show security

show security [fips-mode | python | tpm]

Description

Use this command to show FIPS mode, Trusted Platform Module (TPM), and external Python scripting support status.

Syntax Description

fips-mode    Shows specifically FIPS mode status.
python       Shows specifically external Python scripting support status.
tpm          Shows specifically X.509 certificates stored in the switch's TPM chip.

Default

N/A

Usage Guidelines

If you select neither keyword option (FIPS/Python), you see status information for both.

For both FIPS mode and Python, two values appear:
  • Current—shows the currently active setting.
  • Configured—shows the setting that only takes effect after reboot.

If you select the tpm keyword and one of the available certificate options, the command displays the X.509 certificates that are provisioned in the TPM hardware: the Endorsement Key (EK), the Initial Attestation Key (IAK), and the Initial Device Identifier (IDevID) certificates. The EK is provisioned and signed by the TPM manufacturer, and the IAK and IDevID are provisioned and signed by Extreme Networks.

If the text option is not specified, the certificate's PEM data is displayed. If the text option is specified, a human-readable version of the certificate is displayed.

Note

These certificates are informational only and currently not used.

Example

The following example shows both FIPS and Python scripting status:

# show security 
FIPS Mode (current)    : Off
FIPS Mode (configured) : On
Python (current)       : Off
Python (configured)    : On

The following example shows only Python scripting status:

# show security python 
Python (current)       : Off
Python (configured)    : Off
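
The Current and Configured values can be compared in a compliance check. The following is an added example, not part of the Extreme Networks documentation: it parses the output format shown above and reports settings that change at the next reboot. The function names and the policy (FIPS required, external Python scripting not allowed) are assumptions.

```python
import re

# Constructed input: the first `show security` example output from this page.
SAMPLE = """\
FIPS Mode (current)    : Off
FIPS Mode (configured) : On
Python (current)       : Off
Python (configured)    : On
"""

LINE = re.compile(r"^(FIPS Mode|Python) \((current|configured)\)\s*:\s*(On|Off)$")

def parse_show_security(text):
    """Return {feature: {"current": bool, "configured": bool}} for lines present."""
    state = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            feature, which, value = m.groups()
            state.setdefault(feature, {})[which] = value == "On"
    return state

def audit(text, require_fips=True, allow_python=False):
    """List reboot-pending changes and deviations from the assumed policy."""
    state, findings = parse_show_security(text), []
    for feature, s in state.items():
        if len(s) != 2:
            findings.append(f"{feature}: incomplete output")
        elif s["current"] != s["configured"]:
            target = "On" if s["configured"] else "Off"
            findings.append(f"{feature}: switches to {target} at next reboot")
    # Policy checks apply only to features present in the output, so the
    # output of `show security python` alone is not reported as missing FIPS.
    fips, python = state.get("FIPS Mode"), state.get("Python")
    if require_fips and fips and not fips.get("current"):
        findings.append("FIPS Mode: not active now")
    if not allow_python and python and any(python.values()):
        findings.append("Python: external scripting active or pending")
    return findings
```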

Example

The following example shows the TPM certificate options:

# show security tpm certificate 
  ek              Endorsement Key certificate
  iak             Initial Attestation Key certificate
  idevid          Initial Device Identifier certificate

Example

The following is an example EK certificate with both RSA and ECC keys:

# show security tpm certificate ek 

[Endorsement Key RSA Certificate]

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


[Endorsement Key ECC Certificate]

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Example

The following example shows the EK certificates, with both RSA and ECC keys, displayed with the human-readable text option:

# show security tpm certificate ek text 

[Endorsement Key RSA Certificate]

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 636778810 (0x25f4793a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, O=Infineon Technologies AG, OU=OPTIGA(TM), CN=Infineon OPTIGA(TM) TPM 2.0 RSA CA 042
        Validity
            Not Before: Sep  3 08:39:13 2019 GMT
            Not After : Sep  3 08:39:13 2034 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:99:4d:39:f1:be:d9:61:99:20:02:cd:5d:8d:
                    ea:18:55:e1:54:18:14:22:d4:27:b4:c7:76:e3:01:
                    0a:a5:ed:25:ba:61:b7:89:b5:96:7c:9a:3f:26:58:
                    43:68:50:ee:d7:df:59:81:34:00:5f:d3:8d:08:38:
                    14:6a:f9:f8:6a:69:29:4a:33:45:00:8b:0c:e0:49:
                    98:ea:16:e4:06:2d:d6:6c:bf:76:8a:d6:0f:3d:78:
                    a1:5a:05:1c:d9:51:fa:87:e1:b1:dc:ab:35:3a:74:
                    d0:50:f9:98:fa:22:94:dd:d0:ab:92:c6:5d:73:3e:
                    a0:b0:04:43:b7:f5:29:d4:b6:36:a5:39:e7:bb:da:
                    a6:87:79:7a:92:e8:63:e2:a0:db:1e:25:29:c7:39:
                    83:08:df:ac:cc:e0:95:73:27:8a:d3:af:5e:c9:7f:
                    e8:ec:d5:59:e9:6a:08:42:3b:33:75:6f:2a:4b:ec:
                    3c:b3:82:76:d6:9f:6b:25:2f:1b:e8:37:ff:b4:fb:
                    48:35:93:31:1c:94:fa:12:fe:77:df:4f:6a:b8:1a:
                    7a:2f:a6:61:b0:3c:73:7c:8b:43:9e:ac:22:b0:5e:
                    4b:a8:ee:90:23:bd:9f:50:d3:ef:b4:ea:28:0c:88:
                    07:84:1e:1b:a2:eb:60:b1:53:c6:e4:74:47:dd:20:
                    d7:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access: 
                CA Issuers - URI:http://pki.infineon.com/OptigaRsaMfrCA042/OptigaRsaMfrCA042.crt

            X509v3 Key Usage: critical
                Key Encipherment
            X509v3 Subject Alternative Name: critical
                DirName:/2.23.133.2.1=id:49465800/2.23.133.2.2=SLB 9670 TPM2.0/2.23.133.2.3=id:0755
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://pki.infineon.com/OptigaRsaMfrCA042/OptigaRsaMfrCA042.crl

            X509v3 Certificate Policies: 
                Policy: 1.2.276.0.68.1.20.1

            X509v3 Authority Key Identifier: 
                keyid:5D:08:15:95:1F:5F:60:63:8A:69:E7:25:2F:3E:C4:BE:CD:75:54:B2

            X509v3 Extended Key Usage: 
                2.23.133.8.1
            X509v3 Subject Directory Attributes: 
                0.0...g....1.0...2.0.......
    Signature Algorithm: sha256WithRSAEncryption
         4f:b7:e1:12:55:dc:30:84:e6:b0:5e:a9:0b:6c:6d:af:2b:33:
         22:ed:86:ab:be:a5:f3:e7:c3:a2:23:88:9b:c4:2f:bd:cd:a9:
         0f:80:4a:e6:2f:94:b6:30:96:53:07:c9:c4:1f:6f:f3:ab:52:
         b3:d1:6f:87:63:d6:98:2d:fa:93:9f:3e:1a:4c:ff:d3:8c:81:
         96:bd:79:bc:b7:20:9e:41:2b:df:c7:45:2a:be:0f:91:05:0b:
         91:b8:8a:b7:51:40:4c:f3:1b:6e:3f:4d:63:8c:49:94:bc:70:
         39:c4:ec:af:39:f4:12:40:aa:2d:48:95:0d:41:f7:a2:13:29:
         8d:03:29:20:a2:ff:cd:2f:ed:fd:a8:80:52:c3:90:f2:9a:37:
         70:d9:2e:3e:ff:e1:52:02:b3:84:f3:c4:b4:a5:29:21:5c:e5:
         34:b6:ad:9b:3d:39:d8:de:64:a9:a6:e3:77:81:30:0c:b9:17:
         ac:35:68:38:84:7c:49:15:9a:f3:11:c1:18:1c:53:93:0a:80:
         82:ff:d4:56:09:7a:90:31:74:26:cb:5e:0e:f1:ff:fe:85:39:
         f8:c6:c0:c7:d3:d6:42:fd:dc:75:d4:20:71:98:8a:78:ed:6a:
         34:73:1b:d1:38:f8:15:11:2e:99:1c:3b:2e:5d:50:6f:7f:e1:
         52:42:07:d1

   
[Endorsement Key ECC Certificate]

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1187607349 (0x46c97335)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=DE, O=Infineon Technologies AG, OU=OPTIGA(TM), CN=Infineon OPTIGA(TM) TPM 2.0 ECC CA 042
        Validity
            Not Before: Sep  3 08:38:53 2019 GMT
            Not After : Sep  3 08:38:53 2034 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:02:db:88:7b:02:04:f4:64:bf:f0:3a:0c:0d:fb:
                    8e:d1:f0:d2:61:4d:d7:51:9f:2a:e8:6b:5b:24:ff:
                    1f:e6:e2:62:dd:11:7a:86:0f:bf:75:dd:3b:7f:77:
                    d4:21:18:07:ce:a1:49:20:22:c3:95:2c:d7:f0:e1:
                    fc:b4:64:d3:ef
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access: 
                CA Issuers - URI:http://pki.infineon.com/OptigaEccMfrCA042/OptigaEccMfrCA042.crt

            X509v3 Key Usage: critical
                Key Agreement
            X509v3 Subject Alternative Name: critical
                DirName:/2.23.133.2.1=id:49465800/2.23.133.2.2=SLB 9670 TPM2.0/2.23.133.2.3=id:0755
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://pki.infineon.com/OptigaEccMfrCA042/OptigaEccMfrCA042.crl

            X509v3 Certificate Policies: 
                Policy: 1.2.276.0.68.1.20.1

            X509v3 Authority Key Identifier: 
                keyid:B1:1F:33:CC:A6:06:56:BA:25:9C:2E:90:5A:3B:54:3F:52:44:97:91

            X509v3 Extended Key Usage: 
                2.23.133.8.1
            X509v3 Subject Directory Attributes: 
                0.0...g....1.0...2.0.......
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:bf:ff:df:e8:a7:23:04:20:fe:03:a1:71:6a:
         2d:4f:2d:85:69:0f:0d:76:96:03:8b:82:d8:3e:d1:70:22:95:
         e9:02:21:00:c7:69:ba:43:8a:08:bd:fd:04:23:02:aa:cc:3e:
         bc:e2:49:1e:cd:ca:2e:6e:b9:bf:29:b6:a2:6a:05:00:e3:1f
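
The text output above carries the fields that mark a certificate as a TPM Endorsement Key certificate: the TCG attributes in the Subject Alternative Name (manufacturer, model, version), the EK Extended Key Usage OID 2.23.133.8.1, CA:FALSE, and a Key Usage of Key Encipherment (RSA) or Key Agreement (ECC). The following is an added example, not part of the Extreme Networks documentation, that extracts and checks those fields from the text form. The function names are hypothetical and the input is an excerpt of the output above.

```python
import re

# TCG-assigned OIDs in the output above: tpmManufacturer, tpmModel, tpmVersion.
TCG_SAN_ATTRS = {"2.23.133.2.1": "manufacturer", "2.23.133.2.2": "model",
                 "2.23.133.2.3": "version"}
TCG_KP_EK_CERTIFICATE = "2.23.133.8.1"

# Constructed input: lines excerpted from the RSA EK text output above.
SAMPLE = """\
            X509v3 Key Usage: critical
                Key Encipherment
            X509v3 Subject Alternative Name: critical
                DirName:/2.23.133.2.1=id:49465800/2.23.133.2.2=SLB 9670 TPM2.0/2.23.133.2.3=id:0755
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                2.23.133.8.1
"""

def _after(header, text):
    """Return the value line that follows an extension header, or ''."""
    m = re.search(re.escape(header) + r"[^\n]*\n\s*([^\n]+)", text)
    return m.group(1).strip() if m else ""

def parse_ek_text(text):
    """Extract the fields that identify a TPM EK certificate."""
    san = _after("Subject Alternative Name", text)
    info = {TCG_SAN_ATTRS[oid]: val.strip()
            for oid, val in re.findall(r"/([\d.]+)=([^/\n]+)", san)
            if oid in TCG_SAN_ATTRS}
    # Manufacturer is "id:" + the 4-byte vendor ID in hex (ASCII, NUL padded).
    if info.get("manufacturer", "").startswith("id:"):
        vendor = bytes.fromhex(info["manufacturer"][3:])
        info["manufacturer"] = vendor.decode("ascii").rstrip("\x00")
    info["key_usage"] = _after("X509v3 Key Usage", text)
    info["not_ca"] = _after("Basic Constraints", text) == "CA:FALSE"
    info["ek_eku"] = TCG_KP_EK_CERTIFICATE in _after("Extended Key Usage", text)
    return info

def check_ek(text):
    """Return a list of problems; empty means the fields match an EK cert."""
    info = parse_ek_text(text)
    checks = [
        (info["ek_eku"], "EKU lacks tcg-kp-EKCertificate"),
        (info["not_ca"], "Basic Constraints is not CA:FALSE"),
        (info["key_usage"] in ("Key Encipherment", "Key Agreement"), "unexpected Key Usage"),
        (info.keys() >= {"manufacturer", "model", "version"}, "SAN lacks TPM attributes"),
    ]
    return [msg for ok, msg in checks if not ok]
```

These are field checks only; trusting an EK certificate also requires validating its signature chain to the TPM manufacturer's CA named in the Issuer field.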

History

This command was first available in ExtremeXOS 21.1.

External Python scripting support status was added in ExtremeXOS 32.2.

The tpm option was added in ExtremeXOS 31.5.

Platform Availability

This command is available on ExtremeSwitching 5320, 5420, 5520, and 5720 series switches.