Regenerating the session keys, Manually regenerating the session keys, Dynamically regenerating the session keys – Brocade Virtual ADX Global Server Load Balancing Guide (Supporting ADX v03.1.00) User Manual


Brocade Virtual ADX Global Server Load Balancing Guide

53-1003245-01

Secure GSLB

1

The never option, after the initial public key exchange, configures the peer public keys to never
automatically expire. They are assumed to be valid until and unless the administrators manually
intervene and perform the public key exchange. The keys will be saved and reused for new TCP
connections. Network administrators do not need to be involved after initial key exchange.

The timeout parameter configures the peer public keys to be valid for a specific duration of
seconds independent of how many TCP connection setup and tear down events occur during this
time. If the TCP connection is not established for the user-configured period of time, or if the
connection to the peer is lost for this duration of time, these keys time out (expire). In this case, the
key exchange and authentication procedure detailed earlier is required to set up a new connection.

Regenerating the session keys

To prevent the encryption and authentication keys from being compromised, the system
supports dynamic or manual session key regeneration.

Manually regenerating the session keys

To manually clear the session keys and force the regeneration of session keys, enter the following
command.

Secure-GSLB-Virtual ADX#clear gslb session-keys

Syntax: clear gslb session-keys

Dynamically regenerating the session keys

The system dynamically regenerates the encryption and authentication keys (session keys) either
at a specified regenerate-key-interval or at random.

To configure the system to dynamically regenerate the session keys at a specified interval, enter
commands such as the following.

Secure-GSLB-Virtual ADX(config)#gslb site sfo

Secure-GSLB-Virtual ADX(config-gslb-site-sfo)#si slb-1 10.1.1.3 regenerate-key-interval 30

To configure the system to randomly decide when to regenerate the key within 1 - 30 minutes, enter
commands such as the following.

Secure-GSLB-Virtual ADX(config)#gslb site sfo

Secure-GSLB-Virtual ADX(config-gslb-site-sfo)#si slb-1 10.1.1.3 regenerate-key-interval 30 random

Syntax: [no] si si-name si-ip-address regenerate-key-interval duration [random]

The si-name parameter specifies the name of the peer site ADX device to regenerate the session
keys for.

The si-ip-address parameter specifies the IP address of the peer site ADX device.

The regenerate-key-interval duration parameter configures the ADX device to periodically
regenerate session keys for the peer site ADX device. Each time a connection is set up, this key is
regenerated and negotiated.

The duration specifies the duration in minutes after which new session keys will be regenerated.
