Security Configuration Guide, Cisco DCNM for LAN, Release 6.x
Configuring Keychain Management

This chapter describes how to configure keychain management on a Cisco NX-OS device.


Note: The Cisco NX-OS release that is running on a managed device may not support all the features or settings described in this chapter. For the latest feature information and caveats, see the documentation and release notes for your platform and software release.

This chapter includes the following sections:

  • Information About Keychain Management
  • Licensing Requirements for Keychain Management
  • Platform Support for Keychain Management
  • Configuring Keychain Management
  • Field Descriptions for Keychain Management
  • Additional References for Keychain Management
  • Feature History for Keychain Management

Information About Keychain Management

Keychains and Keychain Management

Keychain management allows you to create and maintain keychains, which are sequences of keys (sometimes called shared secrets). You can use keychains with features that secure communications with other devices by using key-based authentication. The device allows you to configure multiple keychains.

Some routing protocols that support key-based authentication can use a keychain to implement a hitless key rollover for authentication. For more information, see the Unicast Configuration Guide, Cisco DCNM for LAN, Release 5.x.

Lifetime of a Key

To maintain stable communications, each device that uses a protocol that is secured by key-based authentication must be able to store and use more than one key for a feature at the same time. Based on the send and accept lifetimes of a key, keychain management provides a secure mechanism to handle key rollover. The device uses the lifetimes of keys to determine which keys in a keychain are active.

Each key in a keychain has two lifetimes, as follows:

Accept lifetime

The time interval within which the device accepts the key during a key exchange with another device.

Send lifetime

The time interval within which the device sends the key during a key exchange with another device.

You define the send and accept lifetimes of a key using the following parameters:

Start-time

The absolute time that the lifetime begins.

End-time

The end time can be defined in one of the following ways:

  • The absolute time that the lifetime ends
  • The number of seconds after the start time that the lifetime ends
  • Infinite lifetime (no end-time)

During the send lifetime of a key, the device sends routing update packets authenticated with that key. The receiving device rejects such packets when the key they carry is outside the accept lifetime of the corresponding key on the receiving device.

We recommend that you configure key lifetimes that overlap within every keychain. This practice avoids failure of neighbor authentication due to the absence of active keys.
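To make the lifetime rules above concrete, here is an added Python model of a keychain (not Cisco code and not taken from this guide) with accept and send lifetimes in the three end-time forms, plus a check for the non-overlapping send lifetimes the guide warns against. The key identifiers, secrets and dates are constructed sample values, and the choice of the first active key for sending is an assumption, since this chapter does not state the device's own selection rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Union

MAX_DURATION = 2147483646  # largest duration in seconds listed in Table 2

@dataclass(frozen=True)
class Lifetime:
    # Half-open interval [start, end). start=None: valid from the beginning.
    # end: absolute datetime, duration in seconds after start, or None (infinite).
    start: Optional[datetime] = None
    end: Union[datetime, int, None] = None
    def end_time(self) -> Optional[datetime]:
        if isinstance(self.end, int):  # duration form; needs a start time
            if self.start is None or not 0 < self.end <= MAX_DURATION:
                raise ValueError("duration must be 1..MAX_DURATION seconds after a start")
            return self.start + timedelta(seconds=self.end)
        return self.end  # absolute end, or None for infinite
    def covers(self, at: datetime) -> bool:
        end = self.end_time()
        return (self.start is None or at >= self.start) and (end is None or at < end)

@dataclass(frozen=True)
class Key:
    key_id: int  # whole number 0..65535
    secret: str  # the key text (shared secret), 1..63 characters
    accept: Lifetime
    send: Lifetime

def send_key(chain: List[Key], at: datetime) -> Optional[Key]:
    # First key whose send lifetime is active (assumed tie-break; not stated in the chapter).
    return next((k for k in chain if k.send.covers(at)), None)

def accepts(chain: List[Key], key_id: int, secret: str, at: datetime) -> bool:
    # A received update is accepted only if the key text matches and the
    # receive time lies within that key's accept lifetime.
    return any(k.key_id == key_id and k.secret == secret and k.accept.covers(at) for k in chain)

def send_gaps(chain: List[Key]) -> List[datetime]:
    # Instants where one key stops sending and no other key has started yet:
    # the non-overlap that makes neighbor authentication fail.
    ends = [k.send.end_time() for k in chain]
    return [e for e in ends if e is not None and send_key(chain, e) is None]

def T(y: int, m: int, d: int) -> datetime:  # constructed UTC timestamps
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample: key 2 stops sending on 24 Feb but key 3 only starts on 15 Mar.
SAMPLE = [Key(1, "s1", Lifetime(T(2024, 1, 1), T(2024, 2, 5)), Lifetime(T(2024, 1, 1), T(2024, 2, 1))),
          Key(2, "s2", Lifetime(T(2024, 1, 20), 3456000), Lifetime(T(2024, 1, 25), 2592000)),
          Key(3, "s3", Lifetime(T(2024, 3, 10), None), Lifetime(T(2024, 3, 15), None))]
```

Running `send_gaps(SAMPLE)` reports 24 Feb 2024 as the instant at which no key is active; moving key 3's send start earlier than that closes the gap.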

Licensing Requirements for Keychain Management

This table shows the licensing requirements for keychain management.

Product: Cisco DCNM
License requirement: Keychain management requires a LAN Enterprise license. For an explanation of the Cisco DCNM licensing scheme and how to obtain and apply licenses, see the Cisco DCNM Installation and Licensing Guide, Release 5.x.

Product: Cisco NX-OS
License requirement: Keychain management requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme for your platform, see the licensing guide for your platform.

Platform Support for Keychain Management

The following platform supports this feature. For platform-specific information, including guidelines and limitations, system defaults, and configuration limits, see the corresponding documentation.

Platform: Cisco Nexus 7000 Series Switches
Documentation: Cisco Nexus 7000 Series Switches Documentation

Configuring Keychain Management

Creating a Keychain

You can create a keychain on the device. A new keychain contains no keys.

Procedure
Step 1   From the Feature Selector pane, choose Routing > Gateway Redundancy > Key Chain.

The available devices appear in the Summary pane.

Step 2   From the Summary pane, click the device that you want to configure with a keychain.
Step 3   From the menu bar, choose Actions > Key Chain.

A new row appears in the Summary pane.

Step 4   Enter a name for the keychain. Valid keychain names are alphanumeric and can be up to 63 characters long.
Step 5   (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.

Removing a Keychain

You can remove a keychain on the device.

Note: Removing a keychain removes any keys within the keychain.

Before You Begin

If you are removing a keychain, ensure that no feature uses it. If a feature is configured to use a keychain that you remove, that feature is likely to fail to communicate with other devices.

Procedure
Step 1   From the Feature Selector pane, choose Routing > Gateway Redundancy > Key Chain.

The available devices appear in the Summary pane.

Step 2   From the Summary pane, double-click the device that has a keychain that you want to delete.

Keychains on the device appear in the Summary table.

Step 3   Click the keychain you want to delete.
Step 4   From the menu bar, choose Actions > Delete.

The keychain disappears from the Summary table.

Step 5   (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.

Configuring a Key

You can configure a key for a keychain. A new key contains no text (shared secret). The default accept and send lifetimes for a new key are infinite.

Procedure
Step 1   From the Feature Selector pane, choose Routing > Gateway Redundancy > Key Chain.

The available devices appear in the Summary pane.

Step 2   From the Summary pane, double-click the device that you want to configure with a key.

Keychains on the device appear in the Summary table.

Step 3   Double-click the keychain that you want to configure with a key.
Step 4   (Optional) To create a new key, from the menu bar, choose Actions > Key Chain Entry.

A new row appears below the keychain.

Step 5   Double-click the Key Chain Name/ID entry for the key that you want to configure. If you are creating a new key, the entry is blank.
Step 6   Enter an identifier for the key. The identifier must be a whole number between 0 and 65535.
Step 7   (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.

Configuring Text for a Key

You can configure the text for a key. The text is the shared secret. The device stores the text in a secure format.

By default, accept and send lifetimes for a key are infinite, which means that the key is always valid. After you configure the text for a key, configure the accept and send lifetimes for the key.

Before You Begin

Determine the text for the key. The text string can be up to 63 alphanumeric, case-sensitive characters, including special characters.

Procedure
Step 1   From the Feature Selector pane, choose Routing > Gateway Redundancy > Key Chain.

The available devices appear in the Summary pane.

Step 2   From the Summary pane, double-click the device that has the key that you want to configure.

Keychains on the device appear in the Summary table.

Step 3   Double-click the keychain that has the key that you want to configure.

Keys in the keychain appear in the Summary table.

Step 4   Double-click the Key String entry for the key that you want to configure.

The field becomes a drop-down list.

Step 5   Use the drop-down list to configure the text string, including whether the text string that you enter is unencrypted or encrypted. The text string can be up to 63 alphanumeric, case-sensitive characters, including special characters.
Step 6   (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.

Configuring Accept and Send Lifetimes for a Key

You can configure the accept lifetime and send lifetime for a key.

Note: We recommend that you configure the keys in a keychain to have overlapping lifetimes. This practice prevents loss of key-secured communication due to moments where no key is active.

Before You Begin

By default, accept and send lifetimes for a key are infinite, which means that the key is always valid.

Procedure
Step 1   From the Feature Selector pane, choose Routing > Gateway Redundancy > Key Chain.

The available devices appear in the Summary pane.

Step 2   From the Summary pane, double-click the device that has the key that you want to configure.

Keychains on the device appear in the Summary table.

Step 3   Double-click the keychain that has the key that you want to configure.

Keys in the keychain appear in the Summary table.

Step 4   Under Accept Life Time, double-click the Start entry for the key that you want to configure.

The field becomes a drop-down list.

Step 5   Use the drop-down list to configure the start date and time for the accept lifetime.
Step 6   Under Accept Life Time, double-click the End entry.

The field becomes a drop-down list.

Step 7   Use the drop-down list to configure when the accept lifetime ends.

You can specify the end of the accept lifetime as a specific date and time, as the duration in seconds of the lifetime, or as unending (infinite).

Step 8   Under Send Life Time, double-click the Start entry for the key that you want to configure.

The field becomes a drop-down list.

Step 9   Use the drop-down list to configure the start date and time for the send lifetime.
Step 10   Under Send Life Time, double-click the End entry.

The field becomes a drop-down list.

Step 11   Use the drop-down list to configure when the send lifetime ends.

You can specify the end of the send lifetime as a specific date and time, as the duration in seconds of the lifetime, or as unending (infinite).

Step 12   (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.

Where to Go Next

For information about routing features that use keychains, see the Unicast Configuration Guide, Cisco DCNM for LAN, Release 5.x.

Field Descriptions for Keychain Management

Keychain Object

Table 1 Keychain Object

Key Chain Name/ID
  Name assigned to the keychain. Valid names are 1 to 63 alphanumeric characters.

Keychain Entry Object

Table 2 Keychain Entry Object

Key Chain Name/ID
  Identification number assigned to the key. Valid identifier numbers are whole numbers from 0 to 65535.

Key String
  Text string that is the shared secret of the key. Entries in this field are masked for security. Valid entries are alphanumeric, case-sensitive text strings, including special characters. The minimum length is one character. The maximum length is 63 characters.

Accept Life Time: Start
  Date and time, in UTC, that the accept lifetime becomes active. If you specify no start date and time, the accept lifetime is always valid.

Accept Life Time: End
  When the accept lifetime becomes inactive. You can specify the end of the accept lifetime in one of the following ways:
  • Specific—The date and time when the accept lifetime becomes inactive.
  • Duration—The length in seconds of the accept lifetime. The maximum length is 2147483646 seconds (approximately 68 years).
  • Infinite—After the start time, the accept lifetime is always active.

Send Life Time: Start
  Date and time, in UTC, that the send lifetime becomes active. If you specify no start date and time, the send lifetime is always active.

Send Life Time: End
  When the send lifetime becomes inactive. You can specify the end of the send lifetime in one of the following ways:
  • Specific—The date and time when the send lifetime becomes inactive.
  • Duration—The length in seconds of the send lifetime. The maximum length is 2147483646 seconds (approximately 68 years).
  • Infinite—After the start time, the send lifetime is always active.

Related Fields

For information about fields that configure key chains, see the Unicast Configuration Guide, Cisco DCNM for LAN, Release 5.x.

Additional References for Keychain Management

Related Documents

Related Topic                    Document Title
Gateway Load Balancing Protocol  Unicast Configuration Guide, Cisco DCNM for LAN, Release 5.x

Standards

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

Feature History for Keychain Management

This table lists the release history for this feature.

Table 3 Feature History for Keychain Management

Feature Name         Releases  Feature Information
Keychain management  5.2(1)    No change from Release 5.1.
Keychain management  5.1(1)    No change from Release 5.0.
Keychain management  5.0(2)    No change from Release 4.2.
Keychain management  4.2(1)    No change from Release 4.1.