Configuring Keychain Management
This chapter describes how to configure keychain management on a Cisco NX-OS device.
This chapter includes the following sections:
- Information About Keychain Management
- Licensing Requirements for Keychain Management
- Prerequisites for Keychain Management
- Guidelines and Limitations for Keychain Management
- Default Settings for Keychain Management
- Configuring Keychain Management
- Determining Active Key Lifetimes
- Verifying the Keychain Management Configuration
- Configuration Example for Keychain Management
- Where to Go Next
- Additional References for Keychain Management
- Feature History for Keychain Management
Information About Keychain Management
Keychains and Keychain Management
Keychain management allows you to create and maintain keychains, which are sequences of keys (sometimes called shared secrets). You can use keychains with features that secure communications with other devices by using key-based authentication. The device allows you to configure multiple keychains.
Some routing protocols that support key-based authentication can use a keychain to implement a hitless key rollover for authentication. For more information, see the Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide, Release 4.2.
Lifetime of a Key
To maintain stable communications, each device that uses a protocol that is secured by key-based authentication must be able to store and use more than one key for a feature at the same time. Based on the send and accept lifetimes of a key, keychain management provides a secure mechanism to handle key rollover. The device uses the lifetimes of keys to determine which keys in a keychain are active.
Each key in a keychain has two lifetimes, as follows:
- Accept lifetime: The time interval within which the device accepts the key during a key exchange with another device.
- Send lifetime: The time interval within which the device sends the key during a key exchange with another device.
You define the send and accept lifetimes of a key using the following parameters:
- Start-time: The absolute time that the lifetime begins.
- End-time: The end time can be defined in one of the following ways, matching the three forms that the accept-lifetime and send-lifetime commands take: as an absolute end time, as a duration measured from the start time, or as infinite, meaning that the lifetime never ends.
During a key's send lifetime, the device sends routing update packets with the key. The device does not accept communication from another device when the key that the other device sends is outside the accept lifetime of that key on the local device.
We recommend that you configure key lifetimes that overlap within every keychain. This practice avoids failure of neighbor authentication due to the absence of active keys.
Virtualization Support for Keychain Management
The following information applies to keychains used in virtual device contexts (VDCs):
Licensing Requirements for Keychain Management
This table shows the licensing requirements for keychain management.
Product | License Requirement
---|---
Cisco NX-OS | Keychain management requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.2.
Prerequisites for Keychain Management
Keychain management has no prerequisites.
Guidelines and Limitations for Keychain Management
Keychain management has the following configuration guideline and limitation:
Default Settings for Keychain Management
Parameters | Default
---|---
Key chains | No keychain exists by default.
Keys | No keys are created by default when you create a new keychain.
Accept lifetime | Always valid.
Send lifetime | Always valid.
Key-string entry encryption | Unencrypted.
Configuring Keychain Management
- Creating a Keychain
- Removing a Keychain
- Configuring a Key
- Configuring Text for a Key
- Configuring Accept and Send Lifetimes for a Key
Creating a Keychain
You can create a keychain on the device. A new keychain contains no keys.
SUMMARY STEPS
1. configure terminal
2. key chain name
3. (Optional) show key chain name
4. (Optional) copy running-config startup-config
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | configure terminal. Example: switch# configure terminal; switch(config)# | Enters global configuration mode.
Step 2 | key chain name. Example: switch(config)# key chain glbp-keys; switch(config-keychain)# | Creates the keychain and enters keychain configuration mode.
Step 3 | show key chain name. Example: switch(config-keychain)# show key chain glbp-keys | (Optional) Displays the keychain configuration.
Step 4 | copy running-config startup-config. Example: switch(config-keychain)# copy running-config startup-config | (Optional) Copies the running configuration to the startup configuration.
Removing a Keychain
You can remove a keychain on the device.
Note |
Removing a keychain removes any keys within the keychain. |
If you are removing a keychain, ensure that no feature uses it. If a feature is configured to use a keychain that you remove, that feature is likely to fail to communicate with other devices.
SUMMARY STEPS
1. configure terminal
2. no key chain name
3. (Optional) show key chain name
4. (Optional) copy running-config startup-config
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | configure terminal. Example: switch# configure terminal; switch(config)# | Enters global configuration mode.
Step 2 | no key chain name. Example: switch(config)# no key chain glbp-keys | Removes the keychain and any keys that the keychain contains.
Step 3 | show key chain name. Example: switch(config)# show key chain glbp-keys | (Optional) Confirms that the keychain no longer exists in the running configuration.
Step 4 | copy running-config startup-config. Example: switch(config)# copy running-config startup-config | (Optional) Copies the running configuration to the startup configuration.
Configuring a Key
You can configure a key for a keychain. A new key contains no text (shared secret). The default accept and send lifetimes for a new key are infinite.
SUMMARY STEPS
1. configure terminal
2. key chain name
3. key key-ID
4. (Optional) show key chain name
5. (Optional) copy running-config startup-config
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
Step 1 | configure terminal. Example: switch# configure terminal; switch(config)# | Enters global configuration mode.
Step 2 | key chain name. Example: switch(config)# key chain glbp-keys; switch(config-keychain)# | Enters keychain configuration mode for the keychain that you specified.
Step 3 | key key-ID. Example: switch(config-keychain)# key 13; switch(config-keychain-key)# | Enters key configuration mode for the key that you specified. The key-ID argument must be a whole number between 0 and 65535.
Step 4 | show key chain name. Example: switch(config-keychain-key)# show key chain glbp-keys | (Optional) Shows the keychain configuration, including the key configuration.
Step 5 | copy running-config startup-config. Example: switch(config-keychain-key)# copy running-config startup-config | (Optional) Copies the running configuration to the startup configuration.
Configuring Text for a Key
You can configure the text for a key. The text is the shared secret. The device stores the text in a secure format.
By default, accept and send lifetimes for a key are infinite, which means that the key is always valid. After you configure the text for a key, configure the accept and send lifetimes for the key.
Determine the text for the key. You can enter the text as unencrypted text or in the encrypted form that Cisco NX-OS uses to display key text when you use the show key chain command. Using the encrypted form is particularly helpful if you are creating key text to match a key as shown in the show key chain command output from another device.
SUMMARY STEPS
1. configure terminal
2. key chain name
3. key key-ID
4. key-string [encryption-type] text-string
5. (Optional) show key chain name [mode decrypt]
6. (Optional) copy running-config startup-config
DETAILED STEPS
Configuring Accept and Send Lifetimes for a Key
You can configure the accept lifetime and send lifetime for a key. By default, accept and send lifetimes for a key are infinite, which means that the key is always valid.
Note |
We recommend that you configure the keys in a keychain to have overlapping lifetimes. This practice prevents loss of key-secured communication due to moments where no key is active. |
SUMMARY STEPS
1. configure terminal
2. key chain name
3. key key-ID
4. accept-lifetime [local] start-time [duration duration-value | infinite | end-time]
5. send-lifetime [local] start-time [duration duration-value | infinite | end-time]
6. (Optional) show key chain name [mode decrypt]
7. (Optional) copy running-config startup-config
DETAILED STEPS
Determining Active Key Lifetimes
To determine which keys within a keychain have active accept or send lifetimes, use the command in this table. For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.2.
Command | Purpose
---|---
show key chain | Displays the keychains configured on the device.
Verifying the Keychain Management Configuration
To display keychain management configuration information, perform the following task. For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.2.
Command | Purpose
---|---
show key chain | Displays the keychains configured on the device.
Configuration Example for Keychain Management
This example shows how to configure a keychain named glbp-keys. Each key text string is encrypted. Each key has a longer accept lifetime than send lifetime, so that a key is still accepted from a neighbor after this device has stopped sending it; this helps prevent lost communication caused by accidentally configuring a time in which there are no active keys.

```
key chain glbp-keys
  key 0
    key-string 7 zqdest
    accept-lifetime 00:00:00 Jun 01 2008 23:59:59 Sep 12 2008
    send-lifetime 00:00:00 Jun 01 2008 23:59:59 Aug 12 2008
  key 1
    key-string 7 uaeqdyito
    accept-lifetime 00:00:00 Aug 12 2008 23:59:59 Dec 12 2008
    send-lifetime 00:00:00 Sep 12 2008 23:59:59 Nov 12 2008
  key 2
    key-string 7 eekgsdyd
    accept-lifetime 00:00:00 Nov 12 2008 23:59:59 Mar 12 2009
    send-lifetime 00:00:00 Dec 12 2008 23:59:59 Feb 12 2009
```
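The overlapping-lifetimes recommendation in "Lifetime of a Key", the "Determining Active Key Lifetimes" task and the configuration example above all come down to one question: at a given instant, which keys have an active accept lifetime, which have an active send lifetime, and is there any instant at which one side has none? The following Python script is an added example written for this chapter; it is not Cisco code and not output from a Nexus device. It parses a keychain written in the one-statement-per-line form of the example above (the shape show running-config produces), lists the keys active on each side at an instant, and reports gaps in coverage. It assumes that duration-value counts seconds and it ignores the local keyword, treating every timestamp as a naive local time; the SAMPLE_KEYCHAIN text is constructed from the chapter's example.

```python
"""Keychain lifetime checker (added example; not Cisco code or device output).

Parses a keychain in the text form of the chapter's configuration example,
lists the keys active for accept and for send at an instant, and reports
periods in which no key at all is active on one side, the situation the
overlapping-lifetimes recommendation warns about.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TIME_FMT = "%H:%M:%S %b %d %Y"          # "00:00:00 Jun 01 2008"
ALWAYS = (datetime.min, datetime.max)    # default lifetime: always valid
ONE_SECOND = timedelta(seconds=1)

# accept-lifetime [local] start-time [duration duration-value | infinite | end-time]
# 'local' is accepted and ignored: every timestamp is handled as a naive time.
_STAMP = r"\d\d:\d\d:\d\d [A-Za-z]{3} \d\d \d{4}"
LIFETIME_RE = re.compile(
    rf"^(?P<side>accept|send)-lifetime(?:\s+local)?\s+(?P<start>{_STAMP})"
    rf"(?:\s+duration\s+(?P<duration>\d+)|\s+(?P<infinite>infinite)|\s+(?P<end>{_STAMP}))$"
)


@dataclass
class Key:
    key_id: int
    key_string: Optional[str] = None     # kept exactly as written, e.g. "7 zqdest"; never decoded
    accept: Tuple[datetime, datetime] = ALWAYS
    send: Tuple[datetime, datetime] = ALWAYS


@dataclass
class Keychain:
    name: str
    keys: Dict[int, Key] = field(default_factory=dict)


def _lifetime(m: re.Match) -> Tuple[datetime, datetime]:
    start = datetime.strptime(m.group("start"), TIME_FMT)
    if m.group("infinite"):
        return start, datetime.max
    if m.group("duration"):
        # Assumption of this example: duration-value counts seconds.
        return start, start + timedelta(seconds=int(m.group("duration")))
    return start, datetime.strptime(m.group("end"), TIME_FMT)


def parse_keychain(text: str) -> Keychain:
    """Parse one 'key chain' block; any line it does not recognise raises ValueError."""
    chain: Optional[Keychain] = None
    key: Optional[Key] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("key chain "):
            chain = Keychain(name=line.split(None, 2)[2])
            continue
        if chain is None:
            raise ValueError("statement before 'key chain': %r" % line)
        if line.startswith("key "):                      # 'key <id>' opens a new key
            key = Key(key_id=int(line.split()[1]))
            chain.keys[key.key_id] = key
            continue
        if key is None:
            raise ValueError("statement before 'key': %r" % line)
        if line.startswith("key-string "):
            key.key_string = line.split(None, 1)[1]
            continue
        m = LIFETIME_RE.match(line)
        if m is None:
            raise ValueError("unrecognised line: %r" % line)
        setattr(key, m.group("side"), _lifetime(m))      # side is 'accept' or 'send'
    if chain is None:
        raise ValueError("no 'key chain' statement found")
    return chain


def active_keys(chain: Keychain, at: datetime, side: str) -> List[int]:
    """IDs of keys whose accept or send lifetime contains `at` (both bounds inclusive)."""
    return sorted(k.key_id for k in chain.keys.values()
                  if getattr(k, side)[0] <= at <= getattr(k, side)[1])


def coverage_gaps(chain: Keychain, side: str) -> List[Tuple[datetime, datetime]]:
    """Periods between the first start and the last end on `side` with no active key.

    Ends are inclusive, so a lifetime ending at 23:59:59 followed by one starting
    at 00:00:00 the next day is contiguous; anything wider is reported as a gap.
    """
    intervals = sorted(getattr(k, side) for k in chain.keys.values())
    gaps: List[Tuple[datetime, datetime]] = []
    if not intervals:
        return gaps
    covered_until = intervals[0][1]
    for start, end in intervals[1:]:
        if covered_until == datetime.max:                # an infinite key covers all that follows
            break
        if start > covered_until + ONE_SECOND:
            gaps.append((covered_until + ONE_SECOND, start - ONE_SECOND))
        covered_until = max(covered_until, end)
    return gaps


# Constructed sample input: the chapter's glbp-keys example, one statement per line.
SAMPLE_KEYCHAIN = """
key chain glbp-keys
  key 0
    key-string 7 zqdest
    accept-lifetime 00:00:00 Jun 01 2008 23:59:59 Sep 12 2008
    send-lifetime 00:00:00 Jun 01 2008 23:59:59 Aug 12 2008
  key 1
    key-string 7 uaeqdyito
    accept-lifetime 00:00:00 Aug 12 2008 23:59:59 Dec 12 2008
    send-lifetime 00:00:00 Sep 12 2008 23:59:59 Nov 12 2008
  key 2
    key-string 7 eekgsdyd
    accept-lifetime 00:00:00 Nov 12 2008 23:59:59 Mar 12 2009
    send-lifetime 00:00:00 Dec 12 2008 23:59:59 Feb 12 2009
"""

if __name__ == "__main__":
    chain = parse_keychain(SAMPLE_KEYCHAIN)
    now = datetime(2008, 8, 20, 12, 0, 0)     # an instant inside the first rollover window
    for side in ("accept", "send"):
        print(f"{chain.name}: {side} keys active at {now}: {active_keys(chain, now, side)}")
        for gap_start, gap_end in coverage_gaps(chain, side):
            print(f"  no {side} key active from {gap_start} to {gap_end}")
```

Run against the chapter's example, the script reports continuous accept coverage from June 2008 to March 2009 (key 0 and key 1 are both accepted through August 12 to September 12, key 1 and key 2 through November 12 to December 12), while on the send side it reports two periods, August 13 to September 11 and November 13 to December 11, in which no key's send lifetime is active. That is exactly the kind of interval to look for before committing a keychain that a routing protocol depends on, and the same check applied to a keychain copied from a peer (via show key chain on the other device) confirms that the two ends agree on when each key is accepted.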
Where to Go Next
For information about routing features that use keychains, see the Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide, Release 4.2.
Additional References for Keychain Management
Related Documents
Related Topic | Document Title
---|---
Gateway Load Balancing Protocol | Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide, Release 4.2
Border Gateway Protocol | Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide, Release 4.2
Keychain management commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples | Cisco Nexus 7000 Series NX-OS Security Command Reference, Release 4.2
Standards
Standards | Title
---|---
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | —
Feature History for Keychain Management
Feature Name | Releases | Feature Information
---|---|---
Keychain management | 4.2(1) | No change from Release 4.1.