July 30, 2014
It has been over four years since the release of Cisco Unified Communications Manager 8.X, and a lot of these systems are coming up for hardware replacement or version upgrade. Before rushing to upgrade, here’s what you should consider.
With the release of version 8, a new feature was introduced called Security by Default. The main component of Security by Default is the Trust Verification Service, outlined below:
- TVS runs on the Cisco Unified Communications Manager server and authenticates certificates on behalf of the Cisco Unified IP Phone.
- Instead of downloading all the trusted certificates, Cisco Unified IP Phone only need to trust TVS.
- The TVS certificates and a few key certificates are bundled in a new file: the Identity Trust List file (ITL).
- The ITL file gets generated automatically without user intervention.
- The ITL file gets downloaded by Cisco Unified IP Phones and trust flows from there.
Once a trust is established between a phone and its Communications Manager cluster, it cannot trust any other cluster without some work. If you attempt to register the phone to a new cluster, it will receive a Trust List Update error and will not function correctly.
The server certificate that this relies on is generated based on several parameters that are set within the server including hostname and IP address.
This presents an issue any time you are attempting to perform anything but a straight upgrade on the same hardware. For example, if you were performing a jump upgrade to new hardware and are changing the IP address in the process. If you attempt this and register the phones to the new cluster without some preparation the phones will be unable to access the new cluster, and the only way to fix this issue, without paying for 3rd party software, will be to manually visit every phone and delete the ITL file that resides on it. To avoid these unnecessary and costly issues, there are several things that can be done.
The first is what’s known as a Bulk Certificate Export – this requires both clusters be online at the same time. This procedure requires you to export the certificate from the old cluster and new cluster to a centralized SFTP server. Once exported, you can consolidate the certificate and import it into the old cluster.
To use the Bulk Certificate Export Method, complete the following procedure:
From Cisco Unified Operating System Administration, choose Security > Bulk Certificate Management.
Export certificates from new destination cluster (TFTP only) to a central SFTP server.
Consolidate certificates (TFTP only) on the SFTP server using the Bulk Certificate interface.
On the origination cluster use the Bulk Certificate function to import the TFTP certificates from the central SFTP server.
Use DHCP option 150, or some other method, to point the phones to the new destination cluster.
The phones download the new destination cluster ITL file and attempt to verify it against their existing ITL file. The certificate is not in the existing ITL file, so the phone requests the old TVS server to verify the signature of the new ITL file. The phone sends a TVS query to the old origination cluster on TCP port 2445 to make this request.
If the certificate export/consolidate/import process works correctly then the TVS returns success, and the phone replaces the ITL file in memory with the newly downloaded ITL file. The phones can now download and verify the signed configuration files from the new cluster.
If you cannot have both clusters up at the same time, use the Prepare Cluster For Pre-8.0 Enterprise Parameter procedure:
This will force the phones to download a new empty ITL file that will allow the phones to register to any cluster.
From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters.
The Enterprise Parameters Configuration window displays.
Set the Prepare Cluster for Rollback to pre-8.0 enterprise parameter to True.
Restart the Cisco Trust Verification Service on all Nodes.
From Cisco Unified Serviceability, choose Tools > Control Center – Network Services. The Control Center – Network Services window displays.
To restart the Cisco Trust Verification Service, click the Restart button at the bottom of the window.
Restart the Cisco Trust Verification Service on all nodes in the cluster. Restart the Cisco TFTP Service on the TFTP Servers.
From Cisco Unified Serviceability, choose Tools > Control Center – Feature Services. The Control Center – Feature Services window displays.
Restart the Cisco Tftp service on each node on which it is active.
Wait five minutes for TFTP to rebuild the files. Next, reset all Cisco Unified IP Phones.
From Cisco Unified Communications Manager Administration, choose System > Enterprise Parameters. The Enterprise Parameters Configuration window displays.
Wait ten minutes for the Cisco Unified IP Phones to register with Cisco Unified Communications Manager.
By following one of these procedures, you can avoid manually resetting the ITL file on all phones. Keep this in mind before attempting an upgrade on any system version 8.X or greater.
Like what you read?
Mindsight, a Chicago IT consultancy and services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We’ve always prided ourselves in delivering the full spectrum of IT services and solutions, from design and implementation to support and management. Our highly-certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for a local business or global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.