Cisco Cisco Packet Data Gateway (PDG)
System Settings
▀ Configuring a Chassis Key
▄ ASR 5000 System Administration Guide, StarOS Release 18
72
Configuring a Chassis Key
A unique chassis key is configured at the factory for each system. This key is used to decrypt encrypted passwords
found in generated configuration files. The system administrator can create a unique chassis key that will be used to
encrypt passwords stored in configuration files.
found in generated configuration files. The system administrator can create a unique chassis key that will be used to
encrypt passwords stored in configuration files.
Important:
The Quick Setup Wizard also prompts the user to enter a chassis key value.
The Exec mode chassis key value key_string command identifies the chassis which can encrypt and decrypt encrypted
passwords in the configuration file. If two or more chassis are configured with the same chassis key value, the encrypted
passwords can be decrypted by any of the chassis sharing the same chassis key value. As a corollary to this, a given
chassis key value will not be able to decrypt passwords that were encrypted with a different chassis key value.
passwords in the configuration file. If two or more chassis are configured with the same chassis key value, the encrypted
passwords can be decrypted by any of the chassis sharing the same chassis key value. As a corollary to this, a given
chassis key value will not be able to decrypt passwords that were encrypted with a different chassis key value.
The key_string is an alphanumeric string of 1 through 16 characters. The chassis key is stored as a one-way encrypted
value, much like a password. For this reason, the chassis key value is never displayed in plain-text form.
value, much like a password. For this reason, the chassis key value is never displayed in plain-text form.
The Exec mode chassis keycheck key_string command generates a one-way encrypted key value based on the entered
key_string. The generated encrypted key value is compared against the encrypted key value of the previously entered
chassis key value. If the encrypted values match, the command succeeds and keycheck passes. If the comparison fails, a
message is displayed indicating that the key check has failed. If the default chassis key (no chassis key) is currently
being used, this key check will always fail since there will be no chassis key value to compare against.
key_string. The generated encrypted key value is compared against the encrypted key value of the previously entered
chassis key value. If the encrypted values match, the command succeeds and keycheck passes. If the comparison fails, a
message is displayed indicating that the key check has failed. If the default chassis key (no chassis key) is currently
being used, this key check will always fail since there will be no chassis key value to compare against.
Use the chassis keycheck command to verify whether multiple chassis share the same chassis key value.
Important:
Only a user with Security Administrator or Administrator privilege can execute the chassis key
value and chassis keycheck commands.
For additional information, refer to the Exec Mode Commands chapter in the Command Line Interface Reference.
Beginning with Release 15.0, the chassis ID will be generated from an input chassis key using the SHA2-256 algorithm
followed by base36 encoding. The resulting 44-character chassis ID will be stored in the same chassisid file in flash.
followed by base36 encoding. The resulting 44-character chassis ID will be stored in the same chassisid file in flash.
Release 14 and Release 15 chassis IDs will be in different formats. Release 15 will recognize a Release 14 chassis ID
and consider it as valid. Upgrading from 14.x to 15.0 will not require changing the chassis ID or configuration file
and consider it as valid. Upgrading from 14.x to 15.0 will not require changing the chassis ID or configuration file
However, if the chassis-key is reset in Release 15 through the setup wizard or chassis-key CLI command, a new chassis
ID will be generated in Release 15 format (44 instead of 16 characters). Release14 builds will not recognize the 44-
character chassis ID. If the chassis is subsequently downgraded to Release 14, a new 16-character chassis ID will be
generated. To accommodate the old key format, you must save the configuration file in pre-v12.2 format before the
downgrade. If you attempt to load a v15 configuration file on the downgraded chassis, StarOS will not be able to
decrypt the password/secrets stored in the configuration file.
ID will be generated in Release 15 format (44 instead of 16 characters). Release14 builds will not recognize the 44-
character chassis ID. If the chassis is subsequently downgraded to Release 14, a new 16-character chassis ID will be
generated. To accommodate the old key format, you must save the configuration file in pre-v12.2 format before the
downgrade. If you attempt to load a v15 configuration file on the downgraded chassis, StarOS will not be able to
decrypt the password/secrets stored in the configuration file.