Configuring Keychain Management
Keychain management allows you to create and maintain keychains, which are sequences of keys (sometimes called shared secrets). You can use keychains with features that secure communications with other devices by using key-based authentication. The device allows you to configure multiple keychains.
For more information, see the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide:
Configuring Classic Keychain
POST http://<mgmt_IP>/api/mo/sys.json

```json
{
  "topSystem": {
    "children": [
      {
        "kcmgrEntity": {
          "children": [
            {
              "kcmgrKeychains": {
                "children": [
                  {
                    "kcmgrClassicKeychain": {
                      "attributes": {
                        "keychainName": "test"
                      },
                      "children": [
                        {
                          "kcmgrKey": {
                            "attributes": {
                              "cryptoAlgo": "MD5",
                              "encryptType": "type7",
                              "keyId": "1",
                              "keyString": "070e234f"
                            },
                            "children": [
                              {
                                "kcmgrSendlifetime": {
                                  "attributes": {
                                    "duration": "0",
                                    "infinite": "enabled",
                                    "local": "local",
                                    "startDay": "6",
                                    "startMonth": "Dec",
                                    "startTime": "00:37:48",
                                    "startYear": "2023"
                                  }
                                }
                              },
                              {
                                "kcmgrAcceptlifetime": {
                                  "attributes": {
                                    "duration": "0",
                                    "endDay": "6",
                                    "endMonth": "Dec",
                                    "endTime": "00:37:48",
                                    "endYear": "2024",
                                    "infinite": "disabled",
                                    "local": "unspecified",
                                    "startDay": "6",
                                    "startMonth": "Dec",
                                    "startTime": "00:37:48",
                                    "startYear": "2023"
                                  }
                                }
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  }
}
```
Response:

```json
{
  "imdata": []
}
```
YANG (XML) payload:

```xml
<System>
  <kcmgr-items>
    <keychains-items>
      <classickeychain-items>
        <ClassicKeychain-list>
          <keychainName>test</keychainName>
          <classickeyid-items>
            <Key-list>
              <keyId>1</keyId>
              <encryptType>unencrypted</encryptType>
              <keyString>abc</keyString>
              <cryptoAlgo>MD5</cryptoAlgo>
              <sendlifetime-items>
                <startTime>00:37:48</startTime>
                <startDay>6</startDay>
                <startMonth>Dec</startMonth>
                <startYear>2023</startYear>
                <infinite>enabled</infinite>
              </sendlifetime-items>
              <acceptlifetime-items>
                <startTime>00:37:48</startTime>
                <startDay>6</startDay>
                <startMonth>Dec</startMonth>
                <startYear>2023</startYear>
                <endTime>00:37:48</endTime>
                <endDay>6</endDay>
                <endMonth>Dec</endMonth>
                <endYear>2024</endYear>
              </acceptlifetime-items>
            </Key-list>
          </classickeyid-items>
        </ClassicKeychain-list>
      </classickeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>
```
CLI Commands
The following CLI commands are equivalent to the DME (JSON) and YANG (XML) payloads shown above.
key-chain macsec-psk
Note: The property information for this example was added in release 10.3(1)F.
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| topSystem | sys |
| kcmgrEntity | sys/kcmgr |
| kcmgrClassicKeychain | sys/kcmgr/keychains/classickeychain-{[keychainName]} |
| kcmgrKey | sys/kcmgr/keychains/classickeychain-{[keychainName]}/classickeyid-{keyId} |
| kcmgrAcceptlifetime | sys/kcmgr/keychains/classickeychain-{[keychainName]}/classickeyid-{keyId}/acceptlifetime |
| kcmgrSendlifetime | sys/kcmgr/keychains/classickeychain-{[keychainName]}/classickeyid-{keyId}/sendlifetime |
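Scripting the verification step: an added example (not Cisco's code) that builds the DNs from the table above and compares the attributes in a GET response with the ones that were posted. The GET responses are constructed, `<mgmt_IP>` is a placeholder, and HTTPS is assumed because the key string travels inside these payloads.

```python
import json

# DN patterns copied from the "Verifying a DME Configuration" table above.
DN_TEMPLATES = {
    "kcmgrClassicKeychain": "sys/kcmgr/keychains/classickeychain-{name}",
    "kcmgrKey": "sys/kcmgr/keychains/classickeychain-{name}/classickeyid-{key_id}",
    "kcmgrAcceptlifetime": "sys/kcmgr/keychains/classickeychain-{name}/classickeyid-{key_id}/acceptlifetime",
    "kcmgrSendlifetime": "sys/kcmgr/keychains/classickeychain-{name}/classickeyid-{key_id}/sendlifetime",
}

def dn_for(mo, name, key_id=None):
    """DN of one managed object in the classic keychain tree."""
    return DN_TEMPLATES[mo].format(name=name, key_id=key_id)

def mo_url(mgmt_ip, dn):
    """GET URL for a DN. HTTPS is assumed: keyString rides in these payloads."""
    return f"https://{mgmt_ip}/api/mo/{dn}.json"

def diff_attributes(get_response, mo, expected):
    """Compare the attributes of `mo` in a GET response with what was posted.

    Returns {attr: (expected, actual)} for each attribute that differs or is
    missing; {} means the device holds what was posted. Raises LookupError
    when the MO is absent from imdata, i.e. the object was never created.
    """
    for item in get_response.get("imdata", []):
        if mo in item:
            actual = item[mo].get("attributes", {})
            return {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}
    raise LookupError(f"{mo} not present in imdata")

# Attributes of kcmgrKey exactly as in the POST payload above.
EXPECTED_KEY = {"cryptoAlgo": "MD5", "encryptType": "type7", "keyId": "1", "keyString": "070e234f"}

# Constructed GET responses (not captured from a device): GET_OK matches the
# POST; GET_BAD has the key stored unencrypted, which diff_attributes reports.
GET_OK = json.loads('{"totalCount":"1","imdata":[{"kcmgrKey":{"attributes":{"dn":"sys/kcmgr/keychains/classickeychain-test/classickeyid-1","cryptoAlgo":"MD5","encryptType":"type7","keyId":"1","keyString":"070e234f"}}}]}')
GET_BAD = json.loads('{"totalCount":"1","imdata":[{"kcmgrKey":{"attributes":{"dn":"sys/kcmgr/keychains/classickeychain-test/classickeyid-1","cryptoAlgo":"MD5","encryptType":"unencrypted","keyId":"1","keyString":"070e234f"}}}]}')

if __name__ == "__main__":
    print(mo_url("<mgmt_IP>", dn_for("kcmgrKey", "test", "1")))
    print(diff_attributes(GET_OK, "kcmgrKey", EXPECTED_KEY))   # {}
    print(diff_attributes(GET_BAD, "kcmgrKey", EXPECTED_KEY))  # {'encryptType': ('type7', 'unencrypted')}
```

The same DN builder and diff apply to the MACsec and tunnel-encryption trees once the class names and DN patterns from their tables are swapped in.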
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring Macsec Keychain
POST http://<mgmt_IP>/api/mo/sys.json

```json
{
  "topSystem": {
    "children": [
      {
        "kcmgrEntity": {
          "children": [
            {
              "kcmgrKeychains": {
                "children": [
                  {
                    "kcmgrMacsecKeychain": {
                      "attributes": {
                        "keychainName": "test"
                      },
                      "children": [
                        {
                          "kcmgrMacsecKeyId": {
                            "attributes": {
                              "cryptographicAlgo": "AES_128_CMAC",
                              "encryptType": "unencrypted",
                              "keyHexString": "abcdef0123456789abcdef0123456789",
                              "keyId": "11"
                            },
                            "children": [
                              {
                                "kcmgrMacsecSendlifetime": {
                                  "attributes": {
                                    "duration": "20000",
                                    "infinite": "disabled",
                                    "local": "local",
                                    "startDay": "6",
                                    "startMonth": "Dec",
                                    "startTime": "00:37:48",
                                    "startYear": "2023"
                                  }
                                }
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  }
}
```
Response:

```json
{
  "imdata": []
}
```
YANG (XML) payload:

```xml
<System>
  <kcmgr-items>
    <keychains-items>
      <macseckeychain-items>
        <MacsecKeychain-list>
          <keychainName>test</keychainName>
          <macseckeyid-items>
            <MacsecKeyId-list>
              <keyId>11</keyId>
              <cryptographicAlgo>AES_128_CMAC</cryptographicAlgo>
              <encryptType>unencrypted</encryptType>
              <keyHexString>abcdef0123456789abcdef0123456789</keyHexString>
              <macsecsendlifetime-items>
                <duration>20000</duration>
                <infinite>disabled</infinite>
                <local>local</local>
                <startDay>6</startDay>
                <startMonth>Dec</startMonth>
                <startTime>00:37:48</startTime>
                <startYear>2023</startYear>
              </macsecsendlifetime-items>
            </MacsecKeyId-list>
          </macseckeyid-items>
        </MacsecKeychain-list>
      </macseckeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>
```
CLI Commands
The following CLI commands are equivalent to the DME (JSON) and YANG (XML) payloads shown above.
key chain test macsec
Note: The property information for this example was added in release 10.3(1)F.
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| topSystem | sys |
| kcmgrEntity | sys/kcmgr |
| kcmgrMacsecKeychain | sys/kcmgr/keychains/macseckeychain-{[keychainName]} |
| kcmgrMacsecKeyId | sys/kcmgr/keychains/macseckeychain-{[keychainName]}/macseckeyid-{keyId} |
| kcmgrMacsecSendlifetime | sys/kcmgr/keychains/macseckeychain-{[keychainName]}/macseckeyid-{keyId}/sendlifetime |
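An added example (not Cisco's code) that turns the lifetime attributes posted on this page into time windows and sanity-checks a MACsec key entry before it is pushed; it covers the classic accept-lifetime form with end* attributes as well as the duration form used here. It assumes `duration` is in seconds and that AES_256_CMAC (64 hex digits) is the other algorithm value besides the page's AES_128_CMAC.

```python
from datetime import datetime, timedelta

# Hex digits a CAK needs per algorithm: 32 for AES_128_CMAC (the page's value);
# AES_256_CMAC at 64 is assumed to be the other NX-OS MACsec option.
KEY_HEX_LEN = {"AES_128_CMAC": 32, "AES_256_CMAC": 64}
_FMT = "%Y %b %d %H:%M:%S"

# Constructed copy of the key posted above: 20000 s send lifetime from Dec 6 2023.
MACSEC_KEY = {
    "keyId": "11", "cryptographicAlgo": "AES_128_CMAC",
    "keyHexString": "abcdef0123456789abcdef0123456789",
    "sendlifetime": {"duration": "20000", "infinite": "disabled", "startDay": "6",
                     "startMonth": "Dec", "startTime": "00:37:48", "startYear": "2023"},
}

def _stamp(lt, p):
    """datetime from the <p>Year/<p>Month/<p>Day/<p>Time attributes (p = start|end)."""
    return datetime.strptime(f"{lt[p+'Year']} {lt[p+'Month']} {lt[p+'Day']} {lt[p+'Time']}", _FMT)

def when(s):
    """ISO-8601 string to datetime."""
    return datetime.fromisoformat(s)

def lifetime_window(lt):
    """(start, end) of a send/accept lifetime; end is None when infinite."""
    start = _stamp(lt, "start")
    if lt.get("infinite") == "enabled":
        return start, None
    if int(lt.get("duration", "0")) > 0:       # duration taken as seconds (assumption)
        return start, start + timedelta(seconds=int(lt["duration"]))
    return start, _stamp(lt, "end")             # explicit end* attributes

def is_active(lt, at):
    """True when `at` lies inside the lifetime (end exclusive)."""
    start, end = lifetime_window(lt)
    return start <= at and (end is None or at < end)

def check_macsec_key(key, now):
    """Problems with a kcmgrMacsecKeyId entry at time `now`; [] means ok."""
    problems = []
    algo, hexs = key["cryptographicAlgo"], key["keyHexString"]
    want = KEY_HEX_LEN.get(algo)
    if want is None:
        problems.append(f"unknown cryptographicAlgo {algo}")
    elif len(hexs) != want or any(c not in "0123456789abcdefABCDEF" for c in hexs):
        problems.append(f"keyHexString must be {want} hex digits for {algo}")
    if not is_active(key["sendlifetime"], now):
        problems.append(f"key {key['keyId']} is outside its send lifetime at {now.isoformat()}")
    return problems
```

For the page's key the send window ends at 06:11:08 on Dec 6 2023, so a push after that date is flagged before the device silently stops using the key.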
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide:
Configuring Tunnel Encryption Keychain
POST http://<mgmt_IP>/api/mo/sys.json

```json
{
  "topSystem": {
    "children": [
      {
        "kcmgrEntity": {
          "children": [
            {
              "kcmgrKeychains": {
                "children": [
                  {
                    "kcmgrTunnelencryptKeychain": {
                      "attributes": {
                        "keychainName": "test"
                      },
                      "children": [
                        {
                          "kcmgrTunnelencryptKeyId": {
                            "attributes": {
                              "cryptographicAlgo": "AES_128_CMAC",
                              "encryptType": "unencrypted",
                              "keyHexString": "abcdef0123456789abcdef0123456789",
                              "keyId": "11"
                            },
                            "children": [
                              {
                                "kcmgrTunnelencryptSendlifetime": {
                                  "attributes": {
                                    "duration": "20000",
                                    "infinite": "disabled",
                                    "local": "local",
                                    "startDay": "6",
                                    "startMonth": "Dec",
                                    "startTime": "00:37:48",
                                    "startYear": "2023"
                                  }
                                }
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  }
}
```
Response:

```json
{
  "imdata": []
}
```
YANG (XML) payload:

```xml
<System>
  <kcmgr-items>
    <keychains-items>
      <tunnelencryptkeychain-items>
        <TunnelencryptKeychain-list>
          <keychainName>test</keychainName>
          <tunnelencryptkeyid-items>
            <TunnelencryptKeyId-list>
              <keyId>11</keyId>
              <cryptographicAlgo>AES_128_CMAC</cryptographicAlgo>
              <encryptType>unencrypted</encryptType>
              <keyHexString>abcdef0123456789abcdef0123456789</keyHexString>
              <tunnelencryptsendlifetime-items>
                <duration>20000</duration>
                <infinite>disabled</infinite>
                <local>local</local>
                <startDay>6</startDay>
                <startMonth>Dec</startMonth>
                <startTime>00:37:48</startTime>
                <startYear>2023</startYear>
              </tunnelencryptsendlifetime-items>
            </TunnelencryptKeyId-list>
          </tunnelencryptkeyid-items>
        </TunnelencryptKeychain-list>
      </tunnelencryptkeychain-items>
    </keychains-items>
  </kcmgr-items>
</System>
```
CLI Commands
The following CLI commands are equivalent to the DME (JSON) and YANG (XML) payloads shown above.
key-chain tunnelencrypt-psk tunnel-encryption
Note: The property information for this example was added in release 10.3(1)F.
Verifying a DME Configuration
The following table contains the distinguished name (DN) for each managed object (MO) in the DME payload. Issue a GET request using the DN to verify the configuration was posted or to get information about the configured properties of a particular object.
| MO | DN |
|---|---|
| topSystem | sys |
| kcmgrEntity | sys/kcmgr |
| kcmgrTunnelencryptKeychain | sys/kcmgr/keychains/tunnelencryptkeychain-{[keychainName]} |
| kcmgrTunnelencryptKeyId | sys/kcmgr/keychains/tunnelencryptkeychain-{[keychainName]}/tunnelencryptkeyid-{keyId} |
| kcmgrTunnelencryptSendlifetime | sys/kcmgr/keychains/tunnelencryptkeychain-{[keychainName]}/tunnelencryptkeyid-{keyId}/sendlifetime |
Related Documentation
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference:
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload:
https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide: