Release Note for the Cisco 11000 Series Secure Content Accelerator: SCA2
This release note applies to the Cisco 11000 Series Secure Content Accelerator, SCA2 version. The note supplements information found in the Cisco 11000 Series Secure Content Accelerator Configuration Guide distributed with version 4.0 of the firmware. The SCA2 offers significantly higher performance than the previous SCA device.
The Cisco 11000 Series Secure Content Accelerator is compatible with all Cisco content switches—the CSS 11500, the Cisco LocalDirector, the Content Switching Module for the Catalyst 6500, and the Cisco CSS 11000 Series Content Services Switches.
The following sections are presented in this note:
Electronic versions of this document and the Cisco 11000 Series Secure Content Accelerator Configuration Guide
The table below shows the configuration manager software versions appropriate for each operating system.
|Operating System|Software Version|
|Red Hat Linux|4.0|
|Windows NT 4|4.0|
|Windows 2000|4.0|
|Solaris Sparc|4.0|
Firmware and Software Version Notes
The FW directory contains the firmware flash image for the SCA2. Use the flash image to replace the firmware image on the device.
Product Version Information
The CSS 11000 Secure Content Accelerator configuration utility, cscacfg, is only compatible with devices that have the same software version. Devices with a different firmware version must be configured using the configuration manager that matches the firmware on the device.
Release version refers to the CD software release and not to the firmware or configuration manager versions. Any reference to the firmware or the configuration manager in these release notes or in the documentation refers to the CD software release version. The commands show version and show device display both the cscacfg (configuration manager) and firmware versions as well as the software release version. The number at the end of the returned text is the build date and time stamp in the following format:
|Year|Month|Day|Time Stamp|
For example:
|2001|08|03|1046|
Reflashing the Firmware
The fw directory contains the firmware image of the SCA2. This file is described in the following table.
|Filename|Description|
|css-sca2-2fe-k9.phz|Image of the 4.0 software release. This image is used only to reflash the device.|
Use the following instructions to reflash the firmware on the device and install the remote configuration manager software. Please read the entire document before proceeding with the flash procedure.
Serial Console CLI Instructions
1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator. An FTP URL is preferable.
2. Connect to the Secure Content Accelerator via a serial management session at 9600 baud.
3. Enter these commands to load the firmware image, where protocol is HTTP, FTP, or TFTP; serverip is the IP address of the server; and path is the path to the firmware image file. (If using a Windows operating system, use back slashes instead of forward slashes.)
enable
copy to flash protocol://serverip/path/css-sca-2fe-k9.phz
reload
4. Wait for several minutes for the device to reload and reboot.
5. Check the firmware version by using the show device command. The returned text should contain "MaxOS 4.0".
6. Continue with configuration as desired.
Telnet CLI Instructions
1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator. An FTP URL is preferable.
2. Connect to the Secure Content Accelerator using the IP address previously assigned to it.
3. Enter these commands to load the firmware image, where protocol is HTTP, FTP, or TFTP; serverip is the IP address of the server; and path is the path to the firmware image file. (If using a Windows operating system, use back slashes instead of forward slashes.)
enable
copy to flash protocol://serverip/path/css-sca-2fe-k9.phz
reload
4. A status message states that the connection to the device was lost; the telnet session is dropped while the device reloads. Wait several minutes for the device to reload and reboot.
5. Reconnect to the device using a telnet management session.
6. Check the firmware version by using the show device command. The returned text should contain "MaxOS 4.0".
7. Continue with configuration as desired.
Remote CLI Instructions
1. Copy the firmware image to the computer from which you configure the SCA2.
2. Open the existing configuration manager application (cscacfg) using the desktop shortcut or the Start button (Windows) or entering cscacfg at a Unix or Linux prompt.
3. Display all Secure Content Accelerators found by the configuration manager by entering the show device list command. If the device is not listed, use the discover command.
4. The following commands assume only one device has been discovered by the configuration manager. If more than one Secure Content Accelerator is listed, use the on form of the command to specify the desired device.
Note: You can set the on prefix to direct commands to a single device.
Use these commands to attach to and enter Privileged mode:
attach
enable
5. Enter these commands to load the firmware image, where path is the path to the firmware image file. (If using a Windows operating system, use back slashes instead of forward slashes.)
copy to flash path/css-sca-2fe-k9.phz
reload
6. Quit the configuration manager. If you wish to continue with configuration via the remote configuration manager, you must install the 4.0 version as described in the Configuration Guide.
7. To continue configuring the device with the remote configuration manager, open the application (cscacfg) using the desktop shortcut or the Start button (Windows) or by entering cscacfg at a Unix or Linux prompt.
8. Display all Secure Content Accelerators found by the configuration manager by entering the show device list command. If the device is not listed, use the discover command.
9. Attach to the device and check the firmware version using the show device command. The returned text should contain "MaxOS version 4.0".
10. Continue with configuration as desired.
GUI Instructions
1. Open a Web browser and connect to the Secure Content Accelerator.
2. Ensure that the General>Status page is displayed.
3. Click Tools to activate the Tools tabs.
4. Click the Firmware tab.
5. Type the path and firmware image file name or URL in the Upload Firmware text box, or click Browse and navigate to and select the firmware image file from the local file system.
6. Click Upload to load the firmware image into the GUI.
7. Click Install Image next to the file information in the Installable Firmware Images panel.
8. After the new firmware has uploaded, click the Restart tab.
9. Click Reboot to reload the device. Wait several minutes for the device to reboot.
10. Reconnect to the device using the GUI and the IP address assigned to it.
11. Click General to activate the General tabs.
12. The Release panel should contain "4.0".
13. Continue with configuration as desired.
Operational Notes
To negotiate a connection with FIPS 140-2-compliant servers configured on the SCA2, some client browsers must be configured to use TLS only. SSL must be disabled in the browser; the data is still encrypted, over TLS.
The commands erase running-config and erase startup-config are not available in FIPS Mode.
The 4.x and previous versions of Netscape can "hang" when client authentication fails. If this happens, the server must be rebooted.
If using IIS authentication, the basic form of Secure URL Rewrite cannot be used. The redirectonly option should be used.
The Cisco CSS 11000 Series Secure Content Accelerator Configuration Guide states the AC voltage as 100-240 VAC, 50-60 KHz. The correct voltage is 100-240 VAC, 50-60 Hz.
Configuring a device using multiple sessions or methods simultaneously can cause undesirable results. We recommend only one session be used at a time to make configuration changes.
If you change the IP address of a device with the remote configuration manager, the connection is lost to that device and must be re-established by restarting the remote configuration manager or using the discover command to find the device.
After changing a device from one-port to two-port mode (and vice versa), write the configuration to flash and reload (reboot) the device for proper functioning.
Copying to a device a configuration that changes the IP address or resets the interface settings can have unexpected results. If a configuration file was saved using the remote configuration manager or the onboard CLI, we recommend the same configuration manager be used to copy the configuration back to the device.
Setting the terminal dimensions at variance with the actual window size can affect the readline capabilities of the device: the displayed cursor position might not reflect its actual position.
No error message is displayed when you attempt to delete an access list that is referenced by certain subsystems; the operation is refused (access is denied) silently.
Although you can set the encryption method for the remote management using the GUI, the encryption is not enabled until a shared secret (passphrase) is set and remote management encryption is enabled. Use the serial console to set the shared secret; use any CLI to enable remote management encryption.
When using the Secure Content Accelerator with a CSS, do not set the keep-alive monitor on the CSS to use TCP service port 2932. This port is reserved for communication with the SSL appliance using the remote configuration manager. If you set the remote management port to a different TCP service port, ensure that the CSS keep-alive monitor does not use that port.
Network Design and Command Notes
If your firewall or router filters traffic based upon MAC address, you must allow multiple MAC addresses per IP address on the interface connected to the device.
Changing the interface speed and duplex from autonegotiation does not display forced configuration if open connections are present. Forced speed and duplex settings are displayed only if a non-autonegotiated speed is specified.
Adding a static route entry for duplicating a previously RIP-discovered route is not supported.
Deleting a RIP-discovered route is not supported.
A RIP-discovered default route cannot be cleared with the command clear ip routes or by disabling RIP alone. To remove this type of route, disable RIP and reload the device.
The command ip route does not allow a change to an existing entry. To change an entry, delete the old entry first and then add the new one.
When changing TCP service ports in the remote management and Web management subsystems, the device must be reloaded (rebooted) for the change to take effect. When changing TCP service ports in the telnet subsystem, the reassignment is immediate. Subsequent telnet connections must be made with the newly assigned port.
In two-port mode services such as syslog, RIP, RDATE server, SNTP server, and SNMP are available only through the "Server" port.
Multiple subsystems can be set to use the same access port. However, this causes undesirable results. Please ensure each subsystem "listening" port is unique on the device.
To use the syslog ability, the configured syslog server must be set to listen for remote entries.
Secure Server Notes
If you edit an object referenced by a server, the server must be restarted before the changes will take effect. To restart the server, enter Privileged and Configuration modes, and use the suspend and activate commands.
Non-transparent server objects are not updated if the device IP address is changed. Reloading the device or accessing the configuration of each server object resets the IP address assignment.
Older browsers do not support chained certificates. We recommend upgrading to a newer browser version if chained certificate support is desired.
A saved configuration file does not contain private keys or passwords. Private keys must be loaded separately with names exactly matching those referenced by the secure server. Additionally, old private keys are not removed from the startup-configuration by copying a new configuration to the device. To remove the old private keys, delete each private key, and write the running-configuration to the startup configuration or erase the startup-configuration.
When using client authentication, individual Web browsers behave very differently in the way they filter requests for client certificates and how they cache certain aspects of the session.
GUI Notes
When setting up the device with SSL client-side GUI access, do not configure a non-transparent secure server to use the same localport.
Erasing the running-configuration of a device using the GUI disconnects the Web browser from the device. To continue configuration, reconnect to the device.
Setting the localport in a secure server entry to the listening TCP port of the Web management subsystem renders the GUI inaccessible. You must use a different listening TCP port for each entity.
When writing a configuration via the GUI, the existing configuration is erased first; therefore, all configurations written using the GUI should be complete configurations. Incremental configuration updates are only possible by adding the changes to a complete configuration, and then writing this configuration. An option for overwriting or incrementally updating a configuration using a written configuration will be added at a future date.
The administrative timeout in the GUI does not limit access from the same browser. Disconnect the browser when not at the workstation.
In certain situations the GUI does not report errors when trying to delete an object referenced by another object. This situation usually results in silent failure. However, be aware that the GUI allows you to delete a certificate referenced by a certificate group.
The GUI caches certain items and can misrepresent the state of the actual device in certain circumstances, such as when the device is rebooted without saving changes. To obtain the current device state, force a full page refresh by holding SHIFT while clicking the Refresh button.
Once Web management is enabled, it is always accessible via the "Server" port (two-port mode) or the "Network" port (one-port mode) even if SSL client-side access has been configured. Use an access list to prevent unwanted access.
Assigning a Web management access list to the device completely prevents HTTPS access from the GUI. Setting the following access list allows HTTPS access to the GUI from any IP address:
access-list 10 permit 127.0.0.1 0.0.0.0
web-mgmt access-list 10
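To make the effect of that entry concrete, the following Python sketch (an added example, not Cisco code) evaluates standard access lists with Cisco wildcard-mask semantics. It assumes, consistently with the note but not stated there, that the HTTPS side of the GUI hands connections to the Web management listener from the loopback address, so an access list written for a management subnet blocks HTTPS management entirely while the 127.0.0.1 entry permits it from any browser.

```python
import ipaddress

# Standard-ACL semantics as used on the note's "access-list 10 permit ..." line:
# a wildcard mask is the inverse of a subnet mask, 0 bits must match, 1 bits are ignored;
# the first matching entry decides; an implicit "deny any" ends every list.

def wildcard_match(addr, network, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF  # bits that must be equal
    return (a & keep) == (n & keep)


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny <addr> [wildcard]' lines into {n: [(action, net, wild)]}."""
    acl = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        num, action, net = parts[1], parts[2], parts[3]
        wild = parts[4] if len(parts) > 4 else "0.0.0.0"  # no mask means a single host
        if net == "any":
            net, wild = "0.0.0.0", "255.255.255.255"
        acl.setdefault(num, []).append((action, net, wild))
    return acl


def acl_permits(entries, src):
    for action, net, wild in entries:
        if wildcard_match(src, net, wild):
            return action == "permit"
    return False  # implicit deny


# The note's own list, and a constructed list that tries to limit Web management to a subnet.
PAGE_ACL = ["access-list 10 permit 127.0.0.1 0.0.0.0"]
SUBNET_ACL = ["access-list 20 permit 10.1.1.0 0.0.0.255"]  # constructed example

# Assumption (not stated on the page, but consistent with it): the HTTPS side of the GUI hands
# connections to the Web management listener from the loopback address, so that listener
# evaluates 127.0.0.1 rather than the browser's address.
HTTPS_INTERNAL_SOURCE = "127.0.0.1"


def https_gui_permitted(acl_lines, number):
    return acl_permits(parse_acl(acl_lines)[number], HTTPS_INTERNAL_SOURCE)


def http_gui_permitted(acl_lines, number, client_ip):
    return acl_permits(parse_acl(acl_lines)[number], client_ip)
```

With the subnet list, plain HTTP management is limited to 10.1.1.0/24 but HTTPS management is denied; with the note's loopback list, HTTPS is permitted regardless of the browser's address.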
CLI Notes
The copy to startup-configuration command replaces the startup-configuration. The keys and passwords still exist unless they have been deleted or erased.
Erasing the running-configuration of a device using the CLI disconnects any remote configuration manager, GUI, or telnet sessions from the device. To continue configuration, reconnect to the device.
The custom completer completes previously created objects with the word "create" if TAB is pressed after the full name is typed. To edit an existing object, ensure "create" is not part of the command.
When writing configuration files to the running configuration, the new configuration file appends to the existing configuration rather than replacing it. In the process of recreating existing configuration information, some errors will be displayed. These can be ignored safely.
When trying to clear a current management session, an appropriate error message is displayed. However, the message sent to the message buffer might be misleading and can be safely ignored.
The on prefix will not change if you change the hostname of the referenced device. You must change the on prefix manually.
SNMP Notes
The factory-set default SNMP community is "public"; however, "public" is not listed in the configuration. The behavior of setting and resetting the SNMP community is demonstrated in the table below.
|Command|SNMP community is set to...|SNMP community in configuration is...|
|snmp default community XYZ|XYZ|XYZ|
|no snmp default community|XYZ|No default community listed|
|snmp default community public|public|public|
Syslog Usage Notes
The SSL device syslog implementation for firmware 3.2 and below supports only "kern" facility logging. A future release will offer "local" and custom facility support. The following are example syslogd.conf settings; separate the selector from the log file with whitespace (traditionally a tab), and note that a priority selector such as kern.warn matches that level and every more severe level:
kern.debug	/var/log/ssl-debug
kern.info	/var/log/ssl-info
kern.none	/var/log/ssl-none
kern.crit	/var/log/ssl-crit
kern.warn	/var/log/ssl-warn
Or you can use the settings displayed below, which select every facility:
*.debug	/var/log/ssl-debug
*.info	/var/log/ssl-info
*.none	/var/log/ssl-none
*.crit	/var/log/ssl-crit
*.warn	/var/log/ssl-warn
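To see where a given device message actually lands under those settings, here is an added Python routing sketch (not part of the release note or of any syslogd) that applies BSD syslog.conf selector rules to the five kern lines above; the configuration text is the note's, with whitespace separators.

```python
import re

# Severity order used by syslog.conf: index 0 is most severe. A selector such as
# "kern.warn" matches warning and everything more severe (emerg..warning).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# The five lines from the note, with a tab between selector and log file.
PAGE_CONF = (
    "kern.debug\t/var/log/ssl-debug\n"
    "kern.info\t/var/log/ssl-info\n"
    "kern.none\t/var/log/ssl-none\n"
    "kern.crit\t/var/log/ssl-crit\n"
    "kern.warn\t/var/log/ssl-warn\n"
)


def level_index(name):
    return LEVELS.index(ALIASES.get(name, name))


def parse_conf(text):
    """Return [(selectors, target)] where selectors is [(facility, level), ...]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, target = re.split(r"\s+", line, maxsplit=1)
        sel = [tuple(part.split(".", 1)) for part in selector.split(";")]
        rules.append((sel, target))
    return rules


def selected(sel, facility, level):
    """BSD semantics: selectors on one line apply left to right, later ones override."""
    hit = False
    for fac, lvl in sel:
        if fac not in ("*", facility):
            continue
        if lvl == "none":
            hit = False
        elif lvl == "*" or level_index(level) <= level_index(lvl):
            hit = True
        else:
            hit = False
    return hit


def route(conf_text, facility, level):
    """List the log files a message with this facility and level would be written to."""
    return [target for sel, target in parse_conf(conf_text) if selected(sel, facility, level)]


if __name__ == "__main__":
    for lvl in ("crit", "info", "debug"):
        print(lvl, "->", route(PAGE_CONF, "kern", lvl))
```

A critical message is written to four of the five files and ssl-none receives nothing, so the per-level files overlap rather than partition the device's log; only ssl-debug holds the complete record.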
Linux-Specific Issues
Using ^C to abort the QuickStart wizard may not work if the intr char is not set to ^C. Check the intr char using the command stty -a at the Linux prompt, and use this key combination to abort the QuickStart wizard.
While using the monitor command only the Enter key will abort the display.
Solaris-Specific Issues
The remote configuration manager will not run using the sh shell.
While using the monitor command only the Enter key will abort the display.
Windows NT 4.0-Specific Issues
The arrow keys on the Windows NT 4.0 default telnet client when accessing the CLI do not behave as expected. To scroll through the command history, use CTRL-N and CTRL-P.
Pasting certificates or keys using the default Windows NT telnet client may fail. This may be the result of the Return character at the end of each line in the file. If you open the file with Notepad and see black boxes at the end of each line, delete them and replace them with carriage returns using the Enter key. The file should load after this.
CCIP, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0201R)