- About this Guide
- Introduction to VPC-DI
- VPC-DI Installation Notes
- System Operation and Configuration
- Getting Started
- System Settings
- Config Mode Lock Mechanisms
- Management Settings
- Verifying and Saving Your Configuration
- System Interfaces and Ports
- System Security
- Secure System Configuration File
- Software Management Operations
- Smart Licensing
- Monitoring the System
- Bulk Statistics
- System Logs
- Troubleshooting
- Packet Capture (PCAP) Trace
- System Recovery
- Access Control Lists
- Congestion Control
- Routing
- VLANs
- BGP MPLS VPNs
- Content Service Steering
- Session Recovery
- Interchassis Session Recovery
- Support Data Collector
- Engineering Rules
- StarOS Tasks
- NETCONF and ConfD
- ICSR Checkpointing
- VPC-DI SDR CLI Command Strings
- VPC Commands
Secure System Configuration File
Feature Summary and Revision History
Summary Data
Revision History
Revision Details |
Release |
---|---|
First Introduced. |
21.3 |
Feature Description
A system configuration file contains crucial configuration information used to setup and operate the operator's network. The configuration file must be properly authenticated before it is loaded to avoid unauthorized changes to the file that could harm the network.
This feature enables the system configuration file to be signed with an RSA key to ensure the integrity and authenticity of the configuration file before it is loaded. The operator can sign the configuration file with a private key, and the system uses a public key to validate the signed configuration file before loading it.
How System Configuration Files are Secured
Create a Digital Signature
The operator can sign the configuration file using the following steps:
-
Perform an SHA512 hash on the configuration file to create a message digest.
Example (Linux/OpenSSL):
openssl dgst -sha512 -binary -out digest cfg_file
-
Create a digital signature by encrypting the message digest value with the RSA private key.
Example (Linux/OpenSSL):
openssl pkeyutl -sign -in digest -inkey pri_key.pem -out sig \ -pkeyopt digest:sha512 -pkeyopt rsa_padding_mode:pss \ -pkeyopt rsa_pss_saltlen:-2
-
Convert the digital signature to a base64 format (A ‘#’ is added at the beginning, and a new line at the end).
Example (Linux/OpenSSL):
echo -n “#” > sig_base64 base64 sig -w 0 >> sig_base64 echo “” >> sig_base64
-
Append the original configuration file with the digital signature.
Example (Linux/OpenSSL):
cat sig_base64 cfg_file > signed_cfg_file
Generating the Public and Private Keys
The RSA public key is stored in PEM format (.pem file), and can be generated using one of the following OpenSSL commands in the example below:
openssl rsa -in pri_key.pem - pubout -out pub_key.pem –-or-- openssl rsa -in pri_key.pem -RSAPublicKey_out -out pub_key.pem
An RSA private key in PEM format can be generated using the OpenSSL command in the following example:
openssl genrsa -out pri_key.pem 2048
For more information on the openssl rsa and openssl genrsa commands, refer their respective OpenSSL manual pages.
Validate the Digital Signature
When signature verification is enabled, validation of the digital signature occurs when the system boots up and loads the configuration file (or any time when the config file is loaded). The system determines if signature verification is enabled (or disabled) by looking for the .enable_cfg_pubkey file in the secure directory. For more information, refer Enable or Disable Signature Verification.
The system validates the signed configuration file using the following steps:
-
Extract the RSA public signing key from the flash.
-
Extract the configuration file’s digital signature (the first line).
-
Convert the signature from base64 to binary format.
-
Decrypt the signature using the RSA public key.
-
Calculate the SHA512 hash for the plain config file resulting in a message digest.
-
Compare the decrypted signature value and newly calculated message digest. If they match, the configuration file is successfully validated.
Configuring Signature Verification
Import RSA Public Key for Verification
To verify the signed configuration file, an RSA public key (in PEM format) must be imported. Use the following command to import the RSA public key:
This command can only be executed from the console.
cfg-security import public-key url url_address
Notes:
-
Any existing .pem file will be replaced with the new .pem file when the command is executed.
-
url_address may refer to a local or a remote file, and must be entered using the following format:
[file:]{/flash | /usb1 | /hd-raid | /sftp}[/directory]/filename
tftp://host[:port][/<directory>]/filename
ftp://[username[:password]@]host[:port][/directory]/filename
sftp://[username[:password]@]host[:port][/directory]/filename
http://[username[:password]@]host[:port][/directory]/filename
https://[username[:password]@]host[:port][/directory]/filename
Enable or Disable Signature Verification
Use the following command to enable (or disable) signature verification in the configuration file:
This command can only be executed from the console.
[ no ] cfg-security sign
Notes:
-
Enabling signature verification (cfg-security sign command) will create an empty file named .enable_cfg_pubkey in the same directory where the PEM file exists.
-
Use the no cfg-security sign command to disable verification of signature in the configuration file. Disabling signature verification (no cfg-security sign command) will remove the .enable_cfg_pubkey file.
-
The system looks for the .enable_cfg_pubkey file to determine if signature verification is enabled or disabled.