Keychain Manager (KCM) creates and manages authentication keys in ExtremeXOS. In KCM, all keys are grouped into sets called keychains. KCM stores keychains and manages the activation, expiration, and rollover of keys.
When an ExtremeXOS application registers to use a keychain, KCM informs the application of key-related events and provides information about keys the application needs for authentication.
A keychain contains up to 8 keys. Each key has a key identifier, or key ID, that is unique within the keychain, and a secret key string that is used for authentication of protocol packets.
Each key has a cryptographic algorithm, which is used with the key string to calculate the key's hash value. You select an algorithm for each key: either HMAC-SHA-1, HMAC-SHA-256 (the default), HMAC-SHA-384, or HMAC-SHA-512. All of the algorithms are NIST FIPS 180-4 compliant. Keys in the same keychain can have different algorithms.
An active key is the key currently being used by the applications registered to a keychain. Within a keychain, only one key can be active at a time. When an active key expires, KCM attempts to roll over to a new active key. KCM selects the new active key based on the key lifetimes you have defined.
When an application is registered to use a keychain, and the active key expires, KCM selects a new active key from within the keychain.
When an active key expires and when a new key becomes active, KCM notifies the registered applications for that keychain. The notification includes the key string for the new active key.
We recommend that you configure keys in each keychain so that keys roll over at predetermined times. However, you can configure a grace period of up to 600 seconds so that a recently expired key can be accepted for incoming packets by applications that support the feature.
You can delete a key unless it is the active key for a keychain. However, you cannot change a key's key string.
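The key lifecycle described above (one active key per keychain chosen by lifetime, rollover when the active key expires, an accept-tolerance grace period of at most 600 seconds for recently expired keys on incoming packets, the limit of 8 keys, the rule that an active key cannot be deleted, and a per-key HMAC algorithm defaulting to HMAC-SHA-256) modeled as an added Python example. This is not ExtremeXOS or KCM code; the timeline values and key strings are constructed, and the rule that the most recently started key wins when lifetimes overlap is an assumption, since the page only says selection is based on the configured lifetimes.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Algorithms named on the page, mapped to hashlib constructors.
ALGORITHMS = {
    "hmac-sha-1": hashlib.sha1,
    "hmac-sha-256": hashlib.sha256,   # default
    "hmac-sha-384": hashlib.sha384,
    "hmac-sha-512": hashlib.sha512,
}
MAX_KEYS = 8                 # a keychain holds up to 8 keys
MAX_ACCEPT_TOLERANCE = 600   # grace period ceiling in seconds


@dataclass
class Key:
    key_id: int
    key_string: bytes
    start: int                 # lifetime start (seconds on a constructed timeline)
    end: Optional[int] = None  # None models the "maximum" lifetime (never expires)
    algorithm: str = "hmac-sha-256"

    def is_active_at(self, now: int) -> bool:
        # Half-open interval: the key is usable at start, expired at end.
        return self.start <= now and (self.end is None or now < self.end)

    def in_grace_period(self, now: int, tolerance: int) -> bool:
        # A recently expired key is accepted for incoming packets only.
        return self.end is not None and self.end <= now < self.end + tolerance


class Keychain:
    def __init__(self, name: str, accept_tolerance: int = 0) -> None:
        if not 0 <= accept_tolerance <= MAX_ACCEPT_TOLERANCE:
            raise ValueError("accept-tolerance must be 0..600 seconds")
        self.name = name
        self.accept_tolerance = accept_tolerance
        self.keys: Dict[int, Key] = {}

    def add_key(self, key: Key) -> None:
        if len(self.keys) >= MAX_KEYS:
            raise ValueError("keychain already holds 8 keys")
        if key.key_id in self.keys:
            raise ValueError("key ID must be unique within the keychain")
        if key.algorithm not in ALGORITHMS:
            raise ValueError("unsupported hash algorithm")
        self.keys[key.key_id] = key

    def delete_key(self, key_id: int, now: int) -> None:
        active = self.active_key(now)
        if active is not None and active.key_id == key_id:
            raise ValueError("cannot delete the active key")
        del self.keys[key_id]

    def active_key(self, now: int) -> Optional[Key]:
        candidates = [k for k in self.keys.values() if k.is_active_at(now)]
        if not candidates:
            return None
        # Assumption: with overlapping lifetimes the most recently started key wins.
        return max(candidates, key=lambda k: k.start)

    def sign(self, payload: bytes, now: int) -> Tuple[int, bytes]:
        # Outgoing packets always use the currently active key.
        key = self.active_key(now)
        if key is None:
            raise RuntimeError("no active key in keychain")
        digest = hmac.new(key.key_string, payload, ALGORITHMS[key.algorithm]).digest()
        return key.key_id, digest

    def verify(self, key_id: int, payload: bytes, digest: bytes, now: int) -> bool:
        # Incoming packets may carry the active key or one inside the grace period.
        key = self.keys.get(key_id)
        if key is None:
            return False
        if not (key.is_active_at(now) or key.in_grace_period(now, self.accept_tolerance)):
            return False
        expected = hmac.new(key.key_string, payload, ALGORITHMS[key.algorithm]).digest()
        return hmac.compare_digest(expected, digest)


def rollover_events(chain: Keychain, times: List[int]) -> List[Tuple[int, Optional[int]]]:
    """Return (time, active key ID) for each sample time; None means no active key."""
    return [(t, (chain.active_key(t).key_id if chain.active_key(t) else None)) for t in times]


def build_demo_chain() -> Keychain:
    # Constructed example: three keys with back-to-back lifetimes and a 30 s grace period.
    chain = Keychain("ospfv3-kc", accept_tolerance=30)
    chain.add_key(Key(1, b"first-secret", start=0, end=100, algorithm="hmac-sha-1"))
    chain.add_key(Key(2, b"second-secret", start=100, end=200))            # HMAC-SHA-256 default
    chain.add_key(Key(3, b"third-secret", start=200, algorithm="hmac-sha-512"))  # maximum lifetime
    return chain


if __name__ == "__main__":
    kc = build_demo_chain()
    print(rollover_events(kc, [50, 100, 150, 200, 10_000]))
    kid, mac = kc.sign(b"hello", now=90)
    print(kid, kc.verify(kid, b"hello", mac, now=120), kc.verify(kid, b"hello", mac, now=140))
```

The verify path applies the grace period only to incoming packets, mirroring the page's note that an expired key is accepted for incoming packets by applications that support the feature; sign never falls back to an expired key.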
This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, X670-G2, X690, X695, X870, 5420, and 5520 series switches.
Note
Keychain Manager is only supported on the OSPFv3 application and user VR.

create keychain keychain_name
configure keychain keychain_name accept-tolerance seconds
configure keychain keychain_name add key key_id key-string [text_string active-lifetime local start start_time [end end_time | [duration [seconds | maximum]]] | encrypted encrypted_string]
configure keychain keychain_name key key_id active-lifetime local start start_time [end end_time | [duration [seconds | maximum]]]
configure keychain keychain_name key key_id hash-algorithm algorithm
delete keychain keychain_name
show keychain keychain_name detail