key-manager

Syntax

Hierarchy Level

Description

You can use Junos Key Manager (JKM) to configure static keys or dynamic keys that protect the data plane and the control plane.

The JKM process acts as a key store and as a proxy between a client or crypto application and the source of its keys. The client or crypto application needs a key to establish an encrypted and authenticated quantum-safe session with its peer. A quantum-safe session relies on an out-of-band key retrieval mechanism that delivers the same key to both peers, and each out-of-band mechanism has its own protocol or method of communication. JKM hides those differences behind one uniform interface that client and crypto applications use to request keys.

Options
default-key-size default-key-size

Define default size of keys (in bits).

Set the default key size used when the Key Management Entity (KME) server is asked for quantum key distribution (QKD) keys. If it is not configured, every GET_KEYS request must carry its own key size parameter.

  • Range: 256 to 4096.

  • Default: 256

local-certificate-id local-certificate-id

Define the local certificate identifier used for client authentication.

The identifier of the local certificate, retrieved from the PKI daemon (PKID), that the device presents when it authenticates to the KME server during TLS connection setup. If you do not configure this parameter, no client certificate is sent and no client authentication data is provided to the KME server; whether the server still accepts the connection depends on the server's own policy. If the configured URL uses HTTP, this parameter is ignored.

Range: 1 to 32 characters.

local-sae-id local-sae-id

Define local SAE identifier.

The Secure Application Entity (SAE) ID assigned to the local application on the KME server. The KME server uses it, together with peer-sae-ids, to identify the entities for which the QKD keys are generated and to which they are delivered.

Range: 1 to 250 characters

peer-sae-ids [peer-sae-id1, peer-sae-id2..]

Define a list of SAE identifiers.

The Key Management Entity (KME) server uses the SAE IDs of the remote applications, together with local-sae-id, to determine the recipients of the generated quantum key distribution (QKD) keys. The server generates and delivers the keys according to these SAE IDs.

Range:

  • Length of list: 1 to 20

  • Length of string: 1 to 250

If the configuration does not include peer SAE IDs, the application requesting the keys must provide the peer SAE IDs, or the key request fails.

When you use the Quantum Key Manager-based key profile for VPN, you do not need to configure this parameter.

trusted-cas [trusted-cas1, trusted-cas2..]

Define a list of CA certificate(s) used for server certificate verification.

The device treats the listed CA(s) as trust anchors when it verifies the KME server certificate. If you do not configure this parameter, the device still establishes an HTTPS connection with the KME server but does not verify the server certificate, so it cannot distinguish the genuine KME server from an impostor presenting any certificate; configure trusted-cas in any production deployment. The device does not support wildcard-based server certificates. For verification to succeed, the server certificate must carry either a domain name or an IP address as its Common Name.

Configure the url parameter to match the server certificate: if the certificate is domain-name based, configure the URL with that domain name; if it is IP-address based, ensure that the URL includes that IP address.

Range:

  • Length of list: 1 to 10

  • Length of string: 1 to 32

key (ascii-text ascii-text | hexadecimal hexadecimal)

A static post-quantum preshared key (PPK) used during IKEv2 quantum-safe SA negotiation, as specified in RFC 8784. Both peers must hold the identical key. Generate it from a cryptographic random source: a short ASCII passphrase has far less entropy than its character count suggests and undermines the quantum resistance the PPK is meant to add.

  • ascii-text–Enter the key as text.

    Range: 32 to 512 characters

  • hexadecimal–Enter the key as hexadecimal digits.

    Range: 64 to 1024 digits (32 to 512 bytes, that is, 256 to 4096 bits)

key-id (ascii-text ascii-text | hexadecimal hexadecimal)

A static PPK ID used during IKEv2 quantum-safe SA negotiation, as specified in RFC 8784. The ID tells the peer which PPK to use, so the same key-id must be configured on both peers.

  • ascii-text–Enter the key ID as text.

    Range: 1 to 200 characters

  • hexadecimal–Enter the key ID as hexadecimal digits.

    Range: 64 to 1024 digits
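An added example for the key and key-id options above; it is not JKM or Juniper code. It validates PPK and PPK ID strings against the length limits quoted on this page, generates a PPK in the hexadecimal form, shows why a minimum-length ascii-text key cannot carry 256 bits of entropy, and applies the RFC 8784 mixing step (SK_d, SK_pi and SK_pr each replaced by prf+(PPK, SK_x)) to show that peers derive identical keys only when their PPK bytes match. HMAC-SHA256 as the PRF and the sample SK values are assumptions for illustration.

```python
"""Added example, not Juniper or JKM code.

Handles the static PPK and PPK ID accepted by the key / key-id options
(length limits are the ones quoted on this page) and shows how RFC 8784
mixes the PPK into the IKEv2 SA keys.  The PRF is assumed to be
HMAC-SHA256; the prf+ construction is RFC 7296 section 2.13.
"""
import hashlib
import hmac
import math
import secrets

# Character-count limits quoted on this page: (min, max) per input form.
LIMITS = {
    "key":    {"ascii-text": (32, 512), "hexadecimal": (64, 1024)},
    "key-id": {"ascii-text": (1, 200),  "hexadecimal": (64, 1024)},
}
PRINTABLE_ASCII = 95  # symbols available to a random printable-ASCII string


def parse_value(option: str, form: str, value: str) -> bytes:
    """Validate a key or key-id string against the page's limits and return
    the raw bytes both peers must share.  Raises ValueError when the
    statement would reject the input."""
    lo, hi = LIMITS[option][form]
    if not lo <= len(value) <= hi:
        raise ValueError(f"{option} {form}: length {len(value)} not in {lo}..{hi}")
    if form == "ascii-text":
        if not (value.isascii() and value.isprintable()):
            raise ValueError(f"{option} ascii-text must be printable ASCII")
        return value.encode("ascii")
    if len(value) % 2:
        raise ValueError(f"{option} hexadecimal needs an even number of digits")
    try:
        return bytes.fromhex(value)
    except ValueError:
        raise ValueError(f"{option} hexadecimal contains non-hex characters") from None


def is_accepted(option: str, form: str, value: str) -> bool:
    """True when parse_value() would accept the string."""
    try:
        parse_value(option, form, value)
        return True
    except ValueError:
        return False


def max_entropy_bits(form: str, value: str) -> float:
    """Upper bound on the entropy of a PPK string, assuming every character
    was drawn uniformly.  A 32-character ascii-text key tops out at
    32 * log2(95), about 210 bits, below the 256 bits a 64-digit hex key has."""
    per_char = 4.0 if form == "hexadecimal" else math.log2(PRINTABLE_ASCII)
    return len(value) * per_char


def generate_ppk_hex(bits: int = 256) -> str:
    """Random PPK from the OS CSPRNG in hexadecimal form.  The page's
    64..1024 hex-digit range corresponds to 256..4096 bits."""
    lo, hi = LIMITS["key"]["hexadecimal"]
    if bits % 8 or not lo * 4 <= bits <= hi * 4:
        raise ValueError(f"bits must be a multiple of 8 in {lo * 4}..{hi * 4}")
    return secrets.token_hex(bits // 8)


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 s2.13 with HMAC-SHA256:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), output T1 | T2 | ..."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + seed + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def mix_ppk(ppk: bytes, sk_d: bytes, sk_pi: bytes, sk_pr: bytes):
    """RFC 8784: once the PPK is agreed, SK_d, SK_pi and SK_pr are replaced
    by prf+(PPK, SK_x) truncated to the original length.  Peers holding
    different PPK bytes derive different keys and the SA fails."""
    return tuple(prf_plus(ppk, sk, len(sk)) for sk in (sk_d, sk_pi, sk_pr))


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    ppk_hex = generate_ppk_hex(256)
    ppk = parse_value("key", "hexadecimal", ppk_hex)
    ppk_id = parse_value("key-id", "ascii-text", "site-a-site-b-2024q1")
    sk = [secrets.token_bytes(32) for _ in range(3)]  # stand-ins for SK_d, SK_pi, SK_pr
    assert mix_ppk(ppk, *sk) == mix_ppk(ppk, *sk)            # same PPK on both peers
    assert mix_ppk(ppk, *sk) != mix_ppk(b"\x00" * 32, *sk)   # mismatched PPK
    print(f"PPK ID {ppk_id.decode()} / PPK {ppk_hex[:8]}... "
          f"max entropy {max_entropy_bits('hexadecimal', ppk_hex):.0f} bits")
```

The entropy bound is the practical reason to prefer the hexadecimal form fed from a CSPRNG: the statement accepts a 32-character ascii-text key, but even a perfectly random one gives under 256 bits, and a human-chosen passphrase gives far less.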

url URL

Define the URL of the KME server.

The Key Management Entity (KME) server is an external HTTPS server that manages the Quantum Key Distribution (QKD) devices. A third-party vendor provides the KME-QKD infrastructure, and the server implementation must follow the ETSI specifications. Use an https:// URL: over plain HTTP the retrieved QKD keys cross the network in cleartext, and the local-certificate-id parameter is ignored.

Range: 9 to 250 characters

file filename <files files> <match match> <size bytes> <(world-readable | no-world-readable)>

file—Configure the trace file options.

  • filename—Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log. By default, the name of the file is the name of the process being traced.

  • files number—Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed to trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. The oldest archived file is overwritten.

    If you specify a maximum number of files, you also must specify a maximum file size with the size option and a filename.

    Range: 2 through 1000 files

    Default: 10 files

  • match regular-expression—Refine the output to include lines that contain the regular expression.

  • size maximum-file-size—Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten.

    If you specify a maximum file size, you also must specify a maximum number of trace files with the files option and a filename.

    Syntax: x K to specify KB, x m to specify MB, or x g to specify GB

    Range: 10 KB through 1 GB

    Default: 128 KB

  • world-readable | no-world-readable—By default, log files can be accessed only by the user who configures the tracing operation. The world-readable option enables any user to read the file. To explicitly set the default behavior, use the no-world-readable option.

  • no-remote-trace—Disable remote tracing.

level (critical | detail | error | extensive | terse | warning)

  • critical–Log single-point failures.

  • detail–Log object CRUD and protocol operational information.

  • error–Log fatal application errors.

  • extensive–Log all functionality.

  • terse–Log syslogs.

  • warning–Log recoverable errors.
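A complete configuration exercising the options above, added here as an example; it is not taken from Juniper documentation. Because the Syntax and Hierarchy Level sections of this page are blank, the nesting under security key-manager (a profiles container holding quantum-key-manager and static-keys profiles) is an assumption to check against the release you run. The hostnames, profile names, SAE IDs and the 64-digit hexadecimal key are constructed placeholders, and the kme-root-ca CA profile and jkm-client-cert local certificate are assumed to already exist under security pki. The first quantum-key-manager profile shows the weak settings this page warns about (HTTP, no trusted-cas, no client certificate); the second is the corrected form.

```junos
security {
    key-manager {
        profiles {
            /* Weak: cleartext URL, so retrieved QKD keys cross the wire
               unencrypted; local-certificate-id would be ignored for HTTP,
               and with no trusted-cas the server certificate is never
               checked even over HTTPS. */
            qkd-insecure {
                quantum-key-manager {
                    url http://kme1.example.net;
                    local-sae-id sae-dc1-gw;
                    peer-sae-ids [ sae-dc2-gw ];
                }
            }
            /* Corrected: HTTPS, server certificate verified against
               kme-root-ca (its Common Name must be kme1.example.net, since
               wildcards are not supported), client certificate presented,
               explicit default key size so GET_KEYS requests may omit it. */
            qkd-dc1 {
                quantum-key-manager {
                    url https://kme1.example.net:8443;
                    trusted-cas [ kme-root-ca ];
                    local-certificate-id jkm-client-cert;
                    local-sae-id sae-dc1-gw;
                    peer-sae-ids [ sae-dc2-gw sae-dc3-gw ];
                    default-key-size 256;
                }
            }
            /* Static RFC 8784 PPK: 64 hex digits = 256 bits, the page's
               minimum; the same key-id and key must be configured on the
               peer gateway. Placeholder value, not a real key. */
            ppk-site-a-b {
                static-keys {
                    key-id ascii-text "site-a-site-b-2024q1";
                    key hexadecimal 9f2a6c1d4e7b0853a1c2d3e4f5061728394a5b6c7d8e9f001122334455667788;
                }
            }
        }
        /* Trace file stays readable only by the configuring user; five
           1 MB files are rotated. Use level warning in production and raise
           to detail or extensive only while troubleshooting, because the
           higher levels log key management operations. */
        traceoptions {
            file jkm.log size 1m files 5 no-world-readable;
            level warning;
        }
    }
}
```

Before committing, confirm that the URL host form (domain name or IP address) matches the KME server certificate's Common Name and that the CA profile named in trusted-cas is the one that issued that certificate; a mismatch fails verification rather than silently falling back to an unverified connection.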

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 22.4R1.