Forced to Upgrade PBX firmware...

SNJQuintin

IS-IT--Management
Oct 20, 2008
96
CA
Got this from our Mitel vendor yesterday: "Root Certificate Update (RCU) - All systems must be patched or upgraded by Aug 2020 or they will stop working".

Can anyone confirm this? What happens if we don't do the update, will our phone system really stop working? Can anyone explain the reasoning for this (management doesn't like being told they HAVE to do something lol).

We have a Mitel 3330.

Thanks!

 
Please identify the 'system' you are referring to : as per Mitel's documentation any unpatched Physical or Virtual controller running MiVB 5.0 to 9.0 SP2 software
There are two questions that are very important.
One:
Does Mitel force owners to upgrade for fees a system without any change? No, Mitel has provided a patch for free for 5.0 - 8.0sp3 systems. If you have 9.0 9.0 SP2 you will have to have a software upgrade to 9.0sp3; this again is free. It's up to your agreement with your vendor if the engineering time required to complete these tasks comes at a cost. That being said, any good vendor should be encouraging you to upgrade if you are on the lower end of the software scale; simple tasks such as backing up a system have become very difficult without compromising the client system by having to old Java and TLS versions.

Two:
The system in your statement is type and software load? MiVB 7.2 virtual
Was this tested on systems that are not set to communicate with AMC? Yes it was isolated from the internet

The presumption is that ICP type systems do not have regular communication with AMC ergo license verification does not occur ? There is a misconception that the certificate update is to maintain communication to the Mitel AMC licensing servers. This is wrong: the cert in question is used to verify the authenticity of the license already on the controller received from the AMC. When the cert is updated, the software version is slightly modified, appended by a .9, and on next connection to the AMC a new compatible license file is downloaded.

It is also questionable if the local certificate can be re-signed in the ICP system without AMC connection the way it used to be ? The offline method has long gone. You can license a system via the software installer tool if the tool is installed on a Windows PC with internet connection, but I haven't tested doing this on a patched system, nor will I try; not worth the effort IMO.

If its not broke tweak it..
 

Thank you for the detailed answer.
Request a few minor clarifications.

One: This is the one really matters.
Free of charge shall mean that no SWA is required either to access the patch and the instructions.
Your description suggests that, but the instructions did not state it.

Two: More of an academic question of understanding.
Your statement of system type "MiVB 7.2 virtual" in combination with "it was isolated from the internet" is out of scope as that setup will lead to license violation.
My question is exactly to the point you started in your answer as
"the cert in question is used to verify the authenticity of the license already on the controller received from the AMC"
What is not clear is that if a system in question is an ICP, that does not require AMC communication once licensed, it shall require no update of the cert.
The 'resigning' or 'renewal' in my question refers to the cert and not the license. This was a process to update the 'date' on the certificate after every few years.
 
One: The patch is freely available to accredited resellers to access, applying this or making this available to you either free or with a charge will depend on your agreement with your vendor.

Two: More of an academic question of understanding.

Your statement of system type "MiVB 7.2 virtual" in combination with "it was isolated from the internet" is out of scope as that setup will lead to license violation. : Why ?

What is not clear is that if a system in question is an ICP, that does not require AMC communication once licensed, it shall require no update of the cert. : I will quote the product bulletin below, nowhere in any documentation for this does it state the system has to communicate to the AMC to go into violation.

"Q: What will happen after the Security certificate expires?
A: After the certificate expiry date in August 2020 a MiVoice Business system will go into a Critical license
violation when the MiVoice Business system validates the certificate embedded in the license key files. This
will result in a critical system alarm. The displays of idle IP phones will indicate “License Violation”, and
administrators will be notified accordingly."


If its not broke tweak it..
 
@TLDuk

My version of the bulletin states that the physical systems (PPE) will go into license violation after a system reboot. I agree that they will not fail immediately based on this but I am cautioning people not to risk leaving this undealt with.
 
So a question for you all.
Do we need to be physically on site to do this patch or can this be done remotely?
 
Nasom:
Do we need to be physically on site to do this patch or can this be done remotely?
That depends. In general no, but you have to do your own risk assessment.
Understand that for customers four hour drive away this is an issue, but that is more of a business question.

TLDuk
Thank you for the answers.
The financial impact is the same or less than a software upgrade and no change to service contracts, at least unlikely.
Once the money issue is cleared, deploying the patch is a no brainer.
You never know when license sync becomes urgently necessary and can turn into an emergency.

As to the academic question:
Only MSL based system contacts AMC every four hours and performs a license refresh overnight.
There were cases of systems going into license violation due to that process failing before.
None of those affected ICP systems.

The devil hiding in the details is in your answer like this:
"when the MiVoice Business system validates the certificate embedded in the license key files"
That is the question:
When does the MiVoice Business system validate the certificate embedded in the license key files?
Because the answer to this question determines the "point of failure".
There are two answers provided so far as AMC sync or system boot.
 
As to the academic question:
Only MSL based system contacts AMC every four hours and performs a license refresh overnight.
There were cases of systems going into license violation due to that process failing before.
None of those affected ICP systems.

Yes, the MSL can fall into a sort of violation, but that can take up to 6 months after the first failed AMC sync in MSL.

The devil hiding in the details is in your answer like this:
"when the MiVoice Business system validates the certificate embedded in the license key files"
That is the question:
When does the MiVoice Business system validate the certificate embedded in the license key files?
Because the answer to this question determines the "point of failure".
There are two answers provided so far as AMC sync or system boot.

I can guarantee it verifies the file on boot.
Now here's the sticky bit: once the patch is applied, the logs now show the internal license being verified every 24hrs. It will look like this: "2020/Feb/11 06:22:12 Main Licensing AMC sync 3300-14.0.9=software" in the maint logs. I suspect, but have not proven, this was the behaviour before, but with the patch it now creates a log entry for the event.


If its not broke tweak it..
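
The log-based check described in the post above, as an added example that is not part of the original thread or any Mitel tooling: it scans exported maintenance-log lines for the licensing entry, reports whether the latest release string carries the ".9" suffix the poster associates with the patch, and checks the roughly 24-hour cadence. The line layout is inferred from the single entry quoted in the post, and the function names, the 25-hour tolerance and every sample line except the 11 Feb entry are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Layout inferred from the one maintenance-log line quoted in the post (assumption).
ENTRY = re.compile(
    r"^(\d{4})/([A-Z][a-z]{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2})\s+"
    r"Main\s+Licensing\s+AMC sync\s+\d+-([\d.]+)=software\s*$")

def parse_license_checks(lines):
    """Return [(timestamp, release)] for each licensing-check entry, in log order."""
    checks = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m or m.group(2) not in MONTHS:
            continue  # unrelated or malformed line
        y, mon, d, hh, mm, ss, release = m.groups()
        ts = datetime(int(y), MONTHS[mon], int(d), int(hh), int(mm), int(ss))
        checks.append((ts, release))
    return checks

def audit(lines, now, max_gap=timedelta(hours=25)):
    """Summarise one controller's log: patched marker, last check, cadence."""
    checks = parse_license_checks(lines)
    if not checks:
        # No entries: the post only suspects unpatched systems do not log the check.
        return {"patched": None, "last_check": None, "stale": True, "gaps_ok": False}
    last_ts, last_release = checks[-1]
    gaps = [b[0] - a[0] for a, b in zip(checks, checks[1:])]
    return {
        "patched": last_release.split(".")[-1] == "9",  # ".9" suffix per the post
        "last_check": last_ts,
        "stale": now - last_ts > max_gap,
        "gaps_ok": all(g <= max_gap for g in gaps),
    }

# Constructed sample: only the 11 Feb licensing line is taken from the post.
SAMPLE_LOG = [
    "2020/Feb/09 06:22:10 Main Licensing AMC sync 3300-14.0.9=software",
    "2020/Feb/10 06:22:11 Main Licensing AMC sync 3300-14.0.9=software",
    "2020/Feb/11 06:22:12 Main Licensing AMC sync 3300-14.0.9=software",
    "2020/Feb/11 07:00:00 Main Maintenance constructed unrelated entry",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, now=datetime(2020, 2, 11, 12, 0, 0)))
```

A result of `patched: None` means no licensing entry was found, which by the post's account is inconclusive rather than proof the system is unpatched.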
 
I can verify what TLDuk is saying is correct.

I have a MiVB 7.0 system not connected to the internet as it is sitting on my desk. I changed the date to the 22nd Aug 2020 and rebooted the system. It comes up with a license violation. A "LICENSE STATUS" confirms that it can't validate the license.

Changing the date back and rebooting cleared the issue.

This is all without the AMC being involved.

@TLDuk
What happens if the controller can't reach the AMC?? If it verifies every 24 hours will it go into license violation eventually?
 
I have done most of these remotely. Some customers have FTP and/or SSH blocked making it necessary to visit the site. I have only had one MSL version go into license violation; the fix was easy and there was no down-time incurred.

I suppose you're entitled to your opinion, I'm just not going to suppose very hard.
 
FYI there is now a patch available for version 9 systems

If I never did anything I'd never done before , I'd never do anything.....

 
Yes after partners complained like hell because they were having to upgrade customers who had just spent a fortune upgrading to version 9..

Also have a dig around on KMS; some bod at Mitel has made a Windows-based script / exe to speed up deployment.

If its not broke tweak it..
 
Hello,

We received the notification from our Vendor just only yesterday, all our Mitel systems are going to be phased out but not before 2022 or so.
We are on MCD 4.0.
As I just read there is a Patch for 5.0 till 9.0 , what about 4.0?

 
4.0 is not affected.

I suppose you're entitled to your opinion, I'm just not going to suppose very hard.
 
Wow thanks for the clarification, all the information on this thread is useful. We have a 3300ICP running 7.1 and are moving away from Mitel (handsets have good compatibility with SIP). This pay to play is so annoying. " The patch is freely available to accredited resellers to access, applying this or making this available to you either free or with a charge will depend on your agreement with your vendor." If it's free, where do I download it?
 
@ntnher

"The patch is freely available to accredited resellers" "If it's free, where do I download it?"

If you are an accredited reseller, you have access to download it. If not, ...
 
I think it all has to do with the try before buy, as to whether a system would be affected by the expiration of the root certificate
 
Look at Sarond's last post on the subject. The controller will go into license violation.

I suppose you're entitled to your opinion, I'm just not going to suppose very hard.
 
Just a couple of comments after talking to a rep.

The patch is available in the download area of the Mitel web site. You would need access to that area to be able to download, and if you have that access it is free. Only accredited techs with accredited dealers will get access.

Also in that location are scripts that can be run to install the certificate in multiple systems at the same time. This would be particularly handy for someone with a MiCD. Otherwise the systems would need to all be on the same network. If you have a customer with multiple 3300's in a cluster you could update them in one shot. You just need to edit the script to put in the IP address of each system and its user name and password.

There are three methods you can use to update the certificate. The manual process to install the certificate, using the software installer tool (needs reboot). Upgrading the system to MCD9 SP3. There is a guide from Mitel on how to do each.

There is a new training course from Mitel on their training web site for technicians that covers some of this detail. It is free to certified technicians.

Physical systems (MXE, CX, AX etc) do not communicate on a regular basis with the AMC, so if not rebooted they could potentially run past Aug 20th without issue. Virtual and server-based MiVBs, however, sync constantly with the AMC and will therefore reach license violation much sooner.

If you install the certification and then have to re-install the software at a later date due to a hard drive failure for example, you will need to re-install the certificate again. If you have a MiCD then each time you add a new MiVB instance you will need to add the certificate.

Installing the certificate via the manual process does not take a reboot. Reboots are only required when the software installer tool is used.

Think that is everything I was told.
 
Welcome TinkyDinky, not bad for your first day on the site.

Look forward to seeing more from you.

P.S. I haven't seen anything about scripts being available. I have a MiCD with 70 clients and doing it manually took just under 3 hours.
 
For the update script there are 3 variants, MiCD, vMiVB and physical MiVB.

In KMS find the following articles.
SO4839 - MiCD instance certificate update script
SO4841 - VMiVB Certificate update script
SO4842 - Physical MiVB system certificate update script
 