02-18-2020 12:15 PM
Hi Experts,
I have a few questions on regenerating expired certs for UCM 12 (not in mixed mode).
The following certs are expired:
- CallManager
- CAPF
- TVS
- ITL Recovery
- ipsec
- Tomcat
* What is the impact if I let them stay expired?
* Which order do I need to do them in? How many hours will it take? We have 1 Pub and 5 Subs, 2 TFTP, 10,000 phones.
* What tool can check and delete the ITL remotely?
* If I don't restart the phones after the "Call Manager" cert is regenerated, will the phones still be registered?
* If I don't use mixed mode, does that mean there is no need to worry about TVS and CAPF?
Thanks,
C
02-18-2020 12:49 PM
Hi,
This table at the first link (Table 3. Certificate Names and Descriptions) shows the services related to each certificate of the CUCM:
Check these links; I think all your questions will be answered:
Regards
Leonardo Santana
02-19-2020 01:14 PM
Thanks, I read these docs already before I posted the question.
But what I am looking for is someone who has experienced this before and is able to answer from a practical perspective.
* What is the impact if I let them stay expired?
* Which order do I need to do them in? How many hours will it take? We have 1 Pub and 5 Subs, 2 TFTP, 10,000 phones.
* What tool can check and delete the ITL remotely?
* If I don't restart the phones after the "Call Manager" cert is regenerated, will the phones still be registered?
* If I don't use mixed mode, does that mean there is no need to worry about TVS and CAPF?
02-19-2020 05:33 PM - edited 02-19-2020 05:55 PM
Hi, from the practical side:
* What is the impact if I let them stay expired?
Service Impact by the Certificate Store
It is critical for good functionality of the system to have all certificates updated across the CUCM cluster. If your certificates are expired or invalid they might significantly affect normal functionality of the system. A list of potential issues you might have when any of the specific certificates is invalid or expired is shown here. The impact might differ dependent upon your system setup.
CallManager.pem
Tomcat.pem
CAPF.pem
IPSec.pem
TVS (Trust Verification Service)
phone-vpn-trust
* Which order do I need to do them in? How many hours will it take? We have 1 Pub and 5 Subs, 2 TFTP, 10,000 phones.
First, blank out the ITL for the IP phones:
The restart of the services is very fast, but it depends on the features that you have, like EM and other stuff, but I think within 3 or 4 hours you can handle this maintenance window. But again, you have to know your environment; see all the features that you have (like IM&P, UCCX, Extension Mobility). But do not wait for them to expire to do this.
This feature "blanks" out your ITL on all servers, so the phones will trust any TFTP server. Phone services (for example, Extension Mobility) will NOT work when this parameter is set to True. However, users will be able to continue to make and receive basic phone calls.
Once this feature is set, all TFTP servers need to be restarted (in order to supply the new ITL) and all phones need to be reset in order to force them to request the new "blank" ITL. Once the certificate changes are completed and all necessary services have been restarted, this feature can be set back to "False", the TFTP service restarted, and the phones reset (so the phone can obtain the valid ITL file). Then all features will continue to work as they did previously.
This procedure provides a TFTP server with a valid/updated ITL file from a trusted TFTP server that is available.
* What tool can check and delete the ITL remotely?
There are many applications on the market, but you have to pay to use them:
https://www.uplinx.com/phonecontrol/erase-ctl-itl-files-from-cisco-phones/
https://www.unifiedfx.com/products/phoneview-itl-delete
* If I don't restart the phones after the "Call Manager" cert is regenerated, will the phones still be registered?
When you restart the CUCM service, the IP phones will be restarted automatically.
* If I don't use mixed mode, does that mean there is no need to worry about TVS and CAPF?
For CAPF you need to worry if you have encryption (mixed mode), but for TVS you need to worry because it is responsible for the IP phones authenticating with Extension Mobility, if you are using this feature.
My advice: map all the variables of your environment. If you have a valid Cisco support contract, open a case with TAC to map all these, but they will tell you basically the same thing that we are discussing here. But if you have any problem during the maintenance window your case will already be open and you can raise the severity of the case depending on the level of your issue.
Regards
Leonardo Santana
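The advice above amounts to "know which certificates expire when, and do not wait for them to expire." As an added example (my own code, not from this thread and not Cisco tooling), the script below checks that from the certificates themselves: it walks the DER structure of an X.509 certificate far enough to read Validity.notAfter using only the Python standard library, and reports days remaining per certificate, sorted soonest-first, so the cluster's exported certificates can be checked in one pass before the maintenance window. The sample certificates at the bottom are constructed, unsigned stubs with the real tbsCertificate field order; their file names only mirror the list in the thread and the 90-day warning threshold is an assumption, not a Cisco recommendation.

```python
"""Report X.509 certificate expiry (notAfter) with the standard library only.

Added example for the CUCM certificate thread; not Cisco tooling and not posted
by any participant. Works on PEM or DER input. The sample data at the bottom are
constructed stubs, not real CUCM certificates.
"""
import base64
import datetime as dt
import re

UTC = dt.timezone.utc
TAG_SEQUENCE, TAG_INTEGER, TAG_BITSTRING = 0x30, 0x02, 0x03
TAG_UTCTIME, TAG_GENERALIZEDTIME, TAG_CTX0 = 0x17, 0x18, 0xA0


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos).

    Single-byte tags only, which is all X.509 uses at the levels walked here.
    """
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _parse_time(tag, value):
    """Decode an RFC 5280 Time (UTCTime or GeneralizedTime) into an aware datetime."""
    text = value.decode("ascii")
    if tag == TAG_UTCTIME:                  # YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != TAG_GENERALIZEDTIME:        # YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def pem_to_der(data):
    """Accept PEM or DER bytes and return the DER body."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def cert_validity(data):
    """Return (notBefore, notAfter) of an X.509 certificate given as PEM or DER."""
    tag, cert, _ = _read_tlv(pem_to_der(data), 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)        # tbsCertificate
    if tag != TAG_SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_children(tbs))
    if fields[0][0] == TAG_CTX0:            # optional EXPLICIT [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    (t1, v1), (t2, v2) = list(_children(fields[3][1]))[:2]
    return _parse_time(t1, v1), _parse_time(t2, v2)


def expiry_report(certs, now, warn_days=90):
    """certs: {name: PEM/DER bytes}. Return [(name, days_left, status)] soonest first."""
    rows = []
    for name, data in certs.items():
        days = (cert_validity(data)[1] - now).days
        status = "EXPIRED" if days < 0 else "RENEW" if days <= warn_days else "OK"
        rows.append((name, days, status))
    return sorted(rows, key=lambda row: row[1])


# --- constructed sample data (demo only, not real CUCM certificates) ----------

def _tlv(tag, value):
    """Minimal DER encoder used only to build the demo stubs."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def make_stub_cert(not_before, not_after):
    """Unsigned stub with the real tbsCertificate field order; AlgorithmIdentifier/Name/SPKI left empty."""
    def utc_time(t):
        return _tlv(TAG_UTCTIME, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_tlv(TAG_CTX0, _tlv(TAG_INTEGER, b"\x02"))                 # version v3
           + _tlv(TAG_INTEGER, b"\x01")                                 # serialNumber
           + _tlv(TAG_SEQUENCE, b"")                                    # signature (empty stub)
           + _tlv(TAG_SEQUENCE, b"")                                    # issuer (empty stub)
           + _tlv(TAG_SEQUENCE, utc_time(not_before) + utc_time(not_after))  # validity
           + _tlv(TAG_SEQUENCE, b"")                                    # subject (empty stub)
           + _tlv(TAG_SEQUENCE, b""))                                   # subjectPublicKeyInfo (empty stub)
    return _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, tbs) + _tlv(TAG_SEQUENCE, b"") + _tlv(TAG_BITSTRING, b"\x00"))


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def _d(y, m, d):
    return dt.datetime(y, m, d, tzinfo=UTC)


NOW = _d(2020, 2, 19)                       # date of the thread, used as "today"
SAMPLE_CERTS = {                            # names mirror the thread; contents are constructed stubs
    "CallManager.pem": to_pem(make_stub_cert(_d(2015, 3, 1), _d(2020, 3, 1))),
    "Tomcat.pem": to_pem(make_stub_cert(_d(2019, 6, 1), _d(2021, 6, 1))),
    "CAPF.pem": to_pem(make_stub_cert(_d(2015, 1, 15), _d(2020, 1, 15))),
    "ipsec.pem": make_stub_cert(_d(2015, 4, 30), _d(2020, 4, 30)),   # raw DER, no PEM armour
}

if __name__ == "__main__":
    for name, days, status in expiry_report(SAMPLE_CERTS, NOW):
        print(f"{name:16} {days:5d} days  {status}")
```

In practice replace SAMPLE_CERTS with the certificate files you exported from each node (and pass the real current time); a certificate that reports EXPIRED or RENEW for CallManager, Tomcat, CAPF, ipsec or TVS is one to schedule into the window Leonardo describes, with the ITL blanked first.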
02-19-2020 08:28 PM
Hi Leonardo,
Thanks, much appreciated, this is very clear.
- What do you mean by mapping out the environment? You mean the features we use in UCM?
- Also I have Jabber MRA (Expressway), IMP, UCCX, Unity, Media Sense, CER.
* Will anything break if I update each app's certs at a different time?
* Do I need to do all the UC apps above in the same window?
- I have a "Tomcat" cert on UCM that is signed by a Windows Server CA; is there any specific process when I request the CSR and apply it?
- In case something goes sideways, what do I need to back up beforehand for ITL/TVS, in case TAC needs to restore?
Thanks,
02-20-2020 10:27 AM
Hi,
- What do you mean by mapping out the environment? You mean the features we use in UCM?
I mean the features that you have, like Extension Mobility, or, like you mentioned, MRA, UCCX, Media Sense and CER. You need to check whether the certificates of CUCM will impact these applications.
- Also I have Jabber MRA (Expressway), IMP, UCCX, Unity, Media Sense, CER.
* Will anything break if I update each app's certs at a different time?
Will all the certificates expire on the same date?
* Do I need to do all the UC apps above in the same window?
Will your apps' certificates expire?
- I have a "Tomcat" cert on UCM that is signed by a Windows Server CA; is there any specific process when I request the CSR and apply it?
Will this certificate expire?
- In case something goes sideways, what do I need to back up beforehand for ITL/TVS, in case TAC needs to restore?
I suggest that you have the backup of your collab environment updated.
02-24-2020 08:19 PM
Hi Leonardo,
I suggest that you have the backup of your collab environment updated
----->
If I have a UCM backup, do I still need to physically remove the ITL when I need to roll back?
Rgds,
T
02-25-2020 06:03 AM
Hi,
If I have a UCM backup, do I still need to physically remove the ITL when I need to roll back?
Are you talking about doing a restore on the cluster?
Regards
Leonardo Santana
02-26-2020 09:13 AM
Correct, let's say I took a UCM snapshot and restored the snapshot.
After that, do I need to remove the ITL from each phone for it to register?
02-26-2020 09:21 AM
The official answer to this is that the only supported method of backup is to capture regular and complete DRS backup sets from the cluster using the built-in DRS components.
Snapshots are not supported.
For example, if you need to do a restore on your server and it is the same hostname and domain, I think you do not need to delete the ITL files. But if you change your domain/hostname or IP you need to delete the ITL.
Regards