Cisco Bug: CSCvh73320 - CAPF Process should not use CallManager-Trust MIC Root for issuer verification

Last Modified

Feb 07, 2019

Products (6)

  • Cisco Unified Communications Manager (CallManager)
  • Cisco Unity Connection Version 11.x
  • Cisco Unified Communications Manager Version 11.5
  • Cisco Unified Communications Manager Version 11.0
  • Cisco Paging Server
  • Cisco Unified Communications Manager Session Management Edition

Known Affected Releases

11.5(1.10000.6) 12.0(1.10000.10)

Description (partial)

Symptom:
The Security Guide recommends removing the manufacturing trust points from CallManager-trust so that the MIC cannot be used to register: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_5_1/secugd/CUCM_BK_SEE2CFE1_00_cucm-security-guide-1151/CUCM_BK_SEE2CFE1_00_cucm-security-guide-1151_chapter_01.html?bookSearch=true#CUCM_RF_P406FBC9_00. CSCvh45686 was opened to add the newer MIC roots.

Customer Removed:
   CAP-RTP-001
   CAP-RTP-002
   Cisco_Manufacturing_CA
   Cisco_Manufacturing_CA_SHA2
   Cisco_Root_CA_2048
   Cisco_Root_CA_M2
   ACT2_SUDI_CA

When installing an LSC, the CAPF process uses the MIC roots in CallManager-trust for hash verification of the phone's MIC/SUDI certificate: it computes the hashed file name of the issuer and looks for that file in the trust directory.
When the MIC root has been removed, the file is not found, hash verification of the issuer fails, and the LSC install fails.

15:46:03.877 |   debug 2:SEP000011112222:Retrieved cert from message.
15:46:03.877 |   debug 2:SEP000011112222:Retrieved SUDI cert from message.
15:46:03.877 |   debug 2:SEP000011112222:Retrieved sha2 datablk from message.

### Verifying against CallManager-Trust, looking for  Cisco_Manufacturing_CA_SHA2
15:46:03.878 |   debug 2:SEP000011112222:hashedfilename is '/usr/local/cm/.security/CallManager/trust-certs/417aa245.0' 
15:46:03.878 |   debug 2:SEP000011112222:hashedfilenamelen is '65'

### Unable to load dot0hash file
15:46:03.878 |   debug 2:SEP000011112222:Unable to read dot0hash file
15:46:03.878 |   debug 2:SEP000011112222:Try default Cisco CA certificate
15:46:03.878 |   debug 2:SEP000011112222:Signature did not match the certificate
15:46:03.878 |   debug 2:SEP000011112222:Validating Issuer failed .
15:46:03.878 |   debug 2:SEP000011112222:In capf_ui_set_ph_opStatus_id()

### Operation Failed
15:46:03.880 |-->SetOperationStatus(Fail:CAPF_OP_FAIL):2 
15:46:03.880 |   SetOperationStatus(Fail:CAPF_OP_FAIL):2 Operation status Value is '2'

15:46:03.880 |-->CAPFDevice::MapCapf_OpStatusToDBLTypeCertificateStatus(OPERATION_UPGRADE, Fai 
15:46:03.880 |   CAPFDevice::MapCapf_OpStatusToDBLTypeCertificateStatus(OPERATION_UPGRADE, Fai =>DbStatus=CERT_STATUS_UPGRADE_FAIL
15:46:03.880 |<--CAPFDevice::MapCapf_OpStatusToDBLTypeCertificateStatus(OPERATION_UPGRADE, Fai 
15:46:03.880 |   SetOperationStatus(Fail:CAPF_OP_FAIL):2 Operation status is set to 
15:46:03.880 |   SetOperationStatus(Fail:CAPF_OP_FAIL):2 Operation status is set to Fail:CAPF_OP_FAIL
15:46:03.880 |   SetOperationStatus(Fail:CAPF_OP_FAIL):2 sql query - (UPDATE Device SET tkcertificatestatus='6' WHERE my_lower(name)=my_lower('SEP000011112222'))
15:46:03.945 |<--SetOperationStatus(Fail:CAPF_OP_FAIL):2

Conditions:
Delete All Cisco MIC from CallManager-Trust Store

LSC install fails when the CAPF operation authenticates the phone by its existing certificate (By Existing Certificate, precedence to LSC or to MIC) and the CAPF process uses CallManager-trust to verify the MIC issuer.
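The lookup shown in the debug output above, reproduced with OpenSSL as an added example (this is not Cisco's code and not part of the bug report). A hashed trust directory stores each CA as <subject_hash>.<n>, which is why CAPF logs a path like trust-certs/417aa245.0; the script computes the issuer hash of a leaf certificate the same way, checks whether that file exists in the trust directory, and verifies the chain. CUCM has no shell, so the assumption is that this runs on a workstation against certificates exported from Certificate Management; the CA and device names, the temporary trust directory, and the fixture certificates are constructed for the demonstration. Unlike CAPF, the script stops at the missing hash file rather than trying a built-in default Cisco CA.

```shell
#!/bin/sh
# Added example (not from the Cisco bug page): reproduce the hashed-file
# lookup CAPF performs when validating the issuer of a phone's MIC/SUDI
# certificate against an OpenSSL-style trust directory (<subject_hash>.0).
# Paths and names below are assumptions made for the demonstration.
set -eu

# Return 0 if the issuer of leaf cert $2 is present in trust dir $1 (the
# hashed file exists and the leaf verifies against the directory), else 1.
# Echoes the hashed file name that a CAPF-style lookup would open.
issuer_present_in_trust() {
    trustdir=$1
    leaf=$2
    hash=$(openssl x509 -in "$leaf" -noout -issuer_hash)
    hashedfile="$trustdir/$hash.0"
    echo "hashedfilename is '$hashedfile'"
    if [ ! -r "$hashedfile" ]; then
        echo "Unable to read dot0hash file"
        return 1
    fi
    if openssl verify -CApath "$trustdir" "$leaf" >/dev/null 2>&1; then
        echo "Issuer validated"
        return 0
    fi
    echo "Signature did not match the certificate"
    return 1
}

# Constructed fixture: a throw-away "manufacturing CA" and a leaf cert that
# stands in for a phone MIC. Subject names are made up for this example.
make_fixture() {
    work=$1
    mkdir -p "$work/trust-certs"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/O=Example/CN=Example_Manufacturing_CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example/CN=SEP000011112222" \
        -keyout "$work/mic.key" -out "$work/mic.csr" >/dev/null 2>&1
    openssl x509 -req -in "$work/mic.csr" -CA "$work/ca.pem" \
        -CAkey "$work/ca.key" -CAcreateserial -days 1 -sha256 \
        -out "$work/mic.pem" >/dev/null 2>&1
    # Install the CA the way a hashed trust directory does: <subject_hash>.0
    cahash=$(openssl x509 -in "$work/ca.pem" -noout -hash)
    cp "$work/ca.pem" "$work/trust-certs/$cahash.0"
}

# Stand-alone run: once with the MIC root installed, then after deleting it
# from the trust directory (the situation described in the bug).
main() {
    work=$(mktemp -d)
    make_fixture "$work"
    echo "# MIC root present in trust-certs:"
    issuer_present_in_trust "$work/trust-certs" "$work/mic.pem" || true
    rm -f "$work/trust-certs"/*.0
    echo "# MIC root removed from trust-certs:"
    issuer_present_in_trust "$work/trust-certs" "$work/mic.pem" || true
    rm -rf "$work"
}

main
```

Before deleting manufacturing roots from CallManager-trust on an affected release, run the check against a MIC exported from one of your phones: the hashed file name it prints is the one the CAPF trace will report as unreadable once the root is gone.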