Migrating IP Phones Between CUCM 8 and ITL Files

Lulzim Islami
Level 1

Hi everyone,

My company is splitting into two separate companies; as a result, we also have to split the Cisco IP Telephony system. Currently we are using CUCM version 8.6.2 with up to 1000 phones, and we bought another CUCM so we can split the phones 50/50. The second CUCM is set up; now we are at the final step, rehosting licenses with Cisco TAC and registering 50% of the phones to the new CUCM. My question is the following:

How to delete ITL files on half of the phones so they can be registered on the new CUCM - Publisher?

The two CUCMs are online but they are not connected via an intercluster trunk. Both of them are using version 8.6.2.

Thank you,

11 Replies

Chris Deren
Hall of Fame

This has been asked many times. You need to manually delete them from the phones. There are some 3rd party apps that can do this in bulk, and I know Cisco TAC has a tool for that as well; you may want to open a case to see if they can provide it to you.

HTH,

Chris

Hello,

I will migrate my CUCM from MCS to UCS. I have version 8.6; I will install 8.6 on VMware and after that I will upgrade to 10.X.

My question is: I will use the same IP address as my old cluster; will I have issues with the ITL files?

Regards

Leonardo Santana

*** Rate All Helpful Responses***

Hi,

No, this doesn't affect your certificates and hence your ITL files.

Please rate all useful posts

Ayodeji Okanlawon
VIP Alumni

You don't have to worry about deleting ITL files; you can consolidate certificates between clusters as long as both clusters are online at the same time, so that the phone certs can be trusted by their new cluster. This is another way to go about this.

Bulk Certificate Export

Note

The Bulk Certificate Export method will only work if both clusters are online with network connectivity while the phones are being migrated.

Another possible option if both the old and new clusters will be online at the same time is to use the Bulk Certificate migration method.

Remember that the IP Phones verify every downloaded file against either the ITL file, or against a TVS server that exists in the ITL file. If the phone needs to move to a new cluster, the ITL file the new cluster presents must be trusted by the old cluster's TVS certificate store.

The Bulk Certificate Export method works in the following way from the OS Administration > Security > Bulk Certificate page:

  1. Export certificates from new destination cluster (TFTP only) to a central SFTP server.
  2. Consolidate certificates (TFTP only) on the SFTP server using the Bulk Certificate interface.
  3. On the old origination cluster use the Bulk Certificate function to import the TFTP certificates from the central SFTP server.
  4. Use DHCP option 150, or some other method, to point the phones to the new destination cluster.
  5. Phones will download the new destination cluster ITL file and attempt to verify it against their existing ITL file.
  6. The cert will not be in the existing ITL file so the phone will ask the old TVS server to verify the signature of the new ITL file. The phone sends a TVS query to the old origination cluster on TCP port 2445 to make this request.
  7. If the certificate export/consolidate/import process worked correctly then TVS returns success, and the phone replaces the in memory ITL file with the newly downloaded ITL file.
  8. The phones can now download and verify the signed configuration files from the new cluster.

From this document

https://supportforums.cisco.com/docs/DOC-15799

"opportunity is a haughty goddess who waste no time with those who are unprepared"

Please rate all useful posts
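The trust decision in steps 5 to 7 above, as an added example that is not part of the original post and is not Cisco's code: a simplified Python model of how a phone accepts or rejects the new cluster's ITL file. The class names, the `migrate` helper and the certificate bytes are constructed for illustration; real phones compare certificates inside the signed ITL file and query TVS on TCP port 2445.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

@dataclass
class Cluster:
    tftp_cert: bytes                 # constructed stand-in for the TFTP (ITL signer) cert
    online: bool = True              # can phones reach this cluster's TVS?
    tvs_store: set = field(default_factory=set)  # fingerprints TVS will vouch for

    def __post_init__(self):
        self.tvs_store.add(fingerprint(self.tftp_cert))

    def bulk_import(self, other: "Cluster") -> None:
        # Step 3: import the other cluster's TFTP cert into this trust store.
        self.tvs_store.add(fingerprint(other.tftp_cert))

@dataclass
class Phone:
    itl_signers: set                 # signer fingerprints in the phone's current ITL
    tvs_cluster: Cluster             # TVS server named in the current ITL

    def fetch_itl(self, new_cluster: Cluster) -> str:
        signer = fingerprint(new_cluster.tftp_cert)
        if signer in self.itl_signers:                 # step 5: check current ITL
            outcome = "accepted: signer in current ITL"
        elif not self.tvs_cluster.online:              # the Note: old cluster must be up
            return "rejected: TVS unreachable"
        elif signer in self.tvs_cluster.tvs_store:     # step 6: ask the old TVS
            outcome = "accepted: vouched for by TVS"
        else:
            return "rejected: signer unknown to TVS"
        # Step 7: replace the in-memory ITL with the new cluster's.
        self.itl_signers = {signer}
        self.tvs_cluster = new_cluster
        return outcome

def migrate(imported: bool, old_online: bool = True) -> str:
    """Repoint one phone at the new cluster and report what it decides."""
    old = Cluster(b"constructed-old-tftp-cert")
    new = Cluster(b"constructed-new-tftp-cert")
    if imported:
        old.bulk_import(new)
    old.online = old_online
    phone = Phone({fingerprint(old.tftp_cert)}, old)
    return phone.fetch_itl(new)
```

The two rejected outcomes are the cases where a phone keeps its old ITL and refuses the new cluster's signed configuration files: the import on the old cluster was skipped, or the old cluster's TVS was not reachable during the move.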

Great suggestion. I wish I would have seen this a month ago. Had the exact problem and ended having to manually go to each phone.

Cheers.

Hi

I read through all the forums but nothing mentioned whether I need to export the certificate from each server in the cluster separately and consolidate and import. For example, I have two clusters with 1 PUB and 2 SUBs. Do I need to run the consolidation on the PUB, then do the same for the SUBs? When I run the Bulk Import from the PUB all I see is the certs of both PUBs. I cannot see the name of the two SUBs?

Lulzim Islami
Level 1

It's all clear except line nr. 3: where can I find the Bulk Certificate import option to import certificates from the central SFTP server? I have only the export option.

Thank you,

Valdet, you will need to import the certificates using the certificate management menu

security>certificate management>upload certificate>TVS

The certificates you want to upload should be done as TVS type. This is where the phones will look when they do not find the correct signature in the CTL or ITL files.

"opportunity is a haughty goddess who waste no time with those who are unprepared"

Please rate all useful posts

The file that has been exported looks like this: CUCMPUB_tftp.pkcs12

When I'm trying to upload it to the originating cluster it doesn't work: "Error reading the certificate"

Any idea what it could be?

Thank you,

Valdet,

Please use this link to learn how to export, consolidate and import the certificates from both clusters. Export only the TFTP certificates. The video exported all, but you only need TFTP. Start the video at 7:46 (time); this is the section that talks about certificates.

http://www.youtube.com/watch?v=WBHwy6-Uebg

NB: the Import option only appears after you have consolidated the certificates

"opportunity is a haughty goddess who waste no time with those who are unprepared"

Please rate all useful posts

Nice, it worked.

I can only add one line on the Bulk Certificate Export document:

  1. Export certificates from new destination cluster (TFTP only) to a central SFTP server.

Export should be done from both sides in order to consolidate the certificates.

Thanks for the help.