03-04-2014 03:21 AM - edited 03-16-2019 10:00 PM
Hi,
The company has a Call Manager with 3 nodes on version 6.1.3:
- NODO1: 10.102.224.254
- NODO2: 10.102.224.253
- NODO3: 10.102.239.20
From the OS Administration web page it can be seen that some certs are going to expire. We have received a warning via e-mail, and we have checked, by opening the certificates, that the expiration date is about to arrive.
This is the security mode configuration:
Service parameters --> Publisher --> Call Manager-->Security Parameters
Cluster Security Mode: 1
CAPF Phone port:3804
CAPF Operation expires in (days):10
Enable caching: false
Certificates that are going to expire are the following:
CallManager_pem
CallManager_der
CAPF_pem
CAPF_der
CAPF-e09c40eb_pem
CAPF-e09c40eb_der
ipsec_cert_der
ipsec_cert_pem
NODO1_der
NODO1_pem
tomcat_cert_der
tomcat_cert_pem
At the publisher, no ITL file can be seen:
show itl
Executed command unsuccessfully
No valid command entered
There is only a CTL file, and it's the following:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.02.19 17:47:46 =~=~=~=~=~=~=~=~=~=~=~=
show ctl //Note: in the following file, some digits of the "SIGNATURE" have been replaced with "*", and some names. Nothing else.
Length of CTL file: 5946
Parse CTL File
--------------
Version: 1.2
HeaderLength: 304 (BYTES)
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
3 SIGNERID 2 117
4 SIGNERNAME 56
5 SERIALNUMBER 10
6 CANAME 42
7 SIGNATUREINFO 2 15
8 DIGESTALGORTITHM 1
9 SIGNATUREALGOINFO 2 8
10 SIGNATUREALGORTITHM 1
11 SIGNATUREMODULUS 1
12 SIGNATURE 128
14 FILENAME 12
15 TIMESTAMP 4
CTL Record #:1
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1186
2 DNSNAME 1
3 SUBJECTNAME 56 cn="SAST-ADN597e8314 ";ou=IPCBU;o="Cisco Systems
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 42 cn=Cisco Manufacturing CA;o=Cisco Systems
6 ISSUERNAME 10
7 PUBLICKEY 140
9 CERTIFICATE 902
10 IPADDRESS 4
This etoken was not used to sign the CTL file.
CTL Record #:2
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1180
2 DNSNAME 1
3 SUBJECTNAME 56 cn="SAST-ADN592dfe14 ";ou=IPCBU;o="Cisco Systems
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 42 cn=Cisco Manufacturing CA;o=Cisco Systems
6 ISSUERNAME 10
7 PUBLICKEY 141
9 CERTIFICATE 895
10 IPADDRESS 4
This etoken was used to sign the CTL file.
CTL Record #:3
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 765
2 DNSNAME 15 10.102.224.253
3 SUBJECTNAME 13 cn=NODO2
4 FUNCTION 2 CCM+TFTP
5 ISSUERNAME 13 cn=NODO2
6 ISSUERNAME 8
7 PUBLICKEY 140
9 CERTIFICATE 541
10 IPADDRESS 4
CTL Record #:4
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 765
2 DNSNAME 15 10.102.224.254
3 SUBJECTNAME 13 cn=NODO1
4 FUNCTION 2 CCM+TFTP
5 ISSUERNAME 13 cn=NODO1
6 ISSUERNAME 8
7 PUBLICKEY 140
9 CERTIFICATE 541
10 IPADDRESS 4
CTL Record #:5
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 982
2 DNSNAME 15 10.102.224.254
3 SUBJECTNAME 43 cn=CAPF-e09c40eb;ou=AREA TIC;o=NOMBREX
4 FUNCTION 2 CAPF
5 ISSUERNAME 43 cn=CAPF-e09c40eb;ou=AREA TIC;o=NOMBREX
6 ISSUERNAME 8
7 PUBLICKEY 140
9 CERTIFICATE 698
10 IPADDRESS 4
CTL Record #:6
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 764
2 DNSNAME 14 10.102.239.20
3 SUBJECTNAME 13 cn=NODO3
4 FUNCTION 2 CCM+TFTP
5 ISSUERNAME 13 cn=NODO3
6 ISSUERNAME 8
7 PUBLICKEY 140
9 CERTIFICATE 541
10 IPADDRESS 4
The CTL file was verified successfully.
*******************
Certificates at publisher are the following:
admin:show cert list own
tomcat
ipsec
CallManager
CAPF
admin:show cert list
ipsec-trust/NODO1.pem
ipsec-trust/NODO1.der
ipsec-trust/c92d8a04.0
CallManager-trust/CAP-RTP-001.pem
CallManager-trust/CAP-RTP-002.pem
CallManager-trust/Cisco_Manufacturing_CA.pem
CallManager-trust/Cisco_Root_CA_2048.pem
CallManager-trust/a0440f4c.0
CallManager-trust/a69d2e04.0
CallManager-trust/f7a74b2c.0
CallManager-trust/dcc12642.0
CallManager-trust/0d40b14e.0
CallManager-trust/CAPF-7EC94D72.pem
CallManager-trust/CAPF-97FA3FDE.pem
CallManager-trust/CAPF-e09c40eb.pem
CallManager-trust/3e92ebd9.0
CallManager-trust/8eb380b0.0
CAPF-trust/CAP-RTP-001.pem
CAPF-trust/CAP-RTP-002.pem
CAPF-trust/Cisco_Manufacturing_CA.pem
CAPF-trust/Cisco_Root_CA_2048.pem
CAPF-trust/a0440f4c.0
CAPF-trust/a69d2e04.0
CAPF-trust/f7a74b2c.0
CAPF-trust/CAPF.der
CAPF-trust/CAPF.pem
CAPF-trust/dcc12642.0
CAPF-trust/8eb380b0.0
admin:utils service list
Requesting service status, please wait...
System SSH [STARTED]
Cluster Manager [STARTED]
Service Manager is running
Getting list of all services
>> Return code = 0
A Cisco DB[STARTED]
A Cisco DB Replicator[STARTED]
Cisco AMC Service[STARTED]
Cisco AXL Web Service[STARTED]
Cisco Bulk Provisioning Service[STARTED]
Cisco CAR Scheduler[STARTED]
Cisco CAR Web Service[STARTED]
Cisco CDP[STARTED]
Cisco CDP Agent[STARTED]
Cisco CDR Agent[STARTED]
Cisco CDR Repository Manager[STARTED]
Cisco CTIManager[STARTED]
Cisco CTL Provider[STARTED]
Cisco CallManager[STARTED]
Cisco CallManager Admin[STARTED]
Cisco CallManager Attendant Console Server[STARTED]
Cisco CallManager Cisco IP Phone Services[STARTED]
Cisco CallManager Personal Directory[STARTED]
Cisco CallManager SNMP Service[STARTED]
Cisco CallManager Serviceability[STARTED]
Cisco CallManager Serviceability RTMT[STARTED]
Cisco Certificate Authority Proxy Function[STARTED]
Cisco Certificate Expiry Monitor[STARTED]
Cisco DRF Local[STARTED]
Cisco DRF Master[STARTED]
Cisco Database Layer Monitor[STARTED]
Cisco Dialed Number Analyzer[STARTED]
Cisco DirSync[STARTED]
Cisco Extended Functions[STARTED]
Cisco Extension Mobility Application[STARTED]
Cisco IP Manager Assistant[STARTED]
Cisco IP Voice Media Streaming App[STARTED]
Cisco License Manager[STARTED]
Cisco Log Partition Monitoring Tool[STARTED]
Cisco RIS Data Collector[STARTED]
Cisco RTMT Reporter Servlet[STARTED]
Cisco SOAP - CDRonDemand Service[STARTED]
Cisco Serviceability Reporter[STARTED]
Cisco Syslog Agent[STARTED]
Cisco Tftp[STARTED]
Cisco Tomcat[STARTED]
Cisco Tomcat Stats Servlet[STARTED]
Cisco Trace Collection Service[STARTED]
Cisco Trace Collection Servlet[STARTED]
Cisco UXL Web Service[STARTED]
Cisco WebDialer Web Service[STARTED]
Host Resources Agent[STARTED]
MIB2 Agent[STARTED]
Native Agent Adapter[STARTED]
SNMP Master Agent[STARTED]
SOAP -Log Collection APIs[STARTED]
SOAP -Performance Monitoring APIs[STARTED]
SOAP -Real-Time Service APIs[STARTED]
System Application Agent[STARTED]
Cisco DHCP Monitor Service[STOPPED] Service Not Activated
Cisco Extension Mobility[STOPPED] Service Not Activated
Cisco Messaging Interface[STOPPED] Service Not Activated
Cisco TAPS Service[STOPPED] Service Not Activated
Cisco Unified Mobile Voice Access Service[STOPPED] Service Not Activated
Primary Node =true
admin:
*****
Security profile, e.g. for a CP-7960
-Phone Security Profile Info
Device Protocol: SCCP
Name: SP_7960_Encriptado
Description: Migrated Profile: Sec_mode 3 Auth_mode 2
Device Security Mode: Encrypted
-Phone Security profile CAPF Info
Authentication mode: By null string
Key Size: 1024
*****
In this forum, it says that for versions 5.x to 7.x I simply have to regenerate the certificates:
These are the doubts I have:
- Is it necessary to regenerate any certificate in the first place? If so, what are the steps I should follow for each certificate?
- Is it necessary to restart any service before regenerating the certificates? For version 8.0 and higher, I saw that it's necessary to restart the TFTP and Call Manager services.
- After regenerating the certificates, is it necessary to create a new CTL file? If so, do I need the two tokens we used to create the CTL file at the beginning?
- Regarding the CAPF certificate: do I need to push the LSC certificates to the phones? Or do I just need to reset the phones to do so?
Thank you in advance!
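A small parser for the show ctl listing above, added here as an example that is not from the post or from Cisco: it reads the records, identifies which SAST token signed the CTL (the one that would be needed to re-sign it), and lists the entries that go stale when a node's CallManager cert or the CAPF cert is regenerated. The sample input is a constructed, abridged copy of the listing, and the function names are my own.

```python
import re
# Constructed sample: an abridged copy of the "show ctl" layout from the post.
SAMPLE_CTL = """\
CTL Record #:1
3 SUBJECTNAME 56 cn="SAST-ADN597e8314 ";ou=IPCBU;o="Cisco Systems
4 FUNCTION 2 System Administrator Security Token
This etoken was not used to sign the CTL file.
CTL Record #:2
3 SUBJECTNAME 56 cn="SAST-ADN592dfe14 ";ou=IPCBU;o="Cisco Systems
4 FUNCTION 2 System Administrator Security Token
This etoken was used to sign the CTL file.
CTL Record #:3
2 DNSNAME 15 10.102.224.253
3 SUBJECTNAME 13 cn=NODO2
4 FUNCTION 2 CCM+TFTP
CTL Record #:4
2 DNSNAME 15 10.102.224.254
3 SUBJECTNAME 43 cn=CAPF-e09c40eb;ou=AREA TIC;o=NOMBREX
4 FUNCTION 2 CAPF
"""
# One "BYTEPOS TAG LENGTH VALUE" line of the listing; VALUE may be empty.
FIELD = re.compile(r"^\s*\d+\s+([A-Z]+)\s+\d+\s*(.*)$")

def cn_of(subject):
    """Pull the CN out of a subject like cn="SAST-ADN592dfe14 ";ou=IPCBU."""
    m = re.search(r'cn="?([^";]*?)\s*"?(?:;|$)', subject)
    return m.group(1) if m else subject

def parse_ctl(text):
    """Turn the textual 'show ctl' listing into one dict per CTL record."""
    records = []
    for chunk in re.split(r"^CTL Record #:\d+\s*$", text, flags=re.M)[1:]:
        rec = {"SIGNER": "no"}  # flipped to "yes" on the token that signed the CTL
        for line in chunk.splitlines():
            if line.startswith("This etoken was used to sign"):
                rec["SIGNER"] = "yes"
            m = FIELD.match(line)
            if m and m.group(2):
                rec[m.group(1)] = m.group(2).strip()
        records.append(rec)
    return records

def signing_token(records):
    """CN of the SAST token that signed this CTL; the same token is needed to re-sign it."""
    return next((cn_of(r["SUBJECTNAME"]) for r in records if r["SIGNER"] == "yes"), None)

def records_affected_by(records, regenerated):
    """CTL entries that go stale when the named certs (node CallManager or CAPF) are regenerated."""
    wanted = {cn.lower() for cn in regenerated}
    return [(r.get("DNSNAME", ""), cn_of(r["SUBJECTNAME"]), r["FUNCTION"])
            for r in records if cn_of(r["SUBJECTNAME"]).lower() in wanted]
```

Because the CTL carries each node's CallManager certificate and the CAPF certificate, any non-empty result from records_affected_by means the CTL has to be rebuilt and re-signed with the token reported by signing_token before phones will trust the new certificates.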