Keychain Manager Overview

Keychain Manager (KCM) creates and manages authentication keys in ExtremeXOS. In KCM, all keys are grouped into sets called keychains. KCM stores keychains and manages the activation, expiration, and rollover of keys.

When an ExtremeXOS application registers to use a keychain, KCM informs the application of key-related events and provides information about keys the application needs for authentication.

Keys and Keychains

A keychain contains up to 8 keys. Each key has a key identifier, or key ID, that is unique within the keychain, and a secret key string that is used for authentication of protocol packets.

Each key has a cryptographic algorithm, which is used with the key string to calculate the key's hash value. You select an algorithm for each key: either HMAC-SHA-1, HMACSHA-256 (the default), HMAC-SHA-384, or HMAC-SHA-512. All of the algorithms are NIST FIPS 180-4 compliant. Keys in the same keychain can have different algorithms.

Key Lifetimes

An active key is the key currently being used by the applications registered to a keychain. Within a keychain, only one key can be active at a time. When an active key expires, KCM attempts to roll over to a new active key. KCS selects the new active key based on key lifetimes you have defined.

You configure a key's lifetime -- the time period during which it is valid -- by specifying a start time (a date and time, either in UTC or local time) and an end time (the duration, in seconds, from the start time). The maximum lifetime for a key is 180 days. You need to define only one lifetime for each key, because ExtremeXOS uses the same value for a key's send lifetime, used for outgoing communication, and its accept lifetime, used for incoming communication.

There is no default lifetime. As a result, a key cannot become active until you configure its lifetime.

How KCM Manages Keys and Keychains

When an application is registered to use a keychain, and the active key expires, KCM selects a new active key from within the keychain. The new active key is the one with the earliest start time, unless its end time is in the past. If more than one key has the earliest start time, the key with the latest end time is selected. If there is still no clear choice, then the key with the lowest key ID is selected. (If all of the keys' end times are in the past, then no key is selected.)



Time changes, for example moving to daylight saving time, can affect KCM operations. When a time change occurs, active keys are cancelled and KCM attempts to assign new active keys. However, when a time zone is changed on a switch, KCM operation is not affected. Key lifetimes configured in local time are changed to reflect the new time zone.

When an active key expires and when a new key becomes active, KCM notifies the registered applications for that keychain. The notification includes the key string for the new active key.

We recommend that you configure keys in each keychain so that keys roll over at predetermined times. However, you can configure a grace period of up to 600 seconds so that a recently expired key can be accepted for incoming packets by applications that support the feature.

You can delete a key unless it is the active key for a keychain. However, you cannot change a key's key string.

Supported Platforms

All ExtremeSwitching Universal switches.



OSPFv3 is the only application that currently uses Keychain Manager.

Keychain Manager CLI Commands

configure keychain keychain_name accept-tolerance seconds

configure keychain keychain_name add key key_id key-string [text_string active-lifetime local start start_time [end end_time | [duration [seconds | maximum]]] | encrypted encrypted_string]

configure keychain keychain_name key key_id active-lifetime local start start_time [end end_time | [duration [seconds | maximum]]]

configure keychain keychain_name key key_id hash-algorithm algorithm

create keychain keychain_name

delete keychain keychain_name

show keychain keychain_name detail