I’m currently in the midst of migrating two old CUCM clusters (8.6.x, 9.1.x) to a new 12.5 cluster. One of the challenges I faced was how to migrate the IP handsets, which are all secured to their original cluster.
The security provided by CUCM for IP handsets is that of the Initial Trust List file on the phone. It’s then verified against the Trust Verification Service on the Call Manager instance. This stops a phone joining the wrong or rouge Call Manager instance.
So when it comes to migration how can you clear the phones ITL so that it will join the new Call Manager? There are multiple options to achieve this:
1. Downgrade the security level on the existing cluster to pre 8.x which removes need for ITL and TVS. This is destructive and is only really an option if the existing CM is being retired straight away.
2. Buy software that bulk removes the ITL/CTL with AXL etc. Cost prohibitive.
3. Use the Bulk certificate method to update the existing CM with the new CM certificates so the phones will trust the migration.
I worked with TAC on this because specifically there was a cert missing from the Bulk update method on the Cisco website. I was also hitting bug CSCuy43181 wherein the GUI fails to import the generated bulk cert.
Here are the steps to have the existing CM trust the new CM for IP handset migration:
1. On the new CM Servers (in this case 12.5) login to operating system management and browse to the certificates. Export the callmanager.pem (both on the publisher and subscriber) and ITLRecovery.pem (publisher only) certificates.
2. On the existing CM (in this case 8.6 or 9.x) Import the certificates as follows:
callmanager-pub.pem - callmanager-trust
callmanager-pub.pem - Phone-SAST-Trust
callmanager-sub.pem - callmanager-trust
callmanager-sub.pem - Phone-SAST-Trust
ITLrecovery-pub.pem - callmanager-trust
You should find if you import these certificates on the old publisher, they will sync to the subscriber. However do not rely on this make sure they are there.
3. Now restart the Trust Verification Service on both Publisher and Subscriber nodes.
4. Update your IP Phones DHCP pool option 150 to point to the new Call Manager and reboot the phones (as they are POE reboot the switch stack). Phones will migrate to the new cluster.
How does this work? The IP phone when it tries to register to the new CM checks the old CM trust verification service (port 2445) against the ITL list it has. As the old CM now trusts the certificates from the new CM the phone is able to switch active Call Managers. At this point migration is completed. This saved me hours of resetting hundreds of phones. Note that because I am migrating to a 12.x cluster the existing cluster must also trust ITLrecovery.pem
Couple of things I found:
– Some phones just require a factory reset if they get stuck, in my experience so far it’s a low number
– Devices such as ATAs require manual reset if the are non POE powered. Some of these legacy IP Telephony devices are power adapter plugged in.