Re: [cisco-voip] Serious 11.5 installation defect

2016-08-24 Thread Abhiram Kramadhati (akramadh)
Just a quick update. We tested this with UCCX/CUIC/Finesse 11.5 and the issue 
is not seen. The issue seems to be with the encryption method.

In UCCX/CUIC/Finesse:
(/usr/local/platform/.security/dkey_status.txt file and 
install.log:08/23/2016 15:25:44 InstallWizard|ccmEncryptionConfigOptional:dynamicKeyCCMEncryption='optional'.|).

In CUCM:
(/usr/local/platform/.security/dkey_status.txt file and also from the 
installation log 
install.log:08/10/2016 21:36:10 InstallWizard|ccmEncryptionConfigOptional: dynamicKeyCCMEncryption='enable'.|).

With the encryptionAPI used in CUCM, the length of the encrypted password is 
going beyond 64 characters and that could be the problem (but that is not 
confirmed yet). We'll monitor this and take the necessary action if anything is 
needed on the contact centre products. Thanks.

Regards,
Abhiram Kramadhati
Technical Solutions Manager, CCBU
CCIE Collaboration # 40065


From: cisco-voip <cisco-voip-boun...@puck.nether.net> 
on behalf of Anthony Holloway <avholloway+cisco-v...@gmail.com>
Date: Monday, 22 August 2016 at 1:57 PM
To: "dan...@ohnesorge.me" <dan...@ohnesorge.me>
Cc: Cisco VoIP Group <cisco-voip@puck.nether.net>
Subject: Re: [cisco-voip] Serious 11.5 installation defect

Wow, good to know, but I cannot say that I have ever seen a password that long 
on a server before.  That's a first for me.  I tend to still use 8 character 
length.  Old habit, I'm sure.

Are you consistently deploying 16+ character passwords nowadays?

On Sun, Aug 21, 2016 at 5:54 PM, Daniel Ohnesorge via cisco-voip 
<cisco-voip@puck.nether.net> wrote:
Hi All,

Just wanted to make you all aware of a serious installation defect with 11.5 
that the Cisco DE's are currently investigating and will soon be raising a new 
defect against.

Basically, the CUCM Publisher installation goes ahead fine but once you try to 
install any subscriber (including the CUPS DB PUB), the installation will fail 
after all Network and Connectivity checks passed. It has taken TAC, BU and DE's 
2 weeks to figure out what was going wrong, it turns out that the password used 
for the Application User is too long (even though it is within documentation 
guidelines). The password I used was 1 Uppercase, 14 lowercase, 1 number and 1 
special character (underscore). DE's have been able to replicate the issue in 
the lab using the same complexity. When using a password such as ipcbu123 the 
installation is successful. This affects CUCM, CUPS and CUC.

Thanks,
Daniel

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
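
Added example (not part of the original thread and not Cisco's code): a length check showing how a fixed 64-character field can be overrun once a password crosses a cipher block boundary. The scheme is an assumption, since the thread does not say how CUCM encrypts the password: a 16-byte block cipher with PKCS#7 padding, a 16-byte IV stored with the ciphertext, and hex or base64 text encoding.

```python
# Added illustration: how stored ciphertext length grows with password length.
# Assumed scheme (not stated in the thread): 16-byte block cipher, PKCS#7
# padding, IV prepended, result hex- or base64-encoded into a fixed field.
BLOCK = 16
FIELD_CHARS = 64  # the 64-character limit mentioned in the thread


def padded_len(n_bytes, block=BLOCK):
    """PKCS#7 adds 1..block bytes, so an exact multiple gains a whole block."""
    return (n_bytes // block + 1) * block


def stored_len(password, iv_bytes=BLOCK, encoding="hex"):
    """Characters needed to store IV + ciphertext in the given text encoding."""
    raw = iv_bytes + padded_len(len(password.encode("utf-8")))
    if encoding == "hex":
        return raw * 2
    if encoding == "base64":
        return 4 * ((raw + 2) // 3)
    raise ValueError(f"unknown encoding: {encoding}")


def fits(password, field_chars=FIELD_CHARS, **scheme):
    """True when the encoded value fits the fixed-width field."""
    return stored_len(password, **scheme) <= field_chars


def max_safe_len(field_chars=FIELD_CHARS, limit=128, **scheme):
    """Longest ASCII password (up to limit) whose stored form still fits."""
    best = 0
    for n in range(1, limit + 1):
        if fits("a" * n, field_chars, **scheme):
            best = n
    return best


if __name__ == "__main__":
    short = "ipcbu123"           # 8-character password quoted in the thread
    long_ = "Abcdefghijklmno1_"  # constructed: 1 upper, 14 lower, 1 digit, 1 underscore
    for enc in ("hex", "base64"):
        for pw in (short, long_):
            print(enc, len(pw), stored_len(pw, encoding=enc), fits(pw, encoding=enc))
        print(enc, "max safe length:", max_safe_len(encoding=enc))
```

Under these assumptions the stored length jumps in whole-block steps, so a password that is valid under the documented policy can still exceed a fixed-width field; the same check can be run against an installer's real field width before choosing a password policy.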


Re: [cisco-voip] Serious 11.5 installation defect

2016-08-22 Thread Daniel Ohnesorge via cisco-voip
This is going to cause problems for US Government customers that are 
wanting to deploy FedRAMP mode...


From 
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_5_1/secugd/CUCM_BK_SEE2CFE1_00_cucm-security-guide-1151/CUCM_BK_SEE2CFE1_00_cucm-security-guide-1151_chapter_011010.html


"Credential Policy

When FedRAMP mode is enabled, the following credential policy takes 
effect automatically for new passwords and password changes. After 
FedRAMP mode is enabled, administrators can use the set password *** 
series of CLI commands to modify any of these requirements:


Password Length should be between 14 to 127 characters.
Password should have at least 1 lowercase, 1 uppercase, 1 digit and 1 
special character.

Any of the previous 24 passwords cannot be reused.
Minimum age of the password is 1 day and Maximum age of the password is 
60 days.
Any newly generated password's character sequence will need to differ by 
at least 4 characters from the old password's character sequence."



On 2016-08-23 00:33, Scott Voll wrote:

Sounds like one we had with Cisco Security Manager.  it would send a 
password under 15 characters correct because it encrypted the whole 
password.  but after 15 characters it would encrypt the 15 characters 
and add padding to the additional characters after the encryption. rather 
than sending the password with padding then encrypting it.


Reminder that if it's Cisco to make sure your password is less than 16 
characters ;-)


Scott

On Sun, Aug 21, 2016 at 10:43 PM, Daniel Ohnesorge via cisco-voip 
 wrote:
In this case, the customer has a strict password policy and the 
password was generated via an internal web app. Normally I would also 
not use one that long!


On 2016-08-22 13:57, Anthony Holloway wrote:

Wow, good to know, but I cannot say that I have ever seen a password 
that long on a server before.  That's a first for me.  I tend to still 
use 8 character length.  Old habit, I'm sure.


Are you consistently deploying 16+ character passwords nowadays?

On Sun, Aug 21, 2016 at 5:54 PM, Daniel Ohnesorge via cisco-voip 
 wrote:


Hi All,

Just wanted to make you all aware of a serious installation defect with 
11.5 that the Cisco DE's are currently investigating and will soon be 
raising a new defect against.


Basically, the CUCM Publisher installation goes ahead fine but once you 
try to install any subscriber (including the CUPS DB PUB), the 
installation will fail after all Network and Connectivity checks 
passed. It has taken TAC, BU and DE's 2 weeks to figure out what was 
going wrong, it turns out that the password used for the Application 
User is too long (even though it is within documentation guidelines). 
The password I used was 1 Uppercase, 14 lowercase, 1 number and 1 
special character (underscore). DE's have been able to replicate the 
issue in the lab using the same complexity. When using a password such 
as ipcbu123 the installation is successful. This affects CUCM, CUPS and 
CUC.


Thanks,
Daniel


Re: [cisco-voip] Serious 11.5 installation defect

2016-08-22 Thread James Buchanan
Let's all make a pact to set all our passwords as cisco/cisco. Who's game?

On Mon, Aug 22, 2016 at 10:33 AM, Scott Voll  wrote:

> Sounds like one we had with Cisco Security Manager.  it would send a
> password under 15 characters correct because it encrypted the whole
> password.  but after 15 characters it would encrypt the 15 characters and
> add padding to the additional characters after the encryption. rather than
> sending the password with padding then encrypting it.
>
> Reminder that if it's Cisco to make sure your password is less than 16
> characters ;-)
>
> Scott
>
>
> On Sun, Aug 21, 2016 at 10:43 PM, Daniel Ohnesorge via cisco-voip <
> cisco-voip@puck.nether.net> wrote:
>
>> In this case, the customer has a strict password policy and the password
>> was generated via an internal web app. Normally I would also not use one
>> that long!
>>
>>
>> On 2016-08-22 13:57, Anthony Holloway wrote:
>>
>>> Wow, good to know, but I cannot say that I have ever seen a password that
>>> long on a server before.  That's a first for me.  I tend to still use 8
>>> character length.  Old habit, I'm sure.
>>>
>>> Are you consistently deploying 16+ character passwords nowadays?
>>>
>>> On Sun, Aug 21, 2016 at 5:54 PM, Daniel Ohnesorge via cisco-voip <
>>> cisco-voip@puck.nether.net> wrote:
>>>
>>>> Hi All,
>>>>
>>>> Just wanted to make you all aware of a serious installation defect with
>>>> 11.5 that the Cisco DE's are currently investigating and will soon be
>>>> raising a new defect against.
>>>>
>>>> Basically, the CUCM Publisher installation goes ahead fine but once you
>>>> try to install any subscriber (including the CUPS DB PUB), the installation
>>>> will fail after all Network and Connectivity checks passed. It has taken
>>>> TAC, BU and DE's 2 weeks to figure out what was going wrong, it turns out
>>>> that the password used for the Application User is too long (even though it
>>>> is within documentation guidelines). The password I used was 1 Uppercase,
>>>> 14 lowercase, 1 number and 1 special character (underscore). DE's have been
>>>> able to replicate the issue in the lab using the same complexity. When
>>>> using a password such as ipcbu123 the installation is successful. This
>>>> affects CUCM, CUPS and CUC.
>>>>
>>>> Thanks,
>>>> Daniel


Re: [cisco-voip] Serious 11.5 installation defect

2016-08-21 Thread Daniel Ohnesorge via cisco-voip
In this case, the customer has a strict password policy and the password 
was generated via an internal web app. Normally I would also not use one 
that long!


On 2016-08-22 13:57, Anthony Holloway wrote:

Wow, good to know, but I cannot say that I have ever seen a password 
that long on a server before.  That's a first for me.  I tend to still 
use 8 character length.  Old habit, I'm sure.


Are you consistently deploying 16+ character passwords nowadays?

On Sun, Aug 21, 2016 at 5:54 PM, Daniel Ohnesorge via cisco-voip 
 wrote:



Hi All,

Just wanted to make you all aware of a serious installation defect 
with 11.5 that the Cisco DE's are currently investigating and will 
soon be raising a new defect against.


Basically, the CUCM Publisher installation goes ahead fine but once 
you try to install any subscriber (including the CUPS DB PUB), the 
installation will fail after all Network and Connectivity checks 
passed. It has taken TAC, BU and DE's 2 weeks to figure out what was 
going wrong, it turns out that the password used for the Application 
User is too long (even though it is within documentation guidelines). 
The password I used was 1 Uppercase, 14 lowercase, 1 number and 1 
special character (underscore). DE's have been able to replicate the 
issue in the lab using the same complexity. When using a password such 
as ipcbu123 the installation is successful. This affects CUCM, CUPS 
and CUC.


Thanks,
Daniel