keychain

Syntax: [no] keychain keychain-name
Context: config>system>security
Description: This command enables the context to configure keychain parameters that are used to authenticate protocol communications. A keychain must be configured on the system before it can be applied to a protocol session.
The keychain must include at least one key entry to be valid.
The no form of the command removes the keychain and all commands configured in the keychain context. If the keychain is associated with a protocol when the no keychain command is entered, the command will be rejected and an error indicating that the keychain is in use will be displayed.
Default: n/a
Parameters:
  keychain-name - the keychain name, up to 32 characters
direction

Syntax: direction
Context: config>system>security>keychain
Description: This command specifies the stream direction on which the keys will be applied.
Default: n/a
bi

Syntax: bi
Context: config>system>security>keychain>direction
Description: This command configures keys for both send and receive stream directions.
Default: n/a
entry

Syntax: entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
        no entry entry-id
Context: config>system>security>keychain>direction>bi
         config>system>security>keychain>direction>uni>receive
         config>system>security>keychain>direction>uni>send
Description: This command defines a key in the keychain. A keychain must have at least one key entry to be valid.
The key and algorithm keywords are mandatory when the entry is first created.
The no form of the command removes the entry from the keychain. If the key is the active key for sending, this command will cause a new active key to be selected (if one is available). If the key is the only possible send key, the command will be rejected and an error indicating that the configured key is the only available send key will be displayed. If the key is one of the eligible keys for receiving, it will be removed. If the key is the only eligible key for receiving, the command will be rejected and an error indicating that this is the only eligible key will be displayed.
Default: n/a
Parameters:
  entry-id - the ID of the key entry
  key - the authentication key ID that is used along with keychain-name and direction to uniquely identify this particular key entry
  authentication-key - the authentication key that will be used by the encryption algorithm, up to 20 characters in any combination of letters and numbers. The key is used to sign and authenticate a protocol packet.
  hash-key | hash2-key - the hash key. The key can be any combination of ASCII characters up to 33 for the hash-key and up to 96 for the hash2-key (encrypted). If spaces are used in the string, the entire string must be enclosed in double quotes. This parameter is useful when a user must configure the parameter, but for security purposes, the actual unencrypted key value is not provided.
  hash - specifies that the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
  hash2 - specifies that the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.
  algorithm - the encryption algorithm to be used by the key defined in the keychain
begin-time

Syntax: begin-time date hours-minutes [UTC]
        begin-time {now | forever}
        no begin-time
Context: config>system>security>keychain>direction>bi>entry
         config>system>security>keychain>direction>uni>receive>entry
         config>system>security>keychain>direction>uni>send>entry
Description: This command specifies the calendar date and time after which the key specified by the keychain authentication key entry is used to sign and authenticate the protocol stream.
Each entry within a bidirectional keychain or for a keychain direction (if unidirectional keys are used) must have a unique begin time.
If no date and time is set, the begin-time is represented by a date and time string with all NULLs and the key is not valid.
Default: forever
Parameters:
  date hours-minutes - the date (in YYYY/MM/DD format) and time (in hh:mm[:ss] format) at which the key becomes active
  UTC - specifies that the date and time should be in UTC time rather than local time
  now - specifies that the key should become active immediately (current system time)
  forever - specifies that the key is always inactive
option

Syntax: option {basic | isis-enhanced}
        no option
Context: config>system>security>keychain>direction>bi>entry
Description: This command enables options to be associated with the authentication key for IS-IS. The command is only applicable for IS-IS and will be ignored by other protocols associated with the keychain.
Default: no option
Parameters:
  basic - specifies that IS-IS should use RFC 5304 encoding of the authentication information
  isis-enhanced - specifies that IS-IS should use RFC 5310 encoding of the authentication information
tolerance

Syntax: tolerance {seconds | forever}
        no tolerance
Context: config>system>security>keychain>direction>bi>entry
         config>system>security>keychain>direction>uni>receive>entry
Description: This command configures the amount of time that an eligible receive key overlaps with the currently active key. During that time, packets with either key will be accepted. Tolerance only applies to received packets. Transmitted packets always use the newest key, regardless of the tolerance value.
If a tolerance value is set for a key, the key is returned as part of the key set if the current time is within the key's begin time, plus or minus the tolerance value. For example, if the begin time is 12:00 p.m. and the tolerance is 600 seconds, the new key should be included from 11:55 a.m. and the key to be replaced should be included until 12:05 p.m.
Default: 300
Parameters:
  seconds - specifies the length of time that an eligible receive key overlaps with the active key
  forever - specifies that an eligible receive key will overlap with the active key forever
uni

Syntax: uni
Context: config>system>security>keychain>direction
Description: This command configures keys for send or receive stream directions.
Default: n/a
receive

Syntax: receive
Context: config>system>security>keychain>direction>uni
Description: This command enables the receive context. Entries defined under this context are used to authenticate packets that are received by the router.
Default: n/a
end-time

Syntax: end-time date hours-minutes [UTC]
        end-time {now | forever}
        no end-time
Context: config>system>security>keychain>direction>uni>receive>entry
Description: This command specifies the calendar date and time after which the key specified by the authentication key is no longer eligible to authenticate the protocol stream.
Default: forever
Parameters:
  date hours-minutes - the date (in YYYY/MM/DD format) and time (in hh:mm[:ss] format) after which the key is no longer eligible to sign and authenticate the protocol stream. If no year is specified, the system assumes the current year.
  UTC - specifies that the date and time should be in UTC time rather than local time
  now - specifies that the key should become inactive immediately (current system time)
  forever - specifies that the key is always active
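The entry, begin-time, tolerance and end-time commands above together decide which key signs outgoing packets and which keys are accepted on received packets at any given moment. The following Python model is an added illustration written for this page; it is not SR OS code and does not reproduce the router's implementation. It reproduces the behaviour the text describes: the newest started key always sends, a receive key set widens around each rollover, an end-time bounds receive eligibility, and removing the only usable send or receive key is refused. Two points the page leaves open are treated as labelled assumptions: the tolerance is split evenly on both sides of the begin-time (which is what the page's worked numbers, 600 seconds giving 11:55 to 12:05, imply), and a tolerance of "forever" is modelled as the predecessor key never expiring because of its successor. The keychain name and key entries in the demo are constructed sample values.

```python
"""Model of keychain key selection (added illustration, not SR OS code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class KeyEntry:
    entry_id: int
    begin: datetime                  # begin-time: key starts being used/eligible
    tolerance: Optional[int] = 300   # seconds; None models "forever" (assumption)
    end: Optional[datetime] = None   # end-time (receive only); None means forever


def _half(tolerance: Optional[int]) -> timedelta:
    # Assumption: the tolerance window is centred on the begin-time, so each
    # side gets half of it (600 s -> 5 minutes before and after, as on the page).
    return timedelta(seconds=(tolerance or 0) / 2)


@dataclass
class Keychain:
    name: str
    entries: List[KeyEntry] = field(default_factory=list)

    def add(self, entry: KeyEntry) -> None:
        # Every entry in a direction must have a unique begin-time.
        if any(e.begin == entry.begin for e in self.entries):
            raise ValueError(f"entry {entry.entry_id}: begin-time already in use")
        self.entries.append(entry)

    def _ordered(self) -> List[KeyEntry]:
        return sorted(self.entries, key=lambda e: e.begin)

    def send_key(self, now: datetime) -> Optional[int]:
        # Transmitted packets always use the newest key whose begin-time has passed;
        # tolerance and end-time play no part here.
        started = [e for e in self._ordered() if e.begin <= now]
        return started[-1].entry_id if started else None

    def receive_keys(self, now: datetime) -> List[int]:
        ordered = self._ordered()
        eligible = []
        for i, key in enumerate(ordered):
            # Accepted from slightly before its own begin-time ...
            start = key.begin - _half(key.tolerance)
            # ... until slightly after the successor's begin-time (never, if the
            # successor's tolerance is "forever" or there is no successor) ...
            stop: Optional[datetime] = None
            if i + 1 < len(ordered):
                nxt = ordered[i + 1]
                if nxt.tolerance is not None:
                    stop = nxt.begin + _half(nxt.tolerance)
            # ... and never past its own end-time in the receive direction.
            if key.end is not None:
                stop = key.end if stop is None else min(stop, key.end)
            if start <= now and (stop is None or now <= stop):
                eligible.append(key.entry_id)
        return eligible

    def removal_error(self, entry_id: int, now: datetime) -> Optional[str]:
        # Mirrors the rejection rules of "no entry": refuse to delete the only
        # available send key or the only eligible receive key.
        remaining = [e for e in self.entries if e.entry_id != entry_id]
        trial = Keychain(self.name, remaining)
        if self.send_key(now) == entry_id and trial.send_key(now) is None:
            return "configured key is the only available send key"
        if entry_id in self.receive_keys(now) and not trial.receive_keys(now):
            return "this is the only eligible receive key"
        return None

    def remove(self, entry_id: int, now: datetime) -> None:
        error = self.removal_error(entry_id, now)
        if error:
            raise ValueError(error)
        self.entries = [e for e in self.entries if e.entry_id != entry_id]


def demo() -> Dict[str, object]:
    # Constructed sample: key 1 since midnight, key 2 rolls in at 12:00 with
    # tolerance 600 s, the page's own worked numbers.
    kc = Keychain("bgp-peer-keys")
    kc.add(KeyEntry(1, datetime(2024, 1, 1, 0, 0), tolerance=300))
    kc.add(KeyEntry(2, datetime(2024, 1, 1, 12, 0), tolerance=600))
    t = lambda h, m: datetime(2024, 1, 1, h, m)
    return {
        "send_11_59": kc.send_key(t(11, 59)),
        "send_12_00": kc.send_key(t(12, 0)),
        "recv_11_54": kc.receive_keys(t(11, 54)),
        "recv_11_55": kc.receive_keys(t(11, 55)),
        "recv_12_05": kc.receive_keys(t(12, 5)),
        "recv_12_06": kc.receive_keys(t(12, 6)),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Run it directly to see the rollover: key 1 alone until 11:54, both keys accepted from 11:55 through 12:05, key 2 alone afterwards, while sending switches at exactly 12:00. The `removal_error` check is what makes the `no entry` rejection visible before any state is changed.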
send

Syntax: send
Context: config>system>security>keychain>direction>uni
Description: This command enables the send context. Entries defined under this context are used to sign packets that are being sent by the router to another device.
Default: n/a
tcp-option-number

Syntax: tcp-option-number
Context: config>system>security>keychain
Description: This command enables the context to configure the TCP option number to be placed in the TCP packet header.
receive

Syntax: receive option-number
        no receive
Context: config>system>security>keychain>tcp-option-number
Description: This command configures the TCP option number that will be accepted in the header of received TCP packets.
Default: 254
Parameters:
  option-number - the TCP option number to be used in the TCP header
send

Syntax: send option-number
        no send
Context: config>system>security>keychain>tcp-option-number
Description: This command configures the TCP option number that will be inserted in the header of sent TCP packets.
Default: 254
Parameters:
  option-number - the TCP option number to be used in the TCP header
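The receive and send commands above only choose the option kind number (254 by default) under which the keychain authentication data travels in the TCP header; a receiver that is configured for a different number will not find the data and will treat the segment as unauthenticated. The parser below is an added illustration for this page, not SR OS code: it walks the TCP option area of a constructed segment, honouring the single-byte NOP and End-of-Option-List kinds and rejecting malformed lengths, and then looks up whichever option number the receive side is configured for. The segment bytes, the port numbers and the 4-byte payload placed under option 254 are constructed sample data, and the payload format is not something this page specifies.

```python
"""Locate the keychain TCP option in a segment (added illustration, not SR OS code)."""
import struct
from typing import List, Optional, Tuple

TCP_OPT_EOL = 0   # End of option list, single byte
TCP_OPT_NOP = 1   # No-operation padding, single byte


def tcp_options(segment: bytes) -> List[Tuple[int, bytes]]:
    """Return (kind, data) tuples for every length-carrying option in the segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a minimal TCP header")
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid TCP data offset")
    opts = segment[20:data_offset]
    found: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind without a length byte")
        length = opts[i + 1]
        # Length counts kind and length bytes, so anything below 2 or running
        # past the option area is malformed and must not be trusted.
        if length < 2 or i + length > len(opts):
            raise ValueError(f"malformed TCP option kind {kind}")
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def find_keychain_option(segment: bytes, option_number: int = 254) -> Optional[bytes]:
    """Return the data carried under the configured receive option number, or None."""
    for kind, data in tcp_options(segment):
        if kind == option_number:
            return data
    return None


def build_sample_segment() -> bytes:
    # Constructed sample: BGP-style port 179, data offset 8 (32-byte header),
    # options = MSS(1460), NOP, kind 254 with 4 bytes of sample data, EOL.
    header = struct.pack("!HHIIBBHHH", 179, 12345, 1, 0, 0x80, 0x18, 65535, 0, 0)
    options = bytes([2, 4, 0x05, 0xB4, 1, 254, 6, 0xDE, 0xAD, 0xBE, 0xEF, 0])
    return header + options


if __name__ == "__main__":
    seg = build_sample_segment()
    print(tcp_options(seg))
    print(find_keychain_option(seg, 254))
    print(find_keychain_option(seg, 253))
```

Running the module shows the MSS option and the option-254 data being recovered, and that a receiver configured for option 253 sees nothing, which is exactly the mismatch the receive and send settings must avoid between two peers.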