Mailing List Archive: Cisco: VOIP

cnf.xml.sgn for non-secure cluster?


ovi.popa at gmail

May 21, 2012, 10:12 AM

Post #1 of 11 (2122 views)
cnf.xml.sgn for non-secure cluster?

Hello everyone

Anyone know how a phone detects if it needs to download a signed or
unsigned configuration file?

I have a few phones that keep requesting signed file even though the
cluster is not in mixed mode and I cannot identify why they behave this
way. Does the ITL file contain information about the cluster security mode?

The phone logs say that the TFTP server is secure and keep trying for the
cnf.xml.sgn files. Where does it get this information?

Thanks for any input.

Regards.
Ovidiu


ealeatherman at gmail

May 21, 2012, 11:03 AM

Post #2 of 11 (2054 views)
Re: cnf.xml.sgn for non-secure cluster? [In reply to]

Hello,

My understanding is that the phone requests a CTL or ITL file when it
boots. If it ever actually gets a CTL or ITL file, from that point on it
will always request a signed configuration file, unless the CTL or ITL
files are manually deleted from the phone. If I'm incorrect, hopefully
someone will chime in :)

Ed


--
Ed Leatherman


ovi.popa at gmail

May 21, 2012, 1:28 PM

Post #3 of 11 (2053 views)
Re: cnf.xml.sgn for non-secure cluster? [In reply to]

My understanding is that ITL is required for several reasons:
- used to store the trusted certificates required for the TLS session to
the TVS web service (not related to cluster mixed mode as https web
services can be activated even if the cluster is unsecure)
- used to validate file signatures (only if the cluster is in mixed mode)

If this is correct, I think it is normal that I have an ITL file, but my
question still stands: how come the phone requests a signed file if the
cluster is not secure?

Thanks,
Ovidiu





ealeatherman at gmail

May 21, 2012, 1:35 PM

Post #4 of 11 (2047 views)
Re: cnf.xml.sgn for non-secure cluster? [In reply to]

Per my understanding, being on CUCM 8+ implies security-by-default is in
use and your phone is going to get an ITL file and thus request signed
config files:

https://supportforums.cisco.com/docs/DOC-17679

Security By Default provides these three functions for supported IP Phones:

1. Default authentication of TFTP downloaded files (configuration,
locale, ringlist, etc) using a signing key.
2. Optional encryption of TFTP configuration files using a signing key.
3. Certificate verification for phone initiated HTTPS connections using
a remote certificate trust store on Communications Manager (Trust
Verification Service).



--
Ed Leatherman
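The rule Ed states in Post #2 and the "default authentication of TFTP downloaded files" function listed above are easier to see with a small model. The following Go program is an added example written for this page, not code from the thread or from Cisco: it models a phone that holds a trust list (standing in for the ITL/CTL), requests `<device>.cnf.xml.sgn` whenever that list is present, and accepts the file only if the signature verifies against a listed key. The device name `SEP001122334455`, the signer identifiers, the file layout and the use of ed25519 are all constructed for the example; the real ITL and .sgn formats are certificate-based and are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Simplified model of the rule discussed in this thread, written for this page;
// it is NOT Cisco's ITL or .sgn format. A phone holding a trust list (ITL/CTL)
// asks for <device>.cnf.xml.sgn and accepts it only when the signature verifies.

// SignedFile stands in for a .sgn TFTP file (constructed layout).
type SignedFile struct {
	SignerID  string
	Payload   []byte
	Signature []byte
}

// TrustList models the ITL: signer identifiers mapped to public keys.
type TrustList map[string]ed25519.PublicKey

type Phone struct {
	DeviceName string
	ITL        TrustList // nil when no trust list is installed
}

// ConfigRequestName is the TFTP filename the phone asks for; with an ITL
// installed it always asks for the signed variant (Posts #2 and #7).
func (p *Phone) ConfigRequestName() string {
	if p.ITL == nil {
		return p.DeviceName + ".cnf.xml"
	}
	return p.DeviceName + ".cnf.xml.sgn"
}

var ErrUnknownSigner = errors.New("signer not in trust list")
var ErrBadSignature = errors.New("signature does not verify")

// Verify checks a signed file against the phone's trust list.
func (p *Phone) Verify(f SignedFile) error {
	pub, ok := p.ITL[f.SignerID]
	if !ok {
		return ErrUnknownSigner
	}
	if !ed25519.Verify(pub, f.Payload, f.Signature) {
		return ErrBadSignature
	}
	return nil
}

// sign produces the signed configuration file the TFTP service would serve
// (ed25519 here for brevity; the product's certificate-based signing is not modelled).
func sign(id string, priv ed25519.PrivateKey, payload []byte) SignedFile {
	return SignedFile{SignerID: id, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

func outcome(err error) string {
	if err == nil {
		return "accepted"
	}
	return err.Error()
}

// Scenario walks the cases the thread raises; results are keyed by label.
func Scenario() (map[string]string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the cluster's signing key
	if err != nil {
		return nil, err
	}
	phone := &Phone{DeviceName: "SEP001122334455"} // constructed device name
	cfg := []byte("<device><devicePool>Default</devicePool></device>")
	out := map[string]string{}
	out["request-no-itl"] = phone.ConfigRequestName()   // plain cnf.xml
	phone.ITL = TrustList{"cluster-tftp": pub}           // phone has fetched the ITL
	out["request-with-itl"] = phone.ConfigRequestName() // now cnf.xml.sgn
	out["valid"] = outcome(phone.Verify(sign("cluster-tftp", priv, cfg)))
	tampered := sign("cluster-tftp", priv, cfg) // payload altered after signing
	tampered.Payload = []byte("<device><devicePool>Changed</devicePool></device>")
	out["tampered"] = outcome(phone.Verify(tampered))
	foreign := sign("unrelated-signer", priv, cfg) // signer the ITL does not list
	out["unknown-signer"] = outcome(phone.Verify(foreign))
	phone.ITL = nil // the manual ITL deletion Ed mentions
	out["request-after-itl-delete"] = phone.ConfigRequestName()
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Running it reproduces the sequence the thread describes: without an ITL the phone asks for the plain file; once the ITL is installed it asks for the .sgn, accepts a correctly signed file, rejects a file whose payload changed after signing or whose signer is not in the list, and only reverts to the unsigned request when the ITL is removed, which is the manual reset Ed refers to.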


jason.aarons at dimensiondata

May 21, 2012, 1:40 PM

Post #5 of 11 (2142 views)
Re: cnf.xml.sgn for non-secure cluster? [In reply to]

There is the Pre-8.0 Rollback Service Parameter that disables ITL, but you need it set before phones see the upgraded CallManager. So for any upgrade you need to shut down phones first, I suspect.



ovi.popa at gmail

May 21, 2012, 2:53 PM

Post #6 of 11 (2063 views)
Re: cnf.xml.sgn for non-secure cluster? [In reply to]

It appears that I was focused in the wrong direction. The problem is not
the fact that the phones request a signed configuration file; it's the
fact that the TFTP answers with "File not found".

The test cluster is based on a restore from a production backup, and the
same phone works correctly with the production cluster.
If I try to generate the signed configuration file nothing seems to work
(restarted tftp, deleted itl, rebooted the phone several times, deleted
phone security and network settings, apply config button)... If I try
to modify and save the configuration the operation is rejected with the
following message "Update failed. Could not insert new row - duplicate
value in a UNIQUE INDEX column (Unique Index:x_device_name)".

This is weird since I'm not trying to add a new phone, I'm only
modifying the existing phone.





rratliff at cisco

May 21, 2012, 6:43 PM

Post #7 of 11 (2169 views)
Re: cnf.xml.sgn for non-secure cluster? [In reply to]

For starters Ed's original response is correct. If a phone has an ITL or CTL it will always request a signed config file.

To your issue: first of all, can you even do a manual TFTP download of the phone's config file? Unless there are some serious cert issues and TFTP just isn't able to sign a config file, the file not being present is unlikely to be a security issue.
Is the TFTP server the publisher or a sub? If it's a sub, then what does your database replication look like? TFTP can only build config files for phones it knows about via the local database. If you can't save a device from CCMAdmin, then you've got some database issues that could be impacting TFTP as well.

-Ryan


_______________________________________________
cisco-voip mailing list
cisco-voip [at] puck
https://puck.nether.net/mailman/listinfo/cisco-voip


ovi.popa at gmail

May 22, 2012, 10:31 AM

Post #8 of 11 (2033 views)
Re: cnf.xml.sgn for non-secure cluster? [In reply to]

Hello Ryan

Thanks for the information. Here are my replies, and sorry for the delay:
- customer not available for manual tftp download test. Will update ASAP
- dedicated tftp
- replication status is at 2. I do however see a high number of replicates
that are queued in the replication queue. I also saw that the publisher has
lost synchronization with the NTP server. Could this cause the issue?
- I tried to do the modification directly on the TFTP server so it knew
about the device

Ovidiu




rratliff at cisco

May 22, 2012, 11:06 AM

Post #9 of 11 (2030 views)
Re: cnf.xml.sgn for non-secure cluster? [In reply to]

Unfortunately CCMAdmin still reads from the publisher's database so I wouldn't count that as a reliable indicator of subscriber db state.

When you get access I'd run a 'utils dbreplication status' on the pub to have it check the tables.

-Ryan



ovi.popa at gmail

May 22, 2012, 11:10 AM

Post #10 of 11 (2023 views)
Re: cnf.xml.sgn for non-secure cluster? [In reply to]

Does utils dbreplication runtimestate on the Publisher count?
I have 2 screenshots from yesterday with the result (replication = 2
and replication queue growing from 592 in the first screenshot to 720 in
the second screenshot).



wsisk at cisco

May 22, 2012, 11:26 AM

Post #11 of 11 (2058 views)
Re: cnf.xml.sgn for non-secure cluster? [In reply to]

Russ wrote a great doc on this:

https://supportforums.cisco.com/docs/DOC-13672

Replication state 2 only means the agents are communicating. It does not mean the table contents are in sync.

Regards,
Wes

_______________________________________________
cisco-voip mailing list
cisco-voip [at] puck
https://puck.nether.net/mailman/listinfo/cisco-voip
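Ryan's suggestion earlier in the thread to do a manual TFTP download of the phone's config file, as an added example that is not part of the original thread: a minimal RFC 1350 TFTP client in Python that asks the server for both the signed (.cnf.xml.sgn) and the unsigned (.cnf.xml) config name and reports which comes back as DATA and which as TFTP error 1 ("File not found"). The MAC, the server address and the stub responder are constructed for an offline run; point `probe_phone` at a real TFTP server address to use it for diagnosis.

```python
import socket
import struct
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR, ERR_FILE_NOT_FOUND = 1, 3, 4, 5, 1  # RFC 1350 opcodes / error code

def config_names(mac):
    """Both names a phone may request: signed (.cnf.xml.sgn) and unsigned (.cnf.xml)."""
    base = "SEP" + mac.replace(":", "").replace("-", "").upper()
    return {"signed": base + ".cnf.xml.sgn", "unsigned": base + ".cnf.xml"}

def tftp_first_reply(server, filename, timeout=2.0):
    """Send an RRQ and classify the first reply as ('data', bytes) or ('error', code, msg)."""
    rrq = struct.pack("!H", OP_RRQ) + filename.encode() + b"\0octet\0"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(rrq, server)
        pkt, peer = s.recvfrom(65536)             # reply arrives from the server's transfer TID
        op, arg = struct.unpack("!HH", pkt[:4])   # arg = block number (DATA) or error code (ERROR)
        if op == OP_DATA:
            s.sendto(struct.pack("!HH", OP_ACK, arg), peer)   # ack block 1; rest not needed
            return ("data", pkt[4:])
        msg = pkt[4:].split(b"\0", 1)[0].decode(errors="replace")
        return ("error", arg if op == OP_ERROR else -1, msg)

def probe_phone(server, mac):
    """Per variant, report whether the TFTP server serves the phone's config file."""
    report = {}
    for kind, name in config_names(mac).items():
        reply = tftp_first_reply(server, name)
        report[kind] = "served" if reply[0] == "data" else f"error {reply[1]}: {reply[2]}"
    return report

# Constructed stub server: knows the unsigned file but has no signed copy ("File not found").
def start_stub_server(files):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    def serve():
        while True:
            pkt, peer = sock.recvfrom(65536)
            if struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
                continue                          # client ACKs need no reply here
            name = pkt[2:].split(b"\0", 1)[0].decode()
            if name in files:
                sock.sendto(struct.pack("!HH", OP_DATA, 1) + files[name], peer)
            else:
                sock.sendto(struct.pack("!HH", OP_ERROR, ERR_FILE_NOT_FOUND) + b"File not found\0", peer)
    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()                      # (host, port) to pass as `server`
```

A server that serves the unsigned name but returns error 1 for the .sgn name points at the TFTP service being unable to build or sign the file, as Ryan describes, rather than at the phone's request.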