Cisco Unified Communications Manager 8.0(1) and later introduced the new Security By Default feature and the use of Initial Trust List (ITL) files. With this new feature, you must be careful when moving phones between different Unified CM clusters and ensure that you follow the proper steps for migration.
Failure to follow the proper steps may lead to a situation where thousands of phones must manually have their ITL files deleted.
Cisco Unified IP Phones that support the ITL file download it from their Unified CM TFTP server. Once an ITL file is installed on a phone, every later configuration file and ITL file update must be signed by one of the following:
The TFTP server certificate that is currently listed in the ITL installed on the phone, or
A TFTP server certificate that can be validated by the Trust Verification Service (TVS) on one of the servers in the cluster. The certificates of the cluster's TVS servers are themselves listed in the ITL file, which is how the phone knows which TVS servers it may ask.
With this new security functionality in mind, three problems can occur when moving a phone from one cluster to another cluster:
The ITL file of the new cluster is not signed by the current ITL file signer, so the phone cannot accept the new ITL file or configuration files.
The TVS servers listed in the phone's existing ITL may not be reachable once the phone is moved to the new cluster.
Even if the old TVS servers are reachable for certificate verification, the old cluster's servers may not hold the new cluster's server certificates, so they cannot vouch for them.
If one or more of these three problems is encountered, one possible solution is to delete the ITL file manually from every phone being moved between clusters. This is not a desirable solution, because the effort grows with the number of phones.
The preferred option is to use the Cisco Unified CM Enterprise Parameter Prepare Cluster for Rollback to pre-8.0. Once this parameter is set to True, the phones download a special ITL file whose TVS and TFTP certificate sections are empty. Because that empty ITL is still signed by the current cluster's TFTP certificate, phones that already hold the old ITL accept it.
When a phone has an empty ITL file, the phone accepts any unsigned configuration file (for migrations to Unified CM pre-8.x clusters), and also accepts any new ITL file (for migrations to different Unified CM 8.x clusters).
The empty ITL file can be verified on the phone by checking . Empty entries appear where the old TVS and TFTP servers used to be.
The phones need access to the old Unified CM servers only for as long as it takes them to download the new empty ITL files. A phone that is offline while the parameter is set (powered off or disconnected) does not receive the empty ITL and must have its ITL deleted manually after the move, so confirm that every phone has downloaded it before you move it.
If you plan to keep the old cluster online after the migration, set the Prepare Cluster for Rollback to pre-8.0 Enterprise Parameter back to False to restore Security By Default; phones that remain on that cluster then download a populated ITL again.
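The following is an added example, not Cisco code, that models the phone-side trust decision described above: a file is accepted if its signer is a TFTP certificate in the installed ITL, or if a reachable TVS listed in the ITL can vouch for the signer, or if the ITL is empty. It then walks a phone through the three migration problems and through the Prepare Cluster for Rollback to pre-8.0 path. The ITL layout, the cluster names and keys are constructed for the example, and HMAC-SHA256 over a secret stands in for the real RSA signature; the real ITLFile.tlv format is not reproduced.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Server certificate; 'secret' stands in for the private key and
    HMAC-SHA256 stands in for the RSA signature a CallManager.pem makes."""
    name: str
    secret: bytes

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.name.encode()).hexdigest()[:16]

    def sign(self, content: bytes) -> "SignedFile":
        sig = hmac.new(self.secret, content, "sha256").digest()
        return SignedFile(content, self.fingerprint, sig)

    def verify(self, f: "SignedFile") -> bool:
        expected = hmac.new(self.secret, f.content, "sha256").digest()
        return hmac.compare_digest(expected, f.sig)


@dataclass(frozen=True)
class SignedFile:
    content: bytes
    signer_fp: str  # fingerprint of the TFTP certificate that signed it
    sig: bytes


@dataclass
class TVS:
    """A Trust Verification Service instance as listed in an ITL."""
    name: str
    reachable: bool
    known: Dict[str, Cert]  # certificates this cluster's TVS can vouch for


@dataclass
class ITL:
    tftp_certs: Dict[str, Cert] = field(default_factory=dict)
    tvs_servers: List[TVS] = field(default_factory=list)

    def is_empty(self) -> bool:
        # Shape of the 'Prepare Cluster for Rollback to pre-8.0' ITL
        return not self.tftp_certs and not self.tvs_servers


def itl_bytes(itl: ITL) -> bytes:
    """Serialisation stand-in so an ITL can be signed like any other file."""
    return ("tftp=" + ",".join(sorted(itl.tftp_certs)) +
            ";tvs=" + ",".join(t.name for t in itl.tvs_servers)).encode()


class Phone:
    def __init__(self) -> None:
        self.itl: Optional[ITL] = None  # factory-fresh phone: no ITL yet

    def _resolve_signer(self, fp: str) -> Tuple[Optional[Cert], str]:
        cert = self.itl.tftp_certs.get(fp)
        if cert:
            return cert, "signer is a TFTP certificate in the installed ITL"
        for tvs in self.itl.tvs_servers:
            if not tvs.reachable:
                continue  # problem 2: TVS from the old ITL is unreachable
            cert = tvs.known.get(fp)
            if cert:
                return cert, "signer verified via TVS " + tvs.name
            # problem 3: TVS reachable but does not hold the new certificate
        return None, "signer not in ITL and no reachable TVS can verify it"

    def accept(self, f: SignedFile) -> Tuple[bool, str]:
        if self.itl is None or self.itl.is_empty():
            return True, "no/empty ITL: phone accepts any file"
        cert, why = self._resolve_signer(f.signer_fp)
        if cert is None:
            return False, why  # problem 1 when f is another cluster's ITL
        if not cert.verify(f):
            return False, "signature does not verify against " + cert.name
        return True, why

    def install_itl(self, signed: SignedFile, itl: ITL) -> Tuple[bool, str]:
        ok, why = self.accept(signed)
        if ok:
            self.itl = itl
        return ok, why


def move_phone(prepare_rollback: bool, old_tvs_reachable: bool = False):
    """Enrol a phone in a constructed old cluster, then offer it the
    constructed new cluster's ITL; returns the phone's (accepted, reason)."""
    old_tftp = Cert("old-cluster CallManager.pem", b"old-private-key")
    old_tvs = TVS("old-cluster TVS", True, {old_tftp.fingerprint: old_tftp})
    old_itl = ITL({old_tftp.fingerprint: old_tftp}, [old_tvs])
    new_tftp = Cert("new-cluster CallManager.pem", b"new-private-key")
    new_tvs = TVS("new-cluster TVS", True, {new_tftp.fingerprint: new_tftp})
    new_itl = ITL({new_tftp.fingerprint: new_tftp}, [new_tvs])

    phone = Phone()
    phone.install_itl(old_tftp.sign(itl_bytes(old_itl)), old_itl)
    if prepare_rollback:
        # Old cluster serves the empty ITL, still signed by its own TFTP
        # certificate, while the phone can still reach it
        empty = ITL()
        phone.install_itl(old_tftp.sign(itl_bytes(empty)), empty)
    old_tvs.reachable = old_tvs_reachable  # phone now sits on the new cluster
    return phone.install_itl(new_tftp.sign(itl_bytes(new_itl)), new_itl)
```

Calling move_phone(False) reproduces problems 1 and 2 (rejected, old TVS unreachable), move_phone(False, old_tvs_reachable=True) reproduces problem 3 (rejected, the old TVS does not know the new certificate), and move_phone(True) shows the empty ITL letting the new cluster's ITL through.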