Contents
- Implementing Keychain Management
- Prerequisites for Configuring Keychain Management
- Restrictions for Implementing Keychain Management
- Information About Implementing Keychain Management
- Lifetime of a Key
- How to Implement Keychain Management
- Configuring a Keychain
- Configuring a Tolerance Specification to Accept Keys
- Configuring a Key Identifier for the Keychain
- Configuring the Text for the Key String
- Determining the Valid Keys
- Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic
- Configuring the Cryptographic Algorithm
- Configuration Examples for Implementing Keychain Management
- Configuring Keychain Management: Example
- Additional References
Implementing Keychain Management
This module describes how to implement keychain management on Cisco IOS XR software. Keychain management is a common method of authentication: shared secrets, such as keys, are configured on all entities that exchange them before those entities establish trust with each other. Routing protocols and network management applications on Cisco IOS XR software often use authentication to enhance security while communicating with peers.
- Prerequisites for Configuring Keychain Management
- Restrictions for Implementing Keychain Management
- Information About Implementing Keychain Management
- How to Implement Keychain Management
- Configuration Examples for Implementing Keychain Management
- Additional References
Prerequisites for Configuring Keychain Management
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Restrictions for Implementing Keychain Management
You must be aware that changing the system clock impacts the validity of the keys in the existing configuration.
Information About Implementing Keychain Management
The keychain by itself has no relevance; it must be used by an application that needs to authenticate to its peers by using the keys. The keychain provides a secure mechanism to handle the keys and to roll them over based on their lifetimes. Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), and Intermediate System-to-Intermediate System (IS-IS) use the keychain to implement a hitless key rollover for authentication. BGP uses TCP authentication, which enables the authentication option and sends the Message Authentication Code (MAC) based on the cryptographic algorithm configured for the keychain. For information about BGP, OSPF, and IS-IS keychain configurations, see Cisco IOS XR Routing Configuration Guide for the Cisco CRS Router.
To implement keychain management, you must understand the concept of key lifetime, which is explained in the next section.
Lifetime of a Key
If you are using keys as the security method, you must specify a lifetime for each key and change the keys on a regular basis as they expire. To maintain stability, each party must be able to store and use more than one key for an application at the same time. A keychain is a sequence of keys that are collectively managed for authenticating the same peer, peer group, or both.
Keychain management groups a sequence of keys together under a keychain and associates each key in the keychain with a lifetime.
Note
Any key that is configured without a lifetime is considered invalid; therefore, the key is rejected during configuration.
The lifetime of a key is defined by the following options:
Start-time—Specifies the absolute time at which the key becomes valid.
End-time—Specifies when the key stops being valid: an absolute time, a duration relative to the start-time, or infinite.
Each key definition within the keychain must specify the time interval for which that key is activated, that is, its lifetime. During a given key's lifetime, routing update packets are sent with this activated key. Keys cannot be used during time periods for which they are not activated. Therefore, we recommend that for a given keychain, key activation times overlap to avoid any period of time for which no key is activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur; therefore, routing updates can fail.
Multiple keychains can be specified.
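The following Python model is added here and is not part of the Cisco documentation or of IOS XR; it shows the key selection that the lifetime rules above imply, together with the accept-tolerance configured in a later procedure: send-lifetime chooses the key that signs outbound traffic, accept-lifetime (widened by the tolerance) chooses the keys that may verify inbound traffic, and overlapping lifetimes give a hitless rollover while a gap leaves no key to sign. Assumptions: the tolerance widens both ends of the accept window, accept-tolerance infinite accepts every key regardless of lifetime, and key 9, the end date of key 8, and the payload are constructed sample values.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

INFINITE = None  # constructed sentinel for "infinite" (end-time or accept-tolerance)

def _t(iso):  # ISO-8601 string -> datetime; INFINITE passes through unchanged
    return INFINITE if iso is INFINITE else datetime.fromisoformat(iso)

class Key:
    """One keychain key: id, key-string, send-lifetime and accept-lifetime windows."""
    def __init__(self, key_id, key_string, send_start, send_end, accept_start, accept_end):
        self.key_id, self.key_string = key_id, key_string.encode()
        self.send = (_t(send_start), _t(send_end))        # end may be INFINITE
        self.accept = (_t(accept_start), _t(accept_end))

def in_window(window, now, tolerance=0):
    """True if now lies in [start - tolerance, end + tolerance] (tolerance in
    seconds). Assumption: an INFINITE tolerance widens the window without bound."""
    if tolerance is INFINITE:
        return True
    start, end = window
    slack = timedelta(seconds=tolerance)
    return now >= start - slack and (end is INFINITE or now <= end + slack)

def send_key(keys, now):
    """Lowest-id key whose send-lifetime covers `now`; None means a coverage gap."""
    active = [k for k in keys if in_window(k.send, _t(now))]
    return min(active, key=lambda k: k.key_id) if active else None

def accept_keys(keys, now, tolerance=0):
    """Keys allowed to verify inbound traffic: accept-lifetime widened by tolerance."""
    return [k for k in keys if in_window(k.accept, _t(now), tolerance)]

def mac(key, payload):
    """HMAC-MD5 digest, the cryptographic-algorithm used in the page's example."""
    return hmac.new(key.key_string, payload, hashlib.md5).hexdigest()

def verify(keys, now, tolerance, payload, received_mac):
    """Hitless rollover: valid if any currently accepted key reproduces the MAC."""
    return any(hmac.compare_digest(mac(k, payload), received_mac)
               for k in accept_keys(keys, now, tolerance))

# Constructed keychain: key 8 keeps the page's start date and is given an end;
# key 9 starts one day before key 8 ends, so the lifetimes overlap with no gap.
KEYCHAIN = [
    Key(8, "mykey91abcd", "2006-06-29T01:00", "2007-01-01T00:00",
        "2006-06-29T01:00", "2007-01-01T00:00"),
    Key(9, "key9-constructed", "2006-12-31T00:00", INFINITE,
        "2006-12-31T00:00", INFINITE),
]
```

A peer whose clock runs a little behind keeps signing with key 8 for a few minutes after its end-time; a receiver with accept-tolerance 0 rejects those updates, while a receiver with a tolerance of 3600 seconds still accepts them.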
How to Implement Keychain Management
This section contains the following procedures:
- Configuring a Keychain
- Configuring a Tolerance Specification to Accept Keys
- Configuring a Key Identifier for the Keychain
- Configuring the Text for the Key String
- Determining the Valid Keys
- Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic
- Configuring the Cryptographic Algorithm
Configuring a Keychain
SUMMARY STEPS
1. configure
2. key chain key-chain-name
3. Use one of the following commands: end or commit
4. show key chain key-chain-name
DETAILED STEPS
Step 1: configure
Example: RP/0/RP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2: key chain key-chain-name
Example: RP/0/RP0/CPU0:router(config)# key chain isis-keys
Purpose: Creates a name for the keychain.
Step 3: Use one of the following commands: end or commit
Example: RP/0/RP0/CPU0:router(config)# end
or
RP/0/RP0/CPU0:router(config)# commit
Purpose: Saves configuration changes. When you issue the end command, the system prompts you to commit changes; use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 4: show key chain key-chain-name
Example: RP/0/RP0/CPU0:router# show key chain isis-keys
Purpose: Displays the keychain configuration.
What to Do Next
After completing keychain configuration, see the Configuring a Tolerance Specification to Accept Keys section.
Configuring a Tolerance Specification to Accept Keys
This task configures the tolerance specification to accept keys for a keychain to facilitate a hitless key rollover for applications, such as routing and management protocols.
SUMMARY STEPS
1. configure
2. key chain key-chain-name
3. accept-tolerance value [infinite]
4. Use one of the following commands: end or commit
DETAILED STEPS
Step 1: configure
Example: RP/0/RP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2: key chain key-chain-name
Example: RP/0/RP0/CPU0:router(config)# key chain isis-keys
Purpose: Creates a name for the keychain.
Step 3: accept-tolerance value [infinite]
Example: RP/0/RP0/CPU0:router(config-isis-keys)# accept-tolerance infinite
Purpose: Configures a tolerance value to accept keys for the keychain.
Step 4: Use one of the following commands: end or commit
Example: RP/0/RP0/CPU0:router(config)# end
or
RP/0/RP0/CPU0:router(config)# commit
Purpose: Saves configuration changes.
When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring a Key Identifier for the Keychain
This task configures a key identifier for the keychain. You can create or modify the key for the keychain.
SUMMARY STEPS
1. configure
2. key chain key-chain-name
3. key key-id
4. Use one of the following commands: end or commit
DETAILED STEPS
Step 1: configure
Example: RP/0/RP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2: key chain key-chain-name
Example: RP/0/RP0/CPU0:router(config)# key chain isis-keys
Purpose: Creates a name for the keychain.
Step 3: key key-id
Example: RP/0/RP0/CPU0:router(config-isis-keys)# key 8
Purpose: Creates a key for the keychain. The key ID number is translated from decimal to hexadecimal to create the command mode subprompt.
Step 4: Use one of the following commands: end or commit
Example: RP/0/RP0/CPU0:router(config)# end
or
RP/0/RP0/CPU0:router(config)# commit
Purpose: Saves configuration changes.
When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
What to Do Next
After configuring a key identifier for the keychain, see the Configuring the Text for the Key String section.
Configuring the Text for the Key String
SUMMARY STEPS
1. configure
2. key chain key-chain-name
3. key key-id
4. key-string [clear | password] key-string-text
5. Use one of the following commands: end or commit
DETAILED STEPS
Step 1: configure
Example: RP/0/RP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2: key chain key-chain-name
Example: RP/0/RP0/CPU0:router(config)# key chain isis-keys
Purpose: Creates a name for the keychain.
Step 3: key key-id
Example: RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)#
Purpose: Creates a key for the keychain.
Step 4: key-string [clear | password] key-string-text
Example: RP/0/RP0/CPU0:router(config-isis-keys-0x8)# key-string password 8
Purpose: Specifies the text string for the key.
Step 5: Use one of the following commands: end or commit
Example: RP/0/RP0/CPU0:router(config)# end
or
RP/0/RP0/CPU0:router(config)# commit
Purpose: Saves configuration changes.
When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
What to Do Next
After configuring the text for the key string, see the Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic section.
Determining the Valid Keys
SUMMARY STEPS
1. configure
2. key chain key-chain-name
3. key key-id
4. accept-lifetime start-time [duration duration-value | infinite | end-time]
5. Use one of the following commands: end or commit
DETAILED STEPS
Step 1: configure
Example: RP/0/RP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2: key chain key-chain-name
Example: RP/0/RP0/CPU0:router(config)# key chain isis-keys
Purpose: Creates a name for the keychain.
Step 3: key key-id
Example: RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)#
Purpose: Creates a key for the keychain.
Step 4: accept-lifetime start-time [duration duration-value | infinite | end-time]
Example: RP/0/RP0/CPU0:router(config-isis-keys-0x8)# accept-lifetime 1:00:00 october 24 2005 infinite
Purpose: (Optional) Specifies the validity of the key lifetime in terms of clock time.
Step 5: Use one of the following commands: end or commit
Example: RP/0/RP0/CPU0:router(config)# end
or
RP/0/RP0/CPU0:router(config)# commit
Purpose: Saves configuration changes.
When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic
This task configures the keys used to generate the authentication digest for the outbound application traffic.
SUMMARY STEPS
1. configure
2. key chain key-chain-name
3. key key-id
4. send-lifetime start-time [duration duration-value | infinite | end-time]
5. Use one of the following commands: end or commit
DETAILED STEPS
Step 1: configure
Example: RP/0/RP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2: key chain key-chain-name
Example: RP/0/RP0/CPU0:router(config)# key chain isis-keys
Purpose: Creates a name for the keychain.
Step 3: key key-id
Example: RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)#
Purpose: Creates a key for the keychain.
Step 4: send-lifetime start-time [duration duration-value | infinite | end-time]
Example: RP/0/RP0/CPU0:router(config-isis-keys-0x8)# send-lifetime 1:00:00 october 24 2005 infinite
Purpose: (Optional) Specifies the time period during which an authentication key on a keychain is valid to be sent. You can specify the validity of the key lifetime in terms of clock time.
In addition, you can specify a start-time value and one of the following values:
- duration duration-value: the key remains valid for the specified duration after the start-time.
- infinite: the key never stops being valid.
- end-time: the absolute time at which the key stops being valid.
If you intend to set lifetimes on keys, Network Time Protocol (NTP) or some other time synchronization method is recommended.
Step 5: Use one of the following commands: end or commit
Example: RP/0/RP0/CPU0:router(config)# end
or
RP/0/RP0/CPU0:router(config)# commit
Purpose: Saves configuration changes.
When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring the Cryptographic Algorithm
SUMMARY STEPS
1. configure
2. key chain key-chain-name
3. key key-id
4. cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1]
5. Use one of the following commands: end or commit
DETAILED STEPS
Step 1: configure
Example: RP/0/RP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2: key chain key-chain-name
Example: RP/0/RP0/CPU0:router(config)# key chain isis-keys
RP/0/RP0/CPU0:router(config-isis-keys)#
Purpose: Creates a name for the keychain.
Step 3: key key-id
Example: RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)#
Purpose: Creates a key for the keychain.
Step 4: cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1]
Example: RP/0/RP0/CPU0:router(config-isis-keys-0x8)# cryptographic-algorithm MD5
Purpose: Specifies the choice of the cryptographic algorithm. You can choose from the following list of algorithms:
- HMAC-MD5
- HMAC-SHA1-12
- HMAC-SHA1-20
- MD5
- SHA-1
The routing protocols each support a different subset of these cryptographic algorithms; the set supported by BGP, OSPF, and IS-IS is documented with each protocol's keychain configuration in Cisco IOS XR Routing Configuration Guide for the Cisco CRS Router.
Step 5: Use one of the following commands: end or commit
Example: RP/0/RP0/CPU0:router(config)# end
or
RP/0/RP0/CPU0:router(config)# commit
Purpose: Saves configuration changes.
When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuration Examples for Implementing Keychain Management
This section provides the following configuration example:
Configuring Keychain Management: Example
The following example shows how to configure keychain management:
configure
key chain isis-keys
accept-tolerance infinite
key 8
key-string mykey91abcd
cryptographic-algorithm MD5
send-lifetime 1:00:00 june 29 2006 infinite
accept-lifetime 1:00:00 june 29 2006 infinite
end
Uncommitted changes found, commit them? [yes]: yes
show key chain isis-keys
Key-chain: isis-keys/ -
accept-tolerance -- infinite
Key 8 -- text "1104000E120B520005282820"
cryptographic-algorithm -- MD5
Send lifetime: 01:00:00, 29 Jun 2006 - Always valid [Valid now]
Accept lifetime: 01:00:00, 29 Jun 2006 - Always valid [Valid now]
Additional References
MIBs
MIBs: — (none listed for this feature)
MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml