Configuring Keychains; Overview; Configuration Procedure - HPE FlexNetwork 10500 Series Security Configuration Manual


Configuring keychains

Overview

A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication by periodically changing the key and authentication algorithm without service interruption.

Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving lifetime. These settings can be different for the keys. When the system time is within the lifetime of a key in a keychain, an application uses the key to authenticate incoming and outgoing packets. The keys in the keychain take effect one by one according to the sequence of the configured lifetimes. In this way, the authentication algorithms and keys are dynamically changed to implement dynamic authentication.

A keychain operates in absolute time mode. In this mode, each time point during a key's lifetime is the UTC time and is not affected by the system's time zone or daylight saving time.

Configuration procedure

Follow these guidelines when you configure a keychain:

• To make sure only one key in a keychain is used at a time to authenticate packets to a peer, set non-overlapping sending lifetimes for the keys in the keychain.
• The keys used by the local device and the peer device must have the same authentication algorithm and key string.
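
The non-overlap guideline above, together with the UTC lifetimes described in the overview, as an added example (not taken from the HPE manual or from device software): a Python check of a planned key rollover that reports overlapping sending lifetimes and uncovered gaps, and lists the keys valid for sending at a given instant. The key IDs, dates and the half-open treatment of lifetimes are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

def utc(text):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC time point (absolute time mode)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

# Constructed rollover plan: key ID -> (send start, send end), all in UTC.
# Assumption: each lifetime is the half-open interval [start, end).
PLAN = {
    1: (utc("2024-01-01 00:00"), utc("2024-04-01 00:00")),
    2: (utc("2024-03-25 00:00"), utc("2024-07-01 00:00")),  # starts before key 1 ends
    3: (utc("2024-07-02 00:00"), utc("2024-10-01 00:00")),  # starts a day after key 2 ends
}

def audit_send_lifetimes(plan):
    """Return (overlaps, gaps) as lists of (earlier_id, later_id, timedelta)."""
    keys = sorted(plan.items(), key=lambda item: item[1][0])
    overlaps, gaps = [], []
    if not keys:
        return overlaps, gaps
    cover_id, cover_end = keys[0][0], keys[0][1][1]
    for key_id, (start, end) in keys[1:]:
        if start < cover_end:    # two keys valid for sending at once
            overlaps.append((cover_id, key_id, min(end, cover_end) - start))
        elif start > cover_end:  # no key valid for sending in between
            gaps.append((cover_id, key_id, start - cover_end))
        if end > cover_end:      # track the key that covers furthest
            cover_id, cover_end = key_id, end
    return overlaps, gaps

def active_send_keys(plan, when):
    """IDs of keys whose sending lifetime contains `when` (timezone-aware)."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime; lifetimes are UTC")
    return sorted(k for k, (start, end) in plan.items() if start <= when < end)

if __name__ == "__main__":
    overlaps, gaps = audit_send_lifetimes(PLAN)
    for a, b, span in overlaps:
        print(f"overlap: keys {a} and {b} both send for {span}")
    for a, b, span in gaps:
        print(f"gap: no sending key for {span} between keys {a} and {b}")
    # 06:00 at UTC+8 on 1 April is 22:00 UTC on 31 March: keys 1 and 2 both match.
    local = datetime(2024, 4, 1, 6, 0, tzinfo=timezone(timedelta(hours=8)))
    print("active at", local.isoformat(), "->", active_send_keys(PLAN, local))
```

A gap matters as much as an overlap: during it no key is within its sending lifetime, so the plan leaves outgoing packets without a key to authenticate them.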
To configure a keychain:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create a keychain and enter keychain view.
  Command: keychain keychain-name [ mode absolute ]
  Remarks: By default, no keychains exist.

Step 3. (Optional.) Set the kind value in the TCP Enhanced Authentication Option.
  Command: tcp-kind kind-value
  Remarks: By default, the kind value is 254. When the local device uses TCP to communicate with a peer device from another vendor, make sure both devices have the same kind value setting. If they do not have the same value, use this command to modify the kind value on the local device.
