Public key infrastructure (PKI) services provide a scalable and trusted method of authentication. UCS Manager supports PKI only for web sessions (HTTPS), to establish secure communication between the client's browser and UCS Manager for management purposes. To know more about UCS Manager communication services, refer to the “Cisco UCS Manager Administration Management Guide”.
The 350-601 DCCOR blueprint includes Keychain Authentication under Compute Security, whereas it should be part of Network Security. We are placing this section here to reflect the blueprint's flow of topics. This section discusses keychain management on NX-OS, not on UCS.
NX-OS Keychain management allows you to create and maintain keychains, which are sequences of keys (sometimes called shared secrets). You can use keychains with features that secure communications with other devices by using key-based authentication. The device allows you to configure multiple keychains.
Some routing protocols that support key-based authentication can use a keychain to implement a hitless key rollover for authentication.
To maintain stable communications, each device that uses a protocol that is secured by key-based authentication must be able to store and use more than one key for a feature at the same time. Based on the send and accept lifetimes of a key, keychain management provides a secure mechanism to handle key rollover. The device uses the lifetimes of keys to determine which keys in a keychain are active. Each key in a keychain has two lifetimes, as follows:
Accept lifetime: The time interval within which the device accepts the key during key exchange with another device.
Send lifetime: The time interval within which the device sends the key during key exchange with another device.
You define the send and accept lifetimes of a key by using the following parameters:
Start-time: The absolute time that the lifetime begins.
End-time: The end time can be defined in one of the following ways:
The absolute time that the lifetime ends
The number of seconds after the start time that the lifetime ends
Infinite lifetime (no end-time)
During a key's send lifetime, the device sends routing update packets authenticated with that key. The device does not accept communication from another device when the key that device sent is outside the accept lifetime configured for it locally.
It is recommended that you configure key lifetimes that overlap within every keychain. This practice avoids failure of neighbor authentication due to the absence of active keys.
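The following is an added example, not code from the book or from NX-OS: a small Python model of the keychain behaviour described above (send and accept lifetimes, the three end-time forms, key rollover, and the overlap check). The keychain names, key strings and timestamps are constructed for illustration. One assumption is made that the text does not state: when several send lifetimes overlap, the model picks the key with the lowest key ID.

```python
"""Model of NX-OS style keychain lifetimes (illustrative; not NX-OS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


def t(day: int, hour: int, minute: int = 0) -> datetime:
    """Constructed timestamps in January 2024, used by the sample keychains."""
    return datetime(2024, 1, day, hour, minute)


@dataclass(frozen=True)
class Lifetime:
    """A send or accept lifetime: a start-time plus one of three end-time forms."""
    start: datetime
    end: Optional[datetime]  # None models an infinite lifetime (no end-time)

    @classmethod
    def until(cls, start: datetime, end: datetime) -> "Lifetime":
        return cls(start, end)  # absolute end-time

    @classmethod
    def duration(cls, start: datetime, seconds: int) -> "Lifetime":
        return cls(start, start + timedelta(seconds=seconds))  # seconds after start

    @classmethod
    def infinite(cls, start: datetime) -> "Lifetime":
        return cls(start, None)

    def contains(self, now: datetime) -> bool:
        return self.start <= now and (self.end is None or now < self.end)


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str  # the shared secret
    accept: Lifetime
    send: Lifetime


class Keychain:
    def __init__(self, name: str, keys: List[Key]) -> None:
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now: datetime) -> Optional[Key]:
        """Key used for outgoing updates. Assumption: lowest key ID wins on overlap."""
        for k in self.keys:
            if k.send.contains(now):
                return k
        return None  # no active send key: outgoing updates cannot be authenticated

    def accepts(self, key_id: int, key_string: str, now: datetime) -> bool:
        """Would a packet signed with (key_id, key_string) be accepted right now?"""
        for k in self.keys:
            if k.key_id == key_id:
                return k.key_string == key_string and k.accept.contains(now)
        return False

    def send_gaps(self, window_start: datetime, window_end: datetime) -> List[Tuple[datetime, datetime]]:
        """Sub-intervals of the window with no active send key (the overlap check)."""
        gaps: List[Tuple[datetime, datetime]] = []
        cursor = window_start
        for lt in sorted((k.send for k in self.keys), key=lambda l: l.start):
            if cursor >= window_end:
                break
            if lt.start > cursor:
                gaps.append((cursor, min(lt.start, window_end)))
            lt_end = window_end if lt.end is None else lt.end
            cursor = max(cursor, lt_end)
        if cursor < window_end:
            gaps.append((cursor, window_end))
        return gaps


def good_chain() -> Keychain:
    """Constructed keychain whose lifetimes overlap across the rollover."""
    return Keychain("constructed-ospf-chain", [
        # Key 1: send for exactly one day; accept one extra hour so a slow peer still authenticates.
        Key(1, "constructed-secret-one",
            accept=Lifetime.until(t(1, 0), t(2, 1)),
            send=Lifetime.duration(t(1, 0), 86400)),
        # Key 2: accepted from 22:00, sent from 23:00, both with no end-time.
        Key(2, "constructed-secret-two",
            accept=Lifetime.infinite(t(1, 22)),
            send=Lifetime.infinite(t(1, 23))),
    ])


def gapped_chain() -> Keychain:
    """Constructed keychain with a six-hour hole: no send key on day 2 from 00:00 to 06:00."""
    return Keychain("constructed-gapped-chain", [
        Key(1, "constructed-secret-one",
            accept=Lifetime.until(t(1, 0), t(2, 0)), send=Lifetime.until(t(1, 0), t(2, 0))),
        Key(2, "constructed-secret-two",
            accept=Lifetime.infinite(t(2, 6)), send=Lifetime.infinite(t(2, 6))),
    ])


if __name__ == "__main__":
    kc = good_chain()
    for when in (t(1, 12), t(1, 23, 30), t(2, 0, 30)):
        print(when, "send key", kc.send_key(when).key_id)
    print("good chain gaps:", kc.send_gaps(t(1, 0), t(3, 0)))
    print("gapped chain gaps:", gapped_chain().send_gaps(t(1, 0), t(3, 0)))
```

Running the module shows key 1 in use until its send lifetime ends, key 2 taking over at rollover, and `send_gaps` reporting an empty list for the overlapping chain but a six-hour hole for the gapped one, during which `send_key` returns `None` and neighbor authentication would fail. The accept lifetimes in the sample are deliberately wider than the send lifetimes, which is this example's own choice, so that a peer whose clock lags slightly is still accepted during the changeover.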