Cisco Bug: CSCvu56176 - CUCM 11.5 Security guide has no information regarding utils ctl reset localkey

Last Modified

Jun 26, 2020

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

11.5(1.10000.1)

Description (partial)

Symptom:
The CUCM 11.5 Security Guide contains no information about the utils ctl reset localkey command:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_5_1/secugd/CUCM_BK_SEE2CFE1_00_cucm-security-guide-1151.html

The guide should document the command under Security Basics > Default Security Setup, in a section like the one that already exists for the ITL file:

Perform Bulk Reset of CTL File on a Mixed Mode cluster
When devices on a Unified Communications Manager cluster are locked and lose their trusted status, perform a bulk reset of the CTL file with the CLI command utils ctl reset localkey.

This command regenerates the CTL file and signs it with the secondary SAST role (ITLRecovery). Use it when the CallManager certificate that signed the original CTL file has changed, so that the endpoints no longer trust the CTL and are locked out.

Before you begin
Make sure that you perform this procedure on the Unified Communications Manager publisher.

Procedure
Step 1
Run the following command:

utils ctl reset localkey
This step generates a new CTL file by taking the existing file on the system and replacing the signature of that file with the recovery key signature. The key is then copied to the TFTP servers in the cluster.

Step 2
Run show ctl to verify that the reset was successful.

Step 3
From Unified Communications Manager Administration, choose System > Enterprise Parameters.

Step 4
Click Reset.

Step 5
Restart the TFTP service and restart all devices.

The devices download the CTL file that is signed with the ITLRecovery Key and register correctly to Unified Communications Manager again.

Note: You must run this on the Unified Communications Manager publisher node.

After the endpoints receive the new CTL file, which is signed by ITLRecovery and contains the new CallManager certificate, run the CTL update command again to sign the file with the new CallManager certificate. The CTL file is regenerated, now signed by the new CallManager certificate, which the endpoints trust because it was delivered in the ITLRecovery-signed file.
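To make the two-step recovery above concrete, here is an added illustration (not Cisco code or CUCM output) that models an endpoint's CTL trust decision: the regenerated CallManager certificate is rejected until an ITLRecovery-signed CTL introduces it, after which a CTL signed by the new certificate is accepted. Signatures are modelled with HMAC over the certificate list, and the key names CM_OLD, CM_NEW and ITLRecovery are constructed stand-ins for real X.509 certificates.

```python
"""Simplified model of CTL trust recovery via 'utils ctl reset localkey'.

Added illustration, not Cisco code. Real CTL files carry X.509 certificates
and public-key signatures; here a signature is an HMAC over the sorted
certificate list, keyed by a constructed secret per signing certificate.
"""
import hashlib
import hmac

# Constructed secrets standing in for the private keys of the CallManager
# certificate (before and after regeneration) and the ITLRecovery certificate.
KEYS = {"CM_OLD": b"cm-old-key", "CM_NEW": b"cm-new-key", "ITLRecovery": b"recovery-key"}


def _sign(signer, cert_names):
    body = ",".join(sorted(cert_names)).encode()
    return hmac.new(KEYS[signer], body, hashlib.sha256).hexdigest()


def build_ctl(cert_names, signer):
    """Build a CTL: the certificates it carries plus the signer's signature."""
    return {"certs": set(cert_names), "signer": signer, "sig": _sign(signer, cert_names)}


class Endpoint:
    """A phone: trusts the certificates delivered in the last CTL it accepted."""

    def __init__(self, trusted):
        self.trusted = set(trusted)

    def accept_ctl(self, ctl):
        """Accept only a CTL signed by an already-trusted certificate with a valid
        signature; on success its certificates become the new trust store."""
        if ctl["signer"] not in self.trusted:
            return False  # unknown signer: the phone stays locked out
        if not hmac.compare_digest(_sign(ctl["signer"], ctl["certs"]), ctl["sig"]):
            return False  # contents tampered with after signing
        self.trusted = set(ctl["certs"])
        return True


def recovery_sequence():
    """Replay the lockout and recovery described in the bug; returns each step's outcome."""
    phone = Endpoint(trusted={"CM_OLD", "ITLRecovery"})  # trust from the original CTL
    # CallManager cert regenerated and the CTL re-signed with it: phones reject it.
    rejected = not phone.accept_ctl(build_ctl({"CM_NEW", "ITLRecovery"}, "CM_NEW"))
    # utils ctl reset localkey: same contents, signature replaced by ITLRecovery.
    reset_ok = phone.accept_ctl(build_ctl({"CM_NEW", "ITLRecovery"}, "ITLRecovery"))
    # CTL update: CM_NEW is now trusted, so a CTL signed by it is accepted.
    update_ok = phone.accept_ctl(build_ctl({"CM_NEW", "ITLRecovery"}, "CM_NEW"))
    return {"locked_out": rejected, "reset_accepted": reset_ok, "update_accepted": update_ok}
```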

Conditions:
The Security Guide for 11.5 should mention that the command "utils ctl reset localkey" is available to sign the CTL with the ITLRecovery certificate on Mixed Mode clusters.