Cisco TelePresence System 3000 Series

Manufacturer Installed Certificate (MIC) Issues on CTS / TX Series Codecs Troubleshooting Guide

Document ID: 116124

Updated: May 31, 2013

Contributed by Paul Anholt, Cisco TAC Engineer.

Introduction

This document describes how to troubleshoot Manufacturer Installed Certificate (MIC) issues on a Cisco TelePresence System (CTS and TX Series).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Cisco TelePresence System, CTS or TX Series
  • Cisco Unified Communications Manager (CUCM)

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for information on document conventions.

Background Information

A MIC is a digital X.509v3 certificate that is signed by the Cisco Certificate Authority and installed in supported phones by Cisco Manufacturing. The MIC is used as the authentication mechanism to the Certificate Authority Proxy Function (CAPF) when locally significant certificates (LSCs) are installed in phones.

Because the MIC is used in authentication, MIC errors can disrupt secure communication between the CTS/TX Series endpoint and the CUCM. The most common symptom is that you are unable to register to the CUCM in secure mode. The most common causes are:

  1. Improper MIC installed in manufacturing
  2. Missing or corrupted MIC
  3. Issues with compact flash

Most MIC errors, regardless of the cause, display this message in the sysop log during boot:

2011-10-07 16:35:10: WARN
******************************
WARNING= No valid Manufacturing Installed Certificate found Secure mode operation
may not be possible
******************************

You can view the sysop log in the admin GUI. You may also see the sysop log flooded with certificate errors such as:

2011-10-07 16:50:11: ERROR Unable to load Certificate Authority file 
/nv/security/mic/ca/root-pem.crt

or

2011-10-07 16:50:12: ERROR No certificates, unable to make secure calls

Troubleshoot MIC

Determine whether a MIC is installed and, if so, which MIC is installed.

Is a MIC installed?

You can review the output of the command-line interface (CLI) show hardware system command:

admin:show hardware system
CEFDK_Ver : 3.4.0
Mfg Installed Cert : CN=CTS-CODEC-SING-G1-SEP1CDF0F76F57
Locally Significant Cert : CN=SEP1CDF0F76F579,OU=TSG,O=CISCO,C=USS
CF_Model : WDC SSD-C51M-443

You can also consult the showsysinfo.log, which is viewable when you download the logs:

Mfg_Installed_Cert=INFO:No certificate found

MIC Not Installed

If no MIC is found, read and implement Field Notice 63636 "Manufacturer Installed Certificates (MICs) Deleted During Install of Cisco TelePresence System Software, Versions 1.9(X) and Later" if it applies to your product and software.

If no MIC is found and the field notice does not apply, use the Recovery Steps.

MIC Installed

If a MIC is found, compare the machine name portion of the Mfg_Installed_Cert, which begins with SEP, to the Machine Name listed as output from the CLI show tech system command. In this example, the names do not match:

Mfg_Installed_Cert=CN=CTS-CODEC-PRIM-SEP001D4526E0CA

admin:show tech system
-------------------- show platform system --------------------
Machine Name: SEP001DA238B730

If the names do not match, use the Recovery Steps.
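
The check described in the last three sections can be scripted against saved CLI output or a downloaded showsysinfo.log. This is an added example, not part of the original Cisco document; the function names and result labels are this example's own, and it assumes the field layouts shown in the excerpts above.

```python
import re

SEP_RE = re.compile(r"SEP[0-9A-Fa-f]+")  # device name: "SEP" + hex digits

def mic_subject(text):
    """MIC field from `show hardware system` ("Mfg Installed Cert : ...")
    or showsysinfo.log ("Mfg_Installed_Cert=..."); None if the field is absent."""
    m = re.search(r"^[ \t]*Mfg[ _]Installed[ _]Cert[ \t]*[:=][ \t]*(.*)$", text, re.M)
    return m.group(1).strip() if m else None

def machine_name(text):
    """Machine Name from `show tech system` output; None if absent."""
    m = re.search(r"^[ \t]*Machine Name[ \t]*:[ \t]*(\S+)", text, re.M)
    return m.group(1) if m else None

def check_mic(cert_text, tech_text):
    """Return one of the labels below (the labels are this example's own)."""
    subject = mic_subject(cert_text)
    if subject is None:
        return "UNKNOWN"             # field not present; check by hand
    if "No certificate found" in subject:
        return "MIC_NOT_INSTALLED"   # follow "MIC Not Installed"
    sep = SEP_RE.search(subject)
    name = machine_name(tech_text)
    if sep is None or name is None:
        return "UNKNOWN"             # output did not parse; check by hand
    if sep.group(0).upper() == name.upper():
        return "MIC_OK"
    return "MIC_MISMATCH"            # follow "Recovery Steps"

# Excerpts from this guide.
PAGE_CERT = "Mfg_Installed_Cert=CN=CTS-CODEC-PRIM-SEP001D4526E0CA\n"
PAGE_TECH = ("-------------------- show platform system --------------------\n"
             "Machine Name: SEP001DA238B730\n")
PAGE_NO_MIC = "Mfg_Installed_Cert=INFO:No certificate found\n"
# Constructed sample: a MIC whose SEP name matches PAGE_TECH.
MATCH_CERT = "Mfg Installed Cert : CN=CTS-CODEC-PRIM-SEP001DA238B730\n"

if __name__ == "__main__":
    print(check_mic(PAGE_CERT, PAGE_TECH))
    print(check_mic(PAGE_NO_MIC, PAGE_TECH))
    print(check_mic(MATCH_CERT, PAGE_TECH))
```

The same function can be rerun after Step 3 of the Recovery Steps to confirm that the regenerated certificate matches the machine name.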

Recovery Steps

This procedure describes how to reset the system back to factory configuration.

  1. Use Secure Shell (SSH) in order to gain access to the admin account.

    Note: Any static network configuration is erased after Step 2.

  2. Enter the utils system factory init command.

    Command Line Interface is starting up, please wait ...

    Welcome to the TelePresence Command Line Interface (version 2.0)

    Last login: Fri Apr 5 14:01:59 EDT 2013 from 10.117.92.51
    admin:utils system factory init
    Are you sure you want to reset the system back to the factory configuration ?
    This will cause a system restart !
    Enter "yes" to reset to factory configuration and restart or any other key to abort
    continue: yes

  3. Check that the newly generated certificate matches the machine name.

  4. Log in to the admin GUI in order to reconfigure the endpoint. The endpoint should now register with the CUCM.

Note: Perform the camera and audio calibration after the new MIC is installed.

Troubleshoot Compact Flash

A corrupt compact flash storage device might also be the reason you are unable to register to the CUCM in secure mode. This is an example of a corrupt filesystem as seen in the rc.log:

*** Verifying nv
/sbin/e2fsck: No such device or address while trying to open /dev/hda7
Possibly non-existent or swap device?
e2fsck returns 8
*** Mounting nv
mount: Mounting /dev/hda7 on /nv failed: No such device or address
**************************************************
Severe Internal Error - Cannot mount nv filesystem
Please contact Technical Assistance
**************************************************
Starting CF /nv recovery
Unable to read /dev/hda
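
To sort downloaded logs into the two troubleshooting paths in this guide, the messages quoted above can be matched in one pass over the sysop log and rc.log. This is an added example, not part of the original Cisco document; the function name and category labels are this example's own, and the e2fsck exit-status meanings come from the e2fsck manual page.

```python
import re

# Substrings copied from the sysop log and rc.log excerpts in this guide.
SIGNATURES = {
    "No valid Manufacturing Installed Certificate found": "mic",
    "Unable to load Certificate Authority file": "mic",
    "No certificates, unable to make secure calls": "mic",
    "Cannot mount nv filesystem": "compact_flash",
    "Unable to read /dev/hda": "compact_flash",
}
E2FSCK_RE = re.compile(r"e2fsck returns (\d+)")

def triage(log_text):
    """Return (verdict, findings) for sysop log and/or rc.log text."""
    findings = []
    for line in log_text.splitlines():
        for needle, category in SIGNATURES.items():
            if needle in line:
                findings.append((category, needle))
        m = E2FSCK_RE.search(line)
        # e2fsck exit status is a bit mask: 1 and 2 mean errors were corrected;
        # 4 (left uncorrected), 8 (operational error) and higher bits mean not.
        if m and int(m.group(1)) & ~3:
            findings.append(("compact_flash", "e2fsck exit " + m.group(1)))
    categories = {c for c, _ in findings}
    # Flash problems win: the guide lists compact flash issues as one cause
    # of MIC errors, so a storage fault can be behind the MIC messages.
    if "compact_flash" in categories:
        return "compact_flash", findings
    if "mic" in categories:
        return "mic", findings
    return "clean", findings

# Lines taken from the log excerpts in this guide.
SYSOP_SAMPLE = (
    "2011-10-07 16:35:10: WARN\n"
    "WARNING= No valid Manufacturing Installed Certificate found Secure mode operation\n"
    "2011-10-07 16:50:12: ERROR No certificates, unable to make secure calls\n")
RC_SAMPLE = (
    "/sbin/e2fsck: No such device or address while trying to open /dev/hda7\n"
    "e2fsck returns 8\n"
    "mount: Mounting /dev/hda7 on /nv failed: No such device or address\n"
    "Severe Internal Error - Cannot mount nv filesystem\n"
    "Unable to read /dev/hda\n")

if __name__ == "__main__":
    print(triage(SYSOP_SAMPLE)[0], triage(RC_SAMPLE)[0])
```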
