Access Security Guide K/KA/KB.15.15

13 Key Management System
Configuring key chain management
KMS has three configuration steps:
1. Create a key chain entry.
2. Assign a time-independent key or a set of time-dependent keys to the key chain entry. The choice of key type is based on the level of security required for the protocol to which the key entry will be assigned.
3. Assign the key chain to a KMS-enabled protocol.
This procedure is protocol-dependent. For information on a specific protocol, see the Management and Configuration Guide for your switch.
Creating and deleting key chain entries
To use KMS, you must create one or more key chain entries. An entry can be the pointer to a single time-independent key or to a chain of time-dependent keys.
NOTE: The key chain information is copied to the standby management module (if redundancy is enabled and the standby module has passed self-test).
Syntax:
[no] key-chain chain_name
Generate or delete a key chain entry. Using the optional no form of the command deletes the key chain. The chain_name parameter can include up to 32 characters.
show key-chain
Displays the current key chains on the switch and their overall status.
For example, to generate a new key chain entry:
Figure 309 Adding a new key chain entry
After adding an entry, assign keys to it for use by a KMS-enabled protocol.
Assigning a time-independent key to a chain
A time-independent key has no Accept or Send time constraints. It is valid from boot-up until you change it. If you use a time-independent key, it is the only key needed for a key chain entry.
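The following Python model, added here as an illustration and not code from the switch or this guide, shows how a key chain with time-dependent keys selects the key to send and the keys to accept at a given moment, and why a time-independent key (no Accept or Send window) is the only key a chain needs. The window semantics, the lowest-key_id tie-break, and the sample chains are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

NO_LIMIT = (None, None)  # a window with no start and no end

@dataclass(frozen=True)
class Key:
    # A key with accept == send == NO_LIMIT is time-independent: valid from
    # boot-up until the administrator changes it, with no lifetimes at all.
    key_id: int
    key_string: str
    accept: tuple = NO_LIMIT   # (start, end) of the Accept window
    send: tuple = NO_LIMIT     # (start, end) of the Send window

    @staticmethod
    def _within(window, now):
        start, end = window   # an absent bound is open on that side (assumed)
        return (start is None or start <= now) and (end is None or now < end)

    def can_accept(self, now): return self._within(self.accept, now)
    def can_send(self, now): return self._within(self.send, now)


class KeyChain:
    def __init__(self, name):
        if not 1 <= len(name) <= 32:   # chain_name limit from the syntax above
            raise ValueError("chain_name must be 1 to 32 characters")
        self.name, self.keys = name, {}

    def add_key(self, key):
        self.keys[key.key_id] = key

    def send_key(self, now):
        # Lowest key_id whose Send window covers 'now' (tie-break is an assumption).
        for k in sorted(self.keys.values(), key=lambda k: k.key_id):
            if k.can_send(now):
                return k.key_id
        return None

    def accept_keys(self, now):
        # Every key whose Accept window covers 'now'; the overlap is what lets a
        # rollover complete without dropping peers still sending the old key.
        return sorted(k.key_id for k in self.keys.values() if k.can_accept(now))


# Constructed sample: key 1 stops being sent at T, key 2 starts at T, and key 1
# stays acceptable for one more hour so peers that roll over late are still heard.
T = datetime(2024, 7, 1)
rollover = KeyChain("ospf-area0")
rollover.add_key(Key(1, "old-secret", accept=(None, datetime(2024, 7, 1, 1)), send=(None, T)))
rollover.add_key(Key(2, "new-secret", accept=(T, None), send=(T, None)))
static = KeyChain("static-chain")
static.add_key(Key(1, "only-secret"))   # time-independent: the only key needed
```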
Syntax:
[no] key-chain chain_name key key_id