1, why cisco change the

Hongju Jung · ‎06-08-2015

Dear on duty

I read field notice 63979 that is IOS-XR SW, SMU PIE application will expired issue as a summary of their history

1, Currently Cisco IOS-XR plaform device running with (Code Signing Sever) CSS certficate that is preinstalled on the device and make sure check verify for upgrades and downgrades, SMU, PIE before installation

2, if the certifcate is not update with a pre-expriry SMU before Oct 17th, 2015 or post-expriry SMU after OCT 17,2015 ==> all Cisco IOS-XR Software, SMU, PIE will be failure occured

[Question]

1, what is CSS certificate ?

2, CSS certificate will be remove the device let me know what happen ?

3, Currently all Cisco IOS-XR imgae running with CSS cerrifcate or now if yes how to check running on the device ?

Please refer field notice information as a bleow link

http://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63979.html

thanks

smilstea · ‎06-08-2015

1. Code Sign Server certificate. This is a way to digitally sign our packages (.pie and .vm) so that they can be recognized as genuine and installed properly.

2. The certificate is set to expire in Oct. Your existing installation will continue working, you simply won't be able to perform an install add. The SMU will simply extend the life of the certificate (until 2042). After Oct 17 we will be able to add a temporary certificate and install a different SMU with the full fix.

3. This runs on all XR images.

Thanks,

Sam

Hongju Jung · ‎06-10-2015

Dear smilstea and other expert team

I have still question regarding this matter.

1, why cisco change the certificate code

2, CSS certificate work for veirfy installation SMU, SW, PIE corret but we don't know about how to working this process , if you know about how to interworking this process please let me know specifically

3, CSS and Abrxas new code certificate will check License status too ? such as how many volume, feature etc

4, After 2015, Oct, 17 will be change the new Code type (Abrxas) that will be change the working process befer than CSS type ?

thanks

Eddie Chami · ‎06-10-2015

1, why cisco change the certificate code

Eddie: Because it expired.

2, CSS certificate work for veirfy installation SMU, SW, PIE corret but we don't know about how to working this process , if you know about how to interworking this process please let me know specifically

Eddie: Can you explain why you need to understand the interworking? What is in the field notice is what we are prepared to share at this stage.

3, CSS and Abrxas new code certificate will check License status too ? such as how many volume, feature etc

Eddie: This impacts the install operation of Pie/SMU/SP/FP only. Not feature licenses, that is separate.

4, After 2015, Oct, 17 will be change the new Code type (Abrxas) that will be change the working process befer than CSS type ?

Nothing is changing as far as the user is concerned, how we sign our certificates is. No impact to end user, these are changes in our signature infrastructure off system.

1, why cisco change the certificate code

2, CSS certificate work for veirfy installation SMU, SW, PIE corret but we don't know about how to working this process , if you know about how to interworking this process please let me know specifically

3, CSS and Abrxas new code certificate will check License status too ? such as how many volume, feature etc

4, After 2015, Oct, 17 will be change the new Code type (Abrxas) that will be change the working process befer than CSS type ?

- See more at: https://supportforums.cisco.com/discussion/12527551/ios-xr-filed-notice-63979-asr9k-crs-device#sthash.BJEWT0TE.dpuf

DIEGO ZORRILLA · ‎06-10-2015

Question

I dont found the SMU for 4.0.1, do you know if it will be release?

Eddie Chami · ‎06-10-2015

Diego, 4.0.1 has passed its engineering maintenance date, need to upgrade to 4.3.4/5.1.3/5.2.4 before the cert expires. be quick.. We will not be releasing a SMU for 4.0.1.

DIEGO ZORRILLA · ‎06-10-2015

Tks

Echami, we can still do turboboot from 4.0.1 to 4.3.4 or 5.1.3 after Oct. 17 right?

Eddie Chami · ‎06-10-2015

You can do turboboot, but you will then have to reinstall the certificate and install the post upgrade SMU, so your paying a turboboot tax and opex tax. It's just better to upgrade before the 17th and install the pre 17th SMU, you won't have to worry about this again.

Turboboot is not something we want our customers do, its for disaster recovery.

Regards

Eddie.

DIEGO ZORRILLA · ‎06-11-2015

OOOooooo thats right Eddie, i dont see that comming, needing to install the post upgrade SMU.

Great!!!

[IOS-XR] filed notice 63979 for ASR9k, CRS device