Configuring Keychain Management
This chapter describes how to configure keychain management on an NX-OS device.
This chapter includes the following sections:
•Information About Keychain Management
•Licensing Requirements for Keychain Management
•Prerequisites for Keychain Management
•Guidelines and Limitations
•Configuring Keychain Management
•Where to Go Next
•Field Descriptions for Keychain Management
•Additional References
•Feature History for Keychain Management
Information About Keychain Management
This section includes the following topics:
•Keychains and Keychain Management
•Lifetime of a Key
•Virtualization Support
Keychains and Keychain Management
Keychain management allows you to create and maintain keychains, which are sequences of keys (sometimes called shared secrets). You can use keychains with features that secure communications with other devices by using key-based authentication. The device allows you to configure multiple keychains.
Some routing protocols that support key-based authentication can use a keychain to implement a hitless key rollover for authentication. For more information, see the Cisco DCNM Unicast Routing Configuration Guide, Release 4.1.
Lifetime of a Key
To maintain stable communications, each device that uses a protocol that is secured by key-based authentication must be able to store and use more than one key for a feature at the same time. Based on the send and accept lifetimes of a key, keychain management provides a secure mechanism to handle key rollover. The device uses the lifetimes of keys to determine which keys in a keychain are active.
Each key in a keychain has two lifetimes, as follows:
•Accept lifetime—The time interval within which the device accepts packets from another device that are authenticated with the key.
•Send lifetime—The time interval within which the device uses the key to authenticate the packets that it sends to another device.
You define the send and accept lifetimes of a key using the following parameters:
•Start-time—The absolute time that the lifetime begins.
•End-time—The end time can be defined in one of the following ways:
–The absolute time that the lifetime ends
–The number of seconds after the start time that the lifetime ends
–Infinite lifetime (no end-time)
During a key's send lifetime, the device authenticates the routing update packets that it sends with that key. When a packet authenticated with a key arrives, the receiving device accepts it only if that key is within its accept lifetime on the receiving device; a key that the sender is still entitled to send is rejected if the receiver's accept lifetime for that key has not yet started or has already ended.
We recommend that you configure key lifetimes that overlap within every keychain. This practice avoids failure of neighbor authentication due to the absence of active keys.
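The following Python is an added example, not code from this guide, from DCNM, or from NX-OS. It models the rules of this section: each key carries a send lifetime and an accept lifetime whose end is an absolute time, a duration in seconds after the start, or infinite; the sender picks the key whose send lifetime is active; the receiver accepts a packet only if the named key is inside its own accept lifetime; and a gap check reports any interval with no active key, which is the failure the overlap recommendation above prevents. The keychain name, key IDs, secrets and dates are constructed, the lowest-key-ID tie-break for overlapping send lifetimes is an assumption of this example, and HMAC-SHA256 over the payload stands in for whatever MAC the routing protocol actually computes with the key.

```python
"""Send/accept lifetime evaluation modelled on the rules in this chapter.
Added example, not code from the guide, DCNM or NX-OS. Key IDs, secrets
and timestamps are constructed; HMAC-SHA256 over the payload stands in
for whatever MAC the routing protocol really computes with the key."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


def ts(day: int, hour: int = 0) -> datetime:
    return datetime(2024, 1, day, hour)  # constructed January 2024 timestamps


@dataclass(frozen=True)
class Lifetime:
    """Absolute start; end is absolute, start+duration, or None = infinite."""
    start: datetime
    end: Optional[datetime] = None  # the guide's default for a new key

    @classmethod
    def for_duration(cls, start: datetime, seconds: int) -> "Lifetime":
        return cls(start, start + timedelta(seconds=seconds))

    def contains(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t <= self.end)


@dataclass(frozen=True)
class Key:
    key_id: int        # whole number 0..65535, as the guide requires
    key_string: bytes  # the shared secret (the key's "text")
    accept: Lifetime
    send: Lifetime


@dataclass
class Keychain:
    name: str
    keys: List[Key]

    def send_key(self, now: datetime) -> Optional[Key]:
        """Key for outgoing packets; assumption here: lowest ID wins overlaps."""
        active = [k for k in self.keys if k.send.contains(now)]
        return min(active, key=lambda k: k.key_id) if active else None

    def accept_keys(self, now: datetime) -> List[Key]:
        return [k for k in self.keys if k.accept.contains(now)]

    def sign(self, now: datetime, payload: bytes) -> Optional[Tuple[int, bytes]]:
        """Sender side: (key ID, MAC), or None when no send lifetime is active."""
        k = self.send_key(now)
        if k is None:
            return None  # the outage the overlap recommendation prevents
        return k.key_id, hmac.new(k.key_string, payload, hashlib.sha256).digest()

    def verify(self, now: datetime, payload: bytes, key_id: int, mac: bytes) -> bool:
        """Receiver side: key must be inside THIS device's accept lifetime (a
        clock that disagrees with the peer's rejects a legitimately sent key)."""
        for k in self.accept_keys(now):
            if k.key_id == key_id:
                expected = hmac.new(k.key_string, payload, hashlib.sha256).digest()
                return hmac.compare_digest(expected, mac)
        return False

    def coverage_gaps(self, which: str, start: datetime, end: datetime):
        """Sub-intervals of [start, end] with no active 'send' or 'accept'
        lifetime on any key; an empty list means the lifetimes overlap."""
        spans = sorted((getattr(k, which) for k in self.keys), key=lambda lt: lt.start)
        gaps, cursor = [], start
        for lt in spans:
            if lt.start > cursor:
                gaps.append((cursor, min(lt.start, end)))
            if lt.end is None:
                return gaps  # an infinite lifetime covers everything after it
            cursor = max(cursor, lt.end)
            if cursor >= end:
                return gaps
        gaps.append((cursor, end))
        return gaps


def good_keychain() -> Keychain:
    """Constructed rollover: key 2 is accepted a day before it is first sent,
    key 1 is still accepted a day after it is last sent (all three end forms)."""
    return Keychain("bgp-peers", [
        Key(1, b"old-secret", accept=Lifetime(ts(1), ts(16)),
            send=Lifetime.for_duration(ts(1), 14 * 86400)),  # ends Jan 15
        Key(2, b"new-secret", accept=Lifetime(ts(14)), send=Lifetime(ts(15))),
    ])


def gapped_keychain() -> Keychain:
    """Same, but key 2 is first sent on Jan 16: nothing can be sent on Jan 15."""
    kc = good_keychain()
    kc.keys[1] = Key(2, b"new-secret", accept=Lifetime(ts(14)), send=Lifetime(ts(16)))
    return kc
```

With `good_keychain()`, a packet signed at noon on Jan 15 carries key 2 and verifies on a peer whose clock agrees, but `verify(ts(13, 12), ...)` on a peer running two days slow returns False because key 2's accept lifetime has not started there yet, which is the reason the Guidelines and Limitations warn about changes to the system clock. `gapped_keychain().coverage_gaps("send", ts(1), ts(31))` reports the one-day hole in which `sign()` returns None, the case the overlap recommendation is meant to rule out.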
Virtualization Support
The following information applies to keychains used in Virtual Device Contexts (VDCs):
•Keychains are unique per VDC. You cannot use a keychain that you created in one VDC in a different VDC.
•Because keychains are not shared by VDCs, you can reuse keychain names in different VDCs.
•The device does not limit keychains on a per-VDC basis.
Licensing Requirements for Keychain Management
The following table shows the licensing requirements for this feature:
Prerequisites for Keychain Management
Keychain management has no prerequisites.
Guidelines and Limitations
Keychain management has the following configuration guideline and limitation:
•Changing the system clock affects when keys are active. Send and accept lifetimes are absolute times that each device evaluates against its own clock, so peers whose clocks disagree can fall outside each other's accept lifetimes even when the configured lifetimes overlap.
Configuring Keychain Management
Figure 14-1 shows the Key Chain content pane.
Figure 14-1 Key Chain Content Pane
This section includes the following topics:
•Creating a Keychain
•Removing a Keychain
•Configuring a Key
•Configuring Text for a Key
•Configuring Accept and Send Lifetimes for a Key
Creating a Keychain
You can create a keychain on the device.
BEFORE YOU BEGIN
A new keychain contains no keys. For information about adding a key, see the "Configuring a Key" section.
DETAILED STEPS
To create a keychain, follow these steps:
Step 1 From the Feature Selector pane, choose Routing > Gateway Redundancy > Key Chain.
The available devices appear in the Summary pane.
Step 2 From the Summary pane, click the device that you want to configure with a keychain.
Step 3 From the menu bar, choose Actions > Key Chain.
A new row appears in the Summary pane.
Step 4 Enter a name for the keychain. Valid keychain names are alphanumeric and can be up to 63 characters long.
Step 5 From the menu bar, choose File > Deploy to apply your changes to the device.
Removing a Keychain
You can remove a keychain on the device.
Note Removing a keychain removes any keys within the keychain.
BEFORE YOU BEGIN
If you are removing a keychain, ensure that no feature uses it. If a feature is configured to use a keychain that you remove, that feature is likely to fail to communicate with other devices.
DETAILED STEPS
To remove a keychain, follow these steps:
Step 1 From the Feature Selector pane, choose Routing > Gateway Redundancy > Key Chain.
The available devices appear in the Summary pane.
Step 2 From the Summary pane, double-click the device that has a keychain that you want to delete.
Keychains on the device appear in the Summary table.
Step 3 Click the keychain you want to delete.
Step 4 From the menu bar, choose Actions > Delete.
The keychain disappears from the Summary table.
Step 5 From the menu bar, choose File > Deploy to apply your changes to the device.
Configuring a Key
You can configure a key for a keychain.
A new key contains no text (shared secret). For information about adding text to a key, see the "Configuring Text for a Key" section.
BEFORE YOU BEGIN
The default accept and send lifetimes for a new key are infinite. For more information, see the "Configuring Accept and Send Lifetimes for a Key" section.
DETAILED STEPS
To configure a key, follow these steps:
Step 1 From the Feature Selector pane, choose Routing > Gateway Redundancy > Key Chain.
The available devices appear in the Summary pane.
Step 2 From the Summary pane, double-click the device that you want to configure with a key.
Keychains on the device appear in the Summary table.
Step 3 Double-click the keychain that you want to configure with a key.
Keys in the keychain, if any, appear in the Summary table.
Step 4 (Optional) To create a new key, from the menu bar, choose Actions > Key Chain Entry.
A new row appears below the keychain.
Step 5 Double-click the Key Chain Name/ID entry for the key that you want to configure. If you are creating a new key, the entry is blank.
Step 6 Enter an identifier for the key. The identifier must be a whole number between 0 and 65535.
Step 7 From the menu bar, choose File > Deploy to apply your changes to the device.
Configuring Text for a Key
You can configure the text for a key. The text is the shared secret. The device stores the text in a secure format.
BEFORE YOU BEGIN
Determine the text for the key.
By default, accept and send lifetimes for a key are infinite, which means that the key is always valid. After you configure the text for a key, configure the accept and send lifetimes for the key. For more information, see the "Configuring Accept and Send Lifetimes for a Key" section.
DETAILED STEPS
To configure text for a key, follow these steps:
Step 1 From the Feature Selector pane, choose Routing > Gateway Redundancy > Key Chain.
The available devices appear in the Summary pane.
Step 2 From the Summary pane, double-click the device that has the key that you want to configure.
Keychains on the device appear in the Summary table.
Step 3 Double-click the keychain that has the key that you want to configure.
Keys in the keychain appear in the Summary table.
Step 4 Double-click the Key String entry for the key that you want to configure.
The field becomes a drop-down list.
Step 5 Use the drop-down list to configure the text string, including whether the text string that you enter is unencrypted or encrypted. The text string can be up to 63 alphanumeric, case-sensitive characters. It also supports special characters.
Step 6 From the menu bar, choose File > Deploy to apply your changes to the device.
Configuring Accept and Send Lifetimes for a Key
You can configure the accept lifetime and send lifetime for a key.
Note We recommend that you configure the keys in a keychain to have overlapping lifetimes. This practice prevents loss of key-secured communication due to moments where no key is active.
BEFORE YOU BEGIN
By default, accept and send lifetimes for a key are infinite, which means that the key is always valid.
For more information about accept and send lifetimes, see the "Lifetime of a Key" section.
DETAILED STEPS
To configure accept and send lifetimes for a key, follow these steps:
Step 1 From the Feature Selector pane, choose Routing > Gateway Redundancy > Key Chain.
The available devices appear in the Summary pane.
Step 2 From the Summary pane, double-click the device that has the key that you want to configure.
Keychains on the device appear in the Summary table.
Step 3 Double-click the keychain that has the key that you want to configure.
Keys in the keychain appear in the Summary table.
Step 4 Under Accept Life Time, double-click the Start entry for the key that you want to configure.
The field becomes a drop-down list.
Step 5 Use the drop-down list to configure the start date and time for the accept lifetime.
Step 6 Under Accept Life Time, double-click the End entry.
The field becomes a drop-down list.
Step 7 Use the drop-down list to configure when the accept lifetime ends.
You can specify the end of the accept lifetime as a specific date and time, as the duration in seconds of the lifetime, or as unending (infinite).
Step 8 Under Send Life Time, double-click the Start entry for the key that you want to configure.
The field becomes a drop-down list.
Step 9 Use the drop-down list to configure the start date and time for the send lifetime.
Step 10 Under Send Life Time, double-click the End entry.
The field becomes a drop-down list.
Step 11 Use the drop-down list to configure when the send lifetime ends.
You can specify the end of the send lifetime as a specific date and time, as the duration in seconds of the lifetime, or as unending (infinite).
Step 12 From the menu bar, choose File > Deploy to apply your changes to the device.
Where to Go Next
For information about routing features that use keychains, see the Cisco DCNM Unicast Routing Configuration Guide, Release 4.1.
Field Descriptions for Keychain Management
This section includes the following topics:
•Keychain Object
•Keychain Entry Object
•Related Fields
Keychain Object
| Field | Description |
|---|---|
| Key Chain Name/ID | Name assigned to the keychain. Valid names are 1 to 63 alphanumeric characters. |
Keychain Entry Object
Related Fields
For information about fields that configure key chains, see the Cisco DCNM Unicast Routing Configuration Guide, Release 4.1.
Additional References
For additional information related to implementing keychain management, see the following sections:
Related Documents
| Related Topic | Document Title |
|---|---|
| Gateway Load Balancing Protocol | Cisco DCNM Unicast Routing Configuration Guide, Release 4.1 |
Standards
| Standards | Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | — |
Feature History for Keychain Management
Table 14-3 lists the release history for this feature.
| Feature Name | Releases | Feature Information |
|---|---|---|
| Keychain management | 4.1(2) | No change from Release 4.0. |