
IP Phones ITL Certificate verification

JAMES WEST
Level 1

Good afternoon everyone.

We have recently gone through an upgrade on CUCM from version 8.6 to version 10.5. Everything is working as expected, but I am looking for clarification as to the ITL file installed on the phone, and how to cross reference this against the CUCM.

I have been reading Jason Burn's excellent doc, but when I look at my CERTs installed on CUCM, against the ITL file on the phone they do not match. I have this on both our Production CUCM servers, and our DEV test servers.

I thought that the Phone downloaded the CERT from the CallManager.PEM cert and this could be cross-referenced via the CLI on the CUCM server with the (show itl) command.

Phone Status Message:

15:44:33 Trust List Updated
15:44:34 SEP34DBFDCC577A.cnf.xml.sgn(HTTP)

Show itl command from DEV Server:

BYTEPOS TAG             LENGTH  VALUE
------- ---             ------  -----
1       RECORDLENGTH    2       1211
2       DNSNAME         2
3       SUBJECTNAME     81      CN=app-d-cucm01.domain.com;OU=Systems;O=ABC;L=Office;ST=New;C=GB
4       FUNCTION        2       System Administrator Security Token
5       ISSUERNAME      81      CN=app-d-cucm01.domain.com;OU=Systems;O=ABC;L=Office;ST=New;C=GB
6       SERIALNUMBER    16      6A:38:83:6D:F6:E4:E4:1A:EC:BF:F4:7E:D3:DC:B3:17
7       PUBLICKEY       140
8       SIGNATURE       128
9       CERTIFICATE     732     E2 7E D7 E8 0A 05 52 D9 CC E2 CB 80 4E E2 B1 8F 05 17 93 25 (SHA1 Hash HEX)
This etoken was used to sign the ITL file

ITL file on the phone is - 93 C9 6D E8.......

Thanks and best regards,

James

Accepted Solutions

Rob Huffman
Hall of Fame

Hi James,

Maybe you are hitting this bug;

ITL MD5 or SHA1 value changes whenever you restart TFTP Service
CSCuw12959
Symptom:
CUCM version 10.5.2.11900-3
Tested in lab -- results
show itl on TFTP --
admin:show itl
The checksum value of the ITL file:
70ec842d09ada54add46e0a59dea4f6c(MD5)
3c899ae5580459c7397884a2b1a74a184ef12c34(SHA1)
Restart TFTP Service -- show itl on TFTP -- with different SHA 1 or MD5 value even though no change in certificate
admin:show itl
The checksum value of the ITL file:
a9fc299d7e3b944377bda84fcc4d0411(MD5)
60818f8ab0e834b8af27be205a76187b7a8efe67(SHA1)
Now we need to reset or restart the Phone to make the ITL file match.
I don't think this is right behavior --
ITL file change algorithm needs to check if there has been a certificate change and then restarting TFTP service should change these values -- else not.

Conditions:
CUCM Version 10.5.2

Workaround:
None
Cheers!
Rob


2 Replies

Hi Rob,

Thanks for the feedback. I have restarted the TFTP service, and then reset the Cisco phone, and the ITL File changes once the above have been restarted.

Is there a way to cross reference the Callmanager.PEM CERT against the file installed on the phone, as none of the Production or Dev phones seem to have the same settings as the CERTs installed on CUCM?

Regards,

James
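
An added example, not part of the original thread and not Cisco tooling: a short Python script that takes a pasted `show itl` capture and reports which field a hex value read from the phone's screen lines up with, the whole-file checksum or a record's certificate hash. The sample capture is constructed from the two output shapes quoted in the posts above, and the function names are hypothetical.

```python
import re

# Constructed sample: excerpts of `show itl` output in the two shapes quoted in this thread.
SAMPLE_SHOW_ITL = """\
The checksum value of the ITL file:
70ec842d09ada54add46e0a59dea4f6c(MD5)
3c899ae5580459c7397884a2b1a74a184ef12c34(SHA1)
3       SUBJECTNAME     81      CN=app-d-cucm01.domain.com;OU=Systems;O=ABC;L=Office;ST=New;C=GB
4       FUNCTION        2       System Administrator Security Token
9       CERTIFICATE     732     E2 7E D7 E8 0A 05 52 D9 CC E2 CB 80 4E E2 B1 8F 05 17 93 25 (SHA1 Hash HEX)
"""

FILE_SUM = re.compile(r"^\s*([0-9a-fA-F]{32}|[0-9a-fA-F]{40})\((MD5|SHA1)\)\s*$")
CERT_ROW = re.compile(r"^\s*\d+\s+CERTIFICATE\s+\d+\s+((?:[0-9A-Fa-f]{2} ?)+)\(SHA1 Hash HEX\)")
SUBJ_ROW = re.compile(r"^\s*\d+\s+SUBJECTNAME\s+\d+\s+(\S.*)$")

def normalize(hex_text):
    """Drop spaces, colons and trailing dots; lower-case the hex digits."""
    return re.sub(r"[^0-9a-fA-F]", "", hex_text).lower()

def parse_show_itl(text):
    """Return (label, digest) pairs: the ITL file checksums and each record's certificate hash."""
    digests, subject = [], None
    for line in text.splitlines():
        if m := FILE_SUM.match(line):
            digests.append((f"ITL file checksum ({m.group(2)})", m.group(1).lower()))
        elif m := SUBJ_ROW.match(line):
            subject = m.group(1).split(";")[0]  # keep only the CN= component as the label
        elif m := CERT_ROW.match(line):
            digests.append((f"certificate hash of {subject}", normalize(m.group(1))))
    return digests

def match_phone_value(phone_value, show_itl_text, min_digits=8):
    """List the show itl fields whose digest starts with the (possibly truncated) phone value."""
    wanted = normalize(phone_value)
    if len(wanted) < min_digits:
        raise ValueError("too few hex digits to compare")
    return [label for label, d in parse_show_itl(show_itl_text) if d.startswith(wanted)]

if __name__ == "__main__":
    for value in ("3C 89 9A E5 58 04", "E2 7E D7 E8", "93 C9 6D E8......."):
        print(value, "->", match_phone_value(value, SAMPLE_SHOW_ITL) or "no match")
```

An empty result for a value that was read correctly means the capture and the phone are not describing the same ITL file, which is the situation the TFTP restart in the accepted answer produces until the phone is reset.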