Cisco has translated this document using a combination of machine and human technology so that users worldwide can read the support content in their own language. Note that even the best machine translation is not as accurate as the work of a professional translator. Cisco Systems, Inc. does not accept responsibility for the accuracy of these translations and recommends that you always refer to the original English document (link provided).
This document describes how to migrate phones between two secure Cisco Unified Communications Manager (CUCM) clusters.
Contributed by David Norman, Cisco TAC Engineer.
Cisco recommends that you have knowledge of CUCM.
The information in this document is based on these software versions:
Source cluster: CUCM version 10.5.2.11900-3
Destination cluster: CUCM version 11.0.1.10000-10
8861 phone with firmware sip88xx.10-3-1-20
The Certificate Trust List (CTL) file is signed with the CallManager certificate (not with USB tokens)
During the migration, the phone attempts to establish a secure connection to the source cluster Cisco Trust Verification Service (TVS) in order to verify the destination cluster CallManager certificate. If the phone's Certificate Trust List (CTL) and Identity Trust List (ITL) files are not valid, the phone cannot complete the secure handshake with TVS and cannot migrate to the destination cluster. Before you start the phone migration, confirm that the phones have the correct CTL/ITL files installed. Also confirm that, on the source cluster, the enterprise parameter "Prepare Cluster for Rollback to pre 8.0" is set to False.
Import the destination cluster CallManager certificate into the source cluster CallManager-trust and Phone-SAST-trust stores. There are two methods.
Method 1.
Use the Bulk Certificate Tool and complete these steps on both the source and destination clusters.
Step 1. On the source and destination clusters, navigate to Cisco Unified OS Administration page > Security > Bulk Certificate Management.
Step 2. Enter the details of the Secure File Transfer Protocol (SFTP) server and select Save.
Step 3. Select Export and export the Trivial File Transfer Protocol (TFTP) certificate.
Step 4. Click the Consolidate button to perform the certificate consolidation. This creates a PKCS12 file that contains both the source and destination CallManager certificates.
Step 5. Import the consolidated certificates back into each cluster.
During consolidation (Step 5), the source cluster CallManager certificate is uploaded to the destination cluster CallManager-trust and Phone-SAST-trust stores. This allows the phones to migrate back to the source cluster. If you follow the manual method, the source cluster CallManager certificate is NOT uploaded to the destination cluster, which means you cannot migrate the phones back to the source cluster. If you want the option to migrate the phones back to the source cluster, you need to upload the source cluster CallManager certificate to the destination cluster CallManager-trust and Phone-SAST-trust stores.
Note: Both clusters must export the TFTP certificate to the same SFTP server and the same SFTP directory.
Note: Step 4 is only required on one cluster. If you migrate phones from CUCM version 8.x or 9.x to CUCM version 10.5.2.13900-12 or later, be aware of Cisco bug ID CSCuy43181 before you consolidate the certificates.
Method 2.
Import the certificates manually. Complete these steps on the destination cluster.
Step 1. Navigate to Cisco Unified OS Administration page > Security > Certificate Management.
Step 2. Select the CallManager.pem certificate and download it.
Step 3. Select the ITLrecovery.pem certificate and download it.
Step 4. Upload the CallManager certificate to the source cluster publisher as a CallManager-trust and a Phone-SAST-trust certificate.
Step 5. Upload the ITLrecovery certificate to the source cluster as Phone-SAST-trust.
Step 6. Restart TVS on all nodes of the source cluster.
The certificates are then replicated to the other nodes in the cluster.
Steps 3, 5 and 6 apply to the scenario where phones are migrated from 8.x to 12.x.
Note: The CallManager certificate needs to be downloaded from every node in the destination cluster that runs the TFTP service.
After the certificates are uploaded with one of the methods above, change the phone Dynamic Host Configuration Protocol (DHCP) option 150 to point to the destination cluster TFTP address.
Caution: One way to migrate phones between non-secure clusters is to set "Prepare Cluster for Rollback to pre 8.0" to True on the source cluster and then restart the phones. This option is not available when you migrate phones between secure clusters, because the rollback-to-pre-8.0 feature only blanks the ITL file (it does not blank the CTL file). This means that when the phone migrates and downloads the CTL file from the destination cluster, it needs to verify the new CTL with the source cluster TVS. Since the phone ITL file no longer contains the source cluster TVS certificate, the handshake fails when the phone attempts to establish a secure connection to the TVS service.
This is an excerpt from the phone console logs and the source cluster TVS logs (set to detailed). The snippets show the process of the phone registering to the destination cluster.
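The trust decision behind the caution above and behind the earlier note on migrating phones back, written out as a small model. This is an editor's example, not Cisco code, and it is a simplification: the ITLrecovery and CAPF certificates are left out, and the certificate names are constructed labels.

```python
from dataclasses import dataclass, field

@dataclass
class Phone:
    """Trust anchors the phone holds: the CTL signers and the certificates in its ITL."""
    ctl: set = field(default_factory=set)
    itl: set = field(default_factory=set)

@dataclass
class Cluster:
    """The certificates of one CUCM cluster that matter for a secure migration (model only)."""
    callmanager: str                        # CallManager certificate, signs the CTL and ITL
    tvs: str                                # TVS certificate, published to phones in the ITL
    callmanager_trust: set = field(default_factory=set)
    phone_sast_trust: set = field(default_factory=set)

def phone_from(cluster):
    """A phone that took its CTL and ITL from cluster before the migration started."""
    return Phone(ctl={cluster.callmanager}, itl={cluster.callmanager, cluster.tvs})

def can_accept_ctl(phone, source, target):
    """Can a phone still pointed at the source TVS accept a CTL signed by target's CallManager cert?"""
    signer = target.callmanager
    if signer in phone.ctl | phone.itl:
        return True, "signer already in the phone CTL/ITL"
    if source.tvs not in phone.itl:          # ITL blanked by rollback-to-pre-8.0: no TVS handshake
        return False, "TVS handshake fails: source TVS certificate not in the phone ITL"
    if signer in source.callmanager_trust | source.phone_sast_trust:
        return True, "source TVS vouched for the target CallManager certificate"
    return False, "source TVS has no entry for the target CallManager certificate"

def manual_import(source, target):
    """Method 2: target CallManager cert into the source CallManager-trust and Phone-SAST-trust."""
    source.callmanager_trust.add(target.callmanager)
    source.phone_sast_trust.add(target.callmanager)

def consolidate(source, target):
    """Method 1 (Bulk Certificate Management): each CallManager cert lands in the other cluster."""
    manual_import(source, target)
    manual_import(target, source)
```

Running the four scenarios (no import, manual import, migrate back after manual import, consolidated import, and a blanked ITL) reproduces the outcomes the text describes.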
1. The phone boots and downloads the CTL file from the destination cluster.
3232 NOT Nov 29 06:33:59.011270 downd-DDFORK - execing [/usr/sbin/dgetfile][-L620][ ]
3233 NOT Nov 29 06:33:59.033132 dgetfile(870)-GETXXTP [GT870][src=CTLSEPB000B4BA0AEE.tlv][dest=/tmp/CTLFile.tlv][serv=][serv6=][sec=0]
2. The CTL file is signed by the destination cluster CallManager certificate, which is not in the phone's existing CTL or ITL file. This means the phone needs to contact its TVS service in order to verify the certificate. At this point the phone still has its old configuration, which contains the IP address of the source cluster TVS service (the TVS specified in the phone configuration is the same as the phone's CallManager group). The phone establishes an SSL connection to the TVS service. When the TVS service presents its certificate to the phone, the phone verifies it against the certificates in its ITL file. If they match, the handshake completes successfully.
3287 INF Nov 29 06:33:59.395199 SECUREAPP-Attempting connect to TVS server addr [192.168.11.32], mode [IPv4]
3288 INF Nov 29 06:33:59.395294 SECUREAPP-TOS set to [96] on sock, [192.168.11.32][11]
3289 INF Nov 29 06:33:59.396011 SECUREAPP-TCP connect() successful, [192.168.11.32] [11]
3290 DEB Nov 29 06:33:59.396111 SECUREAPP-BIO created with: addr:192.168.11.32, port:2445, mode:IPv4
3291 INF Nov 29 06:33:59.396231 SECUREAPP-Sec SSL Connection - TVS.
3292 INF Nov 29 06:33:59.396379 SECUREAPP-SSL session setup - Requesting Cert
3293 DEB Nov 29 06:33:59.396402 SECUREAPP-Obtaining certificate.
3294 INF Nov 29 06:33:59.396444 SECUREAPP-SSL session setup - Get Active cert ok
3295 DEB Nov 29 06:33:59.396464 SECUREAPP-SSL session setup - cert len=785, type=LSC
3296 DEB Nov 29 06:33:59.396854 SECUREAPP-Certificate subject name = /serialNumber=PID:CP-8861 SN:FCH18198CNQ/C=AU/O=stormin/OU=IST/CN=CP-8861-SEPB000B4BA0AEE
3297 DEB Nov 29 06:33:59.396917 SECUREAPP-SSL session setup - Certificate issuer name = /C=AU/O=stormin/OU=IST/CN=CAPF-a7fb32bf/ST=NSQ/L=Sydney
3298 INF Nov 29 06:33:59.396947 SECUREAPP-SSL session setup - Requesting Pkey
3299 INF Nov 29 06:33:59.397024 SECUREAPP-SSL session setup - Get private key ok
3300 DEB Nov 29 06:33:59.397045 SECUREAPP-SSL session setup - key len=1191
3301 INF Nov 29 06:33:59.399181 SECUREAPP-Setup SSL session - SSL use certificate okay
3302 INF Nov 29 06:33:59.399477 SECUREAPP-Setup SSL session - SSL use private key okay
3303 DEB Nov 29 06:33:59.399974 SECUREAPP-Sec SSL Connection - Added SSL connection handle 0x40e01270, connDesc 11 to table.
3304 DEB Nov 29 06:33:59.400225 SECUREAPP-Sec SSL Connection - check status & perform handshake.
3305 DEB Nov 29 06:33:59.401086 SECUREAPP-Blocked TVS Secure Connection - Waiting (0) ....
3306 DEB Nov 29 06:33:59.401796 SECUREAPP-Sec SSL Connection - check status & perform handshake.
3307 DEB Nov 29 06:33:59.403321 SECUREAPP-SSL session setup Cert Verification - Role is = 21
3308 INF Nov 29 06:33:59.403412 SECUREAPP-SSL session setup Cert Verification - Invoking certificate validation helper plugin.
3309 INF Nov 29 06:33:59.403662 SECUREAPP-SSL session setup Cert Verification - Certificate validation helper plugin returned.
3310 INF Nov 29 06:33:59.403731 SECUREAPP-SSL session setup Cert Verification - Certificate is valid.
3311 DEB Nov 29 06:33:59.403784 SECUREAPP-SSL session setup Cert Verification - returning validation result = 1
3312 ERR Nov 29 06:33:59.428892 downd-SOCKET accept errno=4 "Interrupted system call"
3313 DEB Nov 29 06:33:59.907337 SECUREAPP-Blocked TVS Secure Connection - Waiting (1) ....
3314 DEB Nov 29 06:33:59.907393 SECUREAPP-Sec SSL Connection - check status & perform handshake.
3315 NOT Nov 29 06:33:59.908586 SECUREAPP-Sec SSL Connection - Handshake successful.
3316 INF Nov 29 06:33:59.908696 SECUREAPP-Sec SSL Connection - caching disabled, session not saved
3317 DEB Nov 29 06:33:59.908752 SECUREAPP-Connection to server succeeded
3. The TVS logs show the incoming connection from the phone and the successful handshake.
18:01:05.333 | debug Accepted TCP connection from socket 0x00000012, fd = 8
18:01:05.333 | debug Total Session attempted = 7 accepted = 7
18:01:05.334 | debug tvsGetNextThread
18:01:05.334 | debug Recd event
18:01:05.334 | debug new ph on fd 8
18:01:05.334 | debug 7:UNKNOWN:Got a new SCB from RBTree
18:01:05.334 | debug ipAddrStr (Phone) 192.168.11.100
18:01:05.334 | debug 8:UNKNOWN:Got a new ph conn 192.168.11.100 on 8, Total Acc = 7..
18:01:05.334 | debug addded 8 to readset
18:01:05.338 | debug after select, 8 was set
18:01:05.338 | debug ipAddrStr (Phone) 192.168.11.100
18:01:05.855 | debug tvsSSLHandShakeNotify
18:01:05.855 | debug 192.168.11.100: tvsSSLHandShake Session ciphers - AES256-SHA
18:01:05.855 | debug addded 8 to readset
18:01:05.855 | debug Recd event
18:01:05.855 | debug TLS HS Done for ph_conn
4. The phone console logs show the phone sends a request to the TVS service to verify the CallManager certificate from the destination cluster.
3318 DEB Nov 29 06:33:59.908800 SECUREAPP-TVS provider Init - connect returned TVS srvr sock: 11
3319 DEB Nov 29 06:33:59.908848 SECUREAPP-TVS process request - processing TVS Query Certificate request.
3320 NOT Nov 29 06:33:59.909322 SECUREAPP-TVS process request - Successfully sent the TVS request to TVS server, bytes written : 153
3321 DEB Nov 29 06:33:59.909364 SECUREAPP-==== TVS process request - request byte dump ====, len = 153
3322 DEB Nov 29 06:33:59.913075 SECUREAPP-TVS Service receives 1480 bytes of data
3323 DEB Nov 29 06:33:59.913270 SECUREAPP-==== TVS process response - response byte dump ====, len = 1480
3324 DEB Nov 29 06:33:59.914466 SECUREAPP-Found the work order from pending req list element at index 0
5. The TVS logs show the request is received.
18:01:06.345 | debug 8:UNKNOWN:Incoming Phone Msg: HEX_DUMP: Len = 153:
18:01:06.345 | debug 57 01 03 00 00 00 03 e9
18:01:06.345 | debug 00 8f 01 00 18 01 43 50
18:01:06.345 | debug 2d 38 38 36 31 2d 53 45
18:01:06.345 | debug 50 42 30 30 30 42 34 42
18:01:06.345 | debug 41 30 41 45 45 03 00 42
18:01:06.345 | debug 43 4e 3d 75 63 6d 31 31
18:01:06.345 | debug 70 75
18:01:06.345 | debug tvsPhoneDecodeMsg - Decoded Phone Msg:
18:01:06.345 | debug Protocol Discriminator: 57
18:01:06.345 | debug MsgType : TVS_MSG_QUERY_CERT_REQ
18:01:06.345 | debug Session Id : 0
18:01:06.345 | debug Length : 143
18:01:06.345 | debug 8:UNKNOWN:TVS CORE: Rcvd Event: TVS_EV_QUERY_CERT_REQ in State: TVS_STATE_AWAIT_REQ
18:01:06.345 | debug tvsHandleQueryCertReq
18:01:06.345 | debug tvsHandleQueryCertReq : Subject Name is: CN=ucm11pub.stormin.local;OU=IST;O=Stormin;L=Brisbane;ST=QLD;C=AU
18:01:06.345 | debug tvsHandleQueryCertReq : Issuer Name is: CN=stormin-WIN2012-CA
18:01:06.345 | debug tvsHandleQueryCertReq : Serial Number is: 24000000179479B8F124AC3F3B000000000017
18:01:06.345 | debug CertificateDBCache::getCertificateInformation - Looking up the certificate cache using Unique MAP ID : 24000000179479B8F124AC3F3B000000000017CN=stormin-WIN2012-CA
18:01:06.345 | debug CertificateDBCache::getCertificateInformation - Found entry {rolecount : 2}
18:01:06.345 | debug CertificateDBCache::getCertificateInformation - {role : 0}
18:01:06.346 | debug CertificateDBCache::getCertificateInformation - {role : 3}
18:01:06.346 | debug convertX509ToDER -x509cert : 0xbb696e0
6. The TVS logs show the certificate is in its store, and TVS sends the response to the phone.
18:01:06.346 | debug 8:UNKNOWN:Sending QUERY_CERT_RES msg
18:01:06.346 | debug tvsPhoneDecodeMsg - Decoded Phone Msg:
18:01:06.346 | debug Protocol Discriminator: 57
18:01:06.346 | debug MsgType : TVS_MSG_QUERY_CERT_RES
18:01:06.346 | debug Session Id : 0
18:01:06.346 | debug Length : 1470
18:01:06.346 | debug ReasonInfo : 0��0���$
18:01:06.346 | debug Number of Certs : 1
18:01:06.346 | debug Cert[0] :
18:01:06.346 | debug Cert Type : 0 HEX_DUMP: Len = 1451:
18:01:06.346 | debug 30 82 05 a7 30 82 04 8f
18:01:06.346 | debug a0 03 02 01 02 02 13 24
18:01:06.346 | debug 00 00 00 17 94 79 b8 f1
18:01:06.346 | debug 24 ac 3f 3b 00 00 00 00
18:01:06.346 | debug 00 17 30 0d 06 09 2a 86
18:01:06.346 | debug 48 86 f7 0d 01 01 0b 05
18:01:06.346 | debug 00 30
18:01:06.346 | debug Version : 0
18:01:06.346 | debug PublicKey : HEX_DUMP: Len = 4:
18:01:06.347 | debug 00 01 51 80
18:01:06.347 | debug Sending TLS Msg .. HEX_DUMP: Len = 1480:
18:01:06.347 | debug 57 01 04 f7 00 00 03 e9
18:01:06.347 | debug 05 be 07 00 01 00 02 05
18:01:06.347 | debug ab 30 82 05 a7 30 82 04
18:01:06.347 | debug 8f a0 03 02 01 02 02 13
18:01:06.347 | debug 24 00 00 00 17 94 79 b8
18:01:06.347 | debug f1 24 ac 3f 3b 00 00 00
18:01:06.347 | debug 00 00
18:01:06.347 | debug ipAddrStr (Phone) 192.168.11.100
7. The phone console logs show the certificate was verified successfully and the CTL file was updated.
3325 INF Nov 29 06:33:59.915121 SECUREAPP-TVS added cert to TVS cache - expires in 24 hours
3333 NOT Nov 29 06:34:00.411671 SECUREAPP-Hashes match... authentication successful.
3334 WRN Nov 29 06:34:00.412849 SECUREAPP-AUTH: early exit from parser loop; old version header?
3335 WRN Nov 29 06:34:00.412945 SECUREAPP-AUTH: hdr ver 1.2 (knows only upto 1.1)
3336 NOT Nov 29 06:34:00.413031 SECUREAPP-updateFromFile: TL parse to table: CTL_SUCCESS
3337 NOT Nov 29 06:34:00.413088 SECUREAPP-updateFromFile: Updating master TL table
3338 DEB Nov 29 06:34:00.413442 SECUREAPP-TL file verified successfully.
3339 INF Nov 29 06:34:00.413512 SECUREAPP-TL file updated.
8. The phone console logs show the phone downloads its ITL file.
3344 NOT Nov 29 06:34:00.458890 dgetfile(877)-GETXXTP [GT877][src=ITLSEPB000B4BA0AEE.tlv][dest=/tmp/ITLFile.tlv][serv=][serv6=][sec=0]
3345 NOT Nov 29 06:34:00.459122 dgetfile(877)-In normal mode, call - > makeXXTPrequest (V6...)
3281 NOT Dec 14 06:34:00.488697 dgetfile(851)-XXTP complete - status = 100
3282 NOT Dec 14 06:34:00.488984 dgetfile(851)-XXTP actualserver [192.168.11.51]
9. The ITL file is verified against the CTL file. The CTL file contains the destination cluster CallManager certificate, so the phone can verify the certificate without contacting the source cluster TVS service.
3287 NOT Nov 29 06:34:00.499372 SECUREAPP-Hashes match... authentication successful.
3288 WRN Nov 29 06:34:00.500821 SECUREAPP-AUTH: early exit from parser loop; old version header?
3289 WRN Nov 29 06:34:00.500987 SECUREAPP-AUTH: hdr ver 1.2 (knows only upto 1.1)
3290 NOT Nov 29 06:34:00.501083 SECUREAPP-updateFromFile: TL parse to table: CTL_SUCCESS
3291 NOT Nov 29 06:34:00.501147 SECUREAPP-updateFromFile: Updating master TL table
3292 DEB Nov 29 06:34:00.501584 SECUREAPP-TL file verified successfully.
3293 INF Nov 29 06:34:00.501699 SECUREAPP-TL file updated.
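As an added example (editor's code, not Cisco's), this script parses phone console log lines in the format quoted above and checks that the milestones of a successful migration appear in order, naming the likely trust problem when the sequence stops early. The milestone patterns come from the log lines in this article; the hints are the editor's reading of the behaviour described here, and the sample log is a constructed excerpt of those lines.

```python
import re

# Phone console log line, as printed by the 8861: "<seq> <level> <Mon> <day> <time> <process>-<message>"
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<level>NOT|INF|DEB|ERR|WRN)\s+(?P<mon>\w{3})\s+(?P<day>\d+)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<proc>[^-\s]+)-(?P<msg>.*)$")

# Milestones of a successful secure migration in article order, each with the most likely cause
# when the log stops before it (the hints are the editor's reading of the article, not Cisco text).
MILESTONES = [
    ("ctl_download", r"GETXXTP .*src=CTL\S+\.tlv", "no CTL fetched from the new cluster; check DHCP option 150"),
    ("tvs_connect", r"Attempting connect to TVS server addr \[(?P<tvs>[\d.]+)\]", "phone never queried TVS"),
    ("tvs_handshake", r"Sec SSL Connection - Handshake successful", "TVS handshake failed: source TVS cert not in phone ITL"),
    ("tvs_cert_cached", r"TVS added cert to TVS cache", "TVS found no match: destination CallManager cert not in source trust stores"),
    ("ctl_verified", r"Hashes match\.\.\. authentication successful", "CTL signature check failed"),
    ("tl_updated", r"TL file updated", "trust list was not written"),
    ("itl_download", r"GETXXTP .*src=ITL\S+\.tlv", "ITL not fetched after the CTL update"),
]

def parse_lines(log_text):
    """Parse console log text into dicts of the named fields; lines in another format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def first_match(entries, pattern):
    """Return the re.Match of the first entry whose message matches pattern, or None."""
    for entry in entries:
        m = re.search(pattern, entry["msg"])
        if m:
            return m
    return None

def check_migration(log_text):
    """Walk the milestones in order; return (ok, diagnosis, facts) where facts holds parsed values."""
    entries, facts = parse_lines(log_text), {}
    for name, pattern, hint in MILESTONES:
        hit = first_match(entries, pattern)
        if hit is None:
            return False, f"stopped before {name}: {hint}", facts
        facts.update(hit.groupdict())
    return True, "all migration milestones present", facts

# Constructed excerpt made of representative lines from the phone console log quoted in this article.
SAMPLE_LOG = """\
3233 NOT Nov 29 06:33:59.033132 dgetfile(870)-GETXXTP [GT870][src=CTLSEPB000B4BA0AEE.tlv][dest=/tmp/CTLFile.tlv][serv=][serv6=][sec=0]
3287 INF Nov 29 06:33:59.395199 SECUREAPP-Attempting connect to TVS server addr [192.168.11.32], mode [IPv4]
3315 NOT Nov 29 06:33:59.908586 SECUREAPP-Sec SSL Connection - Handshake successful.
3325 INF Nov 29 06:33:59.915121 SECUREAPP-TVS added cert to TVS cache - expires in 24 hours
3333 NOT Nov 29 06:34:00.411671 SECUREAPP-Hashes match... authentication successful.
3339 INF Nov 29 06:34:00.413512 SECUREAPP-TL file updated.
3344 NOT Nov 29 06:34:00.458890 dgetfile(877)-GETXXTP [GT877][src=ITLSEPB000B4BA0AEE.tlv][dest=/tmp/ITLFile.tlv][serv=][serv6=][sec=0]
"""
```

Feed it a full console log capture from a phone that failed to migrate: the first missing milestone tells you whether the problem is TFTP reachability, the TVS handshake (ITL), or the TVS lookup (trust stores).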
Verify the CTL/ITL on the phones before you start the migration. For more information on how to verify the CTL/ITL, visit: https://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html#anc9