[no] keychain keychain-name
config>system>security
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Commands in this context configure keychain parameters. A keychain must be configured on the system before it can be applied to a session.
The no form of this command removes the keychain nodal context and everything under it from the configuration. If the keychain to be removed is in use when the no keychain command is entered, the command will not be accepted and an error indicating that the keychain is in use will be printed.
keychain-name: Specifies a keychain name, up to 32 characters, which identifies this particular keychain entry.
direction
config>system>security>keychain
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command enables the context in which the TCP stream direction (bi or uni) to which the keychain applies is specified.
bi
config>system>security>keychain>direction
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures keys for both send and receive stream directions.
uni
config>system>security>keychain>direction
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures keys for send or receive stream directions.
receive
config>system>security>keychain>direction>uni
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command enables the receive nodal context. Entries defined under this context are used to authenticate TCP segments that are being received by the router.
send
config>system>security>keychain>direction>uni
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command specifies the send nodal context to sign TCP segments that are being sent by the router to another device.
entry entry-id [key authentication-key | hash-key | hash2-key] [hash | hash2] algorithm algorithm
no entry entry-id
config>system>security>keychain>direction>bi
config>system>security>keychain>direction>uni>receive
config>system>security>keychain>direction>uni>send
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command defines a particular key in the keychain. Entries are defined by an entry-id. A keychain must have valid entries for the TCP Enhanced Authentication mechanism to work.
The no form of this command removes the entry from the keychain. If the entry is the active entry for sending, this will cause a new active key to be selected (if one is available using the youngest key rule). If it is the only possible send key, the system will reject the command with an error indicating that the configured key is the only available send key.
If the key is one of the eligible keys for receiving, it will be removed. If the key is the only possible eligible key, the command will not be accepted, and an error message indicating that this is the only eligible key will be generated.
The no form of this command deletes the entry.
entry-id: Specifies an entry that represents a key configuration to be applied to a keychain.
key: Specifies a key ID which is used along with keychain-name and direction to uniquely identify this particular key entry.
authentication-key: Specifies the authentication key that will be used by the encryption algorithm. The key is used to sign and authenticate a protocol packet. The authentication key can be any combination of letters or numbers.
algorithm: Specifies an enumerated integer that indicates the encryption algorithm to be used by the key defined in the keychain.
hash-key | hash2-key: Specifies the hash key. The key can be any combination of ASCII characters, up to 33 characters for the hash-key and 96 characters for the hash2-key (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (" "). This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.
hash: Specifies that the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.
hash2: Specifies that the key is entered in a more complex encrypted form.
begin-time [date] [hours-minutes] [UTC] [now] [forever]
config>system>security>keychain>direction>bi>entry
config>system>security>keychain>direction>uni>receive>entry
config>system>security>keychain>direction>uni>send>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command specifies the calendar date and time after which the key specified by the keychain authentication key is used to sign and authenticate the protocol stream.
If no date and time is set, the begin-time is represented by a date and time string with all nulls and the key is not valid by default.
date hours-minutes: Specifies the date and time for the key to become active.
UTC: Specifies that the date and time should be in UTC time rather than local time.
now: Specifies that the key should become active immediately.
forever: Specifies that the key should always be active.
end-time [date] [hours-minutes] [UTC] [now] [forever]
config>system>security>keychain>direction>uni>receive>entry
config>system>security>keychain>direction>uni>send>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command specifies the calendar date and time after which the key specified by the authentication key is no longer eligible to sign and/or authenticate the protocol stream.
Default: forever
date: Specifies the calendar date after which the key specified by the authentication key is no longer eligible to sign and/or authenticate the protocol stream, in the YYYY/MM/DD format. When no year is specified, the system assumes the current year.
hours-minutes: Specifies the time after which the key specified by the authentication key is no longer eligible to sign and/or authenticate the protocol stream, in the hh:mm[:ss] format. Seconds are optional and, if not included, are assumed to be 0.
UTC: Indicates that the time is given with reference to Coordinated Universal Time.
now: Specifies a time equal to the current system time.
forever: Specifies a time beyond the current epoch.
tolerance [seconds | forever]
config>system>security>keychain>direction>bi>entry
config>system>security>keychain>direction>uni>receive>entry
config>system>security>keychain>direction>uni>send>entry
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the amount of time that an eligible receive key should overlap with the active send key or to never expire.
seconds: Specifies the duration that an eligible receive key overlaps with the active send key, in seconds.
forever: Specifies that an eligible receive key overlaps with the active send key forever.
tcp-option-number
config>system>security>keychain
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
Commands in this context configure the TCP option number to be placed in the TCP packet header.
receive option-number
config>system>security>keychain>tcp-option-number
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the TCP option number accepted in received TCP packets.
Default: receive 254
option-number: Specifies an enumerated integer that indicates the TCP option number to be used in the TCP header.
send option-number
config>system>security>keychain>tcp-option-number
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command configures the TCP option number placed in TCP packets sent by the router.
Default: send 254
option-number: Specifies an enumerated integer that indicates the TCP option number to be used in the TCP header.
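As an added example (not from this page or the vendor documentation), the following saved-configuration fragment uses the commands above to build a keychain with a staggered key rollover: one send key expires as the next becomes active, and the receive side keeps both keys eligible across the overlap. The keychain name, key strings, dates and the algorithm value hmac-sha-1-96 are assumptions, since this page lists no algorithm values.

```text
# Assumed example keychain; replace names, keys and dates for your deployment.
configure
    system
        security
            keychain "bgp-peers"
                direction
                    uni
                        send
                            # Keys are typed in clear text; the system stores them
                            # in the configuration file in hash form (hash / hash2).
                            entry 1 key "SEND-KEY-1-PLACEHOLDER" algorithm hmac-sha-1-96
                                begin-time 2024/01/01 00:00:00 UTC
                                end-time 2024/06/30 00:00:00 UTC
                            exit
                            # Youngest key: becomes the active send key at its begin-time.
                            entry 2 key "SEND-KEY-2-PLACEHOLDER" algorithm hmac-sha-1-96
                                begin-time 2024/06/30 00:00:00 UTC
                                end-time forever
                            exit
                        exit
                        receive
                            # tolerance 600 lets this receive key overlap the new
                            # active send key for 600 seconds, so a peer that rolls
                            # over slightly later is still authenticated.
                            entry 1 key "SEND-KEY-1-PLACEHOLDER" algorithm hmac-sha-1-96
                                begin-time 2024/01/01 00:00:00 UTC
                                end-time 2024/06/30 00:00:00 UTC
                                tolerance 600
                            exit
                            entry 2 key "SEND-KEY-2-PLACEHOLDER" algorithm hmac-sha-1-96
                                begin-time 2024/06/30 00:00:00 UTC
                                end-time forever
                                tolerance forever
                            exit
                        exit
                    exit
                exit
                # Both peers must agree on the option number (default 254).
                tcp-option-number
                    receive 254
                    send 254
                exit
            exit
        exit
    exit
```

Before removing entry 1 after the rollover, confirm that entry 2 is active for sending and eligible for receiving; the no form of entry is rejected if it would remove the only available send or receive key.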
dst-port [tcp/udp port-number] [mask]
no dst-port
config>sys>sec>cpm>entry>match
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command specifies the TCP/UDP port to match the destination port of the packet. An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet since only the first fragment contains the L4 information.
The no form of this command removes the destination port match criterion.
port-number: Specifies the destination port number to be used as a match criterion, expressed as a decimal integer.
mask: Specifies the 16-bit mask to be applied when matching the destination port.
lockout all
lockout user user-name
admin>clear
Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.
This command clears a lockout for a specific user or for all users.
user-name: Specifies the locked user name, up to 32 characters.
all: Clears lockouts for all users.