Cisco IOS XR System Security Configuration Guide for the Cisco XR 12000 Series Router, Release 4.2.x
Configuring Software Authentication Manager
Downloads: This chapterpdf (PDF - 1.11MB) The complete bookPDF (PDF - 3.42MB) | Feedback

Configuring Software Authentication Manager

Configuring Software Authentication Manager

Software Authentication Manager (SAM) is a component of the the Cisco IOS XR Software operating system that ensures that software being installed on the router is safe, and that the software does not run if its integrity has been compromised.

For information on SAM commands, see the Software Authentication Manager Commands on Cisco IOS XR Software module in the Cisco IOS XR System Security Command Reference for the Cisco XR 12000 Series Router.

For information on setting the system clock, see the clock set command in the Clock Commands on Cisco IOS XR Software module in Cisco IOS XR System Management Command Reference for the Cisco XR 12000 Series Router.

Feature History for Configuring Software Authentication Manager

Release

Modification

Release 3.5.0

This feature was introduced.

Prerequisites for Configuring Software Authentication Manager

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Information about Software Authentication Manager

For SAM to verify software during installation, the software to be installed must be in a Packager for IOS/ENA (PIE) format. PIEs are digitally signed and SAM verifies the digital signature before allowing bits from that PIE to reside on the router. Each time an installed piece of software is run, SAM ensures that the integrity of the software is not been compromised since it was installed. SAM also verifies that software preinstalled on a flash card has not been tampered with while in transit.

When the initial image or a software package update is loaded on the router, SAM verifies the validity of the image by checking the expiration date of the certificate used to sign the image. If an error message is displayed indicating that your certificate has expired, check the system clock and verify that it is accurate. If the system clock is not set correctly, the system does not function properly.

How to set up a Prompt Interval for the Software Authentication Manager

When the SAM detects an abnormal condition during boot time, it prompts the user to take action and waits for a certain interval. When the user does not respond within this interval, SAM proceeds with a predetermined action that can also be configured.

To set up the Prompt Interval, perform the following tasks.

SUMMARY STEPS

    1.    configure

    2.    sam promptinterval time-interval {proceed | terminate}

    3.    Use one of these commands:

    • end
    • commit


DETAILED STEPS
      Command or Action Purpose
    Step 1 configure


    Example:
    RP/0/0/CPU0:router# configure
     

    Enters global configuration mode.

     
    Step 2 sam promptinterval time-interval {proceed | terminate}


    Example:
    RP/0/0/CPU0:router(config)# sam prompt-interval 25 {proceed | terminate}
    
     

    Sets the prompt interval in seconds, after which the SAM either proceeds or terminates the interval. The Prompt interval ranges from 0 to 300 seconds.

    If the user responds, SAM considers it as a ‘Yes’ and proceeds with the next action. If the user does not respond, SAM considers it as a ‘No’ and terminates the action. The default time for which SAM waits is 10 seconds.

     
    Step 3 Use one of these commands:
    • end
    • commit


    Example:
    RP/0/0/CPU0:router(config)# end

    or

    RP/0/0/CPU0:router(config)# commit
     

    Saves configuration changes.

    • When you issue the end command, the system prompts you to commit changes:
      Uncommitted changes found, commit them
      before exiting(yes/no/cancel)? [cancel]:
      
      • Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
      • Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
      • Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
    • Use the commit command to save the configuration changes to the running configuration file, and remain within the configuration session.