
How to regenerate security certificates? CUCM 6.1.3

ANTONIO MANCHON
Level 1

Hi,

The company has a Call Manager with 3 nodes on version 6.1.3:

- NODO1: 10.102.224.254

- NODO2: 10.102.224.253

- NODO3: 10.102.239.20

From the OS Administration web page it can be seen that some certs are going to expire. We have received a warning via e-mail, and by opening the certificates we have checked that the expiration date is about to happen.

This is the security mode configuration:

Service parameters --> Publisher --> Call Manager-->Security Parameters

Cluster Security Mode: 1

CAPF Phone port:3804

CAPF Operation expires in (days):10

Enable caching: false

Certificates that are going to expire are the following:

CallManager_pem

CallManager_der

CAPF_pem

CAPF_der

CAPF-e09c40eb_pem

CAPF-e09c40eb_der

ipsec_cert_der

ipsec_cert_pem

NODO1_der

NODO1_pem

tomcat_cert_der

tomcat_cert_pem

At the publisher, no CTI file can be seen:

show itl

Executed command unsuccessfully

No valid command entered

There is only a CTL file, and it's the following:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.02.19 17:47:46 =~=~=~=~=~=~=~=~=~=~=~=

show ctl   //Note: in the following file, some digits of the "SIGNATURE" have been replaced with "*", and so have some names. Nothing else.

Length of CTL file: 5946

Parse CTL File

--------------

Version:          1.2

HeaderLength:          304 (BYTES)

BYTEPOS          TAG                    LENGTH          VALUE

-------          ---                    ------          -----

3          SIGNERID          2          117

4          SIGNERNAME          56

5          SERIALNUMBER          10

6          CANAME          42

7          SIGNATUREINFO          2          15

8          DIGESTALGORTITHM          1

9          SIGNATUREALGOINFO          2          8

10          SIGNATUREALGORTITHM          1

11          SIGNATUREMODULUS          1

12          SIGNATURE          128


14          FILENAME          12

15          TIMESTAMP          4

CTL Record #:1

          ----

BYTEPOS          TAG                    LENGTH          VALUE

-------          ---                    ------          -----

1          RECORDLENGTH          2          1186

2          DNSNAME                    1

3          SUBJECTNAME          56          cn="SAST-ADN597e8314        ";ou=IPCBU;o="Cisco Systems

4          FUNCTION          2          System Administrator Security Token

5          ISSUERNAME          42          cn=Cisco Manufacturing CA;o=Cisco Systems

6          ISSUERNAME          10

7          PUBLICKEY          140

9          CERTIFICATE          902

10          IPADDRESS          4

This etoken was not used to sign the CTL file.

CTL Record #:2

          ----

BYTEPOS          TAG                    LENGTH          VALUE

-------          ---                    ------          -----

1          RECORDLENGTH          2          1180

2          DNSNAME                    1

3          SUBJECTNAME          56          cn="SAST-ADN592dfe14        ";ou=IPCBU;o="Cisco Systems

4          FUNCTION          2          System Administrator Security Token

5          ISSUERNAME          42          cn=Cisco Manufacturing CA;o=Cisco Systems

6          ISSUERNAME          10

7          PUBLICKEY          141

9          CERTIFICATE          895

10          IPADDRESS          4

This etoken was used to sign the CTL file.

CTL Record #:3

          ----

BYTEPOS          TAG                    LENGTH          VALUE

-------          ---                    ------          -----

1          RECORDLENGTH          2          765

2          DNSNAME                    15          10.102.224.253

3          SUBJECTNAME          13          cn=NODO2

4          FUNCTION          2          CCM+TFTP

5          ISSUERNAME          13          cn=NODO2

6          ISSUERNAME          8

7          PUBLICKEY          140

9          CERTIFICATE          541

10          IPADDRESS          4

CTL Record #:4

          ----

BYTEPOS          TAG                    LENGTH          VALUE

-------          ---                    ------          -----

1          RECORDLENGTH          2          765

2          DNSNAME                    15          10.102.224.254

3          SUBJECTNAME          13          cn=NODO1

4          FUNCTION          2          CCM+TFTP

5          ISSUERNAME          13          cn=NODO1

6          ISSUERNAME          8

7          PUBLICKEY          140

9          CERTIFICATE          541

10          IPADDRESS          4

CTL Record #:5

          ----

BYTEPOS          TAG                    LENGTH          VALUE

-------          ---                    ------          -----

1          RECORDLENGTH          2          982

2          DNSNAME                    15          10.102.224.254

3          SUBJECTNAME          43          cn=CAPF-e09c40eb;ou=AREA TIC;o=NOMBREX

4          FUNCTION          2          CAPF

5          ISSUERNAME          43          cn=CAPF-e09c40eb;ou=AREA TIC;o=NOMBREX

6          ISSUERNAME          8

7          PUBLICKEY          140

9          CERTIFICATE          698

10          IPADDRESS          4

CTL Record #:6

          ----

BYTEPOS          TAG                    LENGTH          VALUE

-------          ---                    ------          -----

1          RECORDLENGTH          2          764

2          DNSNAME                    14          10.102.239.20

3          SUBJECTNAME          13          cn=NODO3

4          FUNCTION          2          CCM+TFTP

5          ISSUERNAME          13          cn=NODO3

6          ISSUERNAME          8

7          PUBLICKEY          140

9          CERTIFICATE          541

10          IPADDRESS          4

The CTL file was verified successfully.

*******************

Certificates at publisher are the following:

admin:show cert list own

tomcat

ipsec

CallManager

CAPF

admin:show cert list

ipsec-trust/NODO1.pem

ipsec-trust/NODO1.der

ipsec-trust/c92d8a04.0

CallManager-trust/CAP-RTP-001.pem

CallManager-trust/CAP-RTP-002.pem

CallManager-trust/Cisco_Manufacturing_CA.pem

CallManager-trust/Cisco_Root_CA_2048.pem

CallManager-trust/a0440f4c.0

CallManager-trust/a69d2e04.0

CallManager-trust/f7a74b2c.0

CallManager-trust/dcc12642.0

CallManager-trust/0d40b14e.0

CallManager-trust/CAPF-7EC94D72.pem

CallManager-trust/CAPF-97FA3FDE.pem

CallManager-trust/CAPF-e09c40eb.pem

CallManager-trust/3e92ebd9.0

CallManager-trust/8eb380b0.0

CAPF-trust/CAP-RTP-001.pem

CAPF-trust/CAP-RTP-002.pem

CAPF-trust/Cisco_Manufacturing_CA.pem

CAPF-trust/Cisco_Root_CA_2048.pem

CAPF-trust/a0440f4c.0

CAPF-trust/a69d2e04.0


CAPF-trust/f7a74b2c.0

CAPF-trust/CAPF.der

CAPF-trust/CAPF.pem

CAPF-trust/dcc12642.0

CAPF-trust/8eb380b0.0

admin:utils service list

Requesting service status, please wait...

System SSH [STARTED]

Cluster Manager [STARTED]

Service Manager is running

Getting list of all services

>> Return code = 0

A Cisco DB[STARTED]

A Cisco DB Replicator[STARTED]

Cisco AMC Service[STARTED]

Cisco AXL Web Service[STARTED]

Cisco Bulk Provisioning Service[STARTED]

Cisco CAR Scheduler[STARTED]

Cisco CAR Web Service[STARTED]

Cisco CDP[STARTED]

Cisco CDP Agent[STARTED]

Cisco CDR Agent[STARTED]

Cisco CDR Repository Manager[STARTED]

Cisco CTIManager[STARTED]

Cisco CTL Provider[STARTED]

Cisco CallManager[STARTED]

Cisco CallManager Admin[STARTED]

Cisco CallManager Attendant Console Server[STARTED]

Cisco CallManager Cisco IP Phone Services[STARTED]

Cisco CallManager Personal Directory[STARTED]

Cisco CallManager SNMP Service[STARTED]

Cisco CallManager Serviceability[STARTED]

Cisco CallManager Serviceability RTMT[STARTED]

Cisco Certificate Authority Proxy Function[STARTED]

Cisco Certificate Expiry Monitor[STARTED]

Cisco DRF Local[STARTED]

Cisco DRF Master[STARTED]

Cisco Database Layer Monitor[STARTED]

Cisco Dialed Number Analyzer[STARTED]

Cisco DirSync[STARTED]

Cisco Extended Functions[STARTED]

Cisco Extension Mobility Application[STARTED]

Cisco IP Manager Assistant[STARTED]

Cisco IP Voice Media Streaming App[STARTED]

Cisco License Manager[STARTED]

Cisco Log Partition Monitoring Tool[STARTED]

Cisco RIS Data Collector[STARTED]

Cisco RTMT Reporter Servlet[STARTED]

Cisco SOAP - CDRonDemand Service[STARTED]

Cisco Serviceability Reporter[STARTED]

Cisco Syslog Agent[STARTED]

Cisco Tftp[STARTED]

Cisco Tomcat[STARTED]

Cisco Tomcat Stats Servlet[STARTED]

Cisco Trace Collection Service[STARTED]

Cisco Trace Collection Servlet[STARTED]

Cisco UXL Web Service[STARTED]

Cisco WebDialer Web Service[STARTED]

Host Resources Agent[STARTED]

MIB2 Agent[STARTED]

Native Agent Adapter[STARTED]

SNMP Master Agent[STARTED]

SOAP -Log Collection APIs[STARTED]

SOAP -Performance Monitoring APIs[STARTED]

SOAP -Real-Time Service APIs[STARTED]

System Application Agent[STARTED]

Cisco DHCP Monitor Service[STOPPED]  Service Not Activated

Cisco Extension Mobility[STOPPED]  Service Not Activated

Cisco Messaging Interface[STOPPED]  Service Not Activated

Cisco TAPS Service[STOPPED]  Service Not Activated

Cisco Unified Mobile Voice Access Service[STOPPED]  Service Not Activated

Primary Node =true

admin:

*****

Security profile, e.g. for a CP-7960

-Phone Security Profile Info

Device Protocol: SCCP

Name: SP_7960_Encriptado

Description: Migrated Profile: Sec_mode 3 Auth_mode 2

Device Security Mode: Encrypted

-Phone Security profile CAPF Info

Authentication mode: By null string

Key Size: 1024

*****

In this forum document, it says that for versions 5.x to 7.x I simply have to regenerate the certificates:

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-version-50/99815-ccm-sec-cert.html

These are the doubts I have:

- Is it necessary to regenerate any certificate in the first place? If so, what is the procedure I should follow for each certificate?

- Is it necessary to restart any service before regenerating the certificates? For version 8.0 and higher, I saw that it's necessary to restart the TFTP and Call Manager services.

- After regenerating the certificates, is it necessary to create a new CTL file? If so, do I need the two tokens we used to create the CTL file at the beginning?

- Regarding the CAPF certificate: do I need to push the LSC certificates to the phones? Or do I just need to reset the phones to do so?

Thank you in advance!
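As an added example (not from the original post and not Cisco's own code), a standard-library Python checker that reads the notAfter date out of a PEM certificate, such as the tomcat, ipsec, CallManager and CAPF certificates exported from OS Administration, so the days remaining on each listed certificate can be confirmed before planning the regeneration. The certificate it parses is a constructed skeleton built inline for the demonstration, not a real CUCM certificate.

```python
import ssl
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        yield tag, val

def cert_not_after(pem):
    """Return the notAfter time of a PEM certificate as an aware UTC datetime."""
    _, cert, _ = _tlv(ssl.PEM_cert_to_DER_cert(pem), 0)   # Certificate ::= SEQUENCE
    fields = list(_children(next(_children(cert))[1]))    # tbsCertificate fields
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity: validity is index 3
    (_, _), (tag, not_after) = list(_children(fields[3][1]))
    text = not_after.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ (RFC 5280: 50-99 -> 19xx)
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def days_until_expiry(pem, now):
    """Whole days from now (an aware datetime) until the certificate expires."""
    return (cert_not_after(pem) - now).days

def _der(tag, body):   # DER TLV encoder, used only to build the constructed sample
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

# Constructed sample (not a real CUCM cert): a structurally valid certificate
# skeleton with empty names and dummy key/signature, notAfter = 2014-03-01 UTC.
SEQ = 0x30
_tbs = _der(SEQ, _der(0xA0, _der(0x02, b"\x02"))                 # [0] version v3
              + _der(0x02, b"\x01")                              # serialNumber
              + _der(SEQ, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # signature alg
              + _der(SEQ, b"")                                   # issuer (empty Name)
              + _der(SEQ, _der(0x17, b"140201000000Z") + _der(0x17, b"140301000000Z"))
              + _der(SEQ, b"") + _der(SEQ, b""))                 # subject, subjectPublicKeyInfo
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(_der(SEQ, _tbs + _der(SEQ, b"") + _der(0x03, b"\x00")))
```

Feed `cert_not_after` the contents of each exported .pem file and compare the result with the cluster's current time to get the same expiry warning the Certificate Expiry Monitor mails out.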
