Configuring Keychain Management; About Keychain Management; Lifetime Of A Key - Cisco Nexus 9000 Series Configuration Manual

NX-OS Security Configuration Guide, Release 9.x

Chapter 19: Configuring Keychain Management

This chapter describes how to configure keychain management on a Cisco NX-OS device.
This chapter includes the following sections:

About Keychain Management
Licensing Requirements for Keychain Management
Prerequisites for Keychain Management
Guidelines and Limitations for Keychain Management
Default Settings for Keychain Management
Configuring Keychain Management
Determining Active Key Lifetimes
Verifying the Keychain Management Configuration
Configuration Example for Keychain Management
Where to Go Next
Additional References for Keychain Management

About Keychain Management

Keychain management allows you to create and maintain keychains, which are sequences of keys (sometimes called shared secrets). You can use keychains with features that secure communications with other devices by using key-based authentication. The device allows you to configure multiple keychains.

Some routing protocols that support key-based authentication can use a keychain to implement a hitless key rollover for authentication. For more information, see the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide.

Lifetime of a Key

To maintain stable communications, each device that uses a protocol that is secured by key-based authentication must be able to store and use more than one key for a feature at the same time. Based on the send and accept lifetimes of a key, keychain management provides a secure mechanism to handle key rollover. The device uses the lifetimes of keys to determine which keys in a keychain are active.

Each key in a keychain has two lifetimes, as follows:
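
The following Python code is an added example, not part of the Cisco guide and not NX-OS code. It assumes that a key is used for sending during its send lifetime and accepted from peers during its accept lifetime, and shows how those lifetimes determine the active keys at a given time and whether a rollover leaves a window with no key to send. Key IDs, dates and function names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Key:
    key_id: int
    accept: tuple  # (start, end) of the accept lifetime
    send: tuple    # (start, end) of the send lifetime

def active(keys, now, kind):
    """IDs of keys whose `kind` lifetime ("send" or "accept") contains `now`."""
    return [k.key_id for k in keys
            if getattr(k, kind)[0] <= now <= getattr(k, kind)[1]]

def send_gaps(keys, start, end):
    """Intervals within [start, end] in which no key is active for sending."""
    gaps, cursor = [], start
    for s, e in sorted(k.send for k in keys):
        if s > cursor:
            gaps.append((cursor, min(s, end)))
        cursor = max(cursor, e)
        if cursor >= end:
            break
    if cursor < end:
        gaps.append((cursor, end))
    return gaps

def send_outside_accept(keys):
    """Keys sent at some time when this same keychain would not accept them."""
    return [k.key_id for k in keys
            if k.send[0] < k.accept[0] or k.send[1] > k.accept[1]]

def day(month, dom):
    return datetime(2025, month, dom)  # constructed sample dates

# Constructed keychain: key 1 is accepted a week before it is first sent,
# and key 0 is still accepted for a week after it stops being sent.
KEYCHAIN = [Key(0, accept=(day(1, 1), day(4, 8)), send=(day(1, 1), day(4, 1))),
            Key(1, accept=(day(3, 25), day(7, 8)), send=(day(4, 1), day(7, 1)))]
# Same chain with key 1's send lifetime starting two days late.
BROKEN = [KEYCHAIN[0],
          Key(1, accept=(day(3, 25), day(7, 8)), send=(day(4, 3), day(7, 1)))]

if __name__ == "__main__":
    print("send   on Mar 28:", active(KEYCHAIN, day(3, 28), "send"))
    print("accept on Mar 28:", active(KEYCHAIN, day(3, 28), "accept"))
    print("send gaps (good):  ", send_gaps(KEYCHAIN, day(1, 1), day(7, 1)))
    print("send gaps (broken):", send_gaps(BROKEN, day(1, 1), day(7, 1)))
```

Running the same checks against the lifetimes configured on both peers before a rollover shows whether the accept windows overlap enough for the change to be hitless.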
