Prerequisites For Signed Tcl Scripts - Cisco Catalyst 2960 series Configuration Manual

Consolidated Platform Configuration Guide, IOS Release 15.2(4)E
Prerequisites for Signed Tcl Scripts

For this feature to work, the Cisco public key infrastructure (PKI) configuration trustpoint commands must be enabled.
For further details, see the Prerequisites for Signed Tcl Scripts.

Restrictions for Signed Tcl Scripts

For this feature to work, you must be running the following:
• Cisco IOS Crypto image
• OpenSSL Version 0.9.7a or above
• Expect

Information About Signed Tcl Scripts

The Signed Tcl Scripts feature introduces security for Tcl scripts. It allows you to create a certificate to generate a digital signature and to sign a Tcl script with that digital signature. The certificate is used to examine Tcl scripts before they run. The script is checked for a digital signature from Cisco. In addition, third parties may also sign a script with a digital signature. You may wish to sign your own internally developed Tcl scripts, or you could use a script developed by a third party. If the script contains the correct digital signature, it is believed to be authentic and runs with full access to the Tcl interpreter. If the script does not contain the digital signature, the script may be run in a limited mode, known as Safe Tcl mode, or may not run at all.

To create and use signed Tcl scripts, you should understand the following concepts:

Cisco PKI

Cisco PKI provides certificate management to support security protocols such as IP security (IPsec), secure shell (SSH), and secure socket layer (SSL). A PKI is composed of the following entities:
• Peers communicating on a secure network
• At least one certification authority (CA) that grants and maintains certificates
• Digital certificates, which contain information such as the certificate validity period, peer identity information, encryption keys that are used for secure communication, and the signature of the issuing CA
• An optional registration authority (RA) to offload the CA by processing enrollment requests
• A distribution mechanism (such as Lightweight Directory Access Protocol [LDAP] or HTTP) for certificate revocation lists (CRLs)

PKI provides you with a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network. Every routing device participating in the secured communication is enrolled in the PKI in a process where the routing device generates a Rivest, Shamir, and Adleman (RSA)

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
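
The signature check described under Information About Signed Tcl Scripts can be sketched on a workstation with OpenSSL. This is an added example, not code from the guide and not the IOS procedure. It assumes a detached PKCS#7 signature made with openssl smime, a throwaway self-signed certificate standing in for the trustpoint, and that a script changed after signing is handled like an unsigned one; the file names, the certificate CN and the mode names full, safe and refuse are constructed.

```shell
#!/bin/sh
# Added illustration (not Cisco's procedure): sign a Tcl script with OpenSSL and
# gate its run mode on the signature check. All names here are constructed.

# make_signer DIR: throwaway RSA key plus self-signed certificate (the trust anchor).
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-script-signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# sign_script DIR SCRIPT: write a detached PKCS#7 signature to SCRIPT.p7s.
sign_script() {
    openssl smime -sign -binary -in "$2" -signer "$1/cert.pem" \
        -inkey "$1/key.pem" -outform DER -out "$2.p7s" 2>/dev/null
}

# run_mode DIR SCRIPT FALLBACK: print "full" if SCRIPT.p7s verifies over SCRIPT
# against the trusted certificate; otherwise print FALLBACK ("safe" or "refuse").
run_mode() {
    if [ -f "$2.p7s" ] && openssl smime -verify -binary -inform DER \
        -in "$2.p7s" -content "$2" -CAfile "$1/cert.pem" -purpose any \
        -out /dev/null 2>/dev/null; then
        echo full
    else
        echo "$3"
    fi
}

# demo: signed script, the same script modified after signing, an unsigned script.
demo() {
    d=$(mktemp -d) || return 1
    printf 'puts "interface report"\n' > "$d/report.tcl"
    make_signer "$d" && sign_script "$d" "$d/report.tcl" || { rm -rf "$d"; return 1; }
    first=$(run_mode "$d" "$d/report.tcl" safe)
    printf 'puts "appended after signing"\n' >> "$d/report.tcl"
    second=$(run_mode "$d" "$d/report.tcl" safe)
    printf 'puts "never signed"\n' > "$d/other.tcl"
    third=$(run_mode "$d" "$d/other.tcl" refuse)
    rm -rf "$d"
    echo "$first $second $third"
}

demo   # prints: full safe refuse
```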
