Configuring a MACsec Keychain and Keys

For more information, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-installation-and-configuration-guides-list.html

Configuring a MACsec Keychain

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrMacsecKeychain": {
          "attributes": {
            "keychainName": "SampleString_123"
}}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <macseckeychain-items>
        <MacsecKeychain-list>
          <keychainName>SampleString_123</keychainName>
        </MacsecKeychain-list>
      </macseckeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

key chain SampleString_123 macsec


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrMacsecKeychain | sys/kcmgr/keychains/macseckeychain-SampleString_123


kcmgrMacsecKeychain Properties

The following table contains information about the kcmgrMacsecKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of macseckeychain | A sequence of characters


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting a MACsec Keychain

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrMacsecKeychain": {
          "attributes": {
            "keychainName": "SampleString_123",
            "status": "deleted"
}}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <macseckeychain-items>
        <MacsecKeychain-list nc:operation="delete">
          <keychainName>SampleString_123</keychainName>
        </MacsecKeychain-list>
      </macseckeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

no key chain SampleString_123 macsec


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrMacsecKeychain | sys/kcmgr/keychains/macseckeychain-SampleString_123


kcmgrMacsecKeychain Properties

The following table contains information about the kcmgrMacsecKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of macseckeychain | A sequence of characters
status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created, 4 - modified, 8 - deleted, 16 - replaced



Configuring a Tunnel-Encryption Keychain

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrTunnelencryptKeychain": {
          "attributes": {
            "keychainName": "SampleString_123"
}}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptkeychain-items>
        <TunnelencryptKeychain-list>
          <keychainName>SampleString_123</keychainName>
        </TunnelencryptKeychain-list>
      </tunnelencryptkeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

key chain SampleString_123 tunnel-encryption


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrTunnelencryptKeychain | sys/kcmgr/keychains/tunnelencryptkeychain-SampleString_123


kcmgrTunnelencryptKeychain Properties

The following table contains information about the kcmgrTunnelencryptKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of tunnelencrypt keychain | A sequence of characters



Deleting a Tunnel-Encryption Keychain

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrTunnelencryptKeychain": {
          "attributes": {
            "keychainName": "SampleString_123",
            "status": "deleted"
}}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptkeychain-items>
        <TunnelencryptKeychain-list nc:operation="delete">
          <keychainName>SampleString_123</keychainName>
        </TunnelencryptKeychain-list>
      </tunnelencryptkeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

no key chain SampleString_123 tunnel-encryption


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrTunnelencryptKeychain | sys/kcmgr/keychains/tunnelencryptkeychain-SampleString_123


kcmgrTunnelencryptKeychain Properties

The following table contains information about the kcmgrTunnelencryptKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of tunnelencrypt keychain | A sequence of characters
status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created, 4 - modified, 8 - deleted, 16 - replaced



Configuring Keychain Management

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrClassicKeychain": {
          "attributes": {
            "keychainName": "SampleString_123"
}}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <classickeychain-items>
        <ClassicKeychain-list>
          <keychainName>SampleString_123</keychainName>
        </ClassicKeychain-list>
      </classickeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

key chain SampleString_123


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrClassicKeychain | sys/kcmgr/keychains/classickeychain-SampleString_123


kcmgrClassicKeychain Properties

The following table contains information about the kcmgrClassicKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of classic keychain | A sequence of characters



Deleting Keychain Management

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrClassicKeychain": {
          "attributes": {
            "keychainName": "SampleString_123",
            "status": "deleted"
}}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <classickeychain-items>
        <ClassicKeychain-list nc:operation="delete">
          <keychainName>SampleString_123</keychainName>
        </ClassicKeychain-list>
      </classickeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

no key chain SampleString_123


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrClassicKeychain | sys/kcmgr/keychains/classickeychain-SampleString_123


kcmgrClassicKeychain Properties

The following table contains information about the kcmgrClassicKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of classic keychain | A sequence of characters
status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created, 4 - modified, 8 - deleted, 16 - replaced



Configuring MACsec Preshared Key as Do Not Show

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrMacsecpsk": {
          "attributes": {
            "pskNoshow": "enabled"
}}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <macsecpsk-items>
        <pskNoshow>enabled</pskNoshow>
      </macsecpsk-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

key-chain macsec-psk no-show


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrMacsecpsk | sys/kcmgr/keychains/macsecpsk


kcmgrMacsecpsk Properties

The following table contains information about the kcmgrMacsecpsk properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
pskNoshow | kcmgr:adminSt (scalar:Enum8) | macsec-psk hide them in show | SELECTION: 0 - disabled, 1 - enabled; DEFAULT: disabled



Deleting MACsec Preshared Key as Do Not Show

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrMacsecpsk": {
          "attributes": {
            "status": "deleted"
}}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <macsecpsk-items nc:operation="delete">
      </macsecpsk-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

no key-chain macsec-psk no-show


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrMacsecpsk | sys/kcmgr/keychains/macsecpsk


kcmgrMacsecpsk Properties

The following table contains information about the kcmgrMacsecpsk properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created, 4 - modified, 8 - deleted, 16 - replaced



Configuring Tunnel-Encryption Preshared Key as Do Not Show

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrTunnelencryptpsk": {
          "attributes": {
            "pskNoshow": "enabled"
}}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptpsk-items>
        <pskNoshow>enabled</pskNoshow>
      </tunnelencryptpsk-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

key-chain tunnelencrypt-psk no-show


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrTunnelencryptpsk | sys/kcmgr/keychains/tunnelencryptpsk


kcmgrTunnelencryptpsk Properties

The following table contains information about the kcmgrTunnelencryptpsk properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
pskNoshow | kcmgr:adminSt (scalar:Enum8) | tunnelencrypt-psk hide them in show | SELECTION: 0 - disabled, 1 - enabled; DEFAULT: disabled
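
The check below is an added example, not part of the Cisco documentation: it audits a GET response for sys/kcmgr/keychains and reports keychain types whose preshared keys are still displayed, either because pskNoshow is disabled or because the PSK object is absent (DEFAULT: disabled), and attaches the POST body that enables it. Class names, DN segments and payload shapes come from this page; the GET response shape (an imdata list carrying child MOs), the sample response and the function names are assumptions.

```python
import json

BASE_DN = "sys/kcmgr/keychains"

# Keychain class -> (DN prefix, class holding pskNoshow, its DN suffix).
# Class names and DN segments are the ones shown in the payloads and MO/DN
# tables on this page; the classic keychain has no pskNoshow object here.
KEYCHAIN_CLASSES = {
    "kcmgrMacsecKeychain": ("macseckeychain-", "kcmgrMacsecpsk", "macsecpsk"),
    "kcmgrTunnelencryptKeychain": (
        "tunnelencryptkeychain-", "kcmgrTunnelencryptpsk", "tunnelencryptpsk"),
    "kcmgrClassicKeychain": ("classickeychain-", None, None),
}


def wrap(cls, attributes):
    """Build the kcmgrKeychains POST body used by the examples on this page."""
    return {"kcmgrKeychains": {"children": [{cls: {"attributes": attributes}}]}}


def keychain_dn(cls, name):
    """DN to GET when verifying that a keychain was created or deleted."""
    return f"{BASE_DN}/{KEYCHAIN_CLASSES[cls][0]}{name}"


def audit_psk_noshow(response):
    """Return one finding per keychain type whose PSKs are not hidden.

    `response` is the parsed body of a GET on sys/kcmgr/keychains with child
    objects included (assumed shape: {"imdata": [{"kcmgrKeychains": {...}}]}).
    """
    children = []
    for item in response.get("imdata", []):
        root = item.get("kcmgrKeychains")
        if root:
            children.extend(root.get("children", []))

    keychains = {}  # keychain class -> list of keychain names
    noshow = {}     # PSK class -> configured pskNoshow value
    for child in children:
        for cls, body in child.items():
            attrs = body.get("attributes", {})
            if cls in KEYCHAIN_CLASSES and attrs.get("keychainName"):
                keychains.setdefault(cls, []).append(attrs["keychainName"])
            elif "pskNoshow" in attrs:
                noshow[cls] = attrs["pskNoshow"]

    findings = []
    for cls, names in keychains.items():
        _, psk_cls, psk_rn = KEYCHAIN_CLASSES[cls]
        if psk_cls is None:
            continue
        # An absent PSK object means the documented default: disabled.
        state = noshow.get(psk_cls, "disabled")
        if state != "enabled":
            findings.append({
                "psk_dn": f"{BASE_DN}/{psk_rn}",
                "state": state,
                "keychain_dns": [keychain_dn(cls, n) for n in names],
                "fix": wrap(psk_cls, {"pskNoshow": "enabled"}),
            })
    return findings


# Constructed sample response (not captured from a device): MACsec PSKs are
# hidden, but the tunnel-encryption keychain has no pskNoshow object at all.
SAMPLE_RESPONSE = {
    "totalCount": "1",
    "imdata": [{"kcmgrKeychains": {
        "attributes": {"dn": BASE_DN},
        "children": [
            {"kcmgrMacsecKeychain": {
                "attributes": {"keychainName": "SampleString_123"}}},
            {"kcmgrMacsecpsk": {"attributes": {"pskNoshow": "enabled"}}},
            {"kcmgrTunnelencryptKeychain": {
                "attributes": {"keychainName": "SampleString_123"},
                "children": [{"kcmgrTunnelencryptKeyId": {
                    "attributes": {"keyId": "123"}}}]}},
        ]}}],
}

if __name__ == "__main__":
    for finding in audit_psk_noshow(SAMPLE_RESPONSE):
        print(finding["psk_dn"], "is", finding["state"])
        print("POST to", f"{BASE_DN}.json:", json.dumps(finding["fix"]))
```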



Deleting Tunnel-Encryption Preshared Key as Do Not Show

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrTunnelencryptpsk": {
          "attributes": {
            "status": "deleted"
}}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptpsk-items nc:operation="delete">
      </tunnelencryptpsk-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

no key-chain tunnelencrypt-psk no-show


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrTunnelencryptpsk | sys/kcmgr/keychains/tunnelencryptpsk


kcmgrTunnelencryptpsk Properties

The following table contains information about the kcmgrTunnelencryptpsk properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created, 4 - modified, 8 - deleted, 16 - replaced



Configuring a Key

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrTunnelencryptKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrTunnelencryptKeyId": {
                "attributes": {
                  "keyId": "123"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptkeychain-items>
        <TunnelencryptKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <tunnelencryptkeyid-items>
            <TunnelencryptKeyId-list>
              <keyId>123</keyId>
            </TunnelencryptKeyId-list>
          </tunnelencryptkeyid-items>
        </TunnelencryptKeychain-list>
      </tunnelencryptkeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

key chain <keychain> tunnel-encryption
  key 123


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrTunnelencryptKeychain | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>
kcmgrTunnelencryptKeyId | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>/tunnelencryptkeyid-123


kcmgrTunnelencryptKeychain Properties

The following table contains information about the kcmgrTunnelencryptKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of tunnelencrypt keychain | A sequence of characters


kcmgrTunnelencryptKeyId Properties

The following table contains information about the kcmgrTunnelencryptKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keyId | kcmgr:keyHexId (string:Basic) | keyId of Tunnel encrypt keychain | A sequence of characters



Configuring a Tunnel-Encryption Key Chain

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrTunnelencryptKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
}}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptkeychain-items>
        <TunnelencryptKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
        </TunnelencryptKeychain-list>
      </tunnelencryptkeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above: the JSON payload is the DME form and the XML payload is the YANG form.

key chain <keychain> tunnel-encryption
  no key 123


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrTunnelencryptKeychain | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>


kcmgrTunnelencryptKeychain Properties

The following table contains information about the kcmgrTunnelencryptKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of tunnelencrypt keychain | A sequence of characters



Configuring HMAC-SHA-256 Authentication Algorithm

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrClassicKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrKey": {
                "attributes": {
                  "cryptoAlgo": "HMAC-SHA-256",
                  "keyId": "1234"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <classickeychain-items>
        <ClassicKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <classickeyid-items>
            <Key-list>
              <keyId>1234</keyId>
              <cryptoAlgo>HMAC-SHA-256</cryptoAlgo>
            </Key-list>
          </classickeyid-items>
        </ClassicKeychain-list>
      </classickeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands below are equivalent to the payload examples shown above. The DME payload is the JSON form; the YANG payload is the XML form.

key chain <keychain>
  key 1234
   cryptographic-algorithm HMAC-SHA-256


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrClassicKeychain | sys/kcmgr/keychains/classickeychain-
kcmgrKey | sys/kcmgr/keychains/classickeychain-/classickeyid-1234


kcmgrClassicKeychain Properties

The following table contains information about the kcmgrClassicKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of classic keychain | A sequence of characters


kcmgrKey Properties

The following table contains information about the kcmgrKey properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
cryptoAlgo | kcmgr:cryptoAlgoClassic (scalar:Enum8) | cryptographic Algorithm used in key | SELECTION: 0 - NONE, 1 - MD5, 2 - HMAC-SHA-1, 3 - HMAC-SHA-256, 4 - HMAC-SHA-384, 5 - HMAC-SHA-512; DEFAULT: NONE
keyId | kcmgr:key (scalar:Uint32) | keyId of classic key chain | RANGE: [0 , 65535]


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting HMAC-SHA-256 Authentication Algorithm

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrClassicKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrKey": {
                "attributes": {
                  "cryptoAlgo": "NONE",
                  "keyId": "1234"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <classickeychain-items>
        <ClassicKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <classickeyid-items>
            <Key-list>
              <keyId>1234</keyId>
              <cryptoAlgo>NONE</cryptoAlgo>
            </Key-list>
          </classickeyid-items>
        </ClassicKeychain-list>
      </classickeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands below are equivalent to the payload examples shown above. The DME payload is the JSON form; the YANG payload is the XML form.

key chain <keychain>
  key 1234
   no cryptographic-algorithm HMAC-SHA-256


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrClassicKeychain | sys/kcmgr/keychains/classickeychain-
kcmgrKey | sys/kcmgr/keychains/classickeychain-/classickeyid-1234


kcmgrClassicKeychain Properties

The following table contains information about the kcmgrClassicKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of classic keychain | A sequence of characters


kcmgrKey Properties

The following table contains information about the kcmgrKey properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
cryptoAlgo | kcmgr:cryptoAlgoClassic (scalar:Enum8) | cryptographic Algorithm used in key | SELECTION: 0 - NONE, 1 - MD5, 2 - HMAC-SHA-1, 3 - HMAC-SHA-256, 4 - HMAC-SHA-384, 5 - HMAC-SHA-512; DEFAULT: NONE
keyId | kcmgr:key (scalar:Uint32) | keyId of classic key chain | RANGE: [0 , 65535]


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring the Timezone for Accept Lifetime of the Key

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrClassicKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrKey": {
                "attributes": {
                  "keyId": "1234"
                },
                "children": [
                  {
                    "kcmgrAcceptlifetime": {
                      "attributes": {
                        "duration": "0",
                        "endDay": "3",
                        "endMonth": "May",
                        "endTime": "3:2:1",
                        "endYear": "2007",
                        "infinite": "disabled",
                        "local": "local",
                        "startDay": "3",
                        "startMonth": "Apr",
                        "startTime": "1:2:3",
                        "startYear": "2006"
}}}]}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <classickeychain-items>
        <ClassicKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <classickeyid-items>
            <Key-list>
              <keyId>1234</keyId>
              <acceptlifetime-items>
                <duration>0</duration>
                <endDay>3</endDay>
                <endMonth>May</endMonth>
                <endTime>3:2:1</endTime>
                <endYear>2007</endYear>
                <infinite>disabled</infinite>
                <local>local</local>
                <startDay>3</startDay>
                <startMonth>Apr</startMonth>
                <startTime>1:2:3</startTime>
                <startYear>2006</startYear>
              </acceptlifetime-items>
            </Key-list>
          </classickeyid-items>
        </ClassicKeychain-list>
      </classickeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands below are equivalent to the payload examples shown above. The DME payload is the JSON form; the YANG payload is the XML form.

key chain <keychain>
  key 1234
   accept-lifetime local 1:2:3 Apr 3 2006 3:2:1 May 3 2007


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrClassicKeychain | sys/kcmgr/keychains/classickeychain-
kcmgrKey | sys/kcmgr/keychains/classickeychain-/classickeyid-1234
kcmgrAcceptlifetime | sys/kcmgr/keychains/classickeychain-/classickeyid-1234/acceptlifetime


kcmgrClassicKeychain Properties

The following table contains information about the kcmgrClassicKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of classic keychain | A sequence of characters


kcmgrKey Properties

The following table contains information about the kcmgrKey properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keyId | kcmgr:key (scalar:Uint32) | keyId of classic key chain | RANGE: [0 , 65535]


kcmgrAcceptlifetime Properties

The following table contains information about the kcmgrAcceptlifetime properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
duration | kcmgr:duration (scalar:Uint32) | duration period of lifetime | RANGE: [0 , 2147483646]
endDay | kcmgr:day (scalar:Uint16) | Ending date of lifetime for the keychain | RANGE: [1 , 31]
endMonth | kcmgr:month (scalar:Enum8) | Ending month of lifetime for the keychain | SELECTION: 0 - Unspecified, 1 - Jan, 2 - Feb, 3 - Mar, 4 - Apr, 5 - May, 6 - Jun, 7 - Jul, 8 - Aug, 9 - Sep, 10 - Oct, 11 - Nov, 12 - Dec; DEFAULT: Unspecified
endTime | kcmgr:timestamp (string:Basic) | HH:MM:SS End Time of lifetime | A sequence of characters
endYear | kcmgr:year (scalar:Uint16) | Ending Year of lifetime for the keychain | RANGE: [1993 , 2035]
infinite | kcmgr:adminSt (scalar:Enum8) | Lifetime has no endtime | SELECTION: 0 - disabled, 1 - enabled; DEFAULT: disabled
local | kcmgr:timeZone (scalar:Enum8) | local timezone notification | SELECTION: 0 - unspecified, 1 - local; DEFAULT: unspecified
startDay | kcmgr:day (scalar:Uint16) | starting Day of Lifetime for the keychain | RANGE: [1 , 31]
startMonth | kcmgr:month (scalar:Enum8) | starting month of Lifetime for the keychain | SELECTION: 0 - Unspecified, 1 - Jan, 2 - Feb, 3 - Mar, 4 - Apr, 5 - May, 6 - Jun, 7 - Jul, 8 - Aug, 9 - Sep, 10 - Oct, 11 - Nov, 12 - Dec; DEFAULT: Unspecified
startTime | kcmgr:timestamp (string:Basic) | HH:MM:SS Start Time of lifetime | A sequence of characters
startYear | kcmgr:year (scalar:Uint16) | starting Year of Lifetime for the keychain | RANGE: [1993 , 2035]
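
The following is an added example, not Cisco's code: it builds the accept-lifetime payload above from two datetimes, rejects values outside the ranges in the property tables before anything is posted, and renders the equivalent CLI lines. The keychain name `SampleChain` is hypothetical, and placing the keychain name after `classickeychain-` in the DN is an assumption taken from the MACsec keychain DN shown at the top of the page.

```python
import json
from datetime import datetime

# Value sets copied from the kcmgrKey / kcmgrAcceptlifetime property tables.
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]   # kcmgr:month 1..12
YEAR_RANGE = (1993, 2035)                              # kcmgr:year
KEY_ID_RANGE = (0, 65535)                              # kcmgr:key


def _check(name, value, bounds):
    lo, hi = bounds
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside [{lo}, {hi}]")


def _clock(dt):
    # The page's payload and CLI both write times unpadded ("1:2:3").
    return f"{dt.hour}:{dt.minute}:{dt.second}"


def _stamp(prefix, dt):
    """Split a datetime into <prefix>Day/Month/Time/Year attributes."""
    _check(f"{prefix}Year", dt.year, YEAR_RANGE)
    return {f"{prefix}Day": str(dt.day),
            f"{prefix}Month": MONTHS[dt.month - 1],
            f"{prefix}Time": _clock(dt),
            f"{prefix}Year": str(dt.year)}


def accept_lifetime_payload(keychain, key_id, start, end, local=True):
    """Return the DME body for a fixed start/end accept lifetime."""
    _check("keyId", key_id, KEY_ID_RANGE)
    if end <= start:
        raise ValueError("accept lifetime must end after it starts")
    attrs = {"duration": "0", "infinite": "disabled",
             "local": "local" if local else "unspecified"}
    attrs.update(_stamp("start", start))
    attrs.update(_stamp("end", end))
    lifetime = {"kcmgrAcceptlifetime": {"attributes": attrs}}
    key = {"kcmgrKey": {"attributes": {"keyId": str(key_id)},
                        "children": [lifetime]}}
    chain = {"kcmgrClassicKeychain": {
        "attributes": {"keychainName": keychain}, "children": [key]}}
    return {"kcmgrKeychains": {"children": [chain]}}


def accept_lifetime_cli(keychain, key_id, start, end, local=True):
    """Return the equivalent CLI lines, indented as on the page."""
    def when(dt):
        return f"{_clock(dt)} {MONTHS[dt.month - 1]} {dt.day} {dt.year}"
    zone = "local " if local else ""
    return [f"key chain {keychain}",
            f"  key {key_id}",
            f"   accept-lifetime {zone}{when(start)} {when(end)}"]


def accept_lifetime_dn(keychain, key_id):
    # Assumption: the keychain name follows "classickeychain-" in the DN,
    # as the name does in the MACsec keychain DN at the top of the page.
    return (f"sys/kcmgr/keychains/classickeychain-{keychain}"
            f"/classickeyid-{key_id}/acceptlifetime")


if __name__ == "__main__":
    # Constructed sample: the page's window with a hypothetical keychain name.
    start = datetime(2006, 4, 3, 1, 2, 3)
    end = datetime(2007, 5, 3, 3, 2, 1)
    body = accept_lifetime_payload("SampleChain", 1234, start, end)
    print(json.dumps(body, indent=2))
    print("\n".join(accept_lifetime_cli("SampleChain", 1234, start, end)))
    print("GET /api/mo/" + accept_lifetime_dn("SampleChain", 1234) + ".json")
```

An end date after 2035 cannot be expressed in `endYear`, so the builder raises instead of sending a value the model would reject.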


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Timezone for Accept Lifetime of the Key

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrClassicKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrKey": {
                "attributes": {
                  "keyId": "1234"
                },
                "children": [
                  {
                    "kcmgrAcceptlifetime": {
                      "attributes": {
                        "status": "deleted"
}}}]}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <classickeychain-items>
        <ClassicKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <classickeyid-items>
            <Key-list>
              <keyId>1234</keyId>
              <acceptlifetime-items nc:operation="delete">
              </acceptlifetime-items>
            </Key-list>
          </classickeyid-items>
        </ClassicKeychain-list>
      </classickeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands below are equivalent to the payload examples shown above. The DME payload is the JSON form; the YANG payload is the XML form.

key chain <keychain>
  key 1234
   no accept-lifetime local 1:2:3 Apr 3 2006 3:2:1 May 3 2007


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrClassicKeychain | sys/kcmgr/keychains/classickeychain-
kcmgrKey | sys/kcmgr/keychains/classickeychain-/classickeyid-1234
kcmgrAcceptlifetime | sys/kcmgr/keychains/classickeychain-/classickeyid-1234/acceptlifetime


kcmgrClassicKeychain Properties

The following table contains information about the kcmgrClassicKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of classic keychain | A sequence of characters


kcmgrKey Properties

The following table contains information about the kcmgrKey properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keyId | kcmgr:key (scalar:Uint32) | keyId of classic key chain | RANGE: [0 , 65535]


kcmgrAcceptlifetime Properties

The following table contains information about the kcmgrAcceptlifetime properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created, 4 - modified, 8 - deleted, 16 - replaced


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring the Timezone for the Send Lifetime of the Key

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrClassicKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrKey": {
                "attributes": {
                  "keyId": "1234"
                },
                "children": [
                  {
                    "kcmgrSendlifetime": {
                      "attributes": {
                        "duration": "1000",
                        "infinite": "disabled",
                        "local": "unspecified",
                        "startDay": "4",
                        "startMonth": "Mar",
                        "startTime": "3:2:1",
                        "startYear": "2004"
}}}]}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <classickeychain-items>
        <ClassicKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <classickeyid-items>
            <Key-list>
              <keyId>1234</keyId>
              <sendlifetime-items>
                <duration>1000</duration>
                <infinite>disabled</infinite>
                <local>unspecified</local>
                <startDay>4</startDay>
                <startMonth>Mar</startMonth>
                <startTime>3:2:1</startTime>
                <startYear>2004</startYear>
              </sendlifetime-items>
            </Key-list>
          </classickeyid-items>
        </ClassicKeychain-list>
      </classickeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands below are equivalent to the payload examples shown above. The DME payload is the JSON form; the YANG payload is the XML form.

key chain <keychain>
  key 1234
   send-lifetime 3:2:1 Mar 4 2004 duration 1000


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrClassicKeychain | sys/kcmgr/keychains/classickeychain-
kcmgrKey | sys/kcmgr/keychains/classickeychain-/classickeyid-1234
kcmgrSendlifetime | sys/kcmgr/keychains/classickeychain-/classickeyid-1234/sendlifetime


kcmgrClassicKeychain Properties

The following table contains information about the kcmgrClassicKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of classic keychain | A sequence of characters


kcmgrKey Properties

The following table contains information about the kcmgrKey properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keyId | kcmgr:key (scalar:Uint32) | keyId of classic key chain | RANGE: [0 , 65535]


kcmgrSendlifetime Properties

The following table contains information about the kcmgrSendlifetime properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
duration | kcmgr:duration (scalar:Uint32) | duration period of lifetime | RANGE: [0 , 2147483646]
infinite | kcmgr:adminSt (scalar:Enum8) | Lifetime has no endtime | SELECTION: 0 - disabled, 1 - enabled; DEFAULT: disabled
local | kcmgr:timeZone (scalar:Enum8) | local timezone notification | SELECTION: 0 - unspecified, 1 - local; DEFAULT: unspecified
startDay | kcmgr:day (scalar:Uint16) | starting Day of Lifetime for the keychain | RANGE: [1 , 31]
startMonth | kcmgr:month (scalar:Enum8) | starting month of Lifetime for the keychain | SELECTION: 0 - Unspecified, 1 - Jan, 2 - Feb, 3 - Mar, 4 - Apr, 5 - May, 6 - Jun, 7 - Jul, 8 - Aug, 9 - Sep, 10 - Oct, 11 - Nov, 12 - Dec; DEFAULT: Unspecified
startTime | kcmgr:timestamp (string:Basic) | HH:MM:SS Start Time of lifetime | A sequence of characters
startYear | kcmgr:year (scalar:Uint16) | starting Year of Lifetime for the keychain | RANGE: [1993 , 2035]
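
The following is an added example, not Cisco's code: it audits a classic-keychain tree against the lifetime Note repeated on this page and against the `cryptoAlgo` values from the kcmgrKey table. The set of algorithms reported as below policy is an assumed local policy, the keychain names and key IDs in the sample are constructed, and the tree is assumed to use the same class/attributes/children nesting as the POST payloads.

```python
# Assumed local policy (not a Cisco rule): cryptoAlgo values to report.
BELOW_POLICY = {"NONE", "MD5", "HMAC-SHA-1"}
LIFETIME_CLASSES = ("kcmgrAcceptlifetime", "kcmgrSendlifetime")


def _children(mo, wanted):
    """Yield (class name, body) for each child MO whose class is wanted."""
    for child in mo.get("children", []):
        for cls, body in child.items():
            if cls in wanted:
                yield cls, body


def audit_keychains(tree):
    """Return findings as (keychain, keyId(s), message) tuples."""
    findings = []
    root = tree["kcmgrKeychains"]
    for _, chain in _children(root, ("kcmgrClassicKeychain",)):
        name = chain["attributes"]["keychainName"]
        unbounded = []                      # keys with no lifetime MO at all
        for _, key in _children(chain, ("kcmgrKey",)):
            attrs = key.get("attributes", {})
            key_id = attrs.get("keyId", "?")
            algo = attrs.get("cryptoAlgo", "NONE")   # table DEFAULT: NONE
            if algo in BELOW_POLICY:
                findings.append(
                    (name, key_id, f"cryptoAlgo {algo} is below policy"))
            lifetimes = list(_children(key, LIFETIME_CLASSES))
            if not lifetimes:
                unbounded.append(key_id)
            for cls, body in lifetimes:
                if body.get("attributes", {}).get("infinite") == "enabled":
                    findings.append((name, key_id, f"{cls} has no end time"))
        # The Note: no more than one key per keychain without a lifetime.
        if len(unbounded) > 1:
            findings.append((name, ",".join(unbounded),
                             "more than one key without a lifetime"))
        elif unbounded:
            findings.append((name, unbounded[0],
                             "key has no lifetime configured"))
    return findings


# Constructed sample; names and key IDs are hypothetical.
SAMPLE_TREE = {"kcmgrKeychains": {"children": [
    {"kcmgrClassicKeychain": {
        "attributes": {"keychainName": "SampleChain"},
        "children": [
            {"kcmgrKey": {
                "attributes": {"keyId": "10", "cryptoAlgo": "HMAC-SHA-256"},
                "children": [
                    {"kcmgrAcceptlifetime": {
                        "attributes": {"infinite": "disabled"}}},
                    {"kcmgrSendlifetime": {
                        "attributes": {"infinite": "disabled"}}}]}},
            {"kcmgrKey": {
                "attributes": {"keyId": "20", "cryptoAlgo": "MD5"}}},
            {"kcmgrKey": {"attributes": {"keyId": "30"}}},
            {"kcmgrKey": {
                "attributes": {"keyId": "40", "cryptoAlgo": "HMAC-SHA-512"},
                "children": [
                    {"kcmgrSendlifetime": {
                        "attributes": {"infinite": "enabled"}}}]}},
        ]}},
    {"kcmgrClassicKeychain": {
        "attributes": {"keychainName": "EdgeChain"},
        "children": [
            {"kcmgrKey": {
                "attributes": {"keyId": "1", "cryptoAlgo": "HMAC-SHA-384"}}},
        ]}},
]}}

if __name__ == "__main__":
    for chain, key_ids, message in audit_keychains(SAMPLE_TREE):
        print(f"{chain} key {key_ids}: {message}")
```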


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Timezone for the Send Lifetime of the Key

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrClassicKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrKey": {
                "attributes": {
                  "keyId": "1234"
                },
                "children": [
                  {
                    "kcmgrSendlifetime": {
                      "attributes": {
                        "status": "deleted"
}}}]}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <classickeychain-items>
        <ClassicKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <classickeyid-items>
            <Key-list>
              <keyId>1234</keyId>
              <sendlifetime-items nc:operation="delete">
              </sendlifetime-items>
            </Key-list>
          </classickeyid-items>
        </ClassicKeychain-list>
      </classickeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands below are equivalent to the payload examples shown above. The DME payload is the JSON form; the YANG payload is the XML form.

key chain <keychain>
  key 1234
   no send-lifetime 3:2:1 Mar 4 2004 duration 1000


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrClassicKeychain | sys/kcmgr/keychains/classickeychain-
kcmgrKey | sys/kcmgr/keychains/classickeychain-/classickeyid-1234
kcmgrSendlifetime | sys/kcmgr/keychains/classickeychain-/classickeyid-1234/sendlifetime


kcmgrClassicKeychain Properties

The following table contains information about the kcmgrClassicKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of classic keychain | A sequence of characters


kcmgrKey Properties

The following table contains information about the kcmgrKey properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keyId | kcmgr:key (scalar:Uint32) | keyId of classic key chain | RANGE: [0 , 65535]


kcmgrSendlifetime Properties

The following table contains information about the kcmgrSendlifetime properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created, 4 - modified, 8 - deleted, 16 - replaced


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a Key

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrMacsecKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrMacsecKeyId": {
                "attributes": {
                  "keyId": "123"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <macseckeychain-items>
        <MacsecKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <macseckeyid-items>
            <MacsecKeyId-list>
              <keyId>123</keyId>
            </MacsecKeyId-list>
          </macseckeyid-items>
        </MacsecKeychain-list>
      </macseckeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands below are equivalent to the payload examples shown above. The DME payload is the JSON form; the YANG payload is the XML form.

key chain <keychain> macsec
  key 123


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrMacsecKeychain | sys/kcmgr/keychains/macseckeychain-
kcmgrMacsecKeyId | sys/kcmgr/keychains/macseckeychain-/macseckeyid-123


kcmgrMacsecKeychain Properties

The following table contains information about the kcmgrMacsecKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of macseckeychain | A sequence of characters


kcmgrMacsecKeyId Properties

The following table contains information about the kcmgrMacsecKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keyId | kcmgr:keyHexId (string:Basic) | keyId of macseckeychain | A sequence of characters


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting a Key

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrMacsecKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrMacsecKeyId": {
                "attributes": {
                  "keyId": "123",
                  "status": "deleted"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <macseckeychain-items>
        <MacsecKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <macseckeyid-items>
            <MacsecKeyId-list nc:operation="delete">
              <keyId>123</keyId>
            </MacsecKeyId-list>
          </macseckeyid-items>
        </MacsecKeychain-list>
      </macseckeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expires, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above. The JSON payload is the DME form, and the XML payload is the YANG form.

key chain <keychain> macsec
  no key 123


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

| MO | DN |
| --- | --- |
| kcmgrKeychains | sys/kcmgr/keychains |
| kcmgrMacsecKeychain | sys/kcmgr/keychains/macseckeychain- |
| kcmgrMacsecKeyId | sys/kcmgr/keychains/macseckeychain-/macseckeyid-123 |


kcmgrMacsecKeychain Properties

The following table contains information about the kcmgrMacsecKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| keychainName | kcmgr:name (string:Basic) | Keychain name of macseckeychain | A sequence of characters |


kcmgrMacsecKeyId Properties

The following table contains information about the kcmgrMacsecKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| keyId | kcmgr:keyHexId (string:Basic) | keyId of macseckeychain | A sequence of characters |
| status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created; 4 - modified; 8 - deleted; 16 - replaced |


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring the Timezone for the Send Lifetime

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrMacsecKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrMacsecKeyId": {
                "attributes": {
                  "keyId": "123"
                },
                "children": [
                  {
                    "kcmgrMacsecSendlifetime": {
                      "attributes": {
                        "duration": "0",
                        "infinite": "enabled",
                        "local": "local",
                        "startDay": "3",
                        "startMonth": "Feb",
                        "startTime": "1:2:3",
                        "startYear": "2003"
}}}]}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <macseckeychain-items>
        <MacsecKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <macseckeyid-items>
            <MacsecKeyId-list>
              <keyId>123</keyId>
              <macsecsendlifetime-items>
                <duration>0</duration>
                <infinite>enabled</infinite>
                <local>local</local>
                <startDay>3</startDay>
                <startMonth>Feb</startMonth>
                <startTime>1:2:3</startTime>
                <startYear>2003</startYear>
              </macsecsendlifetime-items>
            </MacsecKeyId-list>
          </macseckeyid-items>
        </MacsecKeychain-list>
      </macseckeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above. The JSON payload is the DME form, and the XML payload is the YANG form.

key chain <keychain> macsec
  key 123
   send-lifetime local 1:2:3 Feb 3 2003 infinite


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

| MO | DN |
| --- | --- |
| kcmgrKeychains | sys/kcmgr/keychains |
| kcmgrMacsecKeychain | sys/kcmgr/keychains/macseckeychain- |
| kcmgrMacsecKeyId | sys/kcmgr/keychains/macseckeychain-/macseckeyid-123 |
| kcmgrMacsecSendlifetime | sys/kcmgr/keychains/macseckeychain-/macseckeyid-123/macsecsendlifetime |


kcmgrMacsecKeychain Properties

The following table contains information about the kcmgrMacsecKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| keychainName | kcmgr:name (string:Basic) | Keychain name of macseckeychain | A sequence of characters |


kcmgrMacsecKeyId Properties

The following table contains information about the kcmgrMacsecKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| keyId | kcmgr:keyHexId (string:Basic) | keyId of macseckeychain | A sequence of characters |


kcmgrMacsecSendlifetime Properties

The following table contains information about the kcmgrMacsecSendlifetime properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| duration | kcmgr:duration (scalar:Uint32) | duration period of lifetime | RANGE: [0 , 2147483646] |
| infinite | kcmgr:adminSt (scalar:Enum8) | Lifetime has no endtime | SELECTION: 0 - disabled; 1 - enabled. DEFAULT: disabled |
| local | kcmgr:timeZone (scalar:Enum8) | local timezone notification | SELECTION: 0 - unspecified; 1 - local. DEFAULT: unspecified |
| startDay | kcmgr:day (scalar:Uint16) | starting Day of Lifetime for the keychain | RANGE: [1 , 31] |
| startMonth | kcmgr:month (scalar:Enum8) | starting month of Lifetime for the keychain | SELECTION: 0 - Unspecified; 1 - Jan; 2 - Feb; 3 - Mar; 4 - Apr; 5 - May; 6 - Jun; 7 - Jul; 8 - Aug; 9 - Sep; 10 - Oct; 11 - Nov; 12 - Dec. DEFAULT: Unspecified |
| startTime | kcmgr:timestamp (string:Basic) | HH:MM:SS Start Time of lifetime | A sequence of characters |
| startYear | kcmgr:year (scalar:Uint16) | starting Year of Lifetime for the keychain | RANGE: [1993 , 2035] |


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Timezone for the Send Lifetime

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrMacsecKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrMacsecKeyId": {
                "attributes": {
                  "keyId": "123"
                },
                "children": [
                  {
                    "kcmgrMacsecSendlifetime": {
                      "attributes": {
                        "status": "deleted"
}}}]}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <macseckeychain-items>
        <MacsecKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <macseckeyid-items>
            <MacsecKeyId-list>
              <keyId>123</keyId>
              <macsecsendlifetime-items nc:operation="delete">
              </macsecsendlifetime-items>
            </MacsecKeyId-list>
          </macseckeyid-items>
        </MacsecKeychain-list>
      </macseckeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above. The JSON payload is the DME form, and the XML payload is the YANG form.

key chain <keychain> macsec
  key 123
   no send-lifetime local 1:2:3 Feb 3 2003 infinite


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

| MO | DN |
| --- | --- |
| kcmgrKeychains | sys/kcmgr/keychains |
| kcmgrMacsecKeychain | sys/kcmgr/keychains/macseckeychain- |
| kcmgrMacsecKeyId | sys/kcmgr/keychains/macseckeychain-/macseckeyid-123 |
| kcmgrMacsecSendlifetime | sys/kcmgr/keychains/macseckeychain-/macseckeyid-123/macsecsendlifetime |


kcmgrMacsecKeychain Properties

The following table contains information about the kcmgrMacsecKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| keychainName | kcmgr:name (string:Basic) | Keychain name of macseckeychain | A sequence of characters |


kcmgrMacsecKeyId Properties

The following table contains information about the kcmgrMacsecKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| keyId | kcmgr:keyHexId (string:Basic) | keyId of macseckeychain | A sequence of characters |


kcmgrMacsecSendlifetime Properties

The following table contains information about the kcmgrMacsecSendlifetime properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created; 4 - modified; 8 - deleted; 16 - replaced |


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring the Cryptographic-Algorithm AES-256-CMAC

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrMacsecKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrMacsecKeyId": {
                "attributes": {
                  "cryptographicAlgo": "GCM-AES-256",
                  "encryptType": "unencrypted",
                  "keyHexString": "abcdefabcdef01234567891234567890abcdefabcdef01234567891234567890",
                  "keyId": "234"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <macseckeychain-items>
        <MacsecKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <macseckeyid-items>
            <MacsecKeyId-list>
              <keyId>234</keyId>
              <cryptographicAlgo>GCM-AES-256</cryptographicAlgo>
              <encryptType>unencrypted</encryptType>
              <keyHexString>abcdefabcdef01234567891234567890abcdefabcdef01234567891234567890</keyHexString>
            </MacsecKeyId-list>
          </macseckeyid-items>
        </MacsecKeychain-list>
      </macseckeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above. The JSON payload is the DME form, and the XML payload is the YANG form.

key chain <keychain> macsec
  key 234
   key-octet-string 0 abcdefabcdef01234567891234567890abcdefabcdef01234567891234567890 cryptographic-algorithm AES_256_CMAC


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

| MO | DN |
| --- | --- |
| kcmgrKeychains | sys/kcmgr/keychains |
| kcmgrMacsecKeychain | sys/kcmgr/keychains/macseckeychain- |
| kcmgrMacsecKeyId | sys/kcmgr/keychains/macseckeychain-/macseckeyid-234 |


kcmgrMacsecKeychain Properties

The following table contains information about the kcmgrMacsecKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| keychainName | kcmgr:name (string:Basic) | Keychain name of macseckeychain | A sequence of characters |


kcmgrMacsecKeyId Properties

The following table contains information about the kcmgrMacsecKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| cryptographicAlgo | kcmgr:cryptographicAlgoAes (scalar:Enum8) | cryptographicAlgo of macseckeychain | SELECTION: 1 - GCM-AES-128; 2 - GCM-AES-256. DEFAULT: GCM-AES-128 |
| encryptType | kcmgr:encryptionTypeMacsec (scalar:Enum8) | Encryption type of macseckeychain | SELECTION: 0 - unencrypted; 1 - type7; 2 - type6. DEFAULT: unencrypted |
| keyHexString | kcmgr:keyString (string:Basic) | keystring of macseckeychain | A sequence of characters |
| keyId | kcmgr:keyHexId (string:Basic) | keyId of macseckeychain | A sequence of characters |


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Cryptographic-Algorithm AES-256-CMAC

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrMacsecKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrMacsecKeyId": {
                "attributes": {
                  "cryptographicAlgo": "GCM-AES-128",
                  "encryptType": "unencrypted",
                  "keyHexString": "",
                  "keyId": "234"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <macseckeychain-items>
        <MacsecKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <macseckeyid-items>
            <MacsecKeyId-list>
              <keyId>234</keyId>
              <cryptographicAlgo>GCM-AES-128</cryptographicAlgo>
              <encryptType>unencrypted</encryptType>
              <keyHexString></keyHexString>
            </MacsecKeyId-list>
          </macseckeyid-items>
        </MacsecKeychain-list>
      </macseckeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above. The JSON payload is the DME form, and the XML payload is the YANG form.

key chain <keychain> macsec
  key 234
   no key-octet-string 0 abcdefabcdef01234567891234567890abcdefabcdef01234567891234567890 cryptographic-algorithm AES_256_CMAC


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

| MO | DN |
| --- | --- |
| kcmgrKeychains | sys/kcmgr/keychains |
| kcmgrMacsecKeychain | sys/kcmgr/keychains/macseckeychain- |
| kcmgrMacsecKeyId | sys/kcmgr/keychains/macseckeychain-/macseckeyid-234 |


kcmgrMacsecKeychain Properties

The following table contains information about the kcmgrMacsecKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| keychainName | kcmgr:name (string:Basic) | Keychain name of macseckeychain | A sequence of characters |


kcmgrMacsecKeyId Properties

The following table contains information about the kcmgrMacsecKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| cryptographicAlgo | kcmgr:cryptographicAlgoAes (scalar:Enum8) | cryptographicAlgo of macseckeychain | SELECTION: 1 - GCM-AES-128; 2 - GCM-AES-256. DEFAULT: GCM-AES-128 |
| encryptType | kcmgr:encryptionTypeMacsec (scalar:Enum8) | Encryption type of macseckeychain | SELECTION: 0 - unencrypted; 1 - type7; 2 - type6. DEFAULT: unencrypted |
| keyHexString | kcmgr:keyString (string:Basic) | keystring of macseckeychain | A sequence of characters |
| keyId | kcmgr:keyHexId (string:Basic) | keyId of macseckeychain | A sequence of characters |


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring the Cryptographic Algorithm AES-128-CMAC

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrMacsecKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrMacsecKeyId": {
                "attributes": {
                  "cryptographicAlgo": "GCM-AES-128",
                  "encryptType": "unencrypted",
                  "keyHexString": "1234567890abcdefabcdef0123456789",
                  "keyId": "234"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <macseckeychain-items>
        <MacsecKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <macseckeyid-items>
            <MacsecKeyId-list>
              <keyId>234</keyId>
              <cryptographicAlgo>GCM-AES-128</cryptographicAlgo>
              <encryptType>unencrypted</encryptType>
              <keyHexString>1234567890abcdefabcdef0123456789</keyHexString>
            </MacsecKeyId-list>
          </macseckeyid-items>
        </MacsecKeychain-list>
      </macseckeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above. The JSON payload is the DME form, and the XML payload is the YANG form.

key chain <keychain> macsec
  key 234
   key-octet-string 0 1234567890abcdefabcdef0123456789 cryptographic-algorithm AES_128_CMAC


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

| MO | DN |
| --- | --- |
| kcmgrKeychains | sys/kcmgr/keychains |
| kcmgrMacsecKeychain | sys/kcmgr/keychains/macseckeychain- |
| kcmgrMacsecKeyId | sys/kcmgr/keychains/macseckeychain-/macseckeyid-234 |


kcmgrMacsecKeychain Properties

The following table contains information about the kcmgrMacsecKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| keychainName | kcmgr:name (string:Basic) | Keychain name of macseckeychain | A sequence of characters |


kcmgrMacsecKeyId Properties

The following table contains information about the kcmgrMacsecKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| cryptographicAlgo | kcmgr:cryptographicAlgoAes (scalar:Enum8) | cryptographicAlgo of macseckeychain | SELECTION: 1 - GCM-AES-128; 2 - GCM-AES-256. DEFAULT: GCM-AES-128 |
| encryptType | kcmgr:encryptionTypeMacsec (scalar:Enum8) | Encryption type of macseckeychain | SELECTION: 0 - unencrypted; 1 - type7; 2 - type6. DEFAULT: unencrypted |
| keyHexString | kcmgr:keyString (string:Basic) | keystring of macseckeychain | A sequence of characters |
| keyId | kcmgr:keyHexId (string:Basic) | keyId of macseckeychain | A sequence of characters |
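
The ranges in the kcmgrMacsecSendlifetime and kcmgrMacsecKeyId property tables, together with the note on keys without a lifetime, can be checked on a payload before it is posted. The following Python is an added example, not Cisco code: it assumes the payload describes the complete keychain, treats a key with no kcmgrMacsecSendlifetime child as a key without a lifetime, and expects 32 or 64 hex characters for a plaintext key depending on cryptographicAlgo. The function names, finding codes and sample payload are constructed for illustration.

```python
import re

# Hex characters a plaintext key needs for each cryptographicAlgo value
# (128-bit and 256-bit keys, two hex characters per byte). Assumption of this example.
KEY_HEX_LEN = {"GCM-AES-128": 32, "GCM-AES-256": 64}
MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}
# RANGE values from the kcmgrMacsecSendlifetime property table.
RANGES = {"startDay": (1, 31), "startYear": (1993, 2035),
          "duration": (0, 2147483646)}


def children(mo, cls):
    """Return every child MO of class `cls` under `mo`."""
    return [c[cls] for c in mo.get("children", []) if cls in c]


def is_deleted(mo):
    """True when the MO is posted with status "deleted"."""
    return mo.get("attributes", {}).get("status") == "deleted"


def lint_lifetime(attrs):
    """Codes for send-lifetime attributes that are present but out of range."""
    codes = []
    for name, (low, high) in RANGES.items():
        if name in attrs:
            try:
                in_range = low <= int(attrs[name]) <= high
            except (TypeError, ValueError):
                in_range = False
            if not in_range:
                codes.append(f"{name}-out-of-range")
    # "Unspecified" is a legal enum value but does not name a start month.
    if "startMonth" in attrs and attrs["startMonth"] not in MONTHS:
        codes.append("startMonth-invalid")
    if "startTime" in attrs:
        m = re.fullmatch(r"(\d{1,2}):(\d{1,2}):(\d{1,2})", str(attrs["startTime"]))
        if not (m and int(m[1]) < 24 and int(m[2]) < 60 and int(m[3]) < 60):
            codes.append("startTime-invalid")
    return codes


def lint_key(attrs):
    """Codes for the key material of one kcmgrMacsecKeyId."""
    codes = []
    key = attrs.get("keyHexString", "")
    enc = attrs.get("encryptType", "unencrypted")         # documented default
    algo = attrs.get("cryptographicAlgo", "GCM-AES-128")  # documented default
    if algo not in KEY_HEX_LEN:
        codes.append("algo-unknown")
    if key and enc == "unencrypted":
        codes.append("key-in-plaintext")  # the secret is readable in the payload
        if not re.fullmatch(r"[0-9a-fA-F]+", key):
            codes.append("key-not-hex")
        elif algo in KEY_HEX_LEN and len(key) != KEY_HEX_LEN[algo]:
            codes.append("key-length-mismatch")
    return codes


def lint_payload(payload):
    """Walk a kcmgrKeychains POST body; return (keychain, keyId, code) findings."""
    findings = []
    for chain in children(payload["kcmgrKeychains"], "kcmgrMacsecKeychain"):
        name = chain["attributes"]["keychainName"]
        no_lifetime = []
        for key in children(chain, "kcmgrMacsecKeyId"):
            if is_deleted(key):
                continue
            attrs = key["attributes"]
            key_id = attrs["keyId"]
            findings += [(name, key_id, c) for c in lint_key(attrs)]
            lifetimes = [lt for lt in children(key, "kcmgrMacsecSendlifetime")
                         if not is_deleted(lt)]
            for lt in lifetimes:
                findings += [(name, key_id, c)
                             for c in lint_lifetime(lt.get("attributes", {}))]
            if not lifetimes:
                no_lifetime.append(key_id)
        # The note: no more than one key per keychain without a lifetime.
        if len(no_lifetime) > 1:
            findings.append((name, ",".join(no_lifetime),
                             "multiple-keys-without-lifetime"))
    return findings


# Constructed sample: keychain name, key IDs and the mistakes are made up;
# the key string and the lifetime values of key 10 are the page's own examples.
SAMPLE_PAYLOAD = {"kcmgrKeychains": {"children": [{"kcmgrMacsecKeychain": {
    "attributes": {"keychainName": "KC1"},
    "children": [
        {"kcmgrMacsecKeyId": {
            "attributes": {"keyId": "10", "cryptographicAlgo": "GCM-AES-256",
                           "encryptType": "unencrypted",
                           "keyHexString": "1234567890abcdefabcdef0123456789"},
            "children": [{"kcmgrMacsecSendlifetime": {"attributes": {
                "duration": "0", "infinite": "enabled", "local": "local",
                "startDay": "3", "startMonth": "Feb",
                "startTime": "1:2:3", "startYear": "2003"}}}]}},
        {"kcmgrMacsecKeyId": {"attributes": {"keyId": "11"}}},
        {"kcmgrMacsecKeyId": {"attributes": {"keyId": "12"}}},
        {"kcmgrMacsecKeyId": {
            "attributes": {"keyId": "13"},
            "children": [{"kcmgrMacsecSendlifetime": {"attributes": {
                "startDay": "3", "startMonth": "Feb",
                "startTime": "24:00:00", "startYear": "2040"}}}]}},
    ]}}]}}

if __name__ == "__main__":
    for finding in lint_payload(SAMPLE_PAYLOAD):
        print(*finding, sep="  ")
```

A POST body that carries only part of a keychain can raise multiple-keys-without-lifetime for keys whose lifetime already exists on the switch, so run the check on the full intended configuration.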


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Cryptographic Algorithm AES-128-CMAC

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrMacsecKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrMacsecKeyId": {
                "attributes": {
                  "cryptographicAlgo": "GCM-AES-128",
                  "encryptType": "unencrypted",
                  "keyHexString": "",
                  "keyId": "234"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <macseckeychain-items>
        <MacsecKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <macseckeyid-items>
            <MacsecKeyId-list>
              <keyId>234</keyId>
              <cryptographicAlgo>GCM-AES-128</cryptographicAlgo>
              <encryptType>unencrypted</encryptType>
              <keyHexString></keyHexString>
            </MacsecKeyId-list>
          </macseckeyid-items>
        </MacsecKeychain-list>
      </macseckeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above. The JSON payload is the DME form, and the XML payload is the YANG form.

key chain <keychain> macsec
  key 234
   no key-octet-string 0 1234567890abcdefabcdef0123456789 cryptographic-algorithm AES_128_CMAC


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

| MO | DN |
| --- | --- |
| kcmgrKeychains | sys/kcmgr/keychains |
| kcmgrMacsecKeychain | sys/kcmgr/keychains/macseckeychain- |
| kcmgrMacsecKeyId | sys/kcmgr/keychains/macseckeychain-/macseckeyid-234 |


kcmgrMacsecKeychain Properties

The following table contains information about the kcmgrMacsecKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| keychainName | kcmgr:name (string:Basic) | Keychain name of macseckeychain | A sequence of characters |


kcmgrMacsecKeyId Properties

The following table contains information about the kcmgrMacsecKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| cryptographicAlgo | kcmgr:cryptographicAlgoAes (scalar:Enum8) | cryptographicAlgo of macseckeychain | SELECTION: 1 - GCM-AES-128; 2 - GCM-AES-256. DEFAULT: GCM-AES-128 |
| encryptType | kcmgr:encryptionTypeMacsec (scalar:Enum8) | Encryption type of macseckeychain | SELECTION: 0 - unencrypted; 1 - type7; 2 - type6. DEFAULT: unencrypted |
| keyHexString | kcmgr:keyString (string:Basic) | keystring of macseckeychain | A sequence of characters |
| keyId | kcmgr:keyHexId (string:Basic) | keyId of macseckeychain | A sequence of characters |


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring a Key

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrTunnelencryptKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrTunnelencryptKeyId": {
                "attributes": {
                  "keyId": "123"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptkeychain-items>
        <TunnelencryptKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <tunnelencryptkeyid-items>
            <TunnelencryptKeyId-list>
              <keyId>123</keyId>
            </TunnelencryptKeyId-list>
          </tunnelencryptkeyid-items>
        </TunnelencryptKeychain-list>
      </tunnelencryptkeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples above. The JSON payload is the DME form, and the XML payload is the YANG form.

key chain <keychain> tunnel-encryption
  key 123


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

| MO | DN |
| --- | --- |
| kcmgrKeychains | sys/kcmgr/keychains |
| kcmgrTunnelencryptKeychain | sys/kcmgr/keychains/tunnelencryptkeychain- |
| kcmgrTunnelencryptKeyId | sys/kcmgr/keychains/tunnelencryptkeychain-/tunnelencryptkeyid-123 |
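
The DN tables in these sections follow one pattern, so the list of objects to GET after a POST can be derived from the payload itself. The following Python is an added example, not Cisco code: the function names, the "present"/"absent" labels, the keychain name KC1, the address 192.0.2.10 and the `scheme` parameter are assumptions of the example; the DN patterns are the ones in the tables above.

```python
from urllib.parse import quote

# Relative-name pattern per MO class, taken from the DN tables on this page.
RN_PATTERNS = {
    "kcmgrKeychains": "sys/kcmgr/keychains",
    "kcmgrMacsecKeychain": "macseckeychain-{keychainName}",
    "kcmgrMacsecKeyId": "macseckeyid-{keyId}",
    "kcmgrMacsecSendlifetime": "macsecsendlifetime",
    "kcmgrTunnelencryptKeychain": "tunnelencryptkeychain-{keychainName}",
    "kcmgrTunnelencryptKeyId": "tunnelencryptkeyid-{keyId}",
}


def verification_plan(payload, parent_dn="", parent_deleted=False):
    """Return (class, DN, expected state) for every MO in a DME POST body.

    An MO posted with status "deleted", and everything beneath it, is expected
    to be absent afterwards; every other MO is expected to be present.
    """
    plan = []
    for cls, mo in payload.items():
        if cls not in RN_PATTERNS:
            raise ValueError(f"no DN pattern known for class {cls}")
        attrs = mo.get("attributes", {})
        try:
            rn = RN_PATTERNS[cls].format(**attrs)
        except KeyError as missing:
            raise ValueError(f"{cls} lacks naming attribute {missing}") from None
        dn = f"{parent_dn}/{rn}" if parent_dn else rn
        deleted = parent_deleted or attrs.get("status") == "deleted"
        plan.append((cls, dn, "absent" if deleted else "present"))
        for child in mo.get("children", []):
            plan.extend(verification_plan(child, dn, deleted))
    return plan


def get_url(mgmt_ip, dn, scheme="https"):
    """URL for the verification GET, in the /api/mo/<DN>.json form of the POST URL.

    The page's examples use http://; over plain HTTP the key strings in these
    payloads and responses cross the management network unencrypted.
    """
    return f"{scheme}://{mgmt_ip}/api/mo/{quote(dn, safe='/')}.json"


# The page's "Deleting the Timezone for the Send Lifetime" payload,
# with a constructed keychain name in place of <keychain>.
DELETE_LIFETIME = {"kcmgrKeychains": {"children": [{"kcmgrMacsecKeychain": {
    "attributes": {"keychainName": "KC1"},
    "children": [{"kcmgrMacsecKeyId": {
        "attributes": {"keyId": "123"},
        "children": [{"kcmgrMacsecSendlifetime": {
            "attributes": {"status": "deleted"}}}]}}]}}]}}

# The page's tunnel-encryption "Deleting a Key" payload, same constructed name.
DELETE_TUNNEL_KEY = {"kcmgrKeychains": {"children": [{"kcmgrTunnelencryptKeychain": {
    "attributes": {"keychainName": "KC1"},
    "children": [{"kcmgrTunnelencryptKeyId": {
        "attributes": {"keyId": "123", "status": "deleted"}}}]}}]}}

if __name__ == "__main__":
    for payload in (DELETE_LIFETIME, DELETE_TUNNEL_KEY):
        for cls, dn, expect in verification_plan(payload):
            print(f"{expect:8} {cls:28} {get_url('192.0.2.10', dn)}")
```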


kcmgrTunnelencryptKeychain Properties

The following table contains information about the kcmgrTunnelencryptKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| keychainName | kcmgr:name (string:Basic) | Keychain name of tunnelencrypt keychain | A sequence of characters |


kcmgrTunnelencryptKeyId Properties

The following table contains information about the kcmgrTunnelencryptKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

| Property Name | Data Type | Description | Values |
| --- | --- | --- | --- |
| keyId | kcmgr:keyHexId (string:Basic) | keyId of Tunnel encrypt keychain | A sequence of characters |


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting a Key

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrTunnelencryptKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrTunnelencryptKeyId": {
                "attributes": {
                  "keyId": "123",
                  "status": "deleted"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptkeychain-items>
        <TunnelencryptKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <tunnelencryptkeyid-items>
            <TunnelencryptKeyId-list nc:operation="delete">
              <keyId>123</keyId>
            </TunnelencryptKeyId-list>
          </tunnelencryptkeyid-items>
        </TunnelencryptKeychain-list>
      </tunnelencryptkeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples shown above. The DME payload is the JSON form and the YANG payload is the XML form.

key chain <keychain> tunnel-encryption
  no key 123


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrTunnelencryptKeychain | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>
kcmgrTunnelencryptKeyId | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>/tunnelencryptkeyid-123


kcmgrTunnelencryptKeychain Properties

The following table contains information about the kcmgrTunnelencryptKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of tunnelencrypt keychain | A sequence of characters


kcmgrTunnelencryptKeyId Properties

The following table contains information about the kcmgrTunnelencryptKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keyId | kcmgr:keyHexId (string:Basic) | keyId of Tunnel encrypt keychain | A sequence of characters
status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created, 4 - modified, 8 - deleted, 16 - replaced


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring the Timezone for the Send Lifetime

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrTunnelencryptKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrTunnelencryptKeyId": {
                "attributes": {
                  "keyId": "123"
                },
                "children": [
                  {
                    "kcmgrTunnelencryptSendlifetime": {
                      "attributes": {
                        "duration": "0",
                        "infinite": "enabled",
                        "local": "local",
                        "startDay": "3",
                        "startMonth": "Feb",
                        "startTime": "1:2:3",
                        "startYear": "2003"
}}}]}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptkeychain-items>
        <TunnelencryptKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <tunnelencryptkeyid-items>
            <TunnelencryptKeyId-list>
              <keyId>123</keyId>
              <tunnelencryptsendlifetime-items>
                <duration>0</duration>
                <infinite>enabled</infinite>
                <local>local</local>
                <startDay>3</startDay>
                <startMonth>Feb</startMonth>
                <startTime>1:2:3</startTime>
                <startYear>2003</startYear>
              </tunnelencryptsendlifetime-items>
            </TunnelencryptKeyId-list>
          </tunnelencryptkeyid-items>
        </TunnelencryptKeychain-list>
      </tunnelencryptkeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).
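
The rule in the Note above can be checked mechanically. The following is an added example, not Cisco's code: it walks keychain MOs in the class/attributes/children shape used by the payloads on this page and reports keychains with more than one key that has no kcmgrTunnelencryptSendlifetime child. The sample tree, the keychain names and the `imdata` wrapper around a GET result are assumptions of the example.

```python
"""Audit tunnel-encryption keychains for keys that have no send lifetime."""
import json

KEYCHAIN = "kcmgrTunnelencryptKeychain"
KEY = "kcmgrTunnelencryptKeyId"
LIFETIME = "kcmgrTunnelencryptSendlifetime"


def children(mo, class_name):
    """Yield the bodies of the direct child MOs of one class."""
    for child in mo.get("children", []):
        if class_name in child:
            yield child[class_name]


def roots(doc):
    """Accept a bare kcmgrKeychains MO or an {"imdata": [...]} wrapper (assumed shape)."""
    for item in doc.get("imdata", [doc]):
        if "kcmgrKeychains" in item:
            yield item["kcmgrKeychains"]


def audit_keychains(doc):
    """Return {keychain: {"no_lifetime", "infinite", "bounded", "findings"}}."""
    report = {}
    for root in roots(doc):
        for chain in children(root, KEYCHAIN):
            name = chain.get("attributes", {}).get("keychainName", "")
            buckets = {"no_lifetime": [], "infinite": [], "bounded": []}
            for key in children(chain, KEY):
                key_id = key.get("attributes", {}).get("keyId", "")
                lifetimes = list(children(key, LIFETIME))
                if not lifetimes:
                    buckets["no_lifetime"].append(key_id)
                elif lifetimes[0].get("attributes", {}).get("infinite") == "enabled":
                    # Reported separately: a lifetime exists but never ends.
                    buckets["infinite"].append(key_id)
                else:
                    buckets["bounded"].append(key_id)
            missing = buckets["no_lifetime"]
            findings = []
            if len(missing) > 1:
                findings.append("more than one key without a lifetime: " + ", ".join(missing))
            elif missing:
                findings.append("key without a lifetime: " + missing[0])
            report[name] = dict(buckets, findings=findings)
    return report


def sample_key(key_id, lifetime=None):
    """Build one constructed key MO; lifetime is an attribute dict or None."""
    mo = {"attributes": {"keyId": key_id}}
    if lifetime is not None:
        mo["children"] = [{LIFETIME: {"attributes": lifetime}}]
    return {KEY: mo}


# Constructed sample data (not device output).
INFINITE = {"duration": "0", "infinite": "enabled", "local": "local",
            "startDay": "3", "startMonth": "Feb", "startTime": "1:2:3",
            "startYear": "2003"}
BOUNDED = dict(INFINITE, duration="86400", infinite="disabled")

SAMPLE = {"imdata": [{"kcmgrKeychains": {"children": [
    {KEYCHAIN: {"attributes": {"keychainName": "KC-OK"},
                "children": [sample_key("10", BOUNDED), sample_key("11", BOUNDED)]}},
    {KEYCHAIN: {"attributes": {"keychainName": "KC-ONE"},
                "children": [sample_key("20"), sample_key("21", INFINITE)]}},
    {KEYCHAIN: {"attributes": {"keychainName": "KC-BAD"},
                "children": [sample_key("30"), sample_key("31"),
                             sample_key("32", BOUNDED)]}},
]}}]}

if __name__ == "__main__":
    print(json.dumps(audit_keychains(SAMPLE), indent=2))
```

A single key without a lifetime is reported as a finding because the Note recommends a lifetime on every key; only two or more such keys in one keychain break the stated limit.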


CLI Commands

The CLI commands are equivalent to the payload examples shown above. The DME payload is the JSON form and the YANG payload is the XML form.

key chain <keychain> tunnel-encryption
  key 123
   send-lifetime local 1:2:3 Feb 3 2003 infinite


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrTunnelencryptKeychain | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>
kcmgrTunnelencryptKeyId | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>/tunnelencryptkeyid-123
kcmgrTunnelencryptSendlifetime | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>/tunnelencryptkeyid-123/tunnelencryptsendlifetime


kcmgrTunnelencryptKeychain Properties

The following table contains information about the kcmgrTunnelencryptKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of tunnelencrypt keychain | A sequence of characters


kcmgrTunnelencryptKeyId Properties

The following table contains information about the kcmgrTunnelencryptKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keyId | kcmgr:keyHexId (string:Basic) | keyId of Tunnel encrypt keychain | A sequence of characters


kcmgrTunnelencryptSendlifetime Properties

The following table contains information about the kcmgrTunnelencryptSendlifetime properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
duration | kcmgr:duration (scalar:Uint32) | duration period of lifetime | RANGE: [0 , 2147483646]
infinite | kcmgr:adminSt (scalar:Enum8) | Lifetime has no endtime | SELECTION: 0 - disabled, 1 - enabled; DEFAULT: disabled
local | kcmgr:timeZone (scalar:Enum8) | local timezone notification | SELECTION: 0 - unspecified, 1 - local; DEFAULT: unspecified
startDay | kcmgr:day (scalar:Uint16) | starting Day of Lifetime for the keychain | RANGE: [1 , 31]
startMonth | kcmgr:month (scalar:Enum8) | starting month of Lifetime for the keychain | SELECTION: 0 - Unspecified, 1 - Jan, 2 - Feb, 3 - Mar, 4 - Apr, 5 - May, 6 - Jun, 7 - Jul, 8 - Aug, 9 - Sep, 10 - Oct, 11 - Nov, 12 - Dec; DEFAULT: Unspecified
startTime | kcmgr:timestamp (string:Basic) | HH:MM:SS Start Time of lifetime | A sequence of characters
startYear | kcmgr:year (scalar:Uint16) | starting Year of Lifetime for the keychain | RANGE: [1993 , 2035]
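
An added example, not part of the Cisco reference: a client-side builder for the send-lifetime payload that enforces the value ranges in the table above before anything is posted, and returns the DN to GET afterwards. The keychain name `KC1`, the function names, the calendar check and the rule that exactly one of `duration` or `infinite` is set are assumptions of this example; the DN follows the pattern in the DN table.

```python
"""Build and validate the send-lifetime payload for a tunnel-encryption key."""
import calendar
import json
import re

# Constraints taken from the kcmgrTunnelencryptSendlifetime property table.
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
MAX_DURATION = 2147483646
YEAR_RANGE = (1993, 2035)
TIME_RE = re.compile(r"([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2})")


def check_name(label, value):
    """Reject empty values and '/' so the value cannot alter the DN path (assumed rule)."""
    if not value or "/" in value or value != value.strip():
        raise ValueError(f"{label} is empty or contains '/' or outer spaces: {value!r}")
    return value


def send_lifetime_attributes(start_time, month, day, year,
                             duration=0, infinite=False, local=True):
    """Return the attribute dict, raising ValueError on out-of-range input."""
    match = TIME_RE.fullmatch(start_time)
    if not match:
        raise ValueError(f"startTime must be HH:MM:SS, got {start_time!r}")
    hours, minutes, seconds = (int(part) for part in match.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"startTime out of range: {start_time!r}")
    if month not in MONTHS:
        raise ValueError(f"startMonth must be one of {MONTHS}, got {month!r}")
    if not YEAR_RANGE[0] <= year <= YEAR_RANGE[1]:
        raise ValueError(f"startYear must be within {YEAR_RANGE}, got {year}")
    # The table allows 1..31 for every month; the calendar check is stricter.
    last_day = calendar.monthrange(year, MONTHS.index(month) + 1)[1]
    if not 1 <= day <= last_day:
        raise ValueError(f"startDay must be 1..{last_day} for {month} {year}")
    if not 0 <= duration <= MAX_DURATION:
        raise ValueError(f"duration must be 0..{MAX_DURATION}, got {duration}")
    # Assumption of this example: exactly one of duration / infinite is used.
    if infinite and duration != 0:
        raise ValueError("an infinite lifetime is sent with duration 0")
    if not infinite and duration == 0:
        raise ValueError("set a non-zero duration or infinite=True")
    return {
        "duration": str(duration),
        "infinite": "enabled" if infinite else "disabled",
        "local": "local" if local else "unspecified",
        "startDay": str(day),
        "startMonth": month,
        "startTime": start_time,
        "startYear": str(year),
    }


def build_payload(keychain, key_id, **lifetime):
    """Nest the validated attributes under the keychain and key MOs."""
    attrs = send_lifetime_attributes(**lifetime)
    return {"kcmgrKeychains": {"children": [{
        "kcmgrTunnelencryptKeychain": {
            "attributes": {"keychainName": check_name("keychainName", keychain)},
            "children": [{
                "kcmgrTunnelencryptKeyId": {
                    "attributes": {"keyId": check_name("keyId", key_id)},
                    "children": [{
                        "kcmgrTunnelencryptSendlifetime": {"attributes": attrs}
                    }]}}]}}]}}


def send_lifetime_dn(keychain, key_id):
    """DN of the send-lifetime MO, for the verification GET."""
    return ("sys/kcmgr/keychains/tunnelencryptkeychain-"
            f"{check_name('keychainName', keychain)}/tunnelencryptkeyid-"
            f"{check_name('keyId', key_id)}/tunnelencryptsendlifetime")


if __name__ == "__main__":
    body = build_payload("KC1", "123", start_time="1:2:3", month="Feb",
                         day=3, year=2003, infinite=True)
    print(json.dumps(body, indent=2))
    print("verify with GET /api/mo/" + send_lifetime_dn("KC1", "123") + ".json")
```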


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Timezone for the Send Lifetime

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrTunnelencryptKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrTunnelencryptKeyId": {
                "attributes": {
                  "keyId": "123"
                },
                "children": [
                  {
                    "kcmgrTunnelencryptSendlifetime": {
                      "attributes": {
                        "status": "deleted"
}}}]}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptkeychain-items>
        <TunnelencryptKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <tunnelencryptkeyid-items>
            <TunnelencryptKeyId-list>
              <keyId>123</keyId>
              <tunnelencryptsendlifetime-items nc:operation="delete">
              </tunnelencryptsendlifetime-items>
            </TunnelencryptKeyId-list>
          </tunnelencryptkeyid-items>
        </TunnelencryptKeychain-list>
      </tunnelencryptkeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples shown above. The DME payload is the JSON form and the YANG payload is the XML form.

key chain <keychain> tunnel-encryption
  key 123
   no send-lifetime local 1:2:3 Feb 3 2003 infinite


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrTunnelencryptKeychain | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>
kcmgrTunnelencryptKeyId | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>/tunnelencryptkeyid-123
kcmgrTunnelencryptSendlifetime | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>/tunnelencryptkeyid-123/tunnelencryptsendlifetime


kcmgrTunnelencryptKeychain Properties

The following table contains information about the kcmgrTunnelencryptKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of tunnelencrypt keychain | A sequence of characters


kcmgrTunnelencryptKeyId Properties

The following table contains information about the kcmgrTunnelencryptKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keyId | kcmgr:keyHexId (string:Basic) | keyId of Tunnel encrypt keychain | A sequence of characters


kcmgrTunnelencryptSendlifetime Properties

The following table contains information about the kcmgrTunnelencryptSendlifetime properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
status | mo:ModificationStatus (scalar:Bitmask32) | The upgrade status. This property is for internal use only. | SELECTION: 2 - created, 4 - modified, 8 - deleted, 16 - replaced


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Configuring the Cryptographic Algorithm AES-128-CMAC

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrTunnelencryptKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrTunnelencryptKeyId": {
                "attributes": {
                  "cryptographicAlgo": "GCM-AES-128",
                  "encryptType": "unencrypted",
                  "keyHexString": "1234567890abcdefabcdef0123456789",
                  "keyId": "123"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptkeychain-items>
        <TunnelencryptKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <tunnelencryptkeyid-items>
            <TunnelencryptKeyId-list>
              <keyId>123</keyId>
              <cryptographicAlgo>GCM-AES-128</cryptographicAlgo>
              <encryptType>unencrypted</encryptType>
              <keyHexString>1234567890abcdefabcdef0123456789</keyHexString>
            </TunnelencryptKeyId-list>
          </tunnelencryptkeyid-items>
        </TunnelencryptKeychain-list>
      </tunnelencryptkeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples shown above. The DME payload is the JSON form and the YANG payload is the XML form.

key chain <keychain> tunnel-encryption
  key 123
   key-octet-string 0 1234567890abcdefabcdef0123456789 cryptographic-algorithm AES_128_CMAC


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrTunnelencryptKeychain | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>
kcmgrTunnelencryptKeyId | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>/tunnelencryptkeyid-123


kcmgrTunnelencryptKeychain Properties

The following table contains information about the kcmgrTunnelencryptKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of tunnelencrypt keychain | A sequence of characters


kcmgrTunnelencryptKeyId Properties

The following table contains information about the kcmgrTunnelencryptKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
cryptographicAlgo | kcmgr:cryptographicAlgoAes (scalar:Enum8) | cryptographicAlgo of Tunnel encrypt keychain | SELECTION: 1 - GCM-AES-128, 2 - GCM-AES-256; DEFAULT: GCM-AES-128
encryptType | kcmgr:encryptionTypeTunnelEncrypt (scalar:Enum8) | Encryption type of Tunnel encrypt keychain | SELECTION: 0 - unencrypted, 1 - type7; DEFAULT: unencrypted
keyHexString | kcmgr:keyString (string:Basic) | key string of Tunnel encrypt keychain | A sequence of characters
keyId | kcmgr:keyHexId (string:Basic) | keyId of Tunnel encrypt keychain | A sequence of characters


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Cryptographic Algorithm AES-128-CMAC

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrTunnelencryptKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrTunnelencryptKeyId": {
                "attributes": {
                  "cryptographicAlgo": "GCM-AES-128",
                  "encryptType": "unencrypted",
                  "keyHexString": "",
                  "keyId": "123"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptkeychain-items>
        <TunnelencryptKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <tunnelencryptkeyid-items>
            <TunnelencryptKeyId-list>
              <keyId>123</keyId>
              <cryptographicAlgo>GCM-AES-128</cryptographicAlgo>
              <encryptType>unencrypted</encryptType>
              <keyHexString></keyHexString>
            </TunnelencryptKeyId-list>
          </tunnelencryptkeyid-items>
        </TunnelencryptKeychain-list>
      </tunnelencryptkeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples shown above. The DME payload is the JSON form and the YANG payload is the XML form.

key chain <keychain> tunnel-encryption
  key 123
   no key-octet-string 0 1234567890abcdefabcdef0123456789 cryptographic-algorithm AES_128_CMAC


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrTunnelencryptKeychain | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>
kcmgrTunnelencryptKeyId | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>/tunnelencryptkeyid-123


kcmgrTunnelencryptKeychain Properties

The following table contains information about the kcmgrTunnelencryptKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of tunnelencrypt keychain | A sequence of characters


kcmgrTunnelencryptKeyId Properties

The following table contains information about the kcmgrTunnelencryptKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
cryptographicAlgo | kcmgr:cryptographicAlgoAes (scalar:Enum8) | cryptographicAlgo of Tunnel encrypt keychain | SELECTION: 1 - GCM-AES-128, 2 - GCM-AES-256; DEFAULT: GCM-AES-128
encryptType | kcmgr:encryptionTypeTunnelEncrypt (scalar:Enum8) | Encryption type of Tunnel encrypt keychain | SELECTION: 0 - unencrypted, 1 - type7; DEFAULT: unencrypted
keyHexString | kcmgr:keyString (string:Basic) | key string of Tunnel encrypt keychain | A sequence of characters
keyId | kcmgr:keyHexId (string:Basic) | keyId of Tunnel encrypt keychain | A sequence of characters


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html

Deleting the Cryptographic Algorithm AES-256-CMAC

POST http://<mgmt0_IP>/api/mo/sys/kcmgr/keychains.json
{
  "kcmgrKeychains": {
    "children": [
      {
        "kcmgrTunnelencryptKeychain": {
          "attributes": {
            "keychainName": "<keychain>"
          },
          "children": [
            {
              "kcmgrTunnelencryptKeyId": {
                "attributes": {
                  "cryptographicAlgo": "GCM-AES-128",
                  "encryptType": "unencrypted",
                  "keyHexString": "",
                  "keyId": "123"
}}}]}}]}}
{
    imdata:[]
}
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptkeychain-items>
        <TunnelencryptKeychain-list>
          <keychainName>&lt;keychain&gt;</keychainName>
          <tunnelencryptkeyid-items>
            <TunnelencryptKeyId-list>
              <keyId>123</keyId>
              <cryptographicAlgo>GCM-AES-128</cryptographicAlgo>
              <encryptType>unencrypted</encryptType>
              <keyHexString></keyHexString>
            </TunnelencryptKeyId-list>
          </tunnelencryptkeyid-items>
        </TunnelencryptKeychain-list>
      </tunnelencryptkeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>

Note:

  • To keep a session alive when all keys with an active timer expire, configure no more than one key per keychain without a lifetime. As a best practice, we recommend configuring a lifetime for each key.
  • This example was added in Release 9.3(5).


CLI Commands

The CLI commands are equivalent to the payload examples shown above. The DME payload is the JSON form and the YANG payload is the XML form.

key chain <keychain> tunnel-encryption
  key 123
   no key-octet-string 0 abcdefabcdef01234567891234567890abcdefabcdef01234567891234567890 cryptographic-algorithm AES_256_CMAC


Verifying a DME Configuration

The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.

MO | DN
kcmgrKeychains | sys/kcmgr/keychains
kcmgrTunnelencryptKeychain | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>
kcmgrTunnelencryptKeyId | sys/kcmgr/keychains/tunnelencryptkeychain-<keychain>/tunnelencryptkeyid-123


kcmgrTunnelencryptKeychain Properties

The following table contains information about the kcmgrTunnelencryptKeychain properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
keychainName | kcmgr:name (string:Basic) | Keychain name of tunnelencrypt keychain | A sequence of characters


kcmgrTunnelencryptKeyId Properties

The following table contains information about the kcmgrTunnelencryptKeyId properties in the DME payload. For more information about the properties and MOs, see the NX-API DME Model Reference linked in the Related Documentation section below.

Property Name | Data Type | Description | Values
cryptographicAlgo | kcmgr:cryptographicAlgoAes (scalar:Enum8) | cryptographicAlgo of Tunnel encrypt keychain | SELECTION: 1 - GCM-AES-128, 2 - GCM-AES-256; DEFAULT: GCM-AES-128
encryptType | kcmgr:encryptionTypeTunnelEncrypt (scalar:Enum8) | Encryption type of Tunnel encrypt keychain | SELECTION: 0 - unencrypted, 1 - type7; DEFAULT: unencrypted
keyHexString | kcmgr:keyString (string:Basic) | key string of Tunnel encrypt keychain | A sequence of characters
keyId | kcmgr:keyHexId (string:Basic) | keyId of Tunnel encrypt keychain | A sequence of characters


Related Documentation

For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:

http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html

See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:

https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/

For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:

https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
