Cisco Unified Communications Manager 8.0(1) and later introduced the Security By Default feature and the use of Initial Trust List (ITL) files. With this feature you must be careful when moving phones between Cisco Unified CM clusters: if the proper steps are not followed, you can end up with thousands of phones whose ITL files must be deleted by hand.
Cisco Unified IP Phones that support the ITL file download it from their Cisco Unified Communications Manager TFTP server. Once an ITL file is installed on a phone, every subsequent configuration file and ITL update must be signed either by the TFTP server certificate currently held in the phone's ITL, or by a TFTP certificate that one of the TVS services listed in that ITL can validate. The certificates of the cluster's TVS services are carried in the ITL file.
With this security functionality in mind, three problems can occur when a phone is moved from one cluster to another:
The ITL file of the new cluster is not signed by the signer of the phone's current ITL, so the phone cannot accept the new ITL file or any configuration file from the new cluster.
The TVS servers listed in the phone's existing ITL may not be reachable once the phone is moved to the new cluster.
Even if the old TVS servers are reachable for certificate verification, the old cluster's servers may not have the new cluster's certificates, so the verification still fails.
If one or more of these problems is encountered, one workaround is to delete the ITL file manually from every phone being moved between clusters. This is not a desirable solution, since the effort grows with the number of phones.
The preferred option is to use the Cisco Unified CM Enterprise Parameter "Prepare Cluster for Rollback to pre-8.0". Once this parameter is set to True, the phones download a special ITL file with empty TVS and TFTP certificate sections. Because this empty ITL is served and signed by the cluster the phones already trust, they accept it.
When a phone holds an empty ITL file it accepts any unsigned configuration file (for migrations to pre-8.x Cisco Unified CM clusters), and also accepts any new ITL file (for migrations to a different Cisco Unified CM 8.x cluster). While the ITL is empty the phone has no Security By Default protection, so keep that window as short as possible.
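The following is an added example (not Cisco code) that models the phone's trust decision described above and runs it through the three migration problems and the empty-ITL fix. Certificates are modelled as plain names and signatures as HMAC-SHA256 tags keyed by a per-certificate secret, a stand-in for the X.509/RSA signatures a real phone verifies; the cluster names, certificate names and file payloads are constructed for illustration.

```python
"""Model of the Cisco Unified CM phone ITL trust decision (added example, not Cisco code).

Simplifications (assumptions): a certificate is just a name, and a file
signature is an HMAC-SHA256 tag under that name's secret, standing in for
real X.509/RSA signatures. TVS lookup is a dict from TVS certificate to cluster.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

_PRIVATE_KEYS: Dict[str, bytes] = {}  # certificate name -> signing secret (constructed)


def issue_cert(name: str) -> str:
    """Register a certificate name with a matching signing secret (constructed)."""
    _PRIVATE_KEYS[name] = hashlib.sha256(("secret:" + name).encode()).digest()
    return name


def sign(cert: str, payload: bytes) -> Tuple[str, bytes]:
    """Return (signer certificate, tag) for a file signed with `cert`."""
    return cert, hmac.new(_PRIVATE_KEYS[cert], payload, "sha256").digest()


def signature_valid(cert: str, payload: bytes, tag: bytes) -> bool:
    if cert not in _PRIVATE_KEYS:
        return False
    expected = hmac.new(_PRIVATE_KEYS[cert], payload, "sha256").digest()
    return hmac.compare_digest(expected, tag)


@dataclass
class ITL:
    tftp_cert: Optional[str]   # TFTP signer the phone trusts directly (None when empty)
    tvs_certs: List[str]       # TVS services the phone may ask to validate other signers

    def is_empty(self) -> bool:
        return self.tftp_cert is None and not self.tvs_certs


@dataclass
class Cluster:
    name: str
    tftp_cert: str
    tvs_cert: str
    known_certs: Set[str] = field(default_factory=set)  # what this cluster's TVS can vouch for
    online: bool = True  # False models "TVS not reachable from the new network"


@dataclass
class SignedFile:
    payload: bytes
    signer: Optional[str] = None  # None means unsigned (pre-8.0 style)
    tag: Optional[bytes] = None


def phone_accepts(itl: ITL, f: SignedFile, tvs_directory: Dict[str, Cluster]) -> Tuple[bool, str]:
    """Decide whether a phone holding `itl` installs file `f`; returns (accepted, reason)."""
    if itl.is_empty():
        return True, "empty ITL accepts any file"          # rollback ITL: no TFTP or TVS entries
    if f.signer is None or f.tag is None:
        return False, "unsigned file rejected while ITL is populated"
    if not signature_valid(f.signer, f.payload, f.tag):
        return False, "bad signature"
    if f.signer == itl.tftp_cert:
        return True, "signed by the TFTP certificate in the ITL"
    for tvs in itl.tvs_certs:                              # fall back to TVS validation
        cluster = tvs_directory.get(tvs)
        if cluster is None or not cluster.online:
            continue                                       # problem 2: TVS unreachable
        if f.signer in cluster.known_certs:
            return True, "signer vouched for by TVS " + tvs
        # problem 3: TVS reachable but does not know the new cluster's certificate
    return False, "signer not in ITL and no TVS could verify it"


def migration_scenarios() -> Dict[str, bool]:
    """Run the scenarios from the text: each key is a scenario, each value whether the phone accepted."""
    old = Cluster("cluster-A", issue_cert("A-CallManager"), issue_cert("A-TVS"))
    new = Cluster("cluster-B", issue_cert("B-CallManager"), issue_cert("B-TVS"))
    old.known_certs = {old.tftp_cert, old.tvs_cert}
    new.known_certs = {new.tftp_cert, new.tvs_cert}
    directory = {old.tvs_cert: old, new.tvs_cert: new}

    itl_from_a = ITL(old.tftp_cert, [old.tvs_cert])                 # phone enrolled in cluster A
    b_payload = b"ITLFile:cluster-B"                                 # constructed payload
    itl_file_from_b = SignedFile(b_payload, *sign(new.tftp_cert, b_payload))
    results: Dict[str, bool] = {}

    # Problems 1 and 3: B's ITL is signed by B, and A's TVS (reachable) does not know B's cert.
    results["new_itl_old_tvs_reachable"] = phone_accepts(itl_from_a, itl_file_from_b, directory)[0]
    # Problem 2: A's TVS is not reachable from the new location.
    old.online = False
    results["new_itl_old_tvs_unreachable"] = phone_accepts(itl_from_a, itl_file_from_b, directory)[0]
    old.online = True
    # Fix: "Prepare Cluster for Rollback to pre-8.0" makes A serve an empty ITL signed by A.
    empty_payload = b"ITLFile:empty"
    empty_itl_file = SignedFile(empty_payload, *sign(old.tftp_cert, empty_payload))
    results["empty_itl_from_old_cluster"] = phone_accepts(itl_from_a, empty_itl_file, directory)[0]
    empty_itl = ITL(None, [])                                        # phone installed the empty ITL
    results["new_itl_after_empty"] = phone_accepts(empty_itl, itl_file_from_b, directory)[0]
    results["unsigned_config_after_empty"] = phone_accepts(empty_itl, SignedFile(b"SEP.cnf.xml"), directory)[0]
    # Counterfactual for problem 3: had A's TVS known B's certificate, TVS validation would succeed.
    old.known_certs.add(new.tftp_cert)
    results["new_itl_old_tvs_knows_new_cert"] = phone_accepts(itl_from_a, itl_file_from_b, directory)[0]
    return results


if __name__ == "__main__":
    for scenario, accepted in migration_scenarios().items():
        print(f"{scenario:32s} accepted={accepted}")
```

The first two scenarios fail for exactly the reasons the list above gives, and the empty ITL is accepted only because it is signed by the cluster the phone already trusts; once installed, both a new signed ITL and an unsigned pre-8.0 configuration file are accepted.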
The empty ITL file can be verified on the phone by checking . Empty entries appear where the old TVS and TFTP servers used to be.
The phones need access to the old Cisco Unified CM servers only for as long as it takes them to download the empty ITL file. Before moving any phone, confirm that it has actually downloaded the empty ITL; a phone moved while it still holds the old, populated ITL will run into the problems listed above.
If you plan to keep the old cluster online, set the "Prepare Cluster for Rollback to pre-8.0" Enterprise Parameter back to False once the migrated phones have moved, so that Security By Default is restored for the phones that remain.