Customer File Uploads to Cisco Technical Assistance Center

Customer File Uploads to Cisco Technical Assistance Center

Contents

Overview
TAC Service Request Tool Java client File Upload
      Uploading the File(s)
Non Java TSRT File Upload
      Uploading the File(s) with Non Java File Upload Tool
TAC Cisco WebEx Support Center and Meeting Center File Transfer
WebEx Personal Folders File Transfer
Alternate File Upload Options
Encrypt Files
      Encrypting Files Using WinZip
      Encrypting Files Using Tar and OpenSSL
      Encrypting Files Using Gzip and GnuPG
E-mail File Attachment Uploads
FTP File Upload
Communicate the Password to the TAC Customer Support Engineer
Customer File Retention
Summary
Additional Information

Overview

Cisco provides multiple options to upload information to the Cisco Technical Assistance Center (TAC) to fit customer’s different operating environments. Some of these options are less secure, leading to certain inherent risks. Each option has limitations that should be considered before deciding on an appropriate upload option. The following table summarizes the available upload options, the availability of file encryption, files size limits, and other relevant limitations.


options table


The preferred and most secure option is to use the TAC Service Request Tool (TSRT) Java client File Upload. Files transferred via this option are encrypted in transit and are size constrained to 256 GB.  The communication channel between the customer’s computing device and Cisco is encrypted and the information is also immediately linked to the associated Service Request and stored in an encrypted format.

A less preferred and most secure option is using TSRT Non-Java File Upload. Files transferred via this option are encrypted in transit. TSRT Non-Java File Upload is less preferred because the tool is limited to file transfers of 20 MB or less. The communication channel between the customer’s computing device and Cisco is encrypted and the information is also immediately linked to the associated Service Request and stored in an encrypted format.

Another option is direct, point-to-point file transfer during a live TAC Cisco WebEx Support Center Session or a TAC Cisco WebEx Meeting Center Session. Cisco WebEx Sessions must be initiated by a Cisco Customer Support Engineer. Files transferred via this option are encrypted in transit and are size constrained to 50 GB.  The communication channel between the customer’s computing device and Cisco is encrypted. This option is less preferred as the files are not automatically linked to the Service Request and must be manually added to the Service Request and removed by the account owner.

Another option is using file transfer via WebEx Personal Folders.   A Cisco Customer Support Engineer will provide instructions on where to upload the file.  Files transferred via this option are encrypted in transit and are size constrained to 50 GB.  This transfer method does not require a live WebEx Session, so the Cisco Customer Support Engineer will need to be informed once the file is posted to this location. This option is less preferred because the files are not automatically linked to the Service Request and must be manually added to the Service Request and removed by the account owner.

 If customers cannot use TSRT or a TAC Cisco WebEx session, the least preferred information upload options are via an e-mail message to attach@cisco.com and through the use of File Transfer Protocol (FTP) to ftp.cisco.com/incoming. Files transferred via e-mail are size constrained to 20 MB and files transferred via FTP are size constrained to 50 GB. These options do not inherently secure the communication channel between the customer’s computing device and Cisco, nor is the information stored securely until it is attached to the customer’s Service Request. If either of these alternative options are used, it is incumbent upon the customer to explicitly encrypt the data before it is uploaded. The customer should employ a strong password, and communicate the password used to Service Request Customer Support Engineer owner out-of-band, for example over the telephone or via TSRT case update.

TAC Service Request Tool Java Client File Upload

TSRT Java client File Upload is the preferred and most secure upload option. This tool allows customers to create and query Service Requests. Customers can query the history and status of the Service Requests that have opened with the Cisco TAC and update those Service Requests while they are open. TSRT Java client File Upload feature also allows customers to upload files. These files are attached to the Service Request and will be used by the Service Request Customer Support Engineer owner to help resolve the issue.

Files up to 256 GB in size may be attached to a Service Request. Files are encrypted during upload to Cisco. A Java applet initiates the upload on the client side and encrypts the files while providing the widest interoperability for different browsers and different operating systems.

Note: Java Runtime Environment (JRE) 1.6.0_17 or later is required. Download the latest Java update at www.Java.com . Non-Java users can use the TSRT Non-Java File Upload to securely transfer multiple files (totaling 20 MB) to Cisco. The TSRT Non-Java File Upload is documented later in this document. Additional system requirements and limitations are documented at the following link:http://www.cisco.com/web/tsweb/tsrt/system_requirements.html

Uploading the File(s)

Complete the following steps to upload files using this method:

Step 1   Search for the Service Request using TSRT at the following link:
https://tools.cisco.com/ServiceRequestTool/query/QueryCaseSearchAction.do

Step 2 Accept the Java Applet from Cisco, and navigate to the Upload Options section, as shown in Figure 1.


Figure 1. Upload Options

Fig 1 Upload options

Step 3 Figure 2 shows the screen that will be displayed.


Figure 2. File Upload

Fig 2 File upload

Select a file to be uploaded by clicking the Browse button and choosing a file from the local directory. 

Step 4 Select the file type under File Type and enter any additional information in the Comments for TAC field.

Step 5  Click the Upload File button to upload the file.

Repeat Steps 4 and 5 for each additional file that will be uploaded.

A message confirming the upload will be displayed, and a notification will be sent to the Service Request Customer Support Engineer owner.

Non Java TSRT File Upload

As mentioned earlier in this document, the TSRT File Upload feature requires Java Runtime Environment (JRE) 1.6.0_17 or later. Non-Java users can use the Non Java File Upload to transfer files to Cisco. Files transferred using this option are encrypted in transit. TSRT without Java is less preferred because the tool is limited to file transfers of 20 MB or less. The communication channel between the customer’s computing device and Cisco is encrypted and the information is also immediately linked to the associated Service Request and stored in an encrypted format.

Uploading the File(s) with Non Java File Upload Tool

Complete the following steps to upload files using this method:

Step 1  Search for the Service Request using TSRT at the following link:
https://tools.cisco.com/ServiceRequestTool/query/QueryCaseSearchAction.do

Step 2 Navigate to the Upload Options section, as shown in Figure 3.


Figure 3. Non Java File Upload Tool

Fig 3 Non Java file upload

Step 3 Click on the Non Java File Upload Tool link, as shown above

Step 4 The following screen will be shown. Use the fields displayed on that page to upload up to three files at one time (totaling 20 MB) to the Service Request.  Additional comments describing each file can be added in the Comments for TAC field.

Figure 4 shows the screen that will be displayed.


Figure 4. Upload New Files

Fig 4 upload new files


TAC Cisco WebEx Support Center and Meeting Center File Transfer

Another option is direct, point-to-point file transfer during a live TAC Cisco WebEx Support Center session or a TAC Cisco WebEx Meeting Center session. Cisco WebEx sessions must be initiated by a Cisco Customer Support Engineer. Files transferred with this option are encrypted in transit and are size-constrained to 50 GB.  The communication channel between the customer’s computing device and Cisco is encrypted. This option is less preferred because the files are not automatically linked to the Service Request and must be manually added to the Service Request and removed by the account owner.

WebEx Personal Folders File Transfer

Another option is using file transfer via WebEx Personal Folders. A Cisco Customer Support Engineer will provide instructions on where to upload the file.  Files transferred with this option are encrypted in transit and are size-constrained to 50 GB.  This transfer method does not require a live WebEx session, so the Cisco Customer Support Engineer will need to be informed once the file is posted to this location. This option is less preferred because the files are not automatically linked to the Service Request and must be manually added to the Service Request and removed by the account owner.

Alternate File Upload Options

If the TAC Service Request Tool or a TAC Cisco WebEx session cannot be used to upload files, there are alternate upload methods available. Please note that these alternate upload methods are fundamentally insecure and do not encrypt the file or the communication session used to transport the file between the customer and Cisco.
It is incumbent upon the customer to explicitly encrypt the files before they are uploaded using the alternate upload methods. As an additional security best practice, any sensitive information (such as passwords) should be obfuscated or removed from any configuration file or log that is sent over an unsecure channel. The following section describes how to encrypt these files.

Encrypt Files

The following examples show how to encrypt files using three of the many available options such as WinZip, Linux tar and openssl commands, and Linux Gzip and GnuPG. A strong encryption cipher such as AES-128 should be used to properly protect the data. If using ZIP, an application that supports AES encryption must be used. Older versions of ZIP applications support a symmetric encryption system that is not secure and should not be used.

Encrypting Files Using WinZip

For illustrative purposes, this section shows how to encrypt files using the WinZip application. Other applications should provide the same functionality and perform as well as WinZip.

Step 1 Create a ZIP Archive as shown in Figure 5.


Figure 5. Creating a ZIP Archive

Fig 5 Create a Zip

From the WinZip GUI select New and follow the menu prompts to create an appropriately named, new ZIP archive file. The newly created ZIP archive file will appear as shown in Figure 5.

Step 2 Add the file(s) to be uploaded to the ZIP Archive and select the Encrypt added files option as shown in Figure 6.


Figure 6. Encrypt Added Files

Fig 6 Encrypt Added Files

From the main WinZip window, select Add and then select the file(s) that will be uploaded. The Encrypt added files option must be selected as shown in Figure 6.

Step 3 Encrypt the file using the AES encryption cipher and a strong password.


Figure 7. Encrypt the File

Fig 7 Encrypt the File

Selecting Add from the file selection window will open the Encrypt window. An appropriate strong password should be created. This password will be shared with the Service Request Customer Support Engineer owner as discussed later in this document. One of the AES Encryption methods should be selected as shown above.

Step 4 Verify that the file is encrypted. Figure 8 shows the screen that will be displayed.


Figure 8. Verify Encryption

Fig 8 Verify Encryption


Selecting OK in the Encrypt window will encrypt the file(s) and display the main WinZip window. Encrypted files are marked with an asterisk following the file name or a lock icon in the Encryption column as shown above.

Encrypting Files Using Tar and OpenSSL

For illustrative purposes, this section shows how to encrypt files using the Linux command line tar and openssl commands. Other archive and encryption commands should provide the same functionality and perform just as well under Linux or Unix.

Step 1 Create a tar archive of the file and encrypt it through OpenSSL using the AES cipher and a strong password as shown in the example below.



[user@linux ~]$ tar cvzf - Data_for_TAC.dat | openssl aes-128-cbc -k Str0ng_passWo5D | 
                dd of=Data_for_TAC.aes128
Data_for_TAC.dat
60+1 records in
60+1 records out

The above command output shows the combined tar and openssl command syntax to encrypt the file(s) using the AES cipher.

Encrypting Files Using Gzip and GnuPG

For illustrative purposes, this section shows how to encrypt files using the Linux command line Gzip and GnuPG commands. Other archive and encryption commands should provide the same functionality and perform just as well under Linux or Unix. Step 1: Compress the file using Gzip as shown in the example below

Step 1 Compress the file using Gzip as shown in the example below
Step 2 Encrypt the file through GnuPG using the AES cipher and a strong password as shown in the example below
Step 3 Enter and confirm the strong password at the Enter passphrase prompt as shown in the example below


[user@linux ~]$ gzip -9 Data_for_TAC.dat     Step 1
[user@linux ~]$ gpg –cipher-algo AES –armor –output Data_for_TAC.dat.gz.asc 
               –symmetric Data_for_TAC.dat.gz     Step 2
Enter passphrase:     Step 3
Repeat passphrase:    Step 3

The above command output shows using the gzip and gpg command syntax to encrypt the file(s) using the AES cipher.

E-mail File Attachment Upload

Once the files are encrypted, if the customer is unable to utilize the TAC Service Request Tool or a TAC Cisco WebEx session, additional information can be added to the Service Request by sending the information via an e-mail message to attach@cisco.com with the Service Request number in the subject line of the message (for example, SUBJECT = SR xxxxxxxxx).  Attachments are limited to 20 MB per e-mail update. Attachments submitted using e-mail messages are not encrypted in transit, but are stored in an encrypted format when they are linked to the Service Request. It is incumbent upon the customer to explicitly encrypt the data before transit.

Send the file attached to the e-mail message to attach@cisco.com as shown in Figure 9.


Figure 9. Send the File

Fig 9 email the fie


For illustrative purposes, the above output shows a Microsoft Outlook e-mail with an encrypted ZIP file attachment, the correct To address, and a properly formatted Subject. Other email clients should provide the same functionality and perform just as well as Microsoft Outlook.

FTP File Upload

Once the files are encrypted, if the customer is unable to utilize the TAC Service Request Tool or a TAC Cisco WebEx session, additional information can be added to the Service Request by uploading it to Cisco via the File Transfer Protocol (FTP). Files transfer using FTP are size-constrained to 50 GB. Files submitted using FTP are not encrypted in transit and are not encrypted at rest on the ftp.cisco.com server. Because of the insecure nature of FTP, this is the least preferred method of file uploading. It is incumbent upon the customer to explicitly encrypt the data before transit. FTP client applications must support passive mode to upload files to ftp.cisco.com.

The Cisco Customer Support Engineer will need to be informed once the file is posted to this location. Submitted files are manually linked to the Service Request by the Customer Support Engineer owner.  Files are regularly purged from the FTP site and deleted from the FTP server file structure.

Step 1 Use the ftp command with the “n” option to connect to ftp.cisco.com as show in the example below. The “n” option prevents the FTP client from attempting an auto-login with the ftp.cisco.com server.


[user@linux ~]$ ftp -n ftp.cisco.com     Step 1          
Connected to download-rcdn1.cisco.com.
220-<}======[+]> FTP.CISCO.COM <[+]======={>
220-
220-  Welcome to Cisco Systems FTP server.
220-
220-  Cisco.com                       |        |      Cisco Systems, Inc.
220-                                 |||      |||     170 West Tasman Drive
220-  Phone: +1.800.553.2447      .:|||||:..:|||||:.  San Jose, CA 95134
220-
220-  Local time is Mon Jan 09 13:52:28 2012.
220-
220-  Please read the following restrictions before proceeding. For further instructions 
        please read the /README file.
220-
220-Note:
220-o   To download files you must run a *passive-mode* capable FTP client to download
         files from ftp.cisco.com.
220-o   You must use the TAC Service Request Tool (TSRT) to upload files.
220-
220-Available Software:
220-o    Only publicly distributed software is available on ftp.cisco.com
220-o    All the other software is available in the Download area on www.cisco.com.
220-
220-You must only login with:
220-o   "anonymous" as userid and password to access publicly distributable software.
220-
220-Note:
220-
220-Files can be uploaded using the TAC Service Request tool (TSRT) using  one of the 
          following options:
220-
220-    o Use the TSRT Java tool to attach any size file to an open SR
220-    o Use the TSRT Non-Java tool to attach files less than 20 MB to an open SR
220-    o Send an email with the SR number in the subject to attach@cisco.com with an 
          attachment of less than 20MB
220-
220-By downloading Cisco Software via Cisco File Transfer Protocol (FTP Tool) you agree 
          to the following:
220-
220-o   Cisco products, technology and services are subject to U.S. and local export control 
        laws and regulations.
220-o   Customer shall comply with such laws and regulations governing use, export, re-export, 
        and transfer of products, technology and services and will obtain all required U.S.  
        and local authorizations, permits, or licenses.
220-o   Customer certifies that they are not on the U.S. Department of Commerce's 
        Denied Persons List or affiliated lists, on the U.S. Department of Treasury's  
        Specially Designated Nationals List or on any U.S. Government export exclusion lists.
220-o   The export obligations under this clause shall survive the expiration or termination 
        of this Agreement.
220-
220-o   You are bound by the Cisco End User License Agreement ("EULA ") posted at 
        http://cisco.com/go/eula regarding the use of any software you download from this FTP Tool.
220-
220-If you encounter any problems please contact your local Technical Assistance Center (TAC)  
        if you are a Cisco Customer or open an Alliance case if you are a Cisco employee.
220 download-prod1-01.cisco.com FTP Server (Apache/2.2) ready.
504 AUTH mechanism not available
504 AUTH mechanism not available
KERBEROS_V4 rejected as an authentication type
ftp>

For illustrative purposes, this section shows how to connect to ftp.cisco.com using the Linux command line ftp client. Other command line and GUI ftp clients should provide the same functionality and perform just as well as under Linux or UNIX. Please note that there are several restrictions regarding the use of ftp.cisco.com which are listed in the login banner as shown above.

Step 2 Log in as the user anonymous and use a valid e-mail address as the password as shown in the example below.

Step 3 Change the ftp.cisco.com directory to incoming. All files to be uploaded to Cisco must be placed in the incoming directory as shown in the example below.

Step 4 Switch to BINARY data transfer mode. Because the files to be uploaded have been encrypted, the binary data transfer mode must be selected as shown in the example below.

Step 5 Upload the file using the ftp put command as shown in the example below.


ftp> user anonymous     Step 2
331 Guest login ok, type your email address as the password
Password: 
230 User anonymous logged in
ftp> bin     Step 3
200 Type set to I
ftp> cd incoming     Step 4
250 CWD command successful.
ftp> put Data_for_TAC.aes128     Step 5
local: Data_for_TAC.aes128 remote: Data_for_TAC.aes128
227 Entering Passive Mode (72,163,7,54,61,81)
150 Opening BINARY mode data connection for Data_for_TAC.aes128
226 Transfer complete.
30752 bytes sent in 0.0063 seconds (4.8e+03 Kbytes/s)
ftp>

For illustrative purposes, this example shows how to transfer the encrypted file to ftp.cisco.com/incoming using the Linux command line ftp client. Other command line and GUI ftp clients should provide the same functionality and perform just as well as under Linux or UNIX.

Communicate the Password to the TAC Customer Support Engineer

If encrypting attachments, the encrypting password must be shared with the Service Request Customer Support Engineer owner. As a best practice, a method other than that used to upload the file should be used. If an e-mail message or ftp is used to upload the file, the password should be communicated out-of-band by telephone or as a TSRT case update as discussed in the TAC Service Request Tool (TSRT) Java client File Upload section of this document.

Customer File Retention

For the duration a Service Request is open, and for a period up to 18 months following the final closure of a Service Request, all files are instantly accessible from within the Service Request tracking system to authorized Cisco personnel.  After a period of 18 months from final closure, the files may be moved to an archival storage instance to conserve space, but they are not purged (deleted) from the Service Request history.

At any time, an authorized customer contact can expressly request a specific file be purged from a Service Request. Cisco can then delete that file, and a case note is added to document the party who deleted the file, the time and date stamp, and the name of the deleted file. Once a file is purged in this manner, it cannot be recovered.

Summary

As shown above, multiple options exist for customers to upload information to Cisco TAC to assist in the resolution of Service Requests.Some of these options are less secure, leading to certain inherent risks. Each option has limitations that should be considered before deciding on an appropriate upload option.

  1. The preferred and most secure option is to use the TSRT Java client File Upload. Files transferred with this option are encrypted in transit and are size-constrained to 50 GB.  The communication channel between the customer’s computing device and Cisco is encrypted and the information is also immediately linked to the associated Service Request and stored in an encrypted format.
  2. A less preferred but most secure option is using TSRT Non Java File Upload. Files transferred via this option are encrypted in transit. TSRT Non Java File Upload is less preferred because the tool is limited to file transfers of 20 MB or less. The communication channel between the customer’s computing device and Cisco is encrypted and the information is also immediately linked to the associated Service Request and stored in an encrypted format.
  3. Another option is direct, point-to-point file transfer during a live TAC Cisco WebEx Support Center session or a TAC Cisco WebEx Meeting Center session. Cisco WebEx sessions must be initiated by a Cisco Customer Support Engineer. This option is less preferred because the files are not automatically linked to the Service Request and must be manually added to the Service Request and removed by the account owner.
  4. Another option is using file transfer via WebEx Personal Folders. A Cisco Customer Support Engineer will provide instructions on where to upload the file.  This transfer method does not require a live WebEx Support Center or Meeting Center session, so the Cisco Customer Support Engineer will need to be informed when the file is posted to this location. This option is less preferred because the files are not automatically linked to the Service Request and must be manually added to the Service Request and removed by the account owner.
  5. If customers cannot use TSRT or a TAC Cisco WebEx session, the least preferred information upload options are using an e-mail message sent to attach@cisco.com and through the use of FTP to ftp.cisco.com/incoming. These options do not inherently secure the communication channel between the customer’s computing device and Cisco, nor is the information stored securely until it is attached to the customer’s Service Request.
    • If either of these alternative options are used, it is incumbent upon the customer to explicitly encrypt the data before it is uploaded.
    • The customer should also communicate the strong password used to encrypt the information out-of-band, for example, over the telephone or via TSRT case update, to the Service Request Customer Support Engineer owner.
  6. For the duration a Service Request is open, and for a period up to 18 months following the final closure of a Service Request, all files are instantly accessible from within the Service Request tracking system to authorized Cisco personnel. 
    • After 18 months the files may be moved to archival storage
    • At any time, an authorized customer contact can expressly request a specific file be purged from a Service Request.

Additional Information

Accessing Cisco Technical Services
Cisco Worldwide Support Contacts
Cisco Technical Services Resource Guide
TAC Service Request Tool -- New Request
TAC Service Request Tool -- My Requests
TSRT System Requirements and Limitations
Cisco Blog > Security > NCSAM Tip #3: What You Should Consider to be a Secure Password
WebEx - Cisco Systems
The GNU Privacy Guard
The OpenSSL Project
WinZip

This document is part of Cisco Security Intelligence Operations.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top

Cisco Security Intelligence Operations