Switch from Thales encryption to native encryption

Post by fluzocapacitor »

Hello,

I have a somewhat complex environment: two active OXE nodes and another two standby ones using Thales encryption. I need to join all the phones (6.000) in just one new virtual OXE (one active node and another standby one), preferably using native encryption.

Thales ciphers are set up between phone terminals and the OXEs:

Now:
Phone terminals -> Thales cipher 1 -> OXE1
Phone terminals -> Thales cipher 2 -> OXE2

Desired change:
Phone terminals -> virtual OXE (with native encryption)

Also possible:
Phone terminals -> Thales cipher 1 -> virtual OXE

The problem I am facing is about clearing the encryption in the phone terminals (IP Touch 40xx and IP Touch 80xx), as it seems that they kept some key from the Thales ciphers and they do not register on the new virtual OXE node without manual user action whenever I activate the cipher again.

I have tried to remove the Thales ciphers so that traffic does not go through them. Everything works fine, but on putting the Thales cipher 1 in front of the OXE again, the terminals which used the Thales cipher 2 seem to refuse to accept the encryption keys from that cipher unit.

I would rather enable native encryption, but then again, I do not know how to automatically clear the encryption keys in the phone terminals so that they register with the new virtual OXE as they would do the first time.

Is there any way to clear up the encryption of the Thales boxes? I read in a previous post that:

"You switch your installation to not encrypted, reboot the CPUS, all the phones are going to reboot and be OK. This is done by renaming the labpbx file from encrypted to not encrypted extension."

How can I rename the labpbx file in six thousand phones automatically?
Do you know whether there is any way to accomplish what I need to do?

Regards,

Re: Switch from Thales encryption to native encryption

Post by frank »

From memory, I think you need to turn off all encryption first, update all phones, make your change, then re-enable all encryption.
Did you try that?
Code Free Or Die

Re: Switch from Thales encryption to native encryption

Post by fluzocapacitor »

Hi Frank,

I do appreciate your reply. I am just a newbie when it comes to OXE technology. Our organization is working with people skilled in Alcatel solutions, but they are struggling trying to mix three Call Servers into just two.

I have been reading about Thales Encryption. It seems our setup uses lanpbx.cfg files generated in one node (CS3) and copied to the other ones (CS2 and CS1) to set up the encryption in the ABC network. Our support was trying to remove the CS3 node and move the IP sets to CS2. However, as the lanpbx.cfg files were signed by the SSM connected to CS3, on disconnecting that SSM, the IP sets were not able to verify the lanpbx.cfg file they got from CS2.

I'll get back to them with your comments. However, I think the problem might have been removing the CS3. Maybe it would have been better to try to migrate IP phones from CS1 to CS2 or CS3.

I hope we can switch to native encryption soon, but most of our phones are IpTouch 4xxx and they do not work with native encryption.

I'll keep you posted.

Regards,

Re: Switch from Thales encryption to native encryption

Post by frank »

lanpbx.cfg provides the mode (protect or bypass)
config_BT.cfg provides the security policy
For every encryption change you have to re-create the Config_BT.cfg file
For every switch from encryption to no-encryption, you need to re-sign lanpbx.cfg

If you want to move phones as per your scenario, you must turn encryption off globally, make your migrations, and re-initialize encryption.
Download the system documentation from this site, and check the oxe_p_100.1_sd_Security PDF File which explains how encryption architecture works.
Code Free Or Die