Running Configuration File; Backup And Mirror Configuration File - Cisco Small Business 200 Series Administration Manual

Small business 200 series smart switch

Security: Secure Sensitive Data Management
Configuration Files
The device configures the passphrase, passphrase control, and file integrity, if any, from the SSD
Control Block in the source configuration file to the Startup Configuration file. It configures the
Startup Configuration file with the passphrase that is used to generate the key to decrypt the
sensitive data in the source configuration file. Any SSD configurations that are not found are reset to
the default.
If there is an SSD control block in the source configuration file and the file contains plaintext sensitive
data, excluding the SSD configurations in the SSD control block, the file is accepted.

Running Configuration File

A Running Configuration file contains the configuration currently being used by the device. A user can
retrieve the sensitive data encrypted or in plaintext from a running configuration file, subject to the SSD
read permission and the current SSD read mode of the management session. The user can change the
Running Configuration by copying the Backup or Mirror Configuration files through other management
actions via CLI, XML, SNMP, and so on.
A device applies the following rules when a user directly changes the SSD configuration in the Running
Configuration:
• If the user that opened the management session does not have SSD permissions (meaning read
  permissions of either Both or Plaintext Only), the device rejects all SSD commands.
• When copied from a source file, File SSD indicator, SSD Control Block Integrity, and SSD File Integrity
  are neither verified nor enforced.
• When copied from a source file, the copy will fail if the passphrase in the source file is in plaintext. If
  the passphrase is encrypted, it is ignored.
• When directly configuring the passphrase (non file copy) in the Running Configuration, the
  passphrase in the command must be entered in plaintext. Otherwise, the command is rejected.
• Configuration commands with encrypted sensitive data that are encrypted with the key generated
  from the local passphrase are configured into the Running Configuration. Otherwise, the
  configuration command is in error and is not incorporated into the Running Configuration file.

Backup and Mirror Configuration File

A device periodically generates its Mirror Configuration file from the Startup Configuration file if auto mirror
configuration service is enabled. A device always generates a Mirror Configuration file with encrypted
sensitive data. Therefore, the File SSD Indicator in a Mirror Configuration file always indicates that the file
contains encrypted sensitive data.
By default, auto mirror configuration service is enabled. To configure auto mirror configuration to be enabled
or disabled, click Administration > File Management > Configuration File Properties.
Cisco Small Business 200 Series Smart Switch Administration Guide
