Security Command Reference: 05-Keychain commands
Keychain commands
accept-lifetime utc
Use accept-lifetime utc to set the receiving lifetime for a key of a keychain in absolute time mode.
Use undo accept-lifetime to restore the default.
Syntax
accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }
undo accept-lifetime
Default
The receiving lifetime is not configured for a key of a keychain.
Views
Key view
Predefined user roles
network-admin
mdc-admin
Parameters
start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59.
start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.
duration duration-value: Specifies the lifetime of the key, in the range of 1 to 2147483646 seconds.
duration infinite: Specifies that the key never expires after it becomes valid.
to: Specifies the end time and date.
end-time: Specifies the end time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59.
end-date: Specifies the end date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.
Usage guidelines
A key becomes a valid accept key when the following requirements are met:
· A key string has been configured.
· An authentication algorithm has been specified.
· The system time is within the specified receiving lifetime.
If an application receives a packet that carries a key ID, and the key is valid, the application uses the key to authenticate the packet. If the key is not valid, packet authentication fails.
If the received packet does not carry a key ID, the application uses all valid keys in the keychain to authenticate the packet. If the packet does not pass any authentication, packet authentication fails.
An application can use multiple valid keys to authenticate packets received from a peer.
Examples
# Set the receiving lifetime for key 1 of the keychain abc in absolute time mode.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] accept-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21
authentication-algorithm
Use authentication-algorithm to specify an authentication algorithm for a key.
Use undo authentication-algorithm to restore the default.
Syntax
authentication-algorithm { hmac-md5 | md5 }
undo authentication-algorithm
Default
No authentication algorithm is specified for a key.
Views
Key view
Predefined user roles
network-admin
mdc-admin
Parameters
hmac-md5: Specifies the HMAC-MD5 authentication algorithm.
md5: Specifies the MD5 authentication algorithm.
Usage guidelines
If an application does not support the authentication algorithm specified for a key, the application cannot use the key for packet authentication.
Examples
# Specify the MD5 authentication algorithm for key 1 of the keychain abc in absolute time mode.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] authentication-algorithm md5
display keychain
Use display keychain to display keychain information.
Syntax
display keychain [ name keychain-name [ key key-id ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
name keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters. If you do not specify a keychain, this command displays information about all keychains.
key key-id: Specifies a key by its ID in the range of 0 to 281474976710655. If you do not specify a key, this command displays information about all keys in a keychain.
Examples
# Display information about all keychains.
<Sysname> display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
MD5 : 3
Default send key ID : None
Active send key ID : 1
Active accept key IDs: 1 2
Key ID : 1
Key string : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g==
Algorithm : md5
Send lifetime : 01:00:00 2015/01/22 to 01:00:00 2015/01/25
Send status : Active
Accept lifetime : 01:00:00 2015/01/22 to 01:00:00 2015/01/27
Accept status : Active
Key ID : 2
Key string : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g==
Algorithm : md5
Send lifetime : 01:00:01 2015/01/25 to 01:00:00 2015/01/27
Send status : Inactive
Accept lifetime : 01:00:00 2015/01/22 to 01:00:00 2015/01/27
Accept status : Active
Table 1 Command output
Field | Description |
---|---|
Mode | Time mode for the keychain. |
Accept tolerance | Tolerance time (in minutes) for accept keys of the keychain. |
TCP kind value | Value for the TCP kind field. The default value is 254. |
TCP algorithm value | ID of the TCP authentication algorithm. The default algorithm ID for HMAC-MD5 is 5 and for MD5 is 3. |
Default send key ID | ID of the default send key. The status for the key is displayed in parentheses. This field is not supported in the current software version. |
Key string | Key string in cipher text. |
Algorithm | Authentication algorithm for the key: hmac-md5 or md5. |
Send lifetime | Sending lifetime for the key. |
Send status | Status of the send key: Active or Inactive. |
Accept lifetime | Receiving lifetime for the key. |
Accept status | Status of the accept key: Active or Inactive. |
key
Use key to create a key for a keychain and enter its view, or enter the view of an existing key.
Use undo key to delete a key and all its configurations for a keychain.
Syntax
key key-id
undo key key-id
Default
No keys exist.
Views
Keychain view
Predefined user roles
network-admin
mdc-admin
Parameters
key-id: Specifies a key ID in the range of 0 to 281474976710655.
Usage guidelines
The keys in a keychain must have different key IDs.
Examples
# Create key 1 and enter its view.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1]
keychain
Use keychain to create a keychain and enter its view, or enter the view of an existing keychain.
Use undo keychain to delete a keychain and all its configurations.
Syntax
keychain keychain-name [ mode absolute ]
undo keychain keychain-name
Default
No keychains exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
keychain-name: Specifies a keychain name, a case-sensitive string of 1 to 63 characters.
mode: Specifies a time mode.
absolute: Specifies the absolute time mode. In this mode, each time point during a key's lifetime is the UTC time and is not affected by the system's time zone or daylight saving time.
Usage guidelines
You must specify the time mode when you create a keychain. You cannot change the time mode for an existing keychain.
The time mode is not required when you enter the view of an existing keychain.
Examples
# Create the keychain abc, specify the absolute time mode for it, and enter keychain view.
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc]
key-string
Use key-string to configure a key string for a key.
Use undo key-string to restore the default.
Syntax
key-string { cipher | plain } string
undo key-string
Default
No key string is configured for a key.
Views
Key view
Predefined user roles
network-admin
mdc-admin
Parameters
cipher: Specifies a key in encrypted form.
plain: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 33 to 373 characters.
Usage guidelines
If the length of a plaintext key exceeds the length limit supported by an application, the application uses the supported length of the key to authenticate packets.
Examples
# Set the key to 123456 in plaintext form for key 1.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] key-string plain 123456
send-lifetime utc
Use send-lifetime utc to set the sending lifetime for a key of a keychain in absolute time mode.
Use undo send-lifetime to restore the default.
Syntax
send-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }
undo send-lifetime
Default
The sending lifetime is not configured for a key of a keychain.
Views
Key view
Predefined user roles
network-admin
mdc-admin
Parameters
start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59.
start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.
duration duration-value: Specifies the lifetime of the key, in the range of 1 to 2147483646 seconds.
duration infinite: Specifies that the key never expires after it becomes valid.
to: Specifies the end time and date.
end-time: Specifies the end time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59.
end-date: Specifies the end date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.
Usage guidelines
A key becomes a valid send key when the following requirements are met:
· A key string has been configured.
· An authentication algorithm has been specified.
· The system time is within the specified sending lifetime.
To make sure only one key in a keychain is used at a time to authenticate packets to a peer, set non-overlapping sending lifetimes for the keys in the keychain.
Examples
# Set the sending lifetime for key 1 of the keychain abc in absolute time mode.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] send-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21
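The accept-key rules in the accept-lifetime utc guidelines and the non-overlapping send-lifetime guideline above can be checked offline. The following Python helper is an added example, not device code or vendor documentation: it parses a constructed sample in the layout of the display keychain output shown earlier (placeholder key strings), applies the three validity requirements, selects the accept keys for a packet with or without a key ID, and flags keys whose sending lifetimes overlap.

```python
from datetime import datetime

FMT = "%H:%M:%S %Y/%m/%d"  # lifetime time format printed by 'display keychain'
# Constructed sample in the layout 'display keychain' prints (placeholder key strings).
SAMPLE = """\
Keychain name        : abc
  Key ID             : 1
    Key string       : $c$3$PLACEHOLDER
    Algorithm        : md5
    Send lifetime    : 01:00:00 2015/01/22 to 01:00:00 2015/01/25
    Accept lifetime  : 01:00:00 2015/01/22 to 01:00:00 2015/01/27
  Key ID             : 2
    Key string       : $c$3$PLACEHOLDER
    Algorithm        : hmac-md5
    Send lifetime    : 01:00:01 2015/01/25 to 01:00:00 2015/01/27
    Accept lifetime  : 01:00:00 2015/01/22 to 01:00:00 2015/01/27
"""

def parse_keys(output):
    """Map key ID -> {'string', 'algorithm', 'send', 'accept'} from display output."""
    keys, cur = {}, None
    for line in output.splitlines():
        field, _, value = (p.strip() for p in line.partition(":"))
        if field == "Key ID":
            cur = keys.setdefault(int(value), {})
        elif cur is not None and field in ("Key string", "Algorithm"):
            cur[field.split()[-1].lower()] = value
        elif cur is not None and field in ("Send lifetime", "Accept lifetime"):
            cur[field.split()[0].lower()] = tuple(
                datetime.strptime(t, FMT) for t in value.split(" to "))
    return keys

def valid_keys(keys, now, role):
    """IDs valid as `role` ('send'/'accept') key at `now` ('HH:MM:SS YYYY/MM/DD', UTC)."""
    t = datetime.strptime(now, FMT)  # key string, algorithm and lifetime must all hold
    return sorted(k for k, v in keys.items()
                  if all(f in v for f in ("string", "algorithm", role))
                  and v[role][0] <= t <= v[role][1])

def select_accept_keys(keys, now, key_id=None):
    """Keys tried on a received packet: the carried key ID if valid, else all valid accept keys."""
    valid = valid_keys(keys, now, "accept")
    return valid if key_id is None else [k for k in valid if k == key_id]

def overlapping_send_lifetimes(keys):
    """Key pairs whose sending lifetimes overlap (two send keys active at once)."""
    ids = [k for k in keys if "send" in keys[k]]
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if keys[a]["send"][0] <= keys[b]["send"][1]
            and keys[b]["send"][0] <= keys[a]["send"][1]]
```

Paste real display keychain output in place of SAMPLE to audit a device's keychain before a key rollover.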