Tcl Script-Failure Scenario
If the script has been modified, signature verification detects the change and prevents the script from executing.
The following example shows that the script was modified and consequently forbidden from being executed.
The first line of the script has been changed from "puts hello" to "puts hellox," and the file has been copied to the IOS device as myscript-changed1char.tcl. Attempting to run the script elicits the following response:
PE11#tclsh disk0:myscript-changed1char.tcl
Invalid Signature
PE11#
*May 28 19:45:28.115: %SYS-6-SCRIPTING_TCL_INVALID_OR_MISSING_SIGNATURE: tcl signing validation failed on script signed with trustpoint name TCLSecurity, cannot run the signed TCL script.
As you can see from the preceding output, Tcl script security is a valuable feature for protecting the contents of a Tcl script. If any portion of the script has been modified by anyone between the time the script was signed and the time it is run on the router, the change is detected and the script is forbidden from executing.
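The following is an added example, not code from the book or from Cisco, that illustrates the general sign-then-verify-before-execute pattern the preceding scenario shows one instance of. It does not reproduce the IOS signed-Tcl trailer format or its certificate-based check; as a stand-in it appends an HMAC-SHA256 trailer (a keyed digest with a shared key, an assumption made for this demo) and refuses to hand back the script body if even one character of it changed, which is exactly what happens to myscript-changed1char.tcl above.

```python
import hashlib
import hmac

# Trailer marker used by this example only (an assumption for the demo; the
# real IOS signature trailer is not reproduced here).
TRAILER_PREFIX = "# Script-Signature-HMAC-SHA256: "


def sign_script(script: str, key: bytes) -> str:
    """Append a signature trailer that covers every byte of the script body."""
    body = script if script.endswith("\n") else script + "\n"
    digest = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return body + TRAILER_PREFIX + digest + "\n"


def split_signed(signed: str):
    """Return (body, signature_hex); raise ValueError if the trailer is absent."""
    lines = signed.splitlines(keepends=True)
    if not lines or not lines[-1].startswith(TRAILER_PREFIX):
        raise ValueError("Invalid Signature: missing signature trailer")
    body = "".join(lines[:-1])
    signature = lines[-1][len(TRAILER_PREFIX):].strip()
    return body, signature


def verify_script(signed: str, key: bytes) -> bool:
    """True only if the trailer matches the body exactly as it was signed."""
    try:
        body, signature = split_signed(signed)
    except ValueError:
        return False
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, signature)


def load_script(signed: str, key: bytes) -> str:
    """Gatekeeper an interpreter would call: return the body or refuse to run."""
    if not verify_script(signed, key):
        raise ValueError("Invalid Signature")
    return split_signed(signed)[0]


# Constructed demo input: a two-line script and a demo-only signing key.
DEMO_KEY = b"demo-signing-key-not-for-production"
ORIGINAL_SCRIPT = "puts hello\nputs world\n"


def demo() -> dict:
    """Sign the script, then verify the original, a one-char edit, and a strip."""
    signed = sign_script(ORIGINAL_SCRIPT, DEMO_KEY)
    # Same one-character change as in the scenario: "puts hello" -> "puts hellox".
    changed_one_char = signed.replace("puts hello", "puts hellox", 1)
    # An attacker who simply drops the trailer must also be refused.
    trailer_removed = split_signed(signed)[0]
    return {
        "original_ok": verify_script(signed, DEMO_KEY),
        "changed_one_char_ok": verify_script(changed_one_char, DEMO_KEY),
        "trailer_removed_ok": verify_script(trailer_removed, DEMO_KEY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'runs' if ok else 'Invalid Signature'}")
```

The check is performed over the body exactly as signed, so whitespace, comments and line endings all count: the IOS behaviour above, where a single appended character is enough to block execution, falls out of the same rule. Swapping the HMAC for a certificate-backed signature (as IOS does with its trustpoint) changes who can produce a valid trailer, not the verify-before-run structure.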
For smaller company networks, it might be acceptable to have a network administrator manually install the certificate in all routers that need to run the script. The certificate is copied to local storage such as slot0: or disk0: or any other valid file system attached to the router. Copies of the Tcl script can also be copied to these local storage devices attached to the router.
To deploy scripts in a larger network, take advantage of the capability of IOS software to use a TFTP server as a repository and allow all IOS devices to download Tcl scripts from the TFTP server.