Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide, Release 4.2.x
Configuring Software Authentication Manager
Downloads: This chapterpdf (PDF - 1.21MB) The complete bookPDF (PDF - 3.44MB) | Feedback

Configuring Software Authentication Manager

Configuring Software Authentication Manager

Software Authentication Manager (SAM) is a component of the the Cisco ASR 9000 Series Router operating system that ensures that software being installed on the router is safe, and that the software does not run if its integrity has been compromised.

For information on SAM commands, see the Software Authentication Manager Commands module in Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference.

For information on setting the system clock, see the clock set command in Clock Commands module in Cisco ASR 9000 Series Aggregation Services Router System Management Command Reference.

Feature History for Configuring Software Authentication Manager

Release

Modification

Release 3.7.2

This feature was introduced.

Prerequisites for Configuring Software Authentication Manager

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Information about Software Authentication Manager

For SAM to verify software during installation, the software to be installed must be in a Packager for IOS/ENA (PIE) format. PIEs are digitally signed and SAM verifies the digital signature before allowing bits from that PIE to reside on the router. Each time an installed piece of software is run, SAM ensures that the integrity of the software is not been compromised since it was installed. SAM also verifies that software preinstalled on a flash card has not been tampered with while in transit.

When the initial image or a software package update is loaded on the router, SAM verifies the validity of the image by checking the expiration date of the certificate used to sign the image. If an error message is displayed indicating that your certificate has expired, check the system clock and verify that it is accurate. If the system clock is not set correctly, the system does not function properly.

How to set up a Prompt Interval for the Software Authentication Manager

When the SAM detects an abnormal condition during boot time, it prompts the user to take action and waits for a certain interval. When the user does not respond within this interval, SAM proceeds with a predetermined action that can also be configured.

To set up the Prompt Interval, perform the following tasks.

SUMMARY STEPS

    1.    configure

    2.    sam promptinterval time-interval {proceed | terminate}

    3.    Use the commit or end command.


DETAILED STEPS
     Command or ActionPurpose
    Step 1 configure


    Example:
    RP/0/RSP0/CPU0:router# configure
     

    Enters global configuration mode.

     
    Step 2sam promptinterval time-interval {proceed | terminate}


    Example:
    RP/0/RSP0/CPU0:router(config)# sam prompt-interval 25 {proceed | terminate}
    
     

    Sets the prompt interval in seconds, after which the SAM either proceeds or terminates the interval. The Prompt interval ranges from 0 to 300 seconds.

    If the user responds, SAM considers it as a ‘Yes’ and proceeds with the next action. If the user does not respond, SAM considers it as a ‘No’ and terminates the action. The default time for which SAM waits is 10 seconds.

     
    Step 3 Use the commit or end command.  

    commit—Saves the configuration changes, and remains within the configuration session.

    end—Prompts user to take one of these actions:
    • Yes— Saves configuration changes and exits the configuration session.
    • No—Exits the configuration session without committing the configuration changes.
    • Cancel—Remains in the configuration mode, without committing the configuration changes.