Prerequisites for Signed Tcl Scripts
For this feature to work, the Cisco public key infrastructure (PKI) configuration trustpoint commands must
be enabled.
For further details, see the Prerequisites for Signed Tcl Scripts.
Restrictions for Signed Tcl Scripts
For this feature to work, you must be running the following:
•
Cisco IOS Crypto image
•
OpenSSL Version 0.9.7a or above
•
Expect
Information About Signed Tcl Scripts
The Signed Tcl Scripts feature introduces security for the Tcl scripts. This feature allows you to create a
certificate to generate a digital signature and sign a Tcl script with that digital signature. This certificate
examines the Tcl scripts prior to running them. The script is checked for a digital signature from Cisco. In
addition, third parties may also sign a script with a digital signature. You may wish to sign your own internally
developed Tcl scripts or you could use a script developed by a third party. If the script contains the correct
digital signature, it is believed to be authentic and runs with full access to the Tcl interpreter. If the script does
not contain the digital signature, the script may be run in a limited mode, known as Safe Tcl mode, or may
not run at all.
To create and use signed Tcl scripts, you should understand the following concepts:
Cisco PKI
Cisco PKI provides certificate management to support security protocols such as IP security (IPsec), secure
shell (SSH), and secure socket layer (SSL). A PKI is composed of the following entities:
•
Peers communicating on a secure network
•
At least one certification authority (CA) that grants and maintains certificates
•
Digital certificates, which contain information such as the certificate validity period, peer identity
information, encryption keys that are used for secure communication, and the signature of the issuing
CA
•
An optional registration authority (RA) to offload the CA by processing enrollment requests
•
A distribution mechanism (such as Lightweight Directory Access Protocol [LDAP] or HTTP) for
certificate revocation lists (CRLs)
PKI provides you with a scalable, secure mechanism for distributing, managing, and revoking encryption and
identity information in a secured data network. Every routing device participating in the secured communication
is enrolled in the PKI in a process where the routing device generates a Rivest, Shamir, and Adelman (RSA)
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1826
Prerequisites for Signed Tcl Scripts
To Next Page
Loading...
Need help?
General
