|
Table Of Contents
Keychain Management Commands on Cisco IOS XR Software
Keychain Management Commands on Cisco IOS XR Software
This module describes the commands used to configure keychain Cisco IOS XR Software.
For detailed information about keychain management concepts, configuration tasks, and examples, see the Implementing Keychain Management on Cisco IOS XR Software configuration module of Cisco IOS XR System Security Configuration Guide.
accept-lifetime
To set the time period during which the authentication key on a keychain is received as valid, use the accept-lifetime command in key configuration mode. To revert to the default value, use the no form of this command
accept-lifetime start-time [duration duration value | infinite | end-time]
no accept-lifetime start-time [duration duration value | infinite | end-time]
Syntax Description
Defaults
No default behavior or values
Command Modes
Key configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Task ID
Examples
The following example shows how to use the accept-lifetime command:
RR/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# key chain isis-keys
RP/0/0/CPU0:router(config-isis-keys)# key 8
RP/0/0/CPU0:router(config-isis-keys-0x8)# accept-lifetime 1:00:00 June 29 2006 infinite
Related Commands
Command DescriptionCreates or modifies a keychain key.
Creates or modifies a keychain.
Specifies the text for the key string.
Sends the valid key.
Displays the keychain.
accept-tolerance
To specify the tolerance or acceptance limit, in seconds, for an accept key that is used by a peer, use the accept-tolerance command in keychain configuration mode. To disable this feature, use the no form of this command.
accept-tolerance [value | infinite]
no accept-tolerance [value | infinite]
Syntax Description
Defaults
The default value is 0, which is no tolerance.
Command Modes
Keychain configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
If you do not configure the accept-tolerance command, the tolerance value is set to zero.
Even though the key is outside the active lifetime, the key is deemed acceptable as long as it is within the tolerance limit (for example, either prior to the start of the lifetime, or after the end of the lifetime).
Task ID
Examples
The following example shows how to use the accept-tolerance command:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# key chain isis-keys
RP/0/0/CPU0:router(config-isis-keys)# accept-tolerance infinite
Related Commands
cryptographic-algorithm
To specify the choice of the cryptographic algorithm to be applied to the packets using the key string configured for the key ID, use the cryptographic-algorithm command in keychain-key configuration mode. To disable this feature, use the no form of this command.
cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1]
no cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1]
Syntax Description
Defaults
No default behavior or values
Command Modes
Keychain-key configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
If you do not specify the cryptographic algorithm, MAC computation and API verification would be invalid.
These protocols support the following cryptographic algorithms:
•Border Gateway Protocol (BGP) supports only HMAC-MD5 and HMAC-SHA1-12.
•Intermediate System-to-Intermediate System (IS-IS) supports only HMAC-MD5.
•Open Shortest Path First (OSPF) supports only MD5.
Task ID
Examples
The following example shows how to use the cryptographic-algorithm command:
RP/0/RSP00/CPU0:router# configure
RP/0/RSP00/CPU0:router(config)# key chain isis-keys
RP/0/RSP00/CPU0:router(config-isis-keys)# key 8
RP/0/RSP00/CPU0:router(config-isis-keys-0x8)# cryptographic-algorithm HMAC-MD5
Related Commands
key (key chain)
To create or modify a keychain key, use the key command in keychain-key configuration mode. To disable this feature, use the no form of this command.
key key-id
no key key-id
Syntax Description
Defaults
No default behavior or values
Command Modes
Keychain-key configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
For a Border Gateway Protocol (BGP) keychain configuration, the range for the key-id argument must be from 0 to 63. If the range is above the value of 63, the BGP keychain operation is rejected.
Task ID
Examples
The following example shows how to use the key command:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# key chain isis-keys
RP/0/0/CPU0:router(config-isis-keys)# key 8
RP/0/0/CPU0:router(config-isis-keys-0x8)#Related Commands
Command DescriptionAccepts the valid key.
Creates or modifies a keychain.
Specifies the text for the key string.
Sends the valid key.
Displays the keychain.
key chain (key chain)
To create or modify a keychain, use the key chain command in global configuration mode. To disable this feature, use the no form of this command.
key chain key-chain-name
no key chain key-chain-name
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
You can configure a keychain for Border Gateway Protocol (BGP) as a neighbor, session group, or neighbor group. BGP can use the keychain to implement a hitless key rollover for authentication.
Task ID
Examples
The following example shows that the name of the keychain isis-keys is for the key chain command:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# key chain isis-keys
RP/0/0/CPU0:router(config-isis-keys)#Related Commands
key-string (keychain)
To specify the text string for the key, use the key-string command in keychain-key configuration mode. To disable this feature, use the no form of this command.
key-string [clear | password] key-string-text
no key-string [clear | password] key-string-text
Syntax Description
Defaults
The default value is clear.
Command Modes
Keychain-key configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
For an encrypted password to be valid, the following statements must be true:
•String must contain an even number of characters, with a minimum of four.
•The first two characters in the password string must be decimal numbers and the rest must be hexadecimals.
•The first two digits must not be a number greater than 53.
Either of the following examples would be valid encrypted passwords:
1234abcd
or
50aefdTask ID
Examples
The following example shows how to use the keystring command:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# key chain isis-keys
RP/0/0/CPU0:myhost(config-isis-keys)# key 8
RP/0/0/CPU0:myhost(config-isis-keys-0x8)# key-string password 50aefdRelated Commands
Command DescriptionAccepts the valid key.
Creates or modifies a keychain key.
Creates or modifies a keychain.
Sends the valid key.
Displays the keychain.
send-lifetime
To send the valid key and to authenticate information from the local host to the peer, use the send-lifetime command in keychain-key configuration mode. To disable this feature, use the no form of this command.
send-lifetime start-time [duration duration value | infinite | end-time]
no send-lifetime start-time [duration duration value | infinite | end-time]
Syntax Description
Defaults
No default behavior or values
Command Modes
Keychain-key configuration
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Task ID
Examples
The following example shows how to use the send-lifetime command:
RR/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# key chain isis-keys
RP/0/0/CPU0:router(config-isis-keys)# key 8
RP/0/0/CPU0:router(config-isis-keys-0x8)# send-lifetime 1:00:00 June 29 2006 infinite
Related Commands
Command DescriptionAccepts the valid key.
Creates or modifies a keychain key.
Creates or modifies a keychain.
Specifies the text for the key string.
show key chain
To display the keychain, use the show key chain command in EXEC mode.
show key chain key-chain-name
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Task ID
Examples
When a secure key storage becomes available, it is desirable for keychain management to alternatively prompt you for a master password and display the key label after decryption. The following example displays only the encrypted key label for the show key chain command:
RP/0/0/CPU0:router# show key chain isis-keysKey-chain: isis-keys/ -accept-tolerance -- infiniteKey 8 -- text "8"cryptographic-algorithm -- MD5Send lifetime: 01:00:00, 29 Jun 2006 - Always valid [Valid now]Accept lifetime: 01:00:00, 29 Jun 2006 - Always valid [Valid now]Related Commands