Configuring Keychains; Overview; Configuration Procedure - HP FlexNetwork 10500 Series Security Configuration Manual


Configuring keychains

Overview

A keychain is a sequence of keys that provides dynamic authentication: the key and authentication algorithm in use are changed periodically, without interrupting service. Each key in a keychain has a key string, an authentication algorithm, a sending lifetime, and a receiving lifetime, and these settings can differ from key to key. When the system time falls within the lifetime of a key in the keychain, an application uses that key to authenticate incoming and outgoing packets. The keys take effect one after another in the order of their configured lifetimes, so the authentication algorithms and keys change over time to implement dynamic authentication.

A keychain operates in absolute time mode. In this mode, every time point in a key's lifetime is a UTC time and is not affected by the system's time zone or daylight saving time.

Configuration procedure

Follow these guidelines when you configure a keychain:
• To make sure that only one key in a keychain is used at a time to authenticate packets sent to a peer, set non-overlapping sending lifetimes for the keys in the keychain.
• The keys used by the local device and the peer device must have the same authentication algorithm and key string.
To configure a keychain:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create a keychain and enter keychain view.
    Command: keychain keychain-name [ mode absolute ]
    Remarks: By default, no keychains exist.

Step 3. (Optional.) Set a tolerance time for accept keys in the keychain.
    Command: accept-tolerance { value | infinite }
    Remarks: By default, no tolerance time is configured for accept keys in a keychain.

Step 4. Create a key and enter key view.
    Command: key key-id
    Remarks: By default, no keys exist.

Step 5. Specify an authentication algorithm for the key.
    Command: authentication-algorithm hmac-sha-256
    Remarks: By default, no authentication algorithm is specified for a key.

Step 6. Configure a key string for the key.
    Command: key-string { cipher | plain } string
    Remarks: By default, no key string is configured.

Step 7. Set the sending lifetime in UTC mode for the key.
    Command: send-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }
    Remarks: By default, the sending lifetime is not configured for a key.

Step 8. Set the receiving lifetime in UTC mode for the key.
    Command: accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }
    Remarks: By default, the receiving lifetime is not configured for a key.

Step 9. (Optional.) Specify the key as the default send key.
    Command: default-send-key
    Remarks: By default, no key in a keychain is specified as the default send key.
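The following Python model is an added example and is not taken from the manual or from HP's software. It walks through the procedure above for a two-key keychain: it checks the non-overlapping sending-lifetime guideline, selects the send key and the accepted keys at a given UTC instant, and renders the commands in the syntax listed in the table. The keychain name, key strings and dates are constructed sample values; the hh:mm:ss MM/DD/YYYY time layout, the minute unit for accept-tolerance, the assumption that the tolerance extends a receiving lifetime at both ends, the fallback to the default send key when no sending lifetime is active, and the quit command used to leave a view are all assumptions about the Comware CLI rather than statements from this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Lifetime:
    start: datetime          # UTC: absolute mode ignores time zone and DST
    end: Optional[datetime]  # None models "duration infinite"

    def contains(self, t: datetime, slack: timedelta = timedelta(0)) -> bool:
        """True when t lies in [start - slack, end + slack)."""
        if t < self.start - slack:
            return False
        return self.end is None or t < self.end + slack


@dataclass(frozen=True)
class Key:
    key_id: int
    algorithm: str           # the table lists hmac-sha-256
    key_string: str
    send: Lifetime
    accept: Lifetime


@dataclass
class Keychain:
    name: str
    keys: List[Key] = field(default_factory=list)
    accept_tolerance: Optional[timedelta] = None  # None: not configured
    default_send_key: Optional[int] = None


def overlapping_send_keys(chain: Keychain) -> List[Tuple[int, int]]:
    """Pairs of key ids whose sending lifetimes overlap (the guideline says: none)."""
    def ends_after(end: Optional[datetime], t: datetime) -> bool:
        return end is None or end > t
    keys = sorted(chain.keys, key=lambda k: k.send.start)
    pairs = []
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if ends_after(a.send.end, b.send.start) and ends_after(b.send.end, a.send.start):
                pairs.append((a.key_id, b.key_id))
    return pairs


def active_send_key(chain: Keychain, now: datetime) -> Optional[int]:
    """Key used for outgoing packets at `now`; falls back to the default send key
    when no sending lifetime covers `now` (assumed semantics)."""
    for k in chain.keys:
        if k.send.contains(now):
            return k.key_id
    return chain.default_send_key


def accepted_keys(chain: Keychain, now: datetime) -> List[int]:
    """Keys valid for incoming packets at `now`; accept-tolerance is assumed to
    extend each receiving lifetime at both ends."""
    slack = chain.accept_tolerance or timedelta(0)
    return [k.key_id for k in chain.keys if k.accept.contains(now, slack)]


def _fmt(t: datetime) -> str:
    return t.strftime("%H:%M:%S %m/%d/%Y")  # assumed start-time start-date layout


def _lifetime_cmd(cmd: str, lt: Lifetime) -> str:
    tail = "duration infinite" if lt.end is None else f"to {_fmt(lt.end)}"
    return f"{cmd} utc {_fmt(lt.start)} {tail}"


def render_commands(chain: Keychain) -> List[str]:
    """Configuration lines in the command syntax from the procedure table."""
    lines = ["system-view", f"keychain {chain.name} mode absolute"]
    if chain.accept_tolerance is not None:
        minutes = int(chain.accept_tolerance.total_seconds() // 60)  # unit assumed
        lines.append(f"accept-tolerance {minutes}")
    for k in chain.keys:
        lines += [f"key {k.key_id}",
                  f"authentication-algorithm {k.algorithm}",
                  f"key-string plain {k.key_string}",
                  _lifetime_cmd("send-lifetime", k.send),
                  _lifetime_cmd("accept-lifetime", k.accept)]
        if k.key_id == chain.default_send_key:
            lines.append("default-send-key")
        lines.append("quit")  # assumed: leave key view before the next key
    return lines


# Constructed sample: key 1 sends on day one, key 2 from day two onwards; the
# receiving lifetimes overlap by an hour on each side so peers need not switch
# at exactly the same instant.
T0 = datetime(2024, 1, 1, 0, 0, tzinfo=UTC)
ROLLOVER = datetime(2024, 1, 2, 0, 0, tzinfo=UTC)
SAMPLE = Keychain(
    name="ospf-chain", accept_tolerance=timedelta(minutes=10), default_send_key=2,
    keys=[Key(1, "hmac-sha-256", "k1-secret", Lifetime(T0, ROLLOVER),
              Lifetime(T0, ROLLOVER + timedelta(hours=1))),
          Key(2, "hmac-sha-256", "k2-secret", Lifetime(ROLLOVER, None),
              Lifetime(ROLLOVER - timedelta(hours=1), None))])

if __name__ == "__main__":
    print("overlapping send lifetimes:", overlapping_send_keys(SAMPLE))
    print("\n".join(render_commands(SAMPLE)))
```

Running the block prints an empty overlap list for the sample and the command sequence that Steps 1 to 9 produce; feeding it a keychain whose sending lifetimes overlap reports the offending key pairs, which is the check worth running before a keychain is pushed to both peers.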
