Cisco SR-207 User Manual

Software Authentication Manager Commands on Cisco IOS XR Software
This chapter describes the Cisco IOS XR software commands used to configure Software Authentication Manager (SAM).
For detailed information about SAM concepts, configuration tasks, and examples, see the Configuring Software Authentication Manager on Cisco IOS XR Software configuration module.
Cisco IOS XR System Security Command Reference
SR-207

sam add certificate

sam add certificate
To add a new certificate to the certificate table, use the sam add certificate command in EXEC mode.
sam add certificate filepath location {trust | untrust}
Software Authentication Manager Commands on Cisco IOSXR Software
Syntax Description
Defaults No default behavior or values
Command Modes EXEC
Command History
filepath Absolute path to the source location of the certificate. location Storage site of the certificate. Use one of the following: root, mem, disk0, disk1,
or other flash device on router.
trust Adds the certificate to the certificate table without validation by the Software
Authentication Manager (SAM). To add a root certificate, you must use the trust keyword. Adding a root certificate with the untrust keyword is not allowed.
untrust Adds the certificate to the certificate table after the SAM has vali dated it. Adding
a root certificate with the untrust keyword is not allowed. To add a root certificate, you must use the trust keyword.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router.
Usage Guidelines To use this command, you must be in a user grou p associated with a task group that includes the proper
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
For security reasons, the sam add certificate command can be issued o nly from the console or au xiliary port of the networking device; the command cannot be issued from a Telnet connection to any other interface on the networking device.
The certificate must be copied to the network device before it can be added to the certif icate table. If the certificate is already present in the certificate table, the SAM rejects the attempt to add it.
When adding root certificates, follow these guidelines:
Only the certificate authority (CA) root certificate can be added to the root location.
To add a root certificate, you must use the trust keyword. Adding the root certificate with the
untrust keyword is not allowed.
Use of the trust keyword assumes that you receiv ed the ne w certif icate from a source that you trust, and therefore have enough confidence in its authenticity to bypass validation by the SAM. One example of acquiring a certificate from a trusted source is downloading it from a CA server (such as Cisco. com) that
Cisco IOS XR System Security Command Reference
SR-208
Software Authentication Manager Commands on Cisco IOSXR Software
sam add certificate
requires user authentication. Another example is acquiring the certificate from a person or entity that you can verify, such as by checking the identification badge for a person. If you bypass the validation protection offered by the SAM, yo u must verify the id entity and integrity o f the certificat e by some other valid process.
Certificates added to the memory (mem) location validate software installed in memory. Certificates added to the disk0 or disk1 location validate software installed on those devices, respectively.
Note If the sam add certificate command fails with a message indicating that the certificate has expired, the
networking device clock may have been set incorrectly. Use the show clock command to determine if the clock is set correctly.
Examples The following example shows ho w to add the certificate found at /bootflash/ca.bin to the certificate table
in the root location without first validating the certificate:
RP/0/RP0/CPU0:router# sam add certificate /bootflash/ca.bin root trust
SAM: Successful adding certificate /bootflash/ca.bin
The following example shows how to add the certificate found at /bootflash/css.bin to the certificate table in the memory (mem) location after validating the certificate:
RP/0/RP0/CPU0:router# sam add certificate /bootflash/css.bin mem untrust
SAM: Successful adding certificate /bootflash/css.bin
Related Commands Command Description
sam delete certificate Deletes a certificate from the certificate table. show sam certificate Displays records in the certificate table, including the location of the
certificates.
show clock Displays networking device clock information.
Cisco IOS XR System Security Command Reference
SR-209

sam delete certificate

sam delete certificate
T o delete a certificate from the certificate table, use the sam delete certificate command in EXEC mode.
sam delete certificate location certificate-index
Software Authentication Manager Commands on Cisco IOSXR Software
Syntax Description
Defaults No default behavior or values
Command Modes EXEC
Command History
Usage Guidelines To use this command, you must be in a user grou p associated with a task group that includes the proper
location Storage site of the certificate. Use one of the following: root, mem, disk0, disk1,
or other flash device on router.
certificate-index Number in the range from 1 to 65000.
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
For security reasons, the sam delete certificate command can be issued only from the console port of the networking device; the command cannot be is sued from a Telnet connection to any other interface on the networking device.
Use the show sam certificate summary command to display certificates by their index numbers. Because the certificate authority (CA) certificate must not be unknowingly deleted, the Software
Authentication Manager (SAM) prompts the user for confirmati on when an attempt is made to delete the CA certificate.
If a certificate stored on the system is no longer valid (for example, if the certificate has expired), you can use the sam delete certificate command to remove the certificate from the list.
Examples The following example shows how to delete the certificate identified by the index number 2 from the
memory location:
RP/0/RP0/CPU0:router# sam delete certificate mem 2
SAM: Successful deleting certificate index 2
Cisco IOS XR System Security Command Reference
SR-210
Software Authentication Manager Commands on Cisco IOSXR Software
The following example sho ws how to can cel the deletion of the certificat e identified b y the index number 1 from the root location:
RP/0/RP0/CPU0:router# sam delete certificate root 1
Do you really want to delete the root CA certificate (Y/N): N SAM: Delete certificate (index 1) canceled
The following example shows how to delete the certificate identified by the index number 1 from the root location:
RP/0/RP0/CPU0:router# sam delete certificate root 1
Do you really want to delete the root CA certificate (Y/N): Y SAM: Successful deleting certificate index 1
Related Commands Command Description
sam add certificate Adds a new certificate to the certificate table. show sam certificate Displays records in the certificate table, including the location of the
certificates stored.
sam delete certificate
Cisco IOS XR System Security Command Reference
SR-211

sam prompt-interval

sam prompt-interval
To set the interval that the Software Authentication Manager (SAM) waits after prompting the user for input when it detects an abnormal condition at boot time and to determine how the SAM responds when it does not receive user input within the specified interval, use the sam prompt-interval command in global configuration mode. To reset the prompt interval and response to their default values, use the no form of this command.
sam prompt-interval time-interval {proceed | terminate} no sam prompt-interval time-interval {proceed | terminate}
Software Authentication Manager Commands on Cisco IOSXR Software
Syntax Description
Defaults The default response is for the SAM to wait 10 seconds and then terminate the authentication task.
Command Modes Global configuration
Command History
Usage Guidelines To use this command, you must be in a user grou p associated with a task group that includes the proper
time-interval Prompt time, in the range from 0 to 300 s econds.
proceed Causes the SAM to respond as if it had re cei ved a “yes” when the prompt int erv al
expire s .
terminate Causes the SAM to respond as if it had received a “no” when the prompt interval
expire s .
Release Modification
Release 2.0 This command was introduced on the Cisco CRS-1. Release 3.0 No modification. Release 3.2 This command was supported on the Cisco XR 12000 Series Router.
task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the sam prompt-interval command to control the action taken wh en the system detects an exception condition, such as an expired certificate during initialization of the SAM at boot time. The following message appears when the software detects the abnormal condition of a certificate authority (CA) certificate expired:
SAM detects expired CA certificate. Continue at risk (Y/N):
SR-212
The SAM waits at the prompt until you respond or the time interval controlled by the sam prompt-interval command exp ires, whichever is the earlier e vent. If you respond “N” to the pro mpt, the
boot process is allowed to complete, but no packages can be installed.
Cisco IOS XR System Security Command Reference
Software Authentication Manager Commands on Cisco IOSXR Software
The following message appears when the software detects the abnormal condition of a Code Signing Server (CSS) certificate expired:
SAM detects CA certificate (Code Signing Server Certificate Authority) has expired. The validity period is Oct 17, 2000 01:46:24 UTC - Oct 17, 2015 01:51:47 UTC. Continue at risk? (Y/N) [Default:N w/in 10]:
If you do not respond to the prompt, the SAM waits for the specif ied interval to expire, and then it takes the action specified in the sam prompt-interval command (either the proceed or terminate keyword).
If you enter the command with the proceed keyword, the SAM w aits for the specified interval to e xpire, and then it proceeds as if you had given a “yes” response to the prompt.
If you enter the command with the terminate keyword, the SAM waits for the specified interval to expire, and then it proceeds as if you had gi v en a “no” r esponse to the p rompt. This use of the command keeps the system from waiting indefinitely when the system console is unattended.
Note After the software has booted up, the time-interval argument set using this command has no effect. This
value applies at boot time only.
sam prompt-interval
Examples The following example shows how to tell the SAM to wait 30 seconds for a user response to a prompt
and then terminate the requested SAM processing task:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# sam prompt-interval 30 terminate
Related Commands Command Description
show sam sysinfo Displays the current status information for the SAM.
Cisco IOS XR System Security Command Reference
SR-213
Loading...
+ 15 hidden pages