mka psk
Use mka psk to set a preshared key as the CAK.
Use undo mka psk to restore the default.
Syntax
mka psk ckn name cak { cipher | simple } string
undo mka psk
Default
No preshared key exists.
Views
Ethernet interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ckn name: Specifies the preshared key name, a hexadecimal string with an even number of case-insensitive characters. The name length is in the range of 2 to 64 characters.
cak: Specifies the preshared key.
cipher: Specifies the preshared key in encrypted form.
simple: Specifies the preshared key in plaintext form. For security purposes, the preshared key specified in plaintext form will be stored in encrypted form.
string: Specifies the preshared key. The plaintext form of the key is a hexadecimal string with an even number of case-insensitive characters, and the key length is in the range of 2 to 64 characters. The encrypted form of the key is a case-sensitive string of 2 to 117 characters.
Usage guidelines
Make sure the connected MACsec ports are configured with the same key. If the connected ports are configured with different keys, they cannot successfully establish MKA sessions.
To delete the configured keys for MKA sessions that have been established, perform the following tasks:
Execute the undo mka psk command on the key server.
Execute the undo mka psk command on the non-key server.
The deletion operation deletes the established MKA sessions at the same time.
The MACsec cipher suite supported by the device requires the CKN and the CAK to each be 32 characters long. If the configured CKN or CAK is not 32 characters long, the system performs the following operations when it runs the cipher suite:
Automatically increases the length of the CKN or CAK by zero padding if the CKN or CAK contains fewer than 32 characters.
Uses only the first 32 characters if the CKN or CAK contains more than 32 characters.
To successfully establish an MKA session between two connected ports, make sure that only those two ports are configured with the same CKN in the network.
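An added example, not taken from this command reference: a Python check that reads mka psk lines from a saved configuration and reports CKN and CAK values the cipher suite would zero-pad or truncate, because a padded key carries fewer secret characters than the 32 the suite uses and long CKNs that share their first 32 characters end up as the same name. The function names and the sample lines other than the page's own example command are constructed; the page does not say where the padding is placed, so the code only counts padding characters.

```python
import re

# Syntax from the page: mka psk ckn name cak { cipher | simple } string
PSK_RE = re.compile(r"^\s*mka psk ckn (\S+) cak (cipher|simple) (\S+)\s*$")
SUITE_LEN = 32  # characters of CKN and CAK the cipher suite uses, per the page


def check_hex(label, value):
    """Findings for one plaintext hex value (a CKN or a simple-form CAK)."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", value):
        return [f"{label}: not a hexadecimal string"]
    n, findings = len(value), []
    if n % 2 or not 2 <= n <= 64:
        findings.append(f"{label}: length {n} is not an even number from 2 to 64")
    if n < SUITE_LEN:
        findings.append(f"{label}: {SUITE_LEN - n} of {SUITE_LEN} characters will be zero padding")
    elif n > SUITE_LEN:
        findings.append(f"{label}: characters after the first {SUITE_LEN} are not used")
    return findings


def audit_line(line):
    """Audit one 'mka psk' configuration line and return its findings."""
    m = PSK_RE.match(line)
    if not m:
        return ["not an mka psk command"]
    ckn, form, key = m.groups()
    findings = check_hex("CKN", ckn)
    if form == "simple":  # a cipher-form string is encrypted, so it is not judged
        findings += check_hex("CAK", key)
    return findings


def used_prefix(value):
    """Case-folded first 32 characters: what the suite keeps of a long value."""
    return value[:SUITE_LEN].upper()


if __name__ == "__main__":
    # Constructed sample lines; the first is the command from the page's example.
    long_a = "a1" * 16 + "00"
    long_b = "A1" * 16 + "FF"
    for line in ("mka psk ckn AB cak simple 1234",
                 f"mka psk ckn {long_a} cak simple {'0f' * 16}"):
        print(line, "->", audit_line(line) or "ok")
    print("long CKNs collide:", used_prefix(long_a) == used_prefix(long_b))
```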
Examples
# Configure the CAK name as AB, and set the CAK to 1234 in plain text on Ten-GigabitEthernet 4/1/1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 4/1/1
[Sysname-Ten-GigabitEthernet4/1/1] mka psk ckn AB cak simple 1234