IOS-XR Certificate Expiration CSCut52232 - ASR9K

From DocWiki

Jump to: navigation, search

Contents

Problem Description

On October 17, 2015, the previously implemented Code Signing Server (CSS) certificates used in classic Cisco IOS®-XR will expire. These CSS certificates are used by Cisco IOS-XR software (SW) in order to verify upgrades, downgrades, Software Maintenance Upgrades (SMUs), and Packages Installation Envelope (PIEs) before installation.

Background

  • Cisco IOS-XR currently uses CSS certificates in order to sign and verify upgrades, downgrades, SMUs, and PIEs in the installation process.
  • Cisco IOS-XR SW, SMUs, and PIEs are signed by these certificates.
  • Cisco IOS-XR SW, SMUs, and PIEs are allowed to install only if the system can validate the certificate and signature carried in the SMU/PIE.

Affected Releases

  • 3.8.x
  • 3.9.x
  • 4.0.x
  • 4.1.x
  • 4.2.x
  • 4.3.x
  • 5.0.x
  • 5.1.x
  • 5.2.x
  • 5.3.0

Any release specific only to NCS6K Platform are not needed as NCS6K is not impacted due to this issue.


How to install CSCut52232

The root certificate is inside of the .tar file.

Longer instructions can be found here:

  • Download the appropriate package for the target release
    • Example ... asr9k-px-4.3.4.CSCut52232.tar
  • Untar the file
    • Use a program like 7zip
  • Copy the certificate (the .cer file) inside of the .tar file to the router
RP/0/RSP0/CPU0:ASR9006-L# copy tftp://10.0.0.1/css-root.cer harddisk:                    
Destination filename [/harddisk:/css-root.cer]?
Accessing tftp://10.0.0.1/css-root.cer
C
1217 bytes copied in      0 sec
  • Enter the K Shell
RP/0/RSP0/CPU0:ASR9006-L# run
  • Install the certificate
#  samcmd sam add certificate /harddisk:/css-root.cer root trust
SAM: Successful adding certificate /harddisk:/css-root.cer
# exit

  • Add and activate the Post Expiry .pie
  • NOTE: This should not be service impacting however, there is a known issue on releases prior to 5.1.2 where a Service Pack is active that may result in the activation of this SMU requiring a reload. This is due to releases prior to 5.1.2 not having native support for service packs and if the pre-requisiste SMUs were not applied prior to the service pack then activation of the SAM Cert SMU may require a reload.
RP/0/RSP0/CPU0:ASR9006-L# admin install add tftp:/10.0.0.1/asr9k-px-4.3.4.CSCut52232.pie 
Install operation 52 '(admin) install add /tftp:/10.0.0.1/asr9k-px-4.3.4.CSCut52232.pie' started by user 'thaske' via
CLI at 17:36:37 UTC Mon Nov 02 2015.
The install operation will continue asynchronously.
RP/0/RSP0/CPU0:ASR9006-L#Info:     The following package is now available to be activated:
Info:     
Info:         disk0:asr9k-px-4.3.4.CSCut52232-1.0.0
Info:     
Info:     The package can be activated across the entire router.
Info:     
Install operation 52 completed successfully at 17:36:57 UTC Mon Nov 02 2015.
  • Activate the SMU
RP/0/RSP0/CPU0:ASR9006-L# admin install activate disk0:asr9k-px-4.3.4.CSCut52232-1.0.0 
  • Commit the .pie
RP/0/RSP0/CPU0:ASR9006-L# admin install commit
Install operation 53 '(admin) install commit' started by user 'thaske' via CLI at 17:37:25 UTC Mon Nov 02 2015.
Install operation 53 completed successfully at 17:37:30 UTC Mon Nov 02 2015.

Rating: 5.0/5 (14 votes cast)

Personal tools