Forced to Upgrade PBX firmware... 5

[SNJQuintin]

Got this from our Mitel vendor yesterday: "Root Certificate Update (RCU) - All systems must be patched or upgraded by Aug 2020 or they will stop working".

Can anyone confirm this? What happens if we don't do the update, will our phone system really stop working? Can anyone explain the reasoning for this (management doesn't like being told they HAVE to do something lol).

We have a Mitel 3330.

Thanks!

 

[SNJQuintin]

I think I answered my own question

https://www.mitel.com/en-ca/support...-business-security-certificate-update-19-0004

Looks like you can just install the security certificate update.

Q

 

[John Keri]

Can anyone explain the reasoning for this"
Yes, Mitel should be able to.
Most software related issues are documented by the designers who investigated it.
Some of the issues arise from software that is not even Mitel and some apply to specific platforms or software levels only.

The first suggestion is to review the release notes and locate the fault in question.
Review the details and open a support request if necessary.
They should be able to answer your questions.

PS:
To highlight the complexity and silliness of technical glitches, see the article below:

https://www.techradar.com/news/hpe-ssd-drives-could-fail-at-this-critical-moment

Tagline: "SSD bug could cause drives to fail after 32,768 hours of operation if a new patch isn't applied

 

[kwbMitel]

As you discovered, you are not forced to upgrade as there is a patch for every software load MCD5.0 and higher.

If your system predates 5.0, then yes, you needed to upgrade quite a while ago.

Also yes your system will shut down due to a license violation if this is not done.

 

[John Keri]

Further consideration:
"your system will shut down due to a license violation"
The system in question is Mitel 3330 that I assume is an ICP running Vxworks (at least before MiVB 9.0).
No ICP will generate license violation UNLESS it is a member of a DLM Group or it was overprovisioned on purpose.

Plausible logic of the problem is:
The Root Certificate has an expiry that can be in most cases manually updated by doing a refresh.
That certificate with the expiry is used during license retrieval or verification (MSL: every four hours).
For the minimum deployment scenario of an MN3300 with no issues or changes in licensing and without software assurance, the upgrade/patch is not necessary.

But the devil is always in the details and the problem is choice that complicates everything.
". . . management doesn't like being told they HAVE to do something"
That same management has no problem allowing Microsoft to deploy automatic updates even without explanation or detailed documentation.
For Windows, any Root Certificate related issue would go into a security update. Done.

 

[jpruder]

Here is some info on the reason

Title
Root Certificate Update (RCU) for AMC root certificate expiring on August 21, 2020
Symptoms
On August 21, 2020, the MiVB’s AMC root certificate will expire. Mitel is releasing a Root Certificate Update (RCU) for all MiVB systems running release MCD 5.0 to MIVB 9.0 SP2. The RCU delivers a new AMC root certificate and maintains the consistency of your communications.
Internal Notes
The symptom is that MiVB will go into the critical license violation. For PPC, even though it is not synchronized with AMC regularly, on MiVB reboot after Aug 21, 2020, it will go into license violation.

 

[nytalkin]

I have done several hundred of these patches for the root certificate. You MUST have a clean data base (no view or table errors). Also be sure you have access to the AMC and have SWA. Don't install the patch until and unless you have access. This process should really be handled by your vendor and a technician certified on MCD. There are different procedures for 3300 controllers and vMCD instances. Any backups made prior to the installation of the patches will not be able to be restored. Be sure you have a new backup after the patch is installed.

I suppose you're entitled to your opinion, I'm just not going to suppose very hard.

 

[meneerB]

How can I check this for our 3330?

 

[John Keri]

Suggest you contact the phone number listed in the article:
United States & Canada: +1 800 722 1301

https://www.mitel.com/en-ca/support...-business-security-certificate-update-19-0004

As far as I know, Mitel had a commitment for hardware platforms, which is 3300 ICP or MN 3300 systems, that guarantee system operation without extra charges.
If that is still true, then you do not have to purchase SWA unless you wish to upgrade.

 

[nytalkin]

As long as you never want to upgrade your system software or purchase additional licenses this patch isn't necessary. After August 2020 any communication with the AMC will fail if this patch isn't applied. After the patch is applied it is verified by the AMC as authentic and appends the current software release with a 9; i.e. 14.0.9.

I suppose you're entitled to your opinion, I'm just not going to suppose very hard.

 

[meneerB]

John,
I was just wondering where I could find and see the certificate in the 3300.

 

[John Keri]

Should be under Webserver.

 

[nytalkin]

The certificate is in /sysro/rootCertxxxx_ppc

I suppose you're entitled to your opinion, I'm just not going to suppose very hard.

 

[kwbMitel]

@nytalkin re:As long as you never want to upgrade your system software or purchase additional licenses this patch isn't necessary.

The certificate that is due to expire is already on the system. IMO, when the certificate expires, it will do exactly what Mitel says it will do.

The symptom is that MiVB will go into the critical license violation. For PPC, even though it is not synchronized with AMC regularly, on MiVB reboot after Aug 21, 2020, it will go into license violation.

PPC = AX, CX, CXi, LX, MX, or MXe Systems

 

[nytalkin]

I believe that the issue will not come up as long as the system doesn't try to communicate with the AMC after the certificate expires in August.

I suppose you're entitled to your opinion, I'm just not going to suppose very hard.

 

[kwbMitel]

I have seen a release 5.0 system perform a sync on a reboot
I have every reason to believe that if the system reboots, it will fail as described.

 

[TLDuk]

As long as you never want to upgrade your system software or purchase additional licenses this patch isn't necessary. After August 2020 any communication with the AMC will fail if this patch isn't applied. After the patch is applied it is verified by the AMC as authentic and appends the current software release with a 9; i.e. 14.0.9.

I believe that the issue will not come up as long as the system doesn't try to communicate with the AMC after the certificate expires in August.

This is wrong, soon as the unpatched systems hit the 21th August 2020 the internal license file can no longer be verified because the internal certificate to decrypt it has expired, the system will go into 21 days left license violation.

This has been tested in a LAB setup, all affected systems HAVE to be patched.

If its not broke tweak it..

 

[TLDuk]

FYI: This is the message you will get when you run the License Status command on unpatched system after the 21st

License Violation Level : Critical
Time at current License Violation Level: less than 1 hour
Time remaining until next escalation : 21 days
Local Violation Cause(s):
- The License Keys cannot be validated

If its not broke tweak it..

 

[kwbMitel]

Thanks TLDuK for the definitive answer. I was concerned that people might be on the wrong track

 

[John Keri]

TLDuk:
Please identify the 'system' you are referring to.
There are two questions that are very important.
One:
Does Mitel force owners to upgrade for fees a system without any change? The system, in this case, is a physical ICP.
This is not a technical question.

Two:
The system in your statement is type and software load?
Was this tested on systems that are not set to communicate with AMC?
The presumption is that ICP type systems do not have regular communication with AMC ergo license verification does not occur.
It is also questionable if the local cerificate can be re-signed in the ICP system without AMC connection the way it used to be?