Install MOP – CSS to Abraxas Migration
First Published: May 3, 2015
Last Updated: May 15, 2015
This document describes how to prepare for the CSS to Abraxas code signing migration for IOS XR images.
CSS-to-Abraxas Code Migration Overview
IOS-XR uses certificates to sign and verify SMUs and packages that are installed on it to ensure only valid packages are installed.
The root certificate in all XR images expires on October 17, 2015. After this expiry date, any verification done using this certificate will fail. Users cannot install any new SMU or pie files, or perform a system upgrade/downgrade, after the expiry date. However, existing installations will continue to work.
Currently, the CSS server is used to sign the SMUs when they are built. In view of upgraded security standards, the Product Security Baseline (PSB) and the Infosec team recommend using the Abraxas server to sign the images.
All SMUs will be signed using the Abraxas server, starting from XR5.3.2, XR6.0 and beyond. To comply with Abraxas-based SMU signing, users must install a pre-expiry SMU on the existing images before October 17, 2015. The pre-expiry SMU extends the validity of the root certificate on the existing image and ensures the newer SMUs can be signed using the Abraxas server. If the pre-expiry SMU is not installed before October 17, 2015, users must perform the following two steps:
1. Add the root certificate.
2. Install a post-expiry SMU. The post-expiry SMU ensures the newer SMUs can be signed using the Abraxas server.
Users can install SMU or pie files only after installing either the pre-expiry or post-expiry SMU, as appropriate.
The following procedures provide the steps required to prepare for the CSS to Abraxas migration.
How to Prepare for CSS to Abraxas Code Signing Migration
Installing a pre-expiry SMU
If the date is still before October 17, 2015, you must install the pre-expiry SMU corresponding to your image. Installing the pre-expiry SMU extends the validity of the root certificate on the XR image. You can install additional SMUs or pie files only after adding the pre-expiry SMU.
Important: If you do not install a pre-expiry SMU before October 17, 2015, you must follow the steps provided in Installing a post-expiry SMU.
Pre-requisites
Be sure to install the pre-expiry SMU before October 17, 2015.
Steps to install a pre-expiry SMU
Perform the following steps to install a pre-expiry SMU:
1. Pick the pre-expiry SMU for your image from here.
2. Add the pre-expiry SMU to your router using the install add command.
3. Activate the SMU using the install activate command.
Note: You can continue installing other SMUs using the install add and install activate commands, after installing the pre-expiry SMU, even after the expiry date.
Example
The following example shows how to install a pre-expiry SMU for XR5.1.3:
RP/0/RSP0/CPU0:Router(admin)#
install add tftp://10.10.1.1/tftpboot-location/asr9k-px-5.1.3.CSCut30136-1.0.0 sync
Tue Apr 21 04:00:03.727 UTC
Install operation 13 '(admin) install add
/tftp://10.10.10.1/auto/tftpboot-location/asr9k-px-5.1.3.CSCut30136-1.0.0
.pie synchronous' started by user 'cisco' via CLI at 04:00:04 UTC Tue Apr 21
2015.
Info: The following package is now available to be activated:
Info:
Info: disk0:asr9k-px-5.1.3.CSCut30136-1.0.0
Info:
Info: The package can be activated across the entire router.
Info:
Install operation 13 completed successfully at 04:00:12 UTC Tue Apr 21 2015.
RP/0/RSP0/CPU0:Router(admin)#
install activate disk0:asr9k-px-5.1.3.CSCut30136-1.0.0 sync
Tue Apr 21 04:00:24.621 UTC
Install operation 14 '(admin) install activate
disk0:asr9k-px-5.1.3.CSCut30136-1.0.0 synchronous' started by user 'cisco' via
CLI at 04:00:24 UTC Tue Apr 21 2015.
Info: Install Method: Parallel Process Restart
| 15% complete: The operation can still be aborted (ctrl-c for options)RP/0/RSP0/CPU0:Apr 21 04:01:36.180 : sam_server[384]: %SECURITY-SAM-4-CAUGHT_SIGNAL : server terminating..
RP/0/RSP0/CPU0:Apr 21 04:01:36.494 : sam_server[384]: %SECURITY-SAM-4-SYSDB_INTEGRITY : Cannot guarantee the integrity of SAM SysDB name space, SAM internal tables had been discarded, and will try to recover from backup files.
Info: The changes made to software configurations will not be persistent
Info: across system reloads. Use the command '(admin) install commit' to
Info: make changes persistent.
Info: Please verify that the system is consistent following the software
Info: change using the following commands:
Info: show system verify
Info: install verify packages
Install operation 14 completed successfully at 04:01:59 UTC Tue Apr 21 2015.
RP/0/RSP0/CPU0:Router(admin)#
Installing a post-expiry SMU
If the date is past October 17, 2015, you must install a post-expiry SMU along with the new root certificate. You can install additional SMUs or pie files after adding the post-expiry SMU.
Pre-requisites
— Be sure to add the root certificate before installing the post-expiry SMU.
— The post-expiry SMU can be installed at any time after October 17, 2015.
Steps to install a post-expiry SMU
1. Copy the root certificate to the disk on your router. The root certificate is available here.
2. Install the certificate using the sam add certificate command from the privileged EXEC mode, if you have logged in to the router from the console.
OR
Install the certificate using the samcmd sam add certificate command from the shell.
3. Download the post-expiry SMU for your image from here.
a. Add the SMU to your router using the install add command.
b. Activate the SMU using the install activate command.
Note: You can continue installing other SMUs using the install add and install activate commands, after installing the post-expiry SMU.
Example
The following example shows how to install a post-expiry SMU for XR5.1.3:
RP/0/RSP0/CPU0:ROUTER#
copy tftp://10.10.1.1/tftpboot-location/css-root.cer disk0:
Wed Dec 21 06:01:16.464 UTC
Destination filename [/disk0:/css-root.cer]?
Accessing tftp://10.10.1.1/tftp-location/Location/css-root.cer
C
1217 bytes copied in 0 sec
RP/0/RSP0/CPU0:ROUTER#
sam add certificate /disk0:/css-root.cer root trust
Wed Dec 21 06:09:43.207 UTC
SAM: Successful adding certificate /disk0:/css-root.cer
OR
RP/0/RSP0/CPU0:ROUTER#
run
Wed Dec 21 06:19:43.207 UTC
#
samcmd sam add certificate /disk0:/css-root.cer root trust
SAM: Successful adding certificate /disk0:/css-root.cer
RP/0/RSP0/CPU0:ROUTER(admin)#
install add tftp://10.10.1.1/tftpboot-location/asr9k-px-5.1.3.CSCut52232-1.0.0 sync
Wed Dec 21 06:12:33.087 UTC
Install operation 20 '(admin) install add
/tftp://10.10.1.1/tftpboot-location/asr9k-px-5.1.3.CSCut52232-1.0.0
synchronous' started by user 'cisco' via CLI at
06:12:33 UTC Wed Dec 21 2016.
Info: The following package is now available to be activated:
Info:
Info: disk0:asr9k-px-5.1.3.CSCut52232-1.0.0
Info:
Info: The package can be activated across the entire router.
Info:
Install operation 20 completed successfully at 06:12:40 UTC Wed Dec 21 2016.
RP/0/RSP0/CPU0:ROUTER(admin)#
install activate disk0:asr9k-px-5.1.3.CSCut52232-1.0.0
sync
Wed Dec 21 06:41:02.086 UTC
Install operation 7 '(admin) install activate
disk0:asr9k-px-5.1.3.CSCut52232-1.0.0
synchronous' started by user 'cisco'
via CLI at 06:41:02 UTC Wed Dec 21 2016.
Info: Install Method: Parallel Process Restart
/ 15% complete: The operation can still be aborted (ctrl-c for options)
Info: The changes made to software configurations will not be persistent
Info: across system reloads. Use the command '(admin) install commit' to
Info: make changes persistent.
Info: Please verify that the system is consistent following the software
Info: change using the following commands:
Info: show system verify
Info: install verify packages
\ 100% complete: The operation can still be aborted (ctrl-c for options)RP/0/RSP0/CPU0:Wed 21 06:42:37.856 : instdir[253]: %INSTALL-INSTMGR-4-ACTIVE_SOFTWARE_COMMITTED_INFO : The currently active software is not committed. If the system reboots then the committed software will be used. Use 'install commit' to commit the active software.
Install operation 7 completed successfully at 06:42:37 UTC Wed Dec 21 2016.
RP/0/RSP0/CPU0:ROUTER(admin)#
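The transcripts in this document end with the active software uncommitted, so a reload would fall back to the committed software and drop the SMU. The following added example (not part of the original MOP or any Cisco tooling) audits a captured admin-mode session for operations that never reported completion and for a pending install commit. The function names and the assembled sample log are assumptions, and the install commit start line is assumed to follow the same shape as the other operations.

```python
import re

# Patterns follow the install log lines shown in this document's transcripts.
STARTED = re.compile(r"Install operation (\d+) '\(admin\) install (\w+)")
DONE = re.compile(r"Install operation (\d+) completed successfully")

# Constructed sample, assembled from lines in the transcripts on this page.
SAMPLE = """\
Install operation 13 '(admin) install add
/tftp://10.10.10.1/auto/tftpboot-location/asr9k-px-5.1.3.CSCut30136-1.0.0
.pie synchronous' started by user 'cisco' via CLI at 04:00:04 UTC Tue Apr 21
2015.
Install operation 13 completed successfully at 04:00:12 UTC Tue Apr 21 2015.
Install operation 14 '(admin) install activate
disk0:asr9k-px-5.1.3.CSCut30136-1.0.0 synchronous' started by user 'cisco' via
CLI at 04:00:24 UTC Tue Apr 21 2015.
Info: across system reloads. Use the command '(admin) install commit' to
Install operation 14 completed successfully at 04:01:59 UTC Tue Apr 21 2015.
Install operation 32 '(admin) install deactivate synchronous' started by user 'cisco' via CLI at 04:19:51 UTC Tue Mar 15 2016.
"""

# Assumption: 'install commit' is logged in the same shape as other operations.
COMMIT = """\
Install operation 15 '(admin) install commit' started by user 'cisco' via CLI.
Install operation 15 completed successfully at 04:05:00 UTC Tue Apr 21 2015.
"""

def audit_install_log(text):
    """Return (operations, commit_pending) for a captured session log.

    operations: dicts {id, verb, completed}, in the order they were started.
    commit_pending: True when an activate/deactivate completed and no
    'install commit' operation completed after it.
    """
    ops, by_id, commit_pending = [], {}, False
    for line in text.splitlines():
        m = STARTED.search(line)
        if m:
            op = {"id": int(m.group(1)), "verb": m.group(2), "completed": False}
            ops.append(op)
            by_id[op["id"]] = op      # a reused id refers to the latest start
            continue
        m = DONE.search(line)
        if m and int(m.group(1)) in by_id:
            op = by_id[int(m.group(1))]
            op["completed"] = True
            if op["verb"] in ("activate", "deactivate"):
                commit_pending = True
            elif op["verb"] == "commit":
                commit_pending = False
    return ops, commit_pending

def incomplete(ops):
    """Ids of operations that started but never logged a successful completion."""
    return [op["id"] for op in ops if not op["completed"]]

if __name__ == "__main__":
    ops, pending = audit_install_log(SAMPLE)
    print("incomplete operations:", incomplete(ops))
    print("install commit still required:", pending)
```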
Appendix
Upgrading/Downgrading Images before the expiry date
Pre-requisites
— Be sure to check the upgrade/downgrade matrix available for your image.
Perform the following steps if the date is still before October 17, 2015, and you want to upgrade/downgrade to a different image after the expiry date:
1. Pick the pre-expiry SMU for your image from here.
2. Add the pre-expiry SMU to your router using the install add command.
3. Activate the SMU using the install activate command.
4. Add the mini-px.pie file of the upgrade/downgrade image as required, using the install add command.
Note: You can add the mini-px.pie file even after the expiry date since the pre-expiry SMU is added to your router.
5. Deactivate all the SMUs/pie files on the router. The existing SMUs/pie files will not be compatible with the new image.
6. Activate the pie file of the new image using the install activate command. Your router should be upgraded/downgraded as required.
Note: You must install the pre-expiry or post-expiry SMU of the new image as appropriate depending on the current date.
Example
The following example shows how to upgrade from XR5.1.3 to XR5.1.4 after installing the pre-expiry SMU:
RP/0/RSP0/CPU0:ROUTER(admin)#
install add tftp://10.10.1.1/tftpboot-location/asr9k-px-5.1.3.CSCut30136-0.0.4.i.pie sync
Sun Mar 15 04:00:06.953 UTC
Install operation 7 '(admin) install add
/tftp://10.10.1.1/tftp-location/asr9k-px-5.1.3.CSCut30136-0.0.4
.i.pie synchronous' started by user 'cisco' via CLI at 04:00:07 UTC Sun Mar 15
2015.
Info: The following package is now available to be activated:
Info:
Info: disk0:asr9k-px-5.1.3.CSCut30136-0.0.4.i
Info:
Info: The package can be activated across the entire router.
Info:
Install operation 7 completed successfully at 04:00:15 UTC Sun Mar 15 2015.
RP/0/RSP0/CPU0:ROUTER(admin)#
RP/0/RSP0/CPU0:ROUTER(admin)#
install activate disk0:asr9k-px-5.1.3.CSCut30136-0.0.4.i sync
Sun Mar 15 04:00:27.882 UTC
Install operation 8 '(admin) install activate
disk0:asr9k-px-5.1.3.CSCut30136-0.0.4.i synchronous' started by user 'cisco'
via CLI at 04:00:28 UTC Sun Mar 15 2015.
Info: Install Method: Parallel Process Restart
| 15% complete: The operation can still be aborted (ctrl-c for options)RP/0/RSP0/CPU0:Mar 15 04:01:38.775 : sam_server[378]: %SECURITY-SAM-4-CAUGHT_SIGNAL : server terminating..
RP/0/RSP0/CPU0:Mar 15 04:01:39.197 : sam_server[378]: %SECURITY-SAM-4-SYSDB_INTEGRITY : Cannot guarantee the integrity of SAM SysDB name space, SAM internal tables had been discarded, and will try to recover from backup files.
Info: The changes made to software configurations will not be persistent
Info: across system reloads. Use the command '(admin) install commit' to
Info: make changes persistent.
Info: Please verify that the system is consistent following the software
Info: change using the following commands:
Info: show system verify
Info: install verify packages
\ 100% complete: The operation can still be aborted (ctrl-c for options)RP/0/RSP0/CPU0:Mar 15 04:02:01.867 : instdir[253]: %INSTALL-INSTMGR-4-ACTIVE_SOFTWARE_COMMITTED_INFO : The currently active software is not committed. If the system reboots then the committed software will be used. Use 'install commit' to commit the active software.
Install operation 8 completed successfully at 04:02:01 UTC Sun Mar 15 2015.
RP/0/RSP0/CPU0:ROUTER(admin)#
install add tftp://10.10.1.1/auto/tftpboot-location/asr9k-mini-px.pie-5.1.4 sync
Tue Mar 15 04:00:07.258 UTC
Install operation 9 '(admin) install add
/tftp://10.10.1.1/auto/tftpboot-location/asr9k-mini-px.pie-5.1.4
synchronous' started by user 'cisco' via CLI at 04:00:08 UTC Tue Mar 15 2016.
Info: The following package is now available to be activated:
Info:
Info: disk0:asr9k-mini-px-5.1.4
Info:
Info: The package can be activated across the entire router.
Info:
Install operation 9 completed successfully at 04:19:09 UTC Tue Mar 15 2016.
RP/0/RSP0/CPU0:ROUTER(admin)#
RP/0/RSP0/CPU0:ROUTER(admin)#
install deactivate disk0:asr9k-mcast-px-5.1.3 sync
Tue Mar 15 04:19:50.790 UTC
Install operation 8 '(admin) install deactivate disk0:asr9k-mcast-px-5.1.3
synchronous' started by user 'cisco' via CLI at 04:19:51 UTC Tue Mar 15 2016.
Info: Install Method: Parallel Process Restart
| 15% complete: The operation can still be aborted (ctrl-c for options)RP/0/RSP0/CPU0:Mar 15 04:21:01.097 : placed[350]: %OS-PLACED-3-ZERO_LEVEL : Zero level-started placeable processes from Proc-table
Info: The changes made to software configurations will not be persistent
Info: across system reloads. Use the command '(admin) install commit' to
Info: make changes persistent.
Info: Please verify that the system is consistent following the software
Info: change using the following commands:
Info: show system verify
Info: install verify packages
Install operation 8 completed successfully at 04:21:27 UTC Tue Mar 15 2016.
RP/0/RSP0/CPU0:ROUTER(admin)#
RP/0/RSP0/CPU0:ROUTER(admin)#
install activate disk0:asr9k-mini-px-5.1.4
Tue Mar 15 04:57:53.104 UTC
Install operation 10 '(admin) install activate disk0:asr9k-mini-px-5.1.4'
started by user 'cisco' via CLI at 04:57:53 UTC Tue Mar 15 2016.
Abort the operation, continue operating synchronously or operate asynchronously
(abort/sync/async)? [sync] sync
Further user input may be required. The operation will fail if the user input
is required after the operation goes asynchronous and the prompt is returned.
Do you want to wait to until all user input has been obtained before going
asynchronous (yes/no)? [yes] no
The install operation will continue asynchronously.
RP/0/RSP0/CPU0:ROUTER(admin)#Info: This operation will reload the following nodes in parallel:
Info: 0/RSP0/CPU0 (RP) (SDR: Owner)
Info: 0/0/CPU0 (LC) (SDR: Owner)
Proceed with this install operation (y/n)? [y] y
[0xab26995d20] Record Reboot History, reboot cause = 0x4000047, descr = Cause: dSC node reload is required by install operation Process:
<output trimmed>
Upgrading/Downgrading Images after the expiry date
Pre-requisites
Be sure to check the upgrade/downgrade matrix available for your image.
Perform the following steps if the date is past October 17, 2015:
1. Copy the root certificate to your disk. The root certificate is available here.
2. Install the certificate using the sam add certificate command in privileged EXEC mode, if you have logged in to the router from the console.
OR
Install the certificate using the samcmd sam add certificate command from the shell.
3. Pick the post-expiry SMU for your image from here.
4. Add the post-expiry SMU to your router using the install add command.
5. Activate the SMU using the install activate command.
6. Add the mini-px.pie of the upgrade/downgrade image as required, using the install add command.
7. Deactivate all the SMUs/pie files on the router. The existing SMUs/pie files will not be compatible with the new image.
8. Activate the new image using the install activate command. Your image should be upgraded/downgraded as required.
Example
The following example shows how to upgrade from XR5.1.3 to XR5.1.4 after installing the post-expiry SMU:
RP/0/RSP0/CPU0:ASR-9K#
copy tftp://10.10.1.1/tftpboot-location/css-root.cer disk0:
Wed Dec 21 06:01:16.464 UTC
Destination filename [/disk0:/css-root.cer]?
Accessing tftp://10.10.1.1/tftpboot-location/css-root.cer
C
1217 bytes copied in 0 sec
RP/0/RSP0/CPU0:ROUTER#
sam add certificate /disk0:/css-root.cer root trust
Wed Dec 21 06:09:43.207 UTC
SAM: Successful adding certificate /disk0:/css-root.cer
OR
RP/0/RSP0/CPU0:ROUTER#
run
Wed Dec 21 06:05:16.464 UTC
#
samcmd sam add certificate /disk0:/css-root.cer root trust
SAM: Successful adding certificate /disk0:/css-root.cer
RP/0/RSP0/CPU0:ROUTER(admin)#
install add tftp://10.10.1.1/tftpboot-location/asr9k-px-5.1.3.CSCut52232-0.0.4.i.pie sync
Mon Mar 21 04:40:41.322 UTC
Install operation 6 '(admin) install add
/tftp://10.10.1.1/tftpboot-location/asr9k-px-5.1.3.CSCut52232-0.0.4.i.pie
synchronous' started by user 'cisco' via CLI at 04:40:41 UTC Mon Mar 21
2015.
Info: The following package is now available to be activated:
Info:
Info: disk0:asr9k-px-5.1.3.CSCut52232-0.0.4.i
Info:
Info: The package can be activated across the entire router.
Info:
Install operation 6 completed successfully at 04:40:54 UTC Mon Mar 21 2016.
RP/0/RSP0/CPU0:ROUTER(admin)#
install activate disk0:asr9k-px-5.1.3.CSCut52232-0.0.4.i sync
Mon Mar 21 06:41:02.086 UTC
Install operation 7 '(admin) install activate
disk0:asr9k-px-5.1.3.CSCut52232-0.0.4.i.pie
synchronous' started by user 'cisco'
via CLI at 06:41:02 UTC Mon Mar 21 2016.
Info: Install Method: Parallel Process Restart
/ 15% complete: The operation can still be aborted (ctrl-c for options)
Info: The changes made to software configurations will not be persistent
Info: across system reloads. Use the command '(admin) install commit' to
Info: make changes persistent.
Info: Please verify that the system is consistent following the software
Info: change using the following commands:
Info: show system verify
Info: install verify packages
\ 100% complete: The operation can still be aborted (ctrl-c for options)RP/0/RSP0/CPU0:Mon 21 06:42:37.856 : instdir[253]: %INSTALL-INSTMGR-4-ACTIVE_SOFTWARE_COMMITTED_INFO : The currently active software is not committed. If the system reboots then the committed software will be used. Use 'install commit' to commit the active software.
Install operation 7 completed successfully at 06:42:37 UTC Mon Mar 21 2016.
RP/0/RSP0/CPU0:ROUTER(admin)#
RP/0/RSP0/CPU0:ROUTER(admin)#
install add tftp://10.10.1.1/tftpboot-location/asr9k-mini-px.pie-5.1.4
sync
Mon Mar 21 07:00:35.564 UTC
Install operation 50 '(admin) install add
/tftp://10.10.1.1/tftpboot-location/asr9k-mini-px.pie-5.1.4
synchronous' started by user 'cisco' via CLI at 07:00:36 UTC Sat Mon 21 2016.
Info: The following package is now available to be activated:
Info:
Info: disk0:asr9k-mini-px-5.1.4
Info:
Info: The package can be activated across the entire router.
Info:
Install operation 50 completed successfully at 07:20:57 UTC Mon Mar 21 2016.
RP/0/RSP0/CPU0:ROUTER(admin)#
RP/0/RSP0/CPU0:ROUTER(admin)#
install deactivate disk0:asr9k-px-5.1.3.CSCut52232-0.0.4.i
Fri Mar 25 14:50:40.131 UTC
Install operation 32 '(admin) install deactivate synchronous' started by user 'cisco' via CLI at 04:19:51 UTC Tue Mar 15 2016.
RP/0/RSP0/CPU0:ROUTER(admin)#
install activate disk0:asr9k-mini-px-5.1.4 sync
Mon Mar 21 14:52:19.622 UTC
Install operation 33 '(admin) install activate disk0:asr9k-mini-px-5.1.4
synchronous' started by user 'cisco' via CLI at 14:52:19 UTC Fri Mar 21 2016.
Warning: The autoboot bit (0x2) has been set in the config-register on the
Warning: following node:
Warning: 0/RSP0/CPU0
Info: This operation will reload the following nodes in parallel:
Info: 0/RSP0/CPU0 (RP) (SDR: Owner)
Info: 0/0/CPU0 (LC) (SDR: Owner)
Proceed with this install operation (y/n)? [y]
Info: Install Method: Parallel Reload