遷移採用無令牌CTL的CUCM混合模式
簡介
本文檔介紹使用/不使用硬體USB電子令牌時Cisco Unified Communications Manager (CUCM)安全性的區別。
必要條件
需求
思科建議您瞭解CUCM版本10.0(1)或更高版本。此外,請確保:
- CUCM版本11.5.1SU3及更高版本的許可證伺服器必須是Cisco Prime License Manager (PLM) 11.5.1SU2或更高版本。這是因為CUCM版本11.5.1SU3需要加密許可證才能啟用混合模式,而PLM在11.5.1SU2之前不支援加密許可證。
有關詳細資訊,請參閱Cisco Prime License Manager版本11.5(1)SU2發行版本註釋。
- 您對CUCM發佈伺服器節點的命令列介面(CLI)具有管理訪問許可權。
- 您可以存取硬體USB eToken,並且您的PC上已安裝CTL使用者端外掛程式,以處理需要您移回使用硬體eToken的案例。
為了更清楚瞭解,此要求僅在您在任何時候都有需要USB eToken的場景時才適用。大多數人都需要USB電子令牌的可能性很小。
- 集群中的所有CUCM節點之間具有完全連線。這一點非常重要,因為CTL檔案透過SSH檔案傳輸協定(SFTP)複製到群集中的所有節點。
- 群集中的資料庫(DB)複製工作正常,伺服器即時複製資料。
- 部署中的裝置預設支援Security (TVS)。您可以使用Cisco Unified Reporting網頁中的Unified CM電話功能清單(https://<CUCM IP或FQDN>/cucreports/)來確定預設情況下支援安全的裝置。
採用元件
本文中的資訊係根據以下軟體和硬體版本:
- CUCM版本10.5.1.10000-7(兩個節點的集群)
- 思科7975系列IP電話透過瘦客戶端控制協定(SCCP)註冊,韌體版本為SCCP75.9-3-1SR4-1S
- 兩個思科安全令牌,用於使用CTL客戶端軟體將集群設定為混合模式
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
背景資訊
本文檔介紹使用和不使用硬體USB電子令牌時Cisco Unified Communications Manager (CUCM)安全性的區別。
本檔案也說明涉及無標籤憑證信任清單(CTL)的基本實行案例,以及用來確保系統在變更後可正常運作的程式。
無令牌CTL是CUCM版本10.0(1)及更高版本中的一項新功能,允許對IP電話的呼叫信令和媒體進行加密,而無需使用硬體USB電子令牌和CTL客戶端外掛,這是早期CUCM版本中的要求。
當使用CLI命令將群集置於混合模式時,CTL檔案使用發佈伺服器節點的CCM+TFTP(伺服器)證書進行簽名,並且CTL檔案中沒有eToken證書。
從非安全模式到混合模式(無令牌CTL)
本節介紹透過CLI將CUCM集群安全移至混合模式的過程。
在此場景之前,CUCM處於非安全模式,這意味著任何節點上都不存在CTL檔案,並且註冊的IP電話僅安裝身份信任清單(ITL)檔案,如以下輸出所示:
admin:show ctl Length of CTL file: 0 CTL File not found. Please run CTLClient plugin or run the CLI - utils ctl.. to
generate the CTL file. Error parsing the CTL File. admin:
run sql select paramname,paramvalue from processconfig where paramname='ClusterSecurityMode' paramname paramvalue =================== ========== ClusterSecurityMode 0
要透過使用新的無令牌CTL功能將CUCM集群安全移至混合模式,請完成以下步驟:
- 獲取CUCM發佈伺服器節點CLI的管理訪問許可權。
- 在CLI中輸入utils ctl set-cluster mixed-mode命令:
admin:utils ctl set-cluster mixed-mode
This operation sets the cluster to Mixed mode. Do you want to continue? (y/n):y
Moving Cluster to Mixed Mode
Cluster set to Mixed Mode
Please Restart the TFTP and Cisco CallManager services on all nodes in the cluster
that run these services
admin: - 導航到CUCM管理頁面>系統>企業引數,驗證集群是否已設定為混合模式(值1表示混合模式):
- 在運行這些服務的群集中的所有節點上重新啟動TFTP和Cisco CallManager服務。
- 重新啟動所有IP電話,以便它們可以從CUCM TFTP服務獲取CTL檔案。
- 要驗證CTL檔案的內容,請在CLI中輸入show ctl命令。
- 在CTL檔案中,您可以看到CUCM發佈伺服器節點的CCM+TFTP(伺服器)證書用於簽署CTL檔案(此檔案在群集中的所有伺服器上均相同)。以下是輸出示例:
admin:show ctl
The checksum value of the CTL file:
0c05655de63fe2a042cf252d96c6d609(MD5)
8c92d1a569f7263cf4485812366e66e3b503a2f5(SHA1)
Length of CTL file: 4947
The CTL File was last modified on Fri Mar 06 19:45:13 CET 2015
[...]
CTL Record #:1
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1156
2 DNSNAME 16 cucm-1051-a-pub
3 SUBJECTNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
6 SERIALNUMBER 16 70:CA:F6:4E:09:07:51:B9:DF:22:F4:9F:75:4F:C5:BB
7 PUBLICKEY 140
8 SIGNATURE 128
9 CERTIFICATE 694 E9 D4 33 64 5B C8 8C ED 51 4D 8F E5 EA 5B 6D 21
A5 A3 8C 9C (SHA1 Hash HEX)
10 IPADDRESS 4 This etoken was used to sign the CTL file.
CTL Record #:2
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1156
2 DNSNAME 16 cucm-1051-a-pub
3 SUBJECTNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
4 FUNCTION 2 CCM+TFTP
5 ISSUERNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
6 SERIALNUMBER 16 70:CA:F6:4E:09:07:51:B9:DF:22:F4:9F:75:4F:C5:BB
7 PUBLICKEY 140
8 SIGNATURE 128
9 CERTIFICATE 694 E9 D4 33 64 5B C8 8C ED 51 4D 8F E5 EA 5B 6D 21
A5 A3 8C 9C (SHA1 Hash HEX)
10 IPADDRESS 4
[...]
The CTL file was verified successfully. - 在IP電話端,您可以驗證服務重新啟動後,會下載現在位於TFTP伺服器中的CTL檔案(與CUCM的輸出相比,MD5校驗和匹配):
從硬體eToken到無標籤解決方案
本節介紹如何將CUCM集群安全從硬體令牌遷移到使用新的無令牌解決方案。
在某些情況下,已使用CTL客戶端在CUCM上配置了混合模式,並且IP電話使用包含硬體USB電子令牌證書的CTL檔案。
在此場景中,CTL檔案由來自其中一個USB電子令牌的證書簽名並安裝在IP電話上。在此範例中:
admin:show ctl
The checksum value of the CTL file:
256a661f4630cd86ef460db5aad4e91c(MD5)
3d56cc01476000686f007aac6c278ed9059fc124(SHA1)
Length of CTL file: 5728
The CTL File was last modified on Fri Mar 06 21:48:48 CET 2015
[...]
CTL Record #:5
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1186
2 DNSNAME 1
3 SUBJECTNAME 56 cn="SAST-ADN008580ef ";ou=IPCBU;o="Cisco Systems
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 42 cn=Cisco Manufacturing CA;o=Cisco Systems
6 SERIALNUMBER 10 83:E9:08:00:00:00:55:45:AF:31
7 PUBLICKEY 140
9 CERTIFICATE 902 85 CD 5D AD EA FC 34 B8 3E 2F F2 CB 9C 76 B0 93
3E 8B 3A 4F (SHA1 Hash HEX)
10 IPADDRESS 4
This etoken was used to sign the CTL file.
The CTL file was verified successfully.
完成以下步驟,以便將CUCM集群安全更改為使用無令牌CTL:
- 獲取CUCM發佈伺服器節點CLI的管理訪問許可權。
- 輸入utils ctl update CTLFile CLI命令:
admin:utils ctl update CTLFile
This operation updates the CTLFile. Do you want to continue? (y/n):y
Updating CTL file
CTL file Updated
Please Restart the TFTP and Cisco CallManager services on all nodes in
the cluster that run these services - 在運行這些服務的群集中的所有節點上重新啟動TFTP和CallManager服務。
- 重新啟動所有IP電話,以便它們可以從CUCM TFTP服務獲取CTL檔案。
- 在CLI中輸入show ctl命令,以便驗證CTL檔案的內容。在CTL檔案中,您可以看到CUCM發佈伺服器節點的CCM+TFTP(伺服器)證書用於簽署CTL檔案,而不是來自硬體USB電子令牌的證書。
- 在此案例中,更重要的差異在於所有硬體USB eToken的憑證會從CTL檔案中移除。以下是輸出示例:
admin:show ctl
The checksum value of the CTL file:
1d97d9089dd558a062cccfcb1dc4c57f(MD5)
3b452f9ec9d6543df80e50f8b850cddc92fcf847(SHA1)
Length of CTL file: 4947
The CTL File was last modified on Fri Mar 06 21:56:07 CET 2015
[...]
CTL Record #:1
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1156
2 DNSNAME 16 cucm-1051-a-pub
3 SUBJECTNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
6 SERIALNUMBER 16 70:CA:F6:4E:09:07:51:B9:DF:22:F4:9F:75:4F:C5:BB
7 PUBLICKEY 140
8 SIGNATURE 128
9 CERTIFICATE 694 E9 D4 33 64 5B C8 8C ED 51 4D 8F E5 EA 5B 6D
21 A5 A3 8C 9C (SHA1 Hash HEX)
10 IPADDRESS 4
This etoken was used to sign the CTL file.
CTL Record #:2
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1156
2 DNSNAME 16 cucm-1051-a-pub
3 SUBJECTNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
4 FUNCTION 2 CCM+TFTP
5 ISSUERNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
6 SERIALNUMBER 16 70:CA:F6:4E:09:07:51:B9:DF:22:F4:9F:75:4F:C5:BB
7 PUBLICKEY 140
8 SIGNATURE 128
9 CERTIFICATE 694 E9 D4 33 64 5B C8 8C ED 51 4D 8F E5 EA 5B 6D
21 A5 A3 8C 9C (SHA1 Hash HEX)
10 IPADDRESS 4
[...]
The CTL file was verified successfully. - 在IP電話端,您可以驗證IP電話重新啟動後,他們下載了更新的CTL檔案版本(與CUCM的輸出相比,MD5校驗和匹配):
從無標籤解決方案到硬體電子令牌
本節介紹如何將CUCM集群安全從新的無令牌解決方案遷移回使用硬體電子令牌。
如果使用CLI命令將CUCM集群安全設定為混合模式,並且CTL檔案使用CUCM Publisher節點的CCM+TFTP(伺服器)證書進行簽名,則CTL檔案中不存在來自硬體USB電子令牌的證書。
因此,當您運行CTL客戶端以更新CTL檔案(返回使用硬體電子令牌)時,將顯示以下錯誤消息:
The Security Token you have inserted does not exist in the CTL File Please remove any Security Tokens already inserted and insert another
Security Token. Click Ok when done.
在包括將系統降級到不包括utils ctl 命令的10.x之前版本的情況下(當切換回版本時),這一點尤為重要。
之前的CTL檔案在刷新或Linux到Linux (L2)升級過程中被遷移(其內容沒有更改),並且它不包含eToken證書,如前所述。以下是輸出示例:
admin:show ctl
The checksum value of the CTL file:
1d97d9089dd558a062cccfcb1dc4c57f(MD5)
3b452f9ec9d6543df80e50f8b850cddc92fcf847(SHA1)
Length of CTL file: 4947
The CTL File was last modified on Fri Mar 06 21:56:07 CET 2015
Parse CTL File
----------------
Version: 1.2
HeaderLength: 336 (BYTES)
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
3 SIGNERID 2 149
4 SIGNERNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
5 SERIALNUMBER 16 70:CA:F6:4E:09:07:51:B9:DF:22:F4:9F:75:4F:C5:BB
6 CANAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
7 SIGNATUREINFO 2 15
8 DIGESTALGORTITHM 1
9 SIGNATUREALGOINFO 2 8
10 SIGNATUREALGORTITHM 1
11 SIGNATUREMODULUS 1
12 SIGNATURE 128
65 ba 26 b4 ba de 2b 13
b8 18 2 4a 2b 6c 2d 20
7d e7 2f bd 6d b3 84 c5
bf 5 f2 74 cb f2 59 bc
b5 c1 9f cd 4d 97 3a dd
6e 7c 75 19 a2 59 66 49
b7 64 e8 9a 25 7f 5a c8
56 bb ed 6f 96 95 c3 b3
72 7 91 10 6b f1 12 f4
d5 72 e 8f 30 21 fa 80
bc 5d f6 c5 fb 6a 82 ec
f1 6d 40 17 1b 7d 63 7b
52 f7 7a 39 67 e1 1d 45
b6 fe 82 0 62 e3 db 57
8c 31 2 56 66 c8 91 c8
d8 10 cb 5e c3 1f ef a
14 FILENAME 12
15 TIMESTAMP 4
CTL Record #:1
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1156
2 DNSNAME 16 cucm-1051-a-pub
3 SUBJECTNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
6 SERIALNUMBER 16 70:CA:F6:4E:09:07:51:B9:DF:22:F4:9F:75:4F:C5:BB
7 PUBLICKEY 140
8 SIGNATURE 128
9 CERTIFICATE 694 E9 D4 33 64 5B C8 8C ED 51 4D 8F E5 EA 5B 6D
21 A5 A3 8C 9C (SHA1 Hash HEX)
10 IPADDRESS 4
This etoken was used to sign the CTL file.
CTL Record #:2
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1156
2 DNSNAME 16 cucm-1051-a-pub
3 SUBJECTNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
4 FUNCTION 2 CCM+TFTP
5 ISSUERNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
6 SERIALNUMBER 16 70:CA:F6:4E:09:07:51:B9:DF:22:F4:9F:75:4F:C5:BB
7 PUBLICKEY 140
8 SIGNATURE 128
9 CERTIFICATE 694 E9 D4 33 64 5B C8 8C ED 51 4D 8F E5 EA 5B 6D
21 A5 A3 8C 9C (SHA1 Hash HEX)
10 IPADDRESS 4
CTL Record #:3
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1138
2 DNSNAME 16 cucm-1051-a-pub
3 SUBJECTNAME 60 CN=CAPF-e41e7d87;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
4 FUNCTION 2 CAPF
5 ISSUERNAME 60 CN=CAPF-e41e7d87;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
6 SERIALNUMBER 16 74:4B:49:99:77:04:96:E7:99:E9:1E:81:D3:C8:10:9B
7 PUBLICKEY 140
8 SIGNATURE 128
9 CERTIFICATE 680 46 EE 5A 97 24 65 B0 17 7E 5F 7E 44 F7 6C 0A
F3 63 35 4F A7 (SHA1 Hash HEX)
10 IPADDRESS 4
CTL Record #:4
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1161
2 DNSNAME 17 cucm-1051-a-sub1
3 SUBJECTNAME 63 CN=cucm-1051-a-sub1;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
4 FUNCTION 2 CCM+TFTP
5 ISSUERNAME 63 CN=cucm-1051-a-sub1;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
6 SERIALNUMBER 16 6B:EB:FD:CD:CD:8C:A2:77:CB:2F:D1:D1:83:A6:0E:72
7 PUBLICKEY 140
8 SIGNATURE 128
9 CERTIFICATE 696 21 7F 23 DE AF FF 04 85 76 72 70 BF B1 BA 44
DB 5E 90 ED 66 (SHA1 Hash HEX)
10 IPADDRESS 4
The CTL file was verified successfully.
admin:
對於此方案,請完成以下步驟以安全地更新CTL檔案,而無需使用丟失電子令牌的過程(最終需要手動刪除所有IP電話上的CTL檔案):
- 獲取CUCM發佈伺服器節點CLI的管理訪問許可權。
- 在發佈伺服器節點CLI中輸入file delete tftp CTLFile.tlv命令以刪除CTL檔案:
admin:file delete tftp CTLFile.tlv
Delete the File CTLFile.tlv?
Enter "y" followed by return to continue: y
files: found = 1, deleted = 1 - 在已安裝CTL客戶端的Microsoft Windows電腦上打開SafeNet身份驗證客戶端(隨CTL客戶端自動安裝):
- 在SafeNet身份驗證客戶端中,導航到高級檢視:
- 插入第一個硬體USB eToken。
- 在User certificates資料夾下選擇證書,然後將其導出到PC上的資料夾。當提示輸入口令時,請使用預設口令Cisco123:
- 對第二個硬體USB eToken重複以下步驟,以便兩個證書都導出到PC:
- 登入到Cisco Unified Operating System (OS) Administration並導航到Security > Certificate Management > Upload Certificate:
- 接著顯示[Upload Certificate]頁面。從「Certificate Purpose」下拉選單中選擇Phone-SAST-trust,並選擇您從第一個eToken導出的證書:
- 完成前述步驟,以上傳您從第二個eToken匯出的憑證:
- 運行CTL客戶端,提供CUCM發佈伺服器節點的IP地址/主機名,並輸入CCM管理員憑證:
- 由於集群已處於混合模式,但發佈伺服器節點上不存在CTL檔案,因此顯示此警告消息(按一下確定以忽略它):
No CTL File exists on the server but the Call Manager Cluster Security Mode
is in Secure Mode.
For the system to function, you must create the CTL File and set Call Manager
Cluster the Secure Mode. - 從CTL客戶端中,按一下Update CTL File單選按鈕,然後按一下Next:
- 插入第一個安全令牌,然後按一下OK:
- 顯示安全令牌詳細資訊後,按一下Add:
- 一旦CTL檔案的內容出現,請按一下Add Token以增加第二個USB eToken:
- 在顯示安全令牌詳細資訊之後,按一下Add:
- CTL檔案的內容顯示之後,按一下完成。當提示輸入口令時,請輸入Cisco123:
- 當顯示CTL檔案所在的CUCM伺服器清單時,點選完成:
- 在運行這些服務的群集中的所有節點上重新啟動TFTP和CallManager服務。
- 重新啟動所有IP電話,以便他們可以從CUCM TFTP服務獲取新版本的CTL檔案。
- 要驗證CTL檔案的內容,請在CLI中輸入show ctl命令。在CTL檔案中,您可以看到來自兩個USB電子令牌的證書(其中一個用於簽署CTL檔案)。以下是輸出示例:
admin:show ctl
The checksum value of the CTL file:
2e7a6113eadbdae67ffa918d81376902(MD5)
d0f3511f10eef775cc91cce3fa6840c2640f11b8(SHA1)
Length of CTL file: 5728
The CTL File was last modified on Fri Mar 06 22:53:33 CET 2015
[...]
CTL Record #:1
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1186
2 DNSNAME 1
3 SUBJECTNAME 56 cn="SAST-ADN0054f509 ";ou=IPCBU;o="Cisco Systems
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 42 cn=Cisco Manufacturing CA;o=Cisco Systems
6 SERIALNUMBER 10 3C:F9:27:00:00:00:AF:A2:DA:45
7 PUBLICKEY 140
9 CERTIFICATE 902 19 8F 07 C4 99 20 13 51 C5 AE BF 95 03 93 9F F2
CC 6D 93 90 (SHA1 Hash HEX)
10 IPADDRESS 4
This etoken was not used to sign the CTL file.
[...]
CTL Record #:5
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1186
2 DNSNAME 1
3 SUBJECTNAME 56 cn="SAST-ADN008580ef ";ou=IPCBU;o="Cisco Systems
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 42 cn=Cisco Manufacturing CA;o=Cisco Systems
6 SERIALNUMBER 10 83:E9:08:00:00:00:55:45:AF:31
7 PUBLICKEY 140
9 CERTIFICATE 902 85 CD 5D AD EA FC 34 B8 3E 2F F2 CB 9C 76 B0 93
3E 8B 3A 4F (SHA1 Hash HEX)
10 IPADDRESS 4
This etoken was used to sign the CTL file.
The CTL file was verified successfully. - 在IP電話端,您可以驗證IP電話重新啟動後,他們下載了更新的CTL檔案版本(與CUCM的輸出相比,MD5校驗和匹配):
此更改之所以可能,是因為您之前已將電子令牌證書導出並上傳到CUCM證書信任庫,並且IP電話能夠驗證此未知證書,該證書用於根據CUCM上運行的信任驗證服務(TVS)對CTL檔案進行簽名。
此日誌代碼段說明IP電話如何聯絡CUCM TVS並請求驗證未知的eToken證書,該證書以Phone-SAST-trust 格式上傳且受信任:
//In the Phone Console Logs we can see a request sent to TVS server to verify unknown
certificate
8074: NOT 23:00:22.335499 SECD: setupSocketToTvsProxy: Connected to TVS proxy server
8075: NOT 23:00:22.336918 SECD: tvsReqFlushTvsCertCache: Sent Request to TVS proxy,
len: 3708
//In the TVS logs on CUCM we can see the request coming from an IP Phone which is being
successfully verified
23:00:22.052 | debug tvsHandleQueryCertReq
23:00:22.052 | debug tvsHandleQueryCertReq : Subject Name is: cn="SAST-ADN008580ef
";ou=IPCBU;o="Cisco Systems
23:00:22.052 | debug tvsHandleQueryCertReq : Issuer Name is: cn=Cisco Manufacturing
CA;o=Cisco Systems
23:00:22.052 | debug tvsHandleQueryCertReq :subjectName and issuerName matches for
eToken certificate
23:00:22.052 | debug tvsHandleQueryCertReq : SAST Issuer Name is: cn=Cisco
Manufacturing CA;o=Cisco Systems
23:00:22.052 | debug tvsHandleQueryCertReq : This is SAST eToken cert
23:00:22.052 | debug tvsHandleQueryCertReq : Serial Number is: 83E9080000005545AF31
23:00:22.052 | debug CertificateDBCache::getCertificateInformation - Looking up the
certificate cache using Unique MAP ID : 83E9080000005545AF31cn=Cisco Manufacturing
CA;o=Cisco Systems
23:00:22.052 | debug ERROR:CertificateDBCache::getCertificateInformation - Cannot find
the certificate in the cache
23:00:22.052 | debug CertificateCTLCache::getCertificateInformation - Looking up the
certificate cache using Unique MAP ID : 83E9080000005545AF31cn=Cisco Manufacturing
CA;o=Cisco Systems, len : 61
23:00:22.052 | debug CertificateCTLCache::getCertificateInformation - Found entry
{rolecount : 1}
23:00:22.052 | debug CertificateCTLCache::getCertificateInformation - {role : 0}
23:00:22.052 | debug convertX509ToDER -x509cert : 0xa3ea6f8
23:00:22.053 | debug tvsHandleQueryCertReq: Timer started from tvsHandleNewPhConnection
//In the Phone Console Logs we can see reply from TVS server to trust the new certificate
(eToken Certificate which was used to sign the CTL file)
8089: NOT 23:00:22.601218 SECD: clpTvsInit: Client message received on TVS proxy socket
8090: NOT 23:00:22.602785 SECD: processTvsClntReq: Success reading the client TVS
request, len : 3708
8091: NOT 23:00:22.603901 SECD: processTvsClntReq: TVS Certificate cache flush
request received
8092: NOT 23:00:22.605720 SECD: tvsFlushCertCache: Completed TVS Certificate cache
flush request
無令牌CTL解決方案的證書再生
本節介紹在使用無令牌CTL解決方案時如何重新生成CUCM集群安全證書。
在CUCM維護過程中,有時會更改CUCM發佈伺服器節點CallManager證書。
發生這種情況的情況包括更改主機名、更改域或僅僅重新生成證書(由於關閉證書過期日期)。
更新CTL檔案後,使用與IP電話上安裝的CTL檔案中存在的證書不同的證書對其進行簽名。
通常,這個新的CTL檔案不被接受;但是,當IP電話找到用於簽署CTL檔案的未知證書後,它會聯絡CUCM上的TVS服務。
成功驗證TVS伺服器後,IP電話會使用新版本更新其CTL檔案。這種情況下會發生以下事件:
- CTL檔案存在於CUCM和IP電話上。CUCM發佈伺服器節點的CCM+TFT(伺服器)證書用於簽署CTL檔案:
admin:show ctl
The checksum value of the CTL file:
7b7c10c4a7fa6de651d9b694b74db25f(MD5)
819841c6e767a59ecf2f87649064d8e073b0fe87(SHA1)
Length of CTL file: 4947
The CTL File was last modified on Mon Mar 09 16:59:43 CET 2015
[...]
CTL Record #:1
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1156
2 DNSNAME 16 cucm-1051-a-pub
3 SUBJECTNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
6 SERIALNUMBER 16 70:CA:F6:4E:09:07:51:B9:DF:22:F4:9F:75:4F:C5:BB
7 PUBLICKEY 140
8 SIGNATURE 128
9 CERTIFICATE 694 E9 D4 33 64 5B C8 8C ED 51 4D 8F E5 EA 5B 6D
21 A5 A3 8C 9C (SHA1 Hash HEX)
10 IPADDRESS 4
This etoken was used to sign the CTL file.
CTL Record #:2
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1156
2 DNSNAME 16 cucm-1051-a-pub
3 SUBJECTNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
4 FUNCTION 2 CCM+TFTP
5 ISSUERNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
6 SERIALNUMBER 16 70:CA:F6:4E:09:07:51:B9:DF:22:F4:9F:75:4F:C5:BB
7 PUBLICKEY 140
8 SIGNATURE 128
9 CERTIFICATE 694 E9 D4 33 64 5B C8 8C ED 51 4D 8F E5 EA 5B 6D
21 A5 A3 8C 9C (SHA1 Hash HEX)
10 IPADDRESS 4
[...]
The CTL file was verified successfully.
- CallManager.pem檔案(CCM+TFTP證書)將重新生成,並且您會看到證書的序列號更改:
- 在CLI中輸入utils ctl update CTLFile命令以更新CTL檔案:
admin:utils ctl update CTLFile
This operation updates the CTLFile. Do you want to continue? (y/n):y
Updating CTL file
CTL file Updated
Please Restart the TFTP and Cisco CallManager services on all nodes in
the cluster that run these services
admin: - TVS服務使用新的CTL檔案詳細資訊更新其證書快取:
17:10:35.825 | debug CertificateCache::localCTLCacheMonitor - CTLFile.tlv has been
modified. Recaching CTL Certificate Cache
17:10:35.826 | debug updateLocalCTLCache : Refreshing the local CTL certificate cache
17:10:35.827 | debug tvs_sql_get_all_CTL_certificate - Unique Key used for Caching ::
6B1D357B6841740B078FEE4A1813D5D6CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL, length : 93
17:10:35.827 | debug tvs_sql_get_all_CTL_certificate - Unique Key used for Caching ::
6B1D357B6841740B078FEE4A1813D5D6CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL, length : 93
17:10:35.827 | debug tvs_sql_get_all_CTL_certificate - Unique Key used for Caching ::
744B5199770516E799E91E81D3C8109BCN=CAPF-e41e7d87;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL, length : 91
17:10:35.827 | debug tvs_sql_get_all_CTL_certificate - Unique Key used for Caching ::
6BEBFDCDCD8CA277CB2FD1D183A60E72CN=cucm-1051-a-sub1;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL, length : 94 - 當您檢視CTL檔案內容時,可以看到該檔案已使用發佈伺服器節點的新CallManager伺服器證書簽名:
admin:show ctl
The checksum value of the CTL file:
ebc649598280a4477bb3e453345c8c9d(MD5)
ef5c006b6182cad66197fac6e6530f15d009319d(SHA1)
Length of CTL file: 6113
The CTL File was last modified on Mon Mar 09 17:07:52 CET 2015
[..]
CTL Record #:1
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1675
2 DNSNAME 16 cucm-1051-a-pub
3 SUBJECTNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
6 SERIALNUMBER 16 6B:1D:35:7B:68:41:74:0B:07:8F:EE:4A:18:13:D5:D6
7 PUBLICKEY 270
8 SIGNATURE 256
9 CERTIFICATE 955 5C AF 7D 23 FE 82 DB 87 2B 6F 4D B7 F0 9D D5
86 EE E0 8B FC (SHA1 Hash HEX)
10 IPADDRESS 4
This etoken was used to sign the CTL file.
CTL Record #:2
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1675
2 DNSNAME 16 cucm-1051-a-pub
3 SUBJECTNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
4 FUNCTION 2 CCM+TFTP
5 ISSUERNAME 62 CN=cucm-1051-a-pub;OU=TAC;O=Cisco;L=Krakow;
ST=Malopolska;C=PL
6 SERIALNUMBER 16 6B:1D:35:7B:68:41:74:0B:07:8F:EE:4A:18:13:D5:D6
7 PUBLICKEY 270
8 SIGNATURE 256
9 CERTIFICATE 955 5C AF 7D 23 FE 82 DB 87 2B 6F 4D B7 F0 9D D5
86 EE E0 8B FC (SHA1 Hash HEX)
10 IPADDRESS 4
[...]
The CTL file was verified successfully. - 從Unified Serviceability頁面,TFTP和Cisco CallManager服務將在運行這些服務的集群中的所有節點上重新啟動。
- IP電話重新啟動,並與TVS伺服器聯絡,以驗證當前用於簽署CTL檔案新版本的未知證書:
// In the Phone Console Logs we can see a request sent to TVS server to verify
unknown certificate
2782: NOT 17:21:51.794615 SECD: setupSocketToTvsProxy: Connected to TVS proxy server
2783: NOT 17:21:51.796021 SECD: tvsReqFlushTvsCertCache: Sent Request to TVS
proxy, len: 3708
// In the TVS logs on CUCM we can see the request coming from an IP Phone which is
being successfully verified
17:21:51.831 | debug tvsHandleQueryCertReq
17:21:51.832 | debug tvsHandleQueryCertReq : Subject Name is: CN=cucm-1051-a-pub;
OU=TAC;O=Cisco;L=Krakow;ST=Malopolska
17:21:51.832 | debug tvsHandleQueryCertReq : Issuer Name is: CN=cucm-1051-a-pub;
OU=TAC;O=Cisco;L=Krakow;ST=Malopolska;
17:21:51.832 | debug tvsHandleQueryCertReq : Serial Number is:
6B1D357B6841740B078FEE4A1813D5D6
17:21:51.832 | debug CertificateDBCache::getCertificateInformation - Looking up the
certificate cache using Unique MAPco;L=Krakow;ST=Malopolska;C=PL
17:21:51.832 | debug CertificateDBCache::getCertificateInformation - Found entry
{rolecount : 2}
17:21:51.832 | debug CertificateDBCache::getCertificateInformation - {role : 0}
17:21:51.832 | debug CertificateDBCache::getCertificateInformation - {role : 2}
17:21:51.832 | debug convertX509ToDER -x509cert : 0xf6099df8
17:21:51.832 | debug tvsHandleQueryCertReq: Timer started from
tvsHandleNewPhConnection
// In the Phone Console Logs we can see reply from TVS server to trust the new
certificate (new CCM Server Certificate which was used to sign the CTL file)
2797: NOT 17:21:52.057442 SECD: clpTvsInit: Client message received on TVS
proxy socket
2798: NOT 17:21:52.058874 SECD: processTvsClntReq: Success reading the client TVS
request, len : 3708
2799: NOT 17:21:52.059987 SECD: processTvsClntReq: TVS Certificate cache flush
request received
2800: NOT 17:21:52.062873 SECD: tvsFlushCertCache: Completed TVS Certificate
cache flush request - 最後,在IP電話上,您可以驗證CTL檔案是否更新為新版本,以及新CTL檔案的MD5校驗和是否與CUCM的校驗和匹配:
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
3.0 |
11-Sep-2024 |
重新認證 |
1.0 |
08-Apr-2015 |
初始版本 |
意見