How to - Removing CTL and ITL from 7900-series phones via SSH

Which Cisco UC engineer does not know the challenge when he runs a CUCM in mixed mode:

How to remove a Certificate Trust List on a phone nobody has physical access to during a CUCM migration?


The normal way like using the same security tokens on old and new CUCM is not possible. Sending somebody on site during the migration is also not possible. These limitations raised the need for an alternate solution.

After some testing, I decided to create a small Python script. The final script connects via SSH to the phone and uses the test key functions of the Cisco SIP phone debug-mode to press the required phone buttons via command line interface.

 Main requirement is to enable SSH for phone on the CUCM and to configure a username and password for the SSH access.

The following script is based on Python 3.4 and uses as additionally Paramiko for the possibility to connect via SSH to the Cisco IP phones. Besides Paramiko also the time class is required to implement some delay between the different commands.

    import paramiko

    import time

The hosts variable defines the IP addresses of the Cisco IP Phones to which the script should connect to.

           phones = ["192.168.2.113"]

 The function delete_CTL establishes after the start directly a SSH connection to the phone. 
    def delete_CTL(host):
     client = paramiko.SSHClient()
     client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
     client.connect(hostname=host, username='admin',         
       password='12345', port=22, 
       look_for_keys=False, 
       allow_agent=False)

 The user credentials are at the moment hardcoded. In this example I used username='admin' and password='12345' these parameters could be easily adjusted.
     client_shell = client.invoke_shell()
     client_shell.recv(1024)

 After the SSH connection is running an additional login is required to access the debug-modus of the phone. To access the debug modus you have to use the username 'debug' and the password 'debug'.

     client_shell.send("debug\n")
     time.sleep(2)
     client_shell.send("debug\n")
     time.sleep(2)

 In the debug modus you can now start the test modus to send key pressures via SSH to the phone. This function could be started with the command test open.

     client_shell.send("test open\n")
     time.sleep(2)
     client_shell.send("test key set\n")
     time.sleep( 2)
     client_shell.send("test key **#\n")
     time.sleep(2)
     client_shell.send("test key 4\n")
     time.sleep(2)
     client_shell.send("test key 5\n")
     time.sleep(2)
     client_shell.send("test key 1\n")
     time.sleep(2)
     client_shell.send("test key soft4\n")
     time.sleep(2)
     client_shell.send("test key soft2\n"
     time.sleep(2)
     client_shell.send("test close\n")
     time.sleep(2)
     client.close()
     time.sleep(2)
     output=client_shell.recv(1024)
     return output.decode('ascii')

The main function that calls just the delete_CTL function for each IP included in the phones variable.

   if __name__ == "__main__":
      for i in hosts:
        delete_CTL(i)

The actual version of the script is based on a 7965 phone and needs only minimal adjustments to work also with other versions of the 7900- series. The required debug mode for sending key pressures via SSH is only available to the SIP fimware and not available for the SCCP version.

I'm no Pyhton expert, so every advise for improvement is very welecome :-)






Comments

  1. AnonymousSeptember 21, 2016 at 10:44 AM

    please help me to do with sccp phone . test key command not available in my 7911 sccp phone.

    email. aashiq.prince07@gmail.com

    Thanks
    Aashiq

    ReplyDelete
  2. ChikkisNovember 3, 2018 at 4:44 AM

    Great work. i am also try some of the stuff like this. if interested lets collaborate. you can reach via email :- chikkiv at gmail dot com

    ReplyDelete
  3. yangJuly 22, 2022 at 9:42 AM

    Thanks,liked the way you expressed your views in this post. weatherproof hotline emergency telephone

    ReplyDelete

Post a Comment

Popular posts from this blog

How to - Install Python and Paramiko in offline Windows environment (Optimized Method)

After using more and more Paramiko and Python for automation of endpoint testing and changed requirements for the the usage of Paramiko in newer versions my old how-to  becomes outdated. With the newest release of Python, Python 3.6 , I started to optimize the installation process to reduce complexity and make the installation process more simple. Instead of downloading manually all required files from the different homepages I use Python included functions for this work.  Step by Step overview: 1. Creation of reference system For preparation of the required files and for verification I'm using normally a test system i setup in VMware Fusion on my MacBook. For the Microsoft operating system I use the trial version from Microsoft Technet Evaluation Center for 180 days testing. After the system is finally setup based on my requirements I create a snapshot to have a valid reference point for my installation. 2. Installation of Python in reference system and downloadin
Read more

How to - Install Python 3.4 and Paramiko in offline Windows environment

Image
This how to is based on Python 3.4, a how to for for newer Python releases will follow. PyCrypt is not maintained anymore and other solution are recommended to use with newer Paramiko releases. An updated version can be found here . In my last post I described how to use Python and Paramiko to delete a CTL file from a Cisco SIP phone during a migration. In the preparation phase of the migration I was confronted with the challenge to install Python on a Windows server in our management environment without direct Internet access. To install Python and Paramiko you need the following packages on your Windows machine: Python installation package  3.4.3 PyCrypt installation package  2.61 Paramiko installation package   ecdsa installation package  0.13 The required installation pacakages for Python,  PyCrypt and Paramiko are easy to find compared to the ecdsa installation package. The versions I found using Google were not compatible with Paramiko. So I used the download l
Read more