Configuring keychain support

A keychain is a sequence of keys. You can configure keychains and use their keys with features that secure communication with other devices through key-based authentication, optionally rotating keys periodically within the chain. A configured keychain can be used with any of the supported routing protocols.

Procedure

  1. Enter global configuration mode.
    device# configure terminal
  2. Enter keychain configuration mode. Up to 128 keychains can be configured. A valid name is 4 through 32 characters long. No special characters are allowed, except for the underscore and hyphen.
    device(config)# keychain keychain1
    device(config-keychain1)#
  3. Configure the acceptance tolerance for the key.
    device(config-keychain1)# accept-tolerance 100
    The range of valid values is from 0 through 600 seconds.
  4. Enter key configuration mode. The range of valid values is from 1 through 65535.
    device(config-keychain1)# key 100
    device(config-key-100)#
    The keychain configurations contain only the default values until modified by other commands.
  5. Set the key-string using the following command.
    device(config-key-100)# key-string Mystring1
    The valid values are 0 and 7. The key-string must be configured before the key can be used.
  6. Configure the acceptance lifetime for the key. You can specify either the end-time or state infinite. You can also choose local or GMT time, a duration, or infinity.
    device(config-key-100)# accept-lifetime local start-time 13:40:40|12/07/2018 end-time 11:40:40|14/07/2018
    The default value for this parameter is 0, which means that the key is not active until the lifetime is configured. By default this command is not set.
  7. Set the hash algorithm for the key.
    device(config-key-100)# key-algorithm ?
    The valid algorithms are HMAC-SHA-1(1), HMAC-SHA-256(2), HMAC-SHA-384(3), and HMAC-SHA-512(4). The default algorithm is HMAC-SHA-256.

Example

The following is an example of configuring a single keychain and key.

device# configure terminal
device(config)# keychain keychain1
device(config-keychain1)# accept-tolerance 500
device(config-keychain1)# key 100
device(config-key-100)# key-string Mystring1
device(config-key-100)# accept-lifetime local start-time 22:57:40|07/04/2018 end-time 23:59:59|12/04/2018
device(config-key-100)# do show running-config keychain keychain1
keychain keychain1
 accept-tolerance 500
 key 1
  key-string $9$XutLBELmbQ765dsLycIP/A== 
  accept-lifetime gmt start-time 23:00:50|07/04/2018 end-time 23:59:59|12/04/2018
  key-algorithm HMAC-SHA-256
 !
device(config-key-100)# exit
device(config)#
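
The following Python check is an added example, not part of the vendor documentation: it parses `show running-config keychain` output of the shape shown above and reports keys that have no accept-lifetime (and so are not active), fall outside their acceptance window, or use HMAC-SHA-1. It assumes dates are DD/MM/YYYY (as the 14/07/2018 value in the procedure implies) and that accept-tolerance widens the window by that many seconds at both ends; the sample configuration and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the running-config output above (key-strings are placeholders).
SAMPLE = """\
keychain keychain1
 accept-tolerance 500
 key 1
  key-string $9$PLACEHOLDER
  accept-lifetime gmt start-time 23:00:50|07/04/2018 end-time 23:59:59|12/04/2018
  key-algorithm HMAC-SHA-256
 !
 key 2
  key-string $9$PLACEHOLDER
  key-algorithm HMAC-SHA-1
 !
"""
FMT = "%H:%M:%S|%d/%m/%Y"  # assumption: day precedes month

def parse_keychain(text):
    """Return {'tolerance': seconds, 'keys': {id: {'algorithm', 'window'}}}."""
    chain, key = {"tolerance": 0, "keys": {}}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "accept-tolerance":
            chain["tolerance"] = int(tok[1])
        elif tok[0] == "key":
            # HMAC-SHA-256 is the documented default when key-algorithm is absent.
            key = chain["keys"].setdefault(
                int(tok[1]), {"algorithm": "HMAC-SHA-256", "window": None})
        elif tok[0] == "key-algorithm" and key is not None:
            key["algorithm"] = tok[1]
        elif tok[0] == "accept-lifetime" and key is not None:
            m = re.search(r"start-time (\S+)(?: end-time (\S+))?", line)
            if m:  # a missing end-time is kept as None (open-ended window)
                key["window"] = [datetime.strptime(g, FMT) if g else None
                                 for g in m.groups()]
    return chain

def audit(chain, now):
    """List (key_id, finding) pairs; 'now' must be in the zone the config uses."""
    tol, findings = timedelta(seconds=chain["tolerance"]), []
    for kid, k in sorted(chain["keys"].items()):
        if k["algorithm"] == "HMAC-SHA-1":  # flagged for policy review
            findings.append((kid, "hmac-sha-1"))
        if k["window"] is None:  # documented default: key is not active
            findings.append((kid, "no-accept-lifetime"))
            continue
        start, end = k["window"]
        if now < start - tol or (end is not None and now > end + tol):
            findings.append((kid, "outside-accept-window"))
    return findings
```

Calling `audit(parse_keychain(SAMPLE), datetime.utcnow())` against a saved configuration shows which keys a peer would no longer be able to authenticate with before a rotation gap causes an adjacency to drop.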