HP StorageWorks Secure Key Manager users guide AJ087-96011 Part number: AJ087–96011 2nd edition: November 2008
Legal and notice information © Copyright 2007-2008 Hewlett-Packard Development Company, L.P. © Copyright 2000, 2008 Ingrian Networks, Inc. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.
Contents: 1 Installing and replacing hardware; Preparing for the installation; Tools for installation; Taking ESD precautions; Grounding methods to prevent electrostatic discharge; Rack planning resources; Rack requirements; Rack warnings; Optimum environment
Creating a user; Creating a group; Adding a user to a group; Removing a user from a group; Deleting a user; Deleting a group; LDAP server procedures; Setting up the LDAP user directory; Testing the LDAP user directory connection
Configuring SNMPv3 on the SKM; Administrator procedures; Creating an administrator; Deleting an administrator; LDAP Administrator server procedures; Setting up the LDAP administrator server; Testing the LDAP administrator server connection; Setting up the LDAP schema
Rolling back software; System Health page; Refresh page; Power Supply Status; Cooling Fan Status; Network Diagnostics page; Ping Information; Traceroute Information; Host Information; Netstat Information; Reading Netstat Results
LDAP Groups; User List; Certificate and CA Configuration Page; Certificate List; Certificate Information; Certificate Installation; Self Signed Certificate; Create Certificate Request; Using the Import Certificate screen
Cluster Settings; Create Cluster; Join Cluster; Configuring the Date & Time; Network Time Protocol overview; Date & Time Configuration Page; Date and Time Settings; NTP Settings; Configuring the network; Network Interfaces sections; Network Interface List
Remote Administration Settings overview; Remote Administration Settings sections; Remote Administration Settings; LDAP Administrator Server; LDAP Administrator server and FIPS compliance; LDAP Administrator Server Properties section; LDAP Schema Properties; LDAP Failover Server Properties; Viewing logs and statistics; Logging overview; Log rotation
CRL commands; Client event log commands; Device reset and restore commands; Diagnostic commands; FIPS commands; Health check configuration commands; Help commands; History commands; Log commands; Mode commands; Network commands; Services commands; SNMP commands; SSL commands; Statistics commands
Italian notice; Latvian notice; Lithuanian notice; Polish notice; Portuguese notice; Slovakian notice; Slovenian notice; Spanish notice; Swedish notice; Battery replacement notices; Dutch battery notice; French battery notice; German battery notice; Italian battery notice; Japanese battery notice; Spanish battery notice
Figures: 1 Identify the contents of the shipping carton (page 26); 2 Connect the power supplies to AC power sources (page 29); 3 Viewing the Certificate Response Field (page 52); 4 Filtering the list of keys (page 70); 5 Exporting the key
34 Back of SKM appliance (page 102); 35 Viewing the Administrator Authentication screen (page 103); 36 Viewing the Logout window (page 103); 37 Viewing the Security Summary section (page 104); 38 Viewing the System Summary section (page 104)
71 Viewing the LDAP Schema Properties section (page 132); 72 Viewing the LDAP Failover Server Properties section (page 133); 73 Viewing the LDAP Users section (page 134); 74 Viewing the LDAP Groups section (page 135); 75 Viewing the User List section (page 136); 76 Viewing the Certificate List section
108 Viewing the Date and Time Settings section (page 181); 109 Viewing the NTP Settings section (page 182); 110 Viewing the Network Interface List section (page 183); 111 Viewing the Default Gateway List section (page 184); 112 Viewing the Static Route List section
145 Viewing the Activity Log section (page 233); 146 Viewing the Current Activity Log section (page 234); 147 Viewing the Client Event Log section (page 235); 148 Viewing the Current Client Event Log section (page 235); 149 Viewing the Refresh Statistics section
Tables: 1 Create Backup: Security Items section components (page 87); 2 Create Backup: Device Items section components (page 88); 3 Create Backup: Backup Settings section components (page 89); 4 Restore Backup section components (page 90); 5 Internal Backup List section components (page 91); 6 Internal Backup List section components
34 Saved Queries section components (page 117); 35 Modify Query section components (page 118); 36 Create Key section components (page 119); 37 Clone Key section components (page 120); 38 Import Key section components (page 121); 39 Authorization Policies section components
72 FIPS Compliance section components (page 157); 73 High Security Settings section components (page 158); 74 Security Settings Configured Elsewhere section components (page 159); 75 FIPS Status Server tests (page 161); 76 FIPS Status Report components
110 Grant a Credential section components (page 215); 111 Remote Administration Settings section components (page 217); 112 LDAP Administrator Server Properties section components (page 219); 113 LDAP Schema Properties section components (page 220); 114 LDAP Failover Server Properties section components (page 221); 115 Log file naming conventions
1 Installing and replacing hardware
This section details the steps to install or replace the SKM hardware:
• Preparing for the installation
• Rack planning resources
• Optimum environment
• Unpacking
• Identifying the shipping carton contents
• Removing the existing appliance
• Install rails in the rack
Preparing for the installation
Tools for installation
• Two people
• #2 Phillips screwdriver
• Box cutting knife
• Laptop or PC that can be attached to the appliance using the null modem cable for the ini
• Use a portable field service kit with a folding static-dissipating work mat. If you do not have any of the suggested equipment for proper grounding, have an authorized reseller install the part. For more information on static electricity or assistance with product installation, contact your authorized reseller. Rack planning resources The rack resource kit ships with all HP or Compaq branded 9000, 10000, and H9 series racks.
WARNING! To reduce the risk of personal injury or equipment damage when unloading a rack: • At least two people are needed to safely unload a rack from a pallet. An empty 42U rack can weigh as much as 115 kg (253 lb), can stand more than 2.1 m (7 ft) tall, and may become unstable when being moved on its casters. • Never stand in front of a rack when it is rolling down the ramp from the pallet. Always handle a rack from both sides.
The maximum recommended ambient operating temperature (TMRA) for the SKM system is 35° C (95° F). The temperature in the room where the rack is located must not exceed 35° C (95° F). CAUTION: To reduce the risk of damage to the equipment when installing third-party options: • Do not permit optional equipment to impede airflow around the SKM or to increase the internal rack temperature beyond the maximum allowable limits. • Do not exceed the TMRA.
Unpacking Place the shipping carton as close to the installation site as possible. Before unpacking the SKM, inspect the shipping carton for damage that may have occurred during shipment. If you detect any damage, notify the carrier and HP before unpacking the unit. To unpack the SKM: 1. Open the top of the shipping cartons. 2. Carefully lift the units out of the boxes and remove the packing materials. 3. Place the units on a stable work surface.
Figure 1 Identify the contents of the shipping carton
Item, Description:
1 Appliance
2 Power cords (2: 1 black, 1 gray)
3 Null modem cable
4 1U rack mounting hardware kit and documentation
5 Keys to the bezel (2 sets of 2 keys)
6 Documentation CD
7 1U spacer
8 USB key
9 Completed appliance information sheet, Pre-installation survey and checklist, and Installation poster
NOTE: If this is a replacement appliance, note how the unit is packed in the shipping carton.
Removing an existing SKM (appliance) from the system
Skip this step if you are installing a new appliance.
1. Zeroize the original appliance. To do so, sign into the command line interface and enter the following commands:
hostname# configure
hostname# reset factory settings zeroize
Confirm that you wish to perform the zeroize operation. Allow the system to zeroize the contents of the appliance. During this process the appliance reboots automatically several times. The process may take several minutes.
2.
5. Repeat these steps with the other side rail.
Attaching rails to the appliance
1. Align one of the rails with the left side of the appliance (as you face the front of the appliance) so that the word “FRONT” on the rail is seen right-side-up and at the front of the node.
2. Align the holes in the rail with the round tabs on the side of the appliance.
3.
2. Connect the appliance power supplies’ AC power connectors to two separate AC power sources using the power cables provided (see Figure 2). Figure 2 Connect the power supplies to AC power sources 3. Use the strain relief clip from the hardware kit to secure the power cord to the rack. 4. If this is a replacement appliance, pack the old appliance in the shipping materials for the replacement appliance. You may need to remove the slide rails and null modem cable from the old appliance to fit it in the box.
2 Configuring the system Starting the SKM appliance NOTE: To prepare to configure the system, have ready all information listed on the pre-install survey. This information was gathered by your site Security Officer and the HP installation team before the system was shipped; if it has been lost, obtain the form from www.hp.com (on the SKM product page, under Support for your Product, Manuals) and complete it now.
c. Date
d. Time. The time is based on a 24-hour clock. There is no a.m. or p.m. designation. For example, 1:20 p.m. is 13:20:00.
e. IP address of the SKM appliance. The appliance must have a static network address; it cannot obtain an IP address through DHCP.
f. Subnet mask
g. Default gateway
h. Hostname, including the domain. For example, skm.example.com. The screen displays the information you entered and the message "Is this correct? (y/n):".
i.
6. Configure the default settings for the key replication interval and retry attempts.
NOTE: These commands require firmware version 1.1 or greater.
a. Log in to the appliance as admin using the password specified during configuration.
b. Type configure to enter configuration mode.
#config
(config)#
c. Type the following commands to set both the key replication and key replication retry intervals.
Where
• is the hostname or IP address you provided in Starting the SKM appliance, step 4.
• is 9443 by default. If you changed the port number in Starting the SKM appliance, step 4, use that number instead.
Setting up the local Certificate Authority (CA)
To create and install local CAs, perform the following steps:
1. Log on to the SKM management web console using the admin password you supplied in Starting the SKM appliance.
2. Select the Security tab.
3.
6. Add the Local CA to the Trusted CAs list. a. In Certificates & CAs, click Trusted CA Lists to display the Trusted Certificate Authority List Profiles. b. Click on the Default Profile Name (not the radio button). c. In the Trusted Certificate Authority List, click Edit. d. From the list of Available CAs in the right panel, select the CA you created in step 4. For example, SKM Local CA. e. Click Add. f. Click Save. 7. If appropriate, add known, third-party CAs to the Trusted CAs list. a.
4. Click Create Certificate Request. 5. Click on the newly created certificate from Certificate List, for example SKM Server. 6. Copy the certificate data, from the -----BEGIN CERTIFICATE REQUEST----- to the -----END CERTIFICATE REQUEST----- lines. Be careful to exclude extra carriage returns or spaces after the data. This information will be used in step 10 of this section. 7. In the Certificates & CAs menu, click Local CAs. 8.
11. Click Sign Request. 12. Copy the signed certificate data, from -----BEGIN to END…----- lines. Be careful to exclude extra carriage returns or spaces after the data. This information will be used in step 16 of this section. 13. In the Certificates & CAs menu, click on Certificates. 14. Click on the certificate name created in steps 3 – 4 of this section. For example, SKM Server. 15. Click Install Certificate. 16. Paste the signed certificate data from step 12 and click Save.
• In Creating the cluster, the cluster is created on one SKM appliance. Skip this section if you already have an SKM cluster. • In Copying the Local CA certificate, the Local CA certificate from an existing cluster member is copied into the copy buffer in preparation for pasting it into the management console of each of the SKM appliances that will be added to the cluster in Adding SKM appliances to the cluster. Start here if you are replacing an SKM or expanding an existing cluster.
5. Copy the certificate data from the CA Certificate Information, from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----. Be careful to exclude extra carriage returns or spaces after the data. This certificate data will be transferred to the other SKM appliances in Copying the Local CA certificate. 6. Keep this browser window open while adding appliances to the cluster in the next section.
5. Add the first member’s CA to the Trusted CAs list. a. In the Certificates & CA menu, click Trusted CA Lists. b. Click on the Default Profile Name. c. Click Edit. d. Select the name of the CA from the list of Available CAs in the right panel. For example, SKM Local CA. e. Click Add. f. Click Save. 6. Join the appliance to the cluster. a. Select the Device tab. b. In the Device Configuration menu, click on Cluster. c. In the Cluster, click on Join Cluster. d.
4. Click Create Certificate Request. 5. Click on the newly created certificate SKM Server from Certificate List. 6. Copy the certificate data, from lines -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----. Be careful to exclude extra carriage returns or spaces after the data. 7. In the Certificates & CAs menu, click Local CAs. 8. Click on the SKM Local CA. 9. Click Sign Request. 10. Enter information required in the Sign Certificate Request section of the window as shown: a.
3. Click Select None. 4. Select Certificates then Choose from list and select SKM Server. 5. Click Continue. 6. Click Select None. 7. Click Continue. 8. In the Create Backup screen, type a name, description, and password for the certificate backup. 9. Select Download to Browser. 10. Click Backup and save the backup to your desktop. Installing the certificates To install the certificates, perform the following steps on each of the additional cluster members: 1.
3 Performing configuration and operation tasks Key and policy procedures Creating a key To create a key: 1. Log in to the Management Console as an administrator with Keys and Authorization Policies access control. 2. Navigate to the Create Key section on the Key and Policy Configuration page (Security > Keys). 3. Enter a unique key name in the Key Name field. 4. Enter a value in the Owner Username field to assign a specific owner or leave this value blank to create a global key.
7. To make the key exportable on a non-FIPS SKM, select Exportable. An exportable key can be exported by its owner and by members of a group with “Export” permission for the key. An exportable global key is exportable by all users. 8. Paste the key bytes in the Key field. Asymmetric keys must be imported in PEM-encoded ASN.1 DER-encoded PKCS #1 format, and both the public and private keys must be imported.
Authorization policy procedures Creating an authorization policy To create an authorization policy: 1. Log in to the Management Console as an administrator with Keys and Authorization Policies access control. 2. Navigate to the Authorization Policies section of the Authorization Policy Configuration page (Security > Authorization Policies). 3. Click Add. 4. Enter a Policy Name. 5. Click Save. 6. Select the Policy to access the Authorization Policy Configuration page. 7.
6. To give this user the ability to change his or her own password via the XML interface, select Change Password Permission. Users with User Administration Permission selected automatically have this ability. 7. Click Save. Creating a group To create a group: 1. Log in to the Management Console as an administrator with Users, Groups, and LDAP access control. 2. Navigate to the Local Groups section of the User & Group Configuration page (Security > Local Users & Groups). 3. Click Add. 4.
3. Select the Username and click Delete. Deleting a group To delete a group: 1. Log in to the Management Console as an administrator with Users, Groups, and LDAP access control. 2. Navigate to the Local Groups section of the User & Group Configuration page (Security > Local Users & Groups). 3. Select the Group and click Delete. LDAP server procedures Setting up the LDAP user directory To set up the LDAP user directory: 1.
Setting up an LDAP failover server To set up an LDAP failover server: 1. Log in to the Management Console as an administrator with Users, Groups, and LDAP access control. 2. Navigate to the LDAP Failover Server Properties section of the LDAP Server Configuration page (Security > LDAP > LDAP Server). 3. Click Edit. 4. Enter the Failover Server IP or Hostname and Failover Server Port. 5. Click Save. Testing the LDAP failover server connection To test the LDAP failover server connection: 1.
NOTE: To generate a valid certificate, you must have a certificate authority sign a certificate request. You can create local CAs on the SKM, and use those CAs to sign certificate requests. Otherwise, you must use an external CA to sign certificate requests. The following steps assume that you have already created a local CA. To create a server certificate for the SKM: 1. Log in to the Management Console as an administrator with Certificates access control. 2.
10. Copy the certificate text. 11. Navigate back to the Certificate List section. 12. Select the certificate request and click Properties to access the Certificate Request Information section. 13. Click Install Certificate. 14. Paste the text of the signed certificate into the Certificate Response field. 15. Click Save. When you return to the main Certificate Configuration page, the certificate request is now an active certificate. It can be used to establish SSL connections with client applications.
9. Paste the certificate request into the Certificate Request field. Select Client as the Certificate Purpose, specify a Certificate Duration and click Sign Request. The newly-activated certificate displays on a new page. 10. Copy the certificate text. 11. Navigate back to the Certificate List section. 12. Select the certificate request and click Properties to access the Certificate Request Information section. 13. Click Install Certificate. 14.
To install a certificate: 1. Log in to the Management Console as an administrator with Certificates access control. 2. Navigate to the Certificate List section of the Certificate and CA Configuration page (Security > Certificates). 3. Select the certificate request and click Properties to access the Certificate Request Information section. 4. Click Install Certificate. 5. Paste the certificate response from the CA into the Certificate Response field on the Certificate Installation page. 6. Click Save.
2. Navigate to the Certificate List section of the Certificate and CA Configuration page (Security > Certificates). 3. Select the Certificate Name and click Properties to access the Certificate Information section. 4. Click Download. Certificate Authority (CA) procedures Adding a CA certificate to the trusted CA list To add a CA certificate to the trusted CA list: 1. Log in to the Management Console as an administrator with Certificate Authorities access control. 2.
Deleting a trusted CA list profile To delete a trusted certificate authority list profile: 1. Log in to the Management Console as an administrator with Certificate Authorities access control. 2. Navigate to the Trusted Certificate Authority List Profiles section of the Certificate and CA Configuration page (Security > Trusted CA Lists). 3. Select a profile and click Delete. NOTE: You cannot delete the default profile.
Deleting a local CA To delete a local CA: 1. Log in to the Management Console as an administrator with Certificate Authorities access control. 2. Navigate to the Local Certificate Authority List section of the Certificate and CA Configuration page (Security > Local CAs). 3. Select a certificate authority and click Delete. Creating a local CA To create a local certificate authority: 1. Log in to the Management Console as an administrator with Certificate Authorities access control. 2.
8. Copy the CA certificate request text. The certificate text looks similar, but not identical, to the following text.
FIPS status server procedures Enabling the FIPS status server To enable the FIPS Status Server: 1. Log in to the Management Console as an administrator with SSL, Advanced Security, and KMS Server access controls. 2. Navigate to the FIPS Status Server page (Security > FIPS Status Server). 3. Click Edit. 4. Select Enable FIPS Status Server. 5. Select the Local IP address from the list or select [All]. 6. Enter the Local Port the FIPS Status Server listens on, or accept the default port value of 9081. 7.
Enabling key and policy configuration by client applications Enabling key and policy configuration by client applications permits the following actions: • create and delete key. • export and import key. • create, delete and modify operations of users and groups. To enable key and policy configuration by client applications: 1. Log in to the Management Console as an administrator with KMS Server access control. 2.
6. Use the Username Field in Client Certificate field to specify which field in the client certificate must contain a valid username. This setting is optional. 7. Select Require Client Certificate to Contain Source IP to specify that the client certificate must contain the client’s IP address in the subjectAltName field. This setting is optional. 8. Click Save. Configuring the user account lockout settings To configure the user account lockout settings: 1.
5. Click Join Cluster. NOTE: After joining the cluster, you will be prompted to synchronize with an existing cluster member. We recommend that you synchronize your device. For more information about this process, please see Synchronizing With a Cluster Member. 6. Delete the cluster key from the local file system on your workstation. Synchronizing with a cluster member To synchronize with a cluster member: 1.
Removing a device from a cluster To remove a device from a cluster: 1. Log in to the Management Console of the device that will be removed from the cluster as an administrator with Cluster access control. 2. Navigate to the Cluster Settings section of the Cluster Configuration page (Device > Cluster). 3. Click Remove From Cluster. Upgrading a cluster A cluster can be upgraded by upgrading one device at a time.
Configuring an NTP server connection To configure an NTP server connection: 1. Log in to the Management Console as an administrator with Network and Date/Time access control. 2. Navigate to the NTP Settings section of the Date & Time Configuration page (Device > Date & Time). 3. Click Edit. 4. Select Enable NTP. 5. Enter the IP addresses of the NTP server(s) in the NTP Server fields. 6. Specify the frequency with which the SKM will poll the NTP server(s).
9. For each service select either Allow All Connections to grant access to all clients or Only Allow IPs Specified Below to grant access to only the clients listed in the Allowed Client IP Addresses section with that service selected. 10. Click Save. NOTE: When updating this feature from the Management Console, the system ensures that the current administrator IP address maintains its web administration permissions.
Administrator procedures Creating an administrator To create an administrator account: 1. Log in to the Management Console as an administrator with Administrators access control. 2. Navigate to the Create Administrator section on the Administrator Configuration page (Device > Administrators > Administrators). 3. Enter values in the Username, Full Name, Description, and Password fields. 4. Confirm the password in the Confirm Password field. 5. Select the access controls for the administrator account. 6.
3. Click LDAP Test. Setting up the LDAP schema To set up the LDAP Schema: 1. Log in to the SKM appliance as a Local administrator with High Access Administrator access control. 2. Navigate to the LDAP Schema Properties section of the Administrator Configuration page (Device > Administrators > LDAP Administrator Server). 3. Click Edit. 4. Enter the values for your LDAP schema. All fields are required except User List Filter. 5. Click Save.
2. Navigate to the Password Settings for Local Administrators section of the Administrator Configuration page (Device Configuration > Administrators > Password Management). 3. Click Edit. 4. To enable password expiration, enter the Maximum Password Age in the Password Expiration field. When an administrator’s password reaches this age, the administrator will be forced to create a new password. 5. To enable password history, enter the Num Passwords to Remember in the Password History field.
2. Navigate to the Multiple Credentials for Key Administration section on the Administrator Configuration page (Device > Administrators > Multiple Credentials). 3. Click Edit. 4. Select Require Multiple Credentials. 5. Specify the number of administrators required to perform configuration operations. There must be at least as many administrators with High Access Administrator access control as are required by this field. 6.
1. Open the certificate request in a text editor. 2. Copy the text of the certificate request. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and the footer (-----END CERTIFICATE REQUEST-----). 3. Log in to the Management Console as an administrator with Certificates access control. 4. Navigate to the Local Certificate Authority List (Security > Certificates & CAs > Local CAs). Select the local CA and click Sign Request to access the Sign Certificate Request section. 5.
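The copy rules above (exact header and footer, no stray carriage returns or spaces) and the PKCS #1 requirement from Creating a key are easy to get wrong when pasting into the console. The following Python script is an added example, not part of the HP guide: it flags the paste hazards in raw copied text, normalises a CSR or certificate block, and checks that an RSA key pair carries the RSA PRIVATE KEY / RSA PUBLIC KEY labels (assumed here to be the PKCS #1 form the SKM import expects) rather than PKCS #8 labels. The sample inputs are constructed and the console itself is never contacted.

```python
import base64
import re

# Labels that denote the PKCS #1 encoding the SKM key import expects
# (assumption: RSA PRIVATE KEY / RSA PUBLIC KEY are the PKCS #1 PEM labels).
PKCS1_LABELS = {"RSA PRIVATE KEY", "RSA PUBLIC KEY"}
# PKCS #8 / SubjectPublicKeyInfo labels, reported so the operator converts first.
NON_PKCS1_KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "PUBLIC KEY"}

# A PEM block: BEGIN line, base64 body, END line carrying the same label.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def paste_problems(text):
    """List the copy/paste hazards the guide warns about in raw copied text."""
    problems = []
    if "\r" in text:
        problems.append("carriage returns present (CRLF line endings)")
    if any(line != line.rstrip() for line in text.split("\n")):
        problems.append("trailing whitespace on one or more lines")
    stripped = text.strip()
    if not (stripped.startswith("-----BEGIN ") and stripped.endswith("-----")):
        problems.append("text outside the BEGIN/END lines")
    return problems


def extract_pem_blocks(text):
    """Return [(label, clean_pem)] for each well-formed PEM block in text.

    clean_pem has LF line endings, no trailing whitespace, no blank lines
    inside the block and exactly one trailing newline: the form that pastes
    cleanly into the console's Certificate Request / Response fields.
    """
    blocks = []
    for match in _PEM_RE.finditer(text):
        label = match.group("label")
        lines = [ln.rstrip() for ln in match.group("body").splitlines()]
        lines = [ln for ln in lines if ln]
        try:
            der = base64.b64decode("".join(lines), validate=True)
        except ValueError:
            continue  # body is not base64, so not a usable block
        # CSRs, certificates and keys are all DER SEQUENCEs (first byte 0x30).
        if not der or der[0] != 0x30:
            continue
        clean = "-----BEGIN {0}-----\n{1}\n-----END {0}-----\n".format(
            label, "\n".join(lines))
        blocks.append((label, clean))
    return blocks


def check_key_pair_for_import(text):
    """Check that text holds both halves of an RSA key pair in PKCS #1 PEM form."""
    labels = [label for label, _ in extract_pem_blocks(text)]
    problems = []
    for label in labels:
        if label in NON_PKCS1_KEY_LABELS:
            problems.append("%s block is PKCS #8/SPKI, not PKCS #1; convert before import" % label)
    for required in sorted(PKCS1_LABELS):
        if required not in labels:
            problems.append("missing %s block" % required)
    return {"ok": not problems, "labels": labels, "problems": problems}


# Constructed sample data: a minimal DER SEQUENCE (30 03 02 01 05) stands in for
# real CSR or key bytes, wrapped in the CRLFs, trailing spaces and surrounding
# text that the guide says must be excluded before pasting.
SAMPLE_CSR_COPY = (
    "Copy from here:\r\n"
    "-----BEGIN CERTIFICATE REQUEST-----\r\n"
    "MAMCAQU=   \r\n"
    "\r\n"
    "-----END CERTIFICATE REQUEST-----\r\n\r\n   "
)
SAMPLE_KEYS_PKCS8 = (
    "-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n"
    "-----BEGIN RSA PUBLIC KEY-----\nMAMCAQU=\n-----END RSA PUBLIC KEY-----\n"
)
SAMPLE_KEYS_PKCS1 = SAMPLE_KEYS_PKCS8.replace("PRIVATE KEY-----", "RSA PRIVATE KEY-----")

if __name__ == "__main__":
    print("raw copy problems:", paste_problems(SAMPLE_CSR_COPY))
    for label, clean in extract_pem_blocks(SAMPLE_CSR_COPY):
        print("cleaned %s block:\n%s" % (label, clean), end="")
    print("PKCS #8 pair:", check_key_pair_for_import(SAMPLE_KEYS_PKCS8))
    print("PKCS #1 pair:", check_key_pair_for_import(SAMPLE_KEYS_PKCS1))
```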
2. Navigate to the Remote Administration Settings section (Device > Administrators > Remote Administration). 3. Click Edit. 4. Select Web Admin User Authentication. 5. Click Save. NOTE: This feature is immediately enabled when you select Web Admin User Authentication. You will be logged out of the Management Console and will need a valid client certificate to return. If needed, you can use the edit ras settings command from the CLI to disable this feature without presenting a certificate.
2. Determine the Key Sharing Group. a. From the filtered list of keys, choose the one with the most recent timestamp (the number sequence at the end of the key name) and click Properties. (See Figure 4). Figure 4 Filtering the list of keys b. Select the Permissions tab to display the name of the Group, listed in the Group Permissions panel. c. Note the name of the Group. 3. Export (backup) the key. a.
NOTE: Steps c. through f. above ensure the backup file contains only the single key. g. In the Backup Summary section of the panel, verify that no settings, certificates, or local CAs are included. In the Keys field, verify that the desired key is listed. (See Figure 6). Figure 6 Verifying the Backup Summary section to export and import the key h. Enter the Backup Name, Backup Description, and Backup Password, then select the Destination (as shown in Figure 7). Figure 7 Entering backup information i.
4. Send the tape and the Destination (backup) file to the Cluster #2 admin. Also transmit the Group name and the backup password. NOTE: For security reasons, HP recommends these communications occur separately, via different communication paths.
5. Import (restore) the backup file to Cluster #2. a. On the SKM, from the Device Tab, in the Maintenance menu on the left, select Backup & Restore, then Restore Backup. The Backup Restore Information screen displays. b. Specify the source of the file, and the backup password. c. On the next screen, Backup Restore Information (see Figure 8), in the All Items field, select Select None. Figure 8 Completing the Backup Restore Information screen d.
6. Restart the SKM software. NOTE: Following a restore, the SKM must be restarted. a. From the SKM Device tab, in the Maintenance menu, select Services. b. In the Restart/Halt pane, in the Restart/Halt field, select Restart. c. Click Commit. d. Select Confirm to initiate the restart request. Restart will take approximately 5 minutes. e. When the restart is complete, log in to the SKM again.
7. Force replication of the key across Cluster #2. a. From the SKM Security tab, in the Keys menu on the left, select Keys. b. Use filtering from the Keys section of the panel (for example: Filtered by Key Name where value contains , as shown in Figure 9) to find the key. Figure 9 Finding the key to force replication c. Select the Key Name, then click Properties. d. From the Key and Policy Configuration screen, select the Properties tab. e. Click Edit. f.
8. Ensure that the key sharing group has been added. a. From the SKM interface, Security tab, Users and LDAP Menu, select Local Users and Groups. b. Verify that the Group name from Cluster #1 is listed in the Local Groups section under Group. c. If the Group name from Cluster #1 is not listed, add it now. i. Under Local Groups pane, select Add. ii. Enter the Group name, provided from Cluster #1. The name must match exactly. iii. Click the name of the new group. iv. In the User List section, select Add.
1. From the SKM interface on the Device tab in the Maintenance menu on the left, select Backup & Restore, then select Create Backup. Figure 11 Creating the backup of configurations and certificates 2. In the Create Backup pane, Security Items field, click Select All. 3. In the Keys field, select No keys. 4. Click Continue. 5. In the Device Items field, click Select All. 6. Click Continue.
7. In the Backup Summary section of the panel, verify that all of the settings, certificates, and local certificate authorities are included in the backup. Also verify that [None] is selected in the Keys field. (See Figure 12.) Figure 12 Verifying the Backup Summary section to backup the configurations and certificates 8. Enter the Backup Name, Backup Description, and Backup Password, and select the Destination. The destination can be the browser or a location on an SCP (secure copy) server. 9.
1. From the SKM interface on the Device tab, in the Maintenance menu, select Backup & Restore, then Create Backup. 2. In the Create Backup pane, in the Security Items field, click Select None. 3. In the Keys field, select All keys. 4. Click Continue. 5. In the Device Items field, click Select None. 6. Click Continue. 7. In the Backup Summary section of the panel, review the backup summary to ensure only keys are being backed up. Repeat steps 2 - 5 if needed. (See Figure 13.
Log configuration procedures Configuring log rotation To configure log rotation: 1. Log in to the Management Console as an administrator with Logging access control. 2. Navigate to the Log Configuration page (Device > Log Configuration) and click the Rotation & Syslog tab. 3. Select a log in the Rotation Schedule section and click Properties to access the Log Rotation Properties section. 4. Click Edit. 5. Use the Rotation Schedule and Rotation Time fields to specify when the log will be rotated. 6.
2. Change the file extension on the log file to .eml. The file will now be recognized by Windows as an E-mail file. 3. Double-click on the file. Outlook Express will open and display a help screen with a security header that reads: “Digitally signed - signing digital ID is not trusted.” 4. Click Continue. A security warning will appear. 5. Click View Digital ID. The Signing Digital ID Properties dialog will appear. 6. Click the Details tab and scroll down to the Thumbprint field. 7.
Recreating the log signing certificate Prior to creating a new log signing certificate, back up the old certificate so you can verify previously signed logs. To recreate the log signing certificate: 1. Log in to the Management Console as an administrator with Logging access control. 2. Navigate to the Log Configuration page (Device > Log Configuration) and click the Rotation & Syslog tab. 3. Click Recreate Log Signing Cert in the Audit Log Settings section. 4. Enter a Certificate Duration. 5.
2. Navigate to the Log Viewer page (Device > Log Viewer) and click the tab for the log you would like to download. 3. Choose a log in the Log File field. 4. Click Display Log. 5. Click Clear.
Performing configuration and operation tasks
4 Maintaining the SKM Backup and restore overview Clustering SKM nodes is an effective way of exchanging keys and configuration data to allow for failover, but it is not the complete solution for protecting the SKM environment. Perform regular backups of the SKM nodes to ensure that your encryption solution is protected in a disaster-recovery scenario.
Backup and restore page
The Backup and restore page enables you to create and restore backups. This page contains the following sections:
• Create Backup
• Restore Backup
• Restore Backup Information
• Internal Backup List
Create backup
Use the Create Backup section of the Backup and Restore page to create a backup configuration. When creating a backup, you can choose which components to back up.
Create backup: security items
Use this section to select the security items to include in your backup.
Table 1 Create Backup: Security Items section components
Security Items: Click Select All to include all of the key management items in your backup. Click Select None to deselect all key management items.
Keys: Select the method for backing up keys. Select to back up all, none, or a specific key.
Authorization Policies: Select to back up all authorization policies on the server.
Local Users & Groups: Select to back up all local users and groups on the server.
Table 2 Create Backup: Device Items section components
Device Items: Click Select All to include all of the device configuration items in your backup. Click Select None to deselect all device configuration items.
NTP, Network, IP Authorization, Administrators and Remote Administration, SNMP, Logging, SSL, KMS Server, Services, Log Signing Certificate: Select the corresponding check box to include this configuration information in the backup.
Table 3 Create Backup: Backup Settings section components
Backup Name: Enter a name for the backup file. For backups stored externally, the backup filename is created by appending _0_bkp to the backup name. For large backups, the zero is incremented by 1 for each additional file. For example, backup foo could consist of two files: foo_0_bkp and foo_1_bkp.
Backup Description: Enter a short description for the backup.
Backup Password: Enter a password for your backup configuration.
Figure 17 Viewing the Restore Backup section
The following table describes the components of the Restore Backup section.
Table 4 Restore Backup section components
Source: Specify the source of the backup configuration. When restoring a backup that spans multiple files, specify the zero-th file here (for example, internal_0_bkp). Specifying the zero-th file indicates to the Key Manager that the backup contains multiple files.
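A multi-file backup is only restorable if every part reached the destination; the SKM is given the zero-th file and derives the rest, so a part that never arrived is discovered only when the restore fails. The following script is an added example, not part of the HP guide or of the SKM software. It relies solely on the naming rule stated in Table 3 (backup name followed by _0_bkp, _1_bkp, and so on): it groups a directory listing from the SCP destination by backup name and refuses to name a zero-th file for Restore Backup unless the parts are contiguous from 0. The directory listing is constructed, and the function names are chosen for this example.

```python
"""Check that every part of an SKM backup is present before running Restore Backup.

Added example, not HP code. Uses only the guide's naming rule: external backup
files are <name>_0_bkp, <name>_1_bkp, ... The listing below is constructed.
"""
import re

# Greedy name match, so a backup name that itself contains _N_bkp still parses.
_PART = re.compile(r"^(?P<name>.+)_(?P<idx>\d+)_bkp$")


def group_backup_parts(filenames):
    """Map each backup name to the sorted list of part indices found in the listing."""
    parts = {}
    for fn in filenames:
        m = _PART.match(fn)
        if m:
            parts.setdefault(m.group("name"), []).append(int(m.group("idx")))
    return {name: sorted(idx) for name, idx in parts.items()}


def restore_source(filenames, backup_name):
    """Return the zero-th file to give to Restore Backup, or raise if parts are missing.

    Parts must run 0, 1, ..., N with no gaps; a gap means the transfer to the
    SCP host was incomplete and the restore would fail part-way.
    """
    idx = group_backup_parts(filenames).get(backup_name)
    if not idx:
        raise FileNotFoundError("no files named %s_N_bkp found" % backup_name)
    expected = list(range(idx[-1] + 1))
    if idx != expected:
        missing = sorted(set(expected) - set(idx))
        raise ValueError("backup %s is missing part(s) %s" % (backup_name, missing))
    return "%s_0_bkp" % backup_name


# Constructed listing of an SCP destination directory.
SAMPLE_LISTING = [
    "keys_only_0_bkp", "keys_only_1_bkp", "keys_only_2_bkp",
    "config_0_bkp",
    "weekly_0_bkp", "weekly_2_bkp",        # weekly_1_bkp never arrived
    "README.txt",
]

if __name__ == "__main__":
    for name in group_backup_parts(SAMPLE_LISTING):
        try:
            print(name, "->", restore_source(SAMPLE_LISTING, name))
        except ValueError as exc:
            print(name, "->", exc)
```

Run the check against a listing of the SCP destination (for example the output of ls on that host) before starting the restore; only the name it returns should be entered in the Source field.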
Figure 18 Viewing the Backup Restore Information section
The following table describes the components of the Backup Restore Information section.
Table 5 Backup Restore Information section components
Backup Name: Displays the backup name.
Description: Displays a description of the backup file.
Archive Date: Displays the date on which the backup was created.
All Items: Click Select All to select all of the items included in the backup. Click Select None to deselect all of the items.
Table 6 Internal Backup List section components
Backup Name: Displays the backup name.
Date: Displays the date on which the backup was created.
Size: Displays the size of the backup file.
Download: Click Download to download an internal backup file to your browser. The Download button enables you to move a previously created internal backup file to a secondary system.
Delete: Click Delete to remove the backup from the SKM.
Table 7 Services List section components
Name:
• KMS Server: the “brains” of the SKM, which manages all incoming and outgoing connections (both secure and clear text). When disabled, the SKM cannot be used to fulfill requests.
• Web Administration: When enabled, the SKM can be configured through a web browser.
• SSH Administration: the remote Command Line Interface (CLI) administration tool. When enabled, the SKM can be configured using the remote CLI over SSH.
System Information page
Use the System Information page to perform software upgrades and examine information about the system and software currently installed. This page contains the following sections:
• Device Information
• License Information
• Software Upgrade/Install
Device Information
The first section of the page shows the device information, which includes the model of SKM you are using and the Unit ID.
The following table describes the components of the License Information section.
Table 10 License Information section components
Licenses: Displays the number of client connections available.
Licenses in Use: Displays the number of client connections currently in use.
Software Upgrade/Install
The software upgrade and installation mechanism can be used to install new features, upgrade core software, and apply security patches.
Upgrading to a patch release Patch releases are lightweight; customers do not have to re-qualify an entire release. All patches are cumulative, which means that the functionality in patch one exists in patch two, and so on. Because patches are cumulative, we recommend that you always install the most recent patch. IMPORTANT: You must be running the base release upon which the patch is built before upgrading to the patch release. You cannot upgrade directly from a previous base release to a patch.
Figure 25 Viewing the Refresh Page section
The following table describes the components of the Refresh Page section.
Table 12 Refresh Page section components
Refresh Every: Specify the refresh rate of the System Statistics page. Available refresh intervals are:
• Never (default value)
• 5 seconds
• 15 seconds
• 30 seconds
• 60 seconds
• 2 minutes
• 5 minutes
NOTE: This value is only valid while you are viewing the System Statistics page.
Cooling Fan Status
The Cooling Fan Status section provides information on the status of all of the SKM’s cooling fans.
Figure 27 Viewing the Cooling Fan Status section
The following table describes the components of the Cooling Fan Status section.
Table 14 Cooling Fan Status section components
Fan Status: Displays the status of the cooling fan.
Traceroute Information
Use the Traceroute Information section to examine the path between the SKM and a destination.
Figure 29 Viewing the Traceroute Information section
The following table describes the components of the Traceroute Information section.
Table 16 Traceroute Information section components
Traceroute: Specify the host name or IP address of the destination system for performing a traceroute.
Table 18 Netstat Information section components
Run: Click Run to see a list of all active network connections on the SKM.
Reading Netstat Results
The Netstat diagnostic feature provides information about the active network connections on the SKM in the form of a columnar report, which looks like the following:
Figure 32 Viewing the Netstat Results
The following table describes the headings that appear in the Netstat report.
A SKM appliance information sheet The information on this sheet is specific to the HP StorageWorks Secure Key Manager (SKM) appliance to which it is attached. There is one data sheet per appliance. See the figures below for the location and descriptions of the items in this information sheet. IMPORTANT: Keep this information in a secure location, along with the external USB token, for access by the Security Officer only. It is needed for the successful installation and management of this SKM appliance.
Figure 34 Back of SKM appliance
1: Serial number of the appliance
2: Product ID number (PID) of the appliance
3: Pull-out panel that also shows the appliance Serial Number. NOTE: The PID on this panel may not be correct. Do not use the PID that appears on this panel.
B Using the Management Console
Logging in and out
Use the Administrator Authentication screen to log into the Management Console.
Figure 35 Viewing the Administrator Authentication screen
The following table describes the components of the Administrator Authentication page.
Table 20 Administrator Authentication screen components
Username: When logging in for the first time, type the default username admin. Thereafter, type the name assigned by the system administrator.
Figure 37 Viewing the Security Summary section Click the High Security page link to access the High Security page. You can enable FIPS compliance from there. You can select the Do not show this message again checkbox and click Submit to remove the Security Summary section from the Home page. NOTE: Once you remove the Security Summary section from the Home page, you cannot restore that section. System Summary Use this section to view system summary information for your SKM.
Table 21 System Summary section components
Product: Displays your platform.
Unit ID: Displays your Unit ID.
Software Version: Displays the version of the software currently running on the SKM.
Date: Displays the current date.
Time: Displays the current time.
Time Zone: Displays the current time zone setting.
System Uptime: Shows the length of time that the system has been running.
Licenses: Shows the number of licenses available.
Figure 40 Viewing the Search Criteria section
The following table describes the components of the Search Criteria section.
Table 23 Search Criteria section components
Query Keys: Select the link to access the Query Key section, then create and/or run a query to return a specific set of keys.
Search: Select the values to search for. Possible values are Keys, Local Users, and Local Groups.
Which: Select the search criteria.
Filtering sections Some sections of the Management Console normally hold many rows of data. Key and Local Users sections may span multiple pages. Use the search fields on these screens or sections to filter the values that are displayed. The Management Console stores the filter selection upon exiting the screen and reapplies the filter when you return. Figure 42 Viewing the Filter fields The following table describes the section search fields.
Figure 44 Locating button to launch context-sensitive help Clicking this icon opens the documentation for the specific section in a new window. (Subsequent clicks open additional windows.) Figure 45 Viewing the context-sensitive help window Use the left and right arrow icons to scroll through the help system. Select the home icon to access the table of contents. The help link on the top right side of the Management Console header launches the help system on the SKM.
The Key and Policy Configuration page enables you to create, import, and manage keys. This page contains the following sections:
• Keys
• Key Properties
• Group Permissions
• Custom Attributes
• RSA Public Key
• Create Keys
• Import Keys
Keys
The SKM can create and store cryptographic keys (DES, AES, RSA, etc.). A key is composed of two main parts: the key bytes and the key metadata.
Figure 47 Viewing the Key section The following table describes the components of the Keys section.
Table 27 Keys section components
Query: Select the query to apply to the page.
Run Query: Select this button to run a query. The Management Console displays a subset of the available keys and their corresponding columns.
Key Name: This is the name that the server uses to refer to the key.
Owner: The owner is typically the user who created the key.
key. Instead it gives a new name to the existing metadata and key bytes. To create a copy of an existing key, use the Clone Key section.
Figure 48 Viewing the Key Properties section
The following table describes the components of the Key Properties section.
Table 28 Key Properties section components
Key Name: Name of the key described in the current row.
Owner: Name of the user that owns the key. If blank, the key is a global key and therefore accessible to all users.
key version’s state permits the operation, and the request comes from a member of the permitted group. A key can have a maximum of 4000 versions. Group Permissions Use the Group Permissions section to modify the permissions for a key. Key permissions are granted at the group level. To assign permissions to a specific user, you must include that user in a group and then assign permissions to the group. To assign an authorization policy to a key, you must first define the policy.
For non-global keys, if a user is not the owner and is not a member of a group with permissions to use the key, the user cannot access the key. The owner of a key implicitly has permissions to perform all applicable operations using the key, even if that user belongs to a group for which permissions are restricted. In the example above, the key owner can export even if she is not a member of group1 or group2. Custom Attributes Use this section to assign custom attributes to the key.
Figure 51 Viewing the Key Versions and Available Usage section
Table 31 Key Versions and Available Usage section components
Version: Displays the version of the key. This number is automatically assigned. You can have a maximum of 4000 versions of a key. The latest version is automatically the default version; this is the key used when cryptographic and information requests do not specify a version number.
Key State: Describes how the key can be used.
Create Query
Use this section to create key queries. A key query enables you to view a subset of the keys that exist on the SKM. This section enables you to create very specific queries using multiple AND/OR statements and using the results of other saved queries. You can also tailor your query to show specific columns.
Figure 53 Viewing Create Query section
Table 33 Create Query section components
Query Name: The name of the query. This field is only required when saving the query.
Figure 54 Viewing Saved Queries section
Table 34 Saved Queries section components
Query Name: Displays the name of the query.
Description: Displays a description of the query.
Modify: Click Modify to access the Modify Query section and alter the saved query. Once you’ve made your changes, you can save and run the query, save the query, or run the query without saving.
Delete: Click Delete to remove the query from the appliance.
Run: Click Run to execute the query.
Table 35 Modify Query section components
Query Name: The name of the query. This field is only required when saving the query. You can run a query without saving, but you can only save a query before running it.
Description: A description of the query.
Choose Keys Where: Use this field, in combination with the AND and OR buttons, to create your query. You can query on key metadata, combine query strings, and use the results of previously saved queries.
Table 36 Create Key section components
Key Name: This is the name that the server uses to refer to the key. The key name must begin with a letter, must be between 1 and 64 characters (inclusive), and can consist of only letters, numbers, underscores (_), periods (.), and hyphens (-).
Owner Username: You do not have to specify an owner for the key; if you leave that field blank, the key is a global key and therefore accessible to all users.
Figure 57 Viewing the Clone Key section
Table 37 Clone Key section components
New Key Name: This is the name that the server uses to refer to the new key. The key name must begin with a letter, it must be between 1 and 64 characters (inclusive), and it can consist of letters, numbers, underscores (_), periods (.), and hyphens (-).
Key Cloned From: This is the key that will be copied.
Figure 58 Viewing the Import Key section
The following table describes the components of the Import Key section.
Table 38 Import Key section components
Key Name: This is the name that the server uses to refer to the key. The key name must begin with a letter, it must be between 1 and 64 characters (inclusive), and it can consist of letters, numbers, underscores (_), periods (.), and hyphens (-).
Authorization Policy Configuration Page An authorization policy enables you to limit how a group may use a key. You implement an authorization policy when establishing a key’s group permissions. The policies are applied to a key separately for each group; groups that share a key do not necessarily share the same authorization policy. NOTE: The key owner is never limited by the key’s policy restrictions.
Figure 59 Viewing the Authorization Policies section
The following table describes the components of the Authorization Policies section.
Table 39 Authorization Policies section components
Policy Name: Click the name to view the details of a policy.
Add: Click Add to add a new policy.
Delete: Click Delete to delete a policy.
Properties: Click Properties to view the details of a policy.
• User1 can make only 100 more requests between 11:31 AM and 11:59 AM
NOTE: Had the limit been lowered to 75, User1 would only be allowed to make 25 more requests.
Authorized Usage Periods
Use the Authorized Usage Periods section to define, view, change or delete usage periods in which users within a group can use a key. A usage period can span up to 7 days of the week or any portion of those days.
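The permission and policy rules spread across the Group Permissions, Authorization Policy Configuration and Authorized Usage Periods sections above combine into one access decision: the key owner may do anything and is never limited by a policy; a global key (no owner) is accessible to all users; any other user needs membership in a group that has the permission, and that group's own policy (rate limit and usage periods) then applies. The following model is an added example, not HP's code, and the SKM's actual evaluation order is not published in this guide. It makes three assumptions beyond what the guide states: a user in several groups is allowed if any one of them grants the operation, the rate limit is a fixed clock-hour window (matching the 11:31 to 11:59 example above) counted per user and key, and all group names, key names, users and timestamps are constructed.

```python
"""Model of the SKM key-permission and authorization-policy decision.

Added example, not HP code. Assumed: any-group-grants semantics, a per-user,
per-key rate limit over a fixed clock hour, and constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    """Authorization policy attached to one group's permissions on one key."""
    max_per_hour: Optional[int] = None                 # None means no rate limit
    # (weekday 0=Mon..6=Sun, start, end): when members of the group may use the key
    usage_periods: List[Tuple[int, time, time]] = field(default_factory=list)

    def in_usage_period(self, now: datetime) -> bool:
        if not self.usage_periods:                      # no period configured: always usable
            return True
        return any(day == now.weekday() and start <= now.time() < end
                   for day, start, end in self.usage_periods)

    def remaining(self, history: List[datetime], now: datetime) -> Optional[int]:
        """Requests still allowed in the current clock hour. With the guide's figures,
        50 requests made before 11:31 against a limit of 150 leaves 100 until 11:59;
        lowering the limit to 75 leaves 25."""
        if self.max_per_hour is None:
            return None
        window_start = now.replace(minute=0, second=0, microsecond=0)
        used = sum(1 for t in history if window_start <= t <= now)
        return max(self.max_per_hour - used, 0)


@dataclass
class Key:
    name: str
    owner: Optional[str]                                # None marks a global key
    group_permissions: Dict[str, Set[str]]              # group -> operations it may perform
    group_policies: Dict[str, Policy] = field(default_factory=dict)


def authorize(key: Key, user: str, user_groups: List[str], op: str,
              now: datetime, history: List[datetime]) -> Tuple[bool, str]:
    """Decide whether `user` may perform `op` with `key` at `now`.

    `history` holds timestamps of this user's earlier requests on this key.
    Order: owner first (all operations, no policy), then global keys, then each
    group's permission checked against that group's own policy.
    """
    if key.owner == user:
        return True, "owner: all operations permitted, policy does not apply"
    if key.owner is None:
        return True, "global key: accessible to all users"
    reasons = []
    for group in user_groups:
        if op not in key.group_permissions.get(group, set()):
            continue
        policy = key.group_policies.get(group)
        if policy is None:
            return True, "%s grants %s with no policy" % (group, op)
        if not policy.in_usage_period(now):
            reasons.append("%s: outside its usage period" % group)
            continue
        left = policy.remaining(history, now)
        if left == 0:
            reasons.append("%s: hourly request limit reached" % group)
            continue
        return True, "%s grants %s (%s left this hour)" % (
            group, op, "unlimited" if left is None else left)
    return False, "; ".join(reasons) or "no group grants %s on %s" % (op, key.name)


# Constructed sample: a non-global key owned by alice, shared with two groups.
BUSINESS_HOURS = [(d, time(8, 0), time(18, 0)) for d in range(5)]   # Mon-Fri 08:00-18:00
KEY = Key("db_key_20081103", owner="alice",
          group_permissions={"app_servers": {"encrypt", "decrypt"}, "key_admins": {"export"}},
          group_policies={"app_servers": Policy(max_per_hour=150, usage_periods=BUSINESS_HOURS)})
GLOBAL_KEY = Key("shared_key", owner=None, group_permissions={})
MONDAY_1131 = datetime(2008, 11, 3, 11, 31)        # a Monday
SATURDAY_1131 = datetime(2008, 11, 1, 11, 31)      # a Saturday
# bob's earlier requests on the key that Monday, all between 11:00 and 11:25
HISTORY_50 = [datetime(2008, 11, 3, 11, 0) + timedelta(seconds=30 * i) for i in range(50)]
HISTORY_150 = [datetime(2008, 11, 3, 11, 0) + timedelta(seconds=10 * i) for i in range(150)]

if __name__ == "__main__":
    print(authorize(KEY, "bob", ["app_servers"], "encrypt", MONDAY_1131, HISTORY_50))
    print(authorize(KEY, "bob", ["app_servers"], "encrypt", MONDAY_1131, HISTORY_150))
    print(authorize(KEY, "bob", ["app_servers"], "export", MONDAY_1131, []))
    print(authorize(KEY, "bob", ["app_servers"], "encrypt", SATURDAY_1131, []))
    print(authorize(KEY, "alice", [], "export", SATURDAY_1131, HISTORY_150))
```

The owner check comes first deliberately: because the owner bypasses every group policy, a key whose owner is an application service account cannot be rate-limited or time-boxed for that account at all, which is worth keeping in mind when choosing the Owner Username at key creation.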
Active Versions
Use this section to configure the number of active versions allowed for a versioned key. Active versions of a key can be used for both encryption and decryption (or Sign/SignVerify, or MAC/MACVerify, depending on the algorithm).
Figure 62 Viewing the Active Versions section
Table 42 Active Versions section components
Number of Active Versions Allowed for a Key: Displays the number of active versions allowed for a versioned key.
Figure 63 Viewing the Custom Key Attributes section
Table 43 Custom Key Attributes section components
Attribute Name: Enter a unique attribute name. NOTE: Attribute names can contain alphanumeric characters, hyphens, underscores, and periods. You cannot include whitespace in the name. In addition, the first character of the name must be a letter. Maximum length is 255 characters.
Attribute Value: Enter the value of the attribute.
Local Users
Use the Local Users section to add or modify local users. Once a user has been created, you can change the password but you cannot change the username.
Figure 64 Viewing the Local Users section
The following table describes the components of the Local Users section.
Table 44 Local Users section components
Username: This is the name of the user.
NOTE: The User Administration Permission and Change Password Permission apply only to local users. LDAP users cannot be managed through the SKM; they must be managed through the LDAP server. Selected Local User Use the Selected Local User section to view information about an individual user. Figure 65 Viewing the Selected Local User section The following table describes the components of the Selected Local User section.
Figure 66 Viewing the Custom Attributes section
The following table describes the components of the Custom Attributes section.
Table 46 Custom Attributes section components
Attribute Name: Enter the name of the attribute. NOTE: Attribute names must contain alphanumeric characters only. You cannot include special characters or whitespace in the name. In addition, the first character of the name must be a letter. Maximum length is 64 characters.
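The naming rules stated in the Create Key, Clone Key and Import Key tables (Tables 36 to 38), in the Custom Key Attributes table (Table 43) and in the user Custom Attributes table (Table 46) differ in alphabet and maximum length, and a bulk import that trips over one of them fails part-way. The following validator is an added example, not HP code or part of the SKM; it encodes exactly the three rule sets the guide states so that a batch of names can be checked before it is submitted. The sample names and the function names are constructed for this example.

```python
"""Pre-validate key and attribute names against the rules the SKM guide states.

Added example, not HP code. Rules taken from Tables 36-38 (key names),
Table 43 (custom key attributes) and Table 46 (custom user attributes).
"""
import re

# kind -> (allowed shape, maximum length)
RULES = {
    # key names: begin with a letter; letters, digits, underscore, period, hyphen; 1-64 chars
    "key": (re.compile(r"[A-Za-z][A-Za-z0-9_.-]*"), 64),
    # custom key attribute names: same alphabet, no whitespace, up to 255 chars
    "key_attribute": (re.compile(r"[A-Za-z][A-Za-z0-9_.-]*"), 255),
    # custom user attribute names: alphanumeric only, begin with a letter, up to 64 chars
    "user_attribute": (re.compile(r"[A-Za-z][A-Za-z0-9]*"), 64),
}


def validate_name(kind, name):
    """Return None when the SKM would accept `name` for `kind`, else the reason it would not."""
    pattern, max_len = RULES[kind]
    if not name:
        return "%s name is empty" % kind
    if len(name) > max_len:
        return "%s name is %d characters; the maximum is %d" % (kind, len(name), max_len)
    # isascii() guards against non-ASCII letters that isalpha() alone would accept
    if not (name[0].isascii() and name[0].isalpha()):
        return "%s name must begin with a letter" % kind
    if any(c.isspace() for c in name):
        return "%s name must not contain whitespace" % kind
    if pattern.fullmatch(name) is None:
        return "%s name contains characters outside the permitted set" % kind
    return None


def check_batch(kind, names):
    """Validate a batch before bulk creation. Returns {name: problem} for the rejects
    and flags repeats, since attribute names must be unique on a key."""
    problems, seen = {}, set()
    for name in names:
        msg = validate_name(kind, name)
        if msg:
            problems[name] = msg
        elif name in seen:
            problems[name] = "%s name is repeated in the batch" % kind
        seen.add(name)
    return problems


# Constructed batch of key names as they might arrive from a provisioning script.
SAMPLE_KEY_NAMES = ["db_key.2008-11", "2008_key", "tape key", "backup_key", "backup_key", "k" * 65]

if __name__ == "__main__":
    for name, why in check_batch("key", SAMPLE_KEY_NAMES).items():
        print("%-22r %s" % (name, why))
```

Note that a hyphen is legal in a key name or a custom key attribute name but not in a custom user attribute name, so the same naming convention cannot be reused across all three without checking.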
Table 47 Local Groups section components
Group: Displays the local groups on the SKM.
Add: Click Add to add a group to the group list.
Delete: Click Delete to delete a group from the group list.
Properties: Click Properties to access the User List section and view the users in the selected group.
Local Group Properties
The Local Group Properties section displays the group name.
LDAP Server Configuration Lightweight Directory Access Protocol (LDAP) is a protocol that allows you to enable authentication of your KMS Server based on a central directory of users, rather than the local users and groups defined on each device. To use LDAP with the KMS Server, you need an LDAP server available such as MS Active Directory, Netscape Directory Server or OpenLDAP. You should also be familiar with the schema defined by that server.
Table 50 LDAP User Directory Properties section components
Server IP or Hostname: The IP address or hostname of the primary LDAP server.
Server Port: The port on which the LDAP server is listening. LDAP servers typically use port 389. For SSL connections, LDAP servers typically use port 636.
Use SSL: By default the SKM connects directly to the LDAP server over TCP. Check this box to use SSL between the device and the LDAP server. Without SSL, the bind credentials and directory queries travel the network in the clear.
Table 51 LDAP Schema Properties section components
User Base DN: The base distinguished name (DN) from which to begin the search for usernames.
User ID Attribute: The attribute type for the user on which to search. The attribute type you choose must result in globally unique users.
Table 52 LDAP Failover Server Properties section components
Failover Server IP or Hostname: The IP address or hostname of the LDAP server to use as the failover.
Failover Server Port: The port on which the LDAP server is listening.
Edit: Click Edit to modify the properties.
Clear: Click Clear to remove the current properties.
LDAP Test: Click LDAP Test to test the LDAP connection after you have defined an LDAP server.
Table 53 LDAP Users section components
Username: Displays the users that can access the SKM from the LDAP server.
LDAP Groups
The LDAP Groups section displays the groups available in the LDAP user directory.
Figure 74 Viewing the LDAP Groups section
The following table describes the components of the LDAP Groups section.
Table 54 LDAP Groups section components
Group: Displays the groups that can access the SKM from the LDAP server.
Figure 75 Viewing the User List section
The following table describes the components of the User List section.
Table 55 User List section components
Username: Displays the users that can access the SKM from the LDAP server.
Certificate and CA Configuration Page
Certificates identify one entity to another. In this case, when making SSL connections between a client application and the KMS Server, the server must provide its server certificate to the client application.
Figure 76 Viewing the Certificate List section
The following table describes the components of the Certificate List section.
Table 56 Certificate List section components
Certificate Name: The name of the certificate; this name is used internally by the SKM. Click the certificate name to view properties and access the certificate information.
CAUTION: If you are copying the certificate text into an application such as Microsoft Word, it is important to ensure that no carriage returns/line feeds are lost. Such a loss would corrupt the certificate and prevent you from getting the certificate signed by a CA. Figure 77 Viewing the Certificate Information section The following table describes the components of the Certificate Information section.
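Both the Sign Certificate Request procedure earlier on this page (copy the request including its BEGIN and END lines) and the CAUTION above (do not lose line feeds in transit) come down to checking that a PEM block arrived intact before it is pasted into the Management Console. The following checker is an added example, not HP code or part of the SKM. It verifies that the header and footer are present and agree, that no body line exceeds the 64-column width PEM uses, that the body is valid base64, and that the decoded bytes begin with the DER SEQUENCE tag every certificate and request starts with; a second function re-wraps a body whose line feeds were lost, which changes the layout but not the encoded bytes. The sample request bodies are constructed DER, not real certificate requests.

```python
"""Sanity-check a PEM certificate request or certificate before pasting it into the SKM.

Added example, not HP code. The sample bodies are constructed DER, not real requests.
"""
import base64
import binascii
import re

_HEADER = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
_FOOTER = re.compile(r"^-----END ([A-Z ]+)-----$")
PEM_LINE_WIDTH = 64          # PEM (RFC 7468) wraps the base64 body at 64 columns


def check_pem(text, expected_label="CERTIFICATE REQUEST"):
    """Return a list of problems; an empty list means the block is ready to paste."""
    problems = []
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3:
        return ["block is too short to hold a header, a body and a footer"]
    head = _HEADER.match(lines[0])
    foot = _FOOTER.match(lines[-1])
    if not head:
        problems.append("missing or damaged -----BEGIN ...----- header")
    if not foot:
        problems.append("missing or damaged -----END ...----- footer")
    if head and foot and head.group(1) != foot.group(1):
        problems.append("header label %r does not match footer label %r"
                        % (head.group(1), foot.group(1)))
    if head and head.group(1) != expected_label:
        problems.append("expected a %s block, got %s" % (expected_label, head.group(1)))
    body = lines[1:-1]
    # A body line longer than 64 columns is the usual sign that line feeds were lost
    # when the text passed through a word processor or mail client.
    for n, ln in enumerate(body, start=2):
        if len(ln) > PEM_LINE_WIDTH:
            problems.append("line %d is %d characters long; body lines should be at most %d"
                            % (n, len(ln), PEM_LINE_WIDTH))
            break
    try:
        der = base64.b64decode("".join(body), validate=True)
    except (binascii.Error, ValueError):
        problems.append("body is not valid base64; characters were lost or altered")
        return problems
    if not der or der[0] != 0x30:
        problems.append("decoded body does not begin with a DER SEQUENCE tag (0x30)")
    return problems


def rewrap_pem(text):
    """Re-wrap the body at 64 columns, undoing lost line feeds. Only layout changes."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    body = "".join(lines[1:-1])
    wrapped = [body[i:i + PEM_LINE_WIDTH] for i in range(0, len(body), PEM_LINE_WIDTH)]
    return "\n".join([lines[0]] + wrapped + [lines[-1]]) + "\n"


def pem_block(der, label="CERTIFICATE REQUEST", wrap=PEM_LINE_WIDTH):
    """Build a PEM block from DER bytes. wrap=None joins the body into one line,
    mimicking a request mangled in copy and paste."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64] if wrap is None else [b64[i:i + wrap] for i in range(0, len(b64), wrap)]
    return "\n".join(["-----BEGIN %s-----" % label] + body + ["-----END %s-----" % label]) + "\n"


# Constructed sample: SEQUENCE { OCTET STRING (56 bytes) }, 60 bytes of DER, 80 base64 chars.
SAMPLE_DER = b"\x30\x3a\x04\x38" + b"A" * 56
SAMPLE_REQUEST = pem_block(SAMPLE_DER)               # body wrapped as 64 + 16 characters
MANGLED_REQUEST = pem_block(SAMPLE_DER, wrap=None)   # body collapsed to one 80-character line

if __name__ == "__main__":
    print("intact  ", check_pem(SAMPLE_REQUEST) or "OK")
    print("mangled ", check_pem(MANGLED_REQUEST) or "OK")
    print("repaired", check_pem(rewrap_pem(MANGLED_REQUEST)) or "OK")
```

Run check_pem on the text you are about to paste; if the only complaint is an over-long body line, rewrap_pem restores the layout without touching the encoded request, whereas a base64 error means characters were actually lost and the request must be copied again from the original file.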
Table 57 Certificate Information section components
Certificate Name: Name of the certificate. This name is only used internally.
Key Size: Size of the key associated with this certificate.
Start Date: The activation date for the certificate. The certificate cannot be used before the activation date.
Expiration: The expiration date for the certificate. The certificate cannot be used after the expiration date.
Issuer: Full information about the CA that issued the certificate.
Figure 78 Viewing the Certificate Installation section
NOTE: When multiple certificates are nested in one certificate, the certificate is installed as a certificate chain.
The following table describes the components of the Certificate Installation section.
Table 58 Certificate Installation section components
Certificate Name: Displays the name assigned to this certificate.
Key Size: Displays the key size associated with this certificate.
Figure 79 Viewing the Self Signed Certificate section
The following table describes the components of the Self Signed Certificate section.
Table 59 Self Signed Certificate section components
Certificate Name: The name of the certificate; this name is used internally by the SKM.
Key Size: The size of the key that will be generated.
Subject: Displays the values that will be used to create the certificate.
Table 60 Create Certificate Request section components
Certificate Name: Internal name of a newly generated CR. This name will be used when referring to this CR in other parts of the administrative interface. This field is required.
Common Name: Name of the application using this certificate. This field is required.
Organization Name: Name of the organization that owns this certificate. This field is optional.
Table 61 Import Certificate section components
Source: Specify the method for importing the certificate to the SKM. If you are uploading the certificate through the browser, select Upload from browser, then click Browse and locate the file on the local drive or network. If you are using FTP or SCP to copy the file to the SKM, select the appropriate option and enter the following information (prefer SCP; FTP sends the login credentials in the clear):
• Host: the source host.
• Filename: the name of the file on the source host.
Figure 82 Viewing the Trusted Certificate Authority List Profiles section
The following table describes the components of the Trusted Certificate Authority List Profiles section.
Table 62 Trusted Certificate Authority List Profiles section components
Profile Name: Displays the profiles available on this SKM.
Edit: Click Edit to change the name of a profile.
Add: Click Add to create a profile. A newly created profile is initially empty.
Figure 84 Viewing the Trusted Certificate Authority List (Edit Mode)
The following table describes the components of the Trusted Certificate Authority List section.
Table 64 Trusted Certificate Authority List components
Trusted CAs: The Trusted CAs window displays the list of CAs that are trusted. You can remove a CA from the list of Trusted CAs by selecting it in the Trusted CAs window and clicking Remove. You can select multiple CAs by holding down the Shift key while selecting.
Table 65 Local Certificate Authority List section components
CA Name: Displays the internal name of a certificate authority.
CA Information: Displays the common name, issuer, and expiration date of a CA.
CA Status: Displays the status of the CA.
Edit: Click Edit to edit the values of a CA.
Delete: Click Delete to remove a CA certificate from the list.
Download: Click Download to download the CA certificate onto your local machine.
Figure 86 Viewing the CA Certificate Information section
The following table describes the components of the CA Certificate Information section.
Table 66 CA Certificate Information section components
Certificate Name: Name of the certificate. This name is only used internally.
Key Size: Size of the key associated with this certificate.
Start Date: The activation date for the certificate. The certificate cannot be used before the activation date.
Figure 87 Viewing the Sign Certificate Request section
The following table describes the components of the Sign Certificate Request section.
Table 67 Sign Certificate Request section components
Sign with Certificate Authority: Select the CA that will sign the certificate request.
Certificate Purpose: Select where the certificate will be used, either on the client or the server.
Certificate Duration (days): Specify the period during which the certificate is valid.
Table 68 Signed Certificates section components
Serial Number: The serial number, expressed in base 16, is assigned by the SKM and used internally to refer to a certificate signed by a local CA. There is only one counter on the SKM, so serial numbers for certificates signed by local CAs are issued in numerical order regardless of which local CA signed the certificate. For example, a certificate signed by one local CA might get the serial number 0x7. Because the counter is shared, a serial number on its own does not tell you which local CA issued the certificate; when you look up or revoke a certificate, use the serial number together with the issuing CA.
Create Local CA
The Create Local CA section allows you to create a new local CA on the SKM. The fields are similar to those used to create a certificate on the Certificates page. When creating a local CA, you must provide a value for each field shown in the following graphic; otherwise you get an error.
Figure 90 Viewing the Create Local Certificate Authority section
The following table describes the components of the Create Local Certificate Authority section.
Table 69 Create Local Certificate Authority section components
Certificate Authority Name: Internal name of the newly generated certificate authority. This name is used when referring to this CA in other parts of the administrative interface.
Common Name: Common name of the new CA.
Organization Name: Name of the organization that owns this certificate authority.
Organizational Unit Name: Name of the unit within the organization generating the certificate authority.
Figure 91 Viewing the CA Certificate List section
The following table describes the components of the CA Certificate List section.
Table 70 CA Certificate List section components
Certificate Name: Displays the certificate name. Click this link to view the CA certificate information.
Certificate Information: Displays the certificate issuer and expiration date.
Figure 92 Viewing the Install CA Certificate section
The following table describes the components of the Install CA Certificate section.
Table 71 Install CA Certificate section components
Certificate Name: Enter the certificate name.
Certificate: Paste the contents of the certificate.
Install: Click Install to install the CA.
A CA installed here can become a trust anchor for client and server authentication on the SKM, so verify the pasted certificate's fingerprint against a value obtained out of band before clicking Install.
Support for Certificate Revocation Lists
Certificate Authorities regularly publish a list of certificates that have been revoked by that CA.
certificates revoked by local CAs. The format of CRLs exported by the SKM is PEM-encoded X.509.
Auto-Update
Each CA promises to update its CRL at the day and time specified in the Next Update field of that CRL. When you enable the Auto-Update feature, at 5:00 AM every day the SKM inspects the Next Update value for the CRL associated with each CA on the SKM. Because the check runs once a day, a revocation published shortly after 5:00 AM is not picked up automatically until the next day; if that window is too long for your environment, update the CRL manually after a revocation.
Using advanced security features
Advanced security features provide the highest level of secure operation on the SKM. This section discusses the following topics:
• Advanced Security Overview
• High Security Configuration Page
• FIPS Status Server Page
• SSL Overview
• SSL Sections
Advanced Security overview
Use the Advanced Security settings on the SKM to set the highest level of security for administrative and cryptographic operations on the device.
Clustering: Clustering FIPS-compliant devices with non-FIPS-compliant devices disables FIPS for all devices in the cluster.
Backups: FIPS and non-FIPS devices cannot share backups.
FIPS Self-Test: To run a FIPS self-test on the SKM, power-cycle the device.
Software Patches and Upgrades: HP will indicate which software patches and upgrades are FIPS certified. Apply only FIPS certified software to a FIPS-compliant device. Doing otherwise takes the device out of FIPS compliance.
Table 72 FIPS Compliance section components
Is FIPS Compliant: Indicates whether the SKM's security configuration is consistent with FIPS Level 2 requirements. You cannot edit this field. If this value is Yes, the Set FIPS Compliant button is not enabled.
Set FIPS Compliant: Click Set FIPS Compliant to alter the settings shown in the High Security Settings and Security Settings Configured Elsewhere sections and enable FIPS compliance.
Table 73 High Security Settings section components
Disable Creation and Use of Global Keys: Disables the ability to create and use global keys. Once this option is selected, global keys cannot be created on the SKM, and existing global keys are not usable by the SKM for any purpose. While the device is FIPS-compliant, you may still assign an owner to an existing global key.
Prevents the creation or use of algorithms and key sizes that are not FIPS-compliant.
IMPORTANT: Modifying any of the items in the Security Settings Configured Elsewhere section immediately takes the SKM out of FIPS compliance.
Figure 95 Viewing the Security Settings Configured Elsewhere section
The following table describes the components of the Security Settings Configured Elsewhere section.
1. View the security protocols enabled on your Internet browser. You must enable TLS 1.0 to access the Management Console while FIPS-compliant. (TLS 1.0 has since been deprecated by RFC 8996 and current browsers disable it by default, so this step may require an explicit browser setting.)
2. Log in to the Management Console as an administrator with SSL, Advanced Security, and KMS Server access controls.
3. Navigate to the High Security Configuration page (Security > High Security).
4. Confirm that the Is FIPS Compliant value is "No" in the FIPS Compliance section.
Table 75 FIPS Status Server tests
Test             Power-on  Conditional  Description
AES Encryption   X                      Known Answer Test for the AES algorithm. This test is performed at power-on.
DES Encryption   X                      Known Answer Test for the DES algorithm. This test is performed at power-on.
DSA Encryption   X                      Known Answer Test for the DSA algorithm (DSA is a signature algorithm, not an encryption algorithm, despite the label). This test is performed at power-on.
HMAC Algorithm   X                      Known Answer Test for the HMAC algorithm. This test is performed at power-on.
Figure 96 Viewing the FIPS Status Report: normal
The following table describes the components of the FIPS Status Report.
Table 76 FIPS Status Report components
Product: Displays the model of your device.
Unit ID: The Unit ID is composed of alphanumeric characters.
Hostname: The hostname is the name used to identify the SKM on the network.
IP Address(es): This field specifies the IP address(es) on which the KMS Server is enabled on the SKM.
Device State: Indicates the current state of the device, either normal or error.
Figure 97 Viewing the FIPS Status Server Settings section
The following table describes the components of the FIPS Status Server Settings section.
Table 77 FIPS Status Server Settings section components
Enable FIPS Status Server: Select this option to enable the FIPS Status Server on this device. This requires the Security ACL.
Local IP: Select the IP addresses on which the FIPS Status Server is enabled on the SKM.
In this scenario, the client application indicates that it is willing to perform an SSL resume (rather than a full handshake) by sending a previously negotiated session ID in the ClientHello message. The SKM checks that it still holds the session key for the given session ID. If so, it acknowledges that it is willing to resume the session by echoing the same session ID in the ServerHello message. Otherwise, the SKM responds with a new session ID and a full handshake follows.
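The exchange above, modelled as an added example (not SKM code): a server-side session cache that takes a ClientHello and decides between resuming and a full handshake. The message classes, the cache bound, and the use of os.urandom for IDs and secrets are assumptions; the decision rule is the one the text states.

```python
"""Server side of SSL session resumption: resume only if the server still holds
the key for the offered session ID, otherwise issue a fresh ID.

Added example, not SKM code. Message shapes, cache bound and random source
are assumptions.
"""
import os
from collections import OrderedDict

SESSION_ID_LEN = 32      # assumption: always issue the maximum-length (32-byte) ID
MASTER_SECRET_LEN = 48


class ClientHello:
    def __init__(self, session_id=b""):
        # An empty session_id means the client asks for a full handshake.
        self.session_id = session_id


class ServerHello:
    def __init__(self, session_id, resumed):
        self.session_id = session_id
        self.resumed = resumed


class SessionCache:
    """Bounded LRU cache of session ID -> master secret, as a server keeps it."""

    def __init__(self, max_entries=1024, rng=os.urandom):
        self.max_entries = max_entries
        self._rng = rng
        self._sessions = OrderedDict()

    def handle_client_hello(self, hello):
        offered = hello.session_id
        if offered and offered in self._sessions:
            # Resume: echo the same ID; the cached master secret is reused.
            self._sessions.move_to_end(offered)
            return ServerHello(offered, resumed=True)
        # Unknown, evicted or empty ID: full handshake with a fresh random ID.
        # The ID must be unpredictable; a guessable ID would let a third party
        # attempt to resume someone else's session.
        new_id = self._rng(SESSION_ID_LEN)
        self._sessions[new_id] = self._rng(MASTER_SECRET_LEN)
        if len(self._sessions) > self.max_entries:
            self._sessions.popitem(last=False)      # evict least recently used
        return ServerHello(new_id, resumed=False)

    def invalidate(self, session_id):
        """Drop a session, for example after a fatal alert on that connection."""
        self._sessions.pop(session_id, None)

    def knows(self, session_id):
        return session_id in self._sessions


def demo():
    """Full handshake, a successful resume, and a resume attempt with a forged ID."""
    server = SessionCache()
    first = server.handle_client_hello(ClientHello())
    resumed = server.handle_client_hello(ClientHello(first.session_id))
    forged = server.handle_client_hello(ClientHello(b"\x00" * SESSION_ID_LEN))
    return first, resumed, forged
```

A real server also expires cached sessions after a fixed time, so a captured session ID cannot be replayed indefinitely; the bound here only covers cache size.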
Figure 98 Viewing the SSL Options section
NOTE: Changes to the SSL Options cause the KMS Server to restart, which takes the KMS offline for a few seconds.
The following table describes the components of the SSL Options section.
Table 78 SSL Options section components
Allowed Protocols: The Allowed Protocols field allows you to specify which versions of SSL and TLS are enabled on the SKM. Leave SSL 2.0 and SSL 3.0 disabled unless a specific legacy client requires them; both have known protocol-level weaknesses and have since been prohibited (RFC 6176 and RFC 7568). The supported protocols are:
• SSL 2.0 (Secure Sockets Layer version 2.
CAUTION: Exercise caution when modifying the SSL Cipher Order. Unless you are familiar with SSL Ciphers, you should not rearrange the Cipher Order list. Changes to the list may affect both performance and security. Click Restore Defaults to reset the list to the original settings. Figure 99 Viewing the SSL Cipher Order section The following table describes the components of the SSL Cipher Order section.
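An offline check to run over an Allowed Protocols / SSL Cipher Order configuration before applying it (or after Restore Defaults), as an added example that is not SKM code. It assumes the protocol names as they appear in the table and OpenSSL-style cipher suite names; the list of what counts as weak is the editor's current-day view, not the appliance's.

```python
"""Sanity check for SSL Options and SSL Cipher Order settings.

Added example, not SKM code. Assumes protocol names as shown in the table and
OpenSSL-style cipher suite names; the weak-suite markers are the editor's.
"""

WEAK_PROTOCOLS = {"SSL 2.0", "SSL 3.0"}

# Substrings that mark suites with no authentication (ADH/AECDH), no or
# export-grade encryption (NULL/EXP), single DES, RC4 or MD5. "DES-CBC-"
# matches single DES but not the 3DES suites, which are named DES-CBC3-*.
WEAK_MARKERS = ("NULL", "EXP", "ADH", "AECDH", "DES-CBC-", "RC4", "MD5")


def is_weak_cipher(name):
    return any(marker in name for marker in WEAK_MARKERS)


def check_ssl_options(allowed_protocols, cipher_order):
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    for proto in allowed_protocols:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"{proto} is enabled; disable it unless a legacy client requires it")
    weak = [c for c in cipher_order if is_weak_cipher(c)]
    for c in weak:
        findings.append(f"weak cipher suite enabled: {c}")
    if weak:
        # With server-side ordering, the first suite in this list that the
        # client also offers is chosen, so a weak suite placed above a strong
        # one wins whenever the client offers both.
        first_weak = cipher_order.index(weak[0])
        demoted = [c for c in cipher_order[first_weak:] if not is_weak_cipher(c)]
        if demoted:
            findings.append("strong suites ordered below a weak suite: " + ", ".join(demoted))
    return findings
```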
Configuring the KMS Server The HP StorageWorks Secure Key Manager allows you to off-load cryptographic operations from application servers and other back-end devices to the SKM. Clients, such as application servers and databases, make requests to the KMS Server to perform cryptographic operations.
When the client requests that the server generate a new key, it can specify that the key should be exportable and/or deletable. An exportable key is a key that a client can export from the server. Once a key is generated as exportable, it can be exported only by the owner and any members of a group with the “Export” permission for that key. A deletable key is a key that the client can delete from the server. Once a key is generated as deletable, only the owner of the key can delete the key.
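The export and delete rules just described, encoded as an authorization check. This is an added example, not SKM code: the data structures (a key's owner and flags, a group's members, the per-key group permissions) and the sample users in the usage are assumptions.

```python
"""Who may export or delete a client-generated key, per the rules in the text:
export by the owner or by members of a group holding "Export" on that key,
only if the key was generated exportable; delete only by the owner, only if
the key was generated deletable.

Added example, not SKM code. Data structures are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Key:
    name: str
    owner: str
    exportable: bool     # fixed when the client asks the server to generate the key
    deletable: bool


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)


@dataclass
class KeyStore:
    groups: dict                 # group name -> Group
    group_permissions: dict      # key name -> {group name: set of permissions}

    def can_export(self, user, key):
        """Owner always; group members only with "Export" on that key; nobody,
        not even the owner, if the key was not generated as exportable."""
        if not key.exportable:
            return False
        if user == key.owner:
            return True
        for group_name, perms in self.group_permissions.get(key.name, {}).items():
            group = self.groups.get(group_name)
            if group is not None and user in group.members and "Export" in perms:
                return True
        return False

    def can_delete(self, user, key):
        """Only the owner, and only if the key was generated as deletable."""
        return key.deletable and user == key.owner
```

Note that group permissions never extend to deletion: the text gives that right to the owner alone.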
Table 80 KMS Server Settings section components
This field specifies the IP address(es) on which the KMS Server is enabled on the SKM. The drop-down box lists all IP addresses bound to the SKM.
IMPORTANT: We strongly recommend that you select a specific IP address instead of specifying [All]. Binding to [All] exposes the KMS Server on every interface of the appliance, including any interface intended only for management or cluster traffic.
Figure 101 Viewing the KMS Server Authentication Settings section The following table describes the elements of the KMS Server Authentication Settings section.
Table 81 KMS Server Authentication Settings section components
User Directory: This field determines whether the KMS Server uses the local users and groups directory for this device or a central LDAP server.
NOTE: You can only choose one user directory at a time; if you choose LDAP, any local users or groups you define are unavailable.
Password Authentication: This field determines whether you require users to provide a username and password to access the KMS Server.
User Account Lockout Settings
Use the User Account Lockout Settings section to manage an account lockout policy.
Figure 102 Viewing the User Account Lockout Settings section
The following table describes the components of the User Account Lockout Settings section.
Table 82 User Account Lockout Settings section components
Enable Account Lockout: Indicates whether the feature is enabled. When not enabled, users can make unlimited attempts to log in to an account, which leaves password authentication open to online guessing.
Health Check
Use the Health Check section to enable the health check feature, and set the port and IP address.
Figure 103 Viewing the Health Check section
The following table describes the components of the Health Check section.
Table 83 Health Check section components
Enable Health Check: A check mark in this box indicates that the Health Check feature is enabled.
In this field you specify the IP address on which you want to listen for health check requests.
the failure in the System Log and sends an SNMP trap indicating that the cluster is out of sync. Once a device is out of sync, an administrator must synchronize it manually.
During synchronization, an SKM inherits a new list of local CAs from the cluster. The device's old list of local CAs is deleted. Should you need to access a deleted local CA, you can restore the automatic synchronization backup. Before joining a device to a cluster, check whether any client or server certificates in use were issued by a local CA that exists only on that device: after synchronization that CA is gone from the appliance, and it can no longer sign or revoke certificates unless it is restored from the backup.
NOTE: When upgrading from a previous release, local CA replication is disabled by default.
Table 84 Cluster Members section components
Server IP: The IP of the member device.
Server Port: The port on which the device listens for cluster administration requests.
CAUTION: The cluster port (typically 9001) must be different from the KMS Server port (typically 9000).
Status: The device's current status. Valid values are:
• Active: The device is currently connected to the cluster.
• Inactive: The device is currently not connected to the cluster.
Table 85 Cluster Settings section components
Local IP: The IP of the current device. If the device has multiple network interfaces, the pull-down menu lists all available interfaces.
Local Port: The port on which the device listens for cluster administration requests.
CAUTION: The cluster port (typically 9001) must be different from the KMS Server port (typically 9000).
Cluster Password: The password for the cluster.
Table 86 Create Cluster section components
Local IP: The IP of the current device. If the device has multiple network interfaces, the pull-down menu lists all available interfaces.
Local Port: The port on which the device listens for cluster administration requests.
CAUTION: The cluster port (typically 9001) must be different from the KMS Server port (typically 9000).
Cluster Password: The password for the cluster.
Table 87 Join Cluster section components
Local IP: The IP of the current device. If the device has multiple network interfaces, the pull-down menu lists all available interfaces.
Local Port: The port on which the device listens for cluster administration requests.
CAUTION: The cluster port (typically 9001) must be different from the KMS Server port (typically 9000).
Cluster Member IP: The IP of another member in the cluster.
NOTE: Synchronizing the time causes the KMS Server to restart if the time change is greater than one minute. While restarting, the KMS Server is unavailable for a brief time ranging from a few seconds to half a minute. Date & Time Configuration Page The Date & Time Configuration page enables you to view and edit the date and time settings on the SKM and manage NTP communications.
NOTE: Any change to the Date and Time Settings section causes the KMS Server to restart, which takes the KMS offline for a few seconds. NTP Settings Use the NTP Settings section to enable NTP, establish the NTP servers, set a polling interval, and synchronize the SKM on demand. Figure 109 Viewing the NTP Settings section The following table describes the components of the NTP Settings section.
• Port Speed Sections
• IP Authorization Procedures
Network Interfaces sections
The Network Configuration page contains the following network interface-related section:
• Network Interface List
Network Interface List
Network Interface settings are viewed and modified from the Network Interfaces tab on the Network Configuration page. Use the Network Interface List section to view and set network interfaces for the SKM.
Figure 111 Viewing the Default Gateway List section
The following table describes the components of the Default Gateway List section.
Table 91 Default Gateway List section components
Interface: The network interface to which the default gateway is associated.
Default Gateway: The IP address associated with the server that routes all packets destined for a remote host. A blank Default Gateway indicates that no default gateway exists.
All responses to incoming packets leave from 10.20.41.1, except the responses to incoming packets from the 172.17.7.0 addresses (the local subnet of Ethernet #1). Those responses leave from the Ethernet #1 interface. All connections initiated by the SKM appliance leave from 10.20.41.1.
Example 3
Interface     Default Gateway   Used for Outgoing Connections
Ethernet #1   172.17.7.1        yes
Ethernet      10.20.41.
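The interface-selection rule described above (replies to an on-link peer leave via that interface; all other replies and all SKM-initiated connections leave via the default gateway of the interface used for outgoing connections), as an added example that is not SKM code. The topology is constructed from the text: the /24 prefixes, the interface addresses and the name of the second interface are assumptions, and the asymmetric-path check is an addition.

```python
"""Egress interface and next hop for a multi-homed SKM, per the rule in the text.

Added example, not SKM code. Addresses, prefixes and the second interface's
name are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    address: str            # interface address with prefix, e.g. "172.17.7.10/24"
    default_gateway: str    # "" when no default gateway is configured
    used_for_outgoing: bool

    @property
    def network(self):
        return ipaddress.ip_interface(self.address).network


def outgoing_interface(interfaces):
    chosen = [i for i in interfaces if i.used_for_outgoing and i.default_gateway]
    if len(chosen) != 1:
        raise ValueError("exactly one interface must carry the default route")
    return chosen[0]


def egress_for_response(interfaces, peer_ip):
    """(interface name, next hop) for a reply to an incoming packet from peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    for iface in interfaces:
        if peer in iface.network:
            return iface.name, str(peer)        # on-link peer: deliver directly
    out = outgoing_interface(interfaces)
    return out.name, out.default_gateway


def egress_for_initiated(interfaces):
    """Connections the SKM opens itself (LDAP, syslog, NTP, cluster) use the default route."""
    out = outgoing_interface(interfaces)
    return out.name, out.default_gateway


def reply_is_asymmetric(interfaces, ingress_name, peer_ip):
    """True if a packet that arrived on `ingress_name` would be answered on a
    different interface. A stateful firewall or strict reverse-path filter on
    the path will typically drop such replies, so this is the case to avoid."""
    return egress_for_response(interfaces, peer_ip)[0] != ingress_name


# Constructed topology modelled on the text: Ethernet #1 on 172.17.7.0/24 with
# gateway 172.17.7.1, and a second interface whose gateway 10.20.41.1 carries
# the default route used for outgoing connections.
EXAMPLE_INTERFACES = (
    Interface("Ethernet #1", "172.17.7.10/24", "172.17.7.1", used_for_outgoing=False),
    Interface("Ethernet #2", "10.20.41.10/24", "10.20.41.1", used_for_outgoing=True),
)
```

The practical consequence is the asymmetric case: a KMS client on a remote network that reaches the appliance through Ethernet #1 gets its replies via Ethernet #2, which any stateful device between them must be prepared for.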
Figure 112 Viewing the Static Route List section
The following table describes the components of the Static Route List section.
Table 92 Static Route List section components
IP Address: The address that you are trying to reach with this route. Valid values are IP or network addresses "matching" the specified Subnet Mask.
Subnet Mask: The network mask associated with the IP Address/Network needed to identify the destination. Valid values are any subnet mask address.
Table 93 Hostname Setting section components
Hostname: The hostname is the name used to identify the SKM on the network. It is originally assigned during initial configuration. This string cannot be longer than 64 characters.
Edit: Click Edit to modify the Hostname field.
DNS Server List
Domain Name Service (DNS) settings are viewed and modified in the DNS Server List section on the DNS tab of the Network Configuration page.
CAUTION: The Port Speed/Duplex setting is an advanced feature that should only be used when you are certain of the port speed and duplex settings of the network device communicating with the SKM. Potential performance degradation can result if these settings do not match. We recommend that you leave the port speed and duplex setting on the SKM at Auto-Negotiate unless you know the settings of the network device it is communicating with.
Figure 116 Viewing the IP Authorization Settings section
The following table describes the components of the IP Authorization Settings section.
Table 96 IP Authorization Settings section components
KMS Server: You can grant all IPs access to the server, or you can grant access only to the IPs listed in the Allowed Client IP Addresses section.
Table 97 Allowed Client IP Addresses section components
IP Address, Range or Subnet: Enter IP addresses in the following formats:
• single IP address (192.168.1.60)
• a range of IPs (192.168.1.70 - 192.168.1.80)
• an IP and subnet (192.168.100.0/255.255.255.0)
• an IP and subnet in CIDR format (192.168.200.0/24)
KMS Server: Select to grant access to the KMS Server.
Web Administration: Select to grant access to the Management Console.
IP authorization narrows which addresses can reach a service; it complements, but does not replace, certificate or password authentication of the client.
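A parser for the four entry formats above and the check a client address goes through, as an added example that is not SKM code. It uses only the standard library; the way the allow list and its per-service checkboxes are represented (a list of (entry, set of services) pairs) is an assumption, and the sample list is constructed from the formats in the table.

```python
"""Parse Allowed Client IP Addresses entries and test a client against them.

Added example, not SKM code. The (entry, services) representation and the
sample list are assumptions.
"""
import ipaddress


class _Range:
    """Inclusive address range, e.g. 192.168.1.70 - 192.168.1.80."""

    def __init__(self, low, high):
        if low > high:
            raise ValueError(f"range start {low} is above range end {high}")
        self.low, self.high = low, high

    def __contains__(self, ip):
        return self.low <= ip <= self.high


def parse_allowed_entry(text):
    """Return an object supporting `ip in obj` for one allow-list entry."""
    entry = text.strip()
    if "-" in entry:                                   # "A - B" range
        low, high = (p.strip() for p in entry.split("-", 1))
        return _Range(ipaddress.IPv4Address(low), ipaddress.IPv4Address(high))
    if "/" in entry:                                   # net/mask or net/prefix
        # strict=True (the default) rejects host bits set, e.g. 192.168.100.5/24,
        # so an ambiguous entry is refused instead of silently widened.
        return ipaddress.IPv4Network(entry)
    return ipaddress.IPv4Network(entry + "/32")        # single address


def is_client_allowed(client_ip, allow_list, service, allow_all=False):
    """allow_list: iterable of (entry text, set of services the entry grants).
    service: "KMS Server" or "Web Administration", the two checkboxes in the table."""
    if allow_all:
        return True
    ip = ipaddress.IPv4Address(client_ip)
    return any(service in services and ip in parse_allowed_entry(entry)
               for entry, services in allow_list)


# Constructed allow list using the four formats listed in the table.
SAMPLE_ALLOW_LIST = [
    ("192.168.1.60", {"KMS Server"}),
    ("192.168.1.70 - 192.168.1.80", {"KMS Server", "Web Administration"}),
    ("192.168.100.0/255.255.255.0", {"KMS Server"}),
    ("192.168.200.0/24", {"Web Administration"}),
]
```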
SNMPv1/v2 rely on the concept of a community to provide a low level of security for communications between the NMS and agent. In an SNMPv1/v2 deployment, each SNMP request packet includes a community name, which is similar to a password and is associated with a certain MIB access level. When the SKM receives a request, the agent looks for the community name in its table. The community name travels in cleartext in every packet, so anyone who can observe the traffic learns it; restrict the source addresses for each community, and prefer SNMPv3 with authentication and privacy where the NMS supports it.
Community: A community, also referred to as a community string, is used by the agent when it is communicating with an NMS running SNMPv1/v2. A community functions more like a password than its name suggests. In combination with the IP address/subnet mask specified for a community, the community name determines from where the SKM accepts a request for information. A community should be defined on both the agent and the NMS.
Table 98 SNMP Agent Settings section components
SNMP Agent IP: This field specifies the IP address on which SNMP is enabled. You can select "All" or an individual IP address. We recommend that you specify an individual IP address.
SNMP Agent Port: This value specifies the port on which the SKM listens for requests from the NMS. The default is 161.
Enable SNMP Traps: By default, the SKM does not send SNMP traps. To enable the sending of SNMP traps, check the Enable SNMP Traps box.
Table 99 SNMPv1/SNMPv2 Community List section components
Community Name: Community names can contain only alphanumeric characters and punctuation marks; they cannot contain non-printing characters or whitespace. Community names cannot exceed 64 characters. Do not reuse well-known defaults such as public or private.
Source IP/Subnet Mask(s): IP address(es) allowed to access the agent. You can enter a specific IP address range, or you can enter a value of "any". Avoid "any": together with a guessed community name it lets any host on the network query the agent.
Table 100 SNMPv3 Username List section components
Username: The username defines from whom the SKM accepts SNMP messages, and it is one of many elements used to create a key that is shared between the NMS and agent. Usernames can contain only alphanumeric characters and punctuation marks; they cannot contain non-printing characters or whitespace.
Security Level: You have three choices for the security level:
• auth, priv – authentication and privacy (messages are both authenticated and encrypted; use this level wherever the NMS supports it).
Table 101 SNMP Management Station List section components
Manager Type: The SNMP version used on the NMS. All three versions of SNMP are supported on the SKM.
Trap Type: Specifies whether this NMS is configured to receive Trap or Inform messages.
NOTE: We recommend that you always use Inform messages. Unlike a trap, an Inform is acknowledged by the NMS and can be retransmitted if no acknowledgment arrives, so a lost notification does not go unnoticed.
Hostname or IP: The hostname or IP address of the NMS.
Port: Port on which the NMS is listening for SNMP traffic. The default is 162.
Table 102 SNMP Management Station Properties section components
Manager Type: The SNMP version used on the NMS. All three versions of SNMP are supported on the SKM.
Trap Type: Specifies whether this NMS is configured to receive Trap or Inform messages.
NOTE: We recommend that you always use Inform messages.
Hostname or IP: The hostname or IP address of the NMS.
Port: Port on which the NMS is listening for SNMP traffic. The default is 162.
Figure 123 Viewing the Create SNMP Management Station section The following table describes the components of the Create SNMP Management Station section.
Table 103 Create SNMP Management Station section components
Manager Type: The SNMP version used on the NMS. All three versions of SNMP are supported on the SKM.
Trap Type: Specifies whether this NMS is configured to receive Trap or Inform messages.
NOTE: We recommend that you always use Inform messages.
Hostname or IP: The hostname or IP address of the NMS.
Port: Port on which the NMS is listening for SNMP traffic. The default is 162.
• KMS Server Statistics. KMS Server statistics are available through the MIBs; for each statistic set, you can view the following: current requests per second, maximum requests per second, successful operations, and failed operations.
• Multiple Credentials Overview
• Multiple Credentials Sections
• Multiple Credentials Procedures
• Remote Administration Settings Overview
• Remote Administration Settings Sections
Administrator overview
An administrator is a user who can configure and manage the SKM appliance. This is done using the Management Console and the Command Line Interface (CLI). An administrator's access control settings determine which features can be configured and which operations can be performed.
Using multiple administrator accounts Most likely, you will want to create multiple administrators. When doing so, you should assign access controls that mirror your organization’s procedures. For example, if you separate the tasks of key management, system backup, and device configuration, you’ll want to create unique administrators for each of those roles. When creating an administrator, you should assign the minimum amount of access controls needed.
WARNING! It is absolutely crucial that you remember the passwords for all of your local administrators. For security reasons, there is no way to reset a local administrator’s password without logging into the SKM appliance as a High Access Administrator. If you lose or forget the passwords for all administrator accounts, you cannot configure the SKM appliance, and you must ship it back to have the software reinstalled. All keys and configuration data will be unrecoverable.
If you use LDAP administrators predominantly, at least one local administrator account must always exist, and that local administrator must be a High Access Administrator. This local High Access Administrator is needed in the event that connectivity to the LDAP server is lost, or if all administrator accounts on the LDAP server are removed or renamed.
Create LDAP Administrator
The Create Local Administrator and Create LDAP Administrator sections are the same except that the Create LDAP Administrator section requires only a Username (passwords are administered on the LDAP server) and provides a Browse button to browse for specific users in the LDAP directory.
Figure 124 Viewing the Create LDAP Administrator section
The following table describes the components of the Create LDAP Administrator section.
Table 104 Create LDAP Administrator section components
Username: Enter the login name the administrator uses to access the SKM.
Browse: Click to access the Select LDAP Username section.
Access Control – Security Configuration: Access control options related to device security configuration.
• Keys and Authorization Policies: Create, modify and delete keys and establish authorization policies.
Select LDAP Username
The Select LDAP Username section enables you to browse and select an LDAP user when creating an LDAP administrator account.
Figure 125 Viewing the Select LDAP Username section
Table 105 Select LDAP Username section components
Username: Select a username from the list to create the LDAP administrator. Click a username to select the user and return to the Create LDAP Administrator section.
Password expiration The password expiration feature allows you to specify a duration for administrator passwords. By default, this feature is disabled. When an administrator password expires, the system forces that administrator to create a new password after logging in with the expired password. (If the administrator is currently logged in when the password expires, that session continues as normal.
Document the password policy and communicate it to all appropriate parties including security officers and other corporate personnel. Password Management sections The Password Management sections on the Administrator Configuration page let administrators change their own password, manage administrator password features, and set additional constraints for all passwords on the SKM.
NOTE: These settings do not apply to LDAP administrator passwords. LDAP administrator passwords are not subject to any of the constraints that apply to other passwords on the SKM appliance, so enforce an equivalent policy (length, complexity, expiration, lockout) on the LDAP server itself.
Figure 127 Viewing the Password Settings for Local Administrators section
The following table describes the components of the Password Settings for Local Administrators section.
NOTE: Changes made to this section (with the exception of the Password Expiration feature) apply to passwords created after the changes are saved. For example, if all administrator passwords are 8 characters long, and you change the minimum password length to 12 characters, the administrators do not have to immediately change their passwords. Rather, the next time your administrators change their passwords, they must comply with the new rules.
NOTE: Credential grants cannot be inherited. An administrator can grant only their own credentials, and a grant goes to one named administrator.
An administrator can grant credentials for the following operations:
• Add/Modify keys
• Delete keys
• Add/Modify users and groups
• Delete users and groups
• Affect authorization policies
• Modify LDAP settings for users and groups
Administrators that are not normally permitted to execute any of these operations cannot grant credentials for them; those options are unavailable.
4. Enable the multiple credentials feature for the cluster by enabling the feature for one device within the cluster.
Table 108 Multiple Credentials for Key Administration section components
Require Multiple Credentials: Select this checkbox to enable the multiple credentials feature. You must have High Access Administrator access control to enable this feature. Deselect this checkbox to disable the multiple credentials feature. Disabling multiple credentials is governed by the same rules as the operations that require multiple credentials.
Figure 130 Viewing the Grant a Credential section
The following table describes the components of the Grant a Credential section.
Table 110 Grant a Credential section components
Grant to: Enter the name of the administrator to whom you grant your credentials.
Duration (in minutes): Enter the length of the grant in minutes. This duration cannot be longer than the Maximum Duration for Time-Limited Credentials established in the Multiple Credentials for Key Administration section.
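The grant rules from the multiple-credentials note earlier (credentials cannot be inherited, only operations the grantor holds can be granted, a grant names one administrator) and the duration limit from the table above, as a small model. This is an added example, not SKM code: the store, the clock (plain minutes) and the number of distinct credentials an operation needs (assumed to be two) are assumptions.

```python
"""Model of time-limited credential grants for key administration.

Added example, not SKM code. Store layout, clock and the required count of
two credentials are assumptions; the rules are the ones the guide states.
"""
from dataclasses import dataclass, field

OPERATIONS = frozenset({
    "Add/Modify keys", "Delete keys",
    "Add/Modify users and groups", "Delete users and groups",
    "Affect authorization policies", "Modify LDAP settings for users and groups",
})


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    operations: frozenset
    expires_at: float       # minutes, on the same clock as `now` below


@dataclass
class CredentialStore:
    max_duration_min: int
    permissions: dict                      # admin -> set of operations held outright
    grants: list = field(default_factory=list)

    def grant(self, grantor, grantee, operations, duration_min, now):
        ops = frozenset(operations)
        if not ops <= OPERATIONS:
            raise ValueError(f"unknown operation(s): {sorted(ops - OPERATIONS)}")
        # Only credentials held outright can be granted. Received grants are
        # deliberately not consulted here, so a grant cannot be inherited or
        # passed on by its recipient.
        if not ops <= self.permissions.get(grantor, set()):
            raise PermissionError(f"{grantor} cannot grant {sorted(ops)}")
        if grantor == grantee:
            raise ValueError("a credential is granted to another administrator")
        if not 0 < duration_min <= self.max_duration_min:
            raise ValueError(f"duration must be 1..{self.max_duration_min} minutes")
        g = Grant(grantor, grantee, ops, now + duration_min)
        self.grants.append(g)
        return g

    def credentials_for(self, admin, operation, now):
        """Distinct administrators whose credential covers `operation` for `admin`
        at time `now`: the admin's own, plus unexpired grants made to them."""
        holders = set()
        if operation in self.permissions.get(admin, set()):
            holders.add(admin)
        for g in self.grants:
            if g.grantee == admin and operation in g.operations and now < g.expires_at:
                holders.add(g.grantor)
        return holders

    def may_perform(self, admin, operation, now, required=2):
        return len(self.credentials_for(admin, operation, now)) >= required
```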
Remote Administration Settings The Remote Administration Settings section is shown here. Figure 131 Viewing the Remote Administration Settings section The following table describes the components of the Remote Administration Settings section.
Table 111 Remote Administration Settings section components
Web Admin Server IP: The Web Admin Server IP address is the local IP address used to configure the SKM via the Management Console. You can select one specific IP address or you can select all of the IP addresses bound to the SKM. The URL used to connect to the Management Console is: https://IP-address:port.
CAUTION: We strongly recommend that you limit the Web Admin Server IP to a specific IP address.
Web Admin Server Port
LDAP Administrator Server You configure LDAP servers for administrators separately from LDAP servers for users. This allows for greater flexibility, and simplifies cluster replication, since administrators and users are separately replicated. An LDAP account cannot be designated as an administrator if there is already a local administrator account with the same username.
Figure 132 Viewing LDAP Administrator Server Properties section
Table 112 LDAP Administrator Server Properties section components
Hostname or IP Address: The hostname or IP address of the primary LDAP server.
Port: The port on which the LDAP server is listening. LDAP servers typically use port 389.
Use SSL: By default the SKM appliance connects directly to the LDAP server over TCP. Check this box to use SSL between the device and the LDAP server. Without it, credentials and directory data cross the network unencrypted, so enable SSL whenever the LDAP server supports it.
Figure 133 Viewing LDAP Schema Properties section
Table 113 LDAP Schema Properties section components
User Base DN: The base distinguished name (DN) from which to begin the search for usernames.
User ID Attribute: The attribute type for the user on which to search. The attribute type you choose must result in globally unique users.
User Object Class: Used to identify records of users that can be used for authentication.
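The user lookup that the three schema properties above define, as an added example that is not SKM code. It shows the two checks that matter for security: the username is escaped per RFC 4515 before it is placed in the search filter, so a name typed at login cannot alter the query, and the search must return exactly one entry, which is why the User ID Attribute has to be unique. The in-memory directory, attribute names and DNs are constructed.

```python
"""Build the LDAP user search from User Base DN, User ID Attribute and
User Object Class, with RFC 4515 escaping and a uniqueness check.

Added example, not SKM code. Directory contents and names are constructed.
"""
import re

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute descriptors as names only; numeric OIDs are not accepted here.
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _check_attr(name):
    if not _ATTR_NAME.match(name):
        raise ValueError(f"invalid attribute name {name!r}")


def build_user_filter(user_object_class, user_id_attribute, username):
    """The filter that would be sent to the server for a subtree search."""
    _check_attr(user_id_attribute)
    return (f"(&(objectClass={escape_filter_value(user_object_class)})"
            f"({user_id_attribute}={escape_filter_value(username)}))")


def search_users(directory, base_dn, user_object_class, user_id_attribute, username):
    """Equivalent of that subtree search, run against an in-memory list of
    entries (dict of attribute -> list of values, plus "dn"). Exact match only:
    a username of "*" matches nothing, just as the escaped filter would."""
    _check_attr(user_id_attribute)
    suffix = "," + base_dn.lower()
    hits = []
    for entry in directory:
        dn = entry["dn"]
        if not dn.lower().endswith(suffix):
            continue
        if user_object_class not in entry.get("objectClass", []):
            continue
        if username in entry.get(user_id_attribute, []):
            hits.append(dn)
    return hits


def resolve_admin_dn(directory, base_dn, user_object_class, user_id_attribute, username):
    """Exactly one entry, or the login is refused: the uniqueness the table requires."""
    hits = search_users(directory, base_dn, user_object_class, user_id_attribute, username)
    if len(hits) != 1:
        raise LookupError(f"expected one entry for {username!r}, found {len(hits)}")
    return hits[0]


# Constructed directory: two people share a mail address, so "mail" is a bad
# choice of User ID Attribute while "uid" is a good one.
SAMPLE_DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "objectClass": ["inetOrgPerson"],
     "uid": ["alice"], "mail": ["ops@example.com"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "objectClass": ["inetOrgPerson"],
     "uid": ["bob"], "mail": ["ops@example.com"]},
    {"dn": "cn=svc-backup,ou=services,dc=example,dc=com", "objectClass": ["applicationProcess"],
     "cn": ["svc-backup"]},
]
```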
Figure 134 Viewing the LDAP Failover Server Properties section
Table 114 LDAP Failover Server Properties section components
Failover Hostname or IP Address: The hostname or IP address of the LDAP server to use as the failover.
Failover Port: The port on which the LDAP server is listening.
Edit: Click to modify the properties.
Clear: Click to remove the current properties.
LDAP Test: Click to test the LDAP connection after you have defined an LDAP server.
Your rotation schedule can be set to automatically rotate logs on a daily, weekly, or monthly basis, at any time of day. The system maintains these settings for each log type; your Activity and Audit logs, for example, can adhere to different schedules. By specifying a maximum log file size, you can ensure that logs are rotated when they reach a certain size, regardless of their rotation schedule.
For example, the filename audit.log.1.2002-04-04_160146.demo would identify this file as:
• An Audit Log.
• The first log file in the log index.
• A file created on 2002-04-04 at 16:01:46.
• A log from the SKM with the hostname 'demo'.
This naming convention allows you to transfer log files from multiple SKMs to the same remote log server while avoiding the problem of overwriting log files due to naming conflicts. These file names are not visible from the CLI or the Management Console.
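A parser for the file-name convention above, plus a check a remote log server can run over the names it has received to notice an SKM that has stopped shipping logs. This is an added example, not SKM code; apart from audit.log.1.2002-04-04_160146.demo, the file names used are constructed.

```python
"""Parse rotated SKM log file names and spot sources that have gone quiet.

Added example, not SKM code. File names other than the one in the guide are
constructed.
"""
import re
from datetime import datetime, timedelta

# <log>.log.<index>.<YYYY-MM-DD_HHMMSS>.<h>; the hostname is everything after
# the timestamp, so a hostname containing dots is preserved whole.
_NAME = re.compile(
    r"^(?P<log>[A-Za-z]+)\.log\.(?P<index>\d+)\."
    r"(?P<stamp>\d{4}-\d{2}-\d{2}_\d{6})\.(?P<host>.+)$"
)


def parse_rotated_log_name(filename):
    m = _NAME.match(filename)
    if not m:
        raise ValueError(f"not a rotated SKM log name: {filename!r}")
    return {
        "log": m["log"],
        "index": int(m["index"]),
        "created": datetime.strptime(m["stamp"], "%Y-%m-%d_%H%M%S"),
        "hostname": m["host"],
    }


def latest_by_source(filenames):
    """(hostname, log) -> creation time of the newest file seen for it."""
    latest = {}
    for name in filenames:
        info = parse_rotated_log_name(name)
        key = (info["hostname"], info["log"])
        if key not in latest or info["created"] > latest[key]:
            latest[key] = info["created"]
    return latest


def stale_sources(filenames, now_iso, max_age_days):
    """(hostname, log) pairs whose newest file is older than max_age_days as of
    now_iso (ISO 8601). A daily-rotated audit log that has not arrived for days
    means either the SKM, the transfer, or the log itself has stopped."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(days=max_age_days)
    return sorted(key for key, created in latest_by_source(filenames).items()
                  if now - created > limit)
```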
Secure logs

The SKM allows you to sign your log files before moving them to another machine or downloading them, which makes your log files more secure than unsigned log files. A Log Signing Certificate is created the first time the SKM is run and when the machine is restored to the factory defaults. If the Sign Log option is selected, a log file is signed with the Log Signing Certificate right before it is downloaded or moved off of the SKM.
Table 116 Rotation Schedule section components
Component – Description
Log Name – One of the predefined log names supported by the SKM. Log types are: System, Audit, Activity, and Client Event.
Rotation Schedule – Specifies the frequency of log rotation. When a log is rotated, the current log file is closed and a new log file is opened. Supported log rotation frequencies are:
• Daily – happens at 3:05 AM.
• Weekly – happens at 3:15 AM on Sundays.
Table 117 Log Rotation Properties section components
Component – Description
Log Name – One of the predefined log names supported by the SKM. Log types are: System, Audit, Activity, and Client Event.
Rotation Schedule – Specifies the frequency of log rotation. When a log is rotated, the current log file is closed and a new log file is opened. Supported log rotation frequencies are Daily, Weekly, and Monthly. See Log Rotation for more information.
Figure 137 Viewing the Syslog Settings section

NOTE: Changes to the Syslog Settings section cause the KMS Server to restart, which takes the KMS offline for a few seconds.

The following table describes the components of the Syslog Settings section.

Table 118 Syslog Settings section components
Component – Description
Log Name – You can enable syslog for all SKM logs.
Enable Syslog – If there is a check mark in the box, syslog is enabled. If there is no check mark in the box, syslog is disabled.
Table 119 Log Signing section components
Component – Description
Log Name – Displays the logs available on the device.
Sign Log – Select this option to enable Secure Logs. See Secure Logs for more information.
Edit – Click Edit to edit the log signing settings for the selected log.
View Log Signing Cert – Click View Log Signing Cert to view the Log Signing Certificate information.
Table 120 Log Signing Certificate Information section components
Component – Description
Download Log Signing Cert – Click Download Log Signing Cert to download the certificate.
Recreate Log Signing Cert – Click Recreate Log Signing Cert to access the Log Signing Certificate section to specify the certificate duration and recreate the Log Signing Certificate.
Back – Click Back to return to the Log Configuration page.
• Successful or failed cluster replication and synchronization.
• Failed log transfers.
• License errors.

Figure 141 Viewing the System Log section

The following table describes the components of the System Log section.

Table 122 System Log section components
Component – Description
Log File – Select older logs to display.
Show Last Number of Lines – Select the number of log entries to view.
Wrap Lines – Select to wrap text in the display area.
• Date and time the change was made.
• Username: the username that made the configuration change.
• Event: a text description of the configuration change.

Figure 143 Viewing the Audit Log section

The following table describes the components of the Audit Log section.

Table 124 Audit Log section components
Component – Description
Log File – Select older logs to display.
Show Last Number of Lines – Select the number of log entries to view.
Wrap Lines – Select to wrap text in the display area.
data from the client or an error has occurred. When there is no data for a particular field, a dash is inserted. The format of the Activity Log is as follows: The following table describes the fields that are present in the Activity Log.
Table 127 Values for the Detail Field in the Activity Log
Request Type – Detail Information
authentication – username provided by the client
key generation – algorithm and key size; the values for the Deletable and Exportable options are listed as well if they are set by the client
key import – algorithm and key size specified in the request; the values for the Deletable and Exportable options are listed as well if they are set by the client
key deletion – nothing is listed in the detail field
key export – not
Figure 146 Viewing the Current Activity Log section

The following table describes the components of the Current Activity Log section.

Table 129 Current Activity Log section components
Component – Description
Download Entire Log – Click Download Entire Log to download the log to your browser.
Clear – Click Clear to delete the selected log.

Client Event Log

The Client Event Log contains a record of each message sent by clients using the element.
Figure 147 Viewing the Client Event Log section

The following table describes the components of the Client Event Log section.

Table 131 Client Event Log section components
Component – Description
Log File – Select older logs to display.
Show Last Number of Lines – Select the number of log entries to view.
Wrap Lines – Select to wrap text in the display area.
Display Log – Click Display Log to display the specified number of lines of the log.
• Throughput
• License Usage
• Refresh Statistics (Server)
• KMS Statistics

Refresh Statistics

The Refresh Statistics section controls how frequently the System Statistics page is refreshed. When the page is refreshed, the values displayed on the page are updated. The refresh interval you specify in this section does not affect the refresh interval on the CLI.

Figure 149 Viewing the Refresh Statistics section

The following table describes the components of the Refresh Statistics section.
Table 134 System Statistics section components
Component – Description
CPU Utilization (%) – This number represents the percentage of CPU time that was in use for each CPU at the moment the System Statistics page was updated.
System Uptime – This field represents the duration of time that has elapsed since the SKM was last rebooted.

Connection Statistics

The Connection Statistics section provides information on the total number of connections since the SKM was rebooted.
Figure 152 Viewing the Throughput section

The following table describes the components of the Throughput section.

Table 136 Throughput section components
Component – Description
KMS Server Statistics – This field expresses in megabits per second the amount of data passing through the KMS Server. This traffic is generated when the SKM processes client requests. The figure excludes any overhead from the SSL, TCP, or IP protocols.
Figure 154 Viewing the Refresh Statistics section

The following table describes the components of the Refresh Statistics section.

Table 138 Refresh Statistics section components
Component – Description
Refresh Every – Specify the refresh rate of the Server Statistics page. Available refresh rates are:
• Never (default value)
• 5 seconds
• 15 seconds
• 30 seconds
• 60 seconds
• 2 minutes
• 5 minutes
This value is only valid while you are viewing the Server Statistics page.
Figure 155 Viewing the KMS Statistics section

The following table describes the components of the KMS Statistics section.

Table 139 KMS Statistics section components
Component – Description
KMS Operations
Current/second – The Current per second column shows how many of a given statistic were counted on the SKM in the second the KMS Statistics were refreshed.
C Using the Command Line Interface

Shell commands

The CLI supports a few shell commands that allow you to perform various search, cut, and paste operations. The following shell commands can be used:
• Ctrl-C – clears the prompt.
• Ctrl-R – allows you to search backward through the command history.
• Ctrl-K – deletes the text from the cursor to the end of the line.
• Ctrl-U – erases the entire line.
• Ctrl-Y – pastes text erased by Ctrl-K or Ctrl-U.
• Ctrl-P – moves backwards through the history.
new cert “new cert request”
is treated as three separate arguments:
• new
• cert
• new cert request

Escaping characters using backslash

You can include a quote character (“ or ‘) within an argument by putting a backslash (\) in front of it.
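An added example, not code from the guide: a Python tokenizer implementing the argument rules just described (whitespace separation, quoted runs, a backslash before a quote). It works on ASCII quote characters; how a backslash before anything other than a quote or another backslash is treated is an assumption, since the guide does not say.

```python
from typing import List, Optional

QUOTE_CHARS = ('"', "'")


def tokenize_cli(line: str) -> List[str]:
    """Split a CLI line into arguments.

    - whitespace separates arguments
    - a quoted run ("..." or '...') is one argument, with the quotes removed
    - a backslash before a quote character keeps that character literal
      (assumption: a backslash before a backslash also escapes it; any other
      backslash is kept as an ordinary character)
    """
    args: List[str] = []
    cur: List[str] = []
    in_arg = False            # have we started collecting an argument?
    quote: Optional[str] = None  # the active quote character, if any
    i = 0
    while i < len(line):
        ch = line[i]
        # Escape handling comes first so that \" inside "..." stays literal.
        if ch == "\\" and i + 1 < len(line) and (line[i + 1] in QUOTE_CHARS or line[i + 1] == "\\"):
            cur.append(line[i + 1])
            in_arg = True
            i += 2
            continue
        if quote is not None:
            if ch == quote:
                quote = None      # closing quote; the argument continues until whitespace
            else:
                cur.append(ch)    # whitespace inside quotes is part of the argument
        elif ch in QUOTE_CHARS:
            quote = ch
            in_arg = True         # an empty "" still produces an (empty) argument
        elif ch.isspace():
            if in_arg:
                args.append("".join(cur))
                cur = []
                in_arg = False
        else:
            cur.append(ch)
            in_arg = True
        i += 1
    if quote is not None:
        raise ValueError("unterminated quote in: " + line)
    if in_arg:
        args.append("".join(cur))
    return args


if __name__ == "__main__":
    # The guide's example: three arguments, the last containing spaces.
    print(tokenize_cli('new cert "new cert request"'))
    # Constructed example of an escaped quote inside a quoted argument.
    print(tokenize_cli(r'new cert "say \"hi\" now"'))
```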
If multiple commands match the pattern, those commands are displayed on the screen. For example, if you type sh au lo on the command line, the SKM executes the show audit log command. However, if you type sh au l on the command line, the SKM displays the commands that match that pattern.

Command search

To search for a command without executing it, type the command, or part of the command, and include a question mark (?). The CLI displays the commands that match the pattern you typed.
hostname (config)#

Scripting mode

This section describes how to perform the following actions in scripting mode:
• Creating Scripts
• Executing Scripts
• Displaying and Deleting Scripts
• Installing Certificates
• Entering Passwords

Creating scripts

There are essentially two different ways to create CLI scripts: manually or via the Script Recorder.
Once loaded, a script can either be stepped through (executed one line at a time), or the entire script can be run. To step through a script, use the command “step”, as shown here:
hostname(script)# step
To run the entire script, use the command “go”, as shown here:
hostname(script)# go

Displaying and deleting scripts

To display the current scripts that have been created on the system, use the command “show script”.
passwd
password settings
show administrator
show credential settings
show granted credential
show password settings

Audit Log Commands
show audit log
transfer audit log

Autologout Commands
autologout
show-autologout

Backup and Restore Commands
backup
no backup
restore backup
show backup

CA Cert Commands
ca certificate install
ca profile
ca profile duplicate
ca profile entry
ca profile rename
cert install
cert request
cert revoke
halt
no ca certificate
no ca profile
no ca profile entry
no local ca
show ca ce

cert import
cert request
cert selfsign install
no certificate
no request
show cert
show request

CRL Commands
crl auto-update
crl list send
crl list update
crl settings
no crl auto-update
no crl list
show crl auto-update
show crl entry
show crl list
show crl settings
show crl status

Client Event Log Commands
clientevent log rotate
no clientevent log
show clientevent log
transfer clientevent log

Device Reset and Restore Commands
reset factory settings
restore default configuration
zeroize all keys

Diagnos

show security settings
show fips server
show fips status

Health Check Configuration Commands
health check
show health check

Help Commands
?
help

History Commands
history

Log Commands
activity syslog
audit syslog
clientevent syslog
edit log rotation
log signing
no activity syslog
no audit syslog
no clientevent syslog
no system syslog
recreate logsigning cert
show activity syslog
show audit syslog
show clientevent syslog
show log rotation
show log signing
show logsigning cert
show system syslog
system sys

gateway
ip address
ip authorization
ip authorization allowed
ip name-server
no gateway
no ip address
no ip authorization allowed
no ip name-server
no static route
show ethernet port
show gateway
show hosts
show interface ethernet
show interfaces
show ip authorization
show ip authorization allowed
show static route
static route

Services Commands
halt
kms-server run
kms-server startup
no kms-server-run
no kms-server startup
no snmp run
no snmp startup
no sshadmin run
no sshadmin startup
no webadmin run
no web

SNMP Commands
community
edit community
edit snmp username
edit station
no community
no snmp username
no station
show community
show snmp agent
show snmp username
show station
snmp agent
snmp username
station

SSL Commands
cipherspec
cipherspec priority
no cipherspec
no export cipherspec
no ssl protocol
restore cipherspec
show cipherspec
show ssl
ssl protocol
ssl-timeout

Statistics Commands
show license
show license usage
show statistics

System Commands
clock set
edit ras settings
hostname
no ntp server
ntp n

show clock
show hostname
show ntp
show ras settings
timezone set

System Health Commands
show system health

System Information Commands
show device
show software
software install
software rollback

System Log Commands
no system log
show system log
system log rotate
transfer system log
Activity log commands

activity log level – Set the Activity Log Level.
Syntax
hostname (config)# activity log level
Log Level:
1: Normal
2: Low
Enter a number (1 - 2) [1]:
Related command(s)
• show activity log level

activity log rotate – rotate the Activity Log.
Syntax
hostname (config)# activity log rotate
Activity Log successfully rotated.
Related command(s)
• no activity log
• show activity log

no activity log – clear the contents of an activity log file.
Related command(s)
• edit administrator
• show administrator
• no administrator

credential settings – establish the multiple credential settings.
Related command(s)
• show granted credential
• no granted credential
• credential settings
• show credential settings

ldap test failover – connect to the failover LDAP server (if defined) and print connection debugging information.
Syntax
ldap test failover
Related command(s)
• ldap test primary

ldap test primary – connect to the primary LDAP server and print connection debugging information.
Related command(s)
• administrator
• edit administrator
• no administrator

show credential settings – display the multiple credential settings.
Audit log commands

show audit log – display all the audit logs’ names.
Syntax
hostname# show audit log [name] [number of lines]
Specify a log name and/or the number of lines to display the specified number of lines.

transfer audit log – transfer a log file off of the SKM.
Syntax
hostname# transfer audit log
Please pick one of the following types of transfer:
1) FTP
2) SCP
Transfer Type (1-2):
Enter the host:
Enter the directory:
Enter the username:
Enter the password:
Success.
Backup and restore commands

backup – create a system backup.
Syntax
hostname (config)# backup
After executing the backup command, the system prompts you to provide a name and description for the backup. You can specify which configurations you want to include in the backup.
Related command(s)
• no backup
• restore backup
• show backup

no backup – remove a specified system backup file.
Related command(s)
• no ca certificate
• show ca certificate

ca profile – create an empty Trusted CA List profile.
Syntax
hostname# ca profile
The profile is only useful when you populate it.
Related command(s)
• ca profile duplicate
• ca profile entry
• ca profile rename
• show ca profile
• no ca profile
• no ca profile entry

ca profile duplicate – copy the Trusted CA List from one profile and populate the Trusted CA List of another profile.
Related command(s)
• cert request
• show request
• no request
• no certificate
• cert import
• show cert
• cert selfsign install

cert renew – renew a certificate that has been signed and revoked by a local CA.
Syntax
hostname (config)# cert renew
Related command(s)
None

cert revoke – revoke a certificate signed by a local CA.
Syntax
hostname (config)# cert revoke
Related command(s)
None

local ca – generate a local CA certificate.
Related command(s)
• ca profile
• ca profile duplicate
• ca profile entry
• ca profile rename
• show ca profile
• no ca profile entry

no ca profile entry – delete a CA from a Trusted CA List.
Syntax
hostname# no ca profile entry
Related command(s)
• ca profile
• ca profile duplicate
• ca profile entry
• ca profile rename
• show ca profile
• no ca profile

no local ca – remove a specified local CA certificate.
Syntax
hostname# show local ca [ca name]
Related command(s)
• halt
• no local ca

show signed certificate – display information about certificates signed by local CAs on the SKM.
Syntax
hostname# show signed certificate
or
hostname# show signed certificate
If you specify a local CA after the show signed certificate command, the system displays all of the certificates signed by that CA.
Certificate commands

cert import – import a certificate.
Syntax
The certificate import process varies between SKMs.
Syntax
hostname (config)# cert request
After executing the cert request command, the system prompts you to provide the following information:
Common Name: irwin
Organization Name: irwin
Organizational Unit Name:
Locality Name:
State or Province Name:
Country Name [US]:
Email Address:
Key Size (768, 1024, 2048) [1024]:
When you have entered all the information, the system displays a warning, then displays the new certificate request.
Related command(s)
• cert request
• show request
• no request
• cert install
• cert import
• show cert
• cert selfsign install

no request – delete a certificate request.
Syntax
hostname (config)# no request
Related command(s)
• cert request
• show request
• no certificate
• cert install
• cert import
• show cert
• cert selfsign install

show cert – view either specific certificate details or all installed certificates.
Syntax
hostname (config)# crl list send
Transport Method:
1) FTP
2) SCP
Enter a number(1-2):
Host:
Filename:
Username:
Password:
Related command(s)
None

crl list update – manually update a CRL. This command cannot be applied to a local CA.
Syntax
hostname (config)# crl list update
Transport Method:
1) FTP
2) SCP
3) HTTP
Enter a number(1-3):
Host:
Filename:
Username:
Password:
Related command(s)
None

crl settings – configure the device to automatically download the CRL for a CA.
Related command(s)
None

no crl list – renew all revoked certificates signed by a local CA or delete the CRL published by a known CA.
Syntax
hostname (config)# no crl list
When you use the no crl list command with a Known CA (as opposed to a local CA), the SKM deletes the CRL published by that CA. When you use the no crl list command with a local CA, the SKM renews all revoked certificates signed by that local CA.
Client event log commands

clientevent log rotate – rotate the client event log.
Syntax
hostname (config)# clientevent log rotate
Related command(s)
• no clientevent log
• show clientevent log
• transfer clientevent log

no clientevent log – clear the contents of a client event log file.
Syntax
hostname (config)# no clientevent log
Related command(s)
• clientevent log rotate
• show clientevent log
• transfer clientevent log

show clientevent log – view the client event log.
Device reset and restore commands

reset factory settings – delete all information stored in the SKM and reset it to its original factory setting.

CAUTION: This command deletes all configuration information and any installed patches and upgrades. We recommend contacting customer support prior to using this command.

NOTE: For security purposes, this command can only be run from the CLI at the console. You cannot execute this command remotely via the CLI over SSH or from the Management Console.

Syntax
Diagnostic commands

host run – look up the host specified using the domain server.
Syntax
hostname (config)# host run
Related command(s)
• traceroute run
• netstat run
• ping run

ping run – send ICMP ECHO_REQUEST packets to the specified network host.
Syntax
hostname (config)# ping run
Related command(s)
• host run
• traceroute run
• netstat run

netstat run – generate a list of all active connections on the SKM.
Syntax
hostname# fips server
Enable FIPS Status Server [y]:
Available IP addresses:
1. All
2. 172.17.3.21
Local IP (1-2)[1]:
Local Port [9081]:

NOTE: You can view the FIPS Status Report by accessing http://:/status.html.

Related command(s)
• show fips server

reset factory settings zeroize – zeroize all keys and passwords on the device.

NOTE: For security purposes, this command can only be run from the CLI at the console.

Syntax
Syntax
hostname# show security settings
Key Security
Disable Creation and Use of Global Keys: Yes
Disable Non-FIPS Algorithms and Key Sizes: Yes
Disable RSA Encryption and Decryption: Yes
Device Security
Disable FTP for Certificate Import, Backup, and Restore:
Disable Certificate Import through Serial Console Paste:
Disable Hotswappable RAID Drives: Yes
Other Security
Allow Key & Policy Configuration Operations: Disabled (FIPS-compliant)
Allow Key Export: Disabled (FIPS-compliant)
User Directory for KMS Se
Health check configuration commands

health check – enable and configure the Health Check feature.
Syntax
hostname (config)# health check
Enable Health Check [n]:
Local IP:
1: All
2: 192.168.200.195
Enter a number (1 - 2) [1]:
Local Port [9080]:
Health check settings successfully saved. Health check is enabled.
Related command(s)
• show health check

show health check – view the Health Check settings of the SKM.
Log commands

activity syslog – enable the SKM to use the syslog protocol to send Activity Log messages to an external machine.
Syntax
hostname (config)# activity syslog
Enable Syslog [n]:
Syslog Server #1 IP [None]:
Syslog Server #1 Port [514]:
Syslog Server #2 IP [None]:
Syslog Server #2 Port [514]:
Syslog Facility:
1: local0
2: local1
3: local2
4: local3
5: local4
6: local5
7: local6
8: local7
Activity Log syslog settings successfully saved. Syslog is enabled.
Syntax
hostname (config)# clientevent syslog
Enable Syslog [n]:
Syslog Server #1 IP [None]:
Syslog Server #1 Port [514]:
Syslog Server #2 IP [None]:
Syslog Server #2 Port [514]:
Syslog Facility:
1: local0
2: local1
3: local2
4: local3
5: local4
6: local5
7: local6
8: local7
Enter a number (1 -8) [2]:
Client Event Log syslog settings successfully saved. Syslog is enabled.
Related command(s)
• activity syslog
• show activity syslog
The no activity syslog command also clears all values in the Activity Log settings.

no audit syslog – disable the use of the syslog protocol to send Audit Log messages to an external machine.
Syntax
hostname (config)# no audit syslog
Audit Log syslog settings cleared. Syslog is disabled.
Related command(s)
• show audit syslog
• audit syslog
The no audit syslog command also clears all values in the Audit Log settings.
Related command(s)
• edit log rotation

show log signing – check the status of the Secure Log feature on the SKM for a specific log.
Syntax
hostname# show log signing
Related command(s)
• log signing
• recreate logsigning cert
• show logsigning cert

show logsigning cert – show the log signing certificate.
Mode commands

configure – enter configuration mode.
Syntax
hostname# configure
Related command(s)
• configure terminal
• exit
• script

configure terminal – enter configuration mode.
Syntax
hostname# configure terminal
Related command(s)
• configure
• exit
• script

exit – exit the current shell mode.

NOTE: When in “view” mode, it logs you out of the shell. When in “configure” mode, it returns you to “view” mode.
Related command(s)
• ip authorization
• ip authorization allowed
• no ip authorization allowed
• show ip authorization
• show ip authorization allowed

ethernet port – change the Network Interface Port Speed/Duplex settings.
Syntax
hostname (config)# ip authorization
KMS Server:
Please select from the following options:
1) Allow All Connections
2) Only Allow IPs Specified
KMS Server [2]: 2
Web Administration:
Please select from the following options:
1) Allow All Connections
2) Only Allow IPs Specified
Web Administration [2]: 2
SSH Administration:
Please select from the following options:
1) Allow All Connections
2) Only Allow IPs Specified
SSH Administration [2]: 2
IP Authorization settings successfully saved.
NOTE: The no ip authorization allowed command requires that you provide the index number of the IP address you want to edit, rather than the actual IP address itself. You might find it helpful to use the show ip authorization allowed command to find the appropriate index number.

Syntax
hostname (config)# no ip authorization allowed 3
IP successfully removed.
Syntax
hostname# show ip authorization
KMS Server: Only Allow IPs Specified
Web Administration: Only Allow IPs Specified
SSH Administration: Only Allow IPs Specified
Related command(s)
• edit ip authorization allowed
• ip authorization
• ip authorization allowed
• no ip authorization allowed
• show ip authorization allowed

show ip authorization allowed – display the IP authorization settings for all authorized IP addresses.
Syntax
hostname# show ip authorization allowed
1.
Services commands

halt – halt the SKM.
Syntax
hostname (config)# halt
Related command(s)
• reboot

kms-server run – activate the KMS Server.
Syntax
hostname (config)# kms-server run
Related command(s)
• no kms-server-run

kms-server startup – activate KMS Server when starting up the SKM.
Syntax
hostname (config)# kms-server startup
Related command(s)
• no kms-server startup

no kms-server run – halt the KMS Server.
Syntax
hostname (config)# no webadmin startup
Related command(s)
• webadmin startup

reboot – reboot the SKM.
Syntax
hostname (config)# reboot
Related command(s)
• halt

show services – view current service status of the SKM.
Related command(s)
• no webadmin run

webadmin startup – enable web administration when starting up the SKM.
Syntax
hostname (config)# webadmin startup
Related command(s)
• no webadmin startup

SNMP commands

community – add a community.
Syntax
hostname (config)# community
Enter the community name:
Enter the community source IP/subnet mask pair(s):
Will this community be allowed Enterprise MIB access (y/n):
Will this community be allowed Standard MIB access (y/n):
Successfully added community.
NOTE: When you execute the edit snmp username command, the system prompts you to provide the new SNMPv3 username information.
NOTE: When you execute the edit station command, the system prompts you to provide the new SNMP management station information. In the example shown here, the system prompts contain the existing value in brackets. For example, if presented with the prompt Enter a number (1 - 3) [2]: the value in brackets (in this case 2) represents the existing value.
Related command(s)
• show snmp username
• edit snmp username
• snmp username

no station – remove an SNMP management station.
Syntax
hostname (config)# no station
Related command(s)
• station
• show station
• edit station

show community – view either all current communities configured on the SKM, or detail about a specified community.
NOTE: When you execute the snmp username command, the system prompts you to provide the values for the new SNMPv3 username.
Syntax
hostname (config)# cipherspec priority
CURRENT PRIORITIES
The SSL cipher order is shown below:
Priority      Key Exchange  Cipher            Keysize  Hash
1             RSA           AES128            128      SHA-1
2             RSA           AES256            256      SHA-1
3             RSA           3DES              168      SHA-1
Disabled (1)  RSA           RC4               128      SHA-1
Disabled (2)  RSA           RC4               128      MD5
Disabled (3)  RSA           Low Security DES  56       SHA-1
Disabled (4)  RSA           Low Security RC4  56       SHA-1
Disabled (5)  RSA           Low Security RC4  56       MD5
Disabled (6)  RSA           Low Security RC2  56       MD5
Disabled (7)  RSA           Low Security DES  40       SHA-1
Disabled (8)  RSA           Low Security RC2  40       MD5
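As an added example (not from the HP guide), a Python parser for the cipherspec priority listing, tolerant of the run-together Keysize/Hash columns seen in the guide's reproduction, plus a review check over the enabled entries. The policy the check applies (no Low Security suites, no RC4/RC2/DES, no MD5, no key below 128 bits) is an assumption of this example, not something the guide states.

```python
import re
from typing import List, NamedTuple


class CipherSpec(NamedTuple):
    priority: int      # 1 = tried first; for disabled entries, the "Disabled (n)" number
    enabled: bool
    key_exchange: str
    cipher: str        # e.g. "AES128" or "Low Security RC4"
    keysize: int
    hash_alg: str      # "SHA-1" or "MD5" in this listing


# One row of the listing. Priority is either a bare number or "Disabled (n)".
# Key size and hash are accepted fused ("128SHA-1") or separated ("128 SHA-1").
ROW_RE = re.compile(
    r"^(?:(?P<prio>\d+)|Disabled\s*\((?P<dprio>\d+)\))\s+"
    r"(?P<kx>\S+)\s+(?P<cipher>.+?)\s+(?P<size>\d+)\s*(?P<hash>SHA-1|MD5)$"
)


def parse_cipherspec_listing(text: str) -> List[CipherSpec]:
    """Turn the text of a 'cipherspec priority' listing into CipherSpec records."""
    specs: List[CipherSpec] = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m is None:
            continue  # title lines, column headings, blank lines
        enabled = m["prio"] is not None
        specs.append(CipherSpec(
            priority=int(m["prio"] if enabled else m["dprio"]),
            enabled=enabled,
            key_exchange=m["kx"],
            cipher=m["cipher"],
            keysize=int(m["size"]),
            hash_alg=m["hash"],
        ))
    return specs


def weak_enabled_specs(specs: List[CipherSpec]) -> List[str]:
    """Report enabled entries that fail the (assumed) review policy described above."""
    findings: List[str] = []
    for s in specs:
        if not s.enabled:
            continue
        algo = s.cipher.split()[-1]  # last word: AES128, 3DES, RC4, DES, RC2 ...
        reasons = []
        if "Low Security" in s.cipher:
            reasons.append("low-security suite")
        if algo in ("RC4", "RC2", "DES"):
            reasons.append(algo + " is not acceptable")
        if s.hash_alg == "MD5":
            reasons.append("MD5 MAC")
        if s.keysize < 128:
            reasons.append("key size %d < 128" % s.keysize)
        if reasons:
            findings.append("priority %d %s/%d/%s: %s"
                            % (s.priority, s.cipher, s.keysize, s.hash_alg, "; ".join(reasons)))
    return findings


# The listing as reproduced above, with Keysize and Hash fused as in the guide's text.
SAMPLE_LISTING = """\
CURRENT PRIORITIES
The SSL cipher order is shown below:
Priority Key Exchange Cipher KeysizeHash
1 RSA AES128 128SHA-1
2 RSA AES256 256SHA-1
3 RSA 3DES 168SHA-1
Disabled (1) RSA RC4 128SHA-1
Disabled (2) RSA RC4 128MD5
Disabled (3) RSA Low Security DES 56SHA-1
Disabled (4) RSA Low Security RC4 56SHA-1
Disabled (5) RSA Low Security RC4 56MD5
Disabled (6) RSA Low Security RC2 56MD5
Disabled (7) RSA Low Security DES 40SHA-1
Disabled (8) RSA Low Security RC2 40MD5
"""

if __name__ == "__main__":
    parsed = parse_cipherspec_listing(SAMPLE_LISTING)
    print("enabled:", [s.cipher for s in parsed if s.enabled])
    print("findings:", weak_enabled_specs(parsed) or "none")
```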
Related command(s)
• show cipherspec
• cipherspec priority
• cipherspec
• no cipherspec
• restore cipherspec

no ssl protocol – remove the specified protocol.
Syntax
hostname (config)# no ssl protocol
Related command(s)
• ssl protocol
• ssl-timeout
• show ssl

restore cipherspec – restore the cipherspecs to their default values.
Statistics commands

show license – show the number of licenses currently in use.
Syntax
hostname# show license
Licenses: 5
Related command(s)
• show license usage

show license usage – show the number of licenses currently in use.
Syntax
hostname# show license usage
Client IP Address      Number of Connections
===============================================
192.168.1.89           2
192.168.1.91           2
192.168.200.
Syntax
hostname (config)# edit ras settings
Available IP addresses:
1. All
2. 192.168.200.195
Web Admin Server IP [192.168.200.195] (1-2):
Web Admin Server Port [9443]: 9443
Web Admin User Authentication (y/n) [n]: n
Available IP addresses:
1. All
2. 192.168.200.195
SSH Admin Server IP [192.168.200.195] (1-2):
SSH Admin Server Port [22]: 22
Related command(s)
• show ras settings

hostname – define the hostname of the SKM.
Related command(s)
None

reissue webadmin certificate – re-issue the web administration certificate.

NOTE: This action is performed when initializing the SKM. The optional duration parameter allows you to specify in days the duration that the webadmin certificate is valid.

Syntax
hostname (config)# reissue webadmin certificate
Related command(s)
None

show clock – view the current date, time, and time zone reported by the SKM.
Table 141 clock set syntax details
Parameter – Description
mm/dd/yy – mm: month: enter a value in the range 1 – 12. dd: day: enter a value in the range 1 – 31. yy: year: enter a value in 2–digit or 4–digit format.
hh:mm:ss – hh: hour: enter a value in the range 0 – 23. mm: minute: enter a value in the range 0 – 59. ss: seconds: enter a value in the range 0 – 59.
System information commands

show device – view the model number and Unit ID of the SKM.
Syntax
hostname# show device
Related command(s)
• show software

show software – view information about the current system software.
Syntax
hostname# show software
Related command(s)
• software install
• software rollback

software install – install new software or a software patch.
System log commands

no system log – clear the contents of a system log file.
Syntax
hostname (config)# no system log
Related command(s)
• system log rotate
• show system log

show system log – view the System Log.
Syntax
hostname# show system log
Related command(s)
• no system log
• system log rotate

system log rotate – rotate the System Log.
Syntax
hostname (config)# system log rotate
System Log successfully rotated.
D Troubleshooting

This appendix addresses some of the typical problems you might face as the administrator of the SKM.

Table 142 Common problems
Problem – Possible solution
Unable to connect to the Management Console – Check the browser version and make sure that it supports 128–bit encryption. Check the location bar in the browser window and make sure that it is connecting to the SKM via HTTPS and that the port number is correct. The default web administration port is 9443.
E Regulatory compliance notices

This section contains regulatory notices for the HP StorageWorks Secure Key Manager (SKM) appliance.

Regulatory compliance identification numbers

For the purpose of regulatory compliance certifications and identification, this product has been assigned a unique regulatory model number. The regulatory model number can be found on the product nameplate label, along with all required approval markings and information.
energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.
Compliance with these directives implies conformity to the following European Norms (in parentheses are the equivalent international standards and regulations):
• EN 55022 (CISPR 22)—Electromagnetic Interference
• EN55024 (IEC61000-4-2, 3, 4, 5, 6, 8, 11)—Electromagnetic Immunity
• EN61000-3-2 (IEC61000-3-2)—Power Line Harmonics
• EN61000-3-3 (IEC61000-3-3)—Power Line Flicker
• EN 60950 (IEC60950)—Product Safety

Japanese notices

Japanese power cord statement

Korean notices

Class A equipment

Class B equ
Taiwanese notices

BSMI Class A notice

Taiwan battery recycle statement
• Recovery mark: Four-in-one recycling symbol
• Recovery text: “Please recycle waste batteries” 廢電池請回收

Laser compliance

This device may contain a laser that is classified as a Class 1 Laser Product in accordance with U.S. FDA regulations and the IEC 60825-1. The product does not emit hazardous laser radiation.
Dutch laser notice
Italian laser notice

WARNING: This device may contain a laser classified as a Class 1 Laser Product in accordance with US FDA regulations and IEC 60825-1. This product does not emit hazardous laser radiation. Carrying out commands, adjustments or procedures other than those specified in this documentation or in the product installation guide can result in exposure to harmful radiation.
Recycling notices
Disposal of waste equipment by users in private households in the European Union
This symbol on the product or on its packaging indicates that this product must not be disposed of with your other household waste. Instead, it is your responsibility to dispose of your waste equipment by handing it over to a designated collection point for recycling of waste electrical and electronic equipment.
Estonian notice
Finnish notice
Disposal of equipment by households in the European Union
If this symbol appears on the product or its packaging, the product must not be disposed of with household waste. Instead, the equipment to be disposed of must be taken to a collection point for the recycling of electrical and electronic equipment. The separate handling and recycling of discarded equipment helps to conserve natural resources and ensures that the equipment is recycled in a way that prevents health hazards and protects the environment.
Greek notice
Hungarian notice
Italian notice
Disposal of equipment by private users in the European Union
This symbol on the product or its packaging indicates that the product must not be disposed of together with household waste. It is the user's responsibility to dispose of the equipment by delivering it to a collection point designated for the recycling and disposal of electrical and electronic equipment.
Latvian notice
Lithuanian notice
Polish notice
Portuguese notice
Disposal of electrical waste in the European Community
This symbol found on the product or its packaging indicates that the product must not be disposed of with ordinary household waste. It is the customer's responsibility to dispose of the used material (electrical waste) by taking it to a collection point for recycling.
Spanish notice
Disposal of waste electrical and electronic equipment by private users in the European Union
This symbol on the product or its packaging indicates that it must not be disposed of together with general household waste. It is the user's responsibility to dispose of this type of waste by depositing it at a designated collection point ("punto limpio") for the recycling of electrical and electronic waste.
Battery replacement notices
Dutch battery notice
Battery statement
WARNING: This device may contain a battery.
- Do not attempt to recharge the batteries after removing them.
- Do not expose the batteries to water or to temperatures above 60°C.
- The batteries must not be damaged, disassembled, crushed, or punctured.
- Do not short-circuit the external contacts, and do not let the batteries come into contact with water or fire.
German battery notice
Notes on batteries and rechargeable batteries
CAUTION: This product may contain a battery or a rechargeable battery.
- Do not attempt to recharge batteries or rechargeable batteries outside the device.
- Protect batteries and rechargeable batteries from moisture and from temperatures above 60°.
- Do not misuse batteries or rechargeable batteries, do not disassemble them, and avoid mechanical damage of any kind.
Japanese battery notice
Spanish battery notice
Battery statement
WARNING: This device may contain a battery.
- Do not attempt to recharge the batteries if you remove them.
- Avoid contact between the batteries and water, and do not expose them to temperatures above 60 ºC (140 ºF).
- Do not misuse, disassemble, crush, or puncture the batteries.
- Do not short-circuit the external contacts, and do not throw the batteries into fire or water.
F Specifications
This section provides the VLS node and SKM appliance specifications.
SKM appliance specifications
Item: Specification
Height: 4.3 cm (1.70 in)
Depth: 70.5 cm (27.8 in)
Width: 42.6 cm (16.8 in)
Weight (fully loaded): 16.78 kg (37 lb)
Weight (no drives installed): 12.47 kg (27.5 lb)
Rated input voltage: 100 VAC to 240 VAC
Rated input frequency: 50 Hz to 60 Hz
Rated input current: 6.0 A (110 V) to 3.
Environmental specifications
Temperature
  Operating: 10°C to 35°C (50°F to 95°F)
  Non-operating: -40°C to 66°C (-40°F to 150°F)
  Shipping: -40°C to 66°C (-40°F to 150°F)
Relative humidity (noncondensing)
  Operating: 40% to 60%
  Non-operating: 10% to 95%
  Shipping: 5% to 95%
Altitude
  Operating: -1000 ft to 10,000 ft
  Non-operating: -1000 ft to 10,000 ft
  Shipping: -1000 ft to 40,000 ft
Vibration
  Operating: 5-1000-5 Hz, 0.25 g, sinusoidal, 1 Octave/min., 3-axis
  Non-operating: 5-1000-5 Hz, 1.0 g, sinusoidal, 1 Octave/min., 3-axis
  Shipping: 5-1000-5 Hz, 2.0 g, sinusoidal, 1 Octave/min.
G About this guide
This guide provides information about:
• Installing an HP StorageWorks Secure Key Manager
• Configuring an HP StorageWorks Secure Key Manager
• Administering security keys
Intended audience
This guide is intended for system administrators with knowledge of:
• Basic computer system rack installation
• Data security administration
• Network configuration
Related documentation
The following documents and web sites provide related information:
• HP StorageWorks Command View TL getting start
WARNING! Indicates that failure to follow directions could result in bodily harm or death.
CAUTION: Indicates that failure to follow directions could result in damage to equipment or data.
IMPORTANT: Provides clarifying information or specific instructions.
NOTE: Provides additional information.
Rack stability
Rack stability protects personnel and equipment.
WARNING! To reduce the risk of personal injury or damage to equipment:
• Extend leveling jacks to the floor.
Customer self repair
HP customer self repair (CSR) programs allow you to repair your StorageWorks product. If a CSR part needs replacing, HP ships the part directly to you so that you can install it at your convenience. Some parts do not qualify for CSR. Your HP-authorized service provider will determine whether a repair can be accomplished by CSR. For more information about CSR, contact your local service provider. For North America, see the CSR website: http://www.hp.
Glossary
Active Device
In the VRRP group, this is the device that is receiving all network traffic. This is typically the primary device; however, in case of failure on the primary, the secondary device becomes the active device.
Authorization policy
The criteria for granting or denying access to a network resource, based on the user’s identity. This usually follows authentication.
fulfill client traffic, the secondary device stands down and the primary device again becomes the active device.
Primary device
A designated device that, when up and running, is the active device.
RSA key
A public-key encryption technology using an algorithm that is the industry standard for encryption.
Secondary device
A designated device that is passive. If the primary device goes down, then the secondary becomes the active device until the primary is back up.
Index
Symbols
?, 272
A
access control, 205
activity log level, 252
activity log rotate, 252
activity syslog, 273
administrator, 252
administrators
  creating, 205
  defining access control, 205
  granting credentials, 211
  maintaining passwords, 202
  managing multiple credentials, 211
Allowed Client IP Addresses section, 189
audience, 317
audit syslog, 273
authentication
  of users, 168
  options, 168
Authorized Usage Periods section, 124
autologout, 256
B
backup, 257
backups of the device
  configuring, 86
  list of i
Create LDAP Administrator section, 205
Create Local Certificate Authority section, 150
Create SNMP Management Station section, 197
credentials
  granting, 214
  viewing grants, 214
Credentials Granted section, 214
crl auto-update, 264
crl list send, 264
crl list update, 265
crl settings, 265
customer self repair, 319
D
Date and Time Settings section, 181
date settings, 181
Declaration of Conformity, 300
Default Gateway List section, 183
default gateways, 183
device
  power supply and cooling fan, 97, 98
  system
keys
  access to and ownership of, 168
  administration via multiple credentials, 213
  authorization policies and usage periods, 122, 124
  creating, 118
  deletable, 109, 169
  exportable, 169
  group permissions and ownership, 111, 113
  importing, 120
  managing ownership and permissions, 111
  RSA public keys, 114, 115
  viewing, 109, 111
Keys section, 109
kms-server run, 282
kms-server startup, 282
Korean notices, 301
L
laser compliance notices, 302
LDAP
  failover server properties, 133
  schema properties, 132
  server prope
P
passwd, 254
password settings, 254
passwords
  administrator, 202
  cluster, 175
patch releases, 96
permissions, user, 127
Ping Information section, 98
ping run, 269
port speed negotiation, 187
power supply status, 97
Power Supply Status section, 97
R
rack planning
  resources, 22
  requirements, 22
  warnings, 22
rack stability warning, 318
reboot, 283
rebooting the device, 93
recreate logsigning cert, 275
recreate ssh key, 292
recycling notices, 305
Refresh Page section, 96
regulatory compliance
  Canadian notic
show station, 287
show statistics, 291
show system log, 296
show system syslog, 276
Sign Certificate Request page, 54
sign request, 261
Signed Certificates section, 148
Simple Network Management Protocol.