Cisco Cisco Packet Data Gateway (PDG)
System Security
▀ Per-Chassis Key Identifier
▄ ASR 5000 System Administration Guide, StarOS Release 18
122
Per-Chassis Key Identifier
A user can set a unique chassis key which will work only for a chassis or for any set of chassis that will share the same
configuration information.
configuration information.
The chassis key consists of 1 to 16 alphanumeric ASCII characters. The chassis key plain-text value is never displayed
to the user; it is entered interactively and not echoed to the user.
to the user; it is entered interactively and not echoed to the user.
On the ASR5000 the encrypted chassis key is stored in the Compact Flash card on each SMC.
If the chassis key identifier stored in the header comment line of the configuration file does not match the chassis key,
an error message is displayed to the user. The user can change the chassis key value simply by entering the chassis key
again. The previous chassis key is replaced by a new chassis key. The user is not required to enter a chassis key.
an error message is displayed to the user. The user can change the chassis key value simply by entering the chassis key
again. The previous chassis key is replaced by a new chassis key. The user is not required to enter a chassis key.
If the user does not configure a chassis key, the system generates a unique value for that chassis.
Important:
Changing a chassis key may invalidate previously generated configurations. This is because any
secret portions of the earlier generated configuration will have used a different encryption key. For this reason the
configuration needs to be recreated and restored.
configuration needs to be recreated and restored.
Important:
To make password configuration easier for administrators, the chassis key should be set during the
initial chassis set-up.
The configuration file contains a one-way encrypted value of the chassis key (the chassis key identifier) and the version
number in a comment header line. These two pieces of data determine if the encrypted passwords stored within the
configuration will be properly decrypted.
number in a comment header line. These two pieces of data determine if the encrypted passwords stored within the
configuration will be properly decrypted.
While a configuration file is being loaded, the chassis key used to generate the configuration is compared with the
stored chassis key. If they do not match the configuration is not loaded.
stored chassis key. If they do not match the configuration is not loaded.
The user can remove the chassis key identifier value and the version number header from the configuration file. Also,
the user may elect to create a configuration file manually. In both of these cases, the system will assume that the same
chassis key will be used to encrypt the encrypted passwords. If this is not the case, the passwords will not be decrypted
due to resulting non-printable characters or memory size checks. This situation is only recoverable by setting the chassis
key back to the previous value, editing the configuration to have the encrypted values which match the current chassis
key, or by moving the configuration header line lower in the configuration file.
the user may elect to create a configuration file manually. In both of these cases, the system will assume that the same
chassis key will be used to encrypt the encrypted passwords. If this is not the case, the passwords will not be decrypted
due to resulting non-printable characters or memory size checks. This situation is only recoverable by setting the chassis
key back to the previous value, editing the configuration to have the encrypted values which match the current chassis
key, or by moving the configuration header line lower in the configuration file.
Beginning with Release 15.0, the chassis ID will be generated from an input chassis key using the SHA2-256 algorithm
followed by base36 encoding. The resulting 44-character chassis ID will be stored in the same chassisid file in flash.
followed by base36 encoding. The resulting 44-character chassis ID will be stored in the same chassisid file in flash.
Release 14 and Release 15 chassis IDs will be in different encryption formats. Release 15 will recognize a Release 14
chassis ID and consider it as valid. Upgrading from 14.x to 15.0 will not require changing the chassis ID or
configuration file.
chassis ID and consider it as valid. Upgrading from 14.x to 15.0 will not require changing the chassis ID or
configuration file.
However, if the chassis key is reset in Release 15 through the setup wizard or chassis-key CLI command, a new chassis
ID will be generated in Release 15 format (44 instead of 16 characters). Release14 builds will not recognize the 44-
character chassis ID. If the chassis is subsequently downgraded to Release 14, a new 16-character chassis ID will be
generated. To accommodate the old key format, you must save the configuration file in pre-v12.2 format before the
downgrade. If you attempt to load a v15 configuration file on the downgraded chassis, StarOS will not be able to
decrypt the password/secrets stored in the configuration file.
ID will be generated in Release 15 format (44 instead of 16 characters). Release14 builds will not recognize the 44-
character chassis ID. If the chassis is subsequently downgraded to Release 14, a new 16-character chassis ID will be
generated. To accommodate the old key format, you must save the configuration file in pre-v12.2 format before the
downgrade. If you attempt to load a v15 configuration file on the downgraded chassis, StarOS will not be able to
decrypt the password/secrets stored in the configuration file.