Installation guide
Chapter 7
Connecting the Switch to the Network
7 - 10
Redundant switches must use the same master key because they share the
same users, groups, and passwords. In the case of a DR configuration, all
four ARXs must be configured with a common master key.
At the switch that is currently installed, use the show master-key command
to create an encrypted copy of the master key.
The CLI prompts you for two passwords:
• System Password is a password entered at initial-boot time (see Sample:
  Booting a Non-Replacement Switch, on page 7-4). It is 12-32 characters
  long. This validates that you have permission to access the master key.
• Wrapping Password is set with this command. The security software uses
  this to encrypt (and later decrypt) the master-key string.
  Enter 12-32 characters. At least one character in this password must be a
  number (0-9) or a symbol (!, @, #, $, and so on).
  Save this password: you will need it to decrypt the master key later, on
  the new switch.
This command outputs a base64-encoded string that is the encrypted master
key. Save this string and the wrapping password that you set in the
command.
For example, this shows the master key on a switch named "minturnB":
minturnB# show master-key
Master Key System Password: %uper$ecretpw
Wrapping Password: an0ther$ecretpw
Validate Wrapping Password: an0ther$ecretpw
Encrypted master key:
2oftVCwAAAAgAAAApwazSRFd2ww/H1pi7R7JMDZ9SoIg4WGA/XsZP+HcXjsIAAAADDRbMCxE/bc=
minturnB# ...
Applying the Master Key
As shown in an example earlier, there is a prompt for the master key in the
initial-boot script. You can answer this prompt with the encrypted master
key; the script then prompts for the wrapping password. For example,
...
The master key is used to encrypt critical security parameters.
15. Enter the master key
in the format base64-encoded key or keyword 'generate'. (default=generate) #
2oftVCwAAAAgAAAApwazSRFd2ww/H1pi7R7JMDZ9SoIg4WGA/XsZP+HcXjsIAAAADDRbMCxE/bc=
The wrapping password in use to encrypt and decrypt the master key.
16. Enter the wrapping password
in the format text (6-28 characters). # an0ther$ecretpw
Confirm the wrapping password # an0ther$ecretpw
...
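A pre-flight check for the two values carried from the installed switch to the new one, as an added example that is not part of the original guide or the product's own code. It rejoins an encrypted key that the terminal wrapped across lines, confirms it is intact base64 before you paste it at the initial-boot prompt, and checks a wrapping password against the 12-32 character rule. The function names are hypothetical, and treating "symbol" as any ASCII punctuation character is an assumption.

```python
import base64
import re
import string

# Limits quoted in the guide for the wrapping password set by "show master-key".
MIN_LEN, MAX_LEN = 12, 32
# Assumption: "symbol" means any ASCII punctuation character.
NUMBER_OR_SYMBOL = set(string.digits + string.punctuation)


def check_wrapping_password(password):
    """Return a list of rule violations; an empty list means acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is outside {MIN_LEN}-{MAX_LEN}")
    if not any(ch in NUMBER_OR_SYMBOL for ch in password):
        problems.append("needs at least one number or symbol")
    return problems


def normalize_encrypted_key(captured):
    """Rejoin a terminal-wrapped key and confirm it is intact base64.

    Returns the key as one line, ready to paste at the initial-boot prompt.
    Raises ValueError if the capture was truncated or picked up stray text.
    """
    key = re.sub(r"\s+", "", captured)
    if not key:
        raise ValueError("no key text found")
    try:
        # validate=True rejects non-alphabet characters and broken padding.
        base64.b64decode(key, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError(f"not intact base64: {exc}") from None
    return key


if __name__ == "__main__":
    # Sample values from the guide's "minturnB" session, wrapped as displayed.
    shown = """2oftVCwAAAAgAAAApwazSRFd2ww/H1pi7R7JMDZ9SoIg4WGA/XsZP+HcXjsIAAAADDRbM
CxE/bc="""
    print(normalize_encrypted_key(shown))
    print(check_wrapping_password("an0ther$ecretpw") or "wrapping password OK")
```

Run it on the workstation where the key and password are stored, not on the switch; it checks only the form of the values and cannot tell whether the wrapping password matches the key.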