11-Security Command Reference

06-Keychain commands

Keychain commands

accept-lifetime

Use accept-lifetime to set the receiving lifetime for a key of a keychain.

Use undo accept-lifetime to restore the default.

Syntax

accept-lifetime daily start-day-time to end-day-time

accept-lifetime date { month-day&<1-31> | start-month-day to end-month-day }

accept-lifetime day { week-day | start-week-day to end-week-day }

accept-lifetime month { month | start-month to end-month }

accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }

undo accept-lifetime

Default

The receiving lifetime is not configured for a key of a keychain.

Views

Key view

Predefined user roles

network-admin

Parameters

daily: Specifies the key to be effective in the specified time range of each day.

start-day-time to end-day-time: Specifies the time range of each day. Both the start time and the end time are in the HH:MM:SS format. The value range for the start-day-time argument and the end-day-time argument is 0:0:0 to 23:59:59. You can omit the SS parameter to set a whole number of minutes, or omit both the SS and MM parameters to set a whole number of hours.

date: Specifies the key to be effective on the specified dates of each month.

month-day&<1-31>: Specifies a space-separated list of up to 31 dates of a month. The value range for the month-day argument is 1 to 31.

start-month-day to end-month-day: Specifies the date range of each month. The end date must be greater than the start date.

day: Specifies the key to be effective on the specified days of each week.

week-day: Specifies a day in a week. Values include mon, tue, wed, thu, fri, sat, and sun. You can specify this argument multiple times with different values.

start-week-day to end-week-day: Specifies the day range of each week. The end day must be greater than the start day.

month: Specifies the key to be effective in the specified months of each year.

month: Specifies a month in a year. Values include jan, feb, mar, apr, may, jun, jul, aug, sep, oct, nov, and dec. You can specify this argument multiple times with different values.

start-month to end-month: Specifies the month range of each year. The end month must be greater than the start month.

utc: Specifies the receiving lifetime in absolute time mode. The key takes effect in the specified time range, for example, from 08:00 2015/9/1 to 18:00 2015/9/3.

start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59. You can omit the SS parameter to set a whole number of minutes, or omit both the SS and MM parameters to set a whole number of hours.

start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.

duration duration-value: Specifies the lifetime of the key, in the range of 1 to 2147483646 seconds.

duration infinite: Specifies that the key never expires after it becomes valid.

to: Specifies the end time and date.

end-time: Specifies the end time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59.

end-date: Specifies the end date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.

Usage guidelines

A key becomes a valid accept key when the following requirements are met:

·     A key string has been configured.

·     An authentication algorithm has been specified.

·     The system time is within the specified receiving lifetime.

If an application receives a packet that carries a key ID, and the key is valid, the application uses the key to authenticate the packet. If the key is not valid, packet authentication fails.

If the received packet does not carry a key ID, the application uses all valid keys in the keychain to authenticate the packet. If the packet does not pass any authentication, packet authentication fails.

An application can use multiple valid keys to authenticate packets received from a peer.

Examples

# Set the receiving lifetime for key 1 of keychain abc in absolute time mode.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] key 1

[Sysname-keychain-abc-key-1] accept-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21

# Set the receiving lifetime for key 1 of keychain 123 in weekly periodic time mode.

<Sysname> system-view

[Sysname] keychain 123 mode periodic weekly

[Sysname-keychain-123] key 1

[Sysname-keychain-123-key-1] accept-lifetime day fri

Related commands

display keychain

accept-tolerance

Use accept-tolerance to set a tolerance time for accept keys in a keychain.

Use undo accept-tolerance to restore the default.

Syntax

accept-tolerance { value | infinite }

undo accept-tolerance

Default

No tolerance time is configured for accept keys in a keychain.

Views

Keychain view

Predefined user roles

network-admin

Parameters

value: Specifies a tolerance time in the range of 1 to 8640000 seconds.

infinite: Specifies that the accept keys never expire.

Usage guidelines

After a tolerance time is configured, the start time and the end time configured in the accept-lifetime utc command are extended for the period of the tolerance time.

If the authentication information is changed, the local and peer devices might hold mismatched information for a period, and the service might be interrupted. Use this command to keep packet authentication continuous across such a change.

Examples

# Set the tolerance time to 100 seconds for accept keys in keychain abc.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] accept-tolerance 100

# Configure the accept keys in keychain abc to never expire.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] accept-tolerance infinite

Related commands

display keychain

authentication-algorithm

Use authentication-algorithm to specify an authentication algorithm for a key.

Use undo authentication-algorithm to restore the default.

Syntax

authentication-algorithm { hmac-md5 | hmac-sha-1 | hmac-sha-256 | hmac-sm3 | md5 | sm3 }

undo authentication-algorithm

Default

No authentication algorithm is specified for a key.

Views

Key view

Predefined user roles

network-admin

Parameters

hmac-md5: Specifies the HMAC-MD5 authentication algorithm.

hmac-sha-1: Specifies the HMAC-SHA-1 authentication algorithm.

hmac-sha-256: Specifies the HMAC-SHA-256 authentication algorithm.

hmac-sm3: Specifies the HMAC-SM3 authentication algorithm.

md5: Specifies the MD5 authentication algorithm.

sm3: Specifies the SM3 authentication algorithm.

Usage guidelines

If an application does not support the authentication algorithm specified for a key, the application cannot use the key for packet authentication.

Examples

# Specify the MD5 authentication algorithm for key 1 of keychain abc in absolute time mode.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] key 1

[Sysname-keychain-abc-key-1] authentication-algorithm md5

Related commands

display keychain

default-send-key

Use default-send-key to specify a key in a keychain as the default send key.

Use undo default-send-key to restore the default.

Syntax

default-send-key

undo default-send-key

Default

No key in a keychain is specified as the default send key.

Views

Key view

Predefined user roles

network-admin

Usage guidelines

When send keys in a keychain are inactive, the default send key can be used for packet authentication.

A keychain can have only one default send key. The default send key must be configured with an authentication algorithm and a key string.

Examples

# Specify key 1 in keychain abc as the default send key.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] key 1

[Sysname-keychain-abc-key-1] default-send-key

Related commands

display keychain

display keychain

Use display keychain to display keychain information.

Syntax

display keychain [ name keychain-name [ key key-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters. If you do not specify a keychain, this command displays information about all keychains.

key key-id: Specifies a key by its ID in the range of 0 to 281474976710655. If you do not specify a key, this command displays information about all keys in a keychain.

Examples

# Display information about all keychains.

<Sysname> display keychain

 

 Keychain name          : abc

   Mode                 : absolute

   Accept tolerance     : 0

   TCP kind value       : 254

   TCP algorithm value

     HMAC-MD5           : 5

     HMAC-SHA-256       : 7

     MD5                : 3

   Default send key ID  : None

   Active send key ID   : 1

   Active accept key IDs: 1 2

 

   Key ID               : 1

     Key string         : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g==

     Algorithm          : md5

     Send lifetime      : 01:00:00 2015/01/22 to 01:00:00 2015/01/25

     Send status        : Active

     Accept lifetime    : 01:00:00 2015/01/22 to 01:00:00 2015/01/27

     Accept status      : Active

 

   Key ID               : 2

     Key string         : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g==

     Algorithm          : md5

     Send lifetime      : 01:00:01 2015/01/25 to 01:00:00 2015/01/27

     Send status        : Inactive

     Accept lifetime    : 01:00:00 2015/01/22 to 01:00:00 2015/01/27

     Accept status      : Active

Table 1 Command output

Field                    Description

Mode                     Time mode for the keychain: Absolute, Periodic daily, Periodic weekly, Periodic monthly, or Periodic yearly.

Accept tolerance         Tolerance time (in seconds) for accept keys of the keychain.

TCP kind value           Value for the TCP kind field. The default value is 254.

TCP algorithm value      ID of the TCP authentication algorithm. The default algorithm ID is 5 for HMAC-MD5, 7 for HMAC-SHA-256, and 3 for MD5.

Default send key ID      ID of the default send key. The status for the key is displayed in parentheses.

Key string               Key string in encrypted form.

Algorithm                Authentication algorithm for the key: hmac-md5, hmac-sha-1, hmac-sha-256, hmac-sm3, md5, or sm3.

Send lifetime            Sending lifetime for the key.

Send status              Status of the send key: Active or Inactive.

Accept lifetime          Receiving lifetime for the key.

Accept status            Status of the accept key: Active or Inactive.
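Added example (not part of the H3C reference): a parser that turns the display keychain output shown above into records, followed by an audit pass over those records of the kind a configuration review would run. The sample text is constructed from the output above; the function names parse_display_keychain and audit, and the audit thresholds, are this example's own choices, not the device's.

```python
from typing import List

# Constructed sample, copied from the display keychain output in this reference.
SAMPLE_OUTPUT = """\
 Keychain name          : abc
   Mode                 : absolute
   Accept tolerance     : 0
   TCP kind value       : 254
   TCP algorithm value
     HMAC-MD5           : 5
     HMAC-SHA-256       : 7
     MD5                : 3
   Default send key ID  : None
   Active send key ID   : 1
   Active accept key IDs: 1 2

   Key ID               : 1
     Key string         : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g==
     Algorithm          : md5
     Send lifetime      : 01:00:00 2015/01/22 to 01:00:00 2015/01/25
     Send status        : Active
     Accept lifetime    : 01:00:00 2015/01/22 to 01:00:00 2015/01/27
     Accept status      : Active

   Key ID               : 2
     Key string         : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g==
     Algorithm          : md5
     Send lifetime      : 01:00:01 2015/01/25 to 01:00:00 2015/01/27
     Send status        : Inactive
     Accept lifetime    : 01:00:00 2015/01/22 to 01:00:00 2015/01/27
     Accept status      : Active
"""


def parse_display_keychain(text: str) -> List[dict]:
    """Return one dict per keychain; each holds its fields, tcp_algorithm_ids and keys."""
    chains, chain, key = [], None, None
    alg_indent = None  # indent of the "TCP algorithm value" header while inside that block
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        name, _, value = raw.partition(":")  # split at the first colon only
        name, value = name.strip(), value.strip()
        if name == "Keychain name":
            chain = {"name": value, "tcp_algorithm_ids": {}, "keys": []}
            chains.append(chain)
            key, alg_indent = None, None
        elif chain is None:
            continue  # prompt or command echo before the first keychain
        elif name == "Key ID":
            key = {"id": int(value)}
            chain["keys"].append(key)
            alg_indent = None
        elif name == "TCP algorithm value":
            alg_indent = indent
        elif alg_indent is not None and indent > alg_indent:
            chain["tcp_algorithm_ids"][name] = int(value)  # e.g. HMAC-MD5 : 5
        else:
            alg_indent = None
            (key if key is not None else chain)[name] = value
    return chains


MD5_BASED = {"md5", "hmac-md5"}


def audit(chains: List[dict], max_tolerance: int = 3600) -> List[str]:
    # Example policy (this example's own, not the vendor's): flag MD5-based keys,
    # an accept tolerance above max_tolerance seconds or non-numeric (infinite), and
    # more than one key active for sending, which suggests overlapping send lifetimes.
    findings = []
    for chain in chains:
        tol = chain.get("Accept tolerance", "0")
        if not tol.isdigit() or int(tol) > max_tolerance:
            findings.append(f"{chain['name']}: accept tolerance {tol} above {max_tolerance}s")
        active_senders = [k["id"] for k in chain["keys"] if k.get("Send status") == "Active"]
        if len(active_senders) > 1:
            findings.append(f"{chain['name']}: several active send keys {active_senders}")
        for key in chain["keys"]:
            if key.get("Algorithm") in MD5_BASED:
                findings.append(f"{chain['name']} key {key['id']}: MD5-based algorithm {key['Algorithm']}")
    return findings
```

Feed the function the raw text captured from the device; lines before the first Keychain name line (the prompt and the echoed command) are skipped, and field values are kept as strings so the lifetimes can be compared against the display output verbatim.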

 

key

Use key to create a key for a keychain and enter its view, or enter the view of an existing key.

Use undo key to delete a key and all its configurations for a keychain.

Syntax

key key-id

undo key key-id

Default

No keys exist.

Views

Keychain view

Predefined user roles

network-admin

Parameters

key-id: Specifies a key ID in the range of 0 to 281474976710655.

Usage guidelines

The keys in a keychain must have different key IDs.

Examples

# Create key 1 and enter its view.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] key 1

[Sysname-keychain-abc-key-1]

Related commands

display keychain

keychain

Use keychain to create a keychain and enter its view, or enter the view of an existing keychain.

Use undo keychain to delete a keychain and all its configurations.

Syntax

keychain keychain-name [ mode { absolute | periodic { daily | monthly | weekly | yearly } } ]

undo keychain keychain-name

Default

No keychains exist.

Views

System view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies a keychain name, a case-sensitive string of 1 to 63 characters.

mode: Specifies a time mode.

absolute: Specifies the absolute time mode. In this mode, each time point during a key's lifetime is the UTC time and is not affected by the system's time zone or daylight saving time.

periodic: Specifies the periodic time mode. In this mode, a key's lifetime is calculated based on the local time and is affected by the system's time zone and daylight saving time.

daily: Specifies the daily periodic time mode.

monthly: Specifies the monthly periodic time mode.

weekly: Specifies the weekly periodic time mode.

yearly: Specifies the yearly periodic time mode.

Usage guidelines

You must specify the time mode when you create a keychain. You cannot change the time mode for an existing keychain.

The time mode is not required when you enter the view of an existing keychain.

Examples

# Create keychain abc, specify the absolute time mode for it, and enter keychain view.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc]

Related commands

display keychain

key-string

Use key-string to configure a key string for a key.

Use undo key-string to restore the default.

Syntax

key-string { cipher | plain } string

undo key-string

Default

No key string is configured for a key.

Views

Key view

Predefined user roles

network-admin

Parameters

cipher: Specifies a key in encrypted form.

plain: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 33 to 373 characters.

Usage guidelines

If the length of a plaintext key exceeds the length limit supported by an application, the application uses the supported length of the key to authenticate packets.

Examples

# Set the key string to 123456 in plaintext form for key 1.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] key 1

[Sysname-keychain-abc-key-1] key-string plain 123456

Related commands

display keychain

send-lifetime

Use send-lifetime to set the sending lifetime for a key of a keychain.

Use undo send-lifetime to restore the default.

Syntax

send-lifetime daily start-day-time to end-day-time

send-lifetime date { month-day&<1-31> | start-month-day to end-month-day }

send-lifetime day { week-day | start-week-day to end-week-day }

send-lifetime month { month | start-month to end-month }

send-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }

undo send-lifetime

Default

The sending lifetime is not configured for a key of a keychain.

Views

Key view

Predefined user roles

network-admin

Parameters

daily: Specifies the key to be effective in the specified time range of each day.

start-day-time to end-day-time: Specifies the time range of each day. Both the start time and the end time are in the HH:MM:SS format. The value range for the start-day-time argument and the end-day-time argument is 0:0:0 to 23:59:59. You can omit the SS parameter to set a whole number of minutes, or omit both the SS and MM parameters to set a whole number of hours.

date: Specifies the key to be effective on the specified dates of each month.

month-day&<1-31>: Specifies a space-separated list of up to 31 dates of a month. The value range for the month-day argument is 1 to 31.

start-month-day to end-month-day: Specifies the date range of each month. The end date must be greater than the start date.

day: Specifies the key to be effective on the specified days of each week.

week-day: Specifies a day in a week. Values include mon, tue, wed, thu, fri, sat, and sun. You can specify this argument multiple times with different values.

start-week-day to end-week-day: Specifies the day range of each week. The end day must be greater than the start day.

month: Specifies the key to be effective in the specified months of each year.

month: Specifies a month in a year. Values include jan, feb, mar, apr, may, jun, jul, aug, sep, oct, nov, and dec. You can specify this argument multiple times with different values.

start-month to end-month: Specifies the month range of each year. The end month must be greater than the start month.

utc: Specifies the sending lifetime in absolute time mode. The key takes effect in the specified time range, for example, from 08:00 2015/9/1 to 18:00 2015/9/3.

start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59. You can omit the SS parameter to set a whole number of minutes, or omit both the SS and MM parameters to set a whole number of hours.

start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.

duration duration-value: Specifies the lifetime of the key, in the range of 1 to 2147483646 seconds.

duration infinite: Specifies that the key never expires after it becomes valid.

to: Specifies the end time and date.

end-time: Specifies the end time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59.

end-date: Specifies the end date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.

Usage guidelines

A key becomes a valid send key when the following requirements are met:

·     A key string has been configured.

·     An authentication algorithm has been specified.

·     The system time is within the specified sending lifetime.

To make sure only one key in a keychain is used at a time to authenticate packets to a peer, set non-overlapping sending lifetimes for the keys in the keychain.
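Added illustration, not the device's own code, of the rules stated in the accept-lifetime, accept-tolerance, default-send-key and send-lifetime guidelines: a key is valid only with a key string, a supported algorithm and the system time inside its lifetime; an accept tolerance extends both ends of a utc accept lifetime; a packet carrying a key ID is checked with that key only while a packet without one is tried against every valid accept key; the default send key is used once every send key is inactive; and send lifetimes should not overlap. The classes Key and Keychain, the helper utc, the treatment of accept-tolerance infinite as skipping the time check, and the sample key strings are assumptions of this example; only HMAC algorithms are modeled because the page does not give the construction of the md5 and sm3 keyed hashes.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical model of the keychain rules; names are this example's, not the device API.
Lifetime = Tuple[datetime, datetime]
ALGORITHMS: Dict[str, Callable[[bytes, bytes], bytes]] = {
    "hmac-md5": lambda k, m: hmac.new(k, m, hashlib.md5).digest(),
    "hmac-sha-256": lambda k, m: hmac.new(k, m, hashlib.sha256).digest(),
}


@dataclass
class Key:
    key_id: int
    key_string: Optional[bytes] = None
    algorithm: Optional[str] = None
    send_lifetime: Optional[Lifetime] = None    # absolute (utc) lifetimes only
    accept_lifetime: Optional[Lifetime] = None
    default_send: bool = False

    def configured(self) -> bool:
        return self.key_string is not None and self.algorithm in ALGORITHMS

    def is_valid_send(self, now: datetime) -> bool:
        if not self.configured() or self.send_lifetime is None:
            return False
        start, end = self.send_lifetime
        return start <= now <= end

    def is_valid_accept(self, now: datetime, tolerance: Optional[int]) -> bool:
        if not self.configured() or self.accept_lifetime is None:
            return False
        if tolerance is None:  # accept-tolerance infinite: modeled as no time check
            return True
        start, end = self.accept_lifetime
        slack = timedelta(seconds=tolerance)  # both ends extended by the tolerance
        return start - slack <= now <= end + slack

    def mac(self, message: bytes) -> bytes:
        return ALGORITHMS[self.algorithm](self.key_string, message)


@dataclass
class Keychain:
    name: str
    accept_tolerance: Optional[int] = 0         # seconds; None models "infinite"
    keys: Dict[int, Key] = field(default_factory=dict)

    def add(self, key: Key) -> None:
        if key.key_id in self.keys:
            raise ValueError("keys in a keychain must have different key IDs")
        self.keys[key.key_id] = key

    def active_send_key(self, now: datetime) -> Optional[Key]:
        for key in self.keys.values():
            if key.is_valid_send(now):
                return key
        # Every send key is inactive: fall back to the default send key, if configured.
        for key in self.keys.values():
            if key.default_send and key.configured():
                return key
        return None

    def sign(self, message: bytes, now: datetime) -> Optional[Tuple[int, bytes]]:
        key = self.active_send_key(now)
        return None if key is None else (key.key_id, key.mac(message))

    def authenticate(self, message: bytes, mac: bytes, key_id: Optional[int], now: datetime) -> bool:
        valid = [k for k in self.keys.values() if k.is_valid_accept(now, self.accept_tolerance)]
        if key_id is not None:  # packet names a key: only that key, and only if it is valid
            valid = [k for k in valid if k.key_id == key_id]
        # Without a key ID every valid accept key is tried and any match passes.
        return any(hmac.compare_digest(k.mac(message), mac) for k in valid)

    def overlapping_send_lifetimes(self) -> List[Tuple[int, int]]:
        # Key pairs whose send lifetimes intersect; the guidelines ask for none.
        timed = [k for k in self.keys.values() if k.send_lifetime is not None]
        pairs = []
        for i, a in enumerate(timed):
            for b in timed[i + 1:]:
                if a.send_lifetime[0] <= b.send_lifetime[1] and b.send_lifetime[0] <= a.send_lifetime[1]:
                    pairs.append((a.key_id, b.key_id))
        return pairs


def utc(y, mo, d, h=0, mi=0, s=0) -> datetime:
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def build_sample_keychain() -> Keychain:
    # Constructed sample: lifetimes from the display keychain output in this reference,
    # hmac-md5 in place of md5, a 100-second tolerance, and key 3 as the default send key.
    chain = Keychain("abc", accept_tolerance=100)
    chain.add(Key(1, b"123456", "hmac-md5", send_lifetime=(utc(2015, 1, 22, 1), utc(2015, 1, 25, 1)),
                  accept_lifetime=(utc(2015, 1, 22, 1), utc(2015, 1, 27, 1))))
    chain.add(Key(2, b"secret-2", "hmac-md5", send_lifetime=(utc(2015, 1, 25, 1, 0, 1), utc(2015, 1, 27, 1)),
                  accept_lifetime=(utc(2015, 1, 22, 1), utc(2015, 1, 27, 1))))
    chain.add(Key(3, b"fallback", "hmac-sha-256", default_send=True))
    return chain
```

With the sample chain, signing at 12:00 on 2015/01/23 selects key 1; a packet that names key 2 fails because key 2's MAC differs, while the same packet without a key ID passes through the try-all path. Sixty seconds after key 2's accept lifetime ends it is still accepted under the 100-second tolerance, and at 120 seconds it is not. On 2015/01/28, with both timed send keys expired, the default send key 3 is returned.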

Examples

# Set the sending lifetime for key 1 of keychain abc in absolute time mode.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] key 1

[Sysname-keychain-abc-key-1] send-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21

# Set the sending lifetime for key 1 of keychain 123 in weekly periodic time mode.

<Sysname> system-view

[Sysname] keychain 123 mode periodic weekly

[Sysname-keychain-123] key 1

[Sysname-keychain-123-key-1] send-lifetime day fri

Related commands

display keychain

tcp-algorithm-id

Use tcp-algorithm-id to set an algorithm ID for a TCP authentication algorithm.

Use undo tcp-algorithm-id to restore the default.

Syntax

tcp-algorithm-id { hmac-md5 | hmac-sha-256 | hmac-sm3 | md5 | sm3 } algorithm-id

undo tcp-algorithm-id { hmac-md5 | hmac-sha-256 | hmac-sm3 | md5 | sm3 }

Default

The algorithm ID is 3 for the MD5 authentication algorithm, 5 for the HMAC-MD5 authentication algorithm, 7 for the HMAC-SHA-256 authentication algorithm, 52 for the HMAC-SM3 authentication algorithm, and 51 for the SM3 authentication algorithm.

Views

Keychain view

Predefined user roles

network-admin

Parameters

hmac-md5: Specifies the HMAC-MD5 authentication algorithm, which provides a key length of 16 bytes.

hmac-sha-256: Specifies the HMAC-SHA-256 authentication algorithm, which provides a key length of 16 bytes.

hmac-sm3: Specifies the HMAC-SM3 authentication algorithm, which provides a key length of 32 bytes.

md5: Specifies the MD5 authentication algorithm, which provides a key length of 16 bytes.

sm3: Specifies the SM3 authentication algorithm, which provides a key length of 32 bytes.

algorithm-id: Specifies an algorithm ID in the range of 1 to 63.

Usage guidelines

If an application uses keychain authentication during TCP connection establishment, the incoming and outgoing TCP packets will carry the TCP Enhanced Authentication Option. The algorithm-id field in the option represents the authentication algorithm ID. The algorithm IDs are not assigned by IANA. They are vendor-specific.

To communicate with a peer device from another vendor, the local device must have the same algorithm ID as the peer device. For example, if the algorithm ID is 3 for the HMAC-MD5 algorithm on the peer device, you must execute the tcp-algorithm-id hmac-md5 3 command on the local device.

Examples

# Create keychain abc and set the algorithm ID to 1 for the HMAC-MD5 authentication algorithm.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] tcp-algorithm-id hmac-md5 1

Related commands

display keychain

tcp-kind

Use tcp-kind to set the kind value in the TCP Enhanced Authentication Option.

Use undo tcp-kind to restore the default.

Syntax

tcp-kind kind-value

undo tcp-kind

Default

The kind value is 254 in the TCP Enhanced Authentication Option.

Views

Keychain view

Predefined user roles

network-admin

Parameters

kind-value: Specifies the kind value in the range of 28 to 255.

Usage guidelines

If an application uses keychain authentication during TCP connection establishment, the incoming and outgoing TCP packets will carry the TCP Enhanced Authentication Option. For a successful packet authentication, the local device and the peer device must have the same kind value setting in the TCP Enhanced Authentication Option.

Examples

# Set the kind value to 252 for keys in keychain abc in absolute time mode.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] tcp-kind 252

Related commands

display keychain