Cisco IOS XR System Security Configuration Guide for the Cisco XR 12000 Series Router
Configuring Software Authentication Manager on Cisco IOS XR Software
Downloads: This chapterpdf (PDF - 340.0KB) The complete bookPDF (PDF - 3.58MB) | Feedback

Configuring Software Authentication Manager on Cisco IOS XR Software

Table Of Contents

Configuring Software Authentication Manager on Cisco IOS XR Software

Contents

Prerequisites for Configuring Software Authentication Manager

Information about Software Authentication Manager

How to set up a Prompt Interval for the Software Authentication Manager


Configuring Software Authentication Manager on Cisco IOS XR Software


Software Authentication Manager (SAM) is a component of the Cisco IOS XR software operating system that ensures that software being installed on the router is safe, and that the software does not run if its integrity has been compromised.

For information on SAM commands, see the Software Authentication Manager Commands on
Cisco IOS XR Software
module in Cisco IOS XR System Security Command Reference.

For information on setting the system clock, see the clock set command in the Clock Commands on Cisco IOS XR Software module in Cisco IOS XR System Management Command Reference.

Feature History for Configuring Software Authentication Manager on the Cisco XR 12000 Series Router

Release
Modification

Release 3.5.0

This feature was introduced on the Cisco XR 12000 Series Router.

Release 3.6.0

No modification

Release 3.7.0

No modification

Release 3.8.0

No modification.

Release 3.9.0

No modification.


Contents

Prerequisites for Configuring Software Authentication Manager

Information about Software Authentication Manager

How to set up a Prompt Interval for the Software Authentication Manager

Prerequisites for Configuring Software Authentication Manager

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command.

If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Information about Software Authentication Manager

For SAM to verify software during installation, the software to be installed must be in a Packager for IOS/ENA (PIE) format. PIEs are digitally signed and SAM verifies the digital signature before allowing bits from that PIE to reside on the router. Each time an installed piece of software is run, SAM ensures that the integrity of the software is not been compromised since it was installed. SAM also verifies that software preinstalled on a flash card has not been tampered with while in transit.

When the initial image or a software package update is loaded on the router, SAM verifies the validity of the image by checking the expiration date of the certificate used to sign the image. If an error message is displayed indicating that your certificate has expired, check the system clock and verify that it is accurate. If the system clock is not set correctly, the system does not function properly.

How to set up a Prompt Interval for the Software Authentication Manager

When the SAM detects an abnormal condition during boot time, it prompts the user to take action and waits for a certain interval. When the user does not respond within this interval, SAM proceeds with a predetermined action that can also be configured.

To set up the Prompt Interval, perform the following tasks.

SUMMARY STEPS

1. configure

2. sam prompt-interval time-interval {proceed | terminate}

3. end
or
commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/0/CPU0:router# configure

Enters global configuration mode.

Step 2 

sam prompt-interval time-interval {proceed | terminate}

Example:

RP/0/0/CPU0:router(config)# sam prompt-interval 25 {proceed | terminate}

Sets the prompt interval in seconds, after which the SAM either proceeds or terminates the interval. The Prompt interval ranges from 0 to 300 seconds.

If the user responds, SAM considers it as a `Yes' and proceeds with the next action. If the user does not respond, SAM considers it as a `No' and terminates the action. The default time for which SAM waits is 10 seconds.

Step 3 

end

or

commit

Example:

RP/0/0/CPU0:router(config-sam-prompt-interval)#  end

or

RP/0/0/CPU0:router(config-sam-prompt-interval)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting (yes/no/cancel)? 
[cancel]:
 
        

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.