
ipsec-trust/NODO1.pem
ipsec-trust/NODO1.der
ipsec-trust/c92d8a04.0
CallManager-trust/CAP-RTP-001.pem
CallManager-trust/CAP-RTP-002.pem
CallManager-trust/Cisco_Manufacturing_CA.pem
CallManager-trust/Cisco_Root_CA_2048.pem
CallManager-trust/a0440f4c.0
CallManager-trust/a69d2e04.0
CallManager-trust/f7a74b2c.0
CallManager-trust/dcc12642.0
CallManager-trust/0d40b14e.0
CallManager-trust/CAPF-7EC94D72.pem
CallManager-trust/CAPF-97FA3FDE.pem
CallManager-trust/CAPF-e09c40eb.pem
CallManager-trust/3e92ebd9.0
CallManager-trust/8eb380b0.0
CAPF-trust/CAP-RTP-001.pem
CAPF-trust/CAP-RTP-002.pem
CAPF-trust/Cisco_Manufacturing_CA.pem
CAPF-trust/Cisco_Root_CA_2048.pem
CAPF-trust/a0440f4c.0
CAPF-trust/a69d2e04.0
CAPF-trust/f7a74b2c.0
CAPF-trust/CAPF.der
CAPF-trust/CAPF.pem
CAPF-trust/dcc12642.0
CAPF-trust/8eb380b0.0
admin:utils service list
Requesting service status, please wait...
System SSH [STARTED]
Cluster Manager [STARTED]
Service Manager is running
Getting list of all services
>> Return code = 0
A Cisco DB[STARTED]
A Cisco DB Replicator[STARTED]
Cisco AMC Service[STARTED]
Cisco AXL Web Service[STARTED]
Cisco Bulk Provisioning Service[STARTED]
Cisco CAR Scheduler[STARTED]
Cisco CAR Web Service[STARTED]
Cisco CDP[STARTED]
Cisco CDP Agent[STARTED]
Cisco CDR Agent[STARTED]
Cisco CDR Repository Manager[STARTED]
Cisco CTIManager[STARTED]
Cisco CTL Provider[STARTED]
Cisco CallManager[STARTED]
Cisco CallManager Admin[STARTED]
Cisco CallManager Attendant Console Server[STARTED]
Cisco CallManager Cisco IP Phone Services[STARTED]
Cisco CallManager Personal Directory[STARTED]
Cisco CallManager SNMP Service[STARTED]
Cisco CallManager Serviceability[STARTED]
Cisco CallManager Serviceability RTMT[STARTED]
Cisco Certificate Authority Proxy Function[STARTED]
Cisco Certificate Expiry Monitor[STARTED]
Cisco DRF Local[STARTED]
Cisco DRF Master[STARTED]
Cisco Database Layer Monitor[STARTED]
Cisco Dialed Number Analyzer[STARTED]
Cisco DirSync[STARTED]
Cisco Extended Functions[STARTED]
Cisco Extension Mobility Application[STARTED]
Cisco IP Manager Assistant[STARTED]
Cisco IP Voice Media Streaming App[STARTED]
Cisco License Manager[STARTED]
Cisco Log Partition Monitoring Tool[STARTED]
Cisco RIS Data Collector[STARTED]
Cisco RTMT Reporter Servlet[STARTED]
Cisco SOAP - CDRonDemand Service[STARTED]
Cisco Serviceability Reporter[STARTED]
Cisco Syslog Agent[STARTED]
Cisco Tftp[STARTED]
Cisco Tomcat[STARTED]
Cisco Tomcat Stats Servlet[STARTED]
Cisco Trace Collection Service[STARTED]
Cisco Trace Collection Servlet[STARTED]
Cisco UXL Web Service[STARTED]
Cisco WebDialer Web Service[STARTED]
Host Resources Agent[STARTED]
MIB2 Agent[STARTED]
Native Agent Adapter[STARTED]
SNMP Master Agent[STARTED]
SOAP -Log Collection APIs[STARTED]
SOAP -Performance Monitoring APIs[STARTED]
SOAP -Real-Time Service APIs[STARTED]
System Application Agent[STARTED]
Cisco DHCP Monitor Service[STOPPED] Service Not Activated
Cisco Extension Mobility[STOPPED] Service Not Activated
Cisco Messaging Interface[STOPPED] Service Not Activated
Cisco TAPS Service[STOPPED] Service Not Activated
Cisco Unified Mobile Voice Access Service[STOPPED] Service Not Activated
Primary Node =true
admin:
*****
Security profile, e.g. for a CP-7960
-Phone Security Profile Info
Device Protocol: SCCP
Name: SP_7960_Encriptado
Description: Migrated Profile: Sec_mode 3 Auth_mode 2
Device Security Mode: Encrypted
-Phone Security profile CAPF Info
Authentication mode: By null string
Key Size: 1024
*****
On this forum, it says that for versions 5.x to 7.x I simply have to regenerate the certificates:
These are the doubts I have:
- Is it necessary to regenerate any certificate in the first place? If so, what is the process I should follow for each certificate?
- Is it necessary to restart any service before regenerating the certificates? For version 8.0 and higher, I saw that it's necessary to restart the TFTP and Call Manager services.
- After regenerating the certificates, is it necessary to create a new CTL file? If so, do I need the two tokens we used to create the CTL file at the beginning?
- Regarding the CAPF certificate: do I need to push the LSC certificates to the phones, or do I just need to reset the phones to do so?
Thank you in advance!
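As an added example (not part of the original post, and not a Cisco tool), the following script parses the text layout of a CUCM "show ctl" listing like the one above to answer two of the questions a defender asks before touching the CTL: which SAST eToken signed the file (the one needed to re-sign it) and whether every cluster node has a CCM+TFTP record. The sample input is constructed to mirror the post's format with the long hex fields dropped; the record layout it assumes is the one visible in the post.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of CUCM 6.x "show ctl" output (abbreviated;
# hex dumps and length-only fields dropped). Not output from the original post.
SAMPLE_CTL = """\
CTL Record #:1
3 SUBJECTNAME 56 cn="SAST-ADN597e8314 ";ou=IPCBU;o="Cisco Systems
4 FUNCTION 2 System Administrator Security Token
This etoken was not used to sign the CTL file.
CTL Record #:2
3 SUBJECTNAME 56 cn="SAST-ADN592dfe14 ";ou=IPCBU;o="Cisco Systems
4 FUNCTION 2 System Administrator Security Token
This etoken was used to sign the CTL file.
CTL Record #:3
2 DNSNAME 15 10.102.224.253
3 SUBJECTNAME 13 cn=NODO2
4 FUNCTION 2 CCM+TFTP
CTL Record #:4
2 DNSNAME 15 10.102.224.254
3 SUBJECTNAME 43 cn=CAPF-e09c40eb;ou=AREA TIC;o=NOMBREX
4 FUNCTION 2 CAPF
The CTL file was verified successfully.
"""

Record = namedtuple("Record", "number function subject dnsname signed")
FIELDS = {"DNSNAME": "dnsname", "SUBJECTNAME": "subject", "FUNCTION": "function"}

def parse_ctl(text):
    """Turn 'show ctl' text into Records; signed=True marks the SAST that signed the file."""
    records = []
    for line in text.splitlines():
        m = re.match(r"CTL Record #:(\d+)", line)
        if m:  # start of a new record
            records.append({"number": int(m.group(1)), "function": "",
                            "subject": "", "dnsname": "", "signed": False})
            continue
        if not records:  # header section before the first record
            continue
        m = re.match(r"\d+ (DNSNAME|SUBJECTNAME|FUNCTION) \d+\s*(.*)", line)
        if m:
            records[-1][FIELDS[m.group(1)]] = m.group(2).strip()
        elif line.startswith("This etoken was used to sign"):
            records[-1]["signed"] = True
    return [Record(**r) for r in records]

def signing_token(records):
    """CN of the SAST eToken that signed the CTL: the token needed to sign an updated CTL."""
    for r in records:
        if r.function == "System Administrator Security Token" and r.signed:
            return re.search(r'cn="?([^";]+?)\s*"?;', r.subject).group(1)
    return None

def nodes_missing_ccm_tftp(records, node_ips):
    """Cluster node IPs with no CCM+TFTP record: phones would not trust those servers."""
    present = {r.dnsname for r in records if r.function == "CCM+TFTP"}
    return sorted(set(node_ips) - present)
```

Run it against a full "show ctl" capture; in the post's own listing the signing token is the second SAST record and all three node IPs carry CCM+TFTP entries.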