-
Cisco IOS XR System Security Command Reference for the Cisco CRS Router, Release 4.1
-
Preface
-
Authentication, Authorization, and Accounting Commands
-
IPSec Commands
-
Keychain Management Commands
-
Lawful Intercept Commands
-
Management Plane Protection Commands
-
Public Key Infrastructure Commands
-
Software Authentication Manager Commands
-
Secure Shell Commands
-
Secure Socket Layer Protocol Commands
-
Index
-
Feedback
Contents
Keychain Management Commands
This module describes the commands used to configure keychain management.
For detailed information about keychain management concepts, configuration tasks, and examples, see the Implementing Keychain Management on the Cisco IOS XR Software configuration module in the Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router.
- accept-lifetime
- accept-tolerance
- key (key chain)
- key chain (key chain)
- key-string (keychain)
- send-lifetime
- show key chain
accept-lifetime
To set the time period during which the authentication key on a keychain is received as valid, use the accept-lifetime command in key configuration mode. To revert to the default value, use the no form of this command.
accept-lifetime start-time [ duration duration value | infinite | end-time ]
no accept-lifetime start-time [ duration duration value | infinite | end-time ]
Syntax Description
start-time
Start time, in hh:mm:ss day month year format, in which the key becomes valid. The range is from 0:0:0 to 23:59:59.
The range for the number of days of the month is from 1 to 31.
The range for the years is from 1993 to 2035.
duration duration value
(Optional) Determines the lifetime of the key in seconds. The range is from 1-2147483646.
infinite
(Optional) Specifies that the key never expires after it becomes valid.
end-time
(Optional) Time, in hh:mm:ss day month year format, after which the key expires. The range is from 0:0:0 to 23:59:59.
Command History
Release
Modification
Release 3.3.0
This command was introduced.
Release 3.6.0
The range values were added for the start-time argument.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following example shows how to use the accept-lifetime command:
RR/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# key chain isis-keys RP/0/RP0/CPU0:router(config-isis-keys)# key 8 RP/0/RP0/CPU0:router(config-isis-keys-0x8)# accept-lifetime 1:00:00 June 29 2006 infiniteaccept-tolerance
To specify the tolerance or acceptance limit, in seconds, for an accept key that is used by a peer, use the accept-tolerance command in keychain configuration mode. To disable this feature, use the no form of this command.
Syntax Description
value
(Optional) Tolerance range, in seconds. The range is from 1 to 8640000.
infinite
(Optional) Specifies that the tolerance specification is infinite. The accept key never expires. The tolerance limit of infinite indicates that an accept key is always acceptable and validated when used by a peer.
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
If you do not configure the accept-tolerance command, the tolerance value is set to zero.
Even though the key is outside the active lifetime, the key is deemed acceptable as long as it is within the tolerance limit (for example, either prior to the start of the lifetime, or after the end of the lifetime).
Task ID
Examples
The following example shows how to use the accept-tolerance command:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# key chain isis-keys RP/0/RP0/CPU0:router(config-isis-keys)# accept-tolerance infinitekey (key chain)
To create or modify a keychain key, use the key command in keychain-key configuration mode. To disable this feature, use the no form of this command.
Syntax Description
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
For a Border Gateway Protocol (BGP) keychain configuration, the range for the key-id argument must be from 0 to 63. If the range is above the value of 63, the BGP keychain operation is rejected.
Task ID
Examples
The following example shows how to use the key command:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# key chain isis-keys RP/0/RP0/CPU0:router(config-isis-keys)# key 8 RP/0/RP0/CPU0:router(config-isis-keys-0x8)#key chain (key chain)
To create or modify a keychain, use the key chain command in global configuration mode. To disable this feature, use the no form of this command.
Syntax Description
Command History
Release
Modification
Release 3.3.0
This command was introduced.
Release 3.4.1
The maximum number of characters allowed in the keychain name was changed from 32 to 48.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
You can configure a keychain for Border Gateway Protocol (BGP) as a neighbor, session group, or neighbor group. BGP can use the keychain to implement a hitless key rollover for authentication.
Task ID
Examples
The following example shows that the name of the keychain isis-keys is for the key chain command:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# key chain isis-keys RP/0/RP0/CPU0:router(config-isis-keys)#key-string (keychain)
To specify the text string for the key, use the key-string command in keychain-key configuration mode. To disable this feature, use the no form of this command.
Syntax Description
clear
Specifies the key string in clear-text form.
password
Specifies the key in encrypted form.
key-string-text
Text string for the key, which is encrypted by the parser process before being saved to the configuration. The text string has the following character limitations:
Command History
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
For an encrypted password to be valid, the following statements must be true:
- String must contain an even number of characters, with a minimum of four.
- The first two characters in the password string must be decimal numbers and the rest must be hexadecimals.
- The first two digits must not be a number greater than 53.
Either of the following examples would be valid encrypted passwords:
1234abcd
or
50aefd
Task ID
Examples
The following example shows how to use the keystring command:
RP/0/RP0/CPU0:router:# configure RP/0/RP0/CPU0:router(config)# key chain isis-keys RP/0/RP0/CPU0:router(config-isis-keys)# key 8 RP/0/RP0/CPU0:router(config-isis-keys-0x8)# key-string password 850aefdsend-lifetime
To send the valid key and to authenticate information from the local host to the peer, use the send-lifetime command in keychain-key configuration mode. To disable this feature, use the no form of this command.
send-lifetime start-time [ duration duration value | infinite | end-time ]
no send-lifetime start-time [ duration duration value | infinite | end-time ]
Syntax Description
start-time
Start time, in hh:mm:ss day month year format, in which the key becomes valid. The range is from 0:0:0 to 23:59:59.
The range for the number of days of the month to start is from 1 to 31.
The range for the years is from 1993 to 2035.
duration duration value
(Optional) Determines the lifetime of the key in seconds.
infinite
(Optional) Specifies that the key never expires once it becomes valid.
end-time
(Optional) Time, in hh:mm:ss day month year format, after which the key expires. The range is from 0:0:0 to 23:59:59
Command History
Release
Modification
Release 3.3.0
This command was introduced.
Release 3.6.0
The range values were added for the start-time argument.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
The following example shows how to use the send-lifetime command:
RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# key chain isis-keys RP/0/RP0/CPU0:router(config-isis-keys)# key 8 RP/0/RP0/CPU0:router(config-isis-keys-0x8)# send-lifetime 1:00:00 June 29 2006 infiniteshow key chain
Syntax Description
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
Examples
When a secure key storage becomes available, it is desirable for keychain management to alternatively prompt you for a master password and display the key label after decryption. The following example displays only the encrypted key label for the show key chain command:
RP/0/RP0/CPU0:router# show key chain isis-keys Key-chain: isis-keys/ - accept-tolerance -- infinite Key 8 -- text "8" cryptographic-algorithm -- MD5 Send lifetime: 01:00:00, 29 Jun 2006 - Always valid [Valid now] Accept lifetime: 01:00:00, 29 Jun 2006 - Always valid [Valid now]