Use the following steps to gracefully change the key. Chassis A and chassis B both have transport-encryption configured, where chassis A is active and chassis B is standby.

Procedure

1. On chassis B, change the configuration to add a new keychain entry, entry-y, with a new key:

   entry-x (the old entry):
   For tolerance, use forever (this step can be performed without administratively disabling the entry).

   entry-y:
   For algorithm, use aes-128-gcm-16.
   For begin-time, use t1, chosen far enough in the future to leave enough time to complete step 2 (for example, if the current time is 2019/4/18 10:00 UTC and one hour is needed to complete step 2, use begin-time 2019/4/18 11:00 UTC).

   At this point, both A and B are still configured to use the old key (entry-x) for transport, so A successfully synchronizes states to B.

2. On chassis A, change the configuration to add a new keychain entry, entry-y, with the new key:

   entry-x (the old entry):
   For tolerance, use forever (this step can be performed without shutting down the entry).

   entry-y:
   For algorithm, use aes-128-gcm-16.
   For begin-time, use the same value t1 as in step 1 (begin-time 2019/4/18 11:00 UTC).

3. After t1, both A and B begin to use entry-y. Remove entry-x from both chassis using the configure system security keychain direction bi no entry-x command.
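The following Python model is an added example, not part of the original procedure or the product's own code. It replays the staggered rollover above (entry-y added on B, then on A, cutover at t1) and shows two points the steps rely on: step 2 must finish before t1, and "tolerance forever" on entry-x keeps the old key acceptable on receipt after the cutover. The selection rules (latest started begin-time sends; a superseded entry is accepted for its tolerance) and the begin-time of entry-x are assumptions made for the model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Entry:
    name: str
    algorithm: str
    begin_time: datetime
    tolerance: Optional[timedelta]  # None models "tolerance forever"

def active_entry(chain, now):
    """Send side (assumed rule): the entry with the latest begin-time that has already started."""
    return max((e for e in chain if e.begin_time <= now), key=lambda e: e.begin_time)

def accepts(chain, name, now):
    """Receive side (assumed rule): an entry is accepted while it is the active one, and for
    `tolerance` after a newer entry supersedes it; a None tolerance means it is never rejected."""
    e = {x.name: x for x in chain}.get(name)
    if e is None or e.begin_time > now:
        return False  # unknown key, or its begin-time has not been reached yet
    newer = [x.begin_time for x in chain if e.begin_time < x.begin_time <= now]
    if not newer or e.tolerance is None:
        return True
    return now <= min(newer) + e.tolerance

def sync_ok(chain_a, chain_b, now):
    """A synchronizes state to B only if each side accepts the key the other side sends with."""
    return (accepts(chain_b, active_entry(chain_a, now).name, now)
            and accepts(chain_a, active_entry(chain_b, now).name, now))

UTC = timezone.utc
T0 = datetime(2019, 4, 18, 10, 0, tzinfo=UTC)   # "current time" from the procedure
T1 = datetime(2019, 4, 18, 11, 0, tzinfo=UTC)   # begin-time chosen for entry-y
ENTRY_X = Entry("entry-x", "aes-128-gcm-16", datetime(2019, 1, 1, tzinfo=UTC), None)  # constructed old key
ENTRY_Y = Entry("entry-y", "aes-128-gcm-16", T1, None)

def rollover_timeline():
    """Replay the procedure and report whether A and B stay in sync at each point."""
    results = {}
    a, b = [ENTRY_X], [ENTRY_X, ENTRY_Y]                  # step 1: entry-y exists on B only
    results["after_step1"] = sync_ok(a, b, T0 + timedelta(minutes=10))
    a = [ENTRY_X, ENTRY_Y]                                # step 2: entry-y added on A
    results["after_step2"] = sync_ok(a, b, T0 + timedelta(minutes=30))
    results["after_t1"] = sync_ok(a, b, T1 + timedelta(minutes=5))
    # failure mode: step 2 not finished before t1, so B sends with a key A does not have
    results["step2_late"] = sync_ok([ENTRY_X], b, T1 + timedelta(minutes=5))
    # why "tolerance forever" on entry-x: data still protected by entry-x arriving after t1
    results["old_key_forever"] = accepts(b, "entry-x", T1 + timedelta(minutes=5))
    x_zero = Entry("entry-x", "aes-128-gcm-16", ENTRY_X.begin_time, timedelta(0))
    results["old_key_zero_tolerance"] = accepts([x_zero, ENTRY_Y], "entry-x", T1 + timedelta(minutes=5))
    return results
```

Running `rollover_timeline()` returns True for the three points of the correct procedure and False for the late step 2 and for the zero-tolerance variant of entry-x.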