cc/td/doc/product/webscale/css/css_sca
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

Release Note for the Cisco 11000 Series Secure Content Accelerator

Release Note for the Cisco 11000 Series Secure Content Accelerator

This release note applies to software version 3.2.0.22 for Cisco 11000 Series Secure Content Accelerators. The note supplements information found in the Cisco 11000 Series Secure Content Accelerator Configuration Guide distributed with version 3.1 of the firmware.

The Cisco 11000 Series Secure Content Accelerator is compatible with all Cisco content switches—the Cisco LocalDirector, the Catalyst Content Switching Module, and the Cisco CSS 11000 Series Content Services Switches.

The following sections are presented in this note:

CD Contents

The CD-ROM contains the following resources:

The table below shows the configuration manager software versions appropriate for each operating system.

Operating System Software Version

Red Hat Linux

3.2

Windows NT 4

3.2

Windows 2000

3.2

Solaris Sparc

3.2

Firmware and Software Version Notes

The FW directory contains the firmware flash image for the Cisco 11000 Series Secure Content Accelerator. Use the flash image to update a 3.x version of the firmware.

Product Version Information

The CSS 11000 Secure Content Accelerator configuration utility, cscacfg, is only compatible with devices that have the same software version. Devices with a different firmware version must be configured using the configuration manager that matches the firmware on the device.

Release version refers to the CD software release and not to the firmware or configuration manager versions. Any reference to firmware or the configuration manager in these release notes or documentation is to CD software release version. The commands show version and show device display both the cscacfg (configuration manager) and firmware versions as well as the software release version. The end number of the text returned shows the build date and time stamp in the following format:

|Year|Month|Day|Time Stamp|

For example:

|2001|08|03|1046|

Loading New Firmware

The fw directory contains the firmware image of the Cisco 11000 Series Secure Content Accelerator. This file is described in the following table.

Filename Description

css-sca-2fe-k9.phz

Image of the 3.2.0.22 software release. This image is used only to reflash the device and update previous versions of the device.

Use the following instructions to upgrade the firmware on the device and the remote configuration manager software. Please read the entire document before proceeding with the flash upgrade.

Serial Console CLI Instructions

    1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator. An FTP URL is preferred.

    2. Connect to the Secure Content Accelerator via a serial management session at 9600 baud.

    3. Check the existing firmware version using the show device command. The returned text should contain "MaxOS 3.1.0".

    4. Enter these commands to load the firmware image, where protocol is HTTP, FTP, or TFTP; serverip is the IP address of the server; and path is the path to the firmware image file.

    enable copy to flash protocol://serverip/path/css-sca-2fe-k9.phz reload

    5. Wait for several minutes for the device to reload and reboot.

    6. Check the firmware version by using the show device command. The returned text should contain "MaxOS 3.2.0".

    7. Continue with configuration as desired.

Telnet CLI Instructions

    1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator. An FTP URL is preferred.

    2. Connect to the Secure Content Accelerator using the IP address previously assigned to it.

    3. Check the existing firmware version using the show device command. The returned text should contain "MaxOS 3.1.0".

    4. Enter these commands to load the firmware image, where protocol is HTTP, FTP, or TFTP; serverip is the IP address of the server; and path is the path to the firmware image file.

    enable copy to flash protocol://serverip/path/css-sca-2fe-k9.phz reload

    5. You will see a status message stating the connection to the device was lost. Wait for several minutes for the device to reload and reboot. The telnet connection to the device is lost.

    6. Reconnect to the device using a telnet management session.

    7. Check the firmware version by using the show device command. The returned text should contain "MaxOS 3.2.0".

    8. Continue with configuration as desired.

Remote CLI Instructions

Follow these instructions for downgrading using a remote CLI management session.

    1. Copy the firmware image to the computer from which you configure the Secure Content Accelerator.

    2. Open the existing configuration manager application (cscacfg) using the desktop shortcut or the Start button (Windows) or entering cscacfg at a Unix or Linux prompt.

    3. Display all Secure Content Accelerators found by the configuration manager by entering the show device list command. If the device is not listed, use the discover command.

    4. The following commands assume only one device has been discovered by the configuration manager. If more than one Secure Content Accelerator is listed, use the on form of the command to specify the desired device.

Use these commands to attach to and enter Privileged mode:

    attach enable

    5. If only one Secure Content Accelerator is listed, use the show device command. If more than one device is listed, use the command on devname show device, where devname is the name of the device. The returned text should contain "MaxOS 3.1.0".

    6. Enter these commands to load the firmware image, where path is the path to the firmware image file. (If using a Windows operating system, use back slashes instead of forward slashes.)

    copy to flash path/css-sca-2fe-k9.phz reload

    7. Quit the configuration manager. If you wish to continue with configuration via the remote configuration manager, you must remove the 3.1.0 version and install the 3.2.0 version as described in "Remote Configuration Manager Replacement" below. Make sure you upgrade all 3.1.0 devices before removing the 3.1 version of the configuration manager.

    8. To continue configuring the device with the 3.2.0 remote configuration manager, open the application (cscacfg) using the desktop short cut or the Start button (Windows) or entering cscacfg at a Unix or Linux prompt.

    9. Display all Secure Content Accelerators found by the configuration manager by entering the show device list command. If the device is not listed, use the discover command.

    10. Attach to the device and check the firmware version using the show device command. The returned text should contain "MaxOS version 3.2.0".

    11. Continue with configuration as desired.

Remote Configuration Manager Replacement


Note   Make sure you upgrade all 3.1.0 devices before removing the 3.1.0 version of the remote configuration manager. The remote configuration manager version must match that of the device.

Linux

Use these instructions for installing the 3.2.0 remote configuration manager in Linux. Installing the 3.2.0 remote configuration manager will replace the 3.1.0 installation. If the 3.1.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate path and file names if the 3.2.0 distribution directory has been downloaded onto the local file system. Enter the following commands at a Linux prompt:

mount -o map=off /mnt/cdrom cd /mnt/cdrom/fw/Linux/i386 ./install_cscacfg

Solaris

Use these instructions for removing the 3.1.0 remote configuration manager and installing the 3.2.0 remote configuration manager in Solaris. If the 3.2.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate path and file names if the 3.2.0 distribution directory has been downloaded onto the local file system.

    1. Remove the previous installation with pkgrm.

    2. Enter this command:

    pkgadd -d /cdrom/cdrom0/fw/Solaris/Sparc

    3. When the package is presented for installation, press Enter to install it.

    4. Type q after installation to exit.

Windows NT and Windows 2000

Use these instructions for removing the 3.1.0 remote configuration manager and installing the 3.2.0 remote configuration manager in Windows NT or Windows 2000.

    1. Remove the 3.1.0 Configuration manager using Add/Remove Programs in the Control Panel.When the Install Shield Wizard opens, select the Remove option button and click Next. Follow the screen prompts as they are displayed.

    2. If the 3.2.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate icon, path, and file names if the 3.0.6 distribution directory has been downloaded onto the local file system.

    3. Double-click the CD icon.

    4. Double-click the MSWin icon.

    5. Double-click the WinNT icon (Windows NT) or Win2K icon. (Windows 2000).

    6. Double-click the setup.exe application icon.

    7. Follow the displayed Install Shield instructions.

GUI Instructions

Follow these instructions for upgrading the device using a GUI management session.

    1. Open a Web browser and connect to the Secure Content Accelerator.

    2. Ensure that the General>Status page is displayed.

    3. The Release panel should contain "3.1.0.N", where N is any number.

    4. Click Tools to activate the Tools tabs.

    5. Click the Firmware tab.

    6. Type the path and firmware image file name or URL in the Upload Firmware text box, or click Browse and navigate to and select the firmware image file from the local file system.

    7. Click Upload to load the firmware image into the GUI.

    8. Click Install Image next to the file information in the Installable Firmware Images panel.

    9. After the new firmware has uploaded, click the Restart tab.

    10. Click Reboot to reload the device. Wait several minutes for the device to reboot.

    11. Reconnect to the device using the GUI and the IP address assigned to it.

    12. Click General to activate the General tabs.

    13. The Release panel should contain "3.2.0".

    14. Continue with configuration as desired.

What's New in 3.2.0.22

Errors generated by using httpheader with Netscape 4.77 have been eliminated.

What's New in 3.2.0.20

What's New in 3.2

Using New Features

The following sections contain information for using the new and updated features in the 3.2 firmware release.

Secure URL Rewrite

The Secure URL Rewrite feature prevents URL redirects and references from breaking or circumventing SSL sessions. This example uses the CLI. The same options are available in the GUI.


Note   The command line in the examples reflects using a serial management session.

    1. Open a management session with the device.

    2. Enter Privileged, Configuration, and SSL Configuration modes:

    SCA> enable SCA# configure (config[SCA])# ssl (config-ssl[SCA])#

    3. Enter Server Configuration mode for the server you wish to configure URL rewrites.

    (config-ssl[SCA])# server myServer (config-ssl-server[myServer])#

    4. The urlrewrite command uses the following syntax:

    urlrewrite <domainName> [sslport <portid>] [clearport <portid>] <redirectonly>

domainName

The domain or file identifier as a domain name, IP address, or path and file name. An * (asterisk) wild card character can be used to specify more than one server in a single domain, e.g., "*.company.com".

sslport

Keyword identifying the specified port to be used for SSL traffic.

portid

A port identification for SSL traffic.

clearport

Keyword identifying the specific port to be used for clear text traffic.

portid

A port identification for clear text traffic.

redirectonly

A keyword is used to indicate that only the "Location:" field in the HTTP 30x redirect header should be rewritten. This solves a common problem with Web servers using insecure HTTP 30x redirects.



Enter a URL rewrite rule for the www.mybusiness.com.

    (config-ssl-server[myServer])# urlrewrite www.mybusiness1.com sslport 443 clearport 81
All references that pass through the device to http://www.mybusiness1.com:81 are rewritten to https://www.mybusiness1.com.

To securely rewrite only 30x-series redirects (i.e., 302 or 304) referencing http:// rather than all instances of https:// (such as those that appear intentionally in the application data), use the redirectonly option. (This command must be entered on a single line.)

    (config-ssl-server[myServer])# urlrewrite www.mybusiness2.com sslport 443 clearport 81 redirectonly

    5. A wildcard can be used to specify multiple SSL hosts in the same domain.

    (config-ssl-server[myServer])# urlrewrite *.mybusiness3.com sslport 443 clearport 81
Wildcards should be used with care to avoid any unwanted rewriting of references.

    6. To see the results of these URL rewrite rules in the server configuration, enter the following command. The results are presented below it.

    (config-ssl-server[myServer])# show ssl server myServer ... URL Rewrite: Name Clear Port SSL Port Redirect Only _________________________________________________________________________ www.mybusiness1.com 443 81 No www.mybusiness2.com 443 81 Yes *.mybusiness3.com 443 81 No

For more information about URL rewriting, contact your Cisco representative for a copy of the white paper SSL Offloaders and Contextual Consistency.

Additional SNTP Commands

The 3.2 firmware upgrade offers additional SNTP capabilities, including allowing up to four SNTP servers.


Note   To provide increased security, we recommend using an SNTP server on the internal network. Using an external SNTP server might compromise network security.

    1. Open a management session with the device.

    2. Enter Privileged and Configuration modes:

    SCA> enable SCA# configure (config[SCA])#

    3. Enter the IP addresses or host names of up to four SNTP servers. (Host names are resolved to IP addresses in the device configuration.)

    (config[SCA])# sntp server 10.1.24.2 (config[SCA])# sntp server 10.1.24.4 (config[SCA])# sntp server 10.2.22.2 (config[SCA])# sntp server 10.2.22.6 (config[SCA])#

    4. The default polling interval is 86400 seconds (one day). To change this interval to 43200 seconds (12 hours), enter use the sntp interval command.

    (config[SCA])# sntp interval 43200 (config[SCA])#

    5. To view the results of these commands, you can use either the show sntp or show device command. The show sntp command and an example of returned information are below.

    (config[SCA])# show sntp SNTP server sources: 10.1.24.2 (0/6 fails/tries, stratum 2) 10.1.24.4 (0/0 fails/tries, stratum 2) 10.2.22.2 (0/0 fails/tries, stratum 2) 10.2.22.6 (0/0 fails/tries, stratum 2) SNTP synchronization interval: 43200 (seconds) (config[SCA])#
The show device command and an example of returned information are presented below.

    (config[SCA])# show device ... SNTP sync'ing : every 43200 (s) from 10.1.24.2, 10.1.24.4, 10.2.22.2, 10.2.22.6 (0/6 fails/tries, stratum 2) (0/0 fails/tries, stratum 2) (0/0 fails/tries, stratum 2) (0/0 fails/tries, stratum 2) ...

Any errors resulting from polling and synchronization are written to the syslog messages.

Time and Date Commands

Time and date commands have been updated to be more consistent with other Cisco devices.

    1. Open a serial or telnet management session with the device.

    2. Enter Privileged and Configuration modes:

    SCA> enable SCA# configure (config[SCA])#

    3. Set the time by entering the following command. Press ENTER to accept the displayed time or type the new time and press ENTER.

    (config[SCA])# clock time Enter time [10:28:54]:

    4. Set the date by entering the following command. Press ENTER to accept the displayed date or type in the new date and press ENTER.

    (config[SCA])# clock date Enter date [02-15-2002]:

Use the show date command to display the device date and time settings.

Connecting the Device to a Terminal Server

The Secure Content Accelerator can be connected to a terminal server, such as the Cisco 2511 Access Server. You will need a standard RJ45-DB9F adapter (CAB-9AS-FDTE, part number 74-0495-01).

    1. Attach the RJ45-DB9F adapter to the CONSOLE port of the Secure Content Accelerator.

    2. Using an octal cable with RJ45 connectors, attach the terminal server to the Secure Content Accelerator via the RJ45-DB9F adapter.

    3. Using the line interface on the terminal server, use these commands:

    line 1 autocommand connect transport input all
    Note   If you are using firmware older than 3.0.5 on the Secure Content Accelerator, also use the command speed 115200.

Upgrade Notes

The 3.2 version can only be upgraded from 3.0 and later releases. Upgrading from other versions can fail or cause the loss of certain configuration parameters. The CD includes a 3.0.6 directory containing firmware images and remote configuration software necessary for the incremental update. Please see the section "Upgrading from Previous Releases" section.

Downgrading from 3.2 to 3.1

Be aware that configurations for features not supported in 3.1 firmware cannot be used after the device has been downgraded. When the device reboots after downgrade, error messages might be displayed, reflecting unsupported portions of the configuration. These can be ignored safely.

Serial Console CLI Instructions

We recommend using the serial console for downgrading the Secure Content Accelerator. Follow these instructions for downgrading using a serial management session.

    1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator. An FTP URL is preferable.

    2. Connect to the Secure Content Accelerator via a serial management session at 9,600 baud.

    3. Check the existing firmware version using the show device command. The returned text should contain "MaxOS 3.2.0".

    4. Enter these commands to load the firmware image, where protocol is HTTP, FTP, or TFTP; serverip is the IP address of the server; and path is the path to the firmware image file.

    enable copy to flash protocol://serverip/path/css-sca-2fe-k9.phz reload

    5. Wait for several minutes for the device to reload and reboot.

    6. Reconnect to the Secure Content Accelerator.

    7. Check the firmware version by using the show device command. The returned text should contain "MaxOS 3.1.0".

    8. Continue with configuration as desired.

Telnet CLI Instructions

Follow these instructions for downgrading using a telnet management session.

    1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator.

    2. Connect to the Secure Content Accelerator using the IP address previously assigned to it.

    3. If desired, save the running configuration for reloading following the downgrade using the copy running-configuration command. Enter the URL, including the protocol, for the configuration file when prompted. An FTP URL is preferable. An HTTP URL can only be used with a server that accept posts (PUT).

    4. Check the existing firmware version using the show device command. The returned text should contain "MaxOS 3.2.0".

    5. Enter these commands to load the firmware image, where prot is HTTP, FTP, or TFTP; serverip is the IP address of the server; and path is the path to the firmware image file.

    enable copy to flash prot://serverip/path/css-sca-2fe-k9.phz reload

    6. You will see a status message stating the connection to the device was lost. Wait for several minutes for the device to reload and reboot. The telnet connection to the device is lost.

    7. Connect to the device using a serial or telnet management session.

    8. Check the firmware version by using the show device command. The returned text should contain "MaxOS 3.1.0".

    9. Continue with configuration as desired.

Remote CLI Instructions

Follow these instructions for downgrading using a remote CLI management session.

    1. Copy the firmware image to the computer from which you configure the Secure Content Accelerator.

    2. Open the existing configuration manager application (cscacfg) using the desktop shortcut or the Start button (Windows) or entering cscacfg at a Unix or Linux prompt.

    3. Display all Secure Content Accelerators found by the configuration manager by entering the show device list command. If the device is not listed, use the discover command.

    4. The following commands assume only one device has been discovered by the configuration manager. If more than one Secure Content Accelerator is listed, use the on form of the command to specify the desired device.

Use these commands to attach to and enter Privileged mode:

    attach enable

    5. If only one Secure Content Accelerator is listed, use the show device command. If more than one device is listed, use the command on devname show device, where devname is the name of the device. The returned text should contain "MaxOS 3.2.0".

    6. If desired, save the running configuration for reloading following the downgrade using the write file command. Enter the path and file name for the configuration file when prompted.

    7. Enter these commands to load the firmware image, where path is the path to the firmware image file.

    copy to flash path/css-sca-2fe-k9.phz reload

    8. Quit the configuration manager. If you wish to continue with configuration via the remote configuration manager, you must remove the 3.2 version and install the 3.1.0 version as described in "Remote Configuration Manager Replacement" below. Make sure you downgrade all 3.2.0 devices before removing the 3.2 version of the configuration manager.

    9. To continue configuring the device with the 3.1.0 remote configuration manager, open the application (cscacfg) using the desktop short cut or the Start button (Windows) or entering cscacfg at a Unix or Linux prompt.

    10. Display all Secure Content Accelerators found by the configuration manager by entering the show device list command. If the device is not listed, use the discover command.

    11. Attach to the device and check the firmware version using the show device command. The returned text should contain "MaxOS version 3.1.0".

    12. Continue with configuration as desired.

Remote Configuration Manager Replacement


Note   Make sure you downgrade all 3.1.0 devices before removing the 3.1.0 version of the remote configuration manager.

Linux

Use these instructions for installing the 3.1.0 remote configuration manager in Linux. Installing the 3.1.0 remote configuration manager will replace the 3.2.0 installation. If the 3.2.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate path and file names if the 3.1.0 distribution directory has been downloaded onto the local file system. Enter the following commands at a Linux prompt:

mount -o map=off /mnt/cdrom cd /mnt/cdrom/310/Linux/i386 ./install_cscacfg

Solaris

Use these instructions for removing the 3.2.0 remote configuration manager and installing the 3.1.0 remote configuration manager in Solaris. If the 3.2.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate path and file names if the 3.1.0 distribution directory has been downloaded onto the local file system.

    1. Remove the previous installation with pkgrm.

    2. Enter this command:

    pkgadd -d /cdrom/cdrom0/310/Solaris/Sparc

    3. When the package is presented for installation, press Enter to install it.

    4. Type q after installation to exit.

Windows NT and Windows 2000

Use these instructions for removing the 3.2.0 remote configuration manager and installing the 3.1.0 remote configuration manager in Windows NT or Windows 2000.

    1. Remove the 3.2.0 Configuration manager using Add/Remove Programs in the Control Panel.When the Install Shield Wizard opens, select the Remove option button and click Next. Follow the screen prompts as they are displayed.

    2. If the 3.2.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate icon, path, and file names if the 3.1.0 distribution directory has been downloaded onto the local file system.

    3. Double-click the CD icon.

    4. Double-click the 310 icon.

    5. Double-click the MSWin icon.

    6. Double-click the WinNT icon (Windows NT) or Win2K icon. (Windows 2000).

    7. Double-click the setup.exe application icon.

    8. Follow the displayed Install Shield instructions.

GUI Instructions

Follow these instructions for downgrading using a GUI management session.

    1. Open a Web browser and connect to the Secure Content Accelerator.

    2. Ensure that the General>Status page is displayed.

    3. The Release panel should contain "3.2.0.N", where N is any number.

    4. If desired, save the running configuration for reloading following the downgrade using this procedure:

    5. Click Tools to activate the Tools tabs.

    6. Click the Firmware tab.

    7. Type the path and firmware image file name in the Upload Firmware text box, or click Browse and navigate to and select the firmware image file from the local file system.

    8. Click Upload to load the firmware image into the GUI.

    9. Click Install Image next to the file information in the Installable Firmware Images panel.

    10. After the new firmware has uploaded, click the Restart tab.

    11. Click Reboot to reload the device. Wait several minutes for the device to reboot.

    12. Reconnect to the device using the GUI and the IP address assigned to it.

    13. Click General to activate the General tabs.

    14. The Release panel should contain "3.1.0".

    15. Continue with configuration as desired.

Operational Notes for 3.2

Network Design and Command Notes for 3.2

Secure Server Notes for 3.1

GUI Notes for 3.2

    access-list 10 permit 127.0.0.1 0.0.0.0 web-mgmt access-list 10

CLI Notes for 3.2

SNMP Notes for 3.2

The factory-set default SNMP community is "public"; however, "public" is not listed in the configuration. The behavior of setting and resetting the SNMP community is demonstrated in the table below.

Command SNMP community is set to... SNMP community in configuration is...

snmp default community XYZ

XYZ

XYZ

no snmp default community

XYZ

No default community listed

snmp default community public

public

public

Syslog Usage Notes

The SSL device syslog implementation for firmware 3.2 and below supports only "kern" facility logging. A future release will offer "local" and custom facility support. The following are example syslogd.conf settings:

    kern.debug; /var/log/ssl-debug kern.info; /var/log/ssl-info kern.none; /var/log/ssl-none kern.crit; /var/log/ssl-crit kern.warn; /var/log/ssl-warn

Or you can use the settings displayed below:

    *.debug; /var/log/ssl-debug *.info; /var/log/ssl-info *.none; /var/log/ssl-none *.crit; /var/log/ssl-crit *.warn; /var/log/ssl-warn

Linux-Specific Issues for 3.2

Solaris-Specific Issues for 3.2

Windows NT 4.0-Specific Issues for 3.2

Windows 2000-Specific Issues for 3.2

In rare instances when using the Windows version of the configuration manager, resizing the window while doing a continuous display of statistics can cause an exception in the configuration manager.

Version 3.2 Command Changes

Table 1 and Table 2 list CLI commands and options that have been added to or changed in version 3.2, respectively. Changed commands are listed in their current 3.2 format. Table 3 lists commands have been removed in this release. The command descriptions are a summary.


Table 1: CLI Commands Added in 3.2
Mode Command and Syntax Description

Top Level Mode (Non-Privileged Mode)

show flows

on <devname|groupname|all> show flows

Availability: Remote, Serial, Telnet

Displays IP connection information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices. Replaces the previous show flow command.

Top Level Mode (Privileged Mode)

show diagnostic-report

Availability: Serial, Telnet

Displays configuration and diagnostic information for a device. The reports shown are the following:

  • SSL Device Configuration (show device)

  • Startup Configuration (show startup-config)

  • Running Configuration (show running-config)

  • Processes (show processes)

  • Network Status (show netstat)

  • Memory Statistics (show memory)

  • Memory Zones (show memory zones)

  • SSL Statistics (show ssl statistics)

  • SSL Session Statistics (show ssl session stats)

  • SSL Errors (show ssl errors)

Individual reports can be generated using the command following each report name.

show sntp

Availability: Remote, Serial, Telnet

Displays SNTP configuration information, including the SNTP servers configured and the polling interval.

Configuration Mode

clock [date|time]

Availability: Serial

Allows the administrator to set the date or time, respectively. After entering the command, you are prompted to enter the appropriate date or time. The device date and time can be viewed by using the show date command.

sntp interval [seconds]

Availability: Remote, Serial, Telnet

Sets polling interval for all configured SNTP servers, where seconds is the number of seconds between polls. The default interval is 86400 seconds (one day), the minimum and maximum intervals are 60 and 2419200 (one month), respectively. The interval can be displayed using the commands show device, show snmp and write terminal.

sntp server [ipaddr|hostname]

no sntp server [ipaddr|hostname]

Availability: Remote, Serial, Telnet

Sets or removes a specified SNTP server in the device configuration. You are prompted to enter and verify the password. Use the no form of the command to clear the SNTP server. If more than one SNTP server has been configured, you must specify the IP address or hostname of the one to delete. Up to four SNTP servers can be configured. If the first SNTP server returns an error, the next SNTP server is polled. After the fourth SNTP poll returns an error, the first server is polled again. SNTP information can be displayed using the commands show device, show snmp and write terminal.

Note   When a hostname is used rather than an IP address, the hostname is resolved as an IP address when written to the configuration.

Server Configuration Mode

urlrewrite <domainName> [sslport <portid>] [clearport <portid>] <redirectonly>

no urlrewrite <domainName>

Availability: Remote, Serial, Telnet

Sets or remove a specified URL rewrite rule for the current secure server. The domainName is the domain or file identifier as a domain name, IP address, or path and file name. An * (asterisk) wild card character can be used to specify more than one server in a single domain, e.g., "*.company.com". The redirectonly keyword is used to indicate that only the "Location;" field in the HTTP 30x redirect header should be rewritten. This solves a common problem with Web servers using insecure HTTP 30x redirects. Up to 32 URL rewrite rules can be configured. Use the no form of the command to clear the specified rule. If more than one rule has been configured, you must specify the domain name of the rule to delete. URL rewrite information can be displayed by using the command show ssl server.


Table 2: CLI Commands Changed in 3.2
Mode Command and Syntax Description

Configuration Mode

rdate-server [ipaddr|hostname]

no rdate-server

Availability: Remote, Serial, Telnet

Sets or removes a specified RDATE server in the device configuration. You are prompted to enter and verify the password. Use the no form of the command to clear the access- or enable-level password for the current device. Only one RDATE server can be configured.

Note   When a hostname is used rather than an IP address, the hostname is resolved as an IP address when written to the configuration.

sntp-server [ipaddr|hostname]

no sntp-server [ipaddr|hostname]

Availability: Remote, Serial, Telnet

Sets or removes a specified SNTP server in the device configuration. You are prompted to enter and verify the password. Use the no form of the command to clear the access- or enable-level password for the current device. If more than one SNTP server has been configured, you must specify the IP address or hostname of the one to remove. Up to four SNTP servers can be configured. If the first SNTP server returns an error, the next SNTP server is polled. After the fourth SNTP poll returns an error, the first server is polled again.

Note   When a hostname is used rather than an IP address, the hostname is resolved as an IP address when written to the configuration.


Table 3: CLI Commands Deprecated in 3.2
Mode Command and Syntax Description

Configuration Mode

show flow

on <devname|groupname|all> show flow

Availability: Remote, Serial, Telnet

Displays IP connection information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

snmp trap-type enterprise ssl-cert-expire

no snmp trap-type enterprise ssl-cert-expire

Availability: Remote, Serial, Telnet

Specifies trapping for errors caused by expired certificates. Use the no form of the command to turn off SSL certificate expiration SNMP trapping.

snmp trap-type enterprise ssl-cert-invalid

no snmp trap-type enterprise ssl-cert-invalid

Availability: Remote, Serial, Telnet

Specifies trapping for errors caused by invalid certificates. Use the no form of the command to turn off SSL invalid certificate SNMP trapping.

snmp trap-type enterprise ssl-certify-failure

no snmp trap-type enterprise ssl-certify-failure

Availability: Remote, Serial, Telnet

Specifies trapping for errors caused by certificate authorization failures. Use the no form of the command to turn off SSL certificate authorization failure SNMP trapping.

snmp trap-type enterprise ssl-neg-failure

no snmp trap-type enterprise ssl-neg-failure

Availability: Remote, Serial, Telnet

Specifies trapping for SSL negotiation failures. Use the no form of the command to turn off SSL negotiation failure SNMP trapping.

Server Configuration Mode

redirect
no redirect

Availability: Remote, Serial, Telnet

Enables server redirection. Use the no form of the command to disable server redirection.

What's New in 3.1

Notes for 3.1

The following sections contain notes related to the 3.1 release.

Upgrading from Previous Releases

The 3.1 version can only be upgraded from 3.0 and later releases. Upgrading from other versions can fail or cause the loss of certain configuration parameters. The CD includes a 306 directory containing firmware images and remote configuration software necessary for the incremental update. Before continuing with the upgrade, please read the notes below. To install the 3.0.6 version from a previous firmware release, see the file RelNot_306.pdf in the 306 directory of the distribution CD.

Upgrade Notes

Table 4, below, presents device behaviors resulting from several upgrade scenarios as well as workarounds, if available.


Table 4: Upgrade Scenarios
Scenario Result Workaround

User-defined security policy "noexport56" is present. Reboot.

The user-defined security policy is over-written.

Recreate the existing user-defined security policy using a different name before updating the device.

User-defined certificate group "defaultCA" is present. Reboot.

The user-defined certificate group is over-written.

Recreate the existing user-defined certificate group with a different name before updating the device.

Prior to update, 251 user-defined security policies are present.

The security policy listed as index number 251 is deleted at reboot.

    1. Prior to updating, attach to the device using a CLI and use the show ssl command.

    2. Look at the list in the Security Policies block. The Id 251 security policy is deleted at reboot. You can delete another security policy to preserve that one.

    3. Identify the security policy used least.

    4. Use the following commands to delete it.

    enable configure ssl no secpolicy polname

Proceed with the update as instructed.

Prior to update, 64 user-defined certificate groups are present.

The certificate group listed as index number 64 is deleted at reboot.

    1. Prior to updating, attach to the device using a CLI and use the show ssl command.

    2. Look at the list in the Certificate Groups block. The Id 64 certificate group is lost when rebooting. You can delete another group to preserve that one.

    3. Identify the certificate group used least.

    4. Use the following commands to delete it.

    enable configure ssl no certgroup certgpname

Proceed with the update as instructed.

Prior to update, more than 495 user-defined certificates are present.

Certificates listed as index number 499 and above are deleted at reboot.

    1. Prior to updating, attach to the device using a CLI and use the show ssl command.

    2. Look at the list in the Certificates block. Certificates listed as Id 499 and above are lost when rebooting. You can delete any less-used certificates to preserve the user-defined certificates listed as Id 499 and above.

    3. Identify the certificates used least.

    4. Use the following commands to delete each certificate.

    enable configure ssl no cert certname

Proceed with the update as instructed.

Downgrading to 3.0.6

Devices flashed with version 3.1 firmware can be downgraded to version 3.0.6 firmware. The 310 directory contains an Adobe Acrobat file named DowngrdNote.pdf. This file has instructions for proceeding with the downgrade.

Operational Notes for 3.1

Network Design and Command Notes for 3.1

Secure Server Notes for 3.1

GUI Notes for 3.1

    access-list 10 permit 127.0.0.1 0.0.0.0 web-mgmt access-list 10

CLI Notes for 3.1

SNMP Notes for 3.1

Command SNMP community is set to... SNMP community in configuration is...

snmp default community XYZ

XYZ

XYZ

no snmp default community

XYZ

No default community listed

snmp default community public

public

public

Linux-Specific Issues for 3.1

Solaris-Specific Issues for 3.1

Windows NT 4.0-Specific Issues for 3.1

Windows 2000-Specific Issues for 3.1

In rare instances when using the Windows version of the configuration manager, resizing the window while doing a continuous display of statistics can cause an exception in the configuration manager.

Version 3.1 Command Changes

Table 5 and Table 6 list CLI commands and options that have been added or changed to software version 3.1. Changed commands are listed in their current 3.1 format. No commands have been removed in this release. The command descriptions are a summary. Please see the Cisco 11000 Series Secure Content Accelerator Configuration Guide for more information.


Table 5: CLI Commands Added in 3.1
Mode Command and Syntax Description

Top Level: Non-Privileged and Privileged Modes

monitor <command>

on <devname|groupname|all> monitor <command>

Availability: Remote, Serial, Telnet

Displays the results of the specified show command at one second intervals, where command is the command. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

set monitor-interval <value>
no set monitor-interval

Availability: Remote, Serial, Telnet

Sets the number of seconds between monitor-prefixed command refreshes. Use the no form of the command to return the monitor interval to default value.

show flow

on <devname|groupname|all> show flow

Availability: Remote, Serial, Telnet

Displays IP connection information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show rdate-server

on <devname|groupname|all> show rdate-server

Availability: Remote, Serial, Telnet

Displays the IP address of the RDATE protocol server configuration for one or more devices.

show sntp-server

on <devname|groupname|all> show sntp-server

Availability: Remote, Serial, Telnet

Displays SNTP-server information for one or more devices. The SNTP server is used for date and time information.

show ssl session-stats [continuous] [interval <value>]

on <devname|groupname|all> show ssl session-stats [continuous] [interval <value>]

Availability: Remote, Serial, Telnet

Displays SSL session statistics summed over all secure logical servers on one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

Top Level: Non-Privileged and Privileged Modes

(continued)

show telnet

on <devname|groupname|all> show telnet

Availability: Remote, Serial, Telnet

Displays telnet management information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show web-management

on <devname|groupname|all> show web-management

Availability: Remote, Serial, Telnet

Displays Web-based GUI management information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

terminal baud <1200|2400|4800|9600|19200|38400|115200>

Availability: Serial

Sets the baud for communicating with the Secure Content Accelerator.

Top Level: Privileged Mode

clear line <sessionId>

Availability: Serial

Closes a specified management session, where sessionId is the session identifier.

clear ssl session-stats

on <devname|groupname|all> clear ssl session-stats

Availability: Remote, Serial, Telnet

Resets all SSL session statistics for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

refresh

Availability: Remote, Serial, Telnet

Updates device information in the configuration manager.

Group Configuration Mode

finished

Availability: Remote

Exits Group Configuration Mode and returns to Top Level mode.

Configuration Mode

finished

Availability: Remote, Serial, Telnet

Leaves Configuration Mode and returns to Top Level mode.

registration-code <code>

Availability: Remote, Serial, Telnet

Stores the registration code of the device.

sntp-server <ipaddr>
no sntp-server

Availability: Remote, Serial, Telnet

Assigns an SNTP server, where ipaddr is the IP address of the server. Use the no form of the command to remove the SNTP server information.

Configuration Mode

(continued)

telnet port <portid>
no telnet port <
portid>

Availability: Remote, Serial, Telnet

Specifies the TCP service port to use for telnet management sessions, where portid is the TCP service port to be used when managing the device via a telnet session. Use the no form of the command to return the telnet management port to the default setting. The port assignment is used at the next attach.

web-mgmt port <portid>
no web-mgmt port <
portid>

Availability: Remote, Serial, Telnet

Specifies the TCP service port used for management with the Web-based GUI, where portid is the TCP service port to be used when managing the device via the GUI. Use the no form of the command to return the GUI management port to the default setting. The port assignment is used at the next attach.

Interface Configuration Mode

finished

Availability: Remote, Serial, Telnet

Leaves Interface Configuration Mode and returns to Top Level mode.

SSL Configuration Mode

backend-server <servname> [create]
no backend-server <
servname>

Availability: Remote, Serial, Telnet

Creates and/or configures the specified backend server, where servname is the name of the server, and enters Backend Server Configuration mode for that server. The no form of the command is used to remove the specified backend server. A device can have a total of 255 servers in any combination of backend, reverse-proxy, or standard secure servers.

finished

Availability: Remote, Serial, Telnet

Leaves SSL Configuration Mode and returns to Top Level mode.

gencsr <key <keyname>> [newhdr] [digest md5|sha1] [output <filename|url>]

Availability: Remote, Serial, Telnet

Generates a certificate signing request and/or self-signed certificate, where keyname is the name of the key to use for generation and filename and url are the location for the optional output file.

reverse-proxy-server <servname> [create]
no reverse-proxy-server <
servname>

Availability: Remote, Serial, Telnet

Creates and/or configures the specified reverse-proxy server, where servname is the name of the server, and enters Reverse-Proxy Server Configuration mode for that server. The no form of the command is used to remove the specified reverse-proxy server. A device can have a total of 255 servers in any combination of backend, reverse-proxy, or standard secure servers.

Backend Server Configuration Mode

activate

Availability: Remote, Serial, Telnet

Activates the current suspended backend server if enough information has been configured.

certgroup serverauth <certgroupname>
no certgroupchain

Availability: Remote, Serial, Telnet

Assigns a certificate group to be used for server certificate authentication, where certgroupname is the name of the existing certificate group. The no form of the command is used to disable server authentication using the certificate group. When using the no form of the command, you need not specify any certificate group name. Only one certificate group can be used.

end

Availability: Remote, Serial, Telnet

Exits Backend Server Configuration mode, activates all changes, and returns to SSL Configuration mode.

exit

Availability: Remote, Serial, Telnet

Exits Backend Server Configuration mode, activates all changes, and returns to SSL Configuration mode.

finished

Availability: Remote, Serial, Telnet

Leaves Backend Server Configuration Mode and returns to Top Level mode.

help [command]

Availability: Remote, Serial, Telnet

Displays help information for the specified command. If you do not specify a command, help information is displayed for all Backend Server Configuration Commands.

info

Availability: Remote, Serial, Telnet

Displays current information about the logical secure server being edited or created.

ip address <ipaddr> [netmask <mask>]
no ip address

Availability: Remote, Serial, Telnet

Sets the specified IP address for the backend server, where ipaddr is the IP address and mask is the valid netmask. Using the no form of the command clears the IP address for the backend server.

localport <port|default>

Availability: Remote, Serial, Telnet

Specifies the TCP service port through which non-secure connections are received, where port is the port specification. Using the keyword default sets the port specification to 80.

log-url <ipaddr>

Availability: Remote, Serial, Telnet

Specifies a host for logging of URL requests, where ipaddr is the IP address of the log host.

Backend Server Configuration Mode

(continued)

remoteport <port|default>

Availability: Remote, Serial, Telnet

Specifies the TCP service port through which redirected secure connections are sent, where port is the port specification. Using the keyword default sets the port specification to 443.

secpolicy <polname|all|default|strong|weak>

Availability: Remote, Serial, Telnet

Creates an association between this server and the specified security policy, where polname is the name of the existing security policy.

serverauth enable
no serverauth enable

Availability: Remote, Serial, Telnet

Enables server certificate authentication. Using the no form of the command disables server certificate authentication.

serverauth ignore all | none|signature-failure| expired-date|cert-not-yet-valid| invalid-ca|domain-name
no serverauth ignore all | none|signature-failure| expired-date|cert-not-yet-valid| invalid-ca|domain-name

Availability: Remote, Serial, Telnet

Specifies the server authentication errors to ignore. Any combination of options can be used currently. Use the no form of the command to cease ignoring the specific server authentication error.

session-cache enable
no session-cache enable

Availability: Remote, Serial, Telnet

Enables session caching. Use the no form of the command to disable session caching.

session-cache size <cachesize>

Availability: Remote, Serial, Telnet

Specifies the size of the session cache, where cachesize is the number of sessions to be cached. The default is 1024. The acceptable range is 1 to 5096.

session-cache timeout <seconds>

Availability: Remote, Serial, Telnet

Specifies the session cache length before being timed out, where seconds is the number of seconds before the cache times out.

suspend [now]

Availability: Remote, Serial, Telnet

Suspends the function of the backend server.

transparent
no transparent

Availability: Remote, Serial, Telnet

Enables the backend server to function as a transparent proxy (default). When transparent proxy behavior is disabled, the device accepts connections on the IP address of the Secure Content Accelerator rather than on the server address. The no form of the command is used to disable this behavior.

Certificate Configuration Mode

finished

Availability: Remote, Serial, Telnet

Leaves Certificate Configuration Mode and returns to Top Level mode.

Certificate Group Configuration Mode

finished

Availability: Remote, Serial, Telnet

Leaves Certificate Group Configuration Mode and returns to Top Level mode.

Key Configuration Mode

finished

Availability: Remote, Serial, Telnet

Leaves Key Configuration Mode and returns to Top Level mode.

genrsa [bits <512|1024>] [encrypt <des|des3>] [seed <seedstring>] [output <filename|url>]

Availability: Remote, Serial, Telnet

Generates an RSA key.

Reverse-Proxy Server Configuration Mode

activate

Availability: Remote, Serial, Telnet

Activates the current suspended reverse-proxy server if enough information has been configured.

certgroup serverauth <certgroupname>
no certgroupchain

Availability: Remote, Serial, Telnet

Assigns a certificate group to be used for server certificate authentication, where certgroupname is the name of the existing certificate group. The no form of the command is used to disable server authentication using the certificate group. When using the no form of the command, you need not specify any certificate group name. Only one certificate group can be used.

end

Availability: Remote, Serial, Telnet

Exits Reverse-Proxy Server Configuration mode, activates all changes, and returns to SSL Configuration mode.

exit

Availability: Remote, Serial, Telnet

Exits Reverse-Proxy Server Configuration mode, activates all changes, and returns to SSL Configuration mode.

finished

Availability: Remote, Serial, Telnet

Leaves Reverse-Proxy Server Configuration Mode and returns to Top Level mode.

help [command]

Availability: Remote, Serial, Telnet

Displays help information for the specified command. If you do not specify a command, help information is displayed for all Reverse-Proxy Server Configuration Commands.

info

Availability: Remote, Serial, Telnet

Displays current information about the logical secure server being edited or created.

ip address <ipaddr> [netmask <mask>]
no ip address

Availability: Remote, Serial, Telnet

Sets the specified IP address for the backend server, where ipaddr is the IP address and mask is the valid netmask. Using the no form of the command clears the IP address for the backend server.

Reverse-Proxy Server Configuration Mode

(continued)

localport <port|default>

Availability: Remote, Serial, Telnet

Specifies the TCP service port through which non-secure connections are received, where port is the port specification. Using the keyword default sets the port specification to 80.

log-url <ipaddr>

Availability: Remote, Serial, Telnet

Specifies a host for logging of URL requests, where ipaddr is the IP address of the log host.

remoteport <port|default>

Availability: Remote, Serial, Telnet

Specifies the TCP service port through which redirected secure connections are sent, where port is the port specification. Using the keyword default sets the port specification to 443.

secpolicy <polname|all|default|strong|weak>

Availability: Remote, Serial, Telnet

Creates an association between this server and the specified security policy, where polname is the name of the existing security policy.

serverauth enable
no serverauth enable

Availability: Remote, Serial, Telnet

Enables server certificate authentication. Using the no form of the command disables server certificate authentication.

serverauth ignore all | none|signature-failure| expired-date|cert-not-yet-valid| invalid-ca|domain-name
no serverauth ignore all | none|signature-failure| expired-date|cert-not-yet-valid| invalid-ca|domain-name

Availability: Remote, Serial, Telnet

Specifies the server authentication errors to ignore. Any combination of options can be used currently. Use the no form of the command to cease ignoring the specific server authentication error.

session-cache enable
no session-cache enable

Availability: Remote, Serial, Telnet

Enables session caching. Use the no form of the command to disable session caching.

session-cache size <cachesize>

Availability: Remote, Serial, Telnet

Specifies the size of the session cache, where cachesize is the number of sessions to be cached. The default is 1024. The acceptable range is 1 to 5096.

session-cache timeout <seconds>

Availability: Remote, Serial, Telnet

Specifies the session cache length before being timed out, where seconds is the number of seconds before the cache times out.

suspend [now]

Availability: Remote, Serial, Telnet

Suspends the function of the reverse-proxy server.

Security Policy Configuration Mode

finished

Availability: Remote, Serial, Telnet

Leaves Security Policy Configuration Mode and returns to Top Level mode.

Server Configuration Command Mode

activate

Availability: Remote, Serial, Telnet

Activates the current logical secure server if enough information has been configured.

certgroup clientauth <certgroupname>
no clientauth

Availability: Remote, Serial, Telnet

Assigns a certificate group to be used as a certificate trust list for client certificate authentication. The no form of the command is used to disable client authentication using the certificate group. When using the no flag, you need not specify any certificate group name. Only one certificate chain can be used.

clientauth enable
no clientauth enable

Availability: Remote, Serial, Telnet

Enables client certificate authentication. Use the no form of the command to disable client certificate authentication.

clientauth error <cert-not-provided|
cert-not-yet-valid|
cert-has-expired| cert-revoked|cert-has-invalid-ca|
cert-has-signature-failure|
cert-other-error|all> <fail|failhtml|ignore|redirect <
url>>
no clientauth error <cert-not-provided| cert-not-yet-valid|
cert-has-expired|cert-revoked| cert-has-invalid-ca|
cert-has-signature-failure|
cert-other-error|all >

Availability: Remote, Serial, Telnet

Specifies the client certificate authentication errors to ignore. Any combination of options can be used currently. Use the no form of the command to cease ignoring the specific client authentication error.

clientauth verifydepth <depth>

Availability: Remote, Serial, Telnet

Specifies the level of certificate within the certificate group to use when verifying client certificates, where depth is the number of certificates within the certificate group to use for authentication.

ephrsa
no ephrsa

Availability: Remote, Serial, Telnet

When an export browser version connects to a server using 1024-bit keys, this allows the RSA key exchange (the SSL handshake) to be negotiated using a dynamically created 512-bit key. Using ephemeral RSA ensures the device complies with United States commerce laws. The default is no ephemeral RSA. Use the no form of the command to disable ephemeral RSA.

finished

Availability: Remote, Serial, Telnet

Leaves Server Configuration Mode and returns to Top Level mode.

Server Configuration Mode

(continued)

httpheader <session|server-cert|client-cert| pre-filter|prefix <prefixString>>
no httpheader <session|server-cert|client-cert| pre-filter|prefix>

Availability: Remote, Serial, Telnet

Specifies the header information to pass to backend HTTP servers. Any combination of options can be used currently. Use the no form of the command to cease using the specific option.

redirect
no redirect

Availability: Remote, Serial, Telnet

Enables server redirection. Use the no form of the command to disable server redirection.

session-cache enable
no session-cache enable

Availability: Remote, Serial, Telnet

Enables session caching. Use the no form of the command to disable session caching.

session-cache size <cachesize>

Availability: Remote, Serial, Telnet

Specifies the size of the session cache, where cachesize is the number of sessions. The default is 1024. The acceptable range is 1 to 5096.

session-cache timeout <seconds>

Availability: Remote, Serial, Telnet

Specifies the session cache length before being timed out, where seconds is the number of seconds.

suspend [now]

Availability: Remote, Serial, Telnet

Suspends the function of the server.


Table 6: CLI Commands Changed in 3.1
Mode Command and Syntax Description

Top Level: Non-Privileged and Privileged Modes

show profile [all]

Availability: Remote

Displays the monitor-interval and on-prefix settings of the if they have been changed from the default settings.

Top Level: Privileged Mode

copy running-configuration [filename|url]

on <devname> copy running-configuration [filename]

Availability: Remote, Serial, Telnet

Writes the running-configuration of a device to a file. If you do not specify a file name or URL, you are prompted for it. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

copy to flash [filename|url]

on <devname> copy to flash [filename]

Availability: Remote, Serial, Telnet

Uploads a Cisco Secure Content Accelerator image file to the device flash. If you do not specify a file name or URL, you are prompted for it. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

copy to running-configuration [filename|url]

on <devname> copy to running-configuration [filename]

Availability: Remote, Serial, Telnet

Uploads a saved configuration file and merges it to the running-configuration of a device. If you do not specify a file name or URL, you are prompted for it. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

Configuration Mode

password <access|enable>
no password <access|enable>

Availability: Remote, Serial, Telnet

Sets the access- or enable-level password for the current Secure Content Accelerator. You are prompted to enter and verify the password. Use the no form of the command to clear the access- or enable-level password for the current device.

Backend Server Configuration Mode

secpolicy <polname|all|default| noexport56|strong|weak>

Availability: Remote, Serial, Telnet

Creates an association between the backend server and the specified security policy.

Reverse-Proxy Server Configuration Mode

secpolicy <polname|all|default| noexport56|strong|weak>

Availability: Remote, Serial, Telnet

Creates an association between the reverse-proxy server and the specified security policy.

Server Configuration Mode

secpolicy <polname|all|default| noexport56|strong|weak>

Availability: Remote, Serial, Telnet

Creates an association between the server and the specified security policy.

What's New in 3.0

The 3.0 release of the Cisco Secure Content Accelerator firmware and software adds additional features and functionality. Changes to individual commands are noted in "Version 3.0 Command Changes".

Known Issues in 3.0

The notes in this section apply to the Cisco CSS 11000 Secure Content Accelerator configuration manager application, version 3.0, for all operating systems.

    %%timeout waiting for response to my challenge %%Could not successfully attach to <device name>.

Linux-Specific Notes for 3.0

The notes in this section apply to the Cisco CSS 11000 Secure Content Accelerator configuration manager application, version 3.0, for RedHat Linux.

    /mnt/cdrom/RedHat/RPMS/compat-libstdc++-6.2-2.9.0.9.i386.rpm

Solaris-Specific Notes for 3.0

The notes in this section apply to the Cisco CSS 11000 Secure Content Accelerator configuration manager application, version 3.0, for Solaris.

Windows 2000-Specific Notes for 3.0

In rare instances, resizing the window while doing a continuous display of statistics can cause an exception in the configuration manager.

Windows NT-Specific Notes for 3.0

Version 3.0 Command Changes

Table 7 and Table 8 list CLI commands and options that have been added or changed to software version 3.0. Changed commands are listed in their current 3.0.5 format. Table 9 lists commands which have been removed in this release version. These descriptions are a summary. Please see the Cisco CSS 11000 Secure Content Accelerator Configuration Guide for more information.


Table 7: CLI Commands Added in 3.0
Mode Command and Syntax Description

Top Level: Non-Privileged and Privileged Modes

enable
no enable

on <devname|groupname|all> enable
on <
devname|groupname|all> no enable

Availability: Remote, Serial, Telnet

If an enable-level password has been defined, you must enter it when prompted. When using remote management, enters Privileged mode for a single, attached device. If more than one device is valid for this command, use the on form of the command to specify the device(s) to enable, where devname is the name of an individual device, groupname is the name of a user-defined group, and all represents all appropriate devices. Using the no form of this command leaves Privileged mode.

group <groupname> [create]
no group <
groupname>

Availability: Remote

Use the create flag to create the specified group and enter Group Configuration mode for it, where groupname is the name of the device group. Use the no form of the command to remove the specified group.

paws

Availability: Remote, Serial, Telnet

Pauses the configuration manager for a specified time or until a key is pressed.

set on-prefix <devname|groupname>
no set on-prefix

Availability: Remote

Sets the target device(s) to address as default when using the on prefix, where devname is the name of a single device and groupname is the name of a user-defined device group. Use the no form of the command to clear the default entity.

show cpu [continuous] [interval <value>]

on <devname|groupname|all> show cpu [continuous] [interval <value>]

Availability: Remote, Serial, Telnet

Displays CPU utilization information for one or more devices. Use the continuous option to display statistics continuously, updated every second. Use the interval option to specify an interval for display updates, where value is the interval in seconds. Press any key to stop displaying statistics. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show date

Availability: Serial, Telnet

Displays current date and time settings on the device.

Top Level: Non-Privileged and Privileged Modes

(continued)

show device list

Availability: Remote

Displays summary information for all Secure Content Accelerators in the same broadcast domain as the configuring computer or found by the configuration manager through the discover or discover port commands.

show dns

on <devname|groupname|all> show dns

Availability: Remote, Serial, Telnet

Displays DNS configuration information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show group [<groupname>]

Availability: Remote

Displays group summary information for the specified group, where groupname is the name of the user-defined group. You must specify a group unless only one group is defined.

show ip domain-name

on <devname|groupname|all> show ip domain-name

Availability: Remote, Serial, Telnet

Displays DNS configuration information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show interface errors [<network | server>] [continuous] [interval <value>]

on <devname|groupname|all> show interface errors [<network | server>] [continuous] [interval <value>]

Availability: Remote, Serial, Telnet

Displays a listing of interface errors for one or more devices. If an interface is not specified, errors for both interfaces are displayed. If continuous is specified, error statistics are updated every second. Use the interval option to specify an interval for display updates, where value is the interval in seconds. Press any key to stop displaying errors. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show ip name-server

on <devname|groupname|all> show ip name-server

Availability: Remote, Serial, Telnet

Displays DNS configuration information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show profile

Availability: Remote

Displays current user preferences setting.

Top Level: Non-Privileged and Privileged Modes

(continued)

show route

on <devname|groupname|all> show route

Availability: Remote, Serial, Telnet

Displays the routing table stored in one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show sessions

Availability: Serial, Telnet

Displays current remote, serial, and telnet management connections to the device.

show ssl key [<keyname>]

on <devname|groupname|all> show ssl key [<keyname>]

Availability: Remote, Serial, Telnet

Displays summary data for the specified public/private key pair loaded on one or more devices, where keyname is the name of the key. If you do not specify a key name, all key information is displayed. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

terminal length

Availability: Remote, Serial, Telnet

Sets the number of lines in a terminal window.

terminal width <width>

Availability: Remote, Serial, Telnet

Sets the width of the terminal window.

Top Level: Privileged Mode

clear interface statistics

on <devname|groupname|all> clear interface statistics

Availability: Remote, Serial, Telnet

Resets all interface statistics for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

clear ip routes

on <devname|groupname|all> clear ip routes

Availability: Remote, Serial, Telnet

Clears the IP routing table on one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

clear ip statistics

on <devname|groupname|all> clear ip statistics

Availability: Remote, Serial, Telnet

Resets all IP statistics on one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

Top Level: Privileged Mode

(continued)

copy running-configuration [<filename>]

on <devname> copy running-configuration [<filename>]

Availability: Remote

Writes the running-configuration of a device. If you do not specify a file name, you are prompted for it. When using remote configuration, use the on form of the command to specify the target of the command, where devname is the device name.

copy running-configuration <url>

Availability: Serial, Telnet

Writes the running-configuration of a device to a file, where url is the name of the file.

copy running-configuration startup-configuration

Availability: Serial, Telnet

Writes the running-configuration of a device to its startup-configuration.

copy startup-configuration <url>

Availability: Serial, Telnet

Writes the startup-configuration of a device to a file, where url is the name of the file.

copy startup-configuration running-configuration

Availability: Serial, Telnet

Writes the startup-configuration of a device to its running-configuration.

copy to flash <url>

Availability: Serial, Telnet

Uploads a Cisco Secure Content Accelerator image file to the device flash, where url is the name of the file.

copy to flash [<filename>]

on <devname|groupname|all> copy to flash [<filename>]

Availability: Remote

Uploads a Cisco Secure Content Accelerator image file to the device flash. If you do not specify a file name, you are prompted for it. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

copy to running-configuration [<filename>]

on <devname> copy to running-configuration [<filename>]

Availability: Remote

Uploads a saved configuration file to the device flash. If you do not specify a file name, you are prompted for it. When using remote configuration, use the on form of the command to specify the target of the command, where devname is the device name.

copy to running-configuration <url>

Availability: Serial, Telnet

Uploads a saved configuration file and merges it to the running-configuration of a device, where url is the file name.

Top Level: Privileged Mode

(continued)

copy to startup-configuration <url>

Availability: Serial, Telnet

Uploads a saved configuration file and merges it to the startup-configuration of a device, where url is the file name.

disable

on <devname|groupname|all> disable

Availability: Remote, Serial, Telnet

Exits Privileged mode for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

erase running-configuration

on <devname|groupname|all> erase running-configuration

Availability: Remote, Serial, Telnet

Erases the running-configuration on one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

erase startup-configuration

on <devname|groupname|all> erase startup-configuration

Availability: Remote, Serial, Telnet

Erases the startup-configuration on one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices

show startup-configuration

Availability: Serial, Telnet

Displays the startup-configuration of a device.

write memory

Availability: Serial, Telnet

Writes the running-configuration to flash memory on a device.

write network <url>

Availability: Serial, Telnet

Writes the running-configuration to a file on a remote host, where url is the name of the file.

Group Configuration Mode

device <devname>
no device <
devname>

Availability: Remote

Adds the specified device to the group list, where devname is the name of the device.

end

Availability: Remote

Leaves Group Configuration Mode.

exit

Availability: Remote

Leaves Group Configuration Mode.

help [<command>]

Availability: Remote

Displays information for a specific command, where command is the name of the command. If no command is specified, help information is displayed for all Group Configuration commands.

Group Configuration Mode

(continued)

info

Availability: Remote

Displays current information about the device group being created or edited.

Configuration Mode

exit

Availability: Remote, Serial, Telnet

Leaves Configuration Mode and returns to Privileged Mode.

ip domain-name <name>

Availability: Remote, Serial, Telnet

Sets the default domain name for the device, where name is the domain name.

ip name-server <ipaddr>

Availability: Remote, Serial, Telnet

Sets the one or more name servers to use with the device, where ipaddr is the IP address of the Domain Name Server.

mode one-port
no mode one-port

Availability: Serial

Enables secure and non-secure traffic to pass through the single "Network" Ethernet port. Use the no form of the command to return the device to dual-port mode.

mode pass-thru
no mode pass-thru

Availability: Remote, Serial, Telnet

Enables pass through of non-SSL traffic. Pass through is the default. Use the no form of the command to block non-SSL traffic pass through.

rdate-server <ipaddr>
no rdate-server

Availability: Remote, Serial, Telnet

Specifies and RDATE-protocol server to be used for date and time information on the device, where ipaddr is the IP address of the RDATE server.

remote-management shared-secret <passphrase>
no remote-management shared-secret

Availability: Serial

Sets the secret passphrase used for encryption, where passphrase is the passphrase. Use the no form of the command to clear the passphrase.

telnet access-list <id>
no telnet access-list <
id>

Availability: Remote, Serial, Telnet

Assigns an existing access list to be used with telnet management requests, where id is the access list identifier. Use the no form of the command to remove the specified access list.

telnet enable
no telnet enable

Availability: Remote, Serial, Telnet

Allows telnet management sessions for the device. Use the no form of the command to disable telnet management access

timezone <zone>

Availability: Serial, Telnet

Specifies the time zone of the device's location, where zone is the time zone identifier.

Configuration Mode

(continued)

web-mgmt access-list <id>
no web-mgmt access-list <
id>

Availability: Remote, Serial, Telnet

Assigns an existing access list to be used with web browser-based management requests, where id is the access list identifier. Use the no form of the command to remove the specified access list.

web-mgmt enable
no web-mgmt enable

Availability: Remote, Serial, Telnet

Allows web browser-based management sessions for the device. Use the no form of the command to disable web browser-based management access.

SSL Configuration Mode

import pkcs12 <name> [<filename>]|<url>

Availability: Remote, Serial, Telnet

Imports and processes a pkcs12-format file to create certificate and key objects, where name is the user-defined name for the certificate and key objects, filename is the path and name of the file, and url is the location of the file (serial and telnet only).

import pkcs7 <name> <der|pem> [prefix <prefixText>] [<filename>]|<url>

Availability: Remote, Serial, Telnet

Imports and processes a pkcs7-format file to create a certificate object, where name is the user-defined name of the certificate group object, prefixText is the prefix assigned to the certificate names in the chain, filename is the path and name of the file, and url is the location of the file (serial and telnet only). You must specify whether the file is encoded in DER or PEM format and identify a prefix, if any.

key <keyname> [create]
no key <
keyname>

Availability: Remote, Serial, Telnet

Creates and/or configures the specified key object, where keyname is the name of the key and enters Key Configuration mode for the specified key. The create flag is used to create a new key. The no flag is used to remove a key. You may not delete a key referenced by a server. You can have up to 255 key objects.

Certificate Configuration Mode

binhex [<value>]

Availability: Remote, Serial, Telnet

Allows a binary hex-encoded X509 certificate to be pasted into the configuration manager. After the command is entered, you are prompted to paste the key from the cut buffer. You can use a text editor to copy the key from a file. After the key is pasted, you must press Enter twice to complete the command.

exit

Availability: Remote, Serial, Telnet

Exits Certificate Configuration mode, activates all valid changes, and returns to SSL Configuration mode.

Certificate Group Configuration Mode

exit

Availability: Remote, Serial, Telnet

Exits Certificate Group Configuration mode, activates all changes, and returns to SSL Configuration mode.

Key Configuration Mode

binhex [<value>]

Availability: Remote, Serial, Telnet

Allows a binary hex-encoded key to be pasted into the configuration manager. After the command is entered, you are prompted to paste the key from the cut buffer. You can use a text editor to copy the key from a file. After the key is pasted, you must press Enter twice to complete the command.

Security Policy Configuration Mode

exit

Availability: Remote, Serial, Telnet

Exits Security Policy Configuration mode, activates all changes, and returns to SSL Configuration mode.

Server Configuration Command Set

cert <certname | default | default-1024 | default 512>

Availability: Remote, Serial, Telnet

Sets the specified certificate for use by the server. Only one certificate is allowed per server. If you enter this command with a different certificate, that reference replaces the earlier one.

exit

Availability: Remote, Serial, Telnet

Exits Server Configuration mode, activates all changes, and returns to SSL Configuration mode.

key <keyname | default | default-1024 | default 512>

Availability: Remote, Serial, Telnet

Sets the specified key for use by the server. Only one key is allowed per server. If you enter this command with a different key, that reference replaces the earlier one.

log-url <ipaddr>

Availability: Remote, Serial, Telnet

Specifies a host for logging of URL requests, where ipaddr is the IP address of the host.


Table 8: CLI Commands Changed in 3.0
Mode Command and Syntax Description

Top Level: Non-Privileged and Privileged Modes

attach
no attach

on <devname|groupname|all> attach
on <
devname|groupname|all> no attach

Availability: Remote

Instructs the configuration manager to attach to one or more devices. Use the no form of the command to detach the configuration manager from one or more devices. If an access-level password has been defined, you must enter it when prompted before the configuration manager will attach to the device(s). If a shared secret passphrase has been assigned as part of remote management encryption, you are prompted for it. If more than one device is valid for this command, use the on form of the command to specify the device(s) to attach to or detach from (using the no form of the command), where devname is the name of an individual device, groupname is the name of a user-defined group, and all represents all appropriate devices.

discover [port <portid>]

Availability: Remote

Checks the network for new remote devices. Use the port option to specify a TCP service port to search for devices when using an alternate remote management port, where portid is the port number.

exit

Availability: Remote, Serial, Telnet

Quits the configuration manager. When executed from the remote configuration manager, closes the configuration manager. When executed from a serial connection, does not close the connection. If an access password has been configured, you are prompted for it. When executed from telnet, closes the telnet connection.

quit

Availability: Remote, Serial, Telnet

Quits the configuration manager. When executed from the remote configuration manager, closes the configuration manager. When executed from a serial connection, does not close the connection. If an access password has been configured, you are prompted for it. When executed from telnet, closes the telnet connection.

show arp
on <
devname|groupname|all> show arp

Availability: Remote, Serial, Telnet

Displays the arp device cache on a single device. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show device
on <
devname|groupname|all> show device

Availability: Remote, Serial, Telnet

Displays device information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

Top Level: Non-Privileged and Privileged Modes

(continued)

show interface [network | server]

on <devname|groupname|all> show interface [network | server]

Availability: Remote, Serial, Telnet

Displays information for the specified Ethernet interface for one or more devices. The information includes connection, duplex, speed, and autonegotiation settings. You must specify a device name unless only one Secure Content Accelerator is attached. If you do not specify network or server, information for all interfaces on the specified device is displayed. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show interface statistics [<network | server>] [continuous] [interval <value>]

on <devname|groupname|all> show interface statistics [<network | server>] [continuous] [interval <value>]

Availability: Remote, Serial, Telnet

Displays interface statistics for one or more devices. If an interface is not specified, statistics for both interfaces are displayed. If continuous is specified, statistics are updated every second. Use the interval option to specify an interval for display updates, where value is the interval in seconds. Press any key to stop displaying statistics. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show ip routes

on <devname|groupname|all> show ip routes

Availability: Remote, Serial, Telnet

Displays the routing table for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show ip statistics

on <devname|groupname|all> show ip statistics

Availability: Remote, Serial, Telnet

Displays diagnostic IP, ICMP, TCP, and UDP statistics for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show keepalive-monitor

on <devname|groupname|all> show keepalive-monitor

Availability: Remote, Serial, Telnet

Displays a list of keepalive-monitor IP addresses for one or more devices. SSL errors from IP addresses specified with the keepalive-monitor command are ignored. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

Top Level: Non-Privileged and Privileged Modes

(continued)

show memory [zones]

on <devname|groupname|all> show memory [zones]

Availability: Remote, Serial, Telnet

Displays memory usage on one or more devices. The zones flag is used to display information for each memory zone. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show messages

on <devname|groupname|all> show messages

Availability: Remote, Serial, Telnet

Displays the diagnostic message buffer for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show netstat

on <devname|groupname|all> show netstat

Availability: Remote, Serial, Telnet

Displays the current state of the IP connection for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show processes

on <devname|groupname|all> show processes

Availability: Remote, Serial, Telnet

Displays information, by thread, about processes running on one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show remote-management

on <devname|groupname|all> show remote-management

Availability: Remote, Serial, Telnet

Displays remote management information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show rip

on <devname|groupname|all> show rip

Availability: Remote, Serial, Telnet

Displays the RIP status of one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

Top Level: Non-Privileged and Privileged Modes

(continued)

show snmp

on <devname|groupname|all> show snmp

Availability: Remote, Serial, Telnet

Displays SNMP configuration information for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show ssl

on <devname|groupname|all> show ssl

Availability: Remote, Serial, Telnet

Displays SSL summary data for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show ssl cert [<certname>]

on <devname|groupname|all> show ssl cert [<certname>]

Availability: Remote, Serial, Telnet

Displays summary data for the specified certificate entity loaded on one or more devices, where certname is the name of the certificate. If you do not specify a certificate entity name, all certificate entity information is displayed. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show ssl certgroup [<certgroupname>]

on <devname|groupname|all> show ssl certgroup [<certgroupname>]

Availability: Remote, Serial, Telnet

Displays summary data for a certificate group loaded on one or more devices, where certgroupname is the name of the certificate group. If you do not specify a certificate group, all certificate group information is displayed. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show ssl errors [continuous] [interval <value>]

on <devname|groupname|all> show ssl errors [continuous] [interval <value>]

Availability: Remote, Serial, Telnet

Displays SSL errors reported on one or more devices. Use the continuous option to update the statistics every second. Use the interval option to specify an interval for display updates, where value is the interval in seconds. Press any key to stop displaying errors. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

Top Level: Non-Privileged and Privileged Modes

(continued)

show ssl secpolicy [<polname>]

on <devname|groupname|all> show ssl secpolicy [<polname>]

Availability: Remote, Serial, Telnet

Displays summary data for the specified security policy on one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show ssl server [<servname>]
on <
devname|groupname|all> show ssl server [<servname>]

Availability: Remote, Serial, Telnet

Displays information for the specified configured logical secure server on one or more devices, where servname is the name of the logical secure server. If you do not specify a secure server name, all secure server information is displayed. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show ssl statistics [continuous] [interval <value>]

on <devname|groupname|all> show ssl statistics [continuous] [interval <value>]

Availability: Remote, Serial, Telnet

Displays SSL statistics summed over all secure logical servers on one or more devices. Use the continuous option to update the statistics every second. Use the interval option to specify an interval for display updates. Press any key to stop displaying information. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show syslog

on <devname|groupname|all> show syslog

Availability: Remote, Serial, Telnet

Displays the list of hosts to which diagnostic messages from one or more devices are sent. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show system-resources [continuous] [interval <value>]

on <devname|groupname|all> show system-resources [continuous] [interval <value>]

Availability: Remote, Serial, Telnet

Displays system memory and CPU usage for one or more devices. Use the continuous option to update the information every second. Use the interval option to specify an interval for display updates, where value is the interval in seconds. Press any key to stop displaying information. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

Top Level: Non-Privileged and Privileged Mode

(continued)

traceroute <ipaddr|name>

Availability: Remote, Serial, Telnet

Displays the router hops to the specified destination, where ipaddr is the IP address of the destination and name is the host name (serial/telnet only).

Top Level: Privileged Mode

clear messages

on <devname|groupname|all> clear messages

Availability: Remote, Serial, Telnet

Empties the diagnostic message buffer on one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

clear ssl statistics

on <devname|groupname|all> clear ssl statistics

Availability: Remote, Serial, Telnet

Resets all SSL statistics for one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

quick-start

on <devname> quick-start

Availability: Remote, Serial, Telnet

Runs the QuickStart wizard for a device. You must specify a device unless only one device is appropriate. When using remote configuration, use the on form of the command to specify the target of the command, where devname is the name of a single device.

reload

on <devname|groupname|all> reload

Availability: Remote, Serial, Telnet

Reboots one or more devices. You must specify a device unless only one device is appropriate. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

show access-list [<listid>]

on <devname|groupname|all> show access-list [<listid>]

Availability: Remote, Serial, Telnet

Displays the specified access list for one or more devices, where listid is the access list identifier. If you do not specify an access list identifier, information for all access lists is displayed. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

Top Level: Privileged Mode

(continued)

show running-configuration

on <devname|groupname|all> show running-configuration

Availability: Remote, Serial, Telnet

Displays the running-configuration on one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

write file [<filename>]

on <devname> write file [<filename>]

Availability: Remote

Writes the running-configuration of a device to a file on the file system of the configuring computer, where filename is the name and path of the file. When using remote configuration, use the on form of the command to specify the target of the command, where devname is the name of a single device.

write flash

on <devname|groupname|all> write flash

Availability: Remote, Serial, Telnet

Writes the running-configuration to flash memory on one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

write messages [<filename>]

on <devname> write messages [<filename>]

Availability: Remote

Writes the diagnostic messages of a device to a file, where filename is the name and path of the file. If you do not supply a file name, you are prompted for it. When using remote configuration, use the on form of the command to specify the target of the command, where devname is the name of a single device.

write terminal

on <devname|groupname|all> write terminal

Availability: Remote, Serial, Telnet

Displays the running-configuration of one or more devices. When using remote configuration, use the on form of the command to specify the target(s) of the command, where devname is the name of a single device, groupname is the name of a user-defined device group, and all represents all appropriate devices.

Configuration Mode

password <access|enable>
no password <access|enable>

Availability: Remote, Serial, Telnet

Sets the access- or enable-level password for the current Secure Content Accelerator. You are prompted to enter the password. Use the no form of the command to clear the access- or enable-level password for the current device.

Certificate Configuration Mode

der [<cert-filename>]|<url>

Availability: Remote, Serial, Telnet

Loads a DER-encoded X509 certificate into the certificate entity, where cert-filename is the name of the file and url is the location of the file (serial and telnet only). If you do not enter the file name, you are prompted for it. You must enter the path if the file is not located in the current directory.

pem [<cert-filename>]|<url>

Availability: Remote, Serial, Telnet

Loads a PEM-encoded certificate into the certificate entity, where cert-filename is the name of the key file and url is the location of the file (serial and telnet only). If you do not enter the file name, you are prompted for it. You must enter the path if the file is not located in the current directory.

Key Configuration Mode

(was Key Association Configuration Mode)

der [<key-filename>]|<url>

Availability: Remote, Serial, Telnet

Loads a DER-encoded X509 private key into the key entity, where key-filename is the name of the file and url is the location of the file (serial and telnet only). If you do not enter the file name, you are prompted for it. You must enter the path if the file is not located in the current directory.

exit

Availability: Remote, Serial, Telnet

Exits Key Configuration mode, activates all changes, and returns to SSL Configuration mode.

net-iis [<key-filename>]|<url>

Availability: Remote, Serial, Telnet

Loads a private key exported from IIS4 into the key entity, where key-filename is the name of the key file and url is the location of the file (serial and telnet only). You must enter a private key password. If you do not enter the file name, you are prompted for it. You must enter the path if the file is not located in the current directory.

pem [<key-filename>]|<url>

Availability: Remote, Serial, Telnet

Loads a PEM-encoded X509 private key into the key object, where key-filename is the path and name of the file and url is the location of the file (serial and telnet only). If you do not enter the file names, you are prompted for them. Key names cannot contain spaces and must be compatible with the configuring computer's operating system. You must enter the path if the file is not located in the current directory.

Server Configuration Mode

sslport <port|default>

Availability: Remote, Serial, Telnet

Specifies the TCP service port to which non-secure connections is sent, where port is the port number. Use the default argument to return to the default setting of 443.


Table 9: CLI Commands Deprecated in 3.0
Mode Command and Syntax Description

Top Level

attach all
no attach all

Instructs the configuration manager to attach all non-attached remote devices on the network. Use the no form of the command to detach the configuration manager from all remote devices on the network.

copy file configuration [devname]

Loads a saved configuration for use as the active configuration for the device.

copy file flash [devname]

Updates a flash image on the specified device based upon the specified flash image file.

copy file flash all

Updates all flash images on all attached devices.

erase flash [devname]

Erases the configuration stored in the flash memory of the specified device.

erase flash all

Erases the configuration stored in the flash memory on all attached devices.

erase memory [devname]

Erases the configuration running on the specified device but does not erase the configuration stored in the flash memory.

reload all

Reboots all attached configuration-level devices.

show access-lists [devname]

Displays all defined access lists for a specified device.

show configuration [devname]

Displays the active configuration for the specified device.

show devices

Displays a list of all Secure Content Accelerator devices.

show routes [devname]

Displays the routing table stored in the device, where devname is the name of the device.

show ssl errors all [continuous]

Displays SSL errors for all attached Secure Content Accelerator devices.

show ssl keyassoc [keyname]

Displays summary data for the specified public/private key pair loaded on the device.

show ssl statistics all [continuous]

Displays SSL statistics summed over all secure logical servers on all attached Secure Content Accelerator devices.

su [devname]
no su [
devname]

Raises the security level on the specified attach-level device. Using the no form of the command lowers the security level on the specified config-level device.

su all
no su all

Raises the security level on all attach-level devices. Using the no form of the command lowers the security level on all config-level devices.

write flash all

Writes the active configuration to flash memory on all attached devices.

SSL Configuration Mode

keyassoc <keyname> [create]
no keyassoc <
keyname>

Creates and/or configures the specified key association and enters Key Association Configuration mode for the specified key association. The no form of the command is used to remove a key association.

mode one-port

Prompts the administrator to use the serial console to switch operation of the Secure Content Accelerator to use a single Ethernet port for both secure SSL traffic and non-secure clear or plain text traffic.

mode pass-thru
no mode pass-thru

Enables pass-through of non-SSL traffic. This is the default behavior. Use the no form of the command to disable pass-through.

Key Association Configuration Mode

cert <der|pem> [<cert-filename>]

Loads a X509 certificate file in the specified file format.

cert pem-paste

Allows a PEM-encoded X509 certificate to be pasted into the configuration manager.

key <der | netiis | pem> [<key-filename>]

Loads a key file in the specified file format.

key pem-paste

Allows a PEM-encoded key to be pasted into the configuration manager.

Server Configuration Mode

keyassoc <keyassocname>

Creates an association between this logical secure server and the specified key association.

CCIP, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0201R)

Copyright © 2002, Cisco Systems, Inc.
All rights reserved.


hometocprevnextglossaryfeedbacksearchhelp
Posted: Thu Nov 7 06:45:39 PST 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.