Cisco IOS XR System Security Command Reference, Release 3.3
Key Chain Management Commands on Cisco IOS XR Software

Table Of Contents

Key Chain Management Commands on Cisco IOS XR Software

accept-lifetime

key (key chain)

key chain

key-string (key chain)

send-lifetime

show key chain


Key Chain Management Commands on Cisco IOS XR Software


This module describes the Cisco IOS XR software commands used to configure key chain management.

For detailed information about key chain management concepts, configuration tasks, and examples, see the Implementing Key Chain Management on Cisco IOS XR Software configuration module.

accept-lifetime

To set the time period during which the authentication key on a key chain is received as valid, use the accept-lifetime command in key configuration mode. To revert to the default value, use the no form of this command.

accept-lifetime start-time [duration duration value | infinite | end-time]

no accept-lifetime start-time [duration duration value | infinite | end-time]

Syntax Description

start-time

Start time, in hh:mm:ss day month year format, at which the key becomes valid. The range is from 0:0:0 to 23:59:59.

duration duration value

Determines the lifetime of the key in seconds. The range is from 1 to 2147483646.

infinite

Specifies that the key never expires after it becomes valid.

end-time

End time, in hh:mm:ss day month year format, after which the key expires. The range is from 0:0:0 to 23:59:59.


Defaults

No default behavior or values

Command Modes

Key configuration

Command History

Release          Modification
Release 3.3.0    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task ID

Task ID    Operations
system     read, write


Examples

The following example shows how to use the accept-lifetime command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# key chain isis-keys
RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# accept-lifetime 1:00:00 october 24 2005 infinite

Related Commands

Command                   Description
key (key chain)           Creates or modifies a key chain key.
key chain                 Creates or modifies a key chain.
key-string (key chain)    Specifies the text for the key string.
send-lifetime             Sends the valid key.
show key chain            Displays the key chain.


key (key chain)

To create or modify a key chain key, use the key command in keychain-key configuration mode. To disable, use the no form of this command.

key key-id

no key key-id

Syntax Description

key-id

Key identifier. The range is from 0 to 2147483647.


Defaults

No default behavior or values

Command Modes

Keychain-key configuration

Command History

Release          Modification
Release 3.3.0    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task ID

Task ID    Operations
system     read, write


Examples

The following example shows how to use the key command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# key chain isis-keys
RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)#

Related Commands

Command                   Description
accept-lifetime           Accepts the valid key.
key chain                 Creates or modifies a key chain.
key-string (key chain)    Specifies the text for the key string.
send-lifetime             Sends the valid key.
show key chain            Displays the key chain.


key chain

To create or modify a key chain, use the key chain command in global configuration mode. To disable, use the no form of this command.

key chain key-chain-name

no key chain key-chain-name

Syntax Description

key-chain-name

Specifies the name of the key chain. The maximum number of characters is 32.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release          Modification
Release 3.3.0    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task ID

Task ID    Operations
system     read, write


Examples

The following example shows how to use the key chain command to create a key chain named isis-keys:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# key chain isis-keys
RP/0/RP0/CPU0:router(config-isis-keys)#

Related Commands

Command                   Description
accept-lifetime           Accepts the valid key.
key (key chain)           Creates or modifies a key chain key.
key-string (key chain)    Specifies the text for the key string.
send-lifetime             Sends the valid key.
show key chain            Displays the key chain.


key-string (key chain)

To specify the text string for the key, use the key-string command in keychain-key configuration mode. To disable, use the no form of this command.

key-string [clear | password] key-string-text

no key-string [clear | password] key-string-text

Syntax Description

clear

Specifies the key string in clear text form.

password

Specifies the key in encrypted form.

key-string-text

Text string for the key. The string is encrypted by the parser process before it is saved to the configuration.


Defaults

The default value is clear.

Command Modes

Keychain-key configuration

Command History

Release          Modification
Release 3.3.0    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task ID

Task ID    Operations
system     read, write


Examples

The following example shows how to use the key-string command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# key chain isis-keys
RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# key-string password 8

Related Commands

Command                   Description
accept-lifetime           Accepts the valid key.
key (key chain)           Creates or modifies a key chain key.
key chain                 Creates or modifies a key chain.
send-lifetime             Sends the valid key.
show key chain            Displays the key chain.


send-lifetime

To send the valid key and to authenticate information from the local host to the peer, use the send-lifetime command in keychain-key configuration mode. To disable, use the no form of this command.

send-lifetime start-time [duration duration value | infinite | end-time]

no send-lifetime start-time [duration duration value | infinite | end-time]

Syntax Description

start-time

Start time, in hh:mm:ss day month year format, at which the key becomes valid. The range is from 0:0:0 to 23:59:59.

duration duration value

Determines the lifetime of the key in seconds.

infinite

Specifies that the key never expires once it becomes valid.

end-time

End time, in hh:mm:ss day month year format, after which the key expires. The range is from 0:0:0 to 23:59:59.


Defaults

No default behavior or values

Command Modes

Keychain-key configuration

Command History

Release          Modification
Release 3.3.0    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task ID

Task ID    Operations
system     read, write


Examples

The following example shows how to use the send-lifetime command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# key chain isis-keys
RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# send-lifetime 1:00:00 october 24 2005 infinite

Related Commands

Command                   Description
accept-lifetime           Accepts the valid key.
key (key chain)           Creates or modifies a key chain key.
key chain                 Creates or modifies a key chain.
key-string (key chain)    Specifies the text for the key string.
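
The following is an added example, not Cisco code: a Python audit over a constructed key chain that uses the accept-lifetime and send-lifetime syntax described above and flags keys that never expire, send windows that fall outside the accept window, and periods in which no key is valid for sending. It assumes both peers carry the same key chain, a single key chain per input, and the time month day year ordering used in this page's examples; parse, audit and the sample configuration are hypothetical names and data.

```python
import re
from datetime import datetime, timedelta
# Constructed sample (not from a real router), using the command syntax on this page.
SAMPLE = """\
key chain isis-keys
 key 8
  accept-lifetime 1:00:00 october 24 2005 1:00:00 december 1 2005
  send-lifetime 1:00:00 october 24 2005 1:00:00 november 24 2005
 key 9
  accept-lifetime 1:00:00 november 26 2005 infinite
  send-lifetime 1:00:00 november 25 2005 duration 2592000
"""
FMT = "%H:%M:%S %B %d %Y"  # assumed order: time month day year, as in the page's examples
STAMP = r"\d{1,2}:\d{1,2}:\d{1,2} \w+ \d{1,2} \d{4}"
LIFETIME = re.compile(rf"(accept|send)-lifetime ({STAMP}) (infinite|duration (\d+)|{STAMP})")
NEVER = datetime.max  # stands in for "infinite"

def parse(config):
    """Map key id -> {"accept"|"send": (start, end)} for a single key chain."""
    keys, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"key (\d+)", line):
            current = keys.setdefault(int(m.group(1)), {})
        elif current is not None and (m := LIFETIME.fullmatch(line)):
            start = datetime.strptime(m.group(2), FMT)
            tail, secs = m.group(3), m.group(4)
            end = (NEVER if tail == "infinite"
                   else start + timedelta(seconds=int(secs)) if secs
                   else datetime.strptime(tail, FMT))
            current[m.group(1)] = (start, end)
    return keys

def audit(keys):
    """Flag non-expiring keys, send windows outside accept windows, and send gaps."""
    findings = []
    for kid, k in sorted(keys.items()):
        findings += [f"key {kid}: {kind}-lifetime never expires"
                     for kind, (_, end) in sorted(k.items()) if end == NEVER]
        if "send" in k and "accept" in k:
            (ss, se), (as_, ae) = k["send"], k["accept"]
            if ss < as_ or se > ae:  # a peer with the same chain would reject this key
                findings.append(f"key {kid}: send window extends outside accept window")
    sends = sorted(k["send"] for k in keys.values() if "send" in k)
    covered = sends[0][1] if sends else NEVER
    for start, end in sends[1:]:
        if start > covered:  # nothing valid to send between the two windows
            findings.append(f"no send key valid from {covered} to {start}")
        covered = max(covered, end)
    return findings
```
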


show key chain

To display the key chain, use the show key chain command in EXEC mode.

show key chain key-chain-name

Syntax Description

key-chain-name

Names of the keys in the specified key chain. The maximum number of characters is 32.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release          Modification
Release 3.3.0    This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task ID

Task ID    Operations
system     read


Examples

When a secure key storage becomes available, it is desirable for key chain management to alternatively prompt you for a master password and display the key label after decryption. The following example displays only the encrypted key label for the show key chain command:

RP/0/RP0/CPU0:router# show key chain isis-keys

Key-chain: isis-keys/ -

Key 8 -- text "8"
  Send lifetime:   01:00:00, 24 Oct 2005 - Always valid  [Valid now]
  Accept lifetime: 01:00:00, 24 Oct 2005 - Always valid [Valid now]

Related Commands

Command                   Description
accept-lifetime           Accepts the valid key.
key (key chain)           Creates or modifies a key chain key.
key chain                 Creates or modifies a key chain.
key-string (key chain)    Specifies the text for the key string.
send-lifetime             Sends the valid key.