Regenerating the session keys, Manually regenerating the session keys, Dynamically regenerating the session keys – Brocade Communications Systems ServerIron ADX 12.4.00 User Manual

ServerIron ADX Global Server Load Balancing Guide
53-1002437-01, page 63

Chapter 1: Secure GSLB

The one-time option configures the peer public keys for a one-time usage, which is the highest level
of security. They expire after each TCP session to the peer device is disconnected. To set up a new
connection between the devices to forward GSLB messages, you must redo the key exchange steps
detailed previously. When you enable the gslb auth-encrypt-communication secure-only option on a
site, the ServerIron ADX will communicate only with the controller that is Secure GSLB enabled.

Consider issuing the command gslb auth-encrypt-communication peer-pub-key-expire one-time
before exchanging keys using crypto key-exchange passive. If you exchange the keys first, the
one-time usage will not take effect until the next exchange.

The never option, after the initial public key exchange, configures the peer public keys to never
automatically expire. They are assumed to be valid until and unless the administrators manually
intervene and perform the public key exchange. The keys will be saved and reused for new TCP
connections. Network administrators do not need to be involved after initial key exchange.

The <timeout> parameter configures the peer public keys to be valid for a specific duration of
seconds independent of how many TCP connection setup and tear down events occur during this
time. If the TCP connection is not established for the user-configured period of time, or if the
connection to the peer is lost for this duration of time, these keys time out (expire). In this case, the
key exchange and authentication procedure detailed earlier is required to set up a new connection.

Regenerating the session keys

To prevent the encryption key and authentication keys from being compromised, the system
supports dynamic or manual session key regeneration.

Manually regenerating the session keys

To manually clear the session keys and force the regeneration of session keys, enter the following
command.

Secure-GSLB-ServerIronADX# clear gslb session-keys

Syntax: clear gslb session-keys

Dynamically regenerating the session keys

The system dynamically regenerates the encryption and authentication keys (session keys) either
at a specified regenerate-key-interval or at random.

To configure the system to dynamically regenerate the session keys at a specified interval, enter
commands such as the following:

Secure-GSLB-ServerIronADX(config)# gslb site sfo

Secure-GSLB-ServerIronADX(config-gslb-site-sfo)# si slb-1 100.1.1.3 regenerate-key-interval 30

To configure the system to randomly decide when to regenerate the key within 1-30 minutes, enter
commands such as the following:

Secure-GSLB-ServerIronADX(config)# gslb site sfo

Secure-GSLB-ServerIronADX(config-gslb-site-sfo)# si slb-1 100.1.1.3 regenerate-key-interval 30 random

Syntax: [no] si <si-name> <si-ip-address> regenerate-key-interval <duration> [random]
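The commands from this page assembled into one ordered sequence, as an added example rather than a listing from the manual: the one-time expiry option is issued before the passive key exchange so that it applies to that exchange, the site is restricted to Secure GSLB peers, and the site's SI is given randomized session-key regeneration. The configuration mode in which the auth-encrypt-communication and crypto key-exchange commands are entered is assumed here; the site name, SI name, address and 30-minute value are the manual's own sample values.

```text
! Assumed: both commands below are accepted at the global config prompt.
! Expiry policy must be set BEFORE the exchange, or it applies only to the next one.
Secure-GSLB-ServerIronADX(config)# gslb auth-encrypt-communication peer-pub-key-expire one-time
Secure-GSLB-ServerIronADX(config)# gslb auth-encrypt-communication secure-only
Secure-GSLB-ServerIronADX(config)# crypto key-exchange passive
! Per-site, per-SI session-key regeneration: a random point within 1-30 minutes.
Secure-GSLB-ServerIronADX(config)# gslb site sfo
Secure-GSLB-ServerIronADX(config-gslb-site-sfo)# si slb-1 100.1.1.3 regenerate-key-interval 30 random
! Force an immediate regeneration without waiting for the interval.
Secure-GSLB-ServerIronADX# clear gslb session-keys
```

With the one-time policy, each TCP session to the peer that drops invalidates the peer public key, so the exchange steps must be repeated before GSLB messages flow again; the interval setting only governs the session keys negotiated under a still-valid peer key.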
