THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 16-Oct-15 | Initial Release |
10.0 | 13-Oct-17 | Migration to new field notice system |
10.1 | 18-Jan-19 | Fixed Broken Image Link |
Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS | IOS XR Software | 3 | 3.9.1 | |
NON-IOS | IOS XR Software | 4 | 4.0.1, 4.0.3, 4.1.1, 4.1.2, 4.2.1, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.4 | |
NON-IOS | IOS XR Software | 5 | 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.2.0, 5.2.2, 5.2.4, 5.3.0 | |
NON-IOS | IOS XR XML Perl Scripting Toolkit and Data Objects | 4 | 4.2.4 | |
NON-IOS | IOS XR XML Schemas | 4 | 4.2.4 | |
Defect ID | Headline |
---|---|
CSCut30136 | Mandatory SMU SAM changeset for certificate expiration. |
CSCut52232 | Production SMU for SAM post Oct 2015. |
On October 17, 2015, the previously implemented Code Signing Server (CSS) certificates used in classic Cisco IOS-XR will expire. These CSS certificates are used by Cisco IOS-XR software (SW) in order to verify upgrades, downgrades, Software Maintenance Upgrades (SMUs), and Package Installation Envelopes (PIEs) before installation.
As of October 17, 2015, the pre-expiry SMU phase of this CSS certificate expiration program is complete and should no longer be used.
Post-expiry SMUs should be used going forward.
Descriptions:
Cisco IOS-XR currently uses CSS certificates in order to sign and verify upgrades, downgrades, SMUs, and PIEs in the installation process.
Cisco IOS-XR SW, SMUs, and PIEs are signed by these certificates.
Cisco IOS-XR SW, SMUs, and PIEs are allowed to install only if the system can validate the certificate and signature carried in the SMU/PIE.
Important Note: The issue described in this Field Notice only affects select Cisco IOS-XR Classic SW (refer to: Other Considerations below). Customers that run Cisco IOS-XR NG-based SW (for example, releases that only support NCS6k) are not affected.
On October 17, 2015, the previously implemented CSS certificates used in classic Cisco IOS-XR will expire.
After the October 17, 2015 expiration date, attempts to install a new Cisco IOS-XR image, SMU, or PIE without the mandatory SMU installed first will fail.
Symptom:
When you try to install or add an SMU/PIE after October 17, 2015, the operation fails with the error below because the CSS certificate expired on October 17, 2015.
Error: Cannot proceed with the add operation because the code signing
Error: certificate has expired.
Error: Suggested steps to resolve this:
Error: - check the system clock using 'show clock' (correct with 'clock set' if necessary).
Error: - check the pie file was built within the last 5 years using '(admin) show install pie-info
Error: /tftp://202.153.144.25/auto/tftp-sjc-users3/jamohamm/IMAGES/asr9k-mcast-px.pie-4.3.2'.
After this expiration date, provided no new image, SMU, or PIE installs are required, existing customer installations will continue to operate as expected, even if the customer reboots a presently installed image with existing SMUs.
Customers have two primary options to apply an SMU in order to extend the certificate expiration:
If the mandatory post-expiry SMU is not installed on affected nodes, the next attempt by the customer to install SW, SMU, or PIE on those systems will fail due to the expired CSS certificate. The customer can still download and install a temporary certificate file to the target node as a workaround and then apply the mandatory post-expiry SMU.
Refer to the "How to Install Mandatory SMUs" section for the impact chart, Method of Procedure (MOP) Install document, and SMU locations.
How to Install Mandatory SMUs
Refer to Install MOP - CSS to Abraxas Migration for MOP installation instructions.
Use this table to determine SMU availability on the different Cisco IOS-XR images and HW platforms:
The post-expiry SMUs are now available on cisco.com. From the "Download Software" landing page, click Service Provider Core Routers or Service Provider Edge Routers and drill down into the product family SMU pages in order to obtain the correct "Hitless/Recommended, Post-Expire-Cert Expiration Mandatory SAM SMU".
A full path example for a CRS 8 slot 5.2.2 download is shown here:
Notes:
NCS 4000/6000 Series (Cisco IOS-XR NG)
The unaffected releases are the Cisco IOS-XR NG-based images used solely on NCS 4000/6000 Series routers: 5.0.0, 5.0.1, 5.2.1, 5.2.3, 5.2.5
No action needs to be taken for these NG-based releases.
Cisco IOS-XR Releases Deployed with the CSS Certificate Workaround Integrated
5.3.1
Cisco IOS-XR Releases Deployed with the Abraxas Code Signing
5.3.2, 5.3.3, 6.0 and later
End of Life SW Versions
Customers that do not have a supported Cisco IOS-XR SW version (SW is beyond Last Day of Support) and want to upgrade will need to purchase the SW version they need and address the CSS certificates accordingly.
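The release categories in the tables and notes above, plus the wrapped error text from the Symptom section, can be turned into a fleet triage check. This is an added example, not Cisco code; the inventory tuples, the `post_expiry_smu` flag and the result labels are assumptions made up for illustration.

```python
import re

# Release lists copied from this field notice.
AFFECTED = set(("3.9.1 4.0.1 4.0.3 4.1.1 4.1.2 4.2.1 4.2.3 4.3.0 4.3.1 4.3.2 4.3.4 "
                "5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.2.0 5.2.2 5.2.4 5.3.0").split())
NG_UNAFFECTED = {"5.0.0", "5.0.1", "5.2.1", "5.2.3", "5.2.5"}
WORKAROUND_INTEGRATED = {"5.3.1"}
ABRAXAS_FLOOR = (5, 3, 2)  # "5.3.2 or later" per the FAQ in this notice


def parse_release(text):
    """Return (major, minor, patch) as ints, or None if the string is malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def triage(release, post_expiry_smu=False):
    """Classify one router; post_expiry_smu is an assumed inventory flag."""
    ver = parse_release(release)
    if ver is None:
        return "unknown"
    name = ".".join(map(str, ver))
    if name in NG_UNAFFECTED:
        return "no-action-ng"
    if name in WORKAROUND_INTEGRATED:
        return "no-action-workaround-integrated"
    if ver >= ABRAXAS_FLOOR:
        return "no-action-abraxas"
    if name in AFFECTED:
        return "ok-smu-present" if post_expiry_smu else "install-post-expiry-smu"
    return "unknown"  # release not listed in the notice: verify by hand


def expired_cert_failure(install_output):
    """Detect the expiry error even though it wraps across two 'Error:' lines."""
    text = re.sub(r"(?m)^\s*Error:\s*", " ", install_output)
    return "code signing certificate has expired" in " ".join(text.split())


# Constructed sample inventory: (hostname, release, post-expiry SMU installed?)
INVENTORY = [("pe1", "4.3.2", False), ("pe2", "5.1.3", True), ("core1", "5.2.5", False),
             ("core2", "5.3.1", False), ("edge1", "6.0", False), ("lab1", "4.2.0", False)]

# First two lines of the error text quoted in the Symptom section.
SAMPLE_OUTPUT = """Error: Cannot proceed with the add operation because the code signing
Error: certificate has expired."""

if __name__ == "__main__":
    for host, rel, smu in INVENTORY:
        print(f"{host:6} {rel:6} {triage(rel, smu)}")
    print("expired-cert error seen:", expired_cert_failure(SAMPLE_OUTPUT))
```

A plain single-line search for "code signing certificate has expired" misses the router output because the message wraps after "code signing"; the check strips the `Error:` prefixes and joins the lines first.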
Frequently Asked Questions (FAQs)
These questions were consolidated from customer feedback collected after the original Field Notice Announcement in June 2015.
Yes, it is mandatory to install the 5.1.3 post-expiry SMU as well AFTER you upgrade.
Yes, it is mandatory to install the post-expiry SMU on the router after you turboboot, unless you turboboot to a release that contains the new Abraxas signing code (Cisco IOS-XR 5.3.2 or later) or to Cisco IOS-XR 5.3.1, which contains the CSS certificate workaround code.
Yes, unless you merely perform a turboboot to 6.0.0.
Yes, but only if the Service Pack was installed correctly with Cisco bug ID CSCul58246 (SP version handling). The SMU is installed first before the Service Pack is installed. Otherwise, the installation of the post-expiry SMU results in a router reload.
All Service Packs released after September 16, 2015 will have the post-expiry SMU integrated within them.
The IRC is included in the post-expiry SMU tar bundle.
Additional questions can be posted on the following Cisco support forum
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: