Software Authentication Manager Commands on
Cisco IOS XR Software
This chapter describes the Cisco IOS XR software commands used to configure Software Authentication
Manager (SAM).
For detailed information about SAM concepts, configuration tasks, and examples, see the Configuring Software Authentication Manager on Cisco IOS XR Software configuration module.
Cisco IOS XR System Security Command Reference
SR-207
sam add certificate
To add a new certificate to the certificate table, use the sam add certificate command in EXEC mode.
sam add certificate filepath location {trust | untrust}
Syntax Description
filepath    Absolute path to the source location of the certificate.
location    Storage site of the certificate. Use one of the following: root, mem, disk0, disk1, or another flash device on the router.
trust    Adds the certificate to the certificate table without validation by the Software Authentication Manager (SAM). To add a root certificate, you must use the trust keyword; adding a root certificate with the untrust keyword is not allowed.
untrust    Adds the certificate to the certificate table only after the SAM has validated it. Adding a root certificate with the untrust keyword is not allowed; to add a root certificate, you must use the trust keyword.
Defaults    No default behavior or values
Command Modes    EXEC
Command History
Release    Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines    To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
For security reasons, the sam add certificate command can be issued only from the console or auxiliary port of the networking device; the command cannot be issued from a Telnet connection to any other interface on the networking device.
The certificate must be copied to the networking device before it can be added to the certificate table. If the certificate is already present in the certificate table, the SAM rejects the attempt to add it.
When adding root certificates, follow these guidelines:
• Only the certificate authority (CA) root certificate can be added to the root location.
• To add a root certificate, you must use the trust keyword. Adding the root certificate with the
untrust keyword is not allowed.
Use of the trust keyword assumes that you received the new certificate from a source that you trust, and therefore have enough confidence in its authenticity to bypass validation by the SAM. One example of acquiring a certificate from a trusted source is downloading it from a CA server (such as Cisco.com) that requires user authentication. Another example is acquiring the certificate from a person or entity that you can verify, such as by checking the identification badge of a person. If you bypass the validation protection offered by the SAM, you must verify the identity and integrity of the certificate by some other valid process.
Certificates added to the memory (mem) location validate software installed in memory. Certificates
added to the disk0 or disk1 location validate software installed on those devices, respectively.
Note: If the sam add certificate command fails with a message indicating that the certificate has expired, the networking device clock may have been set incorrectly. Use the show clock command to determine whether the clock is set correctly.
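Because the trust keyword skips SAM validation, the reference leaves the "other valid process" to the operator. The following is an added example (not Cisco code, and not part of this command reference) of the out-of-band check an operator can run on a workstation before typing sam add certificate ... root trust: it compares the file's SHA-256 fingerprint against a fingerprint obtained from the CA operator over an authenticated channel, and checks the certificate's validity period against the router clock reported by show clock, so that an "expired" rejection caused by a wrong clock is caught before the command is issued. It assumes the certificate file is a DER-encoded X.509 certificate; the pinned fingerprint, the helper names and the constructed, unsigned sample certificate are hypothetical. The sample's validity period is the one quoted in the boot-time message later on this page.

```python
"""Out-of-band checks before 'sam add certificate <file> root trust'.
Added example, not Cisco code. Assumptions: DER X.509 input; a pinned
SHA-256 fingerprint obtained over an authenticated channel (hypothetical);
router clock from 'show clock' converted to UTC. No signature is verified:
that is what 'trust' skips, so the fingerprint is the substitute check."""
import hashlib
from datetime import datetime, timezone


def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime (convert the 'show clock' value to this)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


# --- minimal DER encode/decode, enough for the outer X.509 structure -----

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, payload):
    """Encode one DER TLV."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(seq_value):
    """Split the value of a SEQUENCE into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = read_tlv(seq_value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:12]  # RFC 5280 rule
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:14]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return utc(year, int(rest[0:2]), int(rest[2:4]),
               int(rest[4:6]), int(rest[6:8]), int(rest[8:10]))


def validity_period(cert_der):
    """Return (notBefore, notAfter) from Certificate.tbsCertificate.validity."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = children(children(cert)[0][1])       # tbsCertificate members
    if fields[0][0] == 0xA0:                       # optional explicit [0] version
        fields = fields[1:]
    # order is now: serialNumber, signature, issuer, validity, subject, ...
    (t1, not_before), (t2, not_after) = children(fields[3][1])
    return parse_time(t1, not_before), parse_time(t2, not_after)


def check_before_trust(cert_der, pinned_sha256, device_clock):
    """Decide whether adding this file with 'trust' is justified: (ok, reason)."""
    fp = hashlib.sha256(cert_der).hexdigest()
    if fp != pinned_sha256.lower():
        return False, "fingerprint mismatch (got %s): do not add" % fp
    not_before, not_after = validity_period(cert_der)
    if device_clock < not_before:
        return False, ("device clock %s is before notBefore %s: check 'show clock'"
                       % (device_clock, not_before))
    if device_clock > not_after:
        return False, "certificate expired at %s" % not_after
    return True, "fingerprint matches; valid %s to %s" % (not_before, not_after)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sample_cert(not_before, not_after):
    """Constructed, unsigned certificate-shaped DER for offline testing only."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA OID
    empty_name = der(0x30, b"")
    utctime = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                 # version v3
              + der(0x02, b"\x01")                          # serialNumber 1
              + alg + empty_name
              + der(0x30, utctime(not_before) + utctime(not_after))
              + empty_name
              + der(0x30, alg + der(0x03, b"\x00" * 9)))    # placeholder SPKI
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))   # placeholder signature


if __name__ == "__main__":
    cert = sample_cert(utc(2000, 10, 17, 1, 46, 24), utc(2015, 10, 17, 1, 51, 47))
    pinned = sha256_hex(cert)   # in practice obtained out of band, never from the file
    for clock in (utc(2010, 1, 1), utc(2020, 1, 1), utc(1999, 1, 1)):
        print(clock, check_before_trust(cert, pinned, clock))
```

Only when check_before_trust returns ok should the file be copied to the router and added with the trust keyword; a clock-before-notBefore result points at the show clock check described in the note above rather than at the certificate.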
Examples    The following example shows how to add the certificate found at /bootflash/ca.bin to the certificate table in the root location without first validating the certificate:
RP/0/RP0/CPU0:router# sam add certificate /bootflash/ca.bin root trust
The following example shows how to add the certificate found at /bootflash/css.bin to the certificate table in the memory (mem) location after validating the certificate:
RP/0/RP0/CPU0:router# sam add certificate /bootflash/css.bin mem untrust
Related Commands
Command    Description
sam delete certificate    Deletes a certificate from the certificate table.
show sam certificate    Displays records in the certificate table, including the location of the certificates.
show clock    Displays networking device clock information.
sam delete certificate
To delete a certificate from the certificate table, use the sam delete certificate command in EXEC mode.
sam delete certificate location certificate-index
Syntax Description
location    Storage site of the certificate. Use one of the following: root, mem, disk0, disk1, or another flash device on the router.
certificate-index    Number in the range from 1 to 65000.
Defaults    No default behavior or values
Command Modes    EXEC
Command History
Release    Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines    To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
For security reasons, the sam delete certificate command can be issued only from the console port of the networking device; the command cannot be issued from a Telnet connection to any other interface on the networking device.
Use the show sam certificate summary command to display certificates by their index numbers.
Because the certificate authority (CA) certificate must not be deleted unknowingly, the Software Authentication Manager (SAM) prompts the user for confirmation when an attempt is made to delete the CA certificate.
If a certificate stored on the system is no longer valid (for example, if the certificate has expired), you can use the sam delete certificate command to remove the certificate from the list.
Examples    The following example shows how to delete the certificate identified by the index number 2 from the memory location:
RP/0/RP0/CPU0:router# sam delete certificate mem 2
SAM: Successful deleting certificate index 2
The following example shows how to cancel the deletion of the certificate identified by the index number 1 from the root location:
RP/0/RP0/CPU0:router# sam delete certificate root 1
Do you really want to delete the root CA certificate (Y/N): N
SAM: Delete certificate (index 1) canceled
The following example shows how to delete the certificate identified by the index number 1 from the root location:
RP/0/RP0/CPU0:router# sam delete certificate root 1
Do you really want to delete the root CA certificate (Y/N): Y
SAM: Successful deleting certificate index 1
Related Commands
Command    Description
sam add certificate    Adds a new certificate to the certificate table.
show sam certificate    Displays records in the certificate table, including the location of the certificates stored.
sam prompt-interval
To set the interval that the Software Authentication Manager (SAM) waits after prompting the user for
input when it detects an abnormal condition at boot time and to determine how the SAM responds when
it does not receive user input within the specified interval, use the sam prompt-interval command in
global configuration mode. To reset the prompt interval and response to their default values, use the no
form of this command.
sam prompt-interval time-interval {proceed | terminate}
no sam prompt-interval time-interval {proceed | terminate}
Syntax Description
time-interval    Prompt time, in the range from 0 to 300 seconds.
proceed    Causes the SAM to respond as if it had received a "yes" when the prompt interval expires.
terminate    Causes the SAM to respond as if it had received a "no" when the prompt interval expires.
Defaults    The SAM waits 10 seconds and then terminates the authentication task.
Command Modes    Global configuration
Command History
Release    Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines    To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the sam prompt-interval command to control the action taken when the system detects an exception condition, such as an expired certificate, during initialization of the SAM at boot time. The following message appears when the software detects that a certificate authority (CA) certificate has expired:
SAM detects expired CA certificate. Continue at risk (Y/N):
The SAM waits at the prompt until you respond or the time interval controlled by the sam prompt-interval command expires, whichever is the earlier event. If you respond "N" to the prompt, the boot process is allowed to complete, but no packages can be installed.
The following message appears when the software detects that a Code Signing Server (CSS) certificate has expired:
SAM detects CA certificate (Code Signing Server Certificate Authority) has expired. The
validity period is Oct 17, 2000 01:46:24 UTC - Oct 17, 2015 01:51:47 UTC. Continue at
risk? (Y/N) [Default:N w/in 10]:
If you do not respond to the prompt, the SAM waits for the specified interval to expire, and then it takes the action specified in the sam prompt-interval command (either the proceed or terminate keyword).
If you enter the command with the proceed keyword, the SAM waits for the specified interval to expire, and then it proceeds as if you had given a "yes" response to the prompt.
If you enter the command with the terminate keyword, the SAM waits for the specified interval to expire, and then it proceeds as if you had given a "no" response to the prompt. This use of the command keeps the system from waiting indefinitely when the system console is unattended.
Note: After the software has booted, the time-interval argument set using this command has no effect. This value applies at boot time only.
Examples    The following example shows how to tell the SAM to wait 30 seconds for a user response to a prompt and then terminate the requested SAM processing task:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# sam prompt-interval 30 terminate
Related Commands
Command    Description
show sam sysinfo    Displays the current status information for the SAM.