Stopping CAPF on CUCM 9.1, what consequences?

tony loktu
Level 1

Hi

I have a customer that has two CUCM clusters, both running 9.1.1 (long story why it ended up so).

One cluster has not enabled "Cisco CTL Provider" or "Cisco Certificate Authority Proxy Function" and the other has not. Why it's like this I don't know.

On the one cluster where both of these services are enabled, we have started to get warnings about "capf certificate is about to expire".

Both clusters are working fine.

We don't use SIP Secure and most (almost every) device uses SCCP.

What would happen if we disable "Cisco CTL Provider" and "Cisco Certificate Authority Proxy Function"?

6 Replies

Manish Gogna
Cisco Employee

Hi Tony,

CAPF works in tandem with CTL as explained in detail here

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_0_1/secugd/CUCM_BK_C68276B4_00_cucm-security-guide-100/CUCM_BK_C68276B4_00_cucm-security-guide-100_chapter_01010.html#CUCM_TP_CBFA1090_00

You don't need these services if the server is not running in secure or mixed-mode.

Manish

- Do rate helpful posts -

Hi Manish

Just to be sure:

I have located all the phones and every device has LSC status "none" or nothing in the "CAPF Auth String" column.

Does that mean I don't have a single device depending on CTL or CAPF?

/Tony

Hi Tony,

Please check under System > Clusterwide parameters on the CUCM admin page.

This parameter indicates the security mode of the cluster. A value of 0 indicates Non Secure (phones will register in non-secure mode [no security]); 1 indicates Mixed (the cluster allows the registration of both secure devices and non-secure devices).

If the value is 0, then it should be okay as per what you see on the IP phones.

Manish

Hi Manish

In Enterprise Parameters Configuration - Security Parameters, I find that:

Security Parameters

Cluster Security Mode: 0
LBM Security Mode: Insecure
CAPF Phone Port: 3804
CAPF Operation Expires in (days): 10
Enable Caching: False

I can safely stop those services?

/Tony

Hi Tony,

Yes. As Manish mentioned, if your Cluster Security Mode is 0, then you can safely stop the CAPF service because your cluster is non-secure and does not need this service to be active.

HTH

Rajan

Hi Rajan

I have stopped the services and nothing happened. That's good news.

The alarm about an expiring certificate still pops up in Prime though.

/Tony