This chapter describes how to configure keychain management on a Cisco NX-OS device.
The Cisco NX-OS release that is running on a managed device may not support all the features or settings described in this chapter. For the latest feature information and caveats, see the documentation and release notes for your platform and software release.
Keychain management allows you to create and maintain keychains, which are sequences of keys (sometimes called shared secrets). You can use keychains with features that secure communications with other devices by using key-based authentication. The device allows you to configure multiple keychains.
To maintain stable communications, each device that uses a protocol that is secured by key-based authentication must be able to store and use more than one key for a feature at the same time. Based on the send and accept lifetimes of a key, keychain management provides a secure mechanism to handle key rollover. The device uses the lifetimes of keys to determine which keys in a keychain are active.
Each key in a keychain has two lifetimes, as follows:
Accept lifetime: the time interval within which the device accepts the key during a key exchange with another device.
Send lifetime: the time interval within which the device sends the key during a key exchange with another device.
You define the send and accept lifetimes of a key using the following parameters:
Start time: the absolute time at which the lifetime begins.
End time: the time at which the lifetime ends. The end time can be defined in one of the following ways:
The absolute time at which the lifetime ends
The number of seconds after the start time at which the lifetime ends
Infinite lifetime (no end time)
During the send lifetime of a key, the device sends routing update packets with that key. The device does not accept communication from another device when the key carried in the received packet is outside the accept lifetime configured for that key on the receiving device.
We recommend that you configure key lifetimes that overlap within every keychain. This practice avoids failure of neighbor authentication due to the absence of active keys.
Virtualization Support for Keychain Management
The following information applies to keychains used in virtual device contexts (VDCs):
Keychains are unique per VDC. You cannot use a keychain that you created in one VDC in a different VDC.
Because keychains are not shared by VDCs, you can reuse keychain names in different VDCs.
The device does not limit keychains on a per-VDC basis.
Licensing Requirements for Keychain Management
This table shows the licensing requirements for keychain management.
Keychain management requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the NX-OS licensing scheme, see the Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.2.
Prerequisites for Keychain Management
Keychain management has no prerequisites.
Guidelines and Limitations for Keychain Management
Keychain management has the following configuration guideline and limitation:
Changing the system clock impacts when the keys are active.
You can configure the text for a key. The text is the shared secret. The device stores the text in a secure format.
By default, accept and send lifetimes for a key are infinite, which means that the key is always valid. After you configure the text for a key, configure the accept and send lifetimes for the key.
Before You Begin
Determine the text for the key. The text string can be up to 63 alphanumeric, case-sensitive characters, including special characters.
1. From the Feature Selector pane, choose Routing > Gateway Redundancy > Key Chain.
   The available devices appear in the Summary pane.
2. From the Summary pane, double-click the device that has the key that you want to configure.
   Keychains on the device appear in the Summary table.
3. Double-click the keychain that has the key that you want to configure.
   Keys in the keychain appear in the Summary table.
4. Double-click the Key String entry for the key that you want to configure.
   The field becomes a drop-down list.
5. Use the drop-down list to configure the text string, including whether the text string that you enter is unencrypted or encrypted. The text string can be up to 63 alphanumeric, case-sensitive characters, including special characters.
6. (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.
Name assigned to the keychain. Valid names are 1 to 63 alphanumeric characters.
Keychain Entry Object
Table 2 Keychain Entry Object
Key Chain Name/ID
    Identification number assigned to the keychain. Valid identifier numbers are whole numbers from 0 to 65535.
Key String
    Text string that is the shared secret of the key. Entries in this field are masked for security. Valid entries are alphanumeric, case-sensitive text strings, including special characters. The minimum length is one character; the maximum length is 63 characters.
Accept Life Time
    Start: Date and time, in UTC, at which the accept lifetime becomes active. If you specify no start date and time, the accept lifetime is always valid.
    End: When the accept lifetime becomes inactive. You can specify the end of the accept lifetime in one of the following ways:
        Specific—The date and time when the accept lifetime becomes inactive.
        Duration—The length in seconds of the accept lifetime. The maximum length is 2147483646 seconds (approximately 68 years).
        Infinite—After the start time, the accept lifetime is always active.
Send Life Time
    Start: Date and time, in UTC, at which the send lifetime becomes active. If you specify no start date and time, the send lifetime is always active.
    End: When the send lifetime becomes inactive. You can specify the end of the send lifetime in one of the following ways:
        Specific—The date and time when the send lifetime becomes inactive.
        Duration—The length in seconds of the send lifetime. The maximum length is 2147483646 seconds (approximately 68 years).
        Infinite—After the start time, the send lifetime is always active.
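The lifetime rules described at the start of this chapter (accept and send lifetimes, each with a start and a specific, duration or infinite end) and the Accept Life Time and Send Life Time fields of Table 2 can be checked offline before a keychain is deployed. The Python model below is an added example written for this page; it is not Cisco code and not part of the guide. It assumes two details the guide does not state: that a lifetime is active on the half-open window start <= t < end, and that when several send lifetimes are active the key with the lowest ID is the one sent. The keychains GOOD and BAD, the name ospf-area0 and the key strings are constructed sample data. The send_gaps check implements the recommendation to keep lifetimes overlapping: it reports any sub-interval in which a device would have no key to send, and peer_accepts shows the matching accept-lifetime check on the receiving side.

```python
# Added example, not Cisco code and not part of this guide: a model of the
# NX-OS keychain lifetime rules. Assumptions not stated by the guide: a lifetime
# is active on start <= t < end, and the lowest active key ID is the one sent.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple, Union

MAX_DURATION_SECONDS = 2147483646  # "Duration" upper bound from Table 2

def utc(y, mo, d, h=0, mi=0):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Lifetime:
    # start=None: no start configured, so always valid. end: None (infinite),
    # a datetime (specific), or an int (duration in seconds after start).
    start: Optional[datetime] = None
    end: Union[None, datetime, int] = None

    def __post_init__(self):
        if isinstance(self.end, int):
            if self.start is None:
                raise ValueError("a duration end needs a start time")
            if not 1 <= self.end <= MAX_DURATION_SECONDS:
                raise ValueError("duration out of range")

    def end_time(self) -> Optional[datetime]:
        if self.start is None or self.end is None:
            return None
        if isinstance(self.end, int):
            return self.start + timedelta(seconds=self.end)
        return self.end

    def is_active(self, t: datetime) -> bool:
        if self.start is None:
            return True
        end = self.end_time()
        return self.start <= t and (end is None or t < end)

@dataclass(frozen=True)
class Key:
    key_id: int        # 0..65535 per Table 2
    key_string: str    # shared secret, 1..63 characters
    accept: Lifetime
    send: Lifetime

class Keychain:
    def __init__(self, name: str, keys: List[Key]):
        if not 1 <= len(name) <= 63 or len({k.key_id for k in keys}) != len(keys):
            raise ValueError("bad keychain name or duplicate key ID")
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def accepted_key_ids(self, t: datetime) -> List[int]:
        return [k.key_id for k in self.keys if k.accept.is_active(t)]

    def send_key(self, t: datetime) -> Optional[Key]:
        return next((k for k in self.keys if k.send.is_active(t)), None)

    def send_gaps(self, t0: datetime, t1: datetime) -> List[Tuple[datetime, datetime]]:
        """Sub-intervals of [t0, t1) with no active send lifetime. Activity only
        changes at a send start or end, so testing each slice's left edge suffices."""
        points = {t0, t1}
        for k in self.keys:
            for b in (k.send.start, k.send.end_time()):
                if b is not None and t0 < b < t1:
                    points.add(b)
        ordered = sorted(points)
        return [(a, b) for a, b in zip(ordered, ordered[1:]) if self.send_key(a) is None]

def peer_accepts(sender: Keychain, receiver: Keychain, t: datetime) -> bool:
    """Would a packet sent by `sender` at time t pass `receiver`'s key check?
    The receiver needs the same key ID and secret, inside its own accept lifetime."""
    k = sender.send_key(t)
    return k is not None and any(
        r.key_id == k.key_id and r.key_string == k.key_string and r.accept.is_active(t)
        for r in receiver.keys)

# Constructed sample keychains: in GOOD, key 2 starts sending 30 minutes before
# key 1 stops and accept windows are wider than send windows; in BAD, key 2 only
# starts at 12:30, leaving 12:00-12:30 with no key to send.
GOOD = Keychain("ospf-area0", [
    Key(1, "old-secret",
        accept=Lifetime(start=utc(2024, 1, 1), end=utc(2024, 3, 1, 12, 30)),
        send=Lifetime(start=utc(2024, 1, 1), end=utc(2024, 3, 1, 12, 0))),
    Key(2, "new-secret",
        accept=Lifetime(start=utc(2024, 3, 1, 11, 0)),                       # infinite end
        send=Lifetime(start=utc(2024, 3, 1, 11, 30), end=365 * 24 * 3600)),  # one-year duration
])
BAD = Keychain("ospf-area0", [
    GOOD.keys[0],
    Key(2, "new-secret", accept=Lifetime(start=utc(2024, 3, 1, 12, 30)),
        send=Lifetime(start=utc(2024, 3, 1, 12, 30))),
])

if __name__ == "__main__":
    for c in (GOOD, BAD):
        print(c.name, c.send_gaps(utc(2024, 3, 1, 11), utc(2024, 3, 1, 13)) or "no send gap")
```

Running the block reports no send gap for GOOD and the 12:00 to 12:30 UTC hole for BAD. Because the model evaluates lifetimes against a supplied time rather than the system clock, it also makes the guideline about clock changes concrete: feeding it a time that is skewed from the peer's clock shows which keys stop being accepted.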