Feature Description; How System Configuration Files Are Secured; Create A Digital Signature - Cisco ASR 5500 System Administration Manual


Revision History
Revision Details: First Introduced.
Feature Description
A system configuration file contains crucial configuration information used to set up and operate the operator's
network. The configuration file must be properly authenticated before it is loaded to avoid unauthorized
changes to the file that could harm the network.
This feature enables the system configuration file to be signed with an RSA key to ensure the integrity and
authenticity of the configuration file before it is loaded. The operator can sign the configuration file with a
private key, and the system uses a public key to validate the signed configuration file before loading it.

How System Configuration Files are Secured

Create a Digital Signature

The operator can sign the configuration file using the following steps:
1. Perform an SHA512 hash on the configuration file to create a message digest.
   Example (Linux/OpenSSL):
       openssl dgst -sha512 -binary -out digest cfg_file
2. Create a digital signature by encrypting the message digest value with the RSA private key.
   Example (Linux/OpenSSL):
       openssl pkeyutl -sign -in digest -inkey pri_key.pem -out sig \
           -pkeyopt digest:sha512 -pkeyopt rsa_padding_mode:pss \
           -pkeyopt rsa_pss_saltlen:-2
3. Convert the digital signature to base64 format (a '#' is added at the beginning and a new line at the end).
   Example (Linux/OpenSSL):
       echo -n "#" > sig_base64
       base64 sig -w 0 >> sig_base64
       echo "" >> sig_base64
4. Append the original configuration file to the digital signature.
   Example (Linux/OpenSSL):
       cat sig_base64 cfg_file > signed_cfg_file
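
The four steps above run in reverse, as an added example (not from the Cisco guide, and not a description of how StarOS itself validates the file): a workstation-side check that a signed file is well-formed and verifies against the public key before it is loaded. The function names, the temporary files and pub_key.pem are assumptions; GNU base64 and OpenSSL are assumed, as in the page's own examples.

```shell
#!/bin/sh
# Added example, not Cisco code. Function and file names are assumptions.

# sign_cfg CFG PRIVATE_KEY OUT: the four signing steps from the page.
sign_cfg() {
    w=$(mktemp -d) || return 1
    openssl dgst -sha512 -binary -out "$w/digest" "$1" &&
    openssl pkeyutl -sign -in "$w/digest" -inkey "$2" -out "$w/sig" \
        -pkeyopt digest:sha512 -pkeyopt rsa_padding_mode:pss \
        -pkeyopt rsa_pss_saltlen:-2 &&
    { printf '#' && base64 -w 0 "$w/sig" && echo && cat "$1"; } > "$3"
    rc=$?
    rm -rf "$w"
    return $rc
}

# verify_signed_cfg SIGNED PUBLIC_KEY: returns 0 only if line 1 is '#' plus
# the base64 of a valid RSA-PSS/SHA-512 signature over every byte after line 1.
verify_signed_cfg() {
    w=$(mktemp -d) || return 1
    rc=1
    first=$(head -n 1 "$1")
    case $first in
    '#'?*)
        # Strip the '#', decode the signature, recover the config body,
        # re-hash it and check the signature with the public key.
        if printf '%s' "${first#?}" | base64 -d > "$w/sig" 2>/dev/null &&
           tail -n +2 "$1" > "$w/cfg" &&
           openssl dgst -sha512 -binary -out "$w/digest" "$w/cfg" &&
           openssl pkeyutl -verify -pubin -inkey "$2" -in "$w/digest" \
               -sigfile "$w/sig" -pkeyopt digest:sha512 \
               -pkeyopt rsa_padding_mode:pss \
               -pkeyopt rsa_pss_saltlen:-2 >/dev/null 2>&1
        then rc=0; fi ;;
    esac
    rm -rf "$w"
    return $rc
}

# Usage: sh verify_cfg.sh signed_cfg_file pub_key.pem
if [ "$#" -eq 2 ]; then
    verify_signed_cfg "$1" "$2" && echo "signature OK"
fi
```

Any byte changed after the signature line, including an added trailing line, makes the check fail, because the digest is taken over the whole remainder of the file.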
ASR 5500 System Administration Guide, StarOS Release 21.5
Secure System Configuration File
Release: 21.3
