Ryan, would you need to add the other cluster to the TFTP server list? I know I usually had to do this with the actual CTL client, but I'm not sure how this would work in tokenless unless there's a CLI command for it.
On Wed, Aug 12, 2015 at 10:03 PM, Ryan Ratliff (rratliff) <rratl...@cisco.com> wrote:
> The tokenless CTL is signed by the CallManager.pem on the publisher.
> Upload that cert as a phone-trust cert and TVS on that cluster will be able
> to authenticate files signed by that cert.
>
> CTL Record #:1
> ----
> BYTEPOS TAG          LENGTH VALUE
> ------- ---          ------ -----
> 1       RECORDLENGTH 2      1701
> 2       DNSNAME      20     videolab-ucm11a-pub
> 3       SUBJECTNAME  70     CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
> 4       FUNCTION     2      System Administrator Security Token
> 5       ISSUERNAME   70     CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
> 6       SERIALNUMBER 16     52:0B:74:69:CF:4F:5A:CD:5B:48:6F:EE:99:9E:E0:B8
> 7       PUBLICKEY    270
> 8       SIGNATURE    256
> 9       CERTIFICATE  961    76 5D 15 01 0E 41 0D 16 BE EA 8A 98 29 33 EE 27 B6 3E D3 01 (SHA1 Hash HEX)
> 10      IPADDRESS    4
> This etoken was used to sign the CTL file.
>
>
> admin:show cert own CallManager/CallManager.pem
> [
>   Version: V3
>   Serial Number: 520B7469CF4F5ACD5B486FEE999EE0B8
>   …
>
>
> -
> Ryan
>
> On Aug 12, 2015, at 9:06 PM, Dave Goodwin <dave.good...@december.net> wrote:
>
> For anyone who has an environment with multiple mixed mode clusters (CTL
> file is present), do you know of a way to move devices from one cluster to
> another?
>
> Using the eToken SAST (physical USB devices), it seems you can do this by
> using the same signing token to sign the CTL file on each cluster. With the
> new tokenless CTL client, it seems each cluster's publisher private key is
> used to sign that cluster's CTL file, so it seems the old way will not
> work.
>
> I realize it can be done by deleting the CTL file on the phone (or factory
> reset) if you're standing in front of it, and I also realize there are
> commercial software tools that can perform feats like this (like UnifiedFX
> and other competitive offerings). I am looking for a way to do this without
> either of those methods.
> > -Dave
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
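Ryan's reply hinges on one check: the SERIALNUMBER in CTL record 1 (the SAST entry) is the serial of the publisher's CallManager.pem, which is how you know which certificate to upload as phone-trust on the other cluster. The following is an added example, not code from the thread or from Cisco, that automates that correlation from pasted `show ctl` and `show cert own` output. The two CLI samples are constructed from the fragments Ryan quoted; the function names and the PEM fingerprint helper are my own, and the PEM passed to that helper in the usage line is a placeholder, not a real certificate.

```python
"""Correlate a CUCM CTL signer record with the publisher's CallManager.pem.

Added example (not from the mailing-list thread). Sample CLI text below is
constructed from the fragments quoted in the thread; field names follow the
`show ctl` and `show cert own` output shown there.
"""
import base64
import hashlib
import re

# Constructed sample: the SAST record quoted in the thread (abridged).
CTL_RECORD = """\
CTL Record #:1
----
BYTEPOS TAG LENGTH VALUE
------- --- ------ -----
1 RECORDLENGTH 2 1701
2 DNSNAME 20 videolab-ucm11a-pub
3 SUBJECTNAME 70 CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
4 FUNCTION 2 System Administrator Security Token
5 ISSUERNAME 70 CN=videolab-ucm11a-pub.videolab.local;OU=TAC;O=Cisco;L=NC;ST=RTP;C=US
6 SERIALNUMBER 16 52:0B:74:69:CF:4F:5A:CD:5B:48:6F:EE:99:9E:E0:B8
7 PUBLICKEY 270
8 SIGNATURE 256
9 CERTIFICATE 961 76 5D 15 01 0E 41 0D 16 BE EA 8A 98 29 33 EE 27 B6 3E D3 01 (SHA1 Hash HEX)
10 IPADDRESS 4
This etoken was used to sign the CTL file.
"""

# Constructed sample: first lines of `show cert own CallManager/CallManager.pem`.
CERT_OUTPUT = """\
[
  Version: V3
  Serial Number: 520B7469CF4F5ACD5B486FEE999EE0B8
"""


def normalize_hex(s):
    """Strip separators and case so 52:0B:... and 520B... compare equal."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def parse_ctl_record(text):
    """Return {TAG: VALUE} for one CTL record.

    Rows are 'BYTEPOS TAG LENGTH VALUE' with a free-text VALUE column, so
    each numbered row is split into at most four fields and the tail kept.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\d+\s+([A-Z]+)\s+\d+(?:\s+(.*))?$", line.strip())
        if m:
            fields[m.group(1)] = (m.group(2) or "").strip()
    return fields


def parse_cert_serial(text):
    """Pull the Serial Number out of `show cert own` output (hex, any case)."""
    m = re.search(r"Serial Number:\s*([0-9A-Fa-f:]+)", text)
    if not m:
        raise ValueError("no Serial Number line in certificate output")
    return normalize_hex(m.group(1))


def pem_sha1_fingerprint(pem_text):
    """SHA-1 of the DER body of a PEM blob, for comparison with the
    'SHA1 Hash HEX' shown in the CTL CERTIFICATE field."""
    body = re.search(r"-----BEGIN [^-]+-----(.*?)-----END", pem_text, re.S)
    if not body:
        raise ValueError("no PEM block found")
    der = base64.b64decode("".join(body.group(1).split()))
    return hashlib.sha1(der).hexdigest()


def ctl_signer_matches_cert(ctl_text, cert_text):
    """Report whether the CTL's SAST record was signed by the given cert."""
    rec = parse_ctl_record(ctl_text)
    subject, issuer = rec["SUBJECTNAME"], rec["ISSUERNAME"]
    return {
        "serial_matches": normalize_hex(rec["SERIALNUMBER"]) == parse_cert_serial(cert_text),
        "self_signed": subject == issuer,
        "signer_cn": re.search(r"CN=([^;]+)", subject).group(1),
        # SHA-1 of the signer cert, to compare against a PEM you exported
        "sha1": normalize_hex(rec["CERTIFICATE"].split("(")[0]),
    }


if __name__ == "__main__":
    print(ctl_signer_matches_cert(CTL_RECORD, CERT_OUTPUT))
```

If `serial_matches` comes back False, the SAST record was not signed by the certificate you pasted, so that certificate is not the one to distribute as phone-trust; compare the `sha1` value against `pem_sha1_fingerprint()` of the exported PEM before uploading, since the serial alone does not prove you exported the right file.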