Overview
Support Case Manager File Upload
Uploading a File at Case Submission
Uploading a File to an Existing Case
Case File Uploader
Customer eXperience Drive
Service Summary
Supported Protocols
CXD Upload Token
Retrieving the Upload Token for an SR
Using SCM
Using the ServiceGrid API
Uploading Files to CXD
Using Desktop Clients
Directly from a Cisco Device
File Upload API
Sample Python Code to use the PUT API
Email File Attachment Uploads
Encrypting Files
Encrypting Files Using WinZip
Encrypting Files Using Tar and OpenSSL
Encrypting Files Using Gzip and GnuPG
Communicating the Password to the TAC Customer Support Engineer
Customer File Retention
Summary
Additional Information
Customers are of prime importance to Cisco, which is why we like to address and resolve customers' problems in a timely manner. One way a customer can assist the process is by providing the relevant files to the Cisco Technical Assistance Center (TAC) for review. The TAC customer support engineers use these files to help resolve customer issues and Cisco provides multiple options for uploading information to the Cisco TAC to match a customer's requirements. Some of these options are less secure, leading to certain inherent risks, and each option has limitations that customers should consider before deciding on an appropriate upload option. Table 1 summarizes the available upload options with details on file encryption capabilities, recommended files size limits, and other relevant information.
Table 1. Available Upload Options
Available Option (In Order of Preference) | Files are Encrypted in Transit | Files are Encrypted at Rest | Recommended File Size Limit | |
---|---|---|---|---|
Support Case Manager (SCM) | Yes |
Yes |
250 GB | |
Case File Uploader | Yes |
Yes |
250 GB | |
Customer eXperience Drive | Yes* |
Yes |
No limit | |
Email to attach@cisco.com | No** |
Yes |
20 MB or less based on customer mail server limits |
|
*Applies to all protocols except FTP. When using FTP, Cisco highly recommends the data is encrypted before being uploaded. **Customer must encrypt prior to transit. Transmission from the customer’s network/email provider may or may not be encrypted in transit. Secure transit is guaranteed only from the point where the email/attachment reaches the Cisco network. |
The Support Case Manager (SCM) file upload method is the preferred and most secure option for uploading files to cases. Files transferred by using this option are encrypted in transit and constrained to a size of 250 GB. The communication channel between the customer’s computing device and Cisco is encrypted. Files uploaded through SCM are immediately linked to the associated case and stored in an encrypted format.
Follow these steps from the Case Confirmation screen. For more detailed instructions on how to create or manage a case on SCM, see SCM Help.
Step 1 Select the Add files to your case button (Figure 1).
Figure 1. SCM: Add Files to Your Case
Step 2 From the Attachments tab, select the Add Files button (Figure 2).
Figure 2. SCM: Attachments Tab
You will be navigated to the Case File Uploader tool. The case you created will be pre-populated in the tool (Figure 3). Continue to section Case File Uploader step 3.
Figure 3. Case File Uploader: File Drag and Drop Screen
After a case is submitted, you may update or change the optional information.
Step 1 Log in to SCM.
Step 2 To open and edit a case, click the case number or case title in the list. The case details page opens.
Step 3 At the top of the case details page, there are three tabs: Summary, Notes, and Attachments. Beside the tabs is a set of toolbar buttons: Attach Files, Add Notes, and Save as PDF. Click Add Files to select a file and upload it as an attachment to the case (Figure 4).
Figure 4. SCM Attachments Screen
You will be navigated to the Case File Uploader tool. The case you created will be pre-populated in the tool (Figure 3). Continue to section Case File Uploader step 3.
Another secure method of uploading files to a case is the Case File Uploader. This tool is similar to SCM in that files transferred by using this option are encrypted in transit and constrained to a size of 250 GB. The communication channel between the customer's computing device and Cisco is encrypted. Files uploaded through the Case File Uploader are immediately linked to the associated case and stored in an encrypted format. Complete the following steps to attach a file by using this tool.
Note: If you discover that the tool is not letting you upload a file to your case, either the case number you entered is invalid or you do not have the required permissions to add files. To upload files to a case, your cisco.com profile must be associated with the contract for which the case was opened. You can add a service contract to your profile using the Cisco Profile Manager or have your service access management administrator do it for you. If you need further assistance, call the Cisco Technical Assistance Center.
Step 1 Log in to Case File Uploader.
Step 2 Enter your Case Number in the provided field (Figure 5).
Figure 5. Case File Uploader: Case Number Input Screen
Step 3 When choosing a file to attach, either drag and drop or click inside the dash-edged box to select the file to upload (Figure 6).
Figure 6. Case File Uploader: File Drag and Drop Screen
Step 4 After choosing a file, if you do not need to specify a description, click Upload. Otherwise, you can choose to add more detail using the other options. (Figure 7). The Category and Description fields enable you to add more information about the file:
Figure 7. Case File Uploader: File Description Input
Step 5 Click Upload to upload the file.
Step 6 The next screen shows the status of the file. After the file uploads, click Upload More (Figure 8) to upload any additional attachments.
Figure 8. Case File Uploader: Upload Status Screen
The Customer eXperience Drive (CXD) is a multi-protocol file upload service with no limitation on the uploaded file size. It allows Cisco customers with active Service Requests (SRs) to upload data directly to a case using a unique set of credentials created per SR. The protocols supported by CXD are natively supported by Cisco products which allows for uploading directly from Cisco devices to SRs.
Table 2 summarizes the protocols supported by CXD. It is worth noting that regardless of the protocol used, there is no limit set on the uploaded file size.
Table 2. CXD Supported Protocols
Name | Protocol/Port | Encrypted | Data Channel Ports | Notes |
---|---|---|---|---|
Secure File Transfer Protocol (SFTP) | TCP/22 | Yes | N/A | |
Secure Copy Protocol (SCP) | TCP/22 | Yes | N/A | |
Hyper Text Transfer Protocol over SSL (HTTPS) | TCP/443 | Yes | N/A | User and Application interfaces available* |
File Transfer Protocol of SSL (FTPS) Implicit | TCP/990 | Yes | 30000-40000 | Firewalls cannot inspect FTPS, as the control channel is encrypted. Hence, the firewall needs to allow outbound connectivity to the entire data channel port range. |
File Transfer Protocol of SSL (FTPS) Explicit | TCP/21 | Yes** | 30000-40000 | |
File Transfer Protocol (FTP) | TCP/21 | No | 30000-40000 |
|
* Details on using the PUT API and sample python code is shared later in this document. ** FTPS Explicit mode requires the client to explicitly request TLS negotiations using the “AUTH TLS” command, before attempting to log in. |
CXD creates unique upload tokens per SR. The SR number and the token are used as the username and password to authenticate to the service and subsequently upload files to the SR.
Note: The token is for upload only and will not allow the user to access case files, or even files currently being uploaded. If the user would like to view case files, that can only be done in SCM.
When an SR is opened, CXD will automatically generate an upload token and insert a note in the SR which contains the token and some details on how to use the service.
In order to retrieve the upload token, complete these steps:
Step 1 Log in to SCM.
Step 2 Open the case you would like to get the upload token for.
Step 3 Click the Attachments tab.
Step 4 Click Generate Token. Once the token is generated it will be displayed next to the Generate Token button.
Notes:
Customers utilizing the ServiceGrid API can retrieve the token programmatically using the GetUploadCredentials API.
Note: An Auth Token is required to call any Cisco ServiceGrid API. For details on obtaining an Auth Token, consult the Cisco ServiceGrid documentation.
HTTP Method: POST
URL: https://apx.cisco.com/custcare/tachwy/v1.0/credentials/case/<SR Number>
Header:
Table 3: ServiceGrid GetUploadCredentials API Header
Key | Type | Value | Mandatory |
---|---|---|---|
Content-Type |
String |
application/json |
Yes |
Authorization |
String |
Bearer <Auth Token> |
Yes |
Body:
Table 4: ServiceGrid GetUploadCredentials API Body
Key | Type | Value | Mandatory |
---|---|---|---|
username |
String |
Cisco.com username authorized to perform a file upload to the SR |
Yes |
email |
String (Email Format) |
Email address of the cisco.com username |
Yes |
In general, all the user needs to do is use a client, depending on the protocol desired, to connect to cxd.cisco.com, authenticate using the SR number as the username and the upload token as the password, and eventually upload a file, or files.
Depending on the protocol and the client, user steps might be different. It is always recommended to refer to the client’s documentation for more details.
All Cisco devices have built-in file transfer clients, usually utilized using a “copy” or “redirect” command. Cisco equipment running on a Linux distribution usually supports one or more of “scp”, “sftp”, and “curl” for SCP, SFTP, and HTTPS integrations.
The file upload API utilizes the HTTP PUT verb to upload files to CXD. For the purpose of maximum compatibility and simplicity of integration, the API is kept simple.
HTTP Method: PUT
URL: https://cxd.cisco.com/home/<destination file name>
Headers:
Table 5: CXD File Upload API Headers
Key | Type | Value | Mandatory |
---|---|---|---|
Authorization |
String |
Basic HTTP Auth String |
Yes |
The body is the file data itself. There are no fields or forms here, which makes the request very simple.
Note that the following code assumes the file is stored in the same path you are running it from.
import requests from requests.auth import HTTPBasicAuth url = 'https://cxd.cisco.com/home/' username = 'SR Number' password = 'Upload Token' auth = HTTPBasicAuth(username, password) filename = 'showtech.txt' f = open(filename, 'rb') r = requests.put(url + filename, f, auth=auth, verify=False) r.close() f.close() if r.status_code == 201: print("File Uploaded Successfully")
If SCM, Case File Uploader, and Customer eXperience Drive do not work for you, another alternate file upload method is email file attachment upload. Note that this method is fundamentally insecure and does not encrypt the file or the communication session used to transport the file between the customer and Cisco. It is incumbent upon the customer to explicitly encrypt files before the files are uploaded through email file attachments. As an additional security best practice, any sensitive information such as passwords should be obfuscated or removed from any configuration file or log that is sent over an unsecure channel. For more information, see Encrypting Files.
After the files are encrypted, upload additional information and files to the case by sending the information via an email message to attach@cisco.com with the case number in the subject line of the message, for example, subject = Case xxxxxxxxx.
Attachments are limited to 20 MB per email update. Attachments submitted by using email messages are not encrypted in transit, but are immediately linked to the specified case and stored in an encrypted format.
Attach the file to an email message and send the message to attach@cisco.com as shown in Figure 10.
Figure 9. Send the File
The previous screen shot shows a Microsoft Outlook email that has an encrypted ZIP file attachment, the correct To address, and a properly formatted Subject. Other email clients should provide the same functionality and perform just as well as Microsoft Outlook.
The following examples show how to encrypt files by using three of the many available options such as WinZip, Linux tar and openssl commands, and Linux Gzip and GnuPG. A strong encryption cipher such as AES-128 should be used to properly protect the data. If you are using ZIP, an application that supports AES encryption must be used. Older versions of ZIP applications support a symmetric encryption system that is not secure and should not be used.
This section shows how to encrypt files by using the WinZip application. Other applications should provide the same functionality and perform as well as WinZip.
Step 1 Create a ZIP archive file as shown in Figure 11. In the WinZip GUI, click New and follow the menu prompts to create an appropriately named, new ZIP archive file. The newly created ZIP archive file appears.
Figure 10. Creating a ZIP Archive
Step 2 Add the file(s) to be uploaded to the ZIP archive file and select the Encrypt added files option as shown in Figure 12. From the main WinZip window, click Add and then select the file(s) to upload. The Encrypt added files option must be selected.
Figure 11. Encrypt Added Files
Step 3 Encrypt the file by using the AES encryption cipher and a strong password as shown in Figure 13:
Figure 12. Encrypt the File
Step 4 Verify that the file is encrypted as shown in Figure 14. Encrypted files are marked with an asterisk following the file name or a lock icon in the Encryption column.
Figure 13. Verify Encryption
This section shows how to encrypt files by using the Linux command-line tar and openssl commands. Other archive and encryption commands should provide the same functionality and perform just as well under Linux or Unix.
Step 1 Create a tar archive of the file and encrypt it through OpenSSL using the AES cipher and a strong password as shown in the following example. The command output shows the combined tar and openssl command syntax to encrypt the file(s) using the AES cipher.
[user@linux ~]$ tar cvzf - Data_for_TAC.dat | openssl aes-128-cbc -k
Str0ng_passWo5D |
dd of=Data_for_TAC.aes128 Data_for_TAC.dat
60+1 records in
60+1 records out
This section shows how to encrypt files by using the Linux command-line Gzip and GnuPG commands. Other archive and encryption commands should provide the same functionality and perform just as well under Linux or Unix. The command output shows how to use the gzip and gpg command syntax to encrypt the file(s) using the AES cipher.
Step 1 Compress the file by using Gzip:
[user@linux ~]$ gzip -9 Data_for_TAC.dat
Step 2 Encrypt the file through GnuPG using the AES cipher and a strong password:
user@linux ~]$ gpg –cipher-algo AES –armor –output Data_for_TAC.dat.gz.asc –symmetric Data_for_TAC.dat.gz
Step 3 Enter and confirm the strong password at the passphrase prompt:
Enter passphrase:
Repeat passphrase:
When encrypting attachments, share the encrypting password with the case Customer Support Engineer owner. As a best practice, use a method other than the one used to upload the file. If you used an email message or FTPS to upload the file, communicate the password out-of-band such as by telephone or SCM case update.
For the duration that a case is open and for a period up to 18 months following final closure of a case, all files are instantly accessible from within the case tracking system to authorized Cisco personnel. After a period of 18 months from final closure, the files may be moved to an archival storage instance to conserve space, but they are not purged (deleted) from the case history.
At any time, an authorized customer contact can expressly request that a specific file be purged from a case. Cisco can then delete that file and add a case note to document the party who deleted the file, the time and date stamp, and the name of the deleted file. After a file is purged in this manner, it cannot be recovered.
Files uploaded to the TAC FTP folder are retained for four days. The case Customer Support Engineer owner needs to be informed when a file is uploaded to this folder. The Customer Support Engineer should back up the files within four days by attaching them to the case.
Multiple options exist for uploading information to Cisco TAC to help them resolve cases. SCM and Cisco’s HTML5 Upload tool both offer secure uploads through a browser, while the CXD offers uploads through a browser, Web API, and multiple protocols that are supported by different types of clients and Cisco devices.
If you cannot use SCM, Cisco HTML 5 File Upload Tool, or a protocol supported by CXD that is not FTP as your file upload method, the least preferred file upload options are FTP, using CXD, or an email message sent to attach@cisco.com. If you use either of these options, it is strongly advised that you encrypt your files before transit. For more information, see Encrypting Files. You should employ a strong password and communicate the password to the case Customer Support Engineer out-of-band such as by telephone or SCM case update.
For the duration that a case is open and for a period up to 18 months following final closure of a case, all files are instantly accessible from within the case tracking system to authorized Cisco personnel.
This document is part of the Cisco Security Research & Operations.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.