Downloading with FIPS Security; Software Image Commands; Configuration Change Hashing - Enterasys Security Router X-Pedition™ User Manual


Utilizing the Command Line Interface
5. Set the operation to imageSetSelected:
set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16.2.7.1.3.1 0100
Note: The primary image cflash:xsr3004.fls must already exist in the XSR, otherwise the configuration will fail at this point.
6. Set the row to active:
set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16.2.7.1.11.1 1
7. Reboot the XSR to load the new image by configuring the following:
Create a row:
set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16.2.7.1.11.2 5
Set operation to resetSoftware:
set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16.2.7.1.3.2 8000
Set the row to active:
set 1.1.1.1 .1.3.6.1.4.1.5624.1.2.16.2.7.1.11.2 1
Note: The Configuration Management MIB lets you add a delay (Etsysconfigmgmtchangedelaytime) in Steps 3-6 and Step 7. Be aware that the Step 7 delay cannot be smaller than the delay set in Steps 3-6.

Downloading with FIPS Security

In compliance with Federal Information Processing Standard (FIPS) security, XSR 1800/3000 Series routers require a different download procedure than usual. You must specify the FIPS-compliant HMAC SHA-1 key using either the Bootrom key command or the sw-verification key command on the CLI. Follow the prompts as instructed.
When FIPS is enabled, all .FLS files must be signed with the signing utility:
signEtsFls.exe -k <20hexdigits><xsr1800.fls>
Only signed incoming FLS files will be accepted from TFTP, SNMP and CompactFlash. After FIPS is enabled, back revisioning is not permitted. To disable FIPS, press the Default button (on the XSR 1800 Series) to clear all configuration settings including the FIPS and master encryption keys.
For the XSR 3000 Series only, FIPS can be disabled by entering five invalid Bootrom password entries. You will be prompted before the XSR reverts to the default factory configuration and clears the FIPS key.

Software Image Commands

You can view the status of the software image including such data as the current firmware image filename, software release version, timestamp, and size by issuing the show version command.
Use the boot system command to actively change the default file name of the software image.
For more command details, refer to the XSR CLI Reference Guide.

Configuration Change Hashing

Transparently, the XSR hashes persistent configuration changes and stores them in an SNMP-accessible variable to assist you in assessing remote backups or device monitoring. Hashing by the MD5 algorithm is conducted on the following files:
startup-config
private-config
user.dat
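
An operator-side check for the hashing described under Configuration Change Hashing, added here as an example that is not from the Enterasys manual: it recomputes MD5 over backed-up copies of the three listed files and compares them with digests read from the device. The manual page does not give the SNMP variable or its encoding, so the one-hex-digest-per-file input, the function names and the sample values are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the manual lists as covered by the XSR's MD5 configuration hashing.
HASHED_FILES = ("startup-config", "private-config", "user.dat")

def md5_file(path, chunk_size=65536):
    """Stream a file through MD5 and return the lowercase hex digest."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalize(value):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex as pasted from an SNMP tool."""
    cleaned = "".join(c for c in value if c not in " :-\t\n").lower()
    if len(cleaned) != 32 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError(f"not an MD5 digest: {value!r}")
    return cleaned

def audit_backup(backup_dir, reported):
    """Return {file: status}; reported maps file name -> digest read from the device.
    Assumption: one hex MD5 per file. MD5 flags drift or corruption here; it is
    not collision-resistant, so it does not authenticate the backup.
    """
    results = {}
    for name in HASHED_FILES:
        path = Path(backup_dir) / name
        if name not in reported:
            results[name] = "not-reported"      # device value never collected
        elif not path.is_file():
            results[name] = "missing-backup"    # nothing on disk to compare
        elif md5_file(path) == normalize(reported[name]):
            results[name] = "match"
        else:
            results[name] = "changed"           # backup is stale or was altered
    return results

if __name__ == "__main__":
    # Constructed sample: two backup files and made-up device-reported digests.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "startup-config").write_bytes(b"hello")
        (Path(d) / "private-config").write_bytes(b"")
        reported = {"startup-config": "5D:41:40:2A:BC:4B:2A:76:B9:71:9D:91:10:17:C5:92",
                    "private-config": "5d41402abc4b2a76b9719d911017c592"}
        for name, status in audit_backup(d, reported).items():
            print(f"{name:15} {status}")
```

A "changed" result means the backup no longer reflects the running device or has been modified since it was taken; either way the backup should be refreshed and the difference reviewed.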
