Download verification and validation tools. Free.
Integrity Verification (IV) is now available as an application for the APIC-EM, installing into APIC-EM v1.5. The IV application performs an initial integrity verification and then continues to monitor each device for any change in integrity status. It can monitor any device that the APIC-EM can manage.
The Integrity Verification application currently can verify and monitor the following categories for integrity:
Not all devices are supported by the APIC-EM.
Not all devices support all features of the Integrity Verification Application.
Download KGV JSON
To establish software integrity, a Cisco device must be shown to be running authentic, unmodified Cisco software. Today, a Cisco device in the field has no independent point of reference for deciding whether the software it is running is genuine. The Cisco IV application closes that gap by comparing image integrity data collected from the device against Known Good Values (KGV) published for Cisco software.
Cisco produces and publishes a Known Good Value Data file that contains KGVs for many of its products. This KGV file is in standard JSON format, is signed by Cisco, and is bundled with other files into a KGV Combo Bundle that can be retrieved from Cisco.
The contents of the KGV Combo Bundle can also be used with "home grown" or customer developed scripts or applications. The KGV values are standard JSON objects and elements and can be used by any software that can parse JSON data.
The current Cisco produced KGV Data File includes measurements for the following component categories:
Always verify Cisco's signature on the KGV data before using its contents to assign an integrity status to your network elements. If the signature on the KGV data cannot be verified, the contents cannot be trusted and must not be used as a reference.
Cisco's Integrity Verification application verifies the signature on the KGV data automatically, but any "home grown" or customized script must implement this step itself before consuming the KGV Combo Bundle data.
The Bulk Hash file provides a mechanism to re-verify images downloaded from the Cisco Software Downloads page.
A SHA512 hash is now generated for every software image. SHA512 gives a far stronger guarantee that the hash uniquely identifies the image than MD5, for which practical collision attacks are known, so use the SHA512 value when verifying.
Cisco provides both the MD5 and SHA512 hashes for all images made available to customers in a ".csv" file. The compressed ".csv" file is digitally signed by Cisco, and Cisco provides an X.509 certificate for validating the signature on the Bulk Hash File. This end-entity certificate chains to the Cisco SubCA and Root certificates. Validate the authenticity of the X.509 certificate chain before verifying the ".csv" file signature.
Within the Bulk Hash File archive that you can download below, you will find:
How Can I Use It?
The SHA512 hash value of each file on Cisco.com is contained in the ".csv" file that you can download.
Generate a SHA512 hash value for each Cisco image you have downloaded into your network.
Confirm that each hash you generated exactly matches the SHA512 value listed for that image in the Bulk Hash ".csv" file. Treat any mismatch, or an image that has no entry in the file, as untrusted until you have re-downloaded and re-verified it.
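The procedure above, as an added example that is not part of this page or of Cisco's own tooling. It assumes the Bulk Hash ".csv" has a header row with filename, md5 and sha512 columns (check the real file's header and adjust the column names) and that you have already verified the signature on the compressed ".csv" and its certificate chain. The script streams each local image through SHA-512, looks the image up by file name, and reports ok, mismatch, or unknown; the sample images and ".csv" rows are constructed inline so it runs offline.

```python
"""Re-verify downloaded Cisco images against a Bulk Hash .csv (added example)."""
import csv
import hashlib
import hmac
import io
import os
import tempfile

# Assumed column names; confirm against the header row of the real Bulk Hash .csv.
FILENAME_COL = "filename"
MD5_COL = "md5"
SHA512_COL = "sha512"


def load_bulk_hashes(csv_text):
    """Parse the .csv into {filename: {"md5": hex, "sha512": hex}} with lower-cased hex."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[row[FILENAME_COL].strip()] = {
            "md5": row[MD5_COL].strip().lower(),
            "sha512": row[SHA512_COL].strip().lower(),
        }
    return table


def sha512_of_file(path, chunk_size=1 << 20):
    """Hash the image in 1 MiB chunks so multi-gigabyte images are not read into memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, table):
    """Return "ok", "mismatch" or "unknown" for one local image.

    Only the SHA512 column is used for the decision; the MD5 column is parsed
    but ignored because MD5 collisions are practical.
    """
    entry = table.get(os.path.basename(path))
    if entry is None:
        return "unknown"          # not listed in the Bulk Hash file: cannot vouch for it
    actual = sha512_of_file(path)
    # compare_digest: fixed-length hex strings, no early-exit timing difference
    return "ok" if hmac.compare_digest(actual, entry["sha512"]) else "mismatch"


def verify_images(paths, table):
    """Verify every path and return {basename: status}."""
    return {os.path.basename(p): verify_image(p, table) for p in paths}


def demo():
    """Constructed data: two listed images (one later tampered) and one unlisted image."""
    good = b"GOOD IMAGE BYTES " * 1000
    original = b"ORIGINAL IMAGE BYTES " * 1000
    rows = [
        ("good.bin", good),
        ("tampered.bin", original),
    ]
    csv_text = f"{FILENAME_COL},{MD5_COL},{SHA512_COL}\n" + "".join(
        f"{name},{hashlib.md5(data).hexdigest()},{hashlib.sha512(data).hexdigest()}\n"
        for name, data in rows
    )
    table = load_bulk_hashes(csv_text)

    local = {
        "good.bin": good,
        "tampered.bin": original[:-1] + b"X",   # one byte flipped after download
        "other.bin": b"image with no Bulk Hash entry",
    }
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in local.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)
        return verify_images(paths, table)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Point the script at a directory of real images and the decompressed, signature-checked ".csv" by replacing the constructed data in demo(); anything reported as mismatch or unknown should be re-downloaded and re-checked rather than deployed.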