Software Authentication Manager Commands on Cisco IOS XR Software

This chapter describes the Cisco IOS XR software commands used to configure Software Authentication Manager (SAM).

For detailed information about SAM concepts, configuration tasks, and examples, see the Configuring Software Authentication Manager on Cisco IOS XR Software configuration module.

Cisco IOS XR System Security Command Reference

SR-207


sam add certificate

To add a new certificate to the certificate table, use the sam add certificate command in EXEC mode.

sam add certificate filepath location {trust | untrust}

Command Modes EXEC

Command History

Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

For security reasons, the sam add certificate command can be issued only from the console or auxiliary port of the networking device; the command cannot be issued from a Telnet connection to any other interface on the networking device.

The certificate must be copied to the network device before it can be added to the certificate table. If the certificate is already present in the certificate table, the SAM rejects the attempt to add it.

When adding root certificates, follow these guidelines:

• Only the certificate authority (CA) root certificate can be added to the root location.

• To add a root certificate, you must use the trust keyword. Adding the root certificate with the untrust keyword is not allowed.

Use of the trust keyword assumes that you received the new certificate from a source that you trust, and therefore have enough confidence in its authenticity to bypass validation by the SAM. One example of acquiring a certificate from a trusted source is downloading it from a CA server (such as Cisco.com) that


sam delete certificate

To delete a certificate from the certificate table, use the sam delete certificate command in EXEC mode.

sam delete certificate location certificate-index

Syntax Description

Defaults No default behavior or values

Command Modes EXEC

Command History


The following example shows how to cancel the deletion of the certificate identified by the index number 1 from the root location:

RP/0/RP0/CPU0:router# sam delete certificate root 1

Do you really want to delete the root CA certificate (Y/N): N

SAM: Delete certificate (index 1) canceled

The following example shows how to delete the certificate identified by the index number 1 from the root location:

RP/0/RP0/CPU0:router# sam delete certificate root 1

Do you really want to delete the root CA certificate (Y/N): Y

SAM: Successful deleting certificate index 1


sam prompt-interval

To set the interval that the Software Authentication Manager (SAM) waits after prompting the user for input when it detects an abnormal condition at boot time and to determine how the SAM responds when it does not receive user input within the specified interval, use the sam prompt-interval command in global configuration mode. To reset the prompt interval and response to their default values, use the no form of this command.

sam prompt-interval time-interval {proceed | terminate}

no sam prompt-interval time-interval {proceed | terminate}

Command Modes Global configuration

Command History

Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the sam prompt-interval command to control the action taken when the system detects an exception condition, such as an expired certificate, during initialization of the SAM at boot time. The following message appears when the software detects that a certificate authority (CA) certificate has expired:

SAM detects expired CA certificate. Continue at risk (Y/N):

The SAM waits at the prompt until you respond or the time interval controlled by the sam prompt-interval command expires, whichever is the earlier event. If you respond "N" to the prompt, the boot process is allowed to complete, but no packages can be installed.


sam verify

To use the Message Digest 5 (MD5) hash algorithm to verify the integrity of the software component on a flash memory card and ensure that it has not been tampered with during transit, use the sam verify command in EXEC mode.

sam verify {location | file-system} {MD5 | SHA [digest]}

Command Modes EXEC

Command History

Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the sam verify command to generate a message digest for a given device. The message digest is useful for determining whether software on a flash memory card has been tampered with during transit. The command generates a hash code that can be used to compare the integrity of the software between the time it was shipped and the time you received it.

For example, if you are given a flash memory card with preinstalled software and a previously generated MD5 message digest, you can verify the integrity of the software using this command:

sam verify device MD5 digest

where device is the flash device and digest is the message digest supplied by the originator of the software.


show sam certificate

To display records in the certificate table, use the show sam certificate command in EXEC mode.

Command Modes EXEC

Command History

Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the show sam certificate command when you want to display all the certificates stored in the system. Attributes are certificate number, certificate flag, serial number, subject name, issued by, version, issuing algorithm, not-before and not-after dates, public key, and signature.

To get the certificate number, use the show sam certificate summary all command. When used with the summary keyword, the all keyword displays selected attributes for all the entries in the table.

When used with the summary keyword, the location argument displays selected attributes for only the certificates stored in a specific location. Use one of the following: root, mem, disk0, disk1, or another flash device on the router.


CRL Distribution Point

file://\\CodeSignServer\CertEnroll\Code%20Signing%20Server%20Certificate%20Authority.crl

Table 16 describes the significant fields shown in the display.


The following sample output from the show sam certificate command shows how to display particular SAM details:

RP/0/RP0/CPU0:router# show sam certificate detail mem 1

------------------------------------------------------------

CRL Distribution Point

file://\\CodeSignServer\CertEnroll\Code%20Signing%20Server%20Certificate


Table 17 describes the significant fields shown in the display.


show sam crl

To display the records in the certificate revocation list (CRL) table, use the show sam crl command in EXEC mode.

show sam crl {summary | detail crl-index}

Command Modes EXEC

Command History

Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the show sam crl command when you want to display all the revoked certificates currently stored on the system. Attributes are CRL index number, issuer, and update information.

To get the CRL index number, use the show sam crl summary command.

Issuer:CN = Code Sign Server Certificate Manager, OU = Cisco HFR mc , O = Cisco,

L = San Jose, ST = CA, C = US, EA =<16> iosmx-css-cert@cisco.com

Including updates of:

Sep 09, 2002 03:50:41 GMT


Table 18 describes the significant fields shown in the display.

The following sample output is from the show sam crl detail 1 command:

RP/0/RP0/CPU0:router# show sam crl detail 1

-----------------------------------------------------------------

Issuer:CN = Code Sign Server Certificate Manager, OU = Cisco HFR mc , O = Cisco,

L = San Jose, ST = CA, C = US, EA =<16> iosmx-css-cert@cisco.com

Including updates of:

Sep 09, 2002 03:50:41 GMT

Revoked certificates include:

Serial #:61:2C:5C:83:00:00:00:00:00:44, revoked on Nov 03, 2002 00:59:02 GMT

Serial #:21:2C:48:83:00:00:00:00:00:59, revoked on Nov 06, 2002 19:32:51 GMT

-------------------------------------------------------------------------------

Table 19 describes the significant fields shown in the display.
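The revoked-certificate entries in this output can be checked off-box against the serial number of a signing certificate. The following Python parser is an added example, not part of the Cisco documentation: it reads a constructed copy of the show sam crl detail output above, extracts the issuer, the CRL update time and each revoked serial, and answers whether a given serial is listed.

```python
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the "show sam crl detail 1" output on this page.
SAMPLE_CRL_OUTPUT = """\
RP/0/RP0/CPU0:router# show sam crl detail 1
-----------------------------------------------------------------
Issuer:CN = Code Sign Server Certificate Manager, OU = Cisco HFR mc , O = Cisco,
L = San Jose, ST = CA, C = US, EA =<16> iosmx-css-cert@cisco.com
Including updates of:
Sep 09, 2002 03:50:41 GMT
Revoked certificates include:
Serial #:61:2C:5C:83:00:00:00:00:00:44, revoked on Nov 03, 2002 00:59:02 GMT
Serial #:21:2C:48:83:00:00:00:00:00:59, revoked on Nov 06, 2002 19:32:51 GMT
-------------------------------------------------------------------------------
"""

SAM_TIME = r"([A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2}:\d{2}) GMT"
# Several entries may be wrapped onto one line, so finditer is used rather than line splitting.
REVOKED_RE = re.compile(r"Serial #:([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*), revoked on " + SAM_TIME)
UPDATE_RE = re.compile(r"Including updates of:\s*\n\s*" + SAM_TIME)
ISSUER_RE = re.compile(r"Issuer:(.*?)\nIncluding updates of:", re.S)


def parse_sam_time(text):
    """SAM prints times as 'Sep 09, 2002 03:50:41 GMT'; return an aware UTC datetime."""
    return datetime.strptime(text, "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_sam_crl(output):
    """Return (issuer, update_time, {serial: revocation_time}) from show sam crl detail output."""
    issuer_m = ISSUER_RE.search(output)
    issuer = " ".join(issuer_m.group(1).split()) if issuer_m else ""
    update_m = UPDATE_RE.search(output)
    updated = parse_sam_time(update_m.group(1)) if update_m else None
    revoked = {m.group(1).upper(): parse_sam_time(m.group(2)) for m in REVOKED_RE.finditer(output)}
    return issuer, updated, revoked


def is_revoked(serial, revoked):
    """Accept a serial with or without colon separators, in either case, and look it up."""
    key = ":".join(re.findall(r"[0-9A-Fa-f]{2}", serial)).upper()
    return key in revoked


if __name__ == "__main__":
    issuer, updated, revoked = parse_sam_crl(SAMPLE_CRL_OUTPUT)
    print(issuer, updated, sorted(revoked), sep="\n")
```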


show sam log

To display the contents of the Software Authentication Manager (SAM) log file, use the show sam log command in EXEC mode.

show sam log [lines-number]

Command Modes EXEC

Command History

Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

The SAM log file records changes to the SAM tables, including any expired or revoked certificates, table digest mismatches, and SAM server restarts.

33 entries shown

Each line of output shows a particular logged event such as a table change, expired or revoked certificates, table digest mismatches, or SAM server restarts.


show sam package

To display information about the certificate used to authenticate the software for a particular package installed on the networking device, use the show sam package command in EXEC mode.

show sam package package-name

Command Modes EXEC

Command History


Table 20 describes the significant fields shown in the display.


show sam sysinfo

To display current configuration settings for the Software Authentication Manager (SAM), use the show sam sysinfo command in EXEC mode.

show sam sysinfo

Syntax Description This command has no arguments or keywords.

Command Modes EXEC

Command History

Prompt Default Response : NO

Table 21 describes the significant fields shown in the display.


it detects an abnormal condition and determines how the SAM responds when it does not receive user input within the specified interval.
