Brocade Communications Systems 12.4.00 manual Regenerating the session keys

Secure GSLB

The one-time option configures the peer public keys for one-time usage, which is the highest level of security. The keys expire as soon as the TCP session to the peer device is disconnected. To set up a new connection between the devices to forward GSLB messages, you must redo the key exchange steps detailed previously. When you enable the gslb auth-encrypt-communication secure-only option on a site, the ServerIron ADX communicates only with a controller that is Secure GSLB enabled.

Issue the command gslb auth-encrypt-communication peer-pub-key-expire one-time before exchanging keys using crypto key-exchange passive. If you exchange the keys first, the one-time usage does not take effect until the next exchange.

The never option configures the peer public keys to never expire automatically after the initial public key exchange. They are assumed to be valid until an administrator manually intervenes and performs a new public key exchange. The keys are saved and reused for new TCP connections, so network administrators do not need to be involved after the initial key exchange. Because a compromised peer key remains trusted indefinitely under this option, plan a manual re-exchange as part of key rotation.

The <timeout> parameter configures the peer public keys to remain valid for a specific duration in seconds, independent of how many TCP connection setup and teardown events occur during that time. If no TCP connection is established for the configured period, or if the connection to the peer is lost for that length of time, the keys time out (expire). In that case, the key exchange and authentication procedure detailed earlier is required before a new connection can be set up.

Regenerating the session keys

To limit the exposure of the encryption key and authentication keys (the session keys) if they are compromised, the system supports both dynamic and manual session key regeneration.

Manually regenerating the session keys

To manually clear the session keys and force the regeneration of session keys, enter the following command.

Secure-GSLB-ServerIronADX# clear gslb session-keys

Syntax: clear gslb session-keys

Dynamically regenerating the session keys

The system dynamically regenerates the encryption and authentication keys (session keys) either at a specified regenerate-key-interval or at random.

To configure the system to dynamically regenerate the session keys at a specified interval, enter commands such as the following:

Secure-GSLB-ServerIronADX(config)# gslb site sfo
Secure-GSLB-ServerIronADX(config-gslb-site-sfo)# si slb-1 100.1.1.3 regenerate-key-interval 30

To configure the system to randomly decide when to regenerate the key within 1-30 minutes, enter commands such as the following:

Secure-GSLB-ServerIronADX(config)# gslb site sfo
Secure-GSLB-ServerIronADX(config-gslb-site-sfo)# si slb-1 100.1.1.3 regenerate-key-interval 30 random

Syntax: [no] si <si-name> <si-ip-address> regenerate-key-interval <duration> [random]

The <duration> value is in minutes: in the examples above, an interval of 30 without random regenerates the session keys every 30 minutes, and with random it regenerates them at a randomly chosen point within 1 to 30 minutes. The random form makes the rekey time unpredictable to an observer of the GSLB traffic.
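The following is an added illustration of the behaviour described in the peer public key expiry section (one-time, never, <timeout>) and in this section (regenerate-key-interval with and without random). It is not ServerIron ADX code and does not come from the Brocade guide: the class and function names are assumptions, time is a plain integer of simulated seconds so the timelines replay offline, and the key material in the replay is constructed. The <timeout> policy is modelled as "the key expires once no TCP session has existed for <timeout> seconds", which is this page's description of it.

```python
# Added illustration of Secure GSLB peer public-key expiry policies and
# session-key regeneration timing. Not ServerIron code: names are assumptions,
# "now" is simulated seconds, and the key strings are constructed sample data.
import random


class PeerPublicKey:
    """Peer public key stored under one expiry policy:
    'one-time', 'never' or 'timeout' (the <timeout> form, in seconds)."""

    def __init__(self, policy, timeout_seconds=0):
        if policy not in ("one-time", "never", "timeout"):
            raise ValueError("policy must be one-time, never or timeout")
        if policy == "timeout" and timeout_seconds <= 0:
            raise ValueError("timeout policy needs a positive timeout_seconds")
        self.policy = policy
        self.timeout_seconds = timeout_seconds
        self.key = None          # None means a key exchange is required
        self.connected = False
        self.idle_since = None   # when the peer was last seen without a session
        self.exchanges = 0       # how often an admin had to (re)exchange keys

    def key_exchange(self, key, now):
        """Manual step (the crypto key-exchange commands on the page)."""
        self.key = key
        self.idle_since = now
        self.exchanges += 1

    def is_valid(self, now):
        if self.key is None:
            return False
        # timeout: expires once no TCP session has existed for timeout_seconds
        if (self.policy == "timeout" and not self.connected
                and now - self.idle_since >= self.timeout_seconds):
            self.key = None
            return False
        return True

    def tcp_connect(self, now):
        """Open a GSLB session. True: the stored key is usable.
        False: the key exchange steps must be redone first."""
        if not self.is_valid(now):
            return False
        self.connected = True
        return True

    def tcp_disconnect(self, now):
        self.connected = False
        self.idle_since = now
        if self.policy == "one-time":
            self.key = None      # one-time keys die with the TCP session


def next_regeneration(now, interval_minutes, random_within=False, rng=None):
    """Next session-key regeneration time for
    'regenerate-key-interval <duration> [random]'.
    Fixed: exactly <duration> minutes from now.
    random: a point chosen uniformly within 1..<duration> minutes."""
    if interval_minutes < 1:
        raise ValueError("interval must be at least 1 minute")
    rng = rng or random.Random()
    minutes = rng.randint(1, interval_minutes) if random_within else interval_minutes
    return now + minutes * 60


def replay(policy, timeout_seconds=0):
    """Replay one connect/disconnect timeline and report which (re)connects
    worked without a fresh key exchange. Timeline (constructed):
    exchange at t=0, connect t=1, drop t=100, reconnect t=200 (100 s idle),
    drop t=250, reconnect t=600 (350 s idle)."""
    peer = PeerPublicKey(policy, timeout_seconds)
    peer.key_exchange("peer-pub-key-A", now=0)   # constructed key material
    results = {}
    results["t=1 connect"] = peer.tcp_connect(1)
    peer.tcp_disconnect(100)
    results["t=200 reconnect"] = peer.tcp_connect(200)
    peer.tcp_disconnect(250)
    results["t=600 reconnect"] = peer.tcp_connect(600)
    return results


if __name__ == "__main__":
    for policy, t in (("one-time", 0), ("never", 0), ("timeout", 300)):
        print(policy, replay(policy, t))
    print("fixed rekey at", next_regeneration(0, 30),
          "random rekey at", next_regeneration(0, 30, True, random.Random(7)))
```

Running the replay shows the trade-off the page describes: one-time forces a manual exchange before every reconnect, never accepts every reconnect for as long as the stored key exists, and timeout 300 tolerates the 100 s outage but not the 350 s one.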

ServerIron ADX Global Server Load Balancing Guide


53-1002437-01