Certificate Management Changes for ITLRecovery Certificate

• The validity of the ITLRecovery certificate has been extended from 5 years to 20 years so that the ITLRecovery certificate remains the same for a longer period. The default validity period of the ITLRecovery certificate is 5 years; however, you can also configure the validity period to 5, 10, 15, or 20 years. When you upgrade Unified Communications Manager, the ITLRecovery certificate is copied to the later release.

Note
• Before you regenerate an ITLRecovery certificate, a warning message appears on both the CLI and the GUI. The warning states that if you use a tokenless CTL and regenerate the CallManager certificate, you must ensure that the CTL file contains the updated CallManager certificate and that the updated certificate is distributed to the endpoints.

ITLRecovery Certificate

The ITLRecovery Certificate feature introduces a new ITL File Status drop-down list that lets administrators identify phones that still have an older ITL file, so that they can take the necessary action for those phones. Some phones do not receive the latest ITL file and retain the old one when ITL files are updated (for example, after the renewal of CM certificates). The system displays a centralized report of phones with mismatched ITL files in the user interface.

Following are the different ITLRecovery scenarios:

TFTP Service Activation:
• When the TFTP service is activated, the hash of the generated ITL file, along with the server hostname, is stored in the DB. It is updated every time an ITL update happens in the TFTP code.
• If the TFTP hostname is already present in the table, the generated ITL hash is compared against the stored value.
• If the ITL hash is not the same, the new ITL hash is updated in the DB.
• If the ITL hash is the same, the TFTP log shows "Tftp Itl hash not changed".
Device Registration and Download of ITL File:
• When a phone registers with Unified Communications Manager, if the details of the ITL file on the server (server hostname, hash, timestamp) do not exist in the DB, they are inserted.
• When a phone registers with Unified Communications Manager, it sends a SIP alarm that contains the details of the ITL file applied on the phone. This is compared against the hash of the ITL file stored in the DB.
• If the ITL hash is the same, the device hash information is updated with the new timestamp.
• If the ITL hash is not the same, the reported ITL hash and timestamp are updated against the device.
• When the phone unregisters, the trust hash information for that device is deleted.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs
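As an added illustration of the two scenarios above (TFTP service activation and device registration), this Python model is not Cisco's code: it tracks the ITL hash served by each TFTP host and the hash each phone reports in its registration alarm, then produces the mismatched-ITL report an administrator would look for. The SHA-256 choice, the in-memory store standing in for the DB, and the device names are assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class DeviceItlRecord:
    """What the DB keeps per registered phone: which TFTP host it used, the ITL hash it reported, and when."""
    hostname: str
    reported_hash: str
    timestamp: int


class ItlTrustTracker:
    def __init__(self):
        self.server_itl = {}   # TFTP hostname -> hash of the ITL file that host currently serves
        self.device_itl = {}   # device name -> DeviceItlRecord (deleted on unregister)
        self.log = []          # stands in for the TFTP log

    @staticmethod
    def itl_hash(itl_file: bytes) -> str:
        # SHA-256 is an assumption; the page does not name the hash algorithm
        return hashlib.sha256(itl_file).hexdigest()

    def tftp_update(self, hostname: str, itl_file: bytes) -> bool:
        """TFTP activation or ITL regeneration. Returns True when the stored hash for the host changed."""
        new_hash = self.itl_hash(itl_file)
        if self.server_itl.get(hostname) == new_hash:
            self.log.append("Tftp Itl hash not changed")
            return False
        self.server_itl[hostname] = new_hash  # insert or overwrite the host's ITL hash
        return True

    def device_register(self, device: str, hostname: str, reported_hash: str, timestamp: int) -> bool:
        """Phone registration: the SIP alarm carries the hash of the ITL applied on the phone.
        Hash and timestamp are recorded either way; the return value says whether it matches the server."""
        self.device_itl[device] = DeviceItlRecord(hostname, reported_hash, timestamp)
        return reported_hash == self.server_itl.get(hostname)

    def device_unregister(self, device: str) -> None:
        self.device_itl.pop(device, None)

    def itl_file_status(self) -> list:
        """Centralized report: phones whose applied ITL differs from what their TFTP host now serves."""
        return sorted(dev for dev, rec in self.device_itl.items()
                      if rec.reported_hash != self.server_itl.get(rec.hostname))
```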