Chapter 19
Configuring Keychain Management
This chapter describes how to configure keychain management on a Cisco NX-OS device.
This chapter includes the following sections:
• About Keychain Management, on page 419
• Licensing Requirements for Keychain Management, on page 420
• Prerequisites for Keychain Management, on page 420
• Guidelines and Limitations for Keychain Management, on page 420
• Default Settings for Keychain Management, on page 421
• Configuring Keychain Management, on page 421
• Determining Active Key Lifetimes, on page 428
• Verifying the Keychain Management Configuration, on page 428
• Configuration Example for Keychain Management, on page 429
• Additional References for Keychain Management, on page 429
About Keychain Management
Keychain management allows you to create and maintain keychains, which are sequences of keys (sometimes
called shared secrets). You can use keychains with features that secure communications with other devices
by using key-based authentication. The device allows you to configure multiple keychains.
Some routing protocols that support key-based authentication can use a keychain to implement a hitless key rollover for authentication. For more information, see the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide.
Lifetime of a Key
To maintain stable communications, each device that uses a protocol that is secured by key-based authentication
must be able to store and use more than one key for a feature at the same time. Based on the send and accept
lifetimes of a key, keychain management provides a secure mechanism to handle key rollover. The device
uses the lifetimes of keys to determine which keys in a keychain are active.
Each key in a keychain has two lifetimes, as follows:
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
419
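The send and accept lifetimes described above are what make a key rollover hitless: the old key must still be accepted, and the new key must already be accepted, for as long as the two peers' clocks can disagree. The following Python model is an added example written for this page; it is not code from the guide or from Cisco, and it does not reproduce the NX-OS implementation. The keychains, secrets and timestamps in it are constructed for illustration. Where the model has to choose a key when several send lifetimes overlap, it picks the lowest key ID; that tie-break is an assumption of the model, not a statement about how NX-OS behaves.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed example data: both keychains and every timestamp below are
# illustrative and are not taken from the guide or from any real device.


@dataclass(frozen=True)
class Lifetime:
    """Half-open window [start, end); end=None means the lifetime is infinite."""
    start: datetime
    end: Optional[datetime]

    def contains(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t < self.end)


@dataclass(frozen=True)
class Key:
    key_id: int
    secret: str       # the shared secret carried by the key
    send: Lifetime    # when this device signs outgoing packets with the key
    accept: Lifetime  # when this device accepts packets signed with the key


def accept_keys(chain: List[Key], now: datetime) -> List[Key]:
    """All keys whose accept lifetime covers `now`; several may be active at once."""
    return [k for k in chain if k.accept.contains(now)]


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """The key used to sign at `now`. Model assumption: if several send
    lifetimes overlap, the lowest key ID wins."""
    live = [k for k in chain if k.send.contains(now)]
    return min(live, key=lambda k: k.key_id) if live else None


def auth_ok(sender: List[Key], sender_now: datetime,
            receiver: List[Key], receiver_now: datetime) -> bool:
    """Does a packet signed by `sender` at its local time pass the receiver's check
    at the receiver's (possibly skewed) local time?"""
    k = send_key(sender, sender_now)
    if k is None:
        return False
    return any(r.key_id == k.key_id and r.secret == k.secret
               for r in accept_keys(receiver, receiver_now))


def rollover_gaps(chain: List[Key], max_skew: timedelta,
                  step: timedelta = timedelta(minutes=1)) -> List[Tuple[datetime, timedelta]]:
    """Simulate two peers sharing `chain` whose clocks differ by up to max_skew.
    Returns (sender_time, receiver_offset) pairs around each key retirement at
    which authentication would fail. An empty list means the rollover is hitless."""
    gaps = []
    for boundary in sorted({k.send.end for k in chain if k.send.end is not None}):
        t = boundary - max_skew
        while t <= boundary + max_skew:
            for offset in (-max_skew, max_skew):
                if not auth_ok(chain, t, chain, t + offset):
                    gaps.append((t, offset))
            t += step
    return gaps


T_SWITCH = datetime(2024, 1, 1, 12, 0)   # key 1 stops being sent, key 2 starts
MAX_SKEW = timedelta(minutes=5)          # clock error we want to tolerate between peers
ONE_HOUR = timedelta(hours=1)

# Accept lifetimes overlap the switch time by an hour on each side: hitless.
GOOD_CHAIN = [
    Key(1, "old-secret",
        send=Lifetime(T_SWITCH - 12 * ONE_HOUR, T_SWITCH),
        accept=Lifetime(T_SWITCH - 12 * ONE_HOUR, T_SWITCH + ONE_HOUR)),
    Key(2, "new-secret",
        send=Lifetime(T_SWITCH, None),
        accept=Lifetime(T_SWITCH - ONE_HOUR, None)),
]

# Accept lifetimes meet exactly at the switch time: any clock skew drops packets.
ABRUPT_CHAIN = [
    Key(1, "old-secret",
        send=Lifetime(T_SWITCH - 12 * ONE_HOUR, T_SWITCH),
        accept=Lifetime(T_SWITCH - 12 * ONE_HOUR, T_SWITCH)),
    Key(2, "new-secret",
        send=Lifetime(T_SWITCH, None),
        accept=Lifetime(T_SWITCH, None)),
]

if __name__ == "__main__":
    for name, chain in (("overlapping accept lifetimes", GOOD_CHAIN),
                        ("abrupt accept lifetimes", ABRUPT_CHAIN)):
        gaps = rollover_gaps(chain, MAX_SKEW)
        print(f"{name}: {len(gaps)} failing (sender time, peer offset) pairs")
        for t, off in gaps[:3]:
            accepted = [k.key_id for k in accept_keys(chain, t + off)]
            print(f"  sender at {t:%H:%M} signs with key {send_key(chain, t).key_id}, "
                  f"peer whose clock is {off} away accepts only {accepted}")
```

The two constructed keychains differ only in their accept lifetimes. With GOOD_CHAIN, a peer whose clock is up to five minutes off still finds the sender's key in its accept set on either side of the switch, so no packet is rejected. With ABRUPT_CHAIN the accept windows of key 1 and key 2 touch without overlapping, so a sender still on key 1 at 11:59 is rejected by a peer whose clock already reads 12:00 and later. The practical check when planning a rollover is therefore that each accept lifetime extends past the neighbouring send lifetime by more than the worst clock skew between the peers, which is exactly what the rollover_gaps function tests for.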