Keychain management allows you to create and maintain keychains, which are sequences of keys (sometimes called shared secrets). You can use keychains with features that secure communications with other devices by using key-based authentication. The device allows you to configure multiple keychains.
To maintain stable communications, each device that uses a protocol that is secured by key-based authentication must be able to store and use more than one key for a feature at the same time. Based on the send and accept lifetimes of a key, keychain management provides a secure mechanism to handle key rollover. The device uses the lifetimes of keys to determine which keys in a keychain are active.
Each key in a keychain has two lifetimes, as follows:
Accept lifetime: The time interval within which the device accepts the key during a key exchange with another device.
Send lifetime: The time interval within which the device sends the key during a key exchange with another device.
You define the send and accept lifetimes of a key using the following parameters:
Start time: The absolute time that the lifetime begins.
End time: The end time can be defined in one of the following ways:
The absolute time that the lifetime ends
The number of seconds after the start time that the lifetime ends
Infinite lifetime (no end time)
During a key's send lifetime, the device sends routing update packets authenticated with that key. The device does not accept communication from another device when the key that device sent is not within its accept lifetime on the receiving device.
We recommend that you configure key lifetimes that overlap within every keychain. This practice avoids failure of neighbor authentication due to the absence of active keys.
Virtualization Support for Keychain Management
The following information applies to keychains used in virtual device contexts (VDCs):
Keychains are unique per VDC. You cannot use a keychain that you created in one VDC in a different VDC.
Because keychains are not shared by VDCs, you can reuse keychain names in different VDCs.
The device does not limit keychains on a per-VDC basis.
Licensing Requirements for Keychain Management
This table shows the licensing requirements for keychain management.
Keychain management requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.2.
Prerequisites for Keychain Management
Keychain management has no prerequisites.
Guidelines and Limitations for Keychain Management
Keychain management has the following configuration guideline and limitation:
Changing the system clock impacts when the keys are active.
Default Settings for Keychain Management
This table lists the default settings for Cisco NX-OS keychain management parameters.
Table 1 Default Keychain Management Parameters
Parameter: Default
Keychains: No keychain exists by default.
Keys: No keys are created by default when you create a new keychain.
You can configure the text for a key. The text is the shared secret. The device stores the text in a secure format.
By default, accept and send lifetimes for a key are infinite, which means that the key is always valid. After you configure the text for a key, configure the accept and send lifetimes for the key.
Before You Begin
Determine the text for the key. You can enter the text as unencrypted text or in the encrypted form that Cisco NX-OS uses to display key text when you use the show key chain command. Using the encrypted form is particularly helpful if you are creating key text to match a key as shown in the show key chain command output from another device.
Configures the text string for the key. The text-string argument is alphanumeric, case-sensitive, and supports special characters.
The encryption-type argument can be one of the following values:
0—The text-string argument that you enter is unencrypted text. This is the default.
7—The text-string argument that you enter is encrypted. The encryption method is a Cisco proprietary method. This option is useful when you are entering a text string based on the encrypted output of a show key chain command that you ran on another Cisco NX-OS device.
show key chain name [mode decrypt]
switch(config-keychain-key)# show key chain glbp-keys
Shows the keychain configuration, including the key text configuration. The mode decrypt option, which can be used by a device administrator only, displays the keys in cleartext.
This example shows how to configure a keychain named glbp-keys. Each key text string is entered in its encrypted form. Each key has a longer accept lifetime than send lifetime, to help prevent loss of communication caused by accidentally configuring a period in which there are no active keys.
key chain glbp-keys
  key-string 7 zqdest
  accept-lifetime 00:00:00 Jun 01 2008 23:59:59 Sep 12 2008
  send-lifetime 00:00:00 Jun 01 2008 23:59:59 Aug 12 2008

  key-string 7 uaeqdyito
  accept-lifetime 00:00:00 Aug 12 2008 23:59:59 Dec 12 2008
  send-lifetime 00:00:00 Sep 12 2008 23:59:59 Nov 12 2008

  key-string 7 eekgsdyd
  accept-lifetime 00:00:00 Nov 12 2008 23:59:59 Mar 12 2009
  send-lifetime 00:00:00 Dec 12 2008 23:59:59 Feb 12 2009
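The following Python model is an added example, not part of the Cisco document, that works through the send/accept lifetime rules described above against the glbp-keys configuration shown. It parses the key-string and lifetime lines, answers which key the device would send and which keys it would accept at a given time, and checks the overlap recommendation by reporting any window in which no key is in its send (or accept) lifetime. Key identifiers are assigned in order of appearance because the page does not show them, and preferring the lowest-numbered sendable key is an assumption about device behaviour rather than page text.

```python
from datetime import datetime, timedelta
FMT = "%H:%M:%S %b %d %Y"                  # NX-OS lifetime format, e.g. 00:00:00 Jun 01 2008
ONE_SEC = timedelta(seconds=1)
INFINITE = (datetime.min, datetime.max)    # default lifetime when none is configured
# Constructed sample: the page's glbp-keys keychain (key ids are assigned here in order).
SAMPLE = """\
key chain glbp-keys
  key-string 7 zqdest
  accept-lifetime 00:00:00 Jun 01 2008 23:59:59 Sep 12 2008
  send-lifetime 00:00:00 Jun 01 2008 23:59:59 Aug 12 2008
  key-string 7 uaeqdyito
  accept-lifetime 00:00:00 Aug 12 2008 23:59:59 Dec 12 2008
  send-lifetime 00:00:00 Sep 12 2008 23:59:59 Nov 12 2008
  key-string 7 eekgsdyd
  accept-lifetime 00:00:00 Nov 12 2008 23:59:59 Mar 12 2009
  send-lifetime 00:00:00 Dec 12 2008 23:59:59 Feb 12 2009
"""

def _lifetime(w):
    """'HH:MM:SS Mon DD YYYY HH:MM:SS Mon DD YYYY' -> (start, end), both inclusive."""
    return datetime.strptime(" ".join(w[:4]), FMT), datetime.strptime(" ".join(w[4:8]), FMT)

def parse_keychain(text):
    """Build one dict per key from key-string / accept-lifetime / send-lifetime lines."""
    keys = []
    for line in text.splitlines():
        w = line.split()
        if w[:1] == ["key-string"]:          # each key-string starts a new key
            keys.append({"id": len(keys), "secret": w[-1], "accept": INFINITE, "send": INFINITE})
        elif w[:1] in (["accept-lifetime"], ["send-lifetime"]):
            keys[-1][w[0].split("-")[0]] = _lifetime(w[1:])
    return keys

def active_ids(keys, kind, t):
    """Ids of keys whose `kind` ('send' or 'accept') lifetime covers time t."""
    return [k["id"] for k in keys if k[kind][0] <= t <= k[kind][1]]

def send_key_at(keys, t):
    """Key used to send at t: the lowest active id (assumed tie-break), or None if none is active."""
    return min(active_ids(keys, "send", t), default=None)

def lifetime_gaps(keys, kind):
    """Windows within the keychain's span where no key's `kind` lifetime is active."""
    spans = sorted(k[kind] for k in keys)
    gaps, covered_to = [], spans[0][1]
    for start, end in spans[1:]:
        if start - covered_to > ONE_SEC:     # neither overlapping nor back-to-back
            gaps.append((covered_to + ONE_SEC, start - ONE_SEC))
        covered_to = max(covered_to, end)
    return gaps
```

Run against the sample, the accept lifetimes overlap with no gaps, while the send lifetimes leave two windows (Aug 13 to Sep 11 and Nov 13 to Dec 11, 2008) in which no key is sendable; the same check applied to a production keychain before a rollover date is the practical use of this model.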